使用SpringSecurity的OAuth 2.0。成功获取令牌后无法访问

时间:2018-04-15 20:44:00

标签: spring-boot spring-security oauth-2.0

我通过标题向http://localhost:8090/oauth/token发送令牌发布请求: 基本Y2xpZW50OnF3ZXJ0eQ ==(用户名:客户端和密码:qwerty)和参数:用户名:用户 密码:123 grant_type:密码

{
    "access_token": "6595cfb6-e79c-4110-adc1-eb5e0926bd74",
    "token_type": "bearer",
    "refresh_token": "2036efc5-b1a9-4d50-9fc8-4c0746737732",
    "expires_in": 299,
    "scope": "read write trust"
}

并在下一步中尝试访问localhost:8090 / test / 0,但我得到:

{
    "timestamp": 1523824850474,
    "status": 401,
    "error": "Unauthorized",
    "message": "Full authentication is required to access this resource",
    "path": "/test/0"
}

我不明白我做错了什么 在我的AuthorizationServerConfig中:

@Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("client")
                .secret("qwerty")
                .authorizedGrantTypes("password", "refresh_token")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write", "trust")
                .accessTokenValiditySeconds(300)
                .refreshTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.realm("REALM");
    }

ResourceServer:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

And SecurityConfig:

@Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("123").roles("ADMIN").and()
                .withUser("user").password("123").roles("USER");
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .realmName("REALM");
    }


    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }

我不明白为什么这不起作用

1 个答案:

答案 0 :(得分:1)

根据您收到的错误,您似乎没有正确使用访问令牌发出请求。 添加Authorization标头和访问令牌,bearer perfix作为其值。

相关问题
最新问题