2015-10-19 185 views
0

Decoupling the authorization server and resource server with RemoteTokenServices

I am trying to use Spring Security and Spring OAuth2 in my project, with the authorization server and the resource server separated. I do not want to share a token store between the two servers, so I decided to use RemoteTokenServices and the check_token endpoint. Everything works except that when I query the resource server with an access token, I get a "401 Unauthorized" error, as shown below:

2015-10-19 11:50:10.291 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.client.RestTemplate : POST request for "http://localhost:9080/uaa/oauth/check_token/" resulted in 401 (Unauthorized); invoking error handler
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.filter.RequestContextFilter : Cleared thread-bound request context: [email protected]
2015-10-19 11:50:10.297 ERROR 2590 --- [nio-8080-exec-1] o.a.c.c.C.[.[.].[jerseyServlet] : Servlet.service() for servlet [jerseyServlet] in context with path [] threw exception

org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)

的授權服務器的代碼:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;

    // Tokens are persisted in the database so no in-memory store has to be shared.
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    @Bean
    public DefaultAccessTokenConverter defaultAccessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(this.tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(defaultAccessTokenConverter());
    }

    // /oauth/token_key is open; /oauth/check_token requires the caller to authenticate
    // (the resource server does so with its client id and secret).
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer)
            throws Exception {
        oauthServer
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

}

And the security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication();
        //  .withUser("John").roles("ADMIN").password("password")
        //  .and()
        //  .withUser("Mary").roles("BASIC").password("password");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").authenticated()
            .and().httpBasic().realmName("OAuth Server");
        http.csrf().disable();
    }
}

The resource server is set up as follows:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
public class ResourceConfiguration extends ResourceServerConfigurerAdapter {
    private static String RESOURCE_ID = "xn-resource-id";

    private TokenExtractor tokenExtractor = new BearerTokenExtractor();

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().anyRequest().authenticated();
    }

    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    // Every incoming bearer token is validated by POSTing it to the authorization
    // server's check_token endpoint, authenticated with this client id and secret.
    @Bean
    public RemoteTokenServices remoteTokenServices(final @Value("${auth.server.url}") String checkTokenUrl,
            final @Value("${auth.server.client_id}") String clientId,
            final @Value("${auth.server.client_secret}") String clientSecret) {
        final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
        remoteTokenServices.setClientId(clientId);
        remoteTokenServices.setClientSecret(clientSecret);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }
}

I tested the security setup with curl, using the client_credentials grant type.

Can someone help me figure out what is wrong with the code above?

+0

Did you get to the bottom of this? (Note that the URL ends with a /.) – christopher

Answer

0

It looks like you are using an incorrect URL. Try replacing it with:

http://localhost:9080/uaa/oauth/check_token 
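As an added illustration (not code from the question, the answer, or Spring), the following Python models the check_token exchange that RemoteTokenServices performs: the resource server POSTs the bearer token with HTTP Basic client credentials, and a stub authorization server answers 401 when the path is not exactly the endpoint or the client credentials are wrong, which is the failure the log above shows. The client ids, secrets, tokens and the /uaa context path are constructed values; the resource id is the one from the question.

```python
import base64
from urllib.parse import urlsplit

RESOURCE_ID = "xn-resource-id"                     # the question's ResourceConfiguration value
# Constructed stand-ins for the authorization server's JDBC client and token tables.
CLIENTS = {"resource-server": "resource-secret"}   # client_id -> client_secret
TOKENS = {
    "tok-123":   {"client_id": "cli-app", "scope": ["read"], "aud": ["xn-resource-id"]},
    "tok-other": {"client_id": "cli-app", "scope": ["read"], "aud": ["other-api"]},
}

def auth_server_check_token(path, headers, form):
    """Stub of the authorization server's /oauth/check_token endpoint (not Spring code).
    checkTokenAccess("isAuthenticated()") means the caller must send valid HTTP Basic
    client credentials; any path other than the exact endpoint gets the 401 seen in the log."""
    if path != "/uaa/oauth/check_token":
        return 401, {"error": "unauthorized"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "unauthorized"}
    client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    if CLIENTS.get(client_id) != secret:
        return 401, {"error": "unauthorized"}
    token = TOKENS.get(form.get("token"))
    if token is None:
        return 400, {"error": "invalid_token"}    # unknown token: error body, not a 401
    return 200, token

def load_authentication(check_token_url, client_id, client_secret, access_token):
    """The resource server side: POST token=... with Basic client auth, then reject on
    an HTTP error or on an audience that does not include our resource id."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    status, body = auth_server_check_token(urlsplit(check_token_url).path, headers,
                                           {"token": access_token})
    if status != 200:
        raise PermissionError(f"check_token returned {status}: {body.get('error')}")
    if RESOURCE_ID not in body.get("aud", []):
        raise PermissionError("token not issued for this resource id")
    return body

def outcome(check_token_url, client_id, client_secret, access_token):
    """'accepted' or the rejection reason, so each failure mode can be compared side by side."""
    try:
        load_authentication(check_token_url, client_id, client_secret, access_token)
        return "accepted"
    except PermissionError as exc:
        return f"rejected: {exc}"
```

Calling outcome() with the trailing-slash URL from the log reproduces the 401, while the URL from the answer is accepted for a token whose aud contains xn-resource-id.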
