UAA server - org.springframework.security.authentication.BadCredentialsException: Bad credentials

Time: 2016-11-22 01:47:20

Tags: spring spring-boot oauth-2.0 restful-authentication cloudfoundry-uaa

The client needs to obtain a token from the UAA server, but whenever it sends the request I get the following error:

org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48d8d90a: Principal: admin-portal-ui; Credentials: [PROTECTED]; Authenticated: false; Details: remoteAddress=127.0.0.1, clientId=admin-portal-ui; Not granted any authorities]

The UAA server log looks like this:

[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: CORS Processing request: URI: /uaa/oauth/token; Scheme: http; Host: localhost; Port: 8080; Origin: http://localhost:81; Method: POST
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: Request cross origin request has passed validation.
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'tokenEndpointSecurity' processing request POST /uaa/oauth/token
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] ....  INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=admin-portal-ui, origin=[127.0.0.1], identityZoneId=[uaa]
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] ....  INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=admin-portal-ui, origin=[remoteAddress=127.0.0.1, clientId=admin-portal-ui], identityZoneId=[uaa]
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: CORS processing completed for: URI: /uaa/oauth/token; Scheme: http; Host: localhost; Port: 8080; Origin: http://localhost:81; Method: POST Status:401

Here is login-server-security.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">

    <oauth:resource-server id="oauthResourceAuthenticationFilter" token-services-ref="tokenServices"
        resource-id="oauth" entry-point-ref="oauthAuthenticationEntryPoint" />

    <http name="secFilterLoginServerAuthenticate" request-matcher-ref="loginAuthenticateRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
          authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <!-- scope authentication filter configured with a scope authentication manager -->
        <custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>

    <bean id="loginAuthenticateRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
        <constructor-arg value="/authenticate" />
        <property name="accept" value="application/json" />
        <property name="headers">
            <map>
                <entry key="Authorization" value="bearer "  />
            </map>
        </property>
    </bean>

    <sec:http name="secFilterAuthenticateOpen"  pattern="/authenticate/**" security="none" />

    <http name="secFilterLoginServerAuthorize" request-matcher-ref="loginAuthorizeRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
        authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <!-- scope authentication filter configured with a scope authentication manager -->
        <custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
        <custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>

    <bean id="loginAuthorizeRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
        <constructor-arg value="/oauth/authorize" />
        <property name="accept" value="application/json" />
        <property name="parameters">
            <map>
                <entry key="source" value="login" />
            </map>
        </property>
    </bean>

    <http name="secFilterLoginServerToken" request-matcher-ref="loginTokenRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
          authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
        <!--
          This represents a /oauth/token requests that gets passed through
          from the login server. It assumes that the User has been authenticated
          It requires that:
           - userid parameter exists
           - client_id and client_secret are present
           - Bearer token belongs to login server (oauth.login) validated as resource="oauth"
        -->
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <!-- the oauthResourceAuthenticationFilter validates the Bearer token
             TODO, if there is no token this filter must throw.
             What we need is scope=oauth.login
         -->
        <custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <!-- scope authentication filter configured with a scope authentication manager -->
        <custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
        <!-- filter to validate the client_id and client_secret -->
        <custom-filter ref="loginClientParameterAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <!-- The loginServerTokenEndpointAuthenticationFilter validates the user or creates one-->
        <custom-filter ref="loginServerTokenEndpointAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>

    <bean id="oauthLoginScopeAuthenticatingFilter" class="org.cloudfoundry.identity.uaa.authentication.manager.ScopeAuthenticationFilter">
        <property name="authenticationManager" ref="oauthLoginAuthManager"/>
    </bean>

    <bean id="oauthLoginAuthManager" class="org.cloudfoundry.identity.uaa.authentication.manager.ScopeAuthenticationManager">
        <property name="requiredScopes">
            <list>
                <value type="java.lang.String">oauth.login</value>
            </list>
        </property>
    </bean>

    <bean id="loginTokenRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
        <constructor-arg value="/oauth/token" />
        <property name="accept" value="application/json" />
        <property name="headers">
            <map>
                <entry key="Authorization" value="bearer " />
            </map>
        </property>
        <property name="parameters">
            <map>
                <entry key="source" value="login" />
                <entry key="grant_type" value="password" />
                <entry key="add_new" value="" />
            </map>
        </property>
    </bean>

    <bean id="loginServerTokenEndpointAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.LoginServerTokenEndpointFilter">
        <constructor-arg ref="loginAuthenticationMgr" />
        <constructor-arg ref="authorizationRequestManager"/>
        <constructor-arg ref="addNewUserParameters"/>
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
    </bean>

    <bean id="loginClientParameterAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.LoginClientParametersAuthenticationFilter">
        <property name="clientAuthenticationManager" ref="clientAuthenticationManager"/>
    </bean>

    <!-- Support for older login servers -->
    <http name="secFilterLoginServerAuthorizeOld" request-matcher-ref="loginAuthorizeRequestMatcherOld" create-session="always" entry-point-ref="oauthAuthenticationEntryPoint"
        authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>

    <bean id="loginAuthorizeRequestMatcherOld" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
        <constructor-arg value="/oauth/authorize" />
        <property name="accept" value="application/json" />
        <property name="parameters">
            <map>
                <entry key="login" value="{" />
            </map>
        </property>
    </bean>
    <!-- End support for older login servers -->
    <util:list id="addNewUserParameters" value-type="java.lang.String">
        <value>login</value>
        <value>username</value>
        <value>user_id</value>
        <value>origin</value>
        <value>given_name</value>
        <value>family_name</value>
        <value>email</value>
        <value>authorities</value>
    </util:list>

    <bean id="loginAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.AuthzAuthenticationFilter">
        <constructor-arg ref="loginAuthenticationMgr" />
        <property name="parameterNames" ref="addNewUserParameters"/>
    </bean>

    <bean id="loginAuthenticationMgr" class="org.cloudfoundry.identity.uaa.authentication.manager.LoginAuthenticationManager">
        <property name="userDatabase" ref="userDatabase" />
    </bean>

    <bean class="org.cloudfoundry.identity.uaa.authentication.RemoteAuthenticationEndpoint">
        <constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
        <property name="loginAuthenticationManager" ref="loginAuthenticationMgr"/>
    </bean>

    <bean id="codeStore" class="org.cloudfoundry.identity.uaa.codestore.JdbcExpiringCodeStore">
        <constructor-arg ref="dataSource" />
    </bean>

    <bean id="passwordResetEndpoints" class="org.cloudfoundry.identity.uaa.account.PasswordResetEndpoint">
        <constructor-arg ref="resetPasswordService"/>
        <property name="messageConverters">
            <list>
                <bean class="org.cloudfoundry.identity.uaa.web.ExceptionReportHttpMessageConverter" />
                <bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
            </list>
        </property>
        <property name="codeStore" ref="codeStore"/>
    </bean>

    <bean id="changeEmailEndpoints" class="org.cloudfoundry.identity.uaa.scim.endpoints.ChangeEmailEndpoints">
        <constructor-arg ref="scimUserProvisioning"/>
        <constructor-arg ref="codeStore"/>
        <constructor-arg ref="clientDetailsService"/>
    </bean>

    <http name="secFilterLoginServerPasswordEndpoints" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
        access-decision-manager-ref="accessDecisionManager" pattern="/password_*" xmlns="http://www.springframework.org/schema/security"  use-expressions="false">
        <intercept-url pattern="/**" access="scope=oauth.login" />
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>

    <http name="secFilterLoginServerEmailEndpoints" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
          access-decision-manager-ref="accessDecisionManager" pattern="/email_*" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
        <intercept-url pattern="/**" access="scope=oauth.login" />
        <custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
        <anonymous enabled="false" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <csrf disabled="true"/>
    </http>
</beans>

There is a uaa.yml configured as follows:

login:
  #Disable create account and forgot password links on the Login Server
  selfServiceLinksEnabled: false
  # Configure branding for the UAA
  branding:
    companyName: Consent2Share
    productLogo: # (value not reproduced on the page)
#Configure to enable to limit login failure attempts
authentication:
  policy:
    lockoutAfterFailures: 5
    countFailuresWithinSeconds: 3600
    lockoutPeriodSeconds: 600
# Patient User will use the e-mail server configured in this section to send e-mails
# Please configure valid e-mail server below to connect to SMTP server
# Configure host, port, username and password per environment
smtp:
  host: ${UAA_SMTP_HOST}
  port: ${UAA_SMTP_PORT}
  user: ${UAA_SMTP_USER}
  password: ${UAA_SMTP_PASSWORD}
  javaMailProperties:
    mail:
      smtp:
        auth: true
        starttls:
          enable: true
        ssl:
          trust: ${UAA_SMTP_HOST}
      debug: true
spring_profiles: mysql # default is empty
database:
  driverClassName: org.mariadb.jdbc.Driver # only if spring_profiles=mysql
  url: jdbc:mysql://${C2S_DB_HOST:localhost}:${C2S_DB_PORT:3306}/uaa # only if spring_profiles=mysql
  username: root # only if spring_profiles=mysql
  password: ${UAA_DB_PASSWORD:wtzhou} # only if spring_profiles=mysql
oauth:
  clients:
    admin:
      secret: adminsecret
      authorized-grant-types: client_credentials
      scope: uaa.none
      authorities: uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin
    cf: # this client is needed for cf cli and uaac cli to act on user's behalf
      authorized-grant-types: implicit,password,refresh_token
      scope: uaa.user,cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,cloud_controller.admin,scim.read,scim.write
      authorities: uaa.none
      autoapprove: true
    patient-portal-ui:
      authorized-grant-types: password
      #secret: changeit
      secret: loginsecret
      scope: openid,phr.hie_read,phr.hie_write,phr.patient_read,pcm.provider_read,pcm.provider_create,pcm.provider_delete,pcm.consent_read,pcm.consent_create,pcm.consent_update,pcm.consent_delete,pcm.consent_sign,pcm.consent_revoke,pcm.clinicalDocument_read,pcm.clinicalDocument_create,pcm.clinicalDocument_delete,pcm.activity_read,ppUI.access,tryPolicy.clinicalDocument_read
      authorities: uaa.resource
    admin-portal-ui:
      authorized-grant-types: password
      secret: loginsecret
      scope: openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access,pep.patient_read
      authorities: uaa.resource
    patient-user:
      secret: loginsecret
      authorized-grant-types: client_credentials
      scope: uaa.none
      authorities: phr.patient_read,phr.allPatientProfiles_read,scim.write,scim.read,scim.create,uaa.admin
    azhec-hie:
      secret: loginsecret
      authorized-grant-types: client_credentials
      scope: uaa.none
      authorities: pep.patient_read
    sysadmin:
      secret: loginsecret
      authorized-grant-types: client_credentials
      scope: uaa.none
      authorities: patientUser.scope_assign,scim.write,scim.read,scim.create,uaa.admin
scim:
  groups:
    phr.hie_read: Access your health information
    phr.hie_write: Add your health information
    phr.patient_read: Access the patient details
    pcm.provider_read: Access provider from list
    pcm.provider_create: Create new provider
    pcm.provider_delete: Delete provider from list
    pcm.consent_read: Access and display your consent
    pcm.consent_create: Add new consent
    pcm.consent_update: Update current consent
    pcm.consent_delete: Delete a consent
    pcm.consent_sign: Sign consent
    pcm.consent_revoke: Revoke current consent
    pcm.clinicalDocument_read: Access and display clinical document
    pcm.clinicalDocument_create: Create new clinical document
    pcm.clinicalDocument_delete: Delete current clinical document
    pcm.activity_read: Access the patient activity history
    ppUI.access: Access patient portal UI
    pep.patient_read: Access policy enforcement point
    tryPolicy.clinicalDocument_read: View policies applied on clinical document
    patientUser.scope_assign: Allows Sysadmin to assign scopes to users
  users:
#  Configure additional c2s staff admin(users) as:
#    - EmailId | password | EmailId | FirstName | LastName | <Comma separated list of permissions>
#  For example:  - consent2share@gmail.com|admin|consent2share@gmail.com|admin|admin|openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access
    - consent2share@gmail.com|admin|consent2share@gmail.com|admin|admin|openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access
# C2S_APP_HOST and C2S_APP_PORT are related to edge server api
c2s:
  uaa:
    host: http://${C2S_APP_HOST:localhost}:${C2S_APP_PORT:81}/uaa
jwt:
  token:
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO
      rn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7
      fYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB
      LCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO
      kqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo
      jfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI
      JwIDAQAB
      -----END PUBLIC KEY-----
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEowIBAAKCAQEA0m59l2u9iDnMbrXHfqkOrn2dVQ3vfBJqcDuFUK03d+1PZGbV
      lNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7fYb3d8TjhV86Y997Fl4DBrxgM6KT
      JOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQBLCl0vpcXBtFLMaSbpv1ozi8h7DJy
      VZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDOkqwIn7Glry9n9Suxygbf8g5AzpWc
      usZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPojfj9Cw2QICsc5+Pwf21fP+hzf+1W
      SRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nIJwIDAQABAoIBAHPV9rSfzllq16op
      zoNetIJBC5aCcU4vJQBbA2wBrgMKUyXFpdSheQphgY7GP/BJTYtifRiS9RzsHAYY
      pAlTQEQ9Q4RekZAdd5r6rlsFrUzL7Xj/CVjNfQyHPhPocNqwrkxp4KrO5eL06qcw
      UzT7UtnoiCdSLI7IL0hIgJZP8J1uPNdXH+kkDEHE9xzU1q0vsi8nBLlim+ioYfEa
      Q/Q/ovMNviLKVs+ZUz+wayglDbCzsevuU+dh3Gmfc98DJw6n6iClpd4fDPqvhxUO
      BDeQT1mFeHxexDse/kH9nygxT6E4wlU1sw0TQANcT6sHReyHT1TlwnWlCQzoR3l2
      RmkzUsECgYEA8W/VIkfyYdUd5ri+yJ3iLdYF2tDvkiuzVmJeA5AK2KO1fNc7cSPK
      /sShHruc0WWZKWiR8Tp3d1XwA2rHMFHwC78RsTds+NpROs3Ya5sWd5mvmpEBbL+z
      cl3AU9NLHVvsZjogmgI9HIMTTl4ld7GDsFMt0qlCDztqG6W/iguQCx8CgYEA3x/j
      UkP45/PaFWd5c1DkWvmfmi9UxrIM7KeyBtDExGIkffwBMWFMCWm9DODw14bpnqAA
      jH5AhQCzVYaXIdp12b+1+eOOckYHwzjWOFpJ3nLgNK3wi067jVp0N0UfgV5nfYw/
      +YoHfYRCGsM91fowh7wLcyPPwmSAbQAKwbOZKfkCgYEAnccDdZ+m2iA3pitdIiVr
      RaDzuoeHx/IfBHjMD2/2ZpS1aZwOEGXfppZA5KCeXokSimj31rjqkWXrr4/8E6u4
      PzTiDvm1kPq60r7qi4eSKx6YD15rm/G7ByYVJbKTB+CmoDekToDgBt3xo+kKeyna
      cUQqUdyieunM8bxja4ca3ukCgYAfrDAhomJ30qa3eRvFYcs4msysH2HiXq30/g0I
      aKQ12FSjyZ0FvHEFuQvMAzZM8erByKarStSvzJyoXFWhyZgHE+6qDUJQOF6ruKq4
      DyEDQb1P3Q0TSVbYRunOWrKRM6xvJvSB4LUVfSvBDsv9TumKqwfZDVFVn9yXHHVq
      b6sjSQKBgDkcyYkAjpOHoG3XKMw06OE4OKpP9N6qU8uZOuA8ZF9ZyR7vFf4bCsKv
      QH+xY/4h8tgL+eASz5QWhj8DItm8wYGI5lKJr8f36jk0JLPUXODyDAeN6ekXY9LI
      fudkijw0dnh28LJqbkFF5wLNtATzyCfzjp+czrPMn9uqLNKt/iVD
      -----END RSA PRIVATE KEY-----

I have been trying to find the cause for a long time, but I still cannot get it working. Can anyone help me figure out the root cause of this error? Any reply would be greatly appreciated!
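The following is an added example, written for this page and not code from the post or from the UAA project. It builds the password-grant request the way UAA's ordinary token endpoint chain expects it (OAuth client authenticated with HTTP Basic, end-user credentials in the form body) and reads the two audit lines from the posted log to tell which credential was rejected. The base URL and the user credentials (the bootstrap user from the posted uaa.yml) are placeholders; the client id and secret are the ones in the posted uaa.yml.

```python
"""Added example (not from the post or the UAA project): form a UAA password-grant
request and attribute a 'Bad credentials' audit event to the client or the user."""
import base64
import re
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value that authenticates the OAuth client at /oauth/token."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant_request(base_url: str, client_id: str, client_secret: str,
                                 username: str, password: str) -> urllib.request.Request:
    """Password grant as the tokenEndpointSecurity chain from the posted log expects it:
    the OAuth client authenticates with HTTP Basic, the end user's credentials travel in
    the form body. There is no bearer token and no source=login parameter, so none of the
    login-server chains in the posted XML claim the request."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("ascii")
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth/token",
                                 data=form, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


# One audit line per UAA authentication event, in the shape seen in the post:
#   Audit: ClientAuthenticationFailure ('Bad credentials'): principal=admin-portal-ui, origin=[...]
AUDIT_RE = re.compile(
    r"Audit: (?P<event>[A-Za-z]+) \('(?P<reason>[^']*)'\): principal=(?P<principal>[^,]+)")


def diagnose_audit(log_text: str) -> dict:
    """Attribute a 'Bad credentials' failure to the OAuth client or to the end user.

    ClientAuthenticationFailure names the OAuth client whose id/secret pair was rejected
    by the Basic-auth filter; the user's password is only checked after the client passes.
    UserAuthenticationFailure names the end user and appears when the client authenticated
    but the user's password was wrong."""
    events = [m.groupdict() for m in AUDIT_RE.finditer(log_text)]
    client_failed = sorted({e["principal"] for e in events
                            if e["event"] == "ClientAuthenticationFailure"})
    user_failed = sorted({e["principal"] for e in events
                          if e["event"] == "UserAuthenticationFailure"})
    if client_failed:
        verdict = "client secret rejected for " + ", ".join(client_failed)
    elif user_failed:
        verdict = "user password rejected for " + ", ".join(user_failed)
    else:
        verdict = "no authentication failure in audit lines"
    return {
        "events": [e["event"] for e in events],
        "client_failed": client_failed,
        "user_failed": user_failed,
        "verdict": verdict,
    }


# The two audit lines from the posted UAA log, timestamp and thread fields dropped.
POSTED_AUDIT = (
    "INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=admin-portal-ui, "
    "origin=[127.0.0.1], identityZoneId=[uaa]\n"
    "INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=admin-portal-ui, "
    "origin=[remoteAddress=127.0.0.1, clientId=admin-portal-ui], identityZoneId=[uaa]\n"
)

# Constructed sample (not from the post), in the same shape, for the other outcome.
CONSTRUCTED_USER_FAILURE = (
    "INFO --- Audit: UserAuthenticationFailure ('Bad credentials'): principal=consent2share@gmail.com, "
    "origin=[remoteAddress=127.0.0.1, clientId=admin-portal-ui], identityZoneId=[uaa]\n"
)


if __name__ == "__main__":
    # Placeholder user credentials: the bootstrap user from the posted uaa.yml.
    req = build_password_grant_request("http://localhost:8080/uaa", "admin-portal-ui",
                                       "loginsecret", "consent2share@gmail.com", "admin")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    print(diagnose_audit(POSTED_AUDIT)["verdict"])
    print(diagnose_audit(CONSTRUCTED_USER_FAILURE)["verdict"])
```

The verdict for the posted log is a client-secret rejection for admin-portal-ui, so the thing to compare is the id/secret the portal sends against the client actually registered in UAA's database (the uaa.yml `oauth.clients` block is only the bootstrap source), for example with the uaac CLI: `uaac target http://localhost:8080/uaa`, `uaac token client get admin -s adminsecret`, `uaac client get admin-portal-ui`. Separately, the posted uaa.yml publishes the JWT signing key (`jwt.token.signing-key`) and every client secret in the clear; anyone holding that private key can mint tokens this UAA will accept, so the key and the secrets need rotating.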

1 answer:

Answer 0 (score: 0)

I think you need to add some authorities to the client you are using (admin-portal-ui). Most likely add oauth.login.

See the sample client xml oauth-clients.xml in the uaa repo on github. You probably need something similar to the login client. In that xml you can find more authorities added to the login client. You could try adding all of them.

Another point you might want to check, if you are trying to get a token on behalf of a user without a password, is the user's origin. In that case the origin cannot be uaa.
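As an added illustration (my code, not from the post or the UAA project) of how the chains in the posted login-server-security.xml select requests: a simplified re-implementation of the rules expressed by the UaaRequestMatcher beans (path prefix, Accept media type, header value by prefix, parameter value by prefix, an empty expected value meaning "parameter present"). Those semantics are my reading of the bean properties, not a copy of the Java class, and the fallback chain name `tokenEndpointSecurity` is taken from the posted log rather than modelled. The point it shows is that the request in the post (Basic client auth, no source=login) matches none of the login-server chains, so the client secret is what gets checked, whereas a request that does enter secFilterLoginServerToken must carry a bearer token with the oauth.login scope (the ScopeAuthenticationManager's requiredScopes), which for a client-credentials token comes from the client's authorities, the thing the answer proposes granting. The login-server style request below is constructed with a placeholder token value.

```python
"""Added example (not from the post or the UAA project): route requests through a
simplified model of the UaaRequestMatcher beans in the posted XML."""
from dataclasses import dataclass, field


@dataclass
class Request:
    """The parts of an HTTP request the posted matchers look at."""
    path: str                      # context-relative, e.g. /oauth/token
    accept: str = ""
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


@dataclass
class UaaRequestMatcher:
    """Assumed semantics of the bean properties: path prefix, Accept contains the media
    type, each listed header starts with the given value (case-insensitive), each listed
    parameter starts with the given value (empty value = merely present)."""
    path: str
    accept: str = ""
    headers: dict = field(default_factory=dict)
    parameters: dict = field(default_factory=dict)

    def matches(self, req: Request) -> bool:
        if not req.path.startswith(self.path):
            return False
        if self.accept and self.accept not in req.accept:
            return False
        lowered = {k.lower(): v for k, v in req.headers.items()}
        for name, prefix in self.headers.items():
            if not lowered.get(name.lower(), "").lower().startswith(prefix.lower()):
                return False
        for name, prefix in self.parameters.items():
            value = req.params.get(name)
            if value is None or not value.startswith(prefix):
                return False
        return True


# The three login-server chains from the posted login-server-security.xml,
# keyed by the <http name="..."> that owns each request matcher.
LOGIN_SERVER_CHAINS = [
    ("secFilterLoginServerToken", UaaRequestMatcher(
        "/oauth/token", "application/json",
        headers={"Authorization": "bearer "},
        parameters={"source": "login", "grant_type": "password", "add_new": ""})),
    ("secFilterLoginServerAuthorize", UaaRequestMatcher(
        "/oauth/authorize", "application/json", parameters={"source": "login"})),
    ("secFilterLoginServerAuthorizeOld", UaaRequestMatcher(
        "/oauth/authorize", "application/json", parameters={"login": "{"})),
]

# Chain named in the posted log for the request that matched no login-server chain.
# Assumption: UAA's remaining chains (e.g. the passcode matcher in the log) are not modelled.
DEFAULT_TOKEN_CHAIN = "tokenEndpointSecurity"


def select_chain(req: Request) -> str:
    """First login-server chain whose matcher accepts the request, else the default."""
    for name, matcher in LOGIN_SERVER_CHAINS:
        if matcher.matches(req):
            return name
    return DEFAULT_TOKEN_CHAIN


def has_required_scopes(token_scopes, required=("oauth.login",)) -> bool:
    """What the ScopeAuthenticationManager bean (requiredScopes = oauth.login) enforces on
    the bearer token once a request is inside a login-server chain."""
    return set(required) <= set(token_scopes)


# The request from the post: password grant, client authenticated with HTTP Basic.
POSTED_REQUEST = Request(
    path="/oauth/token", accept="application/json",
    headers={"Authorization": "Basic YWRtaW4tcG9ydGFsLXVpOmxvZ2luc2VjcmV0"},
    params={"grant_type": "password", "response_type": "token"})

# Constructed: the shape a login server sends on a user's behalf (token value is a placeholder).
LOGIN_SERVER_REQUEST = Request(
    path="/oauth/token", accept="application/json",
    headers={"Authorization": "bearer <token-with-oauth.login-scope>"},
    params={"grant_type": "password", "source": "login", "add_new": "false",
            "client_id": "admin-portal-ui", "client_secret": "loginsecret",
            "username": "consent2share@gmail.com"})


if __name__ == "__main__":
    print("posted request      ->", select_chain(POSTED_REQUEST))
    print("login-server request ->", select_chain(LOGIN_SERVER_REQUEST))
    print("oauth.login present? ", has_required_scopes(["openid", "oauth.login"]))
```

Granting oauth.login to a client therefore only changes the outcome for requests that arrive with such a bearer token and the source=login / add_new parameters; a plain password grant like the posted one still has to present the correct client secret over HTTP Basic.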