
Grails spring security oauth2 provider request for resource with correct bearer token redirects to login

As the title says, I have a controller method protected by the oAuth2 plugin, but when I send it a request containing the correct Authorization: Bearer <token> header (using Postman), the response I get is the HTML of the login page.

The method in question:

@Secured(["ROLE_USER", "#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
def getUserData() {
    response.setContentType("application/json")
    User u = springSecurityService.currentUser
    println u
    render u.mseUserInfo
}

Config.groovy:

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.auth.loginFormUrl = '/mse/login'

grails.plugin.springsecurity.userLookup.userDomainClassName = 'cz.improvisio.MSEauthProvider.user.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'cz.improvisio.MSEauthProvider.user.UserRole'
grails.plugin.springsecurity.authority.className = 'cz.improvisio.MSEauthProvider.user.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/oauth/authorize.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/oauth/token.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/mse/login':["permitAll"],
    '/mse/':["permitAll"],
    '/**':["permitAll"]]



// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'cz.improvisio.MSEauthProvider.user.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'cz.improvisio.MSEauthProvider.user.AuthCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.RefreshToken'

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

This is the client created from Bootstrap.groovy:

new Client(
    clientId: 'testClient',
    authorizedGrantTypes: [
        'authorization_code',
        'refresh_token',
        'implicit',
        'password',
        'client_credentials'
    ],
    authorities: ['ROLE_CLIENT'],
    scopes: ['read', 'write'],
    redirectUris: ['http://test.com']
).save(flush: true)

And a somewhat related question: I can't find a way to link the access token to the User whose resources it grants access to, so I assumed I could get it via springSecurityService. Is this the correct approach? Or do I need to pass the userId to the method (is that what OpenAM does?)?

Turns out I didn't have the proper filter chain set up for my action. Changing the config to

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/myController/getUserData': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

fixed it.
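Why the answer works, as an added illustration that is not part of the original post or of the plugin's own code: chainMap entries are matched in map order, first match wins, and a `JOINED_FILTERS,-x,-y` spec is the full chain minus the named filters. In the original config `/myController/getUserData` fell through to `/**`, whose spec removes `oauth2ProviderFilter` (the filter that reads `Authorization: Bearer`) and keeps `exceptionTranslationFilter` (which sends an unauthenticated caller to `loginFormUrl`), so the token was never evaluated and the request was redirected to the login page. The Python model below resolves both versions of the chainMap from the post for that path. The list `JOINED_FILTERS` and its ordering are an assumption for this example (the real set and order depend on the installed plugin versions), and the Ant-style matcher is a simplified one.

```python
import re

# Assumed membership and order of JOINED_FILTERS for this deployment (illustrative;
# the names are the ones referenced in the Config.groovy above).
JOINED_FILTERS = [
    "securityContextPersistenceFilter",
    "statelessSecurityContextPersistenceFilter",
    "logoutFilter",
    "authenticationProcessingFilter",
    "clientCredentialsTokenEndpointFilter",
    "oauth2BasicAuthenticationFilter",
    "rememberMeAuthenticationFilter",
    "anonymousAuthenticationFilter",
    "oauth2ProviderFilter",
    "exceptionTranslationFilter",
    "oauth2ExceptionTranslationFilter",
    "filterInvocationInterceptor",
]

# The three chain specs copied from the post's Config.groovy.
TOKEN_CHAIN = ("JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,"
               "-logoutFilter,-authenticationProcessingFilter,"
               "-rememberMeAuthenticationFilter,-exceptionTranslationFilter")
RESOURCE_CHAIN = ("JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,"
                  "-authenticationProcessingFilter,-rememberMeAuthenticationFilter,"
                  "-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter")
DEFAULT_CHAIN = ("JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,"
                 "-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,"
                 "-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter")

# chainMap from the question (before) and from the answer (after), in map order.
CHAIN_MAP_BEFORE = [
    ("/oauth/token", TOKEN_CHAIN),
    ("/securedOAuth2Resources/**", RESOURCE_CHAIN),
    ("/**", DEFAULT_CHAIN),
]
CHAIN_MAP_AFTER = [
    ("/oauth/token", TOKEN_CHAIN),
    ("/securedOAuth2Resources/**", RESOURCE_CHAIN),
    ("/myController/getUserData", RESOURCE_CHAIN),
    ("/**", DEFAULT_CHAIN),
]


def ant_to_regex(pattern):
    """Translate a simplified Ant-style pattern (**, *, ?) into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def expand_chain(spec):
    """Expand 'JOINED_FILTERS,-a,-b' into the ordered filters that remain; reject typos."""
    parts = [p.strip() for p in spec.split(",")]
    if parts[0] != "JOINED_FILTERS":
        raise ValueError("only JOINED_FILTERS specs are modelled here")
    removed = set()
    for p in parts[1:]:
        if not p.startswith("-") or p[1:] not in JOINED_FILTERS:
            raise ValueError(f"unknown or malformed filter entry {p!r}")
        removed.add(p[1:])
    return [f for f in JOINED_FILTERS if f not in removed]


def resolve_chain(chain_map, path):
    """First chainMap entry whose pattern matches wins, as in the plugin's ordered map."""
    for pattern, spec in chain_map:
        if re.match(ant_to_regex(pattern), path):
            return pattern, expand_chain(spec)
    raise LookupError(f"no chainMap entry matches {path}")


def diagnose(chain_map, path):
    """Report which entry handles `path` and what that means for a Bearer request."""
    pattern, chain = resolve_chain(chain_map, path)
    return {
        "matched": pattern,
        "chain": chain,
        # oauth2ProviderFilter is the filter that authenticates Authorization: Bearer.
        "bearer_token_checked": "oauth2ProviderFilter" in chain,
        # exceptionTranslationFilter redirects anonymous callers to loginFormUrl;
        # oauth2ExceptionTranslationFilter answers 401 with WWW-Authenticate instead.
        "login_redirect_on_denial": "exceptionTranslationFilter" in chain,
    }


if __name__ == "__main__":
    for label, cm in (("before", CHAIN_MAP_BEFORE), ("after", CHAIN_MAP_AFTER)):
        d = diagnose(cm, "/myController/getUserData")
        print(f"{label}: matched {d['matched']!r}, bearer checked={d['bearer_token_checked']}, "
              f"login redirect={d['login_redirect_on_denial']}")
```

Two checks worth keeping in mind when editing this map by hand: the specific entry must come before `/**` or it is never reached (the answer places it correctly), and a misspelled filter name in a `-filter` term is a configuration error rather than a silent no-op, which `expand_chain` mirrors by raising.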
