Spring OAuth2 401 Unauthorized when trying to get an access token at the oauth/token endpoint

Time: 2016-12-26 20:32:24

Tags: spring oauth-2.0 http-status-code-401

I am new to OAuth2, and when trying to obtain an access token through the password grant flow I get a 401 Unauthorized. My UserDetailsService is implemented with a MySQL database backend, but the loadUserByUsername method is never hit before I receive the 401 Unauthorized message, so I think the problem may be in my OAuth2 configuration. My AuthorizationConfigurerAdapter is as follows:

...imports

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${signing-key:oui214}")
    private String signingKey;

    public AuthorizationServerConfig() {
        super();
    }

    // beans

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setSigningKey(signingKey);
        return jwtAccessTokenConverter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore());
        return tokenServices;
    }

    // config

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients.inMemory()
               .withClient("password-flow-client")
               .secret("publicpass")
               .authorizedGrantTypes("password")
               .scopes("qlc-webapp")
               .accessTokenValiditySeconds(3600 * 12);
        // @formatter:on
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {

        // @formatter:off
        // note: tokenEnhancerChain is not declared anywhere in the posted class
        endpoints.tokenStore(tokenStore()).
        tokenEnhancer(tokenEnhancerChain).
        authenticationManager(authenticationManager);

        endpoints.tokenStore(tokenStore()).
        authenticationManager(authenticationManager).
        userDetailsService(userDetailsService).
        allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST).
        accessTokenConverter(accessTokenConverter());
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("permitAll()");
        super.configure(security);
    }

}

My ResourceConfigurerAdapter is as follows:

...imports


@Configuration
@EnableResourceServer
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan({ "org.quickloanconnect.spring.security" })
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${signing-key:oui214}")
    private String signingKey;

    public ResourceServerConfig() {
        super();
    }

    // global security concerns

    @Bean
    public AuthenticationProvider authProvider() {
        final DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        return authProvider;
    }

    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authProvider());
    }

    // http security concerns

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // @formatter:off
        http.
        authorizeRequests().
        // antMatchers("/oauth/token").permitAll().
        anyRequest().authenticated().and().

        sessionManagement().
        sessionCreationPolicy(SessionCreationPolicy.STATELESS).
        and().
        csrf().disable();
        // @formatter:on
    }

}

My MyUserDetailsService implementation of UserDetailsService:

@Component
public final class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private IUsersService userService;

    public MyUserDetailsService() {
        super();
    }

    @Override
    public final UserDetails loadUserByUsername(final String username) {
        Preconditions.checkNotNull(username);

        final User user = userService.findUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("Username was not found: " + username);
        }

        // no authorities are granted here; the password is passed through as stored
        return new org.springframework.security.core.userdetails.User(username,
                user.getPassword(), Lists.newArrayList());
    }
}

I was using an inMemory user setup (there was no user details service at the time), but after switching to the userDetailsService backend and removing my in-memory user, my configuration no longer seems to work and I get 401 Unauthorized. Does my configuration need to change now that I am using a UserDetailsService? Am I missing something?
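A client-side check for the password grant described in the question, added here as an example and not part of the original post: it sends the request the way the posted ClientDetailsServiceConfigurer expects it (client credentials via HTTP Basic, resource-owner credentials in the form body, scope qlc-webapp) and decodes the claims of the JWT that comes back. In Spring Security OAuth2 the token endpoint authenticates the client before the password granter ever calls the AuthenticationManager, so a 401 returned before loadUserByUsername runs points at client authentication or at a filter chain in front of /oauth/token rather than at the user store. The host, port and user credentials are assumptions.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Client id, secret and scope are the ones registered in the posted
# ClientDetailsServiceConfigurer; host and port are assumptions.
TOKEN_URL = "http://localhost:8080/oauth/token"
CLIENT_ID, CLIENT_SECRET, SCOPE = "password-flow-client", "publicpass", "qlc-webapp"

def build_token_request(username, password):
    """Password grant as Spring Security OAuth2 expects it: the client
    authenticates with HTTP Basic, the resource owner's credentials go in the
    form body. Returns (headers, urlencoded_body)."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": SCOPE})
    return headers, body

def decode_jwt_claims(token):
    """Claims of a JWT without signature verification: for inspecting scope
    and expiry on the client only, never for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def request_token(username, password):
    """POST to /oauth/token and return (http_status, response_body).
    A 401 here comes from client authentication (or a filter chain in front of
    /oauth/token), which runs before the password granter calls
    loadUserByUsername; a wrong user password comes back as 400 invalid_grant."""
    headers, body = build_token_request(username, password)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw.decode(errors="replace")

if __name__ == "__main__":
    status, data = request_token("alice", "alice-password")  # constructed user
    print(status, decode_jwt_claims(data["access_token"]) if status == 200 else data)
```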

0 answers:

No answers