【问题标题】:Grails Spring Securiy Oauth Provider plugin: Full authentication is required to access this resourceGrails Spring Securiy Oauth Provider 插件:访问此资源需要完全身份验证
【发布时间】:2015-04-15 09:20:33
【问题描述】:

我正在使用 grails “Spring Security OAuth Provider”插件。而且我能够在以下 URL 的响应中获得 访问代码

http://localhost:8080/oauthServer/oauth/authorize?response_type=code&client_id=test_client&scope=read&redirect_uri=http://example.com?

但是,当我使用以下 URL 通过 访问代码 发送获取 访问令牌 的请求时,我收到“访问此资源需要完全身份验证”错误消息。

curl -header "Authorization: Basic bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==" http://localhost:8080/oauthServer/oauth/token?grant_type=authorization_code&code=kuH8aC

注意:base64(client_id:client_secret)=bnVkZ2VDbGllbnQ6YjRkNzA3NmE3YTA4N2E4MWMzMTE2ZjZlNWQzZWY0MDJjNmQ4ZjM3Nw==

下面给出了完整的错误消息。

<oauth>
 <error_description>
   Full authentication is required to access this resource
 </error_description>
 <error>unauthorized</error>
</oauth>

我错过了什么。请建议。

谢谢

更新 1

其实我在关注 this documentation 的 Spring security oauth provider plugin。

这是我的配置设置。

// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'com.oauth.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'com.oauth.AuthorizationCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'com.oauth.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'com.oauth.RefreshToken'
grails.plugin.springsecurity.logout.postOnly = false

//grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/client/index'

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.auth.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.auth.UserRole'
grails.plugin.springsecurity.authority.className = 'com.auth.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/oauth/authorize.dispatch':      ["isFullyAuthenticated() and (request.getMethod().equals('GET') or request.getMethod().equals('POST'))"],
    '/oauth/token.dispatch':          ["isFullyAuthenticated() and request.getMethod().equals('POST')"],
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/assets/**':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

grails.plugin.springsecurity.providerNames = [
        'clientCredentialsAuthenticationProvider',
        'daoAuthenticationProvider',
        'anonymousAuthenticationProvider',
        'rememberMeAuthenticationProvider'
]

grails.exceptionresolver.params.exclude = ['password', 'client_secret']

grails.plugin.springsecurity.filterChain.chainMap = [
        '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
        '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-rememberMeAuthenticationFilter',
        '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter'
]

我的控制器是默认控制器。

@Secured(["#oauth2.clientHasRole('ROLE_CLIENT')"])
    def clientRoleExpression() {
        render "client role expression"
    }

    @Secured(["ROLE_CLIENT"])
    def clientRole() {
        render "client role"
    }

    @Secured(["#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
    def clientHasAnyRole() {
        render "client has any role"
    }

    @Secured(["#oauth2.isClient()"])
    def client() {
        render "is client"
    }

    @Secured(["#oauth2.isUser()"])
    def user() {
        // code
    }

    @Secured(["#oauth2.isUser()"])
    def getSubscriptionDetail() {
       //code
    }

    @Secured(["#oauth2.isUser()"])
    def getHistory(){
        //code 
    }

    @Secured(["#oauth2.denyOAuthClient()"])
    def denyClient() {
        render "no client can see"
    }

    @Secured(["permitAll"])
    def anyone() {
        render "anyone can see"
    }

    def nobody() {
        render "nobody can see"
    }

    @Secured(["#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('trust')"])
    def trustedClient() {
        render "trusted client"
    }

    @Secured(["hasRole('ROLE_USER') and #oauth2.isUser() and #oauth2.hasScope('trust')"])
    def trustedUser() {
        render "trusted user"
    }

    @Secured(["hasRole('ROLE_USER') or #oauth2.hasScope('read')"])
    def userRoleOrReadScope() {
        render "user role or read scope"
    }

【问题讨论】:

  • 您使用的是哪个 grails 版本?我认为您应该为您的操作提供完整的身份验证。
  • 需要更多信息。发布您的配置、路由和控制器。
  • 你是怎么解决这个问题的?,我也遇到了同样的问题

标签: grails oauth-2.0 spring-security-oauth2 oauth-provider


【解决方案1】:

您的令牌端点配置要求请求是 POST。除非你的 curl 命令比上面显示的更多,否则你需要有类似

的东西
curl -X POST

除了您的 --header 选项。

【讨论】:

    【解决方案2】:

    我不知道这个问题的确切原因,但这个问题不在插件的最新版本中。请使用此插件的最新版本。

    【讨论】:

      猜你喜欢
      • 2016-11-11
      • 2016-10-03
      • 2018-01-07
      • 2015-01-08
      • 2018-09-11
      • 2019-01-01
      • 2020-11-21
      • 2020-03-30
      • 2022-01-03
      相关资源
      最近更新 更多