使用 oAuth2 /oAuth/Token 请求 405 方法的 Spring Security 不允许

【问题标题】:Spring Security with oAuth2 /oAuth/Token request 405 method not allow使用 oAuth2 /oAuth/Token 请求 405 方法的 Spring Security 不允许
【发布时间】:2016-05-20 18:28:34
【问题描述】:

我在 Spring Security 中使用 oAuth2 令牌。如果我使用与 Spring boot 1.3.0 相同的配置,它对我来说工作正常。但是当我使用与 Spring Mvc applicaito 相同的配置时。然后它会创建一个问题

/oAuth/token ---> 发布 405 方法不允许。

我的 oAuth 配置如下:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
public class OAuth2ServerConfiguration {

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Autowired
        private HttpUnauthorizedEntryPoint authenticationEntryPoint;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
            .and()
                .csrf()
                .disable()
                .headers()
                .frameOptions().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/webhook/**").permitAll() 
                .antMatchers("/app/**").permitAll() 
                .antMatchers("/api/**").authenticated() 
                .antMatchers("/protected/**").authenticated();

        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends
            AuthorizationServerConfigurerAdapter {

        @Autowired
        private DataSource dataSource;

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {

            endpoints.tokenStore(tokenStore()).authenticationManager(
                    authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer)
                throws Exception {
            oauthServer.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
            clients
                .inMemory()
                .withClient(Constants.htgappClientId)
                .scopes("read", "write")
                .authorities("ROLE_ADMIN", "ROLE_USER") 
                .authorizedGrantTypes("password", "refresh_token", "authorization_code", "implicit")
                .secret(Constants.htgappClientSecret) 
                .accessTokenValiditySeconds(Constants.tokenValidityInSeconds);
        }
    }
}

谁能帮我解决我的错误。

【问题讨论】:

    标签: spring spring-mvc spring-security oauth-2.0 spring-oauth2


    【解决方案1】:

    您可以在配置中指定允许的方法如下:

    @Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
    endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
    endpoints.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST)
}

    【讨论】:

      【解决方案2】:

      默认只允许/oauth/token endpoint POST。因此,为了允许 GET 方法,我们必须配置 REST 端点。仅使用 XML 配置是不可能配置允许的令牌端点方法的。因此,创建一个额外的配置类,它将在 XML 运行后运行 @PostConstruct 方法,以完成工作。

          @Configuration
    public class OauthTokenEndPointMethodConfig {

    @Autowired
    private TokenEndpoint tokenEndpoint;

    @PostConstruct
    public void reconfigure() {
        Set<HttpMethod> allowedMethods = new HashSet<>(Arrays.asList(HttpMethod.GET, HttpMethod.POST));
        tokenEndpoint.setAllowedRequestMethods(allowedMethods);
    }
  }

      【讨论】:

        猜你喜欢
        • 1970-01-01
        • 2014-09-27
        • 1970-01-01
        • 2019-09-03
        • 2019-09-12
        • 2014-09-19
        • 2021-08-16
        • 2015-07-22
        • 2018-08-19
        相关资源
        最近更新 更多
        热门标签
        Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode