【Question title】: Decouple Authorisation server and resource server with RemoteTokenServices
【Posted】: 2016-01-17 08:10:41
【Question】:

I am trying to use Spring Security and Spring OAuth2 in my project and have separated my authorization server and resource server. I don't want to share the token store between the two servers, so I decided to use RemoteTokenServices and the check_token endpoint. Everything works fine, except that when I query the resource server with an access token I get a "401 Unauthorized" error, as shown below:

2015-10-19 11:50:10.291 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.client.RestTemplate : POST request for "http://localhost:9080/uaa/oauth/check_token/" resulted in 401 (Unauthorized); invoking error handler
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.filter.RequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@41f4867a
2015-10-19 11:50:10.297 ERROR 2590 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[jerseyServlet] : Servlet.service() for servlet [jerseyServlet] in context with path [] threw exception

org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)

Code for the authorization server:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;

    // Tokens are stored only in the authorization server's database; the
    // resource server never reads this store, it calls /oauth/check_token.
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    // Converts a stored token into the map returned by /oauth/check_token.
    @Bean
    public DefaultAccessTokenConverter defaultAccessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(this.tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(defaultAccessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer)
            throws Exception {
        // /oauth/token_key is public; /oauth/check_token requires the caller
        // (here the resource server) to authenticate with its client credentials.
        oauthServer
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

    // Clients (including the resource server's own client_id/secret) are read
    // from the oauth_client_details table.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

}

And the security configuration:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // jdbcAuthentication() needs a DataSource, otherwise the JDBC user
        // store cannot be initialised; users come from the users/authorities tables.
        auth.jdbcAuthentication().dataSource(dataSource);
//            .withUser("John").roles("ADMIN").password("password")
//            .and()
//            .withUser("Mary").roles("BASIC").password("password");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This chain authenticates users with HTTP Basic; the /oauth/* endpoints
        // are protected separately by the AuthorizationServerSecurityConfigurer.
        http.authorizeRequests().antMatchers("/**").authenticated()
            .and().httpBasic().realmName("OAuth Server");
        http.csrf().disable();
    }
}

The resource server is set up as follows:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
public class ResourceConfiguration extends ResourceServerConfigurerAdapter {
    // Must be listed in the token's aud (resource_ids) or the request is refused.
    private static final String RESOURCE_ID = "xn-resource-id";

    private TokenExtractor tokenExtractor = new BearerTokenExtractor();


    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().anyRequest().authenticated();
    }

    // Turns the map returned by /oauth/check_token back into an OAuth2Authentication.
    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    // Validates every bearer token by POSTing it to auth.server.url, authenticating
    // with the client id/secret as HTTP Basic credentials. auth.server.url is the
    // check_token endpoint, e.g. http://localhost:9080/uaa/oauth/check_token
    @Bean
    public RemoteTokenServices remoteTokenServices(final @Value("${auth.server.url}") String checkTokenUrl,
            final @Value("${auth.server.client_id}") String clientId,
            final @Value("${auth.server.client_secret}") String clientSecret) {
        final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
        remoteTokenServices.setClientId(clientId);
        remoteTokenServices.setClientSecret(clientSecret);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }
}

I tested the security setup with curl, using the client_credentials grant type.

Can someone help me figure out what is wrong with the code above?

【Question discussion】:

  • Did you find out what the cause was?

Tags: oauth spring-security


【Solution 1】:

It looks like the URL you are using is incorrect. Try replacing it with:

 http://localhost:9080/uaa/oauth/check_token

(note that the URL does not end with a /)

【Discussion】:
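Why the trailing slash matters, and what the resource server is actually doing, is easier to see with the exchange written out. In spring-security-oauth2 the authorization server registers its own filter chain for the exact paths /oauth/token, /oauth/token_key and /oauth/check_token, and it is that chain that authenticates OAuth clients by their client_id/client_secret. A request for /oauth/check_token/ does not match it and is handled by the application's default chain instead, which in the question is backed by jdbcAuthentication for users and therefore rejects the resource server's client credentials with 401. RemoteTokenServices treats a 400 from check_token as "invalid token" (it reads the error body) but lets any other client error propagate as HttpClientErrorException, which is exactly the trace in the question. The following is an added example, not code from the post or from the Spring projects: a Python client that does what RemoteTokenServices does (POST token=... with HTTP Basic client credentials, then check the returned claims), run against a constructed stand-in for the authorization server that applies client authentication only to the exact check_token path. The client id, secret, token value and claims are assumptions; the resource id is the one from the question.

```python
# Added example; not code from the post or from spring-security-oauth2.
# Client id/secret, token value and claims below are constructed assumptions.
import base64
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_ID, CLIENT_SECRET = "xn-resource", "resource-secret"  # assumed client
RESOURCE_ID = "xn-resource-id"                                # from the post
CHECK_TOKEN_PATH = "/uaa/oauth/check_token"                   # exact path, no slash
TOKENS = {  # constructed: one issued client_credentials token and its claims
    "7f0c2a1e": {"client_id": "curl-client", "scope": ["read"],
                 "aud": [RESOURCE_ID], "exp": int(time.time()) + 3600},
}

def basic_auth_header(client_id, secret):
    """HTTP Basic credential exactly as RemoteTokenServices sends it."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

class StubAuthServer(BaseHTTPRequestHandler):
    """Stand-in for the authorization server: client authentication applies only
    to the exact check_token path; any other path is answered by the 'user'
    chain, which does not know OAuth clients and replies 401."""

    def do_POST(self):
        path = urllib.parse.urlsplit(self.path).path
        expected = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
        if path != CHECK_TOKEN_PATH or self.headers.get("Authorization") != expected:
            return self._reply(401, {"error": "unauthorized"})
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        claims = TOKENS.get(form.get("token", [""])[0])
        if claims is None:  # unknown token: 400 with an error body, not 401
            return self._reply(400, {"error": "invalid_token"})
        self._reply(200, dict(claims, active=True))

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def introspect(check_token_url, client_id, client_secret, token):
    """Resource-server side of the call. 400 carries an error body and means
    'bad token' (ValueError); any other non-2xx means the call itself was
    refused (PermissionError), which is what the question's 401 trace shows."""
    req = urllib.request.Request(
        check_token_url, method="POST",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code != 400:
            raise PermissionError(f"check_token refused: HTTP {err.code}") from err
        body = json.load(err)
    if "error" in body:
        raise ValueError(f"token rejected: {body['error']}")
    return body

def authorize(claims, resource_id, now=None):
    """Checks the resource server applies to the introspection result."""
    now = time.time() if now is None else now
    if not claims.get("active"):
        return False, "inactive"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if resource_id not in claims.get("aud", []):
        return False, "wrong audience"
    return True, "ok"

def run_demo():
    """Start the stub and try the URL with and without the trailing slash."""
    server = HTTPServer(("127.0.0.1", 0), StubAuthServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}{CHECK_TOKEN_PATH}"
    cases = (("with_slash", base + "/", "7f0c2a1e"),
             ("without_slash", base, "7f0c2a1e"),
             ("unknown_token", base, "bogus"))
    results = {}
    try:
        for label, url, token in cases:
            try:
                claims = introspect(url, CLIENT_ID, CLIENT_SECRET, token)
                results[label] = authorize(claims, RESOURCE_ID)
            except (PermissionError, ValueError) as err:
                results[label] = (False, str(err))
    finally:
        server.shutdown()
        server.server_close()
    return results
```

Running run_demo() gives "check_token refused: HTTP 401" for the URL with the trailing slash, "ok" for the bare endpoint, and "token rejected: invalid_token" for an unknown token; the stub's request log shows the path and status of each call. Two simplifications to keep in mind: the real resource server's audience check lives in OAuth2AuthenticationManager and passes when the token carries no aud at all, whereas authorize() above insists on one; and the stub does not evaluate scopes. The practical caveat is the same one the stub encodes: because check_token is protected with isAuthenticated() on the client chain, auth.server.client_id and auth.server.client_secret must be a client registered in the authorization server's oauth_client_details table (the question loads clients with clients.jdbc(dataSource)), otherwise the call returns 401 even with the correct URL.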
