I have a Spring Security OAuth client that authenticates against a custom Auth0 provider. To obtain the UserAuthorizationUri I need to make a POST request to a REST endpoint that is a wrapper on top of Auth0, so I extended OAuth2ClientContextFilter and used a custom redirect strategy. The application now redirects to the auth provider, but after login, obtaining the access token fails with a CSRF error:
```
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/login' matched by universal pattern '/**'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@58543bda. A new one will be created.
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@af35197
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Request is to process authentication
2018-01-18 12:01:21.467 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was required but no state could be found
	at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:255) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
	at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:209) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
```
App config:

```yaml
security:
  oauth2:
    client:
      clientId: xxx
      clientSecret: xxxx
      userAuthorizationUri: https://x.amazonaws.com/v1/login
      accessTokenUri: https://x.amazonaws.com/v1/getToken
      tokenName: oauth_token
      authenticationScheme: query
      clientAuthenticationScheme: form
      additional-information:
        env: test
    resource:
      userInfoUri: https://x.amazonaws.com/v1/userInfo?env=test
```
Application.java:

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
// Spring Boot 1.5 package; on Boot 2.x it is org.springframework.boot.web.servlet.support.SpringBootServletInitializer
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
@EnableOAuth2Sso
public class NauthtestApplication extends SpringBootServletInitializer {

    // Replaces the auto-configured OAuth2ClientContextFilter with the custom subclass below
    @Bean
    public NAuth2ClientContextFilter oauth2ClientContextFilter() {
        NAuth2ClientContextFilter filter = new NAuth2ClientContextFilter();
        return filter;
    }

    public static void main(String[] args) {
        SpringApplication.run(NauthtestApplication.class, args);
    }
}
```
Custom filter:

```java
public class NAuth2ClientContextFilter extends OAuth2ClientContextFilter implements Filter, InitializingBean {
    // class body not shown in the question
}
```
Custom redirect strategy:

```java
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.client.RestTemplate;

public class NAuthRedirectStrategy implements RedirectStrategy {
    private String clientId = "xxx";

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
        System.out.println("Reached the custom redirect strategy");
        // 'url' is the authorization URL that OAuth2ClientContextFilter built from
        // userAuthorizationUri plus client_id, redirect_uri, response_type and state
        NAuthLoginRequest loginRequest = new NAuthLoginRequest();
        loginRequest.setClientId(clientId);
        loginRequest.setEnv("test");
        loginRequest.setClaims(Arrays.asList("user", "groups"));
        loginRequest.setCallbackUrl("http://localhost:8080/login");

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        RestTemplate restTemplate = new RestTemplate();
        ObjectMapper mapper = new ObjectMapper();
        HttpEntity<String> loginRestRequest = new HttpEntity<String>(mapper.writeValueAsString(loginRequest), headers);
        // POST the login request to the wrapper; the body it returns is a quoted string holding the real authorization URL
        ResponseEntity<String> loginResponse = restTemplate.exchange(url, HttpMethod.POST, loginRestRequest, String.class);
        System.out.println("Login Response redirect url is " + loginResponse.getBody());
        // Strip the surrounding quotes and send the browser to the URL the wrapper returned
        String redirectUrl = loginResponse.getBody().substring(1, loginResponse.getBody().length() - 1);
        response.sendRedirect(redirectUrl);
    }
}
```
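The check that fails in the stack trace looks up the state Spring preserved in the session-scoped OAuth2ClientContext by the `state` value that comes back on the callback, so if the wrapper hop substitutes its own state (or the session is lost in between) nothing is found. As an added example, not code from the question, here is a variant of the redirect strategy that carries Spring's `state` through to the wrapper and fails closed if the returned URL does not carry the same value back; it assumes the wrapper's request object has a hypothetical `setState` field that the wrapper echoes into the authorization URL it returns.

```java
import java.io.IOException;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

// Added example (not the question's code): keeps the OAuth2 'state' that Spring generated
// intact across the wrapper hop. NAuthLoginRequest.setState(...) is assumed (hypothetical).
public class StatePreservingRedirectStrategy implements RedirectStrategy {
    private final RestTemplate restTemplate = new RestTemplate();
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
        // 'url' is the authorization URL OAuth2ClientContextFilter built. Its 'state' parameter is the key
        // under which Spring stored the preserved state; the callback must return exactly this value or
        // AuthorizationCodeAccessTokenProvider reports "Possible CSRF detected".
        String expectedState = UriComponentsBuilder.fromUriString(url).build().getQueryParams().getFirst("state");
        if (expectedState == null) {
            throw new IllegalStateException("authorization URL carries no state parameter");
        }
        NAuthLoginRequest loginRequest = new NAuthLoginRequest();
        loginRequest.setClientId("xxx");
        loginRequest.setEnv("test");
        loginRequest.setCallbackUrl("http://localhost:8080/login");
        loginRequest.setState(expectedState); // hypothetical field: ask the wrapper to echo Spring's state

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        String body = restTemplate.postForObject(url, new HttpEntity<>(mapper.writeValueAsString(loginRequest), headers), String.class);
        // The wrapper answers with a JSON string literal; let Jackson unquote it instead of substring()
        String redirectUrl = mapper.readValue(body, String.class);

        // Fail closed: a redirect carrying a state Spring never stored cannot succeed and only hides the real fault
        String returnedState = UriComponentsBuilder.fromUriString(redirectUrl).build().getQueryParams().getFirst("state");
        if (!Objects.equals(expectedState, returnedState)) {
            response.sendError(HttpServletResponse.SC_BAD_GATEWAY, "wrapper replaced the OAuth2 state parameter");
            return;
        }
        response.sendRedirect(redirectUrl);
    }
}
```

If the wrapper cannot echo the state, the alternative is to let it generate none and append Spring's `state` to the returned URL yourself before redirecting, so the callback still matches what the OAuth2ClientContext holds.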