spring - Spring Security OAuth2 令牌 URL 请求失败


我正在尝试编写一个配置来保护我的应用程序,只允许受信任的客户端访问它。

这是我目前的配置:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security OAuth2 (1.0.x schema) authorization server plus protected-resource configuration on Spring Security 3.2.
     Two filter chains are defined: one for the token endpoint (clients authenticate) and one for the /api resources (tokens are checked).
     The schemaLocation pairs are resolution hints only; Spring resolves these XSDs from the classpath, not over the network. -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security"
 xmlns:mvc="http://www.springframework.org/schema/mvc"
 xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
 http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
 <!-- Filter chain for the token endpoint: stateless, anonymous access disabled, clients authenticate with HTTP Basic
      (or via request parameters through the custom filter below) against clientAuthenticationManager. -->
 <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
 xmlns="http://www.springframework.org/schema/security">
 <!-- IS_AUTHENTICATED_FULLY rejects anonymous and remember-me principals, so only a fully authenticated client reaches the endpoint. -->
 <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
 <anonymous enabled="false"/>
 <!-- Failed client authentication is answered by the OAuth2 entry point (realm "qeep/client"). -->
 <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
 <!-- include this only if you need to authenticate clients via request parameters -->
 <!-- The filter reads client_id / client_secret from request parameters. Prefer HTTP Basic and leave this out unless
      a client cannot send headers: credentials in query strings tend to end up in access logs and proxies. -->
 <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
 <access-denied-handler ref="oauthAccessDeniedHandler"/>
 </http>
 <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
 <!-- Filter chain for the protected resources: regex-matched URLs, stateless, missing/invalid tokens are reported by oauthAuthenticationEntryPoint. -->
 <http request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
 xmlns="http://www.springframework.org/schema/security">
 <!-- NOTE(review): anonymous authentication is left enabled here, so unauthenticated requests carry an anonymous principal and
      are then rejected by the role rules below through the entry point; confirm that is the intended 401 behaviour. -->
 <!-- <anonymous enabled="false"/> -->
 <!-- Order matters: intercept-url rules are matched top-down, so the specific /api/register/.* rule precedes the /api/.* catch-all. -->
 <!-- NOTE(review): the only client registered below does not list client_credentials, so a token carrying only client authorities
      (ROLE_CLIENT) cannot be obtained from this registry; verify that the /api/register/.* rule is actually reachable. -->
 <intercept-url pattern="/api/register/.*" access="ROLE_CLIENT"/>
 <intercept-url pattern="/api/.*" access="ROLE_USER"/>
 <access-denied-handler ref="oauthAccessDeniedHandler"/>
 <expression-handler ref="oauthWebExpressionHandler"/>
 </http>
 <!-- Entry points produce OAuth2-style error responses; realmName is the realm advertised in the WWW-Authenticate header. -->
 <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
 <property name="realmName" value="qeep"/>
 </bean>
 <bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
 <property name="realmName" value="qeep/client"/>
 </bean>
 <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/> 
 <!-- Authentication manager used for end users (password grant).
      NOTE(review): user-service-ref points at "qeepUserDetailsService", but the bean declared below is "myUserDetailsService".
      Either a component-scanned bean of that name satisfies the reference, or this is a dangling reference; confirm. -->
 <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
 <authentication-provider user-service-ref="qeepUserDetailsService"/>
 </authentication-manager>
 <!-- Not referenced by name anywhere in this file. -->
 <bean id="myUserDetailsService" class="com.example.core.web.rest.auth.QeepUserDetailsService"/>
 <!-- Project-specific token store; DefaultTokenServices persists and looks up access tokens through it and also issues refresh tokens. -->
 <bean id="tokenStore" class="com.example.core.web.rest.auth.QeepTokenStore"/>
 <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
 <property name="tokenStore" ref="tokenStore"/>
 <property name="supportRefreshToken" value="true"/>
 <property name="clientDetailsService" ref="clientDetails"/>
 </bean>
 <!-- Separate authentication manager for OAuth clients: client-id/secret are checked against the client-details registry,
      adapted to a UserDetailsService by ClientDetailsUserDetailsService. -->
 <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
 <authentication-provider user-service-ref="clientDetailsUserService"/>
 </authentication-manager>
 <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
 <constructor-arg ref="clientDetails"/>
 </bean>
 <!-- Optional parameter-based client authentication for the token endpoint (wired into the first chain above). -->
 <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
 <property name="authenticationManager" ref="clientAuthenticationManager"/>
 </bean> 
 <!-- In-memory client registry with a single confidential client.
      NOTE(review): the client secret is stored in clear text in this file; prefer a Spring property placeholder resolved from
      outside the source tree so the secret is not committed. For a confidential client that already holds a secret, consider
      dropping "implicit" from authorized-grant-types, since the implicit grant returns the access token in the browser redirect. -->
 <oauth:client-details-service id="clientDetails">
 <oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token,implicit"
 secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"/>
 </oauth:client-details-service>
 <!-- Authorization server with all five grant types enabled server-side; each client may only use the grants listed in its own
      authorized-grant-types. -->
 <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
 <oauth:authorization-code/>
 <oauth:implicit/>
 <oauth:refresh-token/>
 <oauth:client-credentials/>
 <oauth:password/>
 </oauth:authorization-server>
 <!-- Method-level security (@PreAuthorize/@PostAuthorize) using the OAuth2-aware expression handler. -->
 <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
 <!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
 <sec:expression-handler ref="oauthExpressionHandler"/>
 </sec:global-method-security>
 <oauth:expression-handler id="oauthExpressionHandler"/>
 <oauth:web-expression-handler id="oauthWebExpressionHandler"/>
</beans>

用 curl 访问 /oauth/token 时,服务器先要求客户端认证,使用配置的客户端凭据可以通过认证;但随后 /oauth/token 只返回 404 - Not Found。过去几个小时我尝试了各种办法。

我的配置取自 sparklr/tonr 示例(1.0.5 版),因为我们仍然在用 Spring 3.2。

同样的测试在 sparklr 示例 webapp 中运行良好。

编辑

实际的curl url如下所示:

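# Missing space between the header argument and the URL: two adjacent quoted strings form ONE shell word,
# so curl would receive the URL glued onto the Authorization value and no URL at all.
# The Basic value is base64("client-id:secret") for the client registered in the XML config.
curl -v -H "Authorization: Basic bXktdHJ1c3RlZC1jbGllbnQtd2l0aC1zZWNyZXQ6c29tZXNlY3JldA==" "http://localhost:8084/core/oauth/token"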

不带授权头时我得到 401;加上用 "my-trusted-client-with-secret" 和 "somesecret" 构造的 Basic 授权头之后,却得到 404 Not Found。如果对 sparklr 示例做同样的测试,加上类似的 Basic-Auth 头后,我得到的是一个错误响应。

我希望这能让你更清楚一点。

我的配置有什么问题?



DispatcherServlet 被映射到了错误的 URL:我在尝试修复另一个问题时把它弄坏了。DispatcherServlet 映射到 core/api,令牌服务起初映射到 core/api/oauth/token;后来我把令牌服务改成了 core/oauth/token,却忘了同步修改 DispatcherServlet 的映射。感谢你的提示,Dave!

...