Fatal编程技术网
  • java/
  • Java Spring Oauth2授权\授权-无法在令牌之后访问资源-用户匿名

Java Spring Oauth2授权\授权-无法在令牌之后访问资源-用户匿名

java spring spring-security oauth-2.0

Java Spring Oauth2授权\授权-无法在令牌之后访问资源-用户匿名,java,spring,spring-security,oauth-2.0,Java,Spring,Spring Security,Oauth 2.0,我正试图用spring的授权授予流来保护我的RESTAPI 我可以(通过邮递员)获得一个访问令牌,我用Bearer将授权放入头中,但我无法访问资源,因为Spring Security告诉我: 2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository[186] - HttpSession returned null object for SPRING_SEC

我正试图用spring的授权授予流来保护我的RESTAPI

我可以(通过邮递员)获得一个访问令牌,我用Bearer将授权放入头中,但我无法访问资源,因为Spring Security告诉我:

    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository[186] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository[116] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6e24700e. A new one will be created.
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.h.writers.HstsHeaderWriter[130] - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3e385c64
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy[325] - /api/user at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter[100] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1FF11055AA4F347AB8AA7B6E467D93F; Granted Authorities: ROLE_ANONYMOUS'
2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor[219] - Secure object: FilterInvocation: URL: /api/user; Attributes: [authenticated]
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor[348] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1FF11055AA4F347AB8AA7B6E467D93F; Granted Authorities: ROLE_ANONYMOUS
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.access.vote.AffirmativeBased[66] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@53b3549c, returned: -1
    2017-04-06 17:36:33 [http-nio-8080-exec-9] DEBUG o.s.s.w.a.ExceptionTranslationFilter[173] - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
所以基本上,在获得访问令牌后,如果我使用它,我将是一个匿名用户,基本上是因为SPRING\u SECURITY\u上下文为空

这是我的ResourceServer配置

@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter{

    private final Logger logger = LoggerFactory.getLogger(ResourceServerConfig.class);

    @Autowired
    DataSource dataSource;

     @Override
    public void configure(HttpSecurity http) throws Exception {
                logger.debug("Api security configured");
                http    
                .antMatcher("/api/**")
               .authorizeRequests()
               .anyRequest().access("hasRole('USER')")
               .and().exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
               .and().httpBasic();
            }

     @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

     @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {

            resources.tokenStore(tokenStore());
        }
}
这是身份验证服务器

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        endpoints.tokenStore(tokenStore()).authenticationManager(authManager);

    }

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

}
我正在尝试使用此身份验证
承载77a226bf-74a4-4a89-b2a6-e130c215566b访问/api/user,该身份验证
来自与用户登录后的身份验证服务器令牌请求


怎么了?
我认为用户角色没有从数据库中获取。
必须定义角色列吗

这将帮助您:

将spring boot从1.4升级到1.5后,我遇到了完全相同的问题。通过禁用boot的自动配置黑魔法,问题得以解决


@EnableAutoConfiguration(exclude = {OAuth2AutoConfiguration.class})



我相信他们添加了一些新的~~ bug~~功能,打破了旧的应用程序配置。
用户可以登录web应用程序,所以我认为它的角色是正确的,只有在尝试通过OAUTH流进行访问时,问题才会出现。能否显示存储在DB中的角色列数据?ID | type->1 | USERupdate configure方法如下:public void configure(HttpSecurity http)抛出异常{http.requestMatchers().antMatchers(“/api/**”)。和().authorizeRequests().antMatchers()(“/api/**”).access(“hasRole('USER')”)和().exceptionHandling().authenticationEntryPoint(新的Http403ForbiddenEntryPoint())和().httpBasic();}获取始终相同的内容..SecurityContext为空或内容为匿名-上下文将不会存储在HttpSession中我有相同的问题,您是否解决了问题?