[英]Documentation on creating a spring-security-oauth2 client using java config
[英]spring-security-oauth2 client need to authenticated(relogin) again after get authorization code
我有一個授權服務器和客戶端服務器。 授權服務器運行良好,我用郵遞員對其進行了測試,以獲取accessToken和授權代碼。 但是客戶端服務器不起作用。 在authorization_code模式下,客戶端登錄,然后從授權服務器成功獲取授權代碼,下一步,瀏覽器應重定向到redirect_uri,但沒有,它重定向到客戶端的登錄頁面。
java8,spring-boot-starter-parent-1.4.5.RELEASE,spring-boot-starter-security,spring-security-oauth2
org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(OAuth2ProtectedResourceDetails,AccessTokenRequest)
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth instanceof AnonymousAuthenticationToken) {
if (!resource.isClientOnly()) {
throw new InsufficientAuthenticationException(
"Authentication is required to obtain an access token (anonymous not allowed)");
}
}
來自SecurityContextHolder的身份驗證是AnonymousAuthenticationToken,我不知道為什么。
@SpringBootApplication
@EnableOAuth2Client
public class App {
.............
}
@Configuration
public class CustomWebMvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("index");
registry.addViewController("/login").setViewName("login");
super.addViewControllers(registry);
}
}
@Configuration
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService);
super.configure(auth);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/webjars/**", "/img/**").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/getCurrentUserInfo").authenticated()//the resource that need access token
.anyRequest().permitAll()
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.defaultSuccessUrl("/")
.and()
.csrf()
.disable();
}
.............
@Autowired
private OAuth2ClientContext clientContext;
@RequestMapping("/getCurrentUserInfo")
@ResponseBody
public Map<String, String> getCurrentUserInfo(){
AuthorizationCodeResourceDetails resourceDetails = new AuthorizationCodeResourceDetails();
resourceDetails.setClientId("authorization_code");
resourceDetails.setClientSecret("123456");
resourceDetails.setAccessTokenUri("http://localhost:8080/oauth/token");
resourceDetails.setUserAuthorizationUri("http://localhost:8080/oauth/authorize");
resourceDetails.setScope(Arrays.asList("empty")); OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, clientContext);
Map<String, String> result = restTemplate.getForObject(URI.create("http://localhost:8082/user/getCurrentUserInfo"), HashMap.class);
logger.debug("------------------------- result: {}",result);
return result;
}
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
private static List<String> grantTypes = Arrays.asList("authorization_code", "password", "client_credentials", "implicit");
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if(!grantTypes.contains(username)){
throw new UsernameNotFoundException(String.format("用戶 %s 不存在!", username));
}
User user = new User(username, "123456", Arrays.asList());
return user;
}
}
我很傻,這是一個Cookie(會話)問題。 我的授權服務器和客戶端服務器具有相同的域:本地主機,但端口不同。 授權服務器是8080,客戶端服務器是8081。客戶端服務器首先登錄,具有cookie。 授權需要先登錄才能批准授權。 授權登錄后,將覆蓋客戶的cookie。 當瀏覽器重定向到客戶頁面時,客戶無法找到其與授權cookie的會話。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.