Spring OAuth2 - 没有客户端身份验证.尝试添加适当的身份验证过滤器 [英] Spring OAuth2 - There is no client authentication. Try adding an appropriate authentication filter
问题描述
我们有一个使用 spring-security-oauth2:1.0
的应用程序.我试图将其更改为更新版本 spring-security-oauth2:2.0.7.RELEASE
.删除了一些类,更改了一些包结构,我设法解决了所有这些问题,并且能够毫无问题地启动服务器.但是我在这里遇到了一个奇怪的问题.
We have an application which is using spring-security-oauth2:1.0
. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE
. Some classes were removed, some package structure is changed, I managed to sort out all those things and I was able to start the server without any issue. But I am facing a strange issue here.
使用OAuth2 - 1.0 版本
,当用户登录时,我们曾经在/oauth/token
上做一个GET
请求,例如:
With OAuth2 - 1.0 version
, when the user logs in we used to do a GET
request on /oauth/token
, For example :
它曾经工作得很好.
当我尝试同样的事情时,首先我无法发出 GET
请求,因为 TokenEndPoint.java一个>
When I try the same thing, First of all I am not able to make a GET
request because of the logic in TokenEndPoint.java
private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));
@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!allowedRequestMethods.contains(HttpMethod.GET)) {
throw new HttpRequestMethodNotSupportedException("GET");
}
return postAccessToken(principal, parameters);
}
我尝试发出与上述 URL 相同的 POST
请求,但我收到 InsufficientAuthenticationException
和错误消息
I have tried to make a POST
request same as above URL, but I get InsufficientAuthenticationException
with the error message
没有客户端身份验证.尝试添加适当的身份验证过滤器
There is no client authentication. Try adding an appropriate authentication filter
这是因为 TokenEndpoint.java
中的以下 POST
请求控制器.当我调试时,我看到 principal
为空.
This is because of the following POST
request controller in TokenEndpoint.java
. When I debug, I see that principal
is null.
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
//principal is null here
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
"There is no client authentication. Try adding an appropriate authentication filter.");
}
.............
}
我有一个身份验证过滤器,当我使用 version 1.0
时,它运行良好.这是我的配置的相关内容:
I have an authentication filter and it worked well when I used version 1.0
. This is the relevant prats of my config:
<authentication-manager xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="userDetailsService"/>
</authentication-manager>
<bean id="userDetailsService" class="com.hcl.nc.service.UserDetailsService">
<constructor-arg><ref bean="sessionFactory" /></constructor-arg>
</bean>
我一直认为请求将由 authentication-provider
进行身份验证并转到 token-endpoint
但这似乎不是正确的流程.使用2.0.7版
调试应用程序后,现在我真的怀疑我对流程的理解.
I always thought that the request will be authenticated by authentication-provider
and goes to token-endpoint
but that does not seem to be the correct flow. After debugging the application with version 2.0.7
, now I really doubt my understanding about the flow.
谁能解释一下为什么它在以前的版本中有效,为什么现在不起作用?
我是否需要做一些不同的事情才能获得 OAuth 令牌?
注意:我已经检查了这些问题:此处,此处,此处.但是我找不到正确的解决方案.
NOTE: I have already checked these questions : here, here, here. But I was not able to find the correct solution.
推荐答案
我不知道以前的版本,但我对2.0.7有点了解.
I don't know the previous version, but I know a bit about 2.0.7.
我怀疑您的问题是您的 TokenEndpoint 安全尝试针对您的 用户 服务验证您的客户端.
I suspect your problem is that your TokenEndpoint security tries to authenticate your clients against your user service.
TokenEndpoint 由 BasicAuthenticationFilter
保护.默认情况下,此过滤器将使用 AuthenticationManager
实例,该实例本身包含一个 AuthenticationProvider
,它本身取决于 UserDetailsService
的实例.诀窍是 UserDetailsService
的这个特定实例必须基于 客户端,而不是基于 用户:这就是为什么有 ClientDetailsUserDetailsService
,将 ClientDetailsService
适配为 UserDetailsService
.
The TokenEndpoint is protected by a BasicAuthenticationFilter
. By default this filter would use an AuthenticationManager
instance, which itself holds an AuthenticationProvider
, which itself depends on an instance of UserDetailsService
.
The trick is that this particular instance of UserDetailsService
must be client based, not user based : that's why there is a ClientDetailsUserDetailsService
, which adapts ClientDetailsService
to UserDetailsService
.
通常,当您使用框架的配置类AuthorizationServerConfigurerAdapter
、@EnableAuthorizationServer
等时,默认情况下所有这些内容都已完成.
Normally all this stuff is already done by default when you use the framework's configuration classes AuthorizationServerConfigurerAdapter
, @EnableAuthorizationServer
, etc..
这篇关于Spring OAuth2 - 没有客户端身份验证.尝试添加适当的身份验证过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!