Question

我正在使用Spring Security OAuth2，其中tokenInfoUri指向CXF RFC 7662端点实现。

当调用tokenInfoUri时，Spring会生成一个 java.lang.ClassCastException：java.lang.String无法强制转换为java.util.Collection

RFC 7662的回复是：

{
   "active":true,
   "client_id":"83EQEL8D1OiCIw",
   "username":"alice",
   "token_type":"Bearer",
   "scope":"openid hello.say",
   "iat":1470083268,
   "exp":1470086868
}

因此，范围被反序列化为String而不是Collection。 Spring似乎没有处理这个RFC（https://tools.ietf.org/html/rfc7662#section-2.2）。

DefaultAccessTokenConverter句柄的最新版本处理字符串类型，但它应该拆分范围String（空格分隔符）以创建符合RFC7662的Set。

请参阅https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java#L154。

我应该创建一个问题吗？

谢谢，阿德里安

以下是详细信息; Spring Security OAuth 2.0.9。 Stacktrace：

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Collection
    at org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter.extractAuthentication(DefaultAccessTokenConverter.java:124) ~[spring-security-oauth2-2.0.9.RELEASE.jar:na]
    at org.springframework.security.oauth2.provider.token.RemoteTokenServices.loadAuthentication(RemoteTokenServices.java:115) ~[spring-security-oauth2-2.0.9.RELEASE.jar:na]
    at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager.authenticate(OAuth2AuthenticationManager.java:83) ~[spring-security-oauth2-2.0.9.RELEASE.jar:na]
    at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:150) ~[spring-security-oauth2-2.0.9.RELEASE.jar:na]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-4.0.4.RELEASE.jar:4.0.4.RELEASE]

配置：

security:
  user:
    password: user
  oauth2:
    client:
      clientId: blabli
      clientSecret: blabla
    resource:
      serviceId: ${PREFIX:}resource
      tokenInfoUri: http://localhost:9081/oidc/oauth2/introspect

请求：

POST /oidc/oauth2/introspect HTTP/1.1
Accept: application/json, application/*+json
Authorization: Basic ODNFUUVMOEQxT2lDSXc6dy1OZHpERnlJaTJadThQUkRmeE9Xdw==
Content-Type: application/x-www-form-urlencoded
User-Agent: Java/1.8.0_91
Host: localhost:9080
Connection: keep-alive
Content-Length: 38
token=faa395452928f5126fc8cf61b66bf0f4

回应：

{
   "active":true,
   "client_id":"83EQEL8D1OiCIw",
   "username":"alice",
   "token_type":"Bearer",
   "scope":"openid hello.say",
   "iat":1470083268,
   "exp":1470086868
}

Answer 1

这在Spring OAuth 2.0.10中得到修复。

Spring OAuth2：tokenInfoUri使用RFC 7662端点

1 个答案: