All geek questions in one place

Spring OAuth2 "Full authentication required to access this resource"

I am trying to use Spring OAuth2 for my leisure application. But it looks like I made a mistake, and I can find where I did it. The stream should be: 1. get a token from / oauth / token with username and password 2. make a request / security with the token provided

MethodSecurityConfig:

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { @Autowired private SecurityConfiguration securityConfig; @Override protected MethodSecurityExpressionHandler createExpressionHandler() { return new OAuth2MethodSecurityExpressionHandler(); } }

OAuth2ServerConfig:

 @Configuration public class OAuth2ServerConfig { private static final String RESOURCE_ID = "nessnity"; @Configuration @Order(10) protected static class UiResourceConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .requestMatchers().antMatchers("/security") .and() .authorizeRequests() .antMatchers("/security").access("hasRole('USER')"); } } @Configuration @EnableResourceServer protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { http .requestMatchers().antMatchers("/security/") .and() .authorizeRequests() .antMatchers("/security").access("#oauth2.hasScope('read')"); } } @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { @Autowired private TokenStore tokenStore; @Autowired private UserApprovalHandler userApprovalHandler; @Autowired private AuthenticationManager authenticationManager; @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("my-client") .resourceIds(RESOURCE_ID) .authorizedGrantTypes("client_credentials") .authorities("ROLE_CLIENT") .scopes("read") .secret("password") .accessTokenValiditySeconds(60); } @Bean public TokenStore tokenStore() { return new InMemoryTokenStore(); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .tokenStore(tokenStore) .userApprovalHandler(userApprovalHandler) .authenticationManager(authenticationManager); } @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.realm("sparklr2/client"); } } protected static class Stuff { @Autowired private ClientDetailsService clientDetailsService; @Autowired private TokenStore tokenStore; @Bean public ApprovalStore approvalStore() throws Exception { TokenApprovalStore store = new TokenApprovalStore(); store.setTokenStore(tokenStore); return store; } @Bean @Lazy @Scope(proxyMode=ScopedProxyMode.TARGET_CLASS) public SparklrUserApprovalHandler userApprovalHandler() throws Exception { SparklrUserApprovalHandler handler = new SparklrUserApprovalHandler(); handler.setApprovalStore(approvalStore()); handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService)); handler.setClientDetailsService(clientDetailsService); handler.setUseApprovalStore(true); return handler; } } }

SecurityConfiguration:

 @Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("root") .password("password") .roles("USER"); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/oauth/uncache_approvals", "/oauth/cache_approvals"); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().hasRole("USER"); } }

Problem: when I tried to get a token

 curl --user root:password --data "grant_type=client_credentials" http://localhost:8080/oauth/token

I got a message:

{"error": "invalid_client", "error_description": "Bad client Credentials"}

Second question: how to pass username / password in url parameters, for example / oauth / token? username = root & password = password?

Thanks.

UPDATE

I decided to start from scratch and use the xml configuration.

The following configuration works perfectly:

 <?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager" xmlns="http://www.springframework.org/schema/security"> <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/> <anonymous enabled="false"/> <http-basic entry-point-ref="clientAuthenticationEntryPoint"/> <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/> <access-denied-handler ref="oauthAccessDeniedHandler"/> </http> <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> <property name="authenticationManager" ref="authenticationManager"/> </bean> <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security"> <authentication-provider user-service-ref="clientDetailsUserService"/> </authentication-manager> <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> <constructor-arg ref="clientDetails"/> </bean> <bean id="clientDetails" class="com.nessnity.api.security.OAuthClienDetailsService"> <property name="id" value="testuser"/> <property name="secretKey" value="secret" /> </bean> <bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> <property name="realmName" value="springsec/client"/> <property name="typeName" value="Basic"/> </bean> <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/> <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"> <oauth:authorization-code/> <oauth:implicit/> <oauth:refresh-token/> <oauth:client-credentials/> <oauth:password authentication-manager-ref="userAuthenticationManager"/> </oauth:authorization-server> <authentication-manager id="userAuthenticationManager" xmlns="http://www.springframework.org/schema/security"> <authentication-provider ref="customUserAuthenticationProvider"> </authentication-provider> </authentication-manager> <bean id="customUserAuthenticationProvider" class="com.nessnity.api.security.OAuthUserAuthenticationProvider"> </bean> <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> <property name="tokenStore" ref="tokenStore"/> <property name="supportRefreshToken" value="true"/> <property name="accessTokenValiditySeconds" value="900000000"/> <property name="clientDetailsService" ref="clientDetails"/> </bean> <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/> <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> </bean> <http pattern="/resources/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security"> <anonymous enabled="false"/> <intercept-url pattern="/resources/**" method="GET"/> <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/> <access-denied-handler ref="oauthAccessDeniedHandler"/> </http> <oauth:resource-server id="resourceServerFilter" resource-id="springsec" token-services-ref="tokenServices"/> </beans>
+6
source share
2 answers

I came across a similar one for me, it worked after making the following change

In your AuthorizationServerConfiguration class, replace

  @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.realm("sparklr2/client"); }

with the code below

  @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { //oauthServer.realm("sparklr2/client"); oauthServer.allowFormAuthenticationForClients(); }

and the request should like

/ OAuth / token grant_type = password &? Scope = Read + Write & client_id = yourclientId & client_secret = secret & username = username & password = PWD

+6
source

In the access token request, you use the client credential type. The OAuth specification indicates that in the case of the client_credentials provisioning type, you need to provide base64 encoded client_id:client_secret as the base authorization header. For example, if your client_id is google and client_secret x23r-ss56-rfg8-6yt6 , then you need to add this line as google:x23r-ss56-rfg8-6yt6 , encode it using Base64 encoder and make the request as

 curl --header "Authorization: Basic <base64 encoded_string>" --data "grant_type=client_credentials" http://localhost:8080/oauth/token
0
source

Source: https://habr.com/ru/post/970071/

More articles:


All Articles