2016-08-17

I am developing a Spring MVC + Spring Security OAuth2 example. In this example the token endpoint answers with <oauth><error_description>Could not verify the provided CSRF token because your session was not found.</error_description><error>access_denied</error></oauth>.

I had been using Spring Security version <springsec.version>3.2.8.RELEASE</springsec.version> and Spring MVC version <spring.version>4.0.9.RELEASE</spring.version>, but my business client wants the Spring and Spring Security dependencies updated to the latest versions. I changed Spring Security to <springsec.version>4.1.1.RELEASE</springsec.version> and Spring MVC to <spring.version>4.3.1.RELEASE</spring.version>.

      I was able to deploy the application successfully, but when I tried to obtain an access token with the curl command below, I got the following error. Why? See:

      C:\>curl -vvv -X POST "http://localhost:8080/demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust" 
      * Trying 127.0.0.1... 
      * Connected to localhost (127.0.0.1) port 8080 (#0) 
      > POST /demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust HTTP/1.1 
      > Host: localhost:8080 
      > User-Agent: curl/7.46.0 
      > Accept: */* 
      > 
      < HTTP/1.1 403 Forbidden 
      < Server: Apache-Coyote/1.1 
      < Set-Cookie: JSESSIONID=D3BE17423B26618D2931A9B317E422E1; Path=/demo.rest.springsecurity.oauth2.0.authentication/; HttpOnly 
      < Cache-Control: no-store 
      < Pragma: no-cache 
      < X-XSS-Protection: 1; mode=block 
      < X-Frame-Options: DENY 
      < X-Content-Type-Options: nosniff 
      < Content-Type: application/xml 
      < Transfer-Encoding: chunked 
      < Date: Wed, 17 Aug 2016 11:19:28 GMT 
      < 
      <oauth><error_description>Could not verify the provided CSRF token because your session was not found.</error_description><error>access_denied</error></oauth>* Connection #0 to host localhost left intact 
      
      C:\> 
      

      pom.xml:

      <properties> 
           <!-- General Properties --> 
           <java.version>1.8</java.version> 
           <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> 
           <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> 
      
           <!-- Spring Security --> 
           <!-- <springsec.version>3.2.8.RELEASE</springsec.version> --> 
           <springsec.version>4.1.1.RELEASE</springsec.version> 
      
           <!-- Spring MVC --> 
           <!-- <spring.version>4.0.9.RELEASE</spring.version> --> 
           <spring.version>4.3.1.RELEASE</spring.version> 
      
           <!-- Jersey Server --> 
           <jersey-version>1.19</jersey-version> 
      
           <!-- Spring Security OAuth2 --> 
           <spring-security-oauth2-version>2.0.10.RELEASE</spring-security-oauth2-version> 
      
           <logback.version>1.1.7</logback.version> 
           <jcl-over-slf4j.version>1.7.21</jcl-over-slf4j.version> 
      
           <!-- Servlet, JSP, CGLIB, JSTL --> 
           <servlet.version>3.1.0</servlet.version> 
           <jsp.version>2.2</jsp.version> 
           <cglib.version>2.2.2</cglib.version> 
           <jstl.version>1.2</jstl.version> 
          </properties> 
      
      
          <dependencies> 
           <!-- Spring Security OAuth2 --> 
           <dependency> 
            <groupId>org.springframework.security.oauth</groupId> 
            <artifactId>spring-security-oauth2</artifactId> 
            <version>${spring-security-oauth2-version}</version> 
           </dependency> 
      
           <!-- Spring Web MVC --> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-webmvc</artifactId> 
            <version>${spring.version}</version> 
           </dependency> 
      
           <!-- Spring security core, web, config, aspects, taglibs --> 
           <dependency> 
            <groupId>org.springframework.security</groupId> 
            <artifactId>spring-security-web</artifactId> 
            <version>${springsec.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework.security</groupId> 
            <artifactId>spring-security-config</artifactId> 
            <version>${springsec.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework.security</groupId> 
            <artifactId>spring-security-aspects</artifactId> 
            <version>${springsec.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework.security</groupId> 
            <artifactId>spring-security-taglibs</artifactId> 
            <version>${springsec.version}</version> 
           </dependency> 
      
