I am building an OAuth server with Spring, following this tutorial.
While implementing the resource server, I noticed that the token key endpoint (/oauth/token_key) is not exposed.
Based on this doc, I tried adding the following to the AuthorizationServerConfigurerAdapter:
security.tokenKeyAccess("permitAll()")
.checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
And also:
security.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
.checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
Neither configuration works. I also tried adding a rule on the WebSecurityAdapter:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/oauth/token_key").permitAll();
}
Now I get a dialog asking for a login name and password, and when I click "Cancel" I receive the following message:
There was an unexpected error (type=Unauthorized, status=401).
Unauthorized
org.springframework.security.access.AccessDeniedException: You need to authenticate to see a shared key
at org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(TokenKeyEndpoint.java:58)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
(...)
Am I missing something?
Answer 0 (score: 0)
After some investigation I found the problem: I forgot to inject the keyPair into the tokenConverter that converts to JWT and adds some extra user information:
// Inside AuthorizationServerConfigurerAdapter
@Autowired
private MyJwtTokenEnhancer jwtTokenEnhancer;

@Autowired
private KeystoreService keystoreService;

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
    // this line solved the issue
    jwtTokenEnhancer.setKeyPair(keystoreService.getKeyPair());
    endpoints.authenticationManager(manager)
             .accessTokenConverter(jwtTokenEnhancer)
             .tokenStore(tokenStore())
             .addInterceptor(new AuditInterceptor());
}
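Why the key pair matters, as an added example that is not the asker's or answerer's code: the stack trace above comes from TokenKeyEndpoint itself, not from the HttpSecurity rules, because that endpoint only serves /oauth/token_key to anonymous callers when the converter holds a public (RSA) key; with no key pair the converter falls back to an HMAC shared secret, which the endpoint refuses to disclose without authentication. The keystore file `jwt.jks`, alias `jwt` and the `JWT_KEYSTORE_PASSWORD` environment variable are assumed names.

```java
import java.security.KeyPair;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

@Configuration
@EnableAuthorizationServer
public class JwtAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Assumed keystore on the classpath (jwt.jks, alias "jwt"); the password is
        // read from the environment so it never sits in source control.
        KeyStoreKeyFactory keyFactory = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), System.getenv("JWT_KEYSTORE_PASSWORD").toCharArray());
        KeyPair keyPair = keyFactory.getKeyPair("jwt");
        // With an RSA key pair converter.isPublic() is true: /oauth/token_key returns only the
        // public key, so opening it to anonymous callers is safe. Without this call the converter
        // signs with an HMAC secret and TokenKeyEndpoint rejects unauthenticated requests (the 401 above).
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("permitAll()")          // public key only: safe to publish
                .checkTokenAccess("isAuthenticated()"); // /oauth/check_token still needs a client
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter());
    }
}
```

Resource servers can then fetch the verification key from /oauth/token_key without credentials, while a symmetric-key setup should keep the endpoint restricted as the original tutorial's hasAuthority rule does.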