stackoom
  简体   繁体   中英

Grails spring security oauth2 provider request for resource with correct bearer token redirects to login

 原文  2015-12-11 23:55:58       spring/ grails/ spring-security/ oauth-2.0/ spring-security-oauth2

Question

As the title implies, I have a controller method protected by the oAuth2 plugin, but when I send a request to it including a correct Authorization: Bearer <token> (using Postman), the response I get is the HTML for the login page.

Method in question: 

@Secured(["ROLE_USER", "#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
    def getUserData(){
        response.setContentType("application/json")
        User u = springSecurityService.currentUser
        println u
        render u.mseUserInfo
    }

Config.groovy: 

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.auth.loginFormUrl = '/mse/login'

grails.plugin.springsecurity.userLookup.userDomainClassName = 'cz.improvisio.MSEauthProvider.user.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'cz.improvisio.MSEauthProvider.user.UserRole'
grails.plugin.springsecurity.authority.className = 'cz.improvisio.MSEauthProvider.user.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/oauth/authorize.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/oauth/token.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/mse/login':["permitAll"],
    '/mse/':["permitAll"],
    '/**':["permitAll"]]



// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'cz.improvisio.MSEauthProvider.user.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'cz.improvisio.MSEauthProvider.user.AuthCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.RefreshToken'

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

This is the client creation from Bootstrap.groovy: 

new Client(
                clientId: 'testClient',
                authorizedGrantTypes: [
                    'authorization_code',
                    'refresh_token',
                    'implicit',
                    'password',
                    'client_credentials'
                ],
                authorities: ['ROLE_CLIENT'],
                scopes: ['read', 'write'],
                redirectUris: ['http://test.com']).save(flush: true)

And one more slightly related question: I couldnt find a way to get the User to whose resources the access token should be linked to, so I assumed Id be able to get it through springSecurityService. Is this the correct way of doing so? Or do I need to pass the userId to the method (and will OpenAM do it?)?

1 answers

solution1
 2 ACCPTED  2015-12-15 11:15:55

Turns out I didnt have the proper filter chain set up for my action. Changing config to 

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
'/myController/getUserData': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

fixed it.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security OAuth2 always redirects to /login page having a valid Bearer header How to use Spring Boot/Spring Security to wrap a call to an OAuth2 bearer token request? JWT bearer exchange for access token request using Spring Security OAuth2 Spring Security is not working with Authorization: Bearer token from OAuth2 How to implement form-based login with spring security in grails and existing oauth2 provider Spring Security OAuth2- POST request to oauth/token redirects to login and role displays ROLE_ANONYMOUS Grails spring security Oauth2 Grails and Oauth2 Spring security Spring Security with oAuth2 /oAuth/Token request 405 method not allow Spring Security OAuth2 Resource Server Always Returning Invalid Token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM