未授权:在 SecurityContext 中未找到 Authentication 对象

时间:2017-04-03 05:25:48

标签: spring oauth-2.0

我正在我的项目中实现spring oauth2。当我访问url时     http://localhost:8080/oauth/token?grant_type=password&client_id=nokia3320&client_secret=0987654321&username=subash&password=123456

我收到了以下回复

{
 "access_token": "701f6e72-932e-4600-ad95-17c8734693b9",
 "token_type": "bearer",
 "refresh_token": "57e28f59-ffef-4361-9bdd-a9927767252c",
 "expires_in": 499,
 "scope": "read trust write"
}

当我尝试使用Url访问受保护资源时     http://localhost:8080/Api/currencyList?access_token=701f6e72-932e-4600-ad95-17c8734693b9

它给出了

{
  "error": "invalid_token",
  "error_description": "Invalid access token: 701f6e72-932e-4600-ad95-17c8734693b9"
}

当我尝试通过在Authorization标头中发送access_token来访问受保护资源时,我收到了以下错误:

{
 "error": "unauthorized",
 "error_description": "An Authentication object was not found in the SecurityContext"
 }

我的oauth2安全配置是:

<!-- Default URL provided by spring to get the token(access and refresh) from oauth -->
<!-- Token endpoint chain. It is stateless and authenticates the *client* (not the user) against
     clientAuthenticationManager, which is backed by the clientDetails registry. Two ways in:
     HTTP Basic (http-basic below) or client_id/client_secret request parameters (the custom filter).
     Request-parameter credentials end up in URLs, proxy and access logs, so HTTP Basic over TLS is
     the safer of the two options this chain accepts. -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <!-- Using this to authenticate client using request parameter -->
    <custom-filter ref="clientCredentialsTokenEndPointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
 </http>

 <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
      separately. This isn't mandatory, but it makes it easier to control the behaviour -->
 <!-- Resource chain for /Api/**: no session and no anonymous principal, so a request only satisfies
      ROLE_ADMIN if resourceServerFilter put an authenticated token into the SecurityContext first.
      When no token is extracted at all, the interceptor rejects the request and
      oauthAuthenticationEntryPoint renders the "unauthorized / Authentication object was not found"
      body seen in the question. NOTE(review): the access_token query parameter in the question did
      reach token validation (it failed with invalid_token), so the header attempt most likely was not
      recognised as a bearer token; Spring's default extractor expects "Authorization: Bearer" followed
      by the token. Also confirm the servlet path really starts with /Api, otherwise this chain is
      never selected. -->
<http pattern="/Api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
   <anonymous enabled="false"/>
   <intercept-url pattern="/Api/**" access="ROLE_ADMIN"/>
   <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
   <access-denied-handler ref="oauthAccessDeniedHandler"/>
 </http>

<!-- Resource-owner authentication, presumably picked up by the password grant through the
     "authenticationManager" alias. A single in-memory user with a plaintext password and ROLE_ADMIN
     (the role /Api/** requires). The password encoder below is commented out, so the stored value is
     compared as clear text; a real deployment should use a user-service-ref backed by a store plus a
     password encoder rather than credentials hard-coded in this file. -->
<authentication-manager alias="authenticationManager">
    <authentication-provider><!-- user-service-ref="userDetailService" -->
        <user-service>
           <user name="subash" password="123456" authorities="ROLE_ADMIN"/>
        </user-service>
        <!-- Encoder intentionally disabled in this sample; re-enable together with hashed passwords.
        <password-encoder ref="passwordEncoder">
        </password-encoder> -->
    </authentication-provider>
</authentication-manager>

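<!-- OAuth Client Details -->
<!-- Registered clients. Grant types are limited to what this configuration actually serves:
     password (the only grant enabled on the authorization server) plus refresh_token, which
     tokenService issues (supportRefreshToken=true). authorization_code, implicit and
     client_credentials are not configured on the server, so listing them only widened what a leaked
     client secret could request. resource-ids binds each client to the "test" resource id declared on
     the resource server, so the filter's resource-id check is actually enforced.
     Secrets are stored in clear text here; treat this file as sensitive. -->
<oauth:client-details-service id="clientDetails">
   <oauth:client client-id="android5.5" secret="1234567890"
                 authorized-grant-types="password,refresh_token"
                 resource-ids="test"
                 authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/>
   <oauth:client client-id="nokia3320" secret="0987654321"
                 authorized-grant-types="password,refresh_token"
                 resource-ids="test"
                 authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/>
</oauth:client-details-service>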

 <!-- This defined token store, we have used in memory token store for now but this can be changed to a user defined one -->
 <!-- Used by tokenService, and therefore by both the authorization server (issuing, /oauth/token) and
      resourceServerFilter (validating, /Api/**). Tokens live only in this JVM and are lost on restart.
      NOTE(review): an in-memory store only works while exactly one instance exists. If this file is
      loaded by both the root context and the DispatcherServlet context, each gets its own store and a
      token issued through one copy is "invalid_token" to the other; confirm how the config is
      imported before looking elsewhere for the error in the question. -->
 <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>

 <!-- Load User By User name -->
 <!-- Adapts the clientDetails registry to the UserDetailsService contract so that
      clientAuthenticationManager (below) can authenticate a client by client-id and secret the same
      way a user would be authenticated. -->
 <beans:bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetails"/>
 </beans:bean>

 <!-- This is where we defined token based configurations, token validity and other things -->
 <!-- Shared by the authorization server and the resource server, so both see the same tokenStore.
      Access tokens expire after 500 s (the expires_in value in the token response above);
      supportRefreshToken=true is why that response also carries a refresh_token. No
      refreshTokenValiditySeconds is set, so the library default applies to refresh tokens. -->
 <beans:bean id="tokenService" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
   <beans:property name="tokenStore" ref="tokenStore"/>
   <beans:property name="accessTokenValiditySeconds" value="500"/>
   <beans:property name="clientDetailsService" ref="clientDetails"/>
   <beans:property name="supportRefreshToken" value="true"/>
 </beans:bean>

 <!-- It Determine whether a given client authentication request has been approved by user or not -->
 <!-- TokenStoreUserApprovalHandler : A user approval handler that remembers approval decisions by consulting existing tokens -->
 <!-- Looks up prior approvals in tokenStore and parses requests through oauth2RequestFactory.
      Wired into the authorization server below; with only the password grant enabled it is
      presumably not exercised by the flow in the question (approval belongs to the interactive grants). -->
 <beans:bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <beans:property name="tokenStore" ref="tokenStore"/>
    <beans:property name="requestFactory" ref="oauth2RequestFactory"/>
 </beans:bean>


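 <!-- Server issuing access token to the client after successfully authenticating the resource owner and obtaining authorization -->
 <!-- Only the password and refresh_token grants are enabled. refresh_token is enabled because
      tokenService issues refresh tokens (supportRefreshToken=true) and the registered clients list
      that grant; with the granter disabled the refresh_token returned by /oauth/token could never be
      redeemed. authorization_code, implicit and client_credentials stay disabled on purpose;
      userApprovalHandler only matters for the interactive grants. -->
 <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenService"
                             user-approval-handler-ref="userApprovalHandler">
     <oauth:password/>
     <oauth:refresh-token/>
 </oauth:authorization-server>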

 <!-- Authenticates OAuth clients (client-id and secret) for the /oauth/token chain, backed by
      clientDetailsUserDetailsService, i.e. the clientDetails registry. Deliberately separate from
      the resource-owner "authenticationManager" above. -->
 <authentication-manager id="clientAuthenticationManager">
     <authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
 </authentication-manager>

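 <!-- Include this if you need to authenticate client via request parameter -->
 <!-- Authenticates the client from client_id/client_secret request parameters on /oauth/token
      (the alternative to HTTP Basic, which the chain also accepts). allowOnlyPost makes the filter
      reject GET requests carrying the secret, so client credentials (and, for the password grant,
      the user's password) do not travel in a URL that proxies and access logs record. Token
      requests must therefore be sent as a POST with the parameters in the body. -->
 <beans:bean id="clientCredentialsTokenEndPointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="clientAuthenticationManager" />
    <beans:property name="allowOnlyPost" value="true" />
</beans:bean>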

 <!-- Server hosting the protected resource ,capable of accepting and responding to protected resource request using access tokens -->
 <!-- Creates the filter plugged into the /Api/** chain as resourceServerFilter. It validates incoming
      tokens through the same tokenService (and so the same tokenStore) that issued them; a token it
      cannot find there yields the "invalid_token" body in the question. NOTE(review): resource-id="test"
      is, as far as the library's check goes, only enforced against clients that declare resource-ids;
      the clients above declare none, so as configured every client may use any resource. -->
 <oauth:resource-server id="resourceServerFilter" resource-id="test" token-services-ref="tokenService"/>

 <!-- Authentication Entry Point -->
 <!-- Entry point of the /Api/** chain: when the interceptor finds no authentication it renders an
      OAuth2 JSON error body with a challenge for realm "test" (the "unauthorized" response in the
      question). -->
 <beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
   <beans:property name="realmName" value="test" />
 </beans:bean>

 <!-- Entry point for the /oauth/token chain's HTTP Basic client authentication: realm "test/client"
      and scheme "Basic" (typeName), as opposed to the bearer challenge used for resources. -->
 <beans:bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="test/client" />
    <beans:property name="typeName" value="Basic" />
 </beans:bean>

<!-- Access Denied Handler -->
<!-- Renders an OAuth2-style error response when an authenticated caller lacks the required role or
     scope; shared by both http chains above. -->
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

<!-- This beans prepares oauth2Request using incoming request parameter -->
<!-- Builds OAuth2Request objects from request parameters, resolving the client through the
     clientDetails registry; referenced by userApprovalHandler. -->
<beans:bean id="oauth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
  <beans:constructor-arg ref="clientDetails"/>
</beans:bean>

<!-- Access Decision Manager -->
<!-- Unanimous voting for the /Api/** chain (access-decision-manager-ref above). Three voters:
     ScopeVoter for SCOPE_* attributes, RoleVoter for ROLE_* attributes (the ROLE_ADMIN rule) and
     AuthenticatedVoter for IS_AUTHENTICATED_* attributes. NOTE(review): in Spring's implementation
     each voter abstains on attribute types it does not handle, so a request passes only if no voter
     denies. The redundant default beans namespace on the outer element was dropped; every child is
     already prefixed. -->
<beans:bean id="accessDecisionManager"
            class="org.springframework.security.access.vote.UnanimousBased">
  <beans:constructor-arg>
    <beans:list>
      <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
      <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
      <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    </beans:list>
  </beans:constructor-arg>
</beans:bean>

我怎么能解决这个问题?
