
我使用 Spring 4.2.1.RELEASE、Spring Security 4.0.2.RELEASE 和 Spring Security OAuth 2.0.7.RELEASE 来构建带有 RESTful API 的 Web 应用程序。使用 Spring Security OAuth 2.0 无法获得 access_token（404）

此前,我的登录功能并非100%RESTful,因为我使用Cookie进行身份验证。

现在我需要通过OAuth端点转向使用令牌认证的纯RESTful。

我参考了很多教程，特别是这一个：https://www.youtube.com/watch?v=LnJsspvxE1c

当我尝试获取访问令牌时，我在 Postman 中发送以下请求。

HTTP GET
http://localhost:8080/oauth/token?grant_type=password&client_id=trusted-client&username=name&password=pass

但我总是得到一个404未找到。

我找不到我错在哪里。

下面是我的 Spring Security 配置文件。

```

<beans:beans xmlns="http://www.springframework.org/schema/security" 
     xmlns:beans="http://www.springframework.org/schema/beans" 
     xmlns:oauth="http://www.springframework.org/schema/security/oauth2" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security-4.0.xsd 
      http://www.springframework.org/schema/security/oauth2 
      http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd 
      http://www.springframework.org/schema/context 
      http://www.springframework.org/schema/context/spring-context-3.1.xsd"> 

<!-- Spring Security + Spring Security OAuth2 application context:
     - a token-endpoint filter chain on /oauth/token authenticated by the OAuth *client*,
     - a resource-server filter chain on /api/** that validates bearer tokens,
     - two authentication managers (clientAuthenticationManager for clients, the
       aliased authenticationManager for end users),
     - an in-memory token store, the authorization server and one registered client.
     The default namespace is the security schema; unprefixed elements are security elements
     unless a bean re-declares xmlns (see accessDecisionManager below).
     NOTE(review): xsi:schemaLocation maps the context namespace but no xmlns:context prefix is
     declared; harmless until context elements are added.
     NOTE(review): spring-security-oauth2-1.0.xsd is referenced while the page states
     Spring Security OAuth 2.0.7 is used; spring-security-oauth2-2.0.xsd is the schema that
     matches the 2.0 line - confirm which one the build actually resolves. -->

<!-- Definition of the Authentication Service --> 
<!-- Token endpoint chain. The isAuthenticated() requirement on /oauth/token is satisfied by
     *client* authentication, not by the end user: either HTTP Basic (entry point
     clientAuthenticationEntryPoint) or client_id/client_secret request parameters consumed by
     clientCredentialsTokenEndpointFilter, both backed by clientAuthenticationManager.
     Replacing isAuthenticated() with permitAll() removes client authentication from the token
     endpoint entirely; the conservative fix is to send the client credentials with the request.
     NOTE(review): an access failure in this chain presumably surfaces as 401/403 via the entry
     point or oauthAccessDeniedHandler, not as 404 - a 404 points elsewhere (see the
     authorization-server note below). -->
<http pattern="/oauth/token" 
     create-session="stateless" 
     authentication-manager-ref="clientAuthenticationManager" 
     xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/token" 
        access="isAuthenticated()"/> 
    <anonymous enabled="false"/> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/> 

    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/> 

    <access-denied-handler ref="oauthAccessDeniedHandler"/> 
</http> 



<!-- Protected resources --> 
<!-- Resource server chain for /api/**: bearer tokens are checked by resourceServerFilter
     (the oauth:resource-server bean below), no session is created, anonymous access is off,
     and access decisions go through the custom accessDecisionManager.
     NOTE(review): with use-expressions="true" the access attribute is evaluated as SpEL;
     a bare ROLE_USER is not an expression, hasRole('ROLE_USER') is - confirm this intercept-url
     evaluates as intended.
     NOTE(review): auto-config="true" also registers form-login and logout handling on what is
     otherwise a token-only API; presumably unnecessary surface here - confirm. -->
<http auto-config="true" 
     use-expressions="true" 
     pattern="/api/**" 
     create-session="never" 
     entry-point-ref="oauthAuthenticationEntryPoint" 
     access-decision-manager-ref="accessDecisionManager" 
     xmlns="http://www.springframework.org/schema/security"> 
    <anonymous enabled="false"/> 
