我有一个oauth2客户端spring-boot应用程序,依赖项为:
- spring-boot 1.2.0.RC1
- spring-security-oauth2 2.0.4.RELEASE
- spring-security 3.2.5.RELEASE
客户端进行身份验证,身份验证设置在SecurityContextHolder中,但当请求重定向到原始URL时,过滤器链会再次开始处理。我注意到在SecurityContextPersistenceFilter中,contextBeforeChainExecution和contextAfterChainExecution都具有空身份验证。
我基于[1]Spring Security OAuth2 (google) web app in redirect loop的一些代码。
有什么想法为什么会出现重定向循环?谢谢您的帮助。
[日志片段]https://gist.github.com/yterradas/61da3f6eccc683b3a086 以下是安全配置。
客户端进行身份验证,身份验证设置在SecurityContextHolder中,但当请求重定向到原始URL时,过滤器链会再次开始处理。我注意到在SecurityContextPersistenceFilter中,contextBeforeChainExecution和contextAfterChainExecution都具有空身份验证。
我基于[1]Spring Security OAuth2 (google) web app in redirect loop的一些代码。
有什么想法为什么会出现重定向循环?谢谢您的帮助。
[日志片段]https://gist.github.com/yterradas/61da3f6eccc683b3a086 以下是安全配置。
@Configuration public class SecurityConfig {
@Configuration @EnableWebMvcSecurity protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired private OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter;
@Autowired private LoginUrlAuthenticationEntryPoint vaultAuthenticationEntryPoint;
@SuppressWarnings({"SpringJavaAutowiringInspection"}) @Autowired private OAuth2ClientContextFilter oAuth2ClientContextFilter;
@Override protected void configure(HttpSecurity http) throws Exception { // 禁用匿名访问,只允许已认证用户访问 http .authorizeRequests() .antMatchers("/**").authenticated() .and() .exceptionHandling().authenticationEntryPoint(vaultAuthenticationEntryPoint) .and() // 添加过滤器 .addFilterAfter(oAuth2ClientContextFilter, ExceptionTranslationFilter.class) .addFilterBefore(oAuth2ClientAuthenticationProcessingFilter, FilterSecurityInterceptor.class) .anonymous().disable(); }
@Override public void configure(WebSecurity web) throws Exception { // 禁用调试模式 web /* TODO: disable debug in production */ .debug(true); } }
@Configuration @EnableOAuth2Client protected static class ClientSecurityConfig {
@Value("${app.name}") private String appId; @Value("${app.clientId}") private String appClientId; @Value("${app.clientSecret}") private String appClientSecret; @Value("${app.redirectUrl}") private String appRedirectUrl; @Value("${vault.accessTokenUrl}") private String vaultAccessTokenUrl; @Value("${vault.userAuthorizationUrl}") private String vaultUserAuthorizationUrl; @Value("${vault.checkTokenUrl}") private String vaultCheckTokenUrl;
@SuppressWarnings({"SpringJavaAutowiringInspection"}) @Resource @Qualifier("oauth2ClientContext") private OAuth2ClientContext oAuth2ClientContext;
@Autowired @Qualifier("securityDataSource") private DataSource securityDataSource;
@Autowired private MappingJackson2HttpMessageConverter jackson2HttpMessageConverter;
// 创建 OAuth2RestOperations 实例 @Bean public OAuth2RestOperations oAuth2RestOperations() { AccessTokenProviderChain provider = new AccessTokenProviderChain( Arrays.asList(new AuthorizationCodeAccessTokenProvider()) ); provider.setClientTokenServices(new JdbcClientTokenServices(securityDataSource));
OAuth2RestTemplate template = new OAuth2RestTemplate(oAuth2Resource(), oAuth2ClientContext); template.setAccessTokenProvider(provider); template.setMessageConverters(Arrays.asList(jackson2HttpMessageConverter));
return template; }
// 创建 OAuth2ProtectedResourceDetails 实例 @Bean OAuth2ProtectedResourceDetails oAuth2Resource() { AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setId(appId); resource.setAuthenticationScheme(AuthenticationScheme.query); resource.setAccessTokenUri(vaultAccessTokenUrl); resource.setUserAuthorizationUri(vaultUserAuthorizationUrl); resource.setUseCurrentUri(false); resource.setPreEstablishedRedirectUri(appRedirectUrl); resource.setClientId(appClientId); resource.setClientSecret(appClientSecret); resource.setClientAuthenticationScheme(AuthenticationScheme.form);
return resource; }
// 创建 ResourceServerTokenServices 实例 @Bean ResourceServerTokenServices oAuth2RemoteTokenServices() { VaultTokenServices tokenServices = new VaultTokenServices();
RestTemplate restOperations = new RestTemplate(); restOperations.setMessageConverters(Arrays.asList(jackson2HttpMessageConverter));
tokenServices.setRestTemplate(restOperations); tokenServices.setClientId(appClientId); tokenServices.setClientSecret(appClientSecret); tokenServices.setCheckTokenEndpointUrl(vaultCheckTokenUrl);
return tokenServices; }
// 创建 OAuth2ClientAuthenticationProcessingFilter 实例 @Bean OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter() { OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter("/vaultLogin");
filter.setRestTemplate(oAuth2RestOperations()); filter.setTokenServices(oAuth2RemoteTokenServices());
return filter; }
} }
RemoteTokenServices
来处理验证,因为授权服务器不使用http-basic进行验证。我已经在问题中更新了日志片段。也许这可以帮助解决问题。 - Yoandy Terradas