Я работаю над требованием, чтобы разрешить другому доверенному приложению (бэкенду) подключаться к нашему API с помощью предоставления пароля oauth2, но я не могу получить токен с помощью / oauth / token.
Наше приложение уже имеет базовую форму авторизации при входе в систему с формой входа в систему.
Вот оригинальный WebSecurityConfig, который позволяет пользователю войти в систему с помощью формы. Это работает некоторое время.
@Configuration
@ComponentScan("config")
@EnableWebSecurity
@Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsServiceImpl userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and()
.csrf().disable()
.headers().frameOptions().disable()
.and()
.authorizeRequests()
//allow anyone to access the following with the pattern
.antMatchers("/", "/static/**", "/ping", "/topic/**", "/oauth/token" ).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/").permitAll()
.loginProcessingUrl("/login")
.usernameParameter("username")
.passwordParameter("password")
.and()
.sessionManagement()
.expiredUrl("/")
.and()
.invalidSessionUrl("/");
}
@Bean(name = "corsConfigurationSource")
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT"));
configuration.setAllowedHeaders(Arrays.asList("Cache-Control", "Authorization", "Content-Type", "content-type", "x-requested-with", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "x-auth-token", "x-app-id", "Origin", "Accept", "X-Requested-With", "Access-Control-Request-Method", "Access-Control-Request-Headers"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
auth.authenticationProvider(authProvider());
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(encoder());
return authProvider;
}
@Bean
public PasswordEncoder encoder() {
return new MessageDigestPasswordEncoder("md5");
}
}
А вот и новые настройки сервера авторизации, которые я добавил. Я просто пытаюсь запустить простейшее дело. Поэтому я использую в памяти все.
@Configuration
@EnableAuthorizationServer
@ComponentScan ("config")
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("client")
.secret("clientpassword")
.secret("{noop}secret")
.authorizedGrantTypes("password")
.scopes("read", "write");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore( new InMemoryTokenStore())
.authenticationManager(authenticationManager)
.allowedTokenEndpointRequestMethods(HttpMethod.POST);
}
}
И это еще один WebSecurityConfig, который я создал, пытаясь отделить исходный от нового:
@Configuration
@Order(1)
@ComponentScan ("config")
@EnableWebSecurity (debug = true)
public class WebSecurityOauthConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable();
}
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.passwordEncoder(NoOpPasswordEncoder.getInstance())
.withUser("user").password("user").roles("ROLE");
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
А это версия:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>5.0.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
<version>5.0.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
Это запрос, который я отправляю:
curl -X POST \
http://localhost:8081/oauth/token \
-H 'Authorization: Basic Y2xpZW50OmNsaWVudHBhc3N3b3Jk' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: 06a1108e-d620-4e01-b8f7-81eb7a57ae44' \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-F client_id=client \
-F user=user \
-F password=user \
-F grant_type=password
Нет явной ошибки. Это журнал трассировки от весенней безопасности. Из того, что я вижу, DaoAuthenticationProvider не правильно зарегистрирован. Я ожидал использовать пользователя в памяти, но цепочка фильтров не включает его. Я также пробовал автоматическое подключение userDetailsService, но результат тот же
************************************************************
Request received for POST '/oauth/token':
org.apache.catalina.connector.RequestFacade@47616c04
servletPath:/oauth/token
pathInfo:null
headers:
content-type: multipart/form-data; boundary=--------------------------127172580218970013444831
authorization: Basic Y2xpZW50OmNsaWVudHBhc3N3b3Jk
cache-control: no-cache
postman-token: db0faf20-d49c-485a-8712-4d31bc65615a
user-agent: PostmanRuntime/7.1.5
accept: */*
host: localhost:8081
cookie: JSESSIONID=AC9D0F63FB67F51917751325403CC4B1
accept-encoding: gzip, deflate
content-length: 505
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2018-09-05 22:42:36 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/oauth/token']
2018-09-05 22:42:36 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/oauth/token'; against '/oauth/token' 2018-09-05 22:42:36 DEBUG OrRequestMatcher:68 - matched
2018-09-05 22:42:36 DEBUG FilterChainProxy:328 - /oauth/token at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-09-05 22:42:36 DEBUG FilterChainProxy:328 - /oauth/token at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-09-05 22:42:36 DEBUG FilterChainProxy:328 - /oauth/token at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-09-05 22:42:36 DEBUG HstsHeaderWriter:130 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@42b51d34
2018-09-05 22:42:36 DEBUG FilterChainProxy:328 - /oauth/token at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-09-05 22:42:36 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2018-09-05 22:42:36 DEBUG AntPathRequestMatcher:137 - Request 'POST /oauth/token' doesn't match 'GET /logout
2018-09-05 22:42:36 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2018-09-05 22:42:36 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/oauth/token'; against '/logout'
2018-09-05 22:42:36 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2018-09-05 22:42:36 DEBUG AntPathRequestMatcher:137 - Request 'POST /oauth/token' doesn't match 'PUT /logout
2018-09-05 22:42:36 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2018-09-05 22:42:36 DEBUG AntPathRequestMatcher:137 - Request 'POST /oauth/token' doesn't match 'DELETE /logout
2018-09-05 22:42:36 DEBUG OrRequestMatcher:72 - No matches found
2018-09-05 22:42:36 DEBUG FilterChainProxy:328 - /oauth/token at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2018-09-05 22:42:36 DEBUG BasicAuthenticationFilter:170 - Basic Authentication Authorization header found for user 'client'
2018-09-05 22:42:36 DEBUG ProviderManager:169 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2018-09-05 22:42:36 DEBUG DaoAuthenticationProvider:87 - Authentication failed: password does not match stored value
2018-09-05 22:42:36 DEBUG BasicAuthenticationFilter:198 - Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2018-09-05 22:42:36 DEBUG DelegatingAuthenticationEntryPoint:78 - Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2018-09-05 22:42:36 DEBUG DelegatingAuthenticationEntryPoint:91 - No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@68e001ed
2018-09-05 22:42:36 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed
А ответ 401 Без слов:
<html>
<head>
<title>Apache Tomcat/7.0.47 - Error report</title>
<style>
<!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}-->
</style>
</head>
<body>
<h1>HTTP Status 401 - Unauthorized</h1>
<HR size="1" noshade="noshade">
<p>
<b>type</b> Status report
</p>
<p>
<b>message</b>
<u>Unauthorized</u>
</p>
<p>
<b>description</b>
<u>This request requires HTTP authentication.</u>
</p>
<HR size="1" noshade="noshade">
<h3>Apache Tomcat/7.0.47</h3>
</body>
</html>
Пожалуйста, помогите. Любые предложения приветствуются.