我从 http://spring-security-oauth.codehaus.org/tutorial.html 下载了示例项目,并尝试在自己的试验项目中实现它。
以下是我发送的xml
<!-- Maps the literal path /oauth/authorization to the bean named "oauthController".
     NOTE(review): a handler mapping is only consulted by a Spring DispatcherServlet;
     no servlet declaration is shown on this page, so confirm one is registered in web.xml. -->
<bean id="urlMapping"
      class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <prop key="/oauth/authorization">oauthController</prop>
    </props>
  </property>
  <!-- Look up handlers by the full request path rather than the path inside the servlet mapping. -->
  <property name="alwaysUseFullPath" value="true"/>
</bean>
<!-- Application-specific controller (mypackage.OauthController, source not shown on this page).
     It receives the client registry bean "clientDetails" through its clientDetailsService property. -->
<bean id="oauthController"
      class="mypackage.OauthController">
  <property name="clientDetailsService" ref="clientDetails"/>
</bean>
以下是应用程序上下文
<!-- Web security rules. intercept-url entries are checked in document order and the first
     match applies, so the narrower /oauth/** rule has to stay above the /** catch-all. -->
<security:http auto-config="true" access-denied-page="/index.jsp">
  <!-- Everything under /oauth/ requires a logged-in user holding ROLE_USER. -->
  <security:intercept-url pattern="/oauth/**" access="ROLE_USER"/>
  <!-- NOTE(review): every other URL is reachable without logging in; confirm that is intended. -->
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <!-- The login form, the post-login target and the login-failure target are all /index.jsp. -->
  <security:form-login login-page="/index.jsp"
                       default-target-url="/index.jsp"
                       authentication-failure-url="/index.jsp"/>
  <security:logout logout-success-url="/index.jsp"/>
</security:http>
<!-- Token services bean used by the OAuth provider.
     NOTE(review): going by the class name, tokens are held in process memory, so they would
     presumably not survive a restart or be shared between nodes; fine for a sample, confirm
     before using this outside one. -->
<bean id="tokenServices"
      class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
  <!-- Refresh-token support is switched on here, while the only client registered on this page
       lists just authorization_code as a grant type; confirm that combination is intended. -->
  <property name="supportRefreshToken" value="true"/>
</bean>
<!-- Declares the OAuth 2 provider and wires it to the "clientDetails" registry and the
     "tokenServices" bean. -->
<oauth:provider client-details-service-ref="clientDetails"
                token-services-ref="tokenServices">
  <!-- User approval happens at /oauth/authorization. That path falls under the /oauth/**
       intercept-url rule, so the user must already be logged in with ROLE_USER to reach it. -->
  <oauth:verification-code user-approval-page="/oauth/authorization"/>
</oauth:provider>
<!-- Registry of the OAuth clients that may use this provider. -->
<oauth:client-details-service id="clientDetails">
  <!-- client1 is limited to the authorization-code grant.
       NOTE(review): this entry declares neither a client secret nor a registered redirect URI.
       For the authorization-code grant, confirm how the client is authenticated at the token
       endpoint and how the redirect target is validated before the code is handed out. -->
  <oauth:client clientId="client1"
                authorizedGrantTypes="authorization_code"/>
</oauth:client-details-service>
从客户端发送请求后
我收到404错误(未找到资源),可能是什么问题?
答案 0 :(得分:0)
您必须在 web.xml 中配置 Spring 的 servlet 调度器(DispatcherServlet),因为端点(oauth/authorize 和 oauth/token)由 Spring servlet 处理;您还必须在 provider.xml 中添加它。
答案 1 :(得分:-1)
确保您具有以下配置:
<!-- Separate filter chain for the /oauth/users/... and /oauth/clients/... admin endpoints.
     Patterns are regular expressions (request-matcher="regex"), no HTTP session is created,
     and anonymous access is switched off. The beans referenced by name here
     (oauthAuthenticationEntryPoint, resourceServerFilter, oauthAccessDeniedHandler,
     oauthWebExpressionHandler) are not defined on this page and must exist in the context. -->
<http xmlns="http://www.springframework.org/schema/security"
      pattern="/oauth/(users|clients)/.*"
      request-matcher="regex"
      create-session="stateless"
      entry-point-ref="oauthAuthenticationEntryPoint"
      use-expressions="true">
  <anonymous enabled="false"/>

  <!-- Deleting a user's token: needs a ROLE_CLIENT client, either a ROLE_USER user or a
       client-only token, and the 'write' scope.
       NOTE(review): "[^/].*?" only forces the first character to be a non-slash; the rest can
       contain slashes. If a single path segment is meant, "[^/]+" would be stricter. -->
  <intercept-url method="DELETE"
                 pattern="/oauth/users/([^/].*?)/tokens/.*"
                 access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')"/>

  <!-- Reading user token data: same caller requirements, but the 'read' scope. -->
  <intercept-url method="GET"
                 pattern="/oauth/users/.*"
                 access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"/>

  <!-- Reading client token data: client-only tokens with ROLE_CLIENT and the 'read' scope. -->
  <intercept-url method="GET"
                 pattern="/oauth/clients/.*"
                 access="#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')"/>

  <!-- NOTE(review): only the method and path combinations above carry an access rule. A request
       on these paths with another method (or DELETE outside /tokens/) matches no intercept-url;
       confirm whether a final deny rule is wanted for everything else in this chain. -->

  <!-- Runs the OAuth resource-server filter ahead of the pre-authentication filter position. -->
  <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
  <access-denied-handler ref="oauthAccessDeniedHandler"/>
  <!-- Supplies the handler that evaluates the #oauth2... expressions used in the rules above. -->
  <expression-handler ref="oauthWebExpressionHandler"/>
</http>
在你的“security:http ...”标签之前。
并确保您使用的用户已使用ROLE_USER登录。