【发布时间】:2018-06-12 20:34:58
【问题描述】:
我的个人项目需要 oauth2,所以我正在阅读 Spring 网站上的 this 教程。
我的配置主要取自他们的example project,安全模块。
但是,当我启动应用程序时,我无法获得令牌。当我尝试向http://localhost:8080/oauth/token 发出 POST 请求时,服务器一直显示“需要完全身份验证才能访问此资源”。
我正在使用 Postman 创建请求。使用 Import 进行转换:
curl -X POST -vu android-bookmarks:123456 http://localhost:8080/oauth/token -H "Accept: application/json" -d "password=password&username=defaultuser&grant_type=password&scope=write&client_secret=123456&client_id=android-gps_tracker_server"
我花了一些时间寻找答案,但我发现的所有案例都不适合我。可能是什么问题?
下面是配置代码: WebSecurityConfiguration:
@Configuration
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter{
final private PlayerRepository playerRepository;
@Autowired
public WebSecurityConfiguration(PlayerRepository playerRepository) {
this.playerRepository = playerRepository;
}
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService());
}
@Bean
UserDetailsService userDetailsService() {
return (username) -> playerRepository.findByUserName(username)//@formatter:off
.map(a -> new User(a.getUserName(), a.getPassword(), true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_USER", "write")))
.orElseThrow(() -> new UsernameNotFoundException("could not find the user '" + username + "'"));//@formatter:on
}
}
OAuth2 配置:
@Configuration
@EnableResourceServer
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter{
private final String applicationName = "gps_tracker_server";
private final AuthenticationManagerBuilder authenticationManager;
@Autowired
public OAuth2Configuration(AuthenticationManagerBuilder authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(new AuthenticationManager(){
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
return authenticationManager.getOrBuild().authenticate(authentication);
}
});
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("android-" + applicationName)
.authorizedGrantTypes("password", "authorization_code", "refresh_token")
.authorities("ROLE_USER")
.scopes("write")
.resourceIds(applicationName)
.secret("123456");
}
还有主应用:
@SpringBootApplication
public class GpsTrackerServerApplication{
public static void main(String[] args) {
SpringApplication.run(GpsTrackerServerApplication.class, args);
}
@Bean
FilterRegistrationBean corsFilter(@Value("${tagit.origin:http://localhost:9000}") String origin) {
return new FilterRegistrationBean(new Filter(){
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String method = request.getMethod();
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS,DELETE");
response.setHeader("Access-Control-Max-Age", Long.toString(60 * 60));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization");
if ("OPTIONS".equals(method)) {
response.setStatus(HttpStatus.OK.value());
} else {
chain.doFilter(req, res);
}
}
public void init(FilterConfig filterConfig) { }
public void destroy() { }
});
}
}
还有两个YML文件,一个是application-https.yml,另一个是application.yml。后者仅保存数据库凭据和“profiles.active: https”。第一个看起来像这样:
server:
port: 8443
ssl:
key-store: classpath:tomcat.keystore
key-store-password: defaultuser
key-password: defaultuser
【问题讨论】: