I have followed the Spring Security and Angular JS - A Secure Single Page Application tutorial and downloaded its source from GITHUB. I am trying to simulate a remote application hitting the "resource" api using the "client_credentials" grant_type.
I can get the token just fine by issuing this command:
curl "http://acme:acmesecret@192.168.1.12:9999/uaa/oauth/token" -d grant_type=client_credentials -d client_id=acme
which gives me the following token:
{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w","token_type":"bearer","expires_in":42813,"scope":"read write openid","jti":"bdf5a807-1db9-4266-b1d1-332cfed44484"}
However, when I try to use the token to access the API
curl -v -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w" http://192.168.1.12/8080/resource/resources
I get a 302 response and get redirected to the login page. Here is the output from the auth server:
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/css/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/js/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/images/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/**/favicon.ico'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/error'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/login']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/login'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/authorize']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/oauth/authorize'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : matched
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@53614cb0
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/authorize' doesn't match 'POST /logout
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/authorize' doesn't match 'POST /login
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.session.SessionManagementFilter : Requested session ID CCFF7CFAC451E5D4E219B975C94780EF is invalid.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR; Attributes: [authenticated]
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6276271, returned: -1
2016-04-27 12:38:52.565 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
I did change the OAuth2AuthorizationConfig to add the "client_credentials" grant type
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("acme")
.secret("acmesecret")
.scopes("read","write")
.authorizedGrantTypes("authorization_code", "refresh_token","password","client_credentials")
.scopes("openid");
}
But I must be missing something else. Any assistance is much appreciated!
I found the solution. When, you add a resource server to your class which has the "@EnableOAuth2Sso", then you can access the resource using an access_token. For example:
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration
extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.antMatcher("/user")
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("/data")
.authorizeRequests().anyRequest().authenticated();
// @formatter:on
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.