我正在使用 Spring Security OAuth 2.0 密码流（password grant），通过 `oauth/token` 端点获取 bearer 令牌。对服务器的后续请求会通过 Set-Cookie 返回一个 JSESSIONID。当 UI 回传这个 JSESSIONID 时，服务器返回的是匿名用户，而不是已登录的用户。
由于某种原因，JSESSIONID 与 auth 令牌没有关联起来。JSESSIONID 与 auth 令牌的关联在 Spring Boot 1.5 和 OAuth 2.0.0.RELEASE 下可以正常工作，但升级到 Spring Boot 2.0.8 和 oauth2 2.3.4.RELEASE 之后就失效了。
REQUEST1
http://localhost:9090/oauth/token
{
"access_token": "a06f4924-0bf0-4726-8932-eeb0afb3758f",
"token_type": "bearer",
"expires_in": 43199,
"scope": "read write"
}
REQUEST 2
http://localhost:9090/signin/check
HEADERS
authorization Bearer a06f4924-0bf0-4726-8932-eeb0afb3758f
RESPONSE
HEADERS
Set-Cookie →JSESSIONID=42477E242D38FA91A6DA61F92DCF4234; Path=/artulous-dev-v2; HttpOnly
BODY
{
"id": 37,
"firstName": null,
"lastName": null,
"email": null,
"displayName": "demo User",
"userPic": "img/user.jpg",
"userThumb": null,
"sessionId": null,
"orgId": 28,
"orgDisplayName": "INTERNET",
"roles": [
{
"name": "ROLE_USER",
"id": 2
}
],
"activities": [
"ROLE_USER",
"ROLE_USER",
"upload_images"
],
"signedIn": true,
"admin": false
}
REQUEST 3
http://localhost:9090/artulous-dev-v2/signin/check
Sends the JSESSIONID cookie but not the auth token.
BODY
{
"id": null,
"firstName": null,
"lastName": null,
"email": null,
"displayName": null,
"userPic": null,
"userThumb": null,
"sessionId": "42477E242D38FA91A6DA61F92DCF4234",
"orgId": null,
"orgDisplayName": null,
"roles": [],
"activities": [],
"signedIn": false,
"admin": false
}
Actual result: anonymous user. Expected result: the signed-in user.
依赖项
Spring boot version 2.0.8.RELEASE
compile ("org.springframework.boot:spring-boot-starter-log4j2")
compile("org.springframework.boot:spring-boot-starter-data-jpa")
compile("org.springframework.boot:spring-boot-starter-data-rest")
compile("org.springframework.security.oauth:spring-security-oauth2:2.3.4.RELEASE")
AuthorizationServerConfig.java
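@Configuration
@EnableAuthorizationServer
@Order(Ordered.LOWEST_PRECEDENCE - 100)
public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    /** Validates resource-owner credentials for the "password" grant. */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** User store; combined with the in-memory client registry in {@link #configure(ClientDetailsServiceConfigurer)}. */
    @Autowired
    UserDetailsService userDetailsService;

    /** Encoder applied to every client secret before it is stored. */
    @Autowired
    PasswordEncoder passwordEncoder;

    private ClientAndUserDetailsService combinedService_;

    /**
     * Attaches the authentication manager to the token endpoint so the password grant can
     * authenticate the user named in the request.
     *
     * @param endpoints endpoint configurer supplied by Spring Security OAuth
     * @throws Exception propagated from the configurer contract
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    /**
     * Registers the two OAuth clients in memory and exposes them, together with the user store,
     * as a single {@code ClientAndUserDetailsService}.
     *
     * <p>Both secrets now go through {@code passwordEncoder}. In the original code only the
     * "mobile" secret was encoded; "mobileReaderSecret" was stored as plain text, which a
     * non-noop encoder (the Spring Security 5 default on Spring Boot 2) will never match, so the
     * "mobileReader" client could not authenticate.
     *
     * <p>The secret literals stay in source here; they belong in externalised configuration
     * (this project already injects properties with {@code @Value}).
     *
     * @param clients registry consulted when a client authenticates at the token endpoint
     * @throws Exception propagated from the configurer contract
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Encode with the same encoder the client-authentication path compares against.
        String mobileSecret = passwordEncoder.encode("mobilesecret");
        String mobileReaderSecret = passwordEncoder.encode("mobileReaderSecret");

        ClientDetailsService csvc = new InMemoryClientDetailsServiceBuilder()
                .withClient("mobile")
                .secret(mobileSecret)
                .authorizedGrantTypes("password")
                .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                .scopes("read", "write")
                // .resourceIds(RESOURCE_ID)
                .and()
                .withClient("mobileReader")
                .secret(mobileReaderSecret)
                .authorizedGrantTypes("password")
                .authorities("ROLE_CLIENT")
                .scopes("read")
                // .resourceIds(RESOURCE_ID)
                .accessTokenValiditySeconds(3600)
                .and()
                .build();

        combinedService_ = new ClientAndUserDetailsService(csvc, userDetailsService);
        clients.withClientDetails(combinedService_);
    }
}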
ResourceServerConfig.java
@Configuration
@EnableResourceServer
public class ResourceSecurityConfigurer extends
ResourceServerConfigurerAdapter {
@Autowired
SignOutHandler signOutHandler;
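/**
 * Resource-server settings for the bearer-token filter.
 *
 * <p>{@code stateless(false)} keeps an authentication that was loaded from the HTTP session when a
 * request carries a JSESSIONID but no bearer token. With the default ({@code stateless = true})
 * the OAuth2 authentication filter clears the security context on token-less requests, which is
 * what turns REQUEST 3 above into an anonymous user even though the session exists.
 *
 * <p>Once a session cookie alone authenticates on this resource server, CSRF protection matters
 * again for state-changing endpoints; the {@code HttpSecurity} configuration in this class
 * currently disables it.
 *
 * @param resources resource-server configurer supplied by Spring Security OAuth
 * @throws Exception propagated from the configurer contract
 */
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    // resources.resourceId(AuthorizationServerConfigurer.RESOURCE_ID);
    resources.stateless(false);
}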
@Value("${spring.application.name}")
private String appName;
/**
 * HTTP security for the resource server: CSRF off, sessions created on demand with session-ID
 * rotation on login, an explicit allow-list of public paths followed by a deny-all catch-all,
 * anonymous access, logout at {@code /signout}, remember-me, and the Spring Social configurer.
 *
 * <p>Because {@code /signin/**} is {@code permitAll}, {@code /signin/check} never rejects a
 * request; an unauthenticated caller simply receives the anonymous body (the
 * {@code "signedIn": false} response seen above), so that endpoint reports the security
 * context rather than enforcing it.
 *
 * @param http the HttpSecurity builder for the resource-server filter chain
 * @throws Exception propagated from the configurer contract
 */
@Override
public void configure(HttpSecurity http) throws Exception {
// CSRF is disabled for the whole chain. That is tolerable for pure bearer-token clients, but once
// a JSESSIONID alone authenticates a browser request, state-changing endpoints on this chain have
// no CSRF defence — re-enable it, or scope cookie-authenticated access narrowly, before relying on
// session authentication.
http.csrf().disable();
http
// session management
// IF_REQUIRED: a session (and the Set-Cookie JSESSIONID seen in REQUEST 2) is created only when
// something needs it; changeSessionId() rotates the ID on authentication (session-fixation defence).
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionFixation().changeSessionId();
// Allow-list of public paths. Rules are evaluated in order, so everything listed here is open to
// anonymous callers and the final "/**" denyAll rejects anything not listed — including
// authenticated users; an authenticated-only path would need an .authenticated() rule placed
// before the catch-all.
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/api-docs/**").permitAll()
.antMatchers("/v2/api-docs/**").permitAll()
.antMatchers("/swagger/**").permitAll()
.antMatchers("/springfox/**").permitAll()
.antMatchers("/swagger-ui.html").permitAll()
.antMatchers("/api/**").permitAll()
.antMatchers("/api-repo/**").permitAll()
.antMatchers("/service/**").permitAll()
.antMatchers("/bower_components/**").permitAll()
.antMatchers("/stylesheets/**").permitAll()
.antMatchers("/album/**").permitAll()
.antMatchers("/appbase/**").permitAll()
.antMatchers("/studio/**").permitAll()
// appName is injected from spring.application.name; this opens the whole context-path prefix.
.antMatchers("/" + appName + "/**").permitAll()
.antMatchers("/playground/**").permitAll()
.antMatchers("/partials/**").permitAll()
// .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
// .antMatchers(HttpMethod.POST, "/oauth/token").permitAll()
.antMatchers("/3pl/**").permitAll()
.antMatchers("/robots.txt").permitAll()
.antMatchers("/sitemap.xml").permitAll()
.antMatchers("/index.html").permitAll()
.antMatchers("/signup/**").permitAll()
.antMatchers("/signup.html").permitAll()
.antMatchers("/register.html").permitAll()
// Covers /signin/check: the endpoint is reachable without any credential.
.antMatchers("/signin/**").permitAll()
.antMatchers("/login/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/disconnect/facebook").permitAll()
.antMatchers("/login/facebook").permitAll()
.antMatchers("/connect/facebook").permitAll()
// Catch-all: deny every path not matched above.
.antMatchers("/**").denyAll()
.and()
// Unauthenticated requests get an anonymous Authentication rather than null in the context.
.anonymous()
.and()
// Logout is open, runs signOutHandler, and clears the remember-me cookie set by rememberMe() below.
.logout().permitAll()
.logoutUrl("/signout")
.addLogoutHandler(signOutHandler)
.deleteCookies("remember-me")
.and()
// Re-enters the same authorizeRequests registry without adding rules; has no effect on its own.
.authorizeRequests()
.and()
.rememberMe()
.and().apply(new SpringSocialConfigurer());
}