
令牌URL因Spring Security OAuth2而失敗

[英]Token URL fails with spring security oauth2

我正在嘗試建立一個 OAuth2 配置來保護我的 Web 應用程序，並且只允許提供了用戶憑據的受信任客戶端訪問該應用程序。

這是我到目前為止的配置：

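<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Spring Security OAuth2 provider configuration for a Spring 3.2 / spring-security-oauth2 1.0 application.
    Two security filter chains are declared: one for the token endpoint (clients authenticate with their
    client credentials) and one for the protected REST resources (requests authenticate with a bearer token).
    Every bean id referenced from the <http> blocks is declared later in this same file.
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
     http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
    <!-- The schema URLs above are identifiers; Spring normally resolves them from META-INF/spring.schemas on
         the classpath rather than fetching them, so the declared versions must match the jars on the classpath. -->

    <!-- Filter chain for the token endpoint only. Clients must authenticate on every request
         (stateless, anonymous access disabled, IS_AUTHENTICATED_FULLY), normally via HTTP Basic; a request
         without credentials gets the 401 challenge issued by clientAuthenticationEntryPoint. -->
    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <!-- include this only if you need to authenticate clients via request parameters -->
        <!-- Note: client secrets sent as request parameters can end up in access logs and proxy logs;
             prefer the Basic header and drop this filter if no client actually needs parameter auth. -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
    <!-- request-matcher="regex": the patterns below are regular expressions and the first matching
         intercept-url wins, so the more specific /api/register/.* rule must stay ahead of /api/.* -->
    <http request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
        <!-- <anonymous enabled="false" /> -->
        <intercept-url pattern="/api/register/.*" access="ROLE_CLIENT" />
        <intercept-url pattern="/api/.*" access="ROLE_USER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <!-- OAuth2-aware expression handler for the access rules of this chain (declared at the bottom). -->
        <expression-handler ref="oauthWebExpressionHandler" />
    </http>

    <!-- Entry point for the resource chain: produces the OAuth2 error response when no valid token is presented. -->
    <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="qeep" />
    </bean>

    <!-- Entry point for the token endpoint chain: the 401 challenge sent when client credentials are missing. -->
    <bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="qeep/client" />
    </bean>

    <!-- Shared 403 handler for both chains. -->
    <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    <!-- Authentication manager for end users (resource owners). The alias "authenticationManager" is
         presumably what the password grant below resolves by default; confirm against the oauth2 1.0 schema. -->
    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <!-- Fixed: the reference used to be "qeepUserDetailsService", but no bean with that id is declared
             in this file; the UserDetailsService bean declared below is "myUserDetailsService". -->
        <authentication-provider user-service-ref="myUserDetailsService" />
    </authentication-manager>

    <!-- Application-specific user lookup backing the user authentication manager above. -->
    <bean id="myUserDetailsService" class="com.example.core.web.rest.auth.QeepUserDetailsService"/>

    <!-- Application-specific persistence for issued access and refresh tokens. -->
    <bean id="tokenStore" class="com.example.core.web.rest.auth.QeepTokenStore" />

    <!-- Token issuance. No validity periods are set here, so the DefaultTokenServices defaults apply;
         set accessTokenValiditySeconds / refreshTokenValiditySeconds explicitly if the defaults are too long. -->
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <!-- Authentication manager for OAuth2 clients, used by the token endpoint chain. -->
    <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <!-- Adapts the client registry so client ids/secrets can be authenticated like user accounts. -->
    <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!-- Optional filter that authenticates clients from client_id / client_secret request parameters. -->
    <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="clientAuthenticationManager" />
    </bean>

    <!-- In-memory client registry.
         The client secret is stored in plaintext in this file; keep a real secret out of source control
         (for example via a property placeholder) and do not reuse this sample value.
         authorization_code and implicit are enabled without a registered redirect-uri; in this release the
         redirect resolver may then accept whatever redirect_uri the request supplies, which lets codes or
         tokens be delivered to an attacker-chosen location. Register the allowed redirect-uri, or remove
         those grant types if this client only uses the password grant. Confirm against DefaultRedirectResolver. -->
    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
                      secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" />
    </oauth:client-details-service>

    <!-- Authorization server: every grant type is enabled here; each client is still limited to its own
         authorized-grant-types. Remove the grants no client needs to shrink the attack surface. -->
    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>

    <!-- Method-level security with OAuth2 expressions (e.g. scope checks) available in @PreAuthorize. -->
    <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
        <!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
        <sec:expression-handler ref="oauthExpressionHandler" />
    </sec:global-method-security>

    <oauth:expression-handler id="oauthExpressionHandler" />

    <oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>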

如果我用 curl 訪問 /oauth/token，會收到一個要求客戶端授權的請求，我用配置的客戶端憑據完成了它。但是在此之後 /oauth/token 只返回 404 - Not found。在過去的幾個小時裡，我嘗試了不同的方法，但都沒有成功。

我從oauth2 1.0.5的sparklr / tonr樣本中提取了配置,我使用了它,因為我們仍在Spring 3.2上。

相同的測試在sparklr-Sample-webapp中可以正常工作。

編輯

實際的curl網址如下:

curl -v -H "Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQtd2l0aC1zZWNyZXQ6c29tZXNlY3JldA==" "http://localhost:8084/core/oauth/token"

如果沒有 Authorization 標頭，我會收到一個 401，要求進行已配置的客戶端身份驗證（"my-trusted-client-with-secret" 和 "somesecret"）；但是加上授權標頭後，我只會得到 404 - Not found。如果我用 sparklr 範例做同樣的測試，在加上如上所述的 Basic-Auth 標頭之後，會出現一個詢問授權類型（grant type）的錯誤，這正是我所期望的。

我希望這可以使事情變得更清楚。

任何想法我的配置有什么問題嗎?

DispatcherServlet 映射到了錯誤的 URL，這是我在嘗試解決最初遇到的問題時弄壞的。DispatcherServlet 映射到 core/api，令牌服務最初映射到 core/api/oauth/token，後來我把它改為 core/oauth/token，但忘記了同步更改 DispatcherServlet 的映射。謝謝 Dave 的提示！

