I am new to OAuth2, and when I try to obtain an access token through the password grant flow I get a 401 Unauthorized. My UserDetailsService is implemented with a MySQL database backend, but my loadUserByUsername method is never hit before the 401 Unauthorized message arrives, so I think the problem is probably in my OAuth2 configuration. My AuthorizationConfigurerAdapter is as follows:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    // Symmetric key used to sign the JWT access tokens; the default applies when the property is absent
    @Value("${signing-key:oui214}")
    private String signingKey;

    public AuthorizationServerConfig() {
        super();
    }

    // beans
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setSigningKey(signingKey);
        return jwtAccessTokenConverter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore());
        return tokenServices;
    }

    // config
    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        // Single in-memory client, restricted to the password grant and one scope
        clients.inMemory()
            .withClient("password-flow-client")
            .secret("publicpass")
            .authorizedGrantTypes("password")
            .scopes("qlc-webapp")
            .accessTokenValiditySeconds(3600 * 12);
        // @formatter:on
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
        // @formatter:off
        // One configuration chain for the token endpoint: the authenticationManager handles
        // the password grant and the userDetailsService backs refresh-token user lookups
        endpoints.tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService)
            .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST)
            .accessTokenConverter(accessTokenConverter());
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("permitAll()");
        super.configure(security);
    }
}
My ResourceConfigurerAdapter is as follows:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan({ "org.quickloanconnect.spring.security" })
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${signing-key:oui214}")
    private String signingKey;

    public ResourceServerConfig() {
        super();
    }

    // global security concerns
    @Bean
    public AuthenticationProvider authProvider() {
        // Provider that authenticates users against the database-backed UserDetailsService
        final DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        return authProvider;
    }

    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authProvider());
    }

    // http security concerns
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // @formatter:off
        http.
            authorizeRequests().
            // antMatchers("/oauth/token").permitAll().
            anyRequest().authenticated().and().
            sessionManagement().
            sessionCreationPolicy(SessionCreationPolicy.STATELESS).
            and().
            csrf().disable();
        // @formatter:on
    }
}
The MyUserDetailsService implementation of UserDetailsService:
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
// IUsersService and User are the application's own types (their packages are not shown here)

@Component
public final class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private IUsersService userService;

    public MyUserDetailsService() {
        super();
    }

    @Override
    public final UserDetails loadUserByUsername(final String username) {
        Preconditions.checkNotNull(username);
        final User user = userService.findUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("Username was not found: " + username);
        }
        // Wrap the application user in Spring Security's User; no authorities are granted yet
        return new org.springframework.security.core.userdetails.User(username,
                user.getPassword(), Lists.newArrayList());
    }
}
I was using the inMemory user setup (I had no user details service at the time), but after switching to the userDetailsService backend and removing my in-memory users, my configuration no longer seems to work and I get 401 Unauthorized. Does my configuration need to change now that I use a UserDetailsService? Am I missing something?
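The symptom in the question, a 401 that arrives without loadUserByUsername ever being called, is worth splitting into the two credential layers a password grant has. The client (here "password-flow-client" / "publicpass") authenticates to the token endpoint with HTTP Basic, and only after that succeeds does the server pass the username and password from the form body to the user store. The following added example (not code from the question or from Spring) builds the token request in that shape and runs it against a small simulated endpoint that checks the layers in the same order, counting user lookups so the reader can see which layer rejected each request. The endpoint, the user "alice", the password and the opaque placeholder token are all constructed for the example; the status codes follow RFC 6749 section 5.2 (failed client authentication is 401 invalid_client, bad resource-owner credentials are 400 invalid_grant).

```python
"""Added example: the two credential layers of an OAuth2 password grant and the
order in which a token endpoint checks them. Constructed data only, no network."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode


def build_token_request(client_id, client_secret, username, password, scope):
    """Build the POST /oauth/token request as RFC 6749 section 4.3 describes it:
    the client authenticates with HTTP Basic, the resource owner's credentials
    travel in the form body. Returns (headers, body)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })
    return headers, body


class SimulatedTokenEndpoint:
    """Toy stand-in for a token endpoint (assumption: not Spring's implementation).
    Credentials are checked client first, resource owner second, so the user store
    (the UserDetailsService in the question) is never consulted when the client
    layer rejects the request."""

    def __init__(self, clients, users):
        self.clients = clients      # client_id -> (secret, set of allowed grant types)
        self.users = users          # username -> password (plaintext only for this toy)
        self.user_lookups = 0       # how often load_user_by_username has run

    def load_user_by_username(self, username):
        """Counterpart of loadUserByUsername; counts every call for diagnosis."""
        self.user_lookups += 1
        return self.users.get(username)

    def _client_from_basic(self, headers):
        """Return the client id if the Basic header carries valid client credentials."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, sep, secret = decoded.partition(":")
        registered = self.clients.get(client_id)
        if not sep or registered is None:
            return None
        if not secrets.compare_digest(registered[0].encode(), secret.encode()):
            return None
        return client_id

    def handle(self, headers, body):
        """Return (status, json_body) for one token request."""
        client_id = self._client_from_basic(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}          # client layer rejected
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") not in self.clients[client_id][1]:
            return 400, {"error": "unauthorized_client"}     # grant type not allowed
        stored = self.load_user_by_username(form.get("username", ""))
        if stored is None or not secrets.compare_digest(
                stored.encode(), form.get("password", "").encode()):
            return 400, {"error": "invalid_grant"}           # resource-owner layer rejected
        return 200, {
            "access_token": secrets.token_urlsafe(24),       # opaque placeholder, not a JWT
            "token_type": "bearer",
            "scope": form.get("scope", ""),
        }


def run_scenarios():
    """Send three requests to a fresh endpoint; returns (label, status, lookups so far)."""
    endpoint = SimulatedTokenEndpoint(
        clients={"password-flow-client": ("publicpass", {"password"})},
        users={"alice": "correct-horse"},   # constructed user
    )
    cases = [
        ("wrong client secret", ("password-flow-client", "nope", "alice", "correct-horse")),
        ("wrong user password", ("password-flow-client", "publicpass", "alice", "wrong")),
        ("valid request", ("password-flow-client", "publicpass", "alice", "correct-horse")),
    ]
    results = []
    for label, (cid, csec, user, pw) in cases:
        status, _ = endpoint.handle(*build_token_request(cid, csec, user, pw, "qlc-webapp"))
        results.append((label, status, endpoint.user_lookups))
    return results


if __name__ == "__main__":
    for label, status, lookups in run_scenarios():
        print(f"{label:20s} -> HTTP {status}, user lookups so far: {lookups}")
```

The first scenario is the one that matches the question's description: a 401 with the user-lookup counter still at zero means the request never got past client authentication, so the user store and its configuration are not what to inspect first. Only the second and third scenarios reach the lookup, and a bad user password produces a 400 rather than a 401.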