我有一个Spring Boot OAuth2客户端和一个Spring Boot OAuth 2 ResourceServer,它也是一个授权服务。我知道问题出在哪里。我知道 OAuth 2 令牌不允许通过 get 使用,只允许通过 Post。但是,我不知道如何解决它。这似乎是内置的@EnableOAuth2Sso自动出现的。在下面的代码中,您可以看到类是裸露的。我还没有在WebSecurityConfigurerAdapter中看到处理这个问题的方法。
我不打算包括整个POM,但我使用的是Spring Boot 1.5.10.RELEASE,其中包括spring-security-oauth2-2.0.14.RELEASE
我已经包含了我的类和属性文件,带有client-id和client-secret XXXed,客户端类和道具首先:
客户端应用程序属性:
server.port=7293
server.context-path=/ui
server.session.cookie.name=UISESSION
security.basic.enabled=false
security.oauth2.client.client-id=XXXXX
security.oauth2.client.client-secret=XXXXX
security.oauth2.client.access-token-uri=http://localhost:7291/auth/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:7291/auth/oauth/token
security.oauth2.resource.user-info-uri=http://localhost:7291/auth/user/me
spring.thymeleaf.cache=false
客户端安全配置:
@Configuration
@EnableOAuth2Sso
public class UISecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/", "/login**")
.permitAll()
.anyRequest()
.authenticated();
}
}
客户端 Spring 启动应用类:
@SpringBootApplication
public class OAuth2ClientApplication {
public static void main(String[] args) {
SpringApplication.run(OAuth2ClientApplication.class, args);
}
@Bean
public RequestContextListener requestContextListener(){
return new RequestContextListener();
}
}
资源/身份验证服务器应用类:
应用程序属性:
server.port=7291
server.context-path=/auth
security.oauth2.client.client-id=XXXXX
security.oauth2.client.client-secret=XXXXX
security.oauth2.authorization.checkTokenAccess=isAuthenticated()
security.oauth2.authorization.token-key-access=permitAll()
security.basic.enabled=false
身份验证服务器配置类:
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(FilteringServiceAuthServerConfig.class);
@Value("${security.oauth2.client.client-id}")
private String clientId;
@Value("${security.oauth2.client.client-secret}")
private String clientSecret;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient(clientId)
.secret(clientSecret)
.authorizedGrantTypes("authorization_code")
.scopes("user_info")
.autoApprove(true) ;
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
}
这是我的授权服务器网络安全配置类:
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.requestMatchers()
.antMatchers("/login", "/oauth/authorize", "/oauth/token")
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager)
.inMemoryAuthentication()
.withUser("XXXXX").password("XXXXX").roles("USER", "ADMIN");
}
}
和授权/资源服务器组合 Spring 引导应用程序类:
@SpringBootApplication
@EnableResourceServer
public class FilteringServiceApp extends SpringBootServletInitializer {
private static Logger logger = LoggerFactory.getLogger(FilteringServiceApp.class);
@Value("${matches.file.name}")
private String fileName;
@Autowired
private FilterMatchRepository matchRepo;
@PostConstruct
private void init() {
new MatchInitializer(matchRepo, fileName).init();
}
/**
* Start up the Filter Matching Application
*
* @param args
*/
public static void main(String[] args) {
SpringApplication.run(FilteringServiceApp.class, args);
}
@Bean
public RequestContextListener requestContextListener(){
return new RequestContextListener();
}
}
当我以这种方式访问URL时(通过client_id secret_id进行身份验证后),我得到的错误是:
{ "错误": "method_not_allowed", "error_description": "不支持请求方法'GET'" }
我使用 NGrok 查看收到此错误消息时发生了什么,您可以看到它显然是通过违反规范的 GET 请求访问/oauth/token。
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:7291/auth/oauth/token?client_id=XXXXX&redirect_uri=http://57bfa798.ngrok.io/ui/login&response_type=code&state=BgLGhq
Content-Length: 0
Date: Mon, 26 Feb 2018 09:42:30 GMT
我更改了我的AuthServerConfig类
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
//... other methods still the same. below fixed the error
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}
}