The client needs to obtain a token from the UAA server, but when I send the request I always get the following error:
org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48d8d90a: Principal: admin-portal-ui; Credentials: [PROTECTED]; Authenticated: false; Details: remoteAddress=127.0.0.1, clientId=admin-portal-ui; Not granted any authorities]
The UAA server log looks like this:
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/uaa/oauth/token'; '/uaa/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: CORS Processing request: URI: /uaa/oauth/token; Scheme: http; Host: localhost; Port: 8080; Origin: http://localhost:81; Method: POST
[2016-11-21 18:40:57.008] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: Request cross origin request has passed validation.
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/token response_type:token
[2016-11-21 18:40:57.012] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'tokenEndpointSecurity' processing request POST /uaa/oauth/token
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=admin-portal-ui, origin=[127.0.0.1], identityZoneId=[uaa]
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=admin-portal-ui, origin=[remoteAddress=127.0.0.1, clientId=admin-portal-ui], identityZoneId=[uaa]
[2016-11-21 18:40:57.095] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2] .... DEBUG --- CorsFilter: CORS processing completed for: URI: /uaa/oauth/token; Scheme: http; Host: localhost; Port: 8080; Origin: http://localhost:81; Method: POST Status:401
Here is login-server-security.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">
<oauth:resource-server id="oauthResourceAuthenticationFilter" token-services-ref="tokenServices"
resource-id="oauth" entry-point-ref="oauthAuthenticationEntryPoint" />
<http name="secFilterLoginServerAuthenticate" request-matcher-ref="loginAuthenticateRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<!-- scope authentication filter configured with a scope authentication manager -->
<custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="loginAuthenticateRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/authenticate" />
<property name="accept" value="application/json" />
<property name="headers">
<map>
<entry key="Authorization" value="bearer " />
</map>
</property>
</bean>
<sec:http name="secFilterAuthenticateOpen" pattern="/authenticate/**" security="none" />
<http name="secFilterLoginServerAuthorize" request-matcher-ref="loginAuthorizeRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<!-- scope authentication filter configured with a scope authentication manager -->
<custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
<custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="loginAuthorizeRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="accept" value="application/json" />
<property name="parameters">
<map>
<entry key="source" value="login" />
</map>
</property>
</bean>
<http name="secFilterLoginServerToken" request-matcher-ref="loginTokenRequestMatcher" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<!--
This represents a /oauth/token requests that gets passed through
from the login server. It assumes that the User has been authenticated
It requires that:
- userid parameter exists
- client_id and client_secret are present
- Bearer token belongs to login server (oauth.login) validated as resource="oauth"
-->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<!-- the oauthResourceAuthenticationFilter validates the Bearer token
TODO, if there is no token this filter must throw.
What we need is scope=oauth.login
-->
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<!-- scope authentication filter configured with a scope authentication manager -->
<custom-filter ref="oauthLoginScopeAuthenticatingFilter" after="PRE_AUTH_FILTER"/>
<!-- filter to validate the client_id and client_secret -->
<custom-filter ref="loginClientParameterAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<!-- The loginServerTokenEndpointAuthenticationFilter validates the user or creates one-->
<custom-filter ref="loginServerTokenEndpointAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="oauthLoginScopeAuthenticatingFilter" class="org.cloudfoundry.identity.uaa.authentication.manager.ScopeAuthenticationFilter">
<property name="authenticationManager" ref="oauthLoginAuthManager"/>
</bean>
<bean id="oauthLoginAuthManager" class="org.cloudfoundry.identity.uaa.authentication.manager.ScopeAuthenticationManager">
<property name="requiredScopes">
<list>
<value type="java.lang.String">oauth.login</value>
</list>
</property>
</bean>
<bean id="loginTokenRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/token" />
<property name="accept" value="application/json" />
<property name="headers">
<map>
<entry key="Authorization" value="bearer " />
</map>
</property>
<property name="parameters">
<map>
<entry key="source" value="login" />
<entry key="grant_type" value="password" />
<entry key="add_new" value="" />
</map>
</property>
</bean>
<bean id="loginServerTokenEndpointAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.LoginServerTokenEndpointFilter">
<constructor-arg ref="loginAuthenticationMgr" />
<constructor-arg ref="authorizationRequestManager"/>
<constructor-arg ref="addNewUserParameters"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
</bean>
<bean id="loginClientParameterAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.LoginClientParametersAuthenticationFilter">
<property name="clientAuthenticationManager" ref="clientAuthenticationManager"/>
</bean>
<!-- Support for older login servers -->
<http name="secFilterLoginServerAuthorizeOld" request-matcher-ref="loginAuthorizeRequestMatcherOld" create-session="always" entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="loginAuthenticationMgr" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="loginAuthorizeRequestMatcherOld" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="accept" value="application/json" />
<property name="parameters">
<map>
<entry key="login" value="{" />
</map>
</property>
</bean>
<!-- End support for older login servers -->
<util:list id="addNewUserParameters" value-type="java.lang.String">
<value>login</value>
<value>username</value>
<value>user_id</value>
<value>origin</value>
<value>given_name</value>
<value>family_name</value>
<value>email</value>
<value>authorities</value>
</util:list>
<bean id="loginAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.AuthzAuthenticationFilter">
<constructor-arg ref="loginAuthenticationMgr" />
<property name="parameterNames" ref="addNewUserParameters"/>
</bean>
<bean id="loginAuthenticationMgr" class="org.cloudfoundry.identity.uaa.authentication.manager.LoginAuthenticationManager">
<property name="userDatabase" ref="userDatabase" />
</bean>
<bean class="org.cloudfoundry.identity.uaa.authentication.RemoteAuthenticationEndpoint">
<constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
<property name="loginAuthenticationManager" ref="loginAuthenticationMgr"/>
</bean>
<bean id="codeStore" class="org.cloudfoundry.identity.uaa.codestore.JdbcExpiringCodeStore">
<constructor-arg ref="dataSource" />
</bean>
<bean id="passwordResetEndpoints" class="org.cloudfoundry.identity.uaa.account.PasswordResetEndpoint">
<constructor-arg ref="resetPasswordService"/>
<property name="messageConverters">
<list>
<bean class="org.cloudfoundry.identity.uaa.web.ExceptionReportHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</list>
</property>
<property name="codeStore" ref="codeStore"/>
</bean>
<bean id="changeEmailEndpoints" class="org.cloudfoundry.identity.uaa.scim.endpoints.ChangeEmailEndpoints">
<constructor-arg ref="scimUserProvisioning"/>
<constructor-arg ref="codeStore"/>
<constructor-arg ref="clientDetailsService"/>
</bean>
<http name="secFilterLoginServerPasswordEndpoints" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
access-decision-manager-ref="accessDecisionManager" pattern="/password_*" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="scope=oauth.login" />
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<http name="secFilterLoginServerEmailEndpoints" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
access-decision-manager-ref="accessDecisionManager" pattern="/email_*" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="scope=oauth.login" />
<custom-filter ref="oauthResourceAuthenticationFilter" position="PRE_AUTH_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
</beans>
There is a configuration file, uaa.yml, as follows:
login:
#Disable create account and forgot password links on the Login Server
selfServiceLinksEnabled: false
# Configure branding for the UAA
branding:
companyName: Consent2Share
productLogo: <base64-encoded PNG omitted>
#Configure to enable to limit login failure attempts
authentication:
policy:
lockoutAfterFailures: 5
countFailuresWithinSeconds: 3600
lockoutPeriodSeconds: 600
# Patient User will use the e-mail server configured in this section to send e-mails
# Please configure valid e-mail server below to connect to SMTP server
# Configure host, port, username and password per environment
smtp:
host: ${UAA_SMTP_HOST}
port: ${UAA_SMTP_PORT}
user: ${UAA_SMTP_USER}
password: ${UAA_SMTP_PASSWORD}
javaMailProperties:
mail:
smtp:
auth: true
starttls:
enable: true
ssl:
trust: ${UAA_SMTP_HOST}
debug: true
spring_profiles: mysql # default is empty
database:
driverClassName: org.mariadb.jdbc.Driver # only if spring_profiles=mysql
url: jdbc:mysql://${C2S_DB_HOST:localhost}:${C2S_DB_PORT:3306}/uaa # only if spring_profiles=mysql
username: root # only if spring_profiles=mysql
password: ${UAA_DB_PASSWORD:wtzhou} # only if spring_profiles=mysql
oauth:
clients:
admin:
secret: adminsecret
authorized-grant-types: client_credentials
scope: uaa.none
authorities: uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin
cf: # this client is needed for cf cli and uaac cli to act on user's behalf
authorized-grant-types: implicit,password,refresh_token
scope: uaa.user,cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,cloud_controller.admin,scim.read,scim.write
authorities: uaa.none
autoapprove: true
patient-portal-ui:
authorized-grant-types: password
#secret: changeit
secret: loginsecret
scope: openid,phr.hie_read,phr.hie_write,phr.patient_read,pcm.provider_read,pcm.provider_create,pcm.provider_delete,pcm.consent_read,pcm.consent_create,pcm.consent_update,pcm.consent_delete,pcm.consent_sign,pcm.consent_revoke,pcm.clinicalDocument_read,pcm.clinicalDocument_create,pcm.clinicalDocument_delete,pcm.activity_read,ppUI.access,tryPolicy.clinicalDocument_read
authorities: uaa.resource
admin-portal-ui:
authorized-grant-types: password
secret: loginsecret
scope: openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access,pep.patient_read
authorities: uaa.resource
patient-user:
secret: loginsecret
authorized-grant-types: client_credentials
scope: uaa.none
authorities: phr.patient_read,phr.allPatientProfiles_read,scim.write,scim.read,scim.create,uaa.admin
azhec-hie:
secret: loginsecret
authorized-grant-types: client_credentials
scope: uaa.none
authorities: pep.patient_read
sysadmin:
secret: loginsecret
authorized-grant-types: client_credentials
scope: uaa.none
authorities: patientUser.scope_assign,scim.write,scim.read,scim.create,uaa.admin
scim:
groups:
phr.hie_read: Access your health information
phr.hie_write: Add your health information
phr.patient_read: Access the patient details
pcm.provider_read: Access provider from list
pcm.provider_create: Create new provider
pcm.provider_delete: Delete provider from list
pcm.consent_read: Access and display your consent
pcm.consent_create: Add new consent
pcm.consent_update: Update current consent
pcm.consent_delete: Delete a consent
pcm.consent_sign: Sign consent
pcm.consent_revoke: Revoke current consent
pcm.clinicalDocument_read: Access and display clinical document
pcm.clinicalDocument_create: Create new clinical document
pcm.clinicalDocument_delete: Delete current clinical document
pcm.activity_read: Access the patient activity history
ppUI.access: Access patient portal UI
pep.patient_read: Access policy enforcement point
tryPolicy.clinicalDocument_read: View policies applied on clinical document
patientUser.scope_assign: Allows Sysadmin to assign scopes to users
users:
# Configure additional c2s staff admin(users) as:
# - EmailId | password | EmailId | FirstName | LastName | <Comma separated list of permissions>
# For example: - consent2share@gmail.com|admin|consent2share@gmail.com|admin|admin|openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access
- consent2share@gmail.com|admin|consent2share@gmail.com|admin|admin|openid,scim.write,scim.read,scim.create,phr.allPatientProfiles_read,phr.hie_write,phr.allPatients_read,phr.patient_read,registration.write,uaa.admin,patientUser.read,patientUser.write,adminUI.access
# C2S_APP_HOST and C2S_APP_PORT are related to edge server api
c2s:
uaa:
host: http://${C2S_APP_HOST:localhost}:${C2S_APP_PORT:81}/uaa
jwt:
token:
verification-key: |
<PEM public key omitted>
signing-key: |
<PEM RSA private key omitted>
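I have been trying to find the cause for a long time, but I still can't work it out. Can anyone help me figure out the root cause of the error? Any reply would be greatly appreciated!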
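The two `Audit:` lines in the server log above carry the event type, the principal and the origin of each failed authentication. As an added example (not part of the original post and not UAA code), the following Python parses lines of that shape and flags repeated failures per principal and remote address; the sample lines are constructed, and the threshold of 5 failures within 3600 seconds is borrowed from the posted uaa.yml purely as an assumed alerting threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the "Audit:" lines in the UAA server log quoted in the question.
AUDIT_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\].*?"
    r"Audit: (?P<event>\w+) \('(?P<message>[^']*)'\): "
    r"principal=(?P<principal>[^,]+), "
    r"origin=\[(?P<origin>[^\]]*)\], "
    r"identityZoneId=\[(?P<zone>[^\]]*)\]"
)


def parse_audit_line(line):
    """Return a dict for an Audit line, or None for any other log line."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    # origin is either a bare address or a "key=value, key=value" list.
    origin = {}
    for part in rec["origin"].split(","):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            origin[key] = value
        elif part:
            origin["remoteAddress"] = part
    rec["origin"] = origin
    return rec


def repeated_failures(lines, threshold=5, window_seconds=3600):
    """Alert once when a principal/address pair reaches `threshold` failures
    inside a sliding window. The defaults are assumed alerting values."""
    recent = defaultdict(deque)  # (principal, address) -> failure timestamps
    seen = set()
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not rec["event"].endswith("AuthenticationFailure"):
            continue
        key = (rec["principal"], rec["origin"].get("remoteAddress"))
        # One rejected request is logged as two events with the same
        # timestamp (Principal... and Client...); count it once.
        if (key, rec["ts"]) in seen:
            continue
        seen.add((key, rec["ts"]))
        times = recent[key]
        times.append(rec["ts"])
        while (rec["ts"] - times[0]).total_seconds() > window_seconds:
            times.popleft()
        if len(times) == threshold:
            alerts.append({"principal": key[0], "remoteAddress": key[1],
                           "count": len(times),
                           "first": times[0], "last": times[-1]})
    return alerts


def sample_line(ts, event, msg, principal, origin):
    """Build a constructed log line in the format shown in the question."""
    return (f"[{ts}] cloudfoundry-identity-server - ???? [http-apr-8080-exec-2]"
            f" .... INFO --- Audit: {event} ('{msg}'): principal={principal},"
            f" origin=[{origin}], identityZoneId=[uaa]")


# Constructed sample: five rejected token requests, one minute apart.
SAMPLE = []
for i in range(5):
    stamp = f"2016-11-21 18:4{i}:57.095"
    SAMPLE.append(sample_line(stamp, "PrincipalAuthenticationFailure", "null",
                              "admin-portal-ui", "127.0.0.1"))
    SAMPLE.append(sample_line(stamp, "ClientAuthenticationFailure",
                              "Bad credentials", "admin-portal-ui",
                              "remoteAddress=127.0.0.1, clientId=admin-portal-ui"))
SAMPLE.append(sample_line("2016-11-21 18:44:58.000", "ClientAuthenticationFailure",
                          "Bad credentials", "patient-portal-ui",
                          "remoteAddress=127.0.0.1, clientId=patient-portal-ui"))
SAMPLE.append("[2016-11-21 18:45:00.000] cloudfoundry-identity-server - ???? "
              "[http-apr-8080-exec-2] .... DEBUG --- CorsFilter: done")

if __name__ == "__main__":
    for alert in repeated_failures(SAMPLE):
        print(alert)
```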
Answer 0 (score: 0)
I think you need to add some authorities to the client you are using (admin-portal-ui). Most likely you need to add oauth.login.
See the sample client XML, oauth-clients.xml, in the UAA repo on GitHub.
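You probably need something similar to the login client. In that XML you can find more authorities that are added to the login client. You can try adding all of them.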
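Another point you may want to check, if you are trying to get a token on behalf of a user without a password, is the user's origin. In that case the origin cannot be uaa.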