我正在实施某种SSO系统。我在我的应用程序中使用Spring security oauth 2。我有一个客户端应用程序(localhost:8081)和一个服务器应用程序(localhost:8080)。
用户尝试从客户端应用进行登录。客户端应用程序依次启动身份验证流程。它会发送到服务器应用程序身份验证请求http://localhost:8080/authorize?response_type=code&client_id=client&scope=openid+email+address+profile+phone&redirect_uri=localhost:8081/login&nonce=3fc29332c5377&state=18960fbd838be
登录页面有重定向,输入凭据并在服务器上提交表单身份验证成功。
之后,我期待流程继续授权并转到org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint中的oauth / authorize终点。 在irder中生成授权代码并将其发送回客户端应用程序。 但它并没有。
请帮我澄清原因?为什么在成功验证后,流程不会进入oauth /授权终点。
这是我登录和点的配置:
<security:http pattern="/mylogin"
create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint">
<security:intercept-url pattern="/mylogin" access="permitAll"/>
<security:csrf disabled="true"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="customAuthenticationFilter"/>
<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
<security:logout logout-url="/logout" />
<security:anonymous />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:headers>
<security:frame-options policy="DENY" />
</security:headers>
</security:http>
这是我的自定义身份验证过滤器:
public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private static Logger logger = LoggerFactory.getLogger(CustomAuthenticationFilter.class);
public CustomAuthenticationFilter() {
super("/mylogin");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (!HttpMethod.POST.name().equals(request.getMethod())) {
if(logger.isDebugEnabled()) {
logger.debug("Authentication method not supported. Request method: " + request.getMethod());
}
throw new AuthenticationServiceException("Authentication method not supported");
}
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
if (StringUtils.isBlank(username) || StringUtils.isBlank(password)) {
throw new AuthenticationServiceException("Username or Password not provided");
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
setDetails(request, authRequest);
Authentication auth = this.getAuthenticationManager().authenticate(authRequest);
return auth;
}
protected void setDetails(HttpServletRequest request,
UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
}
我的授权服务器配置:
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit />
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:password/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
答案 0 :(得分:0)
我找到了原因。
create-session =&#34;无状态&#34; 是未在安全上下文中保存身份验证的原因。
这就是为什么在处理授权请求阶段(成功验证后)FilterSecurityInterceptor中存在访问被拒绝的异常。