Spring Security Oauth: migration from xml to annotations
I'm trying to migrate from XML to annotations. But I can't configure the /oauth/token endpoint correctly: it doesn't accept my POST query parameters.
Request:
curl -X POST -d "grant_type=password&client_secret=secret&client_id=testclient&username=root&password=password" http://localhost:8080/oauth/token
Logs:
2014-09-07 16:33:39 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/oauth/token'; against '/oauth/token'
2014-09-07 16:33:39 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /oauth/token; Attributes: [fullyAuthenticated]
2014-09-07 16:33:39 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2014-09-07 16:33:39 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@302753d0, returned: -1
2014-09-07 16:33:39 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
XML (works fine):
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="authenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
Annotation version:
@Configuration
@EnableWebSecurity
@EnableAuthorizationServer
public class SecurityConfig {

    @Bean
    public AuthorizationServerConfigurer authorizationServerConfigurer() {
        return new AuthorizationServerConfigurerAdapter() {
            @Override
            public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
                oauthServer.authenticationEntryPoint(customEntryPoint());
            }

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.tokenStore(tokenStore());
                endpoints.authenticationManager(authenticationManager());
                endpoints.clientDetailsService(clientDetailsService());
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.withClientDetails(clientDetailsService());
            }
        };
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MD5PasswordEncoder();
    }

    @Bean
    public OAuth2AuthenticationEntryPoint customEntryPoint() {
        OAuth2AuthenticationEntryPoint oAuth2AuthenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        oAuth2AuthenticationEntryPoint.setRealmName("springsec/client");
        oAuth2AuthenticationEntryPoint.setTypeName("Basic");
        return oAuth2AuthenticationEntryPoint;
    }

    @Bean
    public TokenStoreDao tokenStoreDao() {
        return new TokenStoreDaoImpl();
    }

    @Bean
    public TokenStore tokenStore() {
        MongoTokenStore tokenStore = new MongoTokenStore();
        tokenStore.setTokenStoreDao(tokenStoreDao());
        return tokenStore;
    }

    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        OAuth2AuthenticationManager oAuth2AuthenticationManager = new OAuth2AuthenticationManager();
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore());
        oAuth2AuthenticationManager.setTokenServices(tokenServices);
        return oAuth2AuthenticationManager;
    }

    @Bean
    public ClientDetailsService clientDetailsService() {
        return new OAuthClienDetailsService();
    }

    @Bean
    public ClientDetailsUserDetailsService clientDetailsUserDetailsService() {
        return new ClientDetailsUserDetailsService(clientDetailsService());
    }

    @Bean
    public AuthenticationProvider authenticationProvider() throws Exception {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(clientDetailsUserDetailsService());
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        authenticationProvider.afterPropertiesSet();
        return authenticationProvider;
    }
}
Any suggestions?
The answer is:
.allowFormAuthenticationForClients();
@Bean
public AuthorizationServerConfigurer authorizationServerConfigurer() {
    return new AuthorizationServerConfigurerAdapter() {
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer
                .authenticationEntryPoint(customEntryPoint())
                // Accept client_id/client_secret sent as form parameters on /oauth/token
                .allowFormAuthenticationForClients();
        }
        // The other configure(...) overrides stay as in the question
    };
}
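How the annotation-based configuration lines up with the working XML block, written out as a complete class. This is an added example, not code from the original post: the class name AuthServerConfig, the in-memory client (values taken from the question's curl request, scope constructed) and the injected user AuthenticationManager bean are assumptions, and it targets the spring-security-oauth2 2.0.x API used on the page.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;

// Hypothetical class name; added example, not the asker's code.
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: the user AuthenticationManager is exposed as a bean (needed for grant_type=password).
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
        entryPoint.setRealmName("springsec/client");
        entryPoint.setTypeName("Basic");
        security
            // XML: <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
            .authenticationEntryPoint(entryPoint)
            // XML: <custom-filter ref="clientCredentialsTokenEndpointFilter"
            //      before="BASIC_AUTH_FILTER"/>. Without it nothing reads client_id and
            //      client_secret from the form body, the request stays anonymous, and
            //      the fullyAuthenticated rule seen in the log denies it.
            .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed in-memory client matching the question's curl request; "read" is a placeholder scope.
        clients.inMemory()
            .withClient("testclient")
            .secret("secret")
            .authorizedGrantTypes("password")
            .scopes("read");
    }
}
```

HTTP Basic client authentication remains enabled next to the form filter, so a client can also send testclient:secret in the Authorization header and keep the secret out of the request body.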