    <intercept-url pattern="/api/**" access="ROLE_USER" /> 
    <custom-filter ref="resourceServerFilter" 
        before="PRE_AUTH_FILTER"/> 
    <access-denied-handler 
      ref="oauthAccessDeniedHandler"/> 
</http> 

<!-- Entry point for the resource server: unauthenticated /api/** requests get an OAuth2
     challenge for realm "auth". -->
<beans:bean id="oauthAuthenticationEntryPoint" 
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <beans:property name="realmName" value="auth"/> 
</beans:bean> 

<!-- Entry point for the token endpoint: challenges the client with HTTP Basic, realm "auth/client". -->
<beans:bean id="clientAuthenticationEntryPoint" 
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <beans:property name="realmName" value="auth/client"/> 
    <beans:property name="typeName" value="Basic"/> 
</beans:bean> 

<!-- Shared access-denied handler for both chains above. -->
<beans:bean 
    id="oauthAccessDeniedHandler" 
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/> 

<!-- Authenticates the client from client_id/client_secret request parameters on /oauth/token,
     as an alternative to HTTP Basic; runs after BASIC_AUTH_FILTER in the token chain. -->
<beans:bean id="clientCredentialsTokenEndpointFilter" 
     class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> 
    <beans:property name="authenticationManager" 
        ref="clientAuthenticationManager"/> 
</beans:bean> 

<!-- Unanimous decision manager for /api/**: every voter that does not abstain must grant.
     The local xmlns switch makes constructor-arg/list/bean beans-namespace elements. -->
<beans:bean id="accessDecisionManager" 
      class="org.springframework.security.access.vote.UnanimousBased" 
      xmlns="http://www.springframework.org/schema/beans"> 
    <constructor-arg> 
     <list> 
      <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/> 
      <bean class="org.springframework.security.access.vote.RoleVoter"/> 
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/> 
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> 
     </list> 
    </constructor-arg> 
</beans:bean> 

<!-- Authentication in config file --> 
<!-- Client authentication: client ids/secrets are looked up through clientDetailsUserService,
     which adapts the clientDetails service below to a UserDetailsService. -->
<authentication-manager id="clientAuthenticationManager" 
         xmlns="http://www.springframework.org/schema/security"> 
    <authentication-provider user-service-ref="clientDetailsUserService"/> 
</authentication-manager> 

<!-- Encoder for end-user passwords (used by the authenticationManager below).
     Md5PasswordEncoder is deprecated and fast, and no salt-source is configured on the
     provider, so stored hashes are unsalted MD5. New deployments should use an adaptive
     encoder such as org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder, which
     requires re-hashing the stored passwords. -->
<beans:bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"> 
</beans:bean> 

<!-- End-user authentication (password grant credentials): customUserService is defined
     elsewhere; this manager is the one the authorization server uses for resource owners. -->
<authentication-manager alias="authenticationManager"> 
    <authentication-provider user-service-ref="customUserService"> 
     <password-encoder ref="passwordEncoder" />   
    </authentication-provider> 
</authentication-manager> 

<!-- Adapts clientDetails to a UserDetailsService so the client manager above can use it. -->
<beans:bean id="clientDetailsUserService" 
     class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> 
    <beans:constructor-arg ref="clientDetails"/> 
</beans:bean> 

<!-- Token Store --> 
<!-- In-memory store: tokens do not survive a restart and are not shared across instances. -->
<beans:bean id="tokenStore" 
     class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/> 

<!-- Token services. accessTokenValiditySeconds="10" is the default lifetime; the client
     below declares access-token-validity="30".
     NOTE(review): DefaultTokenServices presumably prefers the per-client value when one is
     set - confirm which lifetime is actually applied before relying on the 10 s value. -->
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> 
    <beans:property name="tokenStore" ref="tokenStore"/> 
    <beans:property name="supportRefreshToken" value="true"/> 
    <beans:property name="clientDetailsService" ref="clientDetails"/> 
    <beans:property name="accessTokenValiditySeconds" value="10"/> 
</beans:bean> 

<!-- Builds OAuth2Request objects from incoming parameters, validated against clientDetails. -->
<beans:bean id="oAuth2RequestFactory" 
    class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory"> 
    <beans:constructor-arg ref="clientDetails" /> 
</beans:bean> 

<!-- User approval for the authorization_code/implicit flows, remembered via the token store. -->
<beans:bean id="userApprovalHandler" 
     class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler"> 
    <beans:property name="tokenStore" ref="tokenStore"/> 
    <beans:property name="requestFactory" ref="oAuth2RequestFactory" /> 
    <beans:property name="clientDetailsService" ref="clientDetails"/> 
</beans:bean> 

<!-- Token management --> 
<!-- Authorization server with all five grant types enabled. The password grant authenticates
     resource owners through the authenticationManager alias above.
     NOTE(review): the token endpoint is a Spring MVC framework endpoint; if this context is
     not the DispatcherServlet's (or is not imported by it), /oauth/token is never mapped and
     the servlet answers 404 - confirm where this file is loaded. -->
<oauth:authorization-server client-details-service-ref="clientDetails" 
          token-services-ref="tokenServices" 
          user-approval-handler-ref="userApprovalHandler" 
          token-endpoint-url="/oauth/token"> 
    <oauth:authorization-code/> 
    <oauth:implicit/> 
    <oauth:refresh-token/> 
    <oauth:client-credentials/> 
    <oauth:password/> 
</oauth:authorization-server> 

<!-- Bearer-token filter for the /api/** chain; resource-id must be among the token's
     resource ids for the token to be accepted. -->
<oauth:resource-server id="resourceServerFilter" 
        resource-id="auth" 
        token-services-ref="tokenServices"/> 

<!-- Client Definition --> 
<!-- Single registered client.
     NOTE(review): no secret attribute is set; client authentication on /oauth/token
     presumably then succeeds with client_id alone, so anyone who knows the id can act as this
     client - confirm this is intended, especially with authorization_code and implicit enabled.
     NOTE(review): "redirect" is not a grant type defined by RFC 6749 and presumably has no
     token granter in this library - confirm it is intentional.
     NOTE(review): redirect-uri is relative; an absolute, exact-match URI is the usual form for
     the authorization_code/implicit flows - confirm. -->
<oauth:client-details-service id="clientDetails"> 

    <oauth:client client-id="trusted-client" 
        authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect" 
        authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" 
        redirect-uri="/secure/index" 
        scope="read,write,trust" 
        access-token-validity="30" 
        refresh-token-validity="600"/> 

</oauth:client-details-service> 

<!-- Method security with the OAuth2 expression handler, which adds the #oauth2 root object
     (e.g. #oauth2.hasScope('read')) to @PreAuthorize expressions. -->
<global-method-security pre-post-annotations="enabled" 
         secured-annotations="enabled" 
         proxy-target-class="true" order="1" > 
    <expression-handler ref="oauthExpressionHandler"/> 
</global-method-security> 

<oauth:expression-handler id="oauthExpressionHandler"/> 
<!-- NOTE(review): oauthWebExpressionHandler is declared but not referenced by either http
     chain above; wire it via expression-handler on the /api/** chain or drop it. -->
<oauth:web-expression-handler id="oauthWebExpressionHandler"/> 
<!-- NOTE(review): the closing tag of the root beans:beans element is missing from this
     listing, so the document is not well-formed as shown. -->

回答


password 授权类型需要对 /oauth/token 发起 POST 请求，而不是 GET。所以应该是：

curl -X POST -d 'grant_type=password&client_id=trusted-client&username=name&password=pass' 'http://localhost:8080/oauth/token' 

此外，您的 oauth/token 端点只允许 isAuthenticated 的用户访问：

<intercept-url pattern="/oauth/token" access="isAuthenticated()"/> 

但据我理解，您是以匿名用户的身份发起调用的。


好吧，我会尝试 POST。要允许匿名用户访问，我应该用什么来代替 isAuthenticated()？ – singe3


尝试'permitAll()' – nKognito
