Here is the problem
After implementing the authorization code flow, everything works fine. The user logs in and the /userinfo endpoint is called. But afterwards Spring sets up a session and trusts that session forever, until the user clicks logout. In fact there is an access_token expiry date and there is also a refresh token, but Spring never uses/checks them; it only looks at the session validity, which is always valid:
Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT:
I would like to understand whether I am missing some configuration that Spring supports, e.g. a filter that is not configured. Otherwise I will look for a workaround, such as reducing the Spring session to a minimum/removing it, or implementing my own filter. Here is a sample log:
2019-11-03 10:23:00.573 DEBUG 25212 --- [o-auto-1-exec-7] o.a.tomcat.util.net.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@603a0c96:org.apache.tomcat.util.net.NioChannel@44d9c1f:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:63492 remote=/0:0:0:0:0:0:0:1:63936]], Read from buffer: [0]
2019-11-03 10:23:00.574 DEBUG 25212 --- [o-auto-1-exec-7] org.apache.tomcat.util.net.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@603a0c96:org.apache.tomcat.util.net.NioChannel@44d9c1f:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:63492 remote=/0:0:0:0:0:0:0:1:63936]], Read direct from socket: [747]
2019-11-03 10:23:00.574 DEBUG 25212 --- [o-auto-1-exec-7] o.a.coyote.http11.Http11InputBuffer : Received [GET /oidc-code/secured HTTP/1.1
Host: localhost:63492
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8095/authServer/login?service=http%3A%2F%2Flocalhost%3A8095%2FauthServer%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Ddemo-webapp-oidc-code%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A63492%252Foidc-code%252Flogin%252Foauth2%252Fcode%252FauthServer%26response_type%3Dcode%26client_name%3DCasOAuthClient
Connection: keep-alive
Cookie: UISESSION=33D5F75F4DE3CB66CCC031640984F559
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
]
2019-11-03 10:23:00.575 DEBUG 25212 --- [o-auto-1-exec-7] o.a.t.util.http.Rfc6265CookieProcessor : Cookies: Parsing b[]: UISESSION=33D5F75F4DE3CB66CCC031640984F559
2019-11-03 10:23:00.576 DEBUG 25212 --- [o-auto-1-exec-7] o.a.catalina.connector.CoyoteAdapter : Requested cookie session id is 33D5F75F4DE3CB66CCC031640984F559
2019-11-03 10:23:00.577 DEBUG 25212 --- [o-auto-1-exec-7] o.a.c.authenticator.AuthenticatorBase : Security checking request GET /oidc-code/secured
2019-11-03 10:23:00.578 DEBUG 25212 --- [o-auto-1-exec-7] org.apache.catalina.realm.RealmBase : No applicable constraints defined
2019-11-03 10:23:00.578 DEBUG 25212 --- [o-auto-1-exec-7] o.a.c.authenticator.AuthenticatorBase : Not subject to any constraint
2019-11-03 10:23:00.578 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/'
2019-11-03 10:23:00.579 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/swagger-ui.html'
2019-11-03 10:23:00.579 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/swagger-resources/**'
2019-11-03 10:23:00.579 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/v2/api-docs'
2019-11-03 10:23:00.580 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/webjars/**'
2019-11-03 10:23:00.580 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /secured' doesn't match 'OPTIONS '
2019-11-03 10:23:00.580 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-11-03 10:23:00.581 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-11-03 10:23:00.581 DEBUG 25212 --- [o-auto-1-exec-7] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1ab821a: Authentication: org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@1ab821a: Principal: Name: [director], Granted Authorities: [ROLE_USER], User Attributes: [at_hash=2qh1wR2fmrSDko6ueoH5Ww, sub=director, iss=http://localhost:8080/cas/oidc, preferred_username=director, nonce=, client_id=demo-webapp-oidc-code, aud=[demo-webapp-oidc-code], nbf=2019-11-03T07:08:13Z, service=http://localhost:63492/oidc-code/login/oauth2/code/authServer, auth_time=1572765192, attributes={}, id=director, state=Vqqe5l-ZDmoPUHxrsRfuLi47yRA-tXXA07yHg_sQcGg=, exp=2019-11-03T07:13:43Z, iat=2019-11-03T07:13:13Z, jti=TGT-33-tuBMOmHNwkH2vtxvThGADcBgFLLUneGqYr87ku2GlVIflVLBug--XrOGJrUu-3KC-9A-982dfeee30a0]; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER'
2019-11-03 10:23:00.582 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-11-03 10:23:00.582 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2019-11-03 10:23:00.583 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2019-11-03 10:23:00.583 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /secured' doesn't match 'POST /logout'
2019-11-03 10:23:00.583 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-11-03 10:23:00.584 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/oauth2/authorization/{registrationId}'
2019-11-03 10:23:00.584 DEBUG 25212 --- [o-auto-1-exec-7] org.apache.tomcat.util.http.Parameters : Set encoding to UTF-8
2019-11-03 10:23:00.585 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-11-03 10:23:00.586 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-11-03 10:23:00.588 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/login/oauth2/code/*'
2019-11-03 10:23:00.589 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2019-11-03 10:23:00.589 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2019-11-03 10:23:00.590 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 9 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
2019-11-03 10:23:00.590 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/secured'; against '/logout'
2019-11-03 10:23:00.591 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-11-03 10:23:00.591 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2019-11-03 10:23:00.591 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-11-03 10:23:00.592 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-11-03 10:23:00.592 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@1ab821a: Principal: Name: [director], Granted Authorities: [ROLE_USER], User Attributes: [at_hash=2qh1wR2fmrSDko6ueoH5Ww, sub=director, iss=http://localhost:8080/cas/oidc, preferred_username=director, nonce=, client_id=demo-webapp-oidc-code, aud=[demo-webapp-oidc-code], nbf=2019-11-03T07:08:13Z, service=http://localhost:63492/oidc-code/login/oauth2/code/authServer, auth_time=1572765192, attributes={}, id=director, state=Vqqe5l-ZDmoPUHxrsRfuLi47yRA-tXXA07yHg_sQcGg=, exp=2019-11-03T07:13:43Z, iat=2019-11-03T07:13:13Z, jti=TGT-33-tuBMOmHNwkH2vtxvThGADcBgFLLUneGqYr87ku2GlVIflVLBug--XrOGJrUu-3KC-9A-982dfeee30a0]; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER'
2019-11-03 10:23:00.592 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-11-03 10:23:00.593 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-11-03 10:23:00.593 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-11-03 10:23:00.593 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /secured; Attributes: [authenticated]
2019-11-03 10:23:00.594 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@1ab821a: Principal: Name: [director], Granted Authorities: [ROLE_USER], User Attributes: [at_hash=2qh1wR2fmrSDko6ueoH5Ww, sub=director, iss=http://localhost:8080/cas/oidc, preferred_username=director, nonce=, client_id=demo-webapp-oidc-code, aud=[demo-webapp-oidc-code], nbf=2019-11-03T07:08:13Z, service=http://localhost:63492/oidc-code/login/oauth2/code/authServer, auth_time=1572765192, attributes={}, id=director, state=Vqqe5l-ZDmoPUHxrsRfuLi47yRA-tXXA07yHg_sQcGg=, exp=2019-11-03T07:13:43Z, iat=2019-11-03T07:13:13Z, jti=TGT-33-tuBMOmHNwkH2vtxvThGADcBgFLLUneGqYr87ku2GlVIflVLBug--XrOGJrUu-3KC-9A-982dfeee30a0]; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
2019-11-03 10:23:00.595 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@aed88b, returned: 1
2019-11-03 10:23:00.595 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2019-11-03 10:23:00.596 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2019-11-03 10:23:00.596 DEBUG 25212 --- [o-auto-1-exec-7] o.s.security.web.FilterChainProxy : /secured reached end of additional filter chain; proceeding with original chain
2019-11-03 10:23:00.597 DEBUG 25212 --- [o-auto-1-exec-7] o.s.web.servlet.DispatcherServlet : GET "/oidc-code/secured", parameters={}
2019-11-03 10:23:00.597 DEBUG 25212 --- [o-auto-1-exec-7] pertySourcedRequestMappingHandlerMapping : looking up handler for path: /secured
2019-11-03 10:23:00.598 DEBUG 25212 --- [o-auto-1-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to public java.lang.String com.apiomat.demowebapp.oidccode.controller.SecuredController.secured(org.springframework.ui.Model,org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken)
2019-11-03 10:23:00.599 DEBUG 25212 --- [o-auto-1-exec-7] c.a.d.o.controller.SecuredController : Your secret access_token: AT-51-Hg33bxhMLt4ibA7fZqlitZxv4AS8Vbcr
2019-11-03 10:23:00.599 DEBUG 25212 --- [o-auto-1-exec-7] c.a.d.o.controller.SecuredController : Your secret refresh_token: RT-51-sIJQ-1wqJfzBw68COnJ5venr5twLpzqe
2019-11-03 10:23:00.601 DEBUG 25212 --- [o-auto-1-exec-7] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, application/xhtml+xml, application/xml;q=0.9, *q=0.8]
2019-11-03 10:23:00.605 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4c3b1780
2019-11-03 10:23:00.607 DEBUG 25212 --- [o-auto-1-exec-7] o.s.web.servlet.DispatcherServlet : Completed 200 OK
2019-11-03 10:23:00.607 DEBUG 25212 --- [o-auto-1-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-11-03 10:23:00.608 DEBUG 25212 --- [o-auto-1-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-11-03 10:23:00.609 DEBUG 25212 --- [o-auto-1-exec-7] o.a.tomcat.util.net.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@603a0c96:org.apache.tomcat.util.net.NioChannel@44d9c1f:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:63492 remote=/0:0:0:0:0:0:0:1:63936]], Read from buffer: [0]
2019-11-03 10:23:00.610 DEBUG 25212 --- [o-auto-1-exec-7] org.apache.tomcat.util.net.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@603a0c96:org.apache.tomcat.util.net.NioChannel@44d9c1f:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:63492 remote=/0:0:0:0:0:0:0:1:63936]], Read direct from socket: [0]
2019-11-03 10:23:00.610 DEBUG 25212 --- [o-auto-1-exec-7] o.apache.coyote.http11.Http11Processor : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@603a0c96:org.apache.tomcat.util.net.NioChannel@44d9c1f:java.nio.channels.SocketChannel[connected local=/0:0:0:0:0:0:0:1:63492 remote=/0:0:0:0:0:0:0:1:63936]], Status in: [OPEN_READ], State out: [OPEN]
2019-11-03 10:23:00.924 DEBUG 25212 --- [alina-utility-1] org.apache.catalina.session.ManagerBase : Start expire sessions StandardManager at 1572765780924 sessioncount 1
2019-11-03 10:23:00.924 DEBUG 25212 --- [alina-utility-1] org.apache.catalina.session.ManagerBase : End expire sessions StandardManager processingTime 0 expired sessions: 0
And the configuration:
spring:
  thymeleaf:
    cache: false
  security:
    oauth2:
      client:
        registration:
          bouncer:
            id: demo-webapp-oidc-code
            client-id: demo-webapp-oidc-code
            client-secret: secret
            client-name: demo-webapp-oidc-code
            provider: authServer
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            client-authentication-method: post
            scope: openid, address
        provider:
          authServer:
            token-uri: http://localhost:8095/authServer/oidc/token
            authorization-uri: http://localhost:8095/authServer/oidc/authorize
            user-info-uri: http://localhost:8095/authServer/oidc/profile
            jwk-set-uri: http://localhost:8095/authServer/oidc/jwks
            user-name-attribute: id
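As an added example (not the asker's code and not a Spring-provided component): a `OncePerRequestFilter` that re-checks the access token stored for the logged-in `OAuth2AuthenticationToken` on every request and, once it is past `expiresAt`, invalidates the HTTP session and redirects to the `/oauth2/authorization/{registrationId}` endpoint that appears in the log, so the browser is sent back through the authorization code flow instead of being trusted on the session cookie alone. It assumes Spring Security 5.x on `javax.servlet`, an injected `OAuth2AuthorizedClientService` (Spring Boot auto-configures one), and a constructed 30-second expiry skew.

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not the asker's code: rejects a session whose OAuth2 access token has expired.
public class ExpiredAccessTokenFilter extends OncePerRequestFilter {
    private static final Duration SKEW = Duration.ofSeconds(30); // constructed value: near-expiry counts as expired
    private final OAuth2AuthorizedClientService clients;
    private final Clock clock;

    public ExpiredAccessTokenFilter(OAuth2AuthorizedClientService clients, Clock clock) {
        this.clients = clients;
        this.clock = clock;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2AuthenticationToken) {
            OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) auth;
            String registrationId = token.getAuthorizedClientRegistrationId();
            OAuth2AuthorizedClient client = clients.loadAuthorizedClient(registrationId, token.getName());
            // No stored client, or an expired access token: the session no longer proves anything,
            // so drop it and send the browser back through the authorization server.
            if (client == null || isExpired(client.getAccessToken())) {
                clients.removeAuthorizedClient(registrationId, token.getName());
                HttpSession session = req.getSession(false);
                if (session != null) session.invalidate();
                SecurityContextHolder.clearContext();
                res.sendRedirect(req.getContextPath() + "/oauth2/authorization/" + registrationId);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    boolean isExpired(OAuth2AccessToken accessToken) {
        Instant expiresAt = accessToken.getExpiresAt(); // null means the server gave no expiry
        return expiresAt != null && !Instant.now(clock).plus(SKEW).isBefore(expiresAt);
    }
}
```

Register it with `http.addFilterAfter(new ExpiredAccessTokenFilter(authorizedClientService, Clock.systemUTC()), SecurityContextPersistenceFilter.class)` so it runs right after the session-backed `SecurityContext` is restored and before `FilterSecurityInterceptor` authorizes the request. If you want the refresh token used instead of forcing a new login, Spring Security 5.2's `OAuth2AuthorizedClientManager` with a `refreshToken()` provider does that refresh for you, and this filter can call it before deciding to redirect.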