Java 为什么我的SpringOAuth2服务器不能使用SSL自签名SSL工作?
我正在我的应用程序上使用OAuth2.0。我有两个使用SpringBoot开发的应用程序,一个是url认证,另一个是客户端 当我使用不带SSL的服务器时(和)授权成功。但是,当我使用自签名证书时我遇到问题,返回错误401,未经授权,身份验证失败:无法获取访问令牌。我不知道这是怎么发生的,为什么会发生 观察:证书像trusted一样在我的计算机上注册,然后我看到地址栏呈绿色 客户:Java 为什么我的SpringOAuth2服务器不能使用SSL自签名SSL工作?,java,spring,ssl,oauth,spring-boot,Java,Spring,Ssl,Oauth,Spring Boot,我正在我的应用程序上使用OAuth2.0。我有两个使用SpringBoot开发的应用程序,一个是url认证,另一个是客户端 当我使用不带SSL的服务器时(和)授权成功。但是,当我使用自签名证书时我遇到问题,返回错误401,未经授权,身份验证失败:无法获取访问令牌。我不知道这是怎么发生的,为什么会发生 观察:证书像trusted一样在我的计算机上注册,然后我看到地址栏呈绿色 客户: @SpringBootApplication @EnableOAuth2Sso public class Appli
@SpringBootApplication
@EnableOAuth2Sso
public class Application {
public static void main(String[] args) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
SpringApplication.run(Application.class, args);
}
}
服务器上的OAuth 2.0配置:
@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter{
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.authorizedGrantTypes("authorization_code")
.scopes("read", "trust")
.resourceIds("RESOURCE_ID")
.secret("secret");
}
}
2016-06-06 16:47:27.376 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-06-06 16:47:27.377 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No HttpSession currently exists
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-06 16:47:27.381 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-06-06 16:47:27.382 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Request 'GET /' doesn't match 'POST /logout
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Checking match of request : '/'; against '/login'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-06-06 16:47:27.386 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.session.SessionManagementFilter Requested session ID CBA2CC9F09D613F91D95FD4764E48A50 is invalid.
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-06-06 16:47:27.399 DEBUG [nio-2901-exec-4] o.s.s.access.vote.AffirmativeBased Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fcae110, returned: -1
2016-06-06 16:47:27.404 DEBUG [nio-2901-exec-4] o.s.s.w.a.ExceptionTranslationFilter Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
以下是客户端在服务器上成功登录后的日志:
@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter{
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client")
.authorizedGrantTypes("authorization_code")
.scopes("read", "trust")
.resourceIds("RESOURCE_ID")
.secret("secret");
}
}
2016-06-06 16:47:27.376 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-06-06 16:47:27.377 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No HttpSession currently exists
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-06 16:47:27.381 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-06-06 16:47:27.382 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Request 'GET /' doesn't match 'POST /logout
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Checking match of request : '/'; against '/login'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-06-06 16:47:27.386 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.session.SessionManagementFilter Requested session ID CBA2CC9F09D613F91D95FD4764E48A50 is invalid.
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-06-06 16:47:27.399 DEBUG [nio-2901-exec-4] o.s.s.access.vote.AffirmativeBased Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fcae110, returned: -1
2016-06-06 16:47:27.404 DEBUG [nio-2901-exec-4] o.s.s.w.a.ExceptionTranslationFilter Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
您能否检查
“spring security.xml”
中的配置,并查看“requires-channel”
属性是否设置为https而不是http
如果没有,请将all设置为https并重试。
更多关于这个问题的信息在这里。
样本:
<intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
<intercept-url pattern="/resources/**" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
<intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
@找到了问题
问题:
因为我在开发模式下使用WSO2 Identity Server,并且使用自签名证书,所以Java不信任它。而且,在一些对WSO2端点的HTTP请求中,连接因该无效证书而失败
临时解决办法:
在开发模式中关闭SSL检查
解决方案:
在生产环境中,确保WSO2 Identity Server具有有效的证书
资源位置:
与其拥有自签名证书,不如创建一个本地根CA,然后从该CA生成SSL证书。确保JVM信任库具有根CA公钥的副本客户端JVM信任库中的证书是否可用?。如果没有,那么您必须创建一个信任库,并将该证书添加到信任库,并在启动客户机JVM时提供该信任库谢谢您的评论。我试过这个,但没用。我以前也试过,但没用。查看我的日志,您将验证这不是问题所在。谢谢您的尝试。我知道问题是关于自我签名的,但我需要打开此SSL的例外以在intranet上使用。我不能关闭SSL,就像我说的,如果没有它,它可以工作,只使用HTTP。我也在JVM x86和x64上尝试过它,但它不工作。也许我需要在SpringOAuth2上更改一些配置来接受证书。