2015-10-19 156 views
0

Decoupling the authorization server and the resource server with RemoteTokenServices

I am trying to use Spring Security and Spring OAuth2 in my project, with my authorization server and resource server separated. I do not want to share a token store between the two servers, so I decided to use RemoteTokenServices and the check_token endpoint. The problem is that when I query the resource server with an access token I get a "401 Unauthorized" error, as shown below:

2015-10-19 11:50:10.291 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.client.RestTemplate : “http://localhost:9080/uaa/oauth/check_token/”的POST请求导致401(未授权);调用错误处理程序
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder现在被清除,因为请求处理已完成
2015-10-19 11:50:10.293 DEBUG 2590 --- [nio-8080-exec-1] o.s.web.filter.RequestContextFilter : 清除线程绑定的请求上下文:[email protected]
2015-10-19 11:50:10.297 ERROR 2590 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[jerseyServlet] : servlet [jerseyServlet]在路径[]中的上下文引发异常

org.springframework.web.client.HttpClientErrorException: 401未授权
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)

Code for the authorization server:

import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;

    // Tokens and authorization codes are persisted in the database;
    // the resource server never reads this store, it calls /oauth/check_token instead.
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    @Bean
    public DefaultAccessTokenConverter defaultAccessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(this.tokenStore())
                .authenticationManager(authenticationManager)
                .accessTokenConverter(defaultAccessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // /oauth/token_key is open; /oauth/check_token requires an authenticated client
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // OAuth clients (id, secret, grant types, scopes) are read from the database
        clients.jdbc(dataSource);
    }
}

And the security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // End users are authenticated against the database (in-memory users kept for reference)
        auth.jdbcAuthentication();
        //      .withUser("John").roles("ADMIN").password("password")
        //      .and()
        //      .withUser("Mary").roles("BASIC").password("password");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Everything not handled by the OAuth endpoints requires HTTP Basic user login
        http.authorizeRequests().antMatchers("/**").authenticated()
                .and().httpBasic().realmName("OAuth Server");
        http.csrf().disable();
    }
}

The resource server is set up as follows:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
public class ResourceConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "xn-resource-id";

    // Declared but not referenced below; the default extractor is the bearer one anyway
    private TokenExtractor tokenExtractor = new BearerTokenExtractor();

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().anyRequest().authenticated();
    }

    @Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    // Validates incoming bearer tokens by POSTing them to the authorization server's
    // check_token endpoint, authenticating with the configured client id and secret.
    @Bean
    public RemoteTokenServices remoteTokenServices(final @Value("${auth.server.url}") String checkTokenUrl,
            final @Value("${auth.server.client_id}") String clientId,
            final @Value("${auth.server.client_secret}") String clientSecret) {
        final RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
        remoteTokenServices.setClientId(clientId);
        remoteTokenServices.setClientSecret(clientSecret);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }
}

I tested the security setup with curl, using the client_credentials grant type.

Can someone help me figure out what is wrong with the code above?

+0

Is this what you get at the bottom (note that the URL ends with /)? – christopher

Answer

0

It looks like you are using an incorrect URL. Try replacing it with:

http://localhost:9080/uaa/oauth/check_token 
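One way to pin the resource server's introspection wiring down offline, added here as an example and not code from the question or the answer: Spring's MockRestServiceServer stands in for the authorization server and fails the test if RemoteTokenServices posts to any URL other than the exact check_token path (a trailing slash included) or omits the HTTP Basic client credentials that checkTokenAccess("isAuthenticated()") demands. The client id, secret, token value and the JSON introspection response are constructed sample values.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.header;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.method;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.requestTo;
import static org.springframework.test.web.client.response.MockRestResponseCreators.withSuccess;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.test.web.client.MockRestServiceServer;
import org.springframework.web.client.RestTemplate;

public class RemoteTokenServicesWiringTest {

    // Constructed sample values; in the real app they come from the auth.server.* properties
    private static final String CHECK_TOKEN_URL = "http://localhost:9080/uaa/oauth/check_token";
    private static final String CLIENT_ID = "resource-client";
    private static final String CLIENT_SECRET = "resource-secret";

    @Test
    public void postsToExactUrlWithClientCredentials() {
        RestTemplate restTemplate = new RestTemplate();
        MockRestServiceServer authServer = MockRestServiceServer.createServer(restTemplate);
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));

        // Exact-URL match: a request to .../check_token/ is rejected by the mock server
        authServer.expect(requestTo(CHECK_TOKEN_URL))
                .andExpect(method(HttpMethod.POST))
                .andExpect(header("Authorization", "Basic " + basic))
                .andRespond(withSuccess(
                        "{\"active\":true,\"client_id\":\"curl-client\",\"user_name\":\"john\",\"scope\":[\"read\"]}",
                        MediaType.APPLICATION_JSON));

        RemoteTokenServices services = new RemoteTokenServices();
        services.setRestTemplate(restTemplate); // same wiring as the @Bean, minus the network
        services.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
        services.setClientId(CLIENT_ID);
        services.setClientSecret(CLIENT_SECRET);

        // Introspection response is turned into the Authentication the resource server would use
        OAuth2Authentication auth = services.loadAuthentication("sample-access-token");
        assertEquals("john", auth.getName());
        assertTrue(auth.getOAuth2Request().getScope().contains("read"));
        authServer.verify();
    }
}
```

Point CHECK_TOKEN_URL at the value of auth.server.url to catch a trailing slash in the actual configuration rather than in a literal.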
