Spring security 自定义身份验证提供程序总是导致错误的客户端凭据

Posted

技术标签:

【中文标题】Spring security 自定义身份验证提供程序总是导致错误的客户端凭据【英文标题】:Spring security custom authentication provider always resulted in bad client credentials 【发布时间】:2016-11-28 15:46:24 【问题描述】:

我正在 Spring Security 中实现一个自定义身份验证提供程序,用于对用户进行身份验证。身份验证服务器在远程端(Restful 服务)。每次我调用我的服务时都会遇到此错误(此代码到达

return new UsernamePasswordAuthenticationToken(userDetails, authentication.getCredentials().toString(), grantedAuthorities); 部分)

"error":"invalid_client","error_description":"Bad client credentials"

这是我的代码:

CustomAuthenticationProvider

public class CustomAuthenticationProvider implements AuthenticationProvider 


@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException 

    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(HttpClients.createDefault());
    RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(60 * 1000)
            .setSocketTimeout(60 * 1000).build();
    PoolingHttpClientConnectionManager poolingHttpClientConnectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
    poolingHttpClientConnectionManager.setMaxTotal(20);
    poolingHttpClientConnectionManager.setDefaultMaxPerRoute(20);
    CloseableHttpClient httpClientBuilder = HttpClientBuilder.create()
            .setConnectionManager(poolingHttpClientConnectionManager).setDefaultRequestConfig(requestConfig)
            .build();
    requestFactory.setHttpClient(httpClientBuilder);
    RestTemplate restTemplate = new RestTemplate(requestFactory);

    UserInfoRequestBean userInfoRequestBean = new UserInfoRequestBean();

    String username = (String)authentication.getPrincipal();
    userInfoRequestBean.setUsername(username);
    userInfoRequestBean.setPassword((String)authentication.getCredentials());

    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_JSON);

    HttpEntity<?> httpEntity = new HttpEntity<UserInfoRequestBean>(userInfoRequestBean, headers);

    try                                
        ResponseBean<LoginResponseBean> responseBody = restTemplate.exchange(getLoginUrl(), HttpMethod.POST, httpEntity, new ParameterizedTypeReference<ResponseBean<LoginResponseBean>>() ).getBody();
        UserDetails userDetails = new UserDetails();
        userDetails.setGender(responseBody.getResult().getGender());
        userDetails.setLastLoginDate(new Date());
        userDetails.setYaghutSessionId(responseBody.getResult().getSessionId());
        userDetails.setName(responseBody.getResult().getName());
        userDetails.setUsername(username);

        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        // Granting authorization roles to user
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new UsernamePasswordAuthenticationToken(userDetails, authentication.getCredentials().toString(), grantedAuthorities);

    catch (RestClientException exp) 
        exp.printStackTrace();
        //TODO: implement this method
    

    return null;


@Override
public boolean supports(Class<?> authentication) 
    // TODO Auto-generated method stub
    return true;


private String getLoginUrl()
    //return restful service url



弹簧安全配置

<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />


<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="customAuthenticationManager" />
</bean>

<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="test/client" />
    <property name="typeName" value="Basic" />
</bean>


<bean id="customProvider"
    class="com.adpdigital.idm.security.provider.CustomAuthenticationProvider" />

<authentication-manager id="customAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <authentication-provider ref="customProvider" />
</authentication-manager> 

<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="customAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

【问题讨论】:

【参考方案1】:

在返回 UsernamePasswordAuthenticationToken 时,只需传递用户名,而不是传递 UserDetails。以下是示例 -

return new UsernamePasswordAuthenticationToken(username, authentication.getCredentials().toString(), grantedAuthorities);

【讨论】:

以上是关于Spring security 自定义身份验证提供程序总是导致错误的客户端凭据的主要内容,如果未能解决你的问题,请参考以下文章

使用 Spring Security 配置自定义 LDAP 身份验证提供程序

使用事务包装 Spring Security 自定义身份验证提供程序

Spring security 自定义身份验证提供程序总是导致错误的客户端凭据

具有 Spring Security 和 Java Config 的自定义身份验证提供程序

Spring Security 和 Keycloak 因自定义身份验证提供程序而失败

甚至没有调用自定义 Spring Security 身份验证提供程序?