无法使用 curl 通过 tut-spring-security-and-angular-js “pairs-oauth2” 示例调用资源
Posted
技术标签:
【中文标题】无法使用 curl 通过 tut-spring-security-and-angular-js “pairs-oauth2” 示例调用资源【英文标题】:Cannot use curl to call resource with tut-spring-security-and-angular-js "pairs-oauth2" example 【发布时间】:2016-08-22 07:03:45 【问题描述】:我遵循Spring Security and Angular JS - A Secure Single Page Application 教程并从 GITHUB 下载了它的源代码。我正在尝试使用“client_credentials”grant_type 模拟远程应用程序访问“resource”api。
我可以通过发出这个命令来获得令牌:
curl "http://acme:acmesecret@192.168.1.12:9999/uaa/oauth/token" -d grant_type=client_credentials -d client_id=acme
这给了我以下标记:
"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w","token_type":"bearer","expires_in":42813,"scope":"read write openid","jti":"bdf5a807-1db9-4266-b1d1-332cfed44484"
但是,当我尝试使用令牌访问 API 时
curl -v -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsiZGF0YS1jb25zdW1lci1zZXJ2aWNlIl0sInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsIm9wZW5pZCJdLCJleHAiOjE0NjE4MjUwMTIsImp0aSI6ImJkZjVhODA3LTFkYjktNDI2Ni1iMWQxLTMzMmNmZWQ0NDQ4NCIsImNsaWVudF9pZCI6ImFjbWUifQ.lcKodEkwuG6JXhakgk_W4Mat0chiXePcreFZ-WmX0RAAYhPexqxJSX-OHmgOPYLh9sdRqCFbvuZFxQL-xn34Q1N9fj3ppAzDNnXa-GNq7x83pnkcbEVwtXWyEjfSSjo1ui0Ui0N-gQ5XeecXG_JXyV9ZfjopRtyz0ReimietJMU6qgUfH59b9GC6LnAciL4wOzlzPPY2p_ZR0x8XuruBWluE5IZwe3jDxtcz_UGhvjwrdjczaYTONMTRul-pKZtieG18e4CLjiu0-z_EboVmW7JaQMOJKzDf_Ew2PkomMJwPaIk4CtJIm7U8JtwqO8j--n9GEfcb5pM07-wmHjqE7w" http://192.168.1.12/8080/resource/resources
我收到 302 响应并被重定向到登录页面。以下是身份验证服务器的输出:
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/css/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/css/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/js/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/js/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/images/**']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/images/**'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/**/favicon.ico']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/**/favicon.ico'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/error']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/error'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/login']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/login'
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/authorize']
2016-04-27 12:38:52.563 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/authorize'; against '/oauth/authorize'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.web.util.matcher.OrRequestMatcher : matched
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@53614cb0
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/authorize' doesn't match 'POST /logout
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/authorize' doesn't match 'POST /login
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.session.SessionManagementFilter : Requested session ID CCFF7CFAC451E5D4E219B975C94780EF is invalid.
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.security.web.FilterChainProxy : /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/authorize?client_id=acme&redirect_uri=http://192.168.1.12:8080/login&response_type=code&state=g9DTvR; Attributes: [authenticated]
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-04-27 12:38:52.564 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6276271, returned: -1
2016-04-27 12:38:52.565 DEBUG 2691 --- [nio-9999-exec-9] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
我确实更改了 OAuth2AuthorizationConfig 以添加“client_credentials”授权类型
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
clients.inMemory()
.withClient("acme")
.secret("acmesecret")
.scopes("read","write")
.authorizedGrantTypes("authorization_code", "refresh_token","password","client_credentials")
.scopes("openid");
但我一定错过了其他东西。非常感谢任何帮助!
【问题讨论】:
【参考方案1】:我找到了解决方案。当您向具有“@EnableOAuth2Sso”的类添加资源服务器时,您可以使用 access_token 访问资源。例如:
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration
extends ResourceServerConfigurerAdapter
@Override
public void configure(HttpSecurity http) throws Exception
// @formatter:off
http
.antMatcher("/user")
.authorizeRequests().anyRequest().authenticated()
.and()
.antMatcher("/data")
.authorizeRequests().anyRequest().authenticated();
// @formatter:on
【讨论】:
以上是关于无法使用 curl 通过 tut-spring-security-and-angular-js “pairs-oauth2” 示例调用资源的主要内容,如果未能解决你的问题,请参考以下文章
无法在 ubuntu 20.04 上通过 apt 安装 curl
解决Windows平台通过cURL上传APP到蒲公英pgyer平台时无法使用中文升级描述的问题