Spring OAuth2-没有客户端身份验证。尝试添加适当的身份验证过滤器 [英] Spring OAuth2 - There is no client authentication. Try adding an appropriate authentication filter
问题描述
我们有一个使用 spring-security-oauth2:1.0
的应用程序。我试图将其更改为较新的版本, spring-security-oauth2:2.0.7.RELEASE
。删除了某些类,更改了某些程序包结构,我设法整理了所有这些内容,并且能够毫无问题地启动服务器。但是我在这里面临一个奇怪的问题。
We have an application which is using spring-security-oauth2:1.0
. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE
. Some classes were removed, some package structure is changed, I managed to sort out all those things and I was able to start the server without any issue. But I am facing a strange issue here.
使用 OAuth2-1.0版本
,当用户登录时,我们使用对 / oauth / token
进行 GET
请求,例如:
With OAuth2 - 1.0 version
, when the user logs in we used to do a GET
request on /oauth/token
, For example :
它曾经可以正常工作。
When I try the same thing, First of all I am not able to make a GET
request because of the logic in TokenEndPoint.java
private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));
@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!allowedRequestMethods.contains(HttpMethod.GET)) {
throw new HttpRequestMethodNotSupportedException("GET");
}
return postAccessToken(principal, parameters);
}
我试图发布 POST
请求与上述URL相同,但出现错误消息 InsufficientAuthenticationException
I have tried to make a POST
request same as above URL, but I get InsufficientAuthenticationException
with the error message
没有客户端身份验证。尝试添加适当的身份验证过滤器
There is no client authentication. Try adding an appropriate authentication filter
这是因为以下 POST
请求 TokenEndpoint.java
中的控制器。调试时,我看到 principal
为空。
This is because of the following POST
request controller in TokenEndpoint.java
. When I debug, I see that principal
is null.
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
//principal is null here
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
"There is no client authentication. Try adding an appropriate authentication filter.");
}
.............
}
我有一个身份验证过滤器,当我使用版本1.0
时,它可以很好地工作。这是我的配置的相关参数:
I have an authentication filter and it worked well when I used version 1.0
. This is the relevant prats of my config:
<authentication-manager xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="userDetailsService"/>
</authentication-manager>
<bean id="userDetailsService" class="com.hcl.nc.service.UserDetailsService">
<constructor-arg><ref bean="sessionFactory" /></constructor-arg>
</bean>
我一直认为请求将由 authentication-provider进行身份验证
并转到 token-endpoint
,但这似乎不是正确的流程。在使用版本2.0.7
调试应用程序后,现在我真的怀疑我对流程的理解。
I always thought that the request will be authenticated by authentication-provider
and goes to token-endpoint
but that does not seem to be the correct flow. After debugging the application with version 2.0.7
, now I really doubt my understanding about the flow.
有人可以解释一下为什么它在以前的版本中有效,为什么现在不能正常工作吗?
为了获得OAuth令牌?
注意:我已经检查了以下问题:此处,此处,此处。但是我找不到正确的解决方案。
NOTE: I have already checked these questions : here, here, here. But I was not able to find the correct solution.
推荐答案
我不知道以前的版本,但是我知道一点大约是2.0.7。
I don't know the previous version, but I know a bit about 2.0.7.
我怀疑您的问题是您的TokenEndpoint安全性试图针对您的用户验证您的客户端 >服务。
I suspect your problem is that your TokenEndpoint security tries to authenticate your clients against your user service.
TokenEndpoint受 BasicAuthenticationFilter
保护。默认情况下,此过滤器将使用 AuthenticationManager
实例,该实例本身包含 AuthenticationProvider
本身,该实例本身取决于 UserDetailsService
。
诀窍在于, UserDetailsService
的特定实例必须基于 client ,而不是基于 user :为什么有一个 ClientDetailsUserDetailsService
,它将 ClientDetailsService
修改为 UserDetailsService
The TokenEndpoint is protected by a BasicAuthenticationFilter
. By default this filter would use an AuthenticationManager
instance, which itself holds an AuthenticationProvider
, which itself depends on an instance of UserDetailsService
.
The trick is that this particular instance of UserDetailsService
must be client based, not user based : that's why there is a ClientDetailsUserDetailsService
, which adapts ClientDetailsService
to UserDetailsService
.
通常,当您使用框架的配置类 AuthorizationServerConfigurerAdapter
, @EnableAuthorizationServer
等。
Normally all this stuff is already done by default when you use the framework's configuration classes AuthorizationServerConfigurerAdapter
, @EnableAuthorizationServer
, etc..
这篇关于Spring OAuth2-没有客户端身份验证。尝试添加适当的身份验证过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!