stackoom
  简体   繁体   中英

spring-oauth2: HTTP Status 403 - Access Denied

 原文  2015-09-09 19:49:33       java/ spring/ rest/ curl/ spring-security

Question

I try to send a request to my rest-api with curl and spring security oauth2 but i get this error: 

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test/oauth/token HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQ6MTIzNDU=
> Content-Length: 99
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 99 out of 99 bytes
< HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 1030
< Date: Wed, 09 Sep 2015 19:37:49 GMT
< 
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.20 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 403 - Access Denied</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>Access Denied</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><hr class="line"><h3>Apache Tomcat/8.0.20</h3></body><* Connection #0 to host localhost left intact

my request: 

curl -X GET -k -vu my-trusted-client:12345 http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client&resource_id=rest_api"

a part of my code:

my oauth2serverconfiguration: 

@Configuration
@EnableResourceServer
public class OAuth2ServerConfiguration {

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("USER")
                    .scopes("read", "write", "trust")
                    .resourceIds("rest_api")
                    .secret("12345")
                    .accessTokenValiditySeconds(600);
            // @formatter:on
        }
    }
}

my securityconfiguration class: 

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        //builder.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        security.authorizeRequests()
            .antMatchers("/oauth/token")
            .hasRole("USER")
            .antMatchers("/greeting").authenticated();
    }
}

My controller: 

@Path("/oauth")
@Produces(MediaType.APPLICATION_JSON)
public class TestController {

    public TestController() {
        ApplicationContext applicationContext = new AnnotationConfigApplicationContext(OAuth2ServerConfiguration.class);
        AutowireCapableBeanFactory acbFactory = applicationContext.getAutowireCapableBeanFactory();
        acbFactory.autowireBean(this);
    }

    @GET
    @Path("/token")
    public Response testToken() {

        return Response.status(200).entity("is working \n").build();
    }
}

Spring has already generate the refresh_token but i don't get the access_token can somebody help me? What is false? My code or my request?

Thank.

1 answers

solution1
 2  2015-09-10 02:01:42

You are using grant_type=password parameter, means you want to use Resource Owner flow. 

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

            Figure 5: Resource Owner Password Credentials Flow

   The flow illustrated in Figure 5 includes the following steps:

   (A)  The resource owner provides the client with its username and
        password.

   (B)  The client requests an access token from the authorization
        server's token endpoint by including the credentials received
        from the resource owner.  When making the request, the client
        authenticates with the authorization server.

   (C)  The authorization server authenticates the client and validates
        the resource owner credentials, and if valid, issues an access
        token.

You have to include the username and password of the user for this flow, not only your client_id and client_secret.

From the code you have not setup autentication manager for the user. Try adding this in your SecurityConfiguration class. 

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
    auth
            .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
}

Test it 

curl -X GET -k -vu user:password http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client"

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question HTTP Status 403 - Access is denied Spring security spring security HTTP Status 403 - Access Denied hasRole() not working error Http Status 403 - Access is denied How to fix tomcat HTTP status 403 : access denied spring-oauth2 login success handler Spring-Oauth2 Access Token request never succeeds due to missing CSRF 'preserved state' Access is denied in spring oauth 2 Access Denied (Status 403) error message trying to access index.html file declared in Spring Boot project "status": 403, "error": "Forbidden" "message": "Access Denied" in postman spring boot code Spring Security OAuth - Access is denied
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM