I am developing a Spring MVC + Spring Security OAuth2 example. In this example I get the error `Could not verify the provided CSRF token` (`<error>access_denied</error>`).
I was using the Spring Security versions `<springsec.version>3.2.8.RELEASE</springsec.version>` and `<spring.version>4.0.9.RELEASE</spring.version>`, but my business client wants the Spring and Spring Security dependencies updated to the latest versions. I changed Spring Security to `<springsec.version>4.1.1.RELEASE</springsec.version>` and Spring MVC to `<spring.version>4.3.1.RELEASE</spring.version>`.
The application deployed successfully, but when I tried to get an access token with the curl command below, I got the following error. Why? See:
```
C:\>curl -vvv -X POST "http://localhost:8080/demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust"
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D3BE17423B26618D2931A9B317E422E1; Path=/demo.rest.springsecurity.oauth2.0.authentication/; HttpOnly
< Cache-Control: no-store
< Pragma: no-cache
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Wed, 17 Aug 2016 11:19:28 GMT
<
<oauth><error_description>Could not verify the provided CSRF token because your session was not found.</error_description><error>access_denied</error></oauth>* Connection #0 to host localhost left intact
C:\>
```
My pom.xml:
```xml
<properties>
    <!-- General Properties -->
    <java.version>1.8</java.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <!-- Spring Security -->
    <!-- <springsec.version>3.2.8.RELEASE</springsec.version> -->
    <springsec.version>4.1.1.RELEASE</springsec.version>
    <!-- Spring MVC -->
    <!-- <spring.version>4.0.9.RELEASE</spring.version> -->
    <spring.version>4.3.1.RELEASE</spring.version>
    <!-- Jersey Server -->
    <jersey-version>1.19</jersey-version>
    <!-- Spring Security OAuth2 -->
    <spring-security-oauth2-version>2.0.10.RELEASE</spring-security-oauth2-version>
    <logback.version>1.1.7</logback.version>
    <jcl-over-slf4j.version>1.7.21</jcl-over-slf4j.version>
    <!-- Servlet, JSP, CGLIB, JSTL -->
    <servlet.version>3.1.0</servlet.version>
    <jsp.version>2.2</jsp.version>
    <cglib.version>2.2.2</cglib.version>
    <jstl.version>1.2</jstl.version>
</properties>
<dependencies>
    <!-- Spring Security OAuth2 -->
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>${spring-security-oauth2-version}</version>
    </dependency>
    <!-- Spring Web MVC -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <!-- Spring security core, web, config, aspects, taglibs -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${springsec.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${springsec.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-aspects</artifactId>
        <version>${springsec.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${springsec.version}</version>
    </dependency>
    <!-- JSTL -->
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>jstl</artifactId>
        <version>${jstl.version}</version>
    </dependency>
    <!-- Jersey Server -->
    <dependency>
        <groupId>com.sun.jersey</groupId>
        <artifactId>jersey-server</artifactId>
        <version>${jersey-version}</version>
    </dependency>
    <!-- Jersey Client -->
    <dependency>
        <groupId>com.sun.jersey.contribs</groupId>
        <artifactId>jersey-apache-client</artifactId>
        <version>${jersey-version}</version>
    </dependency>
    <!-- Spring Jersey -->
    <dependency>
        <groupId>com.sun.jersey.contribs</groupId>
        <artifactId>jersey-spring</artifactId>
        <version>${jersey-version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-web</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <!-- Jersey JSON -->
    <dependency>
        <groupId>com.sun.jersey</groupId>
        <artifactId>jersey-json</artifactId>
        <version>${jersey-version}</version>
    </dependency>
    <dependency>
        <groupId>com.sun.jersey</groupId>
        <artifactId>jersey-client</artifactId>
        <version>${jersey-version}</version>
    </dependency>
    <!-- Spring Core, Context, Support, beans, test, Web MVC -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-support</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-test</artifactId>
        <version>${spring.version}</version>
        <scope>test</scope>
    </dependency>
    <!-- logging, slf4j -->
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>jcl-over-slf4j</artifactId>
        <version>${jcl-over-slf4j.version}</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>${logback.version}</version>
    </dependency>
    <!-- Cglib -->
    <dependency>
        <groupId>cglib</groupId>
        <artifactId>cglib</artifactId>
        <version>${cglib.version}</version>
    </dependency>
    <!-- Servlet -->
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>${servlet.version}</version>
    </dependency>
    <!-- JSP API -->
    <dependency>
        <groupId>javax.servlet.jsp</groupId>
        <artifactId>jsp-api</artifactId>
        <version>${jsp.version}</version>
        <scope>provided</scope>
    </dependency>
```
spring-servlet.xml:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd ">

    <http pattern="/oauth/token" create-session="stateless"
          authentication-manager-ref="authenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <http pattern="/resources/**" create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/resources/**" method="GET" />
        <!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> -->
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <http pattern="/logout" create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/logout" method="GET" />
        <sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <bean id="logoutSuccessHandler" class="demo.oauth2.authentication.security.LogoutImpl">
        <property name="tokenstore" ref="tokenStore"></property>
    </bean>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    </bean>

    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="springsec/client" />
        <property name="typeName" value="Basic" />
    </bean>

    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
    </bean>

    <bean id="clientCredentialsTokenEndpointFilter"
          class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <bean id="clientDetails" class="demo.oauth2.authentication.security.ClientDetailsServiceImpl"/>

    <authentication-manager id="userAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider ref="customUserAuthenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <bean id="customUserAuthenticationProvider"
          class="demo.oauth2.authentication.security.CustomUserAuthenticationProvider">
    </bean>

    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit/>
        <oauth:refresh-token/>
        <oauth:client-credentials />
        <oauth:password authentication-manager-ref="userAuthenticationManager"/>
    </oauth:authorization-server>

    <oauth:resource-server id="resourceServerFilter" resource-id="springsec" token-services-ref="tokenServices" />

    <!-- <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> -->
    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />

    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <property name="accessTokenValiditySeconds" value="300000"></property>
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <mvc:annotation-driven /> <!-- Declares explicit support for annotation-driven MVC controllers @RequestMapping, @Controller -->
    <mvc:default-servlet-handler />

    <bean id="MyResource" class="demo.oauth2.authentication.resources.MyResource"></bean>
</beans>
```
Please let me know if you need any more information from me!
But I am also facing another problem: `org.springframework.expression.spel.SpelEvaluationException: EL1008E: (pos 0): Property or field 'IS_AUTHENTICATED_FULLY' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?` – Prateek
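Both errors in this thread are consequences of two defaults that changed between Spring Security 3.2 and 4.x in the XML namespace: CSRF protection is now on by default, and `access` attributes are evaluated as SpEL expressions by default (`use-expressions="true"`). The following is an added example, not code from the question or its comments, showing how the `/oauth/token` block from the spring-servlet.xml above can be written so that it starts under 4.1.1 with the same behaviour it had under 3.2.8; the bean ids it references (`authenticationManager`, `clientAuthenticationEntryPoint`, `clientCredentialsTokenEndpointFilter`, `oauthAccessDeniedHandler`) are the ones declared in the question's own file.

```xml
<!-- Added example: Spring Security 4.x form of the question's /oauth/token <http> block.
     Bean references are the ids declared in the question's spring-servlet.xml. -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="authenticationManager"
      xmlns="http://www.springframework.org/schema/security">

    <!-- Spring Security 4 evaluates 'access' as SpEL by default, so the 3.x constant
         IS_AUTHENTICATED_FULLY no longer resolves (that is the EL1008E error in the comment).
         The expression form has the same meaning. -->
    <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />

    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />

    <!-- Spring Security 4 enables CSRF protection by default, and its default token repository
         stores the expected token in the HTTP session. This block is create-session="stateless",
         so there is never a session to look in: every POST fails with
         "Could not verify the provided CSRF token because your session was not found".
         CSRF defends endpoints that a browser authenticates to automatically (session cookie);
         this endpoint authenticates the client by its own credentials on each request, so
         disabling the CSRF filter here removes the false positive without removing a real defence. -->
    <csrf disabled="true" />
</http>
```

The `/resources/**` and `/logout` blocks in the question are likewise `create-session="never"` and authenticated by the bearer token through `resourceServerFilter`, so they need the same `<csrf disabled="true" />` to accept non-GET requests; any browser-facing `<http>` block that relies on a session cookie should keep CSRF enabled. Two further points worth noting from the curl session above: the client secret and the user's password are sent as URL query parameters, which typically land in server and proxy access logs, and `ClientCredentialsTokenEndpointFilter` is only there to accept client credentials as request parameters; sending them as HTTP Basic credentials (`-u client1:client1` in curl) and the user credentials in the POST body keeps them out of the URL.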