春季OAuth2：InsufficientAuthenticationException

Question

我正在嘗試使用Spring在OAuth2中為我的REST API實現資源所有者流，但是當我嘗試獲取訪問令牌時，出現以下錯誤：

INFO: Handling error: InsufficientAuthenticationException, There is no client authentication. Try adding an appropriate authentication filter.

這是我的Spring配置中與OAuth2設置有關的部分：

<sec:http pattern="/api/oauth/token" create-session="stateless"
          authentication-manager-ref="authenticationManager">
    <sec:intercept-url pattern="/api/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <sec:anonymous enabled="false" />
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<sec:http pattern="/protected/**" create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint">
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/protected/**" method="GET" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
</bean>

<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="springsec/client" />
    <property name="typeName" value="Basic" />
</bean>

<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>

<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>

<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<bean id="clientDetails" class="org.myproject.CustomClientDetailsService">
    <property name="id" value="clientid" />
    <property name="secretKey" value="secret" />
</bean>

<sec:authentication-manager id="userAuthenticationManager">
    <sec:authentication-provider ref="customUserAuthenticationProvider" />
</sec:authentication-manager>

<bean id="customUserAuthenticationProvider"
      class="org.myproject.CustomAuthenticationProvider">
</bean>

<oauth:authorization-server
        client-details-service-ref="clientDetails" token-services-ref="tokenServices">
    <oauth:authorization-code />
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials />
    <oauth:password authentication-manager-ref="userAuthenticationManager"/>
</oauth:authorization-server>

<oauth:resource-server id="resourceServerFilter"
                       resource-id="springsec" token-services-ref="tokenServices" />


<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<!--<bean id="tokenStore"-->
      <!--class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />-->

<bean id="tokenServices"
      class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="accessTokenValiditySeconds" value="120"></property>
    <property name="clientDetailsService" ref="clientDetails" />
</bean>

<mvc:annotation-driven />

<mvc:default-servlet-handler />
<context:annotation-config />

這是我用來獲取令牌的curl命令：

✗ curl --user clientapp:secret --data "grant_type=password" --trace-ascii /dev/stdout http://localhost:8080/api/oauth/token    
== Info: Hostname was NOT found in DNS cache
== Info:   Trying 127.0.0.1...
== Info: Connected to localhost (127.0.0.1) port 8080 (#0)
== Info: Server auth using Basic with user 'clientapp'
=> Send header, 210 bytes (0xd2)
0000: POST /api/oauth/token HTTP/1.1
0020: Authorization: Basic Y2xpZW50YXBwOnNlY3JldA==
004f: User-Agent: curl/7.35.0
0068: Host: localhost:8080
007e: Accept: */*
008b: Content-Length: 19
009f: Content-Type: application/x-www-form-urlencoded
00d0: 
=> Send data, 19 bytes (0x13)
0000: grant_type=password
== Info: upload completely sent off: 19 out of 19 bytes
<= Recv header, 27 bytes (0x1b)
0000: HTTP/1.1 401 Unauthorized
<= Recv header, 37 bytes (0x25)
0000: Date: Fri, 09 Oct 2015 15:05:23 GMT
<= Recv header, 25 bytes (0x19)
0000: Cache-Control: no-store
<= Recv header, 18 bytes (0x12)
0000: Pragma: no-cache
<= Recv header, 152 bytes (0x98)
0000: WWW-Authenticate: Bearer error="unauthorized", error_description
0040: ="There is no client authentication. Try adding an appropriate a
0080: uthentication filter."
<= Recv header, 46 bytes (0x2e)
0000: Content-Type: application/json;charset=UTF-8
<= Recv header, 28 bytes (0x1c)
0000: Transfer-Encoding: chunked
== Info: Server Jetty(9.2.10.v20150310) is not blacklisted
<= Recv header, 33 bytes (0x21)
0000: Server: Jetty(9.2.10.v20150310)
<= Recv header, 2 bytes (0x2)
0000: 
<= Recv data, 134 bytes (0x86)
0000: 82
0004: {"error":"unauthorized","error_description":"There is no client 
0044: authentication. Try adding an appropriate authentication filter.
0084: "}
<= Recv data, 7 bytes (0x7)
0000: 
0002: 0
0005: 
== Info: Connection #0 to host localhost left intact
{"error":"unauthorized","error_description":"There is no client authentication. Try adding an appropriate authentication filter."}%   

Answer 1

我能夠解決我的問題。

我必須將此過濾器添加到我的web.xml中：

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>