堆棧內存溢出
  簡體   English   中英

spring-oauth2:HTTP狀態403-訪問被拒絕

[英]spring-oauth2: HTTP Status 403 - Access Denied

 原文  2015-09-09 19:49:33       java/ spring/ rest/ curl/ spring-security

問題描述

我嘗試使用curl和spring security oauth2向我的rest-api發送請求,但出現此錯誤: 

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test/oauth/token HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQ6MTIzNDU=
> Content-Length: 99
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 99 out of 99 bytes
< HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 1030
< Date: Wed, 09 Sep 2015 19:37:49 GMT
< 
<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.20 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 403 - Access Denied</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>Access Denied</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><hr class="line"><h3>Apache Tomcat/8.0.20</h3></body><* Connection #0 to host localhost left intact

我的請求: 

curl -X GET -k -vu my-trusted-client:12345 http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client&resource_id=rest_api"

我的代碼的一部分:

我的oauth2serverconfiguration: 

@Configuration
@EnableResourceServer
public class OAuth2ServerConfiguration {

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                    .authorities("USER")
                    .scopes("read", "write", "trust")
                    .resourceIds("rest_api")
                    .secret("12345")
                    .accessTokenValiditySeconds(600);
            // @formatter:on
        }
    }
}

我的安全配置類: 

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        //builder.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        security.authorizeRequests()
            .antMatchers("/oauth/token")
            .hasRole("USER")
            .antMatchers("/greeting").authenticated();
    }
}

我的控制器: 

@Path("/oauth")
@Produces(MediaType.APPLICATION_JSON)
public class TestController {

    public TestController() {
        ApplicationContext applicationContext = new AnnotationConfigApplicationContext(OAuth2ServerConfiguration.class);
        AutowireCapableBeanFactory acbFactory = applicationContext.getAutowireCapableBeanFactory();
        acbFactory.autowireBean(this);
    }

    @GET
    @Path("/token")
    public Response testToken() {

        return Response.status(200).entity("is working \n").build();
    }
}

Spring已經生成了refresh_token,但是我沒有access_token,有人可以幫我嗎? 什么是假的? 我的代碼還是我的要求?

謝謝。

1 個解決方案

解決方案1
 2  2015-09-10 02:01:42

您正在使用grant_type=password參數,這意味着您要使用資源所有者流。 

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

            Figure 5: Resource Owner Password Credentials Flow

   The flow illustrated in Figure 5 includes the following steps:

   (A)  The resource owner provides the client with its username and
        password.

   (B)  The client requests an access token from the authorization
        server's token endpoint by including the credentials received
        from the resource owner.  When making the request, the client
        authenticates with the authorization server.

   (C)  The authorization server authenticates the client and validates
        the resource owner credentials, and if valid, issues an access
        token.

您必須為此流程添加用戶名和密碼,而不僅是client_id和client_secret。

從代碼中,您尚未為用戶設置自動識別管理器。 嘗試將其添加到SecurityConfiguration類中。 

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
    auth
            .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
}

測試一下 

curl -X GET -k -vu user:password http://localhost:8080/test/oauth/token -H "Accept: application/jd "grant_type=password&scope=read&client_secret=12345&client_id=my-trusted-client"

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 HTTP狀態403 - 拒絕訪問Spring安全性 spring 安全 HTTP 狀態 403 - 訪問被拒絕 hasRole()無法正常工作錯誤HTTP狀態403-訪問被拒絕 如何修復tomcat HTTP狀態403:訪問被拒絕 spring-oauth2登錄成功處理程序 由於缺少CSRF'保留狀態',Spring-Oauth2訪問令牌請求永遠不會成功 在春季OAuth 2中拒絕訪問 Access Denied (Status 403) 錯誤消息試圖訪問在 Spring 引導項目中聲明的 index.html 文件 “狀態”:403,“錯誤”:“禁止”“消息”:郵遞員彈簧啟動代碼中的“訪問被拒絕” Spring Security OAuth-訪問被拒絕
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM