春季引导> 2.2.7

时间:2020-05-22 09:56:13

标签: spring spring-boot spring-security jwt spring-security-oauth2

当令牌类型为“ at + jwt”时,我们会在验证中收到错误消息:

org.springframework.security.oauth2.server.resource.InvalidBearerTokenException:尝试解码Jwt时发生错误:不允许JOSE标头“ typ”(类型)“ at + jwt” 在org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:86)处 在org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) 在org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:124) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) 在org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)处 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter(FilterChainProxy.java:334) 在org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) 在org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) 在org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) 在org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) 在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 在org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 在org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 在org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 在org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) 在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) 在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 在org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) 在org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) 在org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) 在org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) 在org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) 在org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) 在org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) 在org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) 在org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) 在org.apache.coyote.AbstractProtocol $ ConnectionHandler.process(AbstractProtocol.java:868) 在org.apache.tomcat.util.net.NioEndpoint $ SocketProcessor.doRun(NioEndpoint.java:1590) 在org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) 在java.base / java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) 在java.base / java.util.concurrent.ThreadPoolExecutor $ Worker.run(ThreadPoolExecutor.java:630) 在org.apache.tomcat.util.threads.TaskThread $ WrappingRunnable.run(TaskThread.java:61) 在java.base / java.lang.Thread.run(Thread.java:832)

这仅在spring boot版本大于2.2.7的情况下发生 您是否知道如何在验证中设置允许的令牌类型?

1 个答案:

答案 0 :(得分:0)

我有同样的问题。 我通过更改依赖项解决了这个问题:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
    <exclusions>
        <exclusion>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>7.9</version>
</dependency>

问题在于,在版本8+中,新的DefaultJOSEObjectTypeVerifier类出现在сommithttps://bitbucket.org/connect2id/nimbus-jose-jwt/commits/ee6aec33c6349ebc85de37f4b76da7f1feeb0ee5中,该类检查允许的类型。必须单独添加“ at + jwt”类型。

相关问题
最新问题