Spring Security OAuth2: InsufficientAuthenticationException
First, I disabled basic authentication:
security.basic.enabled=false
Then I visit the authorization page:
http://localhost:8080/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.baidu.com
I got the following exception:
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138) ~[spring-security-oauth2-2.0.10.RELEASE.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_45]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221) ~[spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) ~[spring-web-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) ~[spring-webmvc-4.2.7.RELEASE.jar:4.2.7.RELEASE]
at ...
I don't understand why I have to authenticate before OAuth. The authorization code grant flow looks like this:
http://localhost:8080/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.baidu.com
<security:http disable-url-rewriting="true"
               use-expressions="true"
               entry-point-ref="loginEntryPoint">
    ...
    <security:intercept-url pattern="/oauth/authorize" access="hasRole('ROLE_USER')"/>
    ...
</security:http>
...
...
If the user is not logged in yet, this will trigger Spring Security to redirect the user to the login configured in your loginEntryPoint. Typically you would redirect the user to a login page. After successful authentication, the user is returned to the authorization endpoint.

What if the server is stateless? It has no session. My authorization server can have a login controller or filter, but how does it inform Spring Security that the user credentials are correct?

@Stephane Your authorization server needs sessions enabled. You can scale the application by relying on something like Redis for session management.

I configured the authorization server to authenticate with a JWT access token, using a login filter to create the token and passing the token in a header when sending requests to the /oauth/authorize endpoint. This way I skip the session and my authorization server is stateless.
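The answer's XML rule and the two ways of satisfying it discussed in the comments (a session established by form login, or a per-request token carried in a header) can be written as one Java configuration. The following is an added example, not code from the question, the answer, or the Spring projects; it assumes Spring Security 4.x with spring-security-oauth2 2.0.x (the versions in the stack trace above), and the TokenVerifier interface, the HeaderTokenFilter class and the use of an Authorization: Bearer header are assumptions of the example, standing in for whatever validates the JWT that the commenter's login filter issued. The point it demonstrates is that AuthorizationEndpoint only checks the SecurityContext: anything that places an authenticated Authentication there before /oauth/authorize is reached, whether a session-backed form login or a filter, avoids the InsufficientAuthenticationException.

```java
// Added example (not code from the page or from Spring). Assumes Spring Security 4.x
// and spring-security-oauth2 2.0.x; TokenVerifier and HeaderTokenFilter are hypothetical.
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class AuthorizationServerWebSecurity extends WebSecurityConfigurerAdapter {

    /** Hypothetical: returns an authenticated Authentication for a valid token, null otherwise. */
    public interface TokenVerifier {
        Authentication verify(String token);
    }

    @Autowired
    private TokenVerifier tokenVerifier;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo user so form login has something to authenticate against;
        // Spring Security 4.x accepts a plain password here, a real deployment wires a UserDetailsService
        auth.inMemoryAuthentication().withUser("alice").password("secret").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Runs before the form-login filter: if a valid token is present, the
            // SecurityContext is populated and no redirect to /login happens
            .addFilterBefore(new HeaderTokenFilter(tokenVerifier), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                // Same rule as the answer's <security:intercept-url>: the authorization
                // endpoint is reachable only by a user holding ROLE_USER
                .antMatchers("/oauth/authorize").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            // formLogin() registers a LoginUrlAuthenticationEntryPoint for /login, the Java
            // equivalent of the answer's entry-point-ref="loginEntryPoint"; an unauthenticated
            // request to /oauth/authorize is redirected there instead of reaching the endpoint
            .formLogin()
                .loginPage("/login")
                .permitAll();
    }

    /** Hypothetical filter: reads a bearer token from the request and, if it verifies, tells Spring Security who the user is. */
    static final class HeaderTokenFilter extends OncePerRequestFilter {
        private final TokenVerifier verifier;

        HeaderTokenFilter(TokenVerifier verifier) {
            this.verifier = verifier;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            String header = request.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                Authentication auth = verifier.verify(header.substring("Bearer ".length()));
                // This single call is how a custom filter "informs Spring Security that the
                // credentials are correct": AuthorizationEndpoint reads the same context
                if (auth != null && auth.isAuthenticated()) {
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            }
            // Invalid or missing token: leave the context empty, so the entry point decides
            chain.doFilter(request, response);
        }
    }
}
```

With this configuration the request shown in the question (client_id, response_type=code, redirect_uri) is redirected to /login when neither a session nor a valid header token is present, and reaches AuthorizationEndpoint otherwise. A purely stateless deployment, as the last comment describes, would keep the filter, drop formLogin(), and add sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) so that no HttpSession is ever created for the authorization server.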