Spring w/ @EnableOAuth2Sso client tries to access /oauth/token via GET instead of POST

Time: 2018-02-26 12:54:23

Tags: java spring spring-boot oauth-2.0

I have a Spring Boot OAuth2 client & a Spring Boot OAuth2 resource server that is also an authorization server. I know what the problem is: OAuth2 tokens are not allowed via GET, only POST. However, I am at a loss as to how to fix it. This seems to be built in automatically w/ @EnableOAuth2Sso. In the code below you can see that the class is bare bones. I have not seen any way in WebSecurityConfigurerAdapter that addresses this.

I am not going to include the whole POM, but I am using Spring Boot 1.5.10.RELEASE, which includes spring-security-oauth2-2.0.14.RELEASE.

I have included my classes and properties files w/ client-id & client secret XXX'd out, client classes & props first:

Client application.properties:

server.port=7293
server.context-path=/ui
server.session.cookie.name=UISESSION

security.basic.enabled=false

security.oauth2.client.client-id=XXXXX
security.oauth2.client.client-secret=XXXXX
security.oauth2.client.access-token-uri=http://localhost:7291/auth/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:7291/auth/oauth/token
security.oauth2.resource.user-info-uri=http://localhost:7291/auth/user/me

spring.thymeleaf.cache=false

Client security config:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class UISecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Only "/" and the login entry point are public; everything else requires the SSO login
        http.antMatcher("/**")
          .authorizeRequests()
          .antMatchers("/", "/login**")
          .permitAll()
          .anyRequest()
          .authenticated();
    }
}

Client Spring Boot application class:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.web.context.request.RequestContextListener;

@SpringBootApplication
public class OAuth2ClientApplication {

    public static void main(String[] args) {
        SpringApplication.run(OAuth2ClientApplication.class, args);
    }

    // Exposes the current request to request-scoped beans such as the OAuth2 client context
    @Bean
    public RequestContextListener requestContextListener() {
        return new RequestContextListener();
    }
}

Resource/auth server application classes:

application.properties:

server.port=7291
server.context-path=/auth

security.oauth2.client.client-id=XXXXX
security.oauth2.client.client-secret=XXXXX

security.oauth2.authorization.checkTokenAccess=isAuthenticated()
security.oauth2.authorization.token-key-access=permitAll()

security.basic.enabled=false

Auth server config class:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(AuthServerConfig.class);

    @Value("${security.oauth2.client.client-id}")
    private String clientId;

    @Value("${security.oauth2.client.client-secret}")
    private String clientSecret;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client, restricted to the authorization_code grant
        clients.inMemory()
          .withClient(clientId)
          .secret(clientSecret)
          .authorizedGrantTypes("authorization_code")
          .scopes("user_info")
          .autoApprove(true);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }
}

Here is my authorization server web security config class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the login page and the two OAuth2 endpoints are handled by this filter chain
        // @formatter:off
        http.requestMatchers()
          .antMatchers("/login", "/oauth/authorize", "/oauth/token")
          .and()
          .authorizeRequests()
          .anyRequest().authenticated()
          .and()
          .formLogin().permitAll();
        // @formatter:on
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager)
            .inMemoryAuthentication()
            .withUser("XXXXX").password("XXXXX").roles("USER", "ADMIN");
    }
}

And the combined authorization/resource server Spring Boot Application class:

import javax.annotation.PostConstruct;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.context.request.RequestContextListener;

// FilterMatchRepository and MatchInitializer are the project's own classes (same package assumed)
@SpringBootApplication
@EnableResourceServer
public class FilteringServiceApp extends SpringBootServletInitializer {

    private static Logger logger = LoggerFactory.getLogger(FilteringServiceApp.class);

    @Value("${matches.file.name}")
    private String fileName;

    @Autowired
    private FilterMatchRepository matchRepo;

    @PostConstruct
    private void init() {
        new MatchInitializer(matchRepo, fileName).init();
    }

    /**
     * Start up the Filter Matching Application
     *
     * @param args
     */
    public static void main(String[] args) {
        SpringApplication.run(FilteringServiceApp.class, args);
    }

    @Bean
    public RequestContextListener requestContextListener() {
        return new RequestContextListener();
    }
}

The error I get when accessing the URL this way (after authenticating via client_id & secret_id):

{
    "error": "method_not_allowed",
    "error_description": "Request method 'GET' not supported"
}

I used NGrok to see what was going on since I was getting this error message, & you can see it is clearly hitting /oauth/token via a GET request, which violates the spec. Here is the output:

HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:7291/auth/oauth/token?client_id=XXXXX&redirect_uri=http://57bfa798.ngrok.io/ui/login&response_type=code&state=BgLGhq
Content-Length: 0
Date: Mon, 26 Feb 2018 09:42:30 GMT
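The Location header above sends the browser, with response_type=code, to the URL the client has configured as user-authorization-uri, which in the properties shown is the same URL as access-token-uri. As an added example that is not part of the original question or answer, the following Python check parses such a properties file and such a 302 Location header and flags that combination; the property names and the default /oauth/authorize path are those of Spring Security OAuth2, and the embedded properties text is a constructed copy of the question's.

```python
# Check Spring Security OAuth2 client properties for the authorization-code
# endpoint mix-up discussed above (added example, not from the original post).
from urllib.parse import parse_qs, urlparse

AUTHZ_KEY = "security.oauth2.client.user-authorization-uri"
TOKEN_KEY = "security.oauth2.client.access-token-uri"

# Constructed copy of the client application.properties shown in the question.
CLIENT_PROPERTIES = """\
security.oauth2.client.client-id=XXXXX
security.oauth2.client.client-secret=XXXXX
security.oauth2.client.access-token-uri=http://localhost:7291/auth/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:7291/auth/oauth/token
security.oauth2.resource.user-info-uri=http://localhost:7291/auth/user/me
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_client_endpoints(props):
    """Findings about where the client sends the browser vs. the token request."""
    findings = []
    authz, token = props.get(AUTHZ_KEY), props.get(TOKEN_KEY)
    if not authz or not token:
        return [AUTHZ_KEY + " and " + TOKEN_KEY + " must both be set"]
    authz_path, token_path = urlparse(authz).path, urlparse(token).path
    if authz_path == token_path:
        findings.append("user-authorization-uri equals access-token-uri: the browser "
                        "is redirected (a GET) to the token endpoint")
    if authz_path.endswith("/oauth/token"):
        findings.append("user-authorization-uri ends in /oauth/token; Spring's "
                        "authorization endpoint is /oauth/authorize by default")
    return findings

def redirect_targets_token_endpoint(location):
    """True when a 302 Location carries an authorization request (response_type=code)
    but points at the token endpoint path, as in the captured NGrok output."""
    url = urlparse(location)
    return (parse_qs(url.query).get("response_type") == ["code"]
            and url.path.endswith("/oauth/token"))
```

Running check_client_endpoints over the question's properties returns two findings; with user-authorization-uri pointing at /auth/oauth/authorize it returns none.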

1 answer:

Answer 0: (score: 0)

I changed my AuthServerConfig class:

import org.springframework.http.HttpMethod;

public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    //... other methods still the same. below fixed the error
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
                 .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }
}