Spring oauth2。重定向到oauth /授权AuthorizationEndpoint不会发生
我正在实施某种SSO系统。我在我的应用程序中使用了Spring安全性oauth 2。我有一个客户端应用程序(localhost:8081)和一个服务器应用程序(localhost:8080)。Spring oauth2。重定向到oauth /授权AuthorizationEndpoint不会发生
用户尝试从客户端应用做一个登录。客户端应用程序依次启动身份验证流程。它发送到服务器应用程序 AUTH请求http://localhost:8080/authorize?response_type=code&client_id=client&scope=openid+email+address+profile+phone&redirect_uri=localhost:8081/login&nonce=3fc29332c5377&state=18960fbd838be
有一个重定向到登录页面,并输入凭据并提交表单认证成功上服务器后。
之后,我期待继续流动授权,去到OAuth /在irder授权终点org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint 生成授权码,并发送回客户端应用。 但它没有。
请帮我澄清一下为什么?为什么在成功认证后流程不会进入oauth /授权终点。
这是我登录andpoint配置:
<security:http pattern="/mylogin"
create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint">
<security:intercept-url pattern="/mylogin" access="permitAll"/>
<security:csrf disabled="true"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="customAuthenticationFilter"/>
<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
<security:logout logout-url="/logout" />
<security:anonymous />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:headers>
<security:frame-options policy="DENY" />
</security:headers>
</security:http>
这是我的自定义身份验证过滤器:
public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private static Logger logger = LoggerFactory.getLogger(CustomAuthenticationFilter.class);
public CustomAuthenticationFilter() {
super("/mylogin");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (!HttpMethod.POST.name().equals(request.getMethod())) {
if(logger.isDebugEnabled()) {
logger.debug("Authentication method not supported. Request method: " + request.getMethod());
}
throw new AuthenticationServiceException("Authentication method not supported");
}
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
if (StringUtils.isBlank(username) || StringUtils.isBlank(password)) {
throw new AuthenticationServiceException("Username or Password not provided");
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
setDetails(request, authRequest);
Authentication auth = this.getAuthenticationManager().authenticate(authRequest);
return auth;
}
protected void setDetails(HttpServletRequest request,
UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
}
没有我的授权服务器的配置:
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit />
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:password/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
我找到了原因。
create-session =“无状态”是认证尚未保存在安全上下文中的原因。
这就是为什么在处理授权请求(成功验证后)的阶段,FilterSecurityInterceptor中存在Access Denied异常。