           <!-- JSTL --> 
           <dependency> 
            <groupId>javax.servlet</groupId> 
            <artifactId>jstl</artifactId> 
            <version>${jstl.version}</version> 
           </dependency> 
      
           <!-- Jersey Server --> 
           <dependency> 
            <groupId>com.sun.jersey</groupId> 
            <artifactId>jersey-server</artifactId> 
            <version>${jersey-version}</version> 
           </dependency> 
           <!-- Jersey Client --> 
           <dependency> 
            <groupId>com.sun.jersey.contribs</groupId> 
            <artifactId>jersey-apache-client</artifactId> 
            <version>${jersey-version}</version> 
           </dependency> 
           <!-- Spring Jersey --> 
           <dependency> 
            <groupId>com.sun.jersey.contribs</groupId> 
            <artifactId>jersey-spring</artifactId> 
            <version>${jersey-version}</version> 
            <exclusions> 
             <exclusion> 
              <groupId>org.springframework</groupId> 
              <artifactId>spring-core</artifactId> 
             </exclusion> 
             <exclusion> 
              <groupId>org.springframework</groupId> 
              <artifactId>spring-beans</artifactId> 
             </exclusion> 
             <exclusion> 
              <groupId>org.springframework</groupId> 
              <artifactId>spring-context</artifactId> 
             </exclusion> 
             <exclusion> 
              <groupId>org.springframework</groupId> 
              <artifactId>spring-web</artifactId> 
             </exclusion> 
             <exclusion> 
              <groupId>org.springframework</groupId> 
              <artifactId>spring-aop</artifactId> 
             </exclusion> 
            </exclusions> 
           </dependency> 
           <!-- Jersey JSON --> 
           <dependency> 
            <groupId>com.sun.jersey</groupId> 
            <artifactId>jersey-json</artifactId> 
            <version>${jersey-version}</version> 
           </dependency> 
           <dependency> 
            <groupId>com.sun.jersey</groupId> 
            <artifactId>jersey-client</artifactId> 
            <version>${jersey-version}</version> 
           </dependency> 
      
           <!-- Spring Core, Context, Support, beans, test, Web MVC --> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-core</artifactId> 
            <version>${spring.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-context</artifactId> 
            <version>${spring.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-context-support</artifactId> 
            <version>${spring.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-beans</artifactId> 
            <version>${spring.version}</version> 
           </dependency> 
           <dependency> 
            <groupId>org.springframework</groupId> 
            <artifactId>spring-test</artifactId> 
            <version>${spring.version}</version> 
            <scope>test</scope> 
           </dependency> 
      
      
           <!-- logging, slf4j --> 
           <dependency> 
            <groupId>org.slf4j</groupId> 
            <artifactId>jcl-over-slf4j</artifactId> 
            <version>${jcl-over-slf4j.version}</version> 
           </dependency> 
      
           <dependency> 
            <groupId>ch.qos.logback</groupId> 
            <artifactId>logback-classic</artifactId> 
            <version>${logback.version}</version> 
           </dependency> 
      
           <!-- Cglib --> 
           <dependency> 
            <groupId>cglib</groupId> 
            <artifactId>cglib</artifactId> 
            <version>${cglib.version}</version> 
           </dependency> 
           <!-- Servlet --> 
           <dependency> 
            <groupId>javax.servlet</groupId> 
            <artifactId>javax.servlet-api</artifactId> 
            <version>${servlet.version}</version> 
           </dependency> 
           <!-- JSP API --> 
           <dependency> 
            <groupId>javax.servlet.jsp</groupId> 
            <artifactId>jsp-api</artifactId> 
            <version>${jsp.version}</version> 
            <scope>provided</scope> 
           </dependency> 
      

      spring-servlet.xml:

      <?xml version="1.0" encoding="UTF-8" ?> 
      <beans xmlns="http://www.springframework.org/schema/beans" 
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" 
          xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc" 
          xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd 
           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd 
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd 
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd "> 
      
      
          <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager" 
           xmlns="http://www.springframework.org/schema/security" > 
      
           <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
           <anonymous enabled="false" /> 
           <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
           <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" /> 
           <access-denied-handler ref="oauthAