0

我正在使用 Spring 和本教程构建 Oauth 服务器。

在资源服务器实现期间,我注意到令牌密钥端点 (/oauth/token_key) 不是公开的。

基于此文档,我尝试将以下内容添加到 AuthorizationServerConfigurerAdapter:

security.tokenKeyAccess("permitAll()")
                .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");

并且:

security.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
               .checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");

两种配置都不起作用。我还尝试在我的 WebSecurityAdapter 上添加一条规则:

protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/oauth/token_key").permitAll();
}

现在我将看到一个对话框,询问登录名和密码,当我单击取消时,我将收到以下信息:

There was an unexpected error (type=Unauthorized, status=401).
Unauthorized
org.springframework.security.access.AccessDeniedException: You need to authenticate to see a shared key
    at org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(TokenKeyEndpoint.java:58)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    (...)

我错过了什么吗?

4

1 回答 1

0

经过一番调查,我发现了问题:我忘记将 keyPair 注入用于转换为 JWT 的 tokenConverter 并添加一些额外的用户信息:

//Inside AuthorizationServerConfigurerAdapter

@Autowired
private MyJwtTokenEnhancer jwtTokenEnhancer;
@Autowired
private KeystoreService keystoreService;

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        //this line solved the issue
        jwtTokenEnhancer.setKeyPair(keystoreService.getKeyPair());

        endpoints.authenticationManager(manager)
            .accessTokenConverter(jwtTokenEnhancer)
            .tokenStore(tokenStore())
            .addInterceptor(new AuditInterceptor());
}
于 2019-05-02T16:10:39.713 回答