1
我正在使用REST API,它在本地主機上偵聽,並且我想包含Spring Security。密碼授予和客戶端憑據授權完美地工作,我可以去檢查/ smarthouse和/ smarthouse2的安全數據。授權代碼授權
雖然,當我嘗試通過郵遞員使用授權代碼授予時,它給了我同樣的錯誤,並且我已到處檢查。我的項目在這裏:https://github.com/sharjak/Smarthouse。該操作全部發生在demoapplication文件夾中。
我的授權和資源服務器代碼:
@Configuration
public class OAuth2ServerConfig {
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
.csrf().disable()
.authorizeRequests()
.anyRequest()
.authenticated().and()
.formLogin();
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("my-trusted-client")
.authorizedGrantTypes("password","authorization_code","refresh_token", "implicit")
.authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT","ROLE_USER")
.scopes("read", "write", "trust")
.resourceIds("oauth2-resource")
.secret("secret")
.accessTokenValiditySeconds(6000)
.and()
.withClient("my-client")
.authorizedGrantTypes("authorization_code", "implicit")
.authorities("ROLE_CLIENT", "ROLE_USER")
.scopes("read","trust", "write")
.resourceIds("oauth2-resource")
.accessTokenValiditySeconds(6000)
.and()
.withClient("my-client-with-secret")
.authorizedGrantTypes("client_credentials","password")
.authorities("ROLE_CLIENT", "ROLE_USER")
.scopes("read", "trust", "write")
.resourceIds("oauth2-resource")
.secret("secret")
.accessTokenValiditySeconds(6000);
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.checkTokenAccess("permitAll()");
}
}
}
代碼Websecurity服務器:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous().disable()
.csrf().disable()
.authorizeRequests()
.antMatchers("/smarthouse", "smarthouse2", "/user").permitAll()
.and()
.formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("password").roles("ADMIN")
.and()
.withUser("sander").password("Sander123").roles("USER");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception{
return super.authenticationManagerBean();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
@Autowired
public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
handler.setTokenStore(tokenStore);
handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
handler.setClientDetailsService(clientDetailsService);
return handler;
}
@Bean
@Autowired
public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore);
return store;
}
}
堆棧跟蹤,當我嘗試與用戶登錄:
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)
我是一個初學者,但它似乎是一個小問題來解決。誰能幫我?
所以你想要的是使用郵差獲取訪問令牌? –
是的,問題是,當我與用戶一起登錄時,它沒有給我授權碼,但告訴我用戶必須通過驗證。如果我嘗試從瀏覽器登錄,它會給我一個錯誤在安全上下文中找不到認證對象。 –