
I followed the Spring Security and Angular JS - A Secure Single Page Application tutorial and downloaded its source code from GitHub. I am trying to simulate a remote application accessing the "resource" API using the "client_credentials" grant_type.

I can obtain a token without any problem by issuing the following command:

    curl "http://acme:acmesecret@192.168.1.12:9999/uaa/oauth/token" -d grant_type=client_credentials -d client_id=acme

This gives me the following token:

    {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w","token_type":"bearer","expires_in":42813,"scope":"read write openid","jti":"bdf5a807-1db9-4266-b1d1-332cfed44484"}

But when I try to use the token to access the API

    curl -v -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w" http://192.168.1.12/8080/resource/resources

I get a 302 response and am redirected to the login page. Here is the output from the authentication server:

2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/css/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/js/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/images/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/**/favicon.ico'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/error'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/login']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/login'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/authorize']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/authorize'; against '/oauth/authorize'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@53614cb0
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /oauth/authorize' doesn't match 'POST /logout
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /oauth/authorize' doesn't match 'POST /login
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.session.SessionManagementFilter  : Requested session ID CCFF7CFAC451E5D4E219B975C94780EF is invalid.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy        : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR; Attributes: [authenticated]
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6276271, returned: -1
2016-04-27 12:38:52.565 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

I did change OAuth2AuthorizationConfig to add the "client_credentials" grant type:

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("acme")
                .secret("acmesecret")
                .scopes("read", "write")
                // client_credentials added so a remote service can obtain a token without an end user
                .authorizedGrantTypes("authorization_code", "refresh_token", "password", "client_credentials")
                .scopes("openid");
    }

But I must be missing something else. Any help is greatly appreciated!

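As an added example, not code from the question or from the tutorial, the Python below decodes the header and claims of the token shown above and applies the checks a resource server makes before accepting a bearer token: expiry, audience (the `aud` list must contain the resource server's configured resource id) and scope. It also shows that a client_credentials token carries no `user_name` claim, only a `client_id`, so the principal behind the request is the client itself. The functions `decode_jwt`, `check_claims` and `principal`, the resource id and the timestamps passed in are assumptions for illustration; the signature is not verified because the authorization server's public key is not on the page.

```python
import base64
import json
import time

# Token exactly as returned by the token endpoint in the question (copied from the page).
SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ."
    "lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w"
)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, claims) of a compact JWS. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def principal(claims):
    """A client_credentials token has no user_name claim: the caller is the client itself."""
    if "user_name" in claims:
        return ("user", claims["user_name"])
    return ("client", claims.get("client_id"))


def check_claims(claims, resource_id, required_scope, now=None):
    """Mirror the checks a resource server applies after the signature has been verified.

    Returns a list of reasons to reject the token; an empty list means accept.
    resource_id is the id the resource server is configured with (assumed value for this example).
    """
    now = time.time() if now is None else now
    problems = []

    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("expired: exp=%s" % exp)

    # aud may be a string or a list; an empty audience is not checked against resource_id.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if aud and resource_id not in aud:
        problems.append("audience mismatch: %s not in %s" % (resource_id, aud))

    # scope may be a space-separated string or a list.
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    if required_scope not in scope:
        problems.append("missing scope: %s" % required_scope)

    return problems


if __name__ == "__main__":
    header, claims = decode_jwt(SAMPLE_TOKEN)
    print("alg:", header["alg"])
    print("principal:", principal(claims))
    print("expires:", time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(claims["exp"])))
    # The page's token has long expired, so this run reports "expired".
    for problem in check_claims(claims, "data-consumer-service", "read"):
        print("reject:", problem)
```

The audience check matters for this setup: the token's `aud` is `data-consumer-service`, so a resource server configured with a different resource id will reject it even though the signature and scopes are fine. Running the script today shows only the expiry rejection; passing an earlier `now` to `check_claims` shows what the resource server saw when the token was fresh.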

1 Answer


I found the solution. When you add a resource server to the class that has "@EnableOAuth2Sso", you can access the resource using the access_token. For example:

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration
            extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            // One requestMatchers() covers both paths: calling http.antMatcher(...) twice
            // would make the second call replace the first, leaving only "/data" behind
            // this bearer-token filter chain.
            http
                    .requestMatchers().antMatchers("/user", "/data")
                    .and()
                    .authorizeRequests().anyRequest().authenticated();
            // @formatter:on
        }
    }
answered 2016-05-03T19:32:33.923