我的api /登录帖子在带有spring-security的grails 3上未经授权

Question

我正在尝试使用access_token授权执行Simple Grails RESTFUL API。

我正在关注一个示例，因为它是在教程上，但在这种情况下，我无法继续，因为我的localhost：8080 / api / login url，我应该用来获取access_token，不起作用。

我首先创建了我的grails 3 api：

grails create-app --profile rest-api --features hibernate5，json-views，security

这些是我的安全域类：

我没有触摸它们，它们是由Spring Security s2-quickstart coopoliova.backend.security用户角色命令创建的。

这是我的application.groovy

grails.plugin.springsecurity.filterChain.chainMap = [
        //Stateless chain
        [
                pattern: '/**',
                filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
        ],

        //Traditional, stateful chain
        [
                pattern: '/stateful/**',
                filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
        ]
]


// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName =       'coopoliva.backend.security.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName =    'coopoliva.backend.security.UserRole'
grails.plugin.springsecurity.authority.className =                  'coopoliva.backend.security.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',               access: ['permitAll']],
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/index',          access: ['permitAll']],
    [pattern: '/index.gsp',      access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']],
    [pattern: '/api/rest', access: ['permitAll']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/**',             filters: 'JOINED_FILTERS']
]

所以，我在bootstrap上创建了几个用户，如下所示：

def init = { servletContext ->

    def adminUser = new User(username: "adminuser",
            password: "1234", enabled: true);
    adminUser.save(flush:true)

    def userUser = new User(username: "useruser",
            password: "1234", enabled: true);
    userUser.save(flush:true)

    def userRole = Role.findByAuthority("ROLE_USER") ?: new Role("ROLE_USER")
    def adminRole = Role.findByAuthority("ROLE_ADMIN") ?: new Role("ROLE_ADMIN")

    userRole.save(flush:true)
    adminRole.save(flush:true)

    UserRole.create(adminUser, adminRole)
    UserRole.create(userUser, userRole)


}

所以，理论上;如果我使用凭据用户名发送POST请求：“useruser”，密码：“1234”，它应该可以工作。

但是，这种情况发生了：

401 UNAUTHORIZED！

所以...为什么会这样？我只需要access_token，这样我就可以通过所有其他请求传递它。

提前致谢！

Answer 1

您需要允许访问您的登录URL

[pattern: 'api/login/**', access: ['permitAll']]

另外，你有重复的grails.plugin.springsecurity.filterChain.chainMap配置

Answer 2

发现了问题！

这些密码：

    def adminUser = new User(username: "adminuser",
            password: "1234", enabled: true);
    adminUser.save(flush:true)

    def userUser = new User(username: "useruser",
            password: "1234", enabled: true);
    userUser.save(flush:true)

Spring安全服务不会输入密码，因此登录时不正确：

这是添加用户的正确方法：

    def adminUser = new User(username: "adminuser",
            password: springSecurityService.encodePassword("1234"), enabled: true);
    adminUser.save(flush:true)

    def userUser = new User(username: "useruser",
            password: springSecurityService.encodePassword("1234"), enabled: true);
    userUser.save(flush:true)

谢谢大家的帮助！