Java 访问Danied-弹簧靴e Oauth2
我有一个问题,我正在用spring boot和oauth2测试一个api,但是当请求令牌时,会生成相同的令牌并将其发送到浏览器,但是当发送到资源时,我只获得danied访问权限,代码如下: 服务器授权应用程序Java 访问Danied-弹簧靴e Oauth2,java,spring,spring-boot,spring-security,spring-security-oauth2,Java,Spring,Spring Boot,Spring Security,Spring Security Oauth2,我有一个问题,我正在用spring boot和oauth2测试一个api,但是当请求令牌时,会生成相同的令牌并将其发送到浏览器,但是当发送到资源时,我只获得danied访问权限,代码如下: 服务器授权应用程序 package br.com.serverAuthorization; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootA
package br.com.serverAuthorization;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class ServerAuthorizationApplication {
public static void main(String[] args) {
SpringApplication.run(ServerAuthorizationApplication.class, args);
}
}
package br.com.serverAuthorization.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
public static final String RESOURCE_ID = "arip";
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new InMemoryTokenStore()).authenticationManager(authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.checkTokenAccess("hasRole('CLIENT')");
}
@Override
public void configure(ClientDetailsServiceConfigurer client) throws Exception {
client.inMemory()
.withClient("clientapp")
.secret("123456")
.authorizedGrantTypes("password")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.and()
.withClient("clientcred")
.secret("123456")
.authorizedGrantTypes("client_credentials")
.scopes("trust")
.resourceIds(RESOURCE_ID)
.and()
.withClient("clientauthcode")
.secret("123456")
.authorizedGrantTypes("authorization_code", "refresh_token")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.and()
.withClient("jsclient")
.secret("123456")
.authorizedGrantTypes("implicit")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.authorities("CLIENT")
.redirectUris("http://localhost:8080/contacts")
.accessTokenValiditySeconds(3600)
.autoApprove(true);
}
}
package br.com.serverAuthorization.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
public static final String RESOURCE_ID = "arip";
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/contacts").hasRole("ADMIN");
//http.authorizeRequests().antMatchers("/api/staff").hasRole("STAFF");
//http.authorizeRequests().antMatchers("/api/client").access("#oauth2.hasScope('trust')");
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setClientId("jsclient");
tokenService.setClientSecret("123456");
tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
resources.resourceId(RESOURCE_ID).tokenServices(tokenService);
}
}
package br.com.serverAuthorization.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
public static final String RESOURCE_ID = "arip";
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new InMemoryTokenStore()).authenticationManager(authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.checkTokenAccess("hasRole('CLIENT')");
}
@Override
public void configure(ClientDetailsServiceConfigurer client) throws Exception {
client.inMemory()
.withClient("clientapp")
.secret("123456")
.authorizedGrantTypes("password")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.and()
.withClient("clientcred")
.secret("123456")
.authorizedGrantTypes("client_credentials")
.scopes("trust")
.resourceIds(RESOURCE_ID)
.and()
.withClient("clientauthcode")
.secret("123456")
.authorizedGrantTypes("authorization_code", "refresh_token")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.and()
.withClient("jsclient")
.secret("123456")
.authorizedGrantTypes("implicit")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.authorities("CLIENT")
.redirectUris("http://localhost:8080/contacts")
.accessTokenValiditySeconds(3600)
.autoApprove(true);
}
}
package br.com.serverAuthorization.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
public static final String RESOURCE_ID = "arip";
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/contacts").hasRole("ADMIN");
//http.authorizeRequests().antMatchers("/api/staff").hasRole("STAFF");
//http.authorizeRequests().antMatchers("/api/client").access("#oauth2.hasScope('trust')");
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setClientId("jsclient");
tokenService.setClientSecret("123456");
tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
resources.resourceId(RESOURCE_ID).tokenServices(tokenService);
}
}
package br.com.serverAuthorization.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity(debug = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("passw0rd").roles("ADMIN");
auth.inMemoryAuthentication().withUser("staff").password("passw0rd").roles("STAFF");
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/contacts").authenticated();
}
}
package br.com.serverAuthorization.controllers;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import br.com.serverAuthorization.models.Contact;
@RestController
@RequestMapping("/contacts")
public class HomeController {
private List<Contact> listContact = new ArrayList<Contact>();
@GetMapping
public ResponseEntity<Principal> listAll(Principal user){
System.out.println("Entro");
listContact.add(new Contact(1, "Marcos Paulo Souza Miranda", "marcospsmiranda@gmail.com"));
listContact.add(new Contact(2, "João Pedro Souza Miranda", "joaopedro@gmail.com"));
listContact.add(new Contact(3, "Radames Aurelio Miranda", "radames@gmail.com"));
listContact.add(new Contact(4, "Lucelia de Souza Silva Miranda", "lucelia@gmail.com"));
return new ResponseEntity<>(user, HttpStatus.OK);
}
}
如果我理解得很好,您可以获得一个令牌,但您不能使用它访问资源,对吗?没错,我获得了令牌,但在访问资源时,mi返回代码403 talking access danied。@Marcspaulo您可以解码您获得的访问令牌(可能在)并查看您是否有“aud”声明吗?如果是,请检查“澳元”索赔中的金额。我认为您在访问令牌中的“aud”声明与资源ID不匹配,这就是资源服务器不接受令牌的原因。@htulsiani,当访问令牌时,我使用以下代码:(Curl-X POST-vu clientapp:123456-H“accept:application/json”-d“client_id=clientapp&grant_type=password&username=admin&password=passw0rd”)检查令牌时使用以下代码:curl,尝试访问资源时使用以下代码:curl-H“Authorization:Berear-token”,但是我检查了,并且aud是正确的,那么我找不到错误。您能在这里共享您的访问令牌吗?