我是Spring Security和Oauth的新手,我正在尝试使用Oauth2设置一个保护路径“/ api”中资源访问的简单示例。我正在使用spring-security-oauth2-1.0.0.RC2。经过一段时间处理配置后,我可以获得令牌,但当我尝试向“/ api”资源发送请求时,我面临两个问题:
最初,我发送带有“OAuth2”前缀的授权标头,但是spring-security-oauth2似乎需要在标记中带有“Bearer”前缀的标头才能找到它们。这些令牌之间有什么区别?
在Spring验证令牌后,我收到一个安全错误:“ExceptionTranslationFilter - 拒绝访问(用户不是匿名的)”并且我遇到了这个问题。由于我正在使用InMemory令牌存储,我每次都必须登录才能授权客户端,然后我收到此错误。这是弹簧配置:
<http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http disable-url-rewriting="true" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<!--intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /-->
<form-login/>
<logout logout-success-url="/index.jsp" logout-url="/logout" />
</http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="O2Server" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="test" password="test" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails"/>
</bean>
<bean id="userApprovalHandler" class="org.o2server.security.O2ServerUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" resource-id="O2Server" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="O2Client" resource-ids="O2Server" authorized-grant-types="authorization_code,refresh_token,implicit"
authorities="ROLE_CLIENT" scope="read,write" secret="secret" />
</oauth:client-details-service>
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
这是来自服务器的日志:
11:58:30.366 [DEBUG] FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/user/; Attributes: [ROLE_CLIENT, SCOPE_READ]
11:58:30.366 [DEBUG] FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@48a94464: Principal: org.springframework.security.core.userdetails.User@346448: Username: paul; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails@43794494; Granted Authorities: ROLE_USER
11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.oauth2.provider.vote.ScopeVoter@4e857327, returned: 0
11:58:30.366 [DEBUG] UnanimousBased - Voter: org.springframework.security.access.vote.RoleVoter@1b4b2db7, returned: -1
11:58:30.367 [DEBUG] ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler <org.springframework.security.access.AccessDeniedException: Access is denied>org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:90)
拜托,你能给我一些建议吗?
提前谢谢。
答案 0 :(得分:1)
我从未使用oauth插件但是从读取调试输出我可以说RoleVoter返回-1,这意味着DecisionVoter拒绝访问。我发现您只授予ROLE_USER本人试图访问的网址/api/user/,该网址由[ROLE_CLIENT, SCOPE_READ]保护,这就是访问被拒绝的原因。
将ROLE_CLIENT和SCOPE_READ授予委托人或更改<intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />。
答案 1 :(得分:1)
正如Xaerxess所说,您应该将intercept-url访问属性更改为ROLE_USER。
<intercept-url pattern="/api/**" access="ROLE_CLIENT,SCOPE_READ" />
到
<intercept-url pattern="/api/**" access="ROLE_USER,SCOPE_READ" />
访问属性控制用户的角色(客户端代表其行事)。
标记<oauth:client>的权限(ROLE_CLIENT)属性的文档声明:
授予客户端的权限(以逗号分隔)。不同 从当局授予客户代表客户 正在行动。
另据用户Dave Syer说:
如果您没有更改Tonr,它不是作为客户,它正在行动 代表用户(谁没有所需的ROLE_CLIENT),所以 预计你会得到403.如果你想做一个 关于tonr的请求来自客户的断言 特定角色(无需更改应用)您可以使用表达式, 例如“oauthClientHasRole('ROLE_CLIENT')和hasScope('trust')”。
来源: http://forum.springsource.org/showthread.php?125468-confusing-between-ROLE_USER-ROLE_CLIENT