Grails 3应用程序中使用Spring Security Rest对“ refresh_token”请求进行403响应

时间:2018-12-09 18:16:10

标签: rest grails spring-security oauth

在Grails 3应用程序中使用Spring Security Rest发出“ refresh_token”请求时遇到了一些麻烦。我有一个同时具有Web前端和一些Rest终结点的应用程序,其他所有东西似乎都正常运行。该Web应用程序的行为符合预期,并且当我通过curl使用

发出登录请求时 
curl -i -X POST localhost:8080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"johndoe", "password":"johndoepassword"}'

我得到了预期的响应(我已将令牌截断了):

{
 "username":"johndoe",
 "roles":["ROLE_USER"],
 "token_type":"Bearer",
 "access_token":"eyJhbGciOiJIUzI1NiJ9.xxxxxx",
 "expires_in":3600,
 "refresh_token":"eyJhbGciOiJIUzI1NiJ9.xxxx"
}

在实际的应用程序中,我可以将access_token添加到标头中,并在会话持续时间内毫无问题地进行身份验证。但是,当我用

点击“刷新令牌”端点时,我得到了403 
curl -i -X POST localhost:8080/oauth/access_token \
-H "Content-Type: application/x-www-form-urlencoded"  \
-d "grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.xxxx"

这一切在文档中似乎都非常简单,但是我显然做错了。我认为这是我的配置文件的相关部分:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/login',          access: ['permitAll']],
    [pattern: '/login/**',          access: ['permitAll']],
    [pattern: '/oauth/**',          access: ['permitAll']],
    [pattern: '/user/register',          access: ['permitAll']],
    [pattern: '/user/register/**',          access: ['permitAll']],
    [pattern: '/user/submitRegistration',          access: ['permitAll']],
    [pattern: '/logoff',          access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']],
    [pattern: '/surveyAdmin/**',  access: ['ROLE_ADMIN']] ,
    [pattern: '/**',               access: ['ROLE_USER']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],

    [
            pattern: '/api/**',
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ],

    [
            pattern: '/rest/**',
            filters: 'restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
    ],
    [pattern: '/**',             filters: 'JOINED_FILTERS']
]

有人可以建议通过这里的方法吗?

谢谢, 亚历克斯

1 个答案:

答案 0 :(得分:1)

由于经常发生,我在发布问题后不久就找到了答案。我正在使用实现org.springframework.security.core.userdetails.UserDetails的自定义用户类,但不扩展org.springframework.security.core.userdetails.User。该插件假定可以将主体转换为“ User”对象,从而导致用户查找/令牌生成失败。更改我的自定义类以扩展User或重写插件中的refreshToken方法以接受我的自定义用户类都可以使工作正常。

相关问题
最新问题