Grails spring security oauth2 提供者对具有正确承载令牌的资源的请求重定向到登录

Posted

技术标签:

【中文标题】Grails spring security oauth2 提供者对具有正确承载令牌的资源的请求重定向到登录【英文标题】:Grails spring security oauth2 provider request for resource with correct bearer token redirects to login 【发布时间】:2016-03-18 00:19:38 【问题描述】:

正如标题所暗示的,我有一个受 oAuth2 插件保护的控制器方法,但是当我向它发送一个包含正确授权的请求时:Bearer (使用 Postman),我得到的响应是 html登录页面。

有问题的方法:

@Secured(["ROLE_USER", "#oauth2.clientHasAnyRole('ROLE_CLIENT', 'ROLE_TRUSTED_CLIENT')"])
    def getUserData()
        response.setContentType("application/json")
        User u = springSecurityService.currentUser
        println u
        render u.mseUserInfo
    

Config.groovy:

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.auth.loginFormUrl = '/mse/login'

grails.plugin.springsecurity.userLookup.userDomainClassName = 'cz.improvisio.MSEauthProvider.user.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'cz.improvisio.MSEauthProvider.user.UserRole'
grails.plugin.springsecurity.authority.className = 'cz.improvisio.MSEauthProvider.user.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/oauth/authorize.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/oauth/token.dispatch':[
        "ROLE_USER",
        "isFullyAuthenticated()"
    ],
    '/mse/login':["permitAll"],
    '/mse/':["permitAll"],
    '/**':["permitAll"]]



// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'cz.improvisio.MSEauthProvider.user.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'cz.improvisio.MSEauthProvider.user.AuthCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'cz.improvisio.MSEauthProvider.user.RefreshToken'

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

这是从 Bootstrap.groovy 创建的客户端:

new Client(
                clientId: 'testClient',
                authorizedGrantTypes: [
                    'authorization_code',
                    'refresh_token',
                    'implicit',
                    'password',
                    'client_credentials'
                ],
                authorities: ['ROLE_CLIENT'],
                scopes: ['read', 'write'],
                redirectUris: ['http://test.com']).save(flush: true)

还有一个稍微相关的问题:我找不到一种方法来让访问令牌应该链接到其资源的用户,所以我假设 Id 能够通过 springSecurityService 获取它。这是这样做的正确方法吗?还是我需要将 userId 传递给方法(OpenAM 会这样做吗?)?

【问题讨论】:

您可以发布您用于验证的客户可用的角色吗? @ShashankAgrawal 从创建客户端的 Bootstrap 添加了一些代码 【参考方案1】:

原来我没有为我的操作设置正确的过滤器链。将配置更改为

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
'/myController/getUserData': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter'
]

修复它。

【讨论】:

让我感到困惑的是“securedOAuth2Resources”,我以为这是春天的东西之一,而不是我的。 @Вадим 实际上“securedOAuth2Resources”是他们在文档中显示的一个类(控制器),您可以在此处查看:bluesliverx.github.io/grails-spring-security-oauth2-provider/v3/…

以上是关于Grails spring security oauth2 提供者对具有正确承载令牌的资源的请求重定向到登录的主要内容,如果未能解决你的问题,请参考以下文章

grails-spring-security-rest 插件和悲观锁定

Grails + spring-security-core:用户登录后如何分配角色?

Grails Spring Security注释问题

Grails Spring Security 插件网址

Grails spring-security-oauth-google:如何设置

Grails/Spring Security:无法使用新创建的用户登录