Oauth 2 + Spring Security - 获取403 Forbidden Error

Question

我使用Spring框架创建了一个简单的Web应用程序客户端。我使用OAuth2RestTemplate来调用需要TLS / SSL连接的第三方REST服务。我已将Tomcat配置为使用HTTPS端口并指定我创建的密钥库文件。我还在第三方资源提供商的Tomcat localhost上注册了我的客户端应用程序。我有我在安全配置XML文件中指定的客户端ID，密码和其他详细信息。我在注册我的网络客户端时选择了“授权代码授予类型”。

当我发出请求时，我被重定向到我的Web客户端的表单登录。在那里进行身份验证后，我被重定向到第三方资源提供者站点以验证用户身份。当我输入用户名和密码时，我会看到我需要授权或拒绝请求的页面。在此之后我得到403禁止错误。当我检查第三方REST服务提供商站点时，我可以看到为我的POST请求生成了令牌。日志也表示与Http代码相同200 Ok。但是我相信在使用令牌访问资源时，我收到403 Forbidden错误使用我的请求的Get调用。

我花了很长时间调试和研究这个问题，但到目前为止没有运气。任何帮助将不胜感激！

以下是我的一些代码段。

security-config.xml：

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"

    xsi:schemaLocation="
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/security/oauth2 
        http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <authentication-manager>
        <authentication-provider>
            <user-service>          
                <user name="mm" password="mm" authorities="ROLE_MAIL_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>


    <http pattern="/**">

        <intercept-url pattern="/login.jsp" access="permitAll()" requires-channel="https"/>
        <intercept-url pattern="/css/**" access="permitAll()"  requires-channel="https"/>       
        <intercept-url pattern="/images/**" access="permitAll()"  requires-channel="https"/>        

        <intercept-url pattern="/login" access="permitAll()" requires-channel="https"/>
    <!--    <intercept-url pattern="/**" access="hasRole('ROLE_MAIL_USER')" requires-channel="https"/> -->

        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=1"
                    login-processing-url="/login"/>

        <logout logout-success-url="/build-newsletter.html"/>

        <csrf/>

    <port-mappings>
        <port-mapping http="8080" https="8443" />
    </port-mappings>

        <custom-filter ref="leg1Filter" after="EXCEPTION_TRANSLATION_FILTER"/>

    </http>

    <oauth2:resource id="tResource" client-id="myclientid"
                                      user-authorization-uri="https://thirdpartyhost/sss/authorize"
                                      access-token-uri="https://thirdpartyhost/oauth2/sss/token"
                                      client-secret="somesecret"
                                      type="authorization_code"
                                      scope="read,write"/>

    <oauth2:rest-template id="tOAuthTemplate" resource="tResource"/>

    <oauth2:client id="leg1Filter"/>

</beans:beans>

我的控制器：

@Controller
public class TAppController 
{   
    String endPoint = rest api endpoint;

    @Autowired
    private OAuth2RestTemplate tOAuthTemplate;

        @RequestMapping("/tEventDetails.html")
        public ModelAndView getEventDetails() {
        List<TEventData> tEventData = (List<TEventData>) tOAuthTemplate.getForObject(endPoint + "tEvents", TEvent.class).getData();

    return new ModelAndView("/tDetailsPage.jsp", "tDetails", tEventData);
    }
    }

重定向到：

以下是日志中的一些片段：

13:10:34,957 DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory:449 - Creating instance of bean 'scopedTarget.org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest#1'
13:10:34,960 DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory:477 - Finished creating instance of bean 'scopedTarget.org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest#1'
13:10:34,968 DEBUG org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider:159 - Retrieving token from *****thirdpartyhost/oauth2/ss/token
13:10:34,982 DEBUG org.springframework.web.client.RestTemplate:78 - Created POST request for "https://thirdpartyhost/ss/super/token"
13:10:34,983 DEBUG org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider:221 - Encoding and sending form: {grant_type=[authorization_code], code=[cjtjlstkw7uzt7rvim0xq3ogl], redirect_uri=[****localhost:8443/mm/tDetails.html]}
***13:10:35,383 DEBUG org.springframework.web.client.RestTemplate:569 - POST request for "***thirdpartyhost/ss/oauth2/token" resulted in 200 (OK)
13:10:35,403 DEBUG*** org.springframework.web.client.HttpMessageConverterExtractor:92 - Reading [interface org.springframework.security.oauth2.common.OAuth2AccessToken] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4997b84c]
13:10:35,600 DEBUG org.springframework.security.oauth2.client.OAuth2RestTemplate:78 - Created GET request for "*****thirdpartyhost/v7/ss/me/tEvents?limit=5"
13:10:35,628 DEBUG org.springframework.security.oauth2.client.OAuth2RestTemplate:669 - Setting request Accept header to [application/json, application/*+json]
13:10:35,797  WARN ***org.springframework.security.oauth2.client.OAuth2RestTemplate:581 - GET request for "****thirdpartyhost/v7/ss/tEvents" resulted in 403 (Forbidden); invoking error handler***
13:10:35,804 DEBUG org.springframework.web.client.HttpMessageConverterExtractor:92 - Reading [class org.springframework.security.oauth2.common.exceptions.OAuth2Exception] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@161bd9ce]
13:10:35,806 DEBUG org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerExceptionResolver:134 - Resolving exception from handler [com.pvp.webcontrollers.TCERefAppController@4c233b11]: org.springframework.web.client.HttpClientErrorException: 403 Forbidden
13:10:35,807 DEBUG org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver:134 - Resolving exception from handler [com.pvp.webcontrollers.TCERefAppController@4c233b11]: org.springframework.web.client.HttpClientErrorException: 403 Forbidden
13:10:35,807 DEBUG org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver:134 - Resolving exception from handler [com.pvp.webcontrollers.TRefAppController@4c233b11]: org.springframework.web.client.HttpClientErrorException: 403 Forbidden
13:10:35,807 DEBUG org.springframework.web.servlet.DispatcherServlet:984 - Could not complete request
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
at org.springframework.security.oauth2.client.http.OAuth2ErrorHandler.handleError(OAuth2ErrorHandler.java:165)
at org.springframework.web.client.RestTemplate.handleResponseError(RestTemplate.java:588)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:546)
at org.springframework.security.oauth2.client.OAuth2RestTemplate.doExecute(OAuth2RestTemplate.java:128)

从日志中我可以看到获取令牌以交换授权代码的POST请求成功。但是当我从GET请求访问资源服务器的资源/数据时，我得到403禁止错误。

Answer 1

我能够解决这个问题。我在服务提供商处注册的客户端没有定义正确的类别/组。他们的所有Web服务都是按特定的产品区域定义的。