Java Spring-Security-Oauth2:访问此资源需要完全身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26881296/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring-Security-Oauth2: Full authentication is required to access this resource
提问by Harmeet Singh Taara
I am trying to use spring-security-oauth2.0with Java based configuration. My configuration is done, but when i deploy application on tomcat and hit the /oauth/tokenurl for access token, Oauthgenerate the follwoing error:
我正在尝试使用spring-security-oauth2.0基于 Java 的配置。我的配置已经完成,但是当我在 tomcat 上部署应用程序并点击/oauth/token访问令牌的url 时,Oauth生成以下错误:
<oauth>
<error_description>Full authentication is required to access this resource</error_description>
<error>unauthorized</error>
</oauth>
My configuration is on Git hub, please click on link
我的配置在Git hub 上,请点击链接
The code is large, so refer to git. I am using chrome postman client for send request. follwing is my request.
代码比较大,参考git。我正在使用 chrome postman 客户端发送请求。以下是我的要求。
POST /dummy-project-web/oauth/token HTTP/1.1
Host: localhost:8081
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=abc%40gmail.com&client_secret=12345678
The error is just like, the URL is secure by Oauth, but in configuration, i give the all permission for access this URL. What actual this problem is?
错误就像,URL 是安全的Oauth,但在配置中,我授予访问此 URL 的所有权限。这个问题究竟是什么?
回答by GaryF
The client_idand client_secret, by default, should go in the Authorization header, not the form-urlencoded body.
该client_id和client_secret,默认情况下,应该在Authorization头,而不是窗体-urlencoded体。
- Concatenate your
client_idandclient_secret, with a colon between them:[email protected]:12345678. - Base 64 encode the result:
YWJjQGdtYWlsLmNvbToxMjM0NTY3OA== - Set the Authorization header:
Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
- 连接您的
client_id和client_secret,它们之间有一个冒号:[email protected]:12345678。 - Base 64 编码结果:
YWJjQGdtYWlsLmNvbToxMjM0NTY3OA== - 设置授权标头:
Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==
回答by Marco Lenzo
The reason is that by default the /oauth/tokenendpoint is protected through Basic Access Authentication.
原因是默认情况下/oauth/token端点是通过基本访问身份验证来保护的。
All you need to do is add the Authorizationheader to your request.
您需要做的就是将Authorization标头添加到您的请求中。
You can easily test it with a tool like curlby issuing the following command:
您可以curl通过发出以下命令,使用类似工具轻松测试它:
curl.exe --user [email protected]:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials
curl.exe --user [email protected]:12345678 http://localhost:8081/dummy-project-web/oauth/token?grant_type=client_credentials
回答by Stackee007
With Spring OAuth 2.0.7-RELEASE the following command works for me
使用 Spring OAuth 2.0.7-RELEASE,以下命令对我有用
curl -v -u [email protected]:12345678 -d "grant_type=client_credentials" http://localhost:9999/uaa/oauth/token
It works with Chrome POSTMAN too, just make sure you client and secret in "Basic Auth" tab, set method to "POST" and add grant type in "form data" tab.
它也适用于 Chrome POSTMAN,只需确保您在“基本身份验证”选项卡中设置客户端和密码,将方法设置为“POST”并在“表单数据”选项卡中添加授权类型。
回答by maniekq
By default Spring OAuth requires basic HTTP authentication. If you want to switch it off with Java based configuration, you have to allow form authentication for clients like this:
默认情况下,Spring OAuth 需要基本的 HTTP 身份验证。如果要使用基于 Java 的配置将其关闭,则必须允许对客户端进行表单身份验证,如下所示:
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients();
}
}
回答by Ravi Vyas
setting management.security.enabled=falsein application.propertiesresolved the issue for me.
设置management.security.enabled=false在application.properties解决了这个问题对我来说。
回答by compiler123
You should pre authenticate the token apis "/oauth/token"
您应该预先验证令牌 API "/oauth/token"
extend ResourceServerConfigurerAdapterand override configure functionto do this.
扩展ResourceServerConfigurerAdapter和覆盖configure function来做到这一点。
eg:
例如:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/oauth/token").permitAll().
anyRequest().authenticated();
回答by Hiago Balbino
I had the same problem, but I solve this with the following class:
我遇到了同样的问题,但我用以下课程解决了这个问题:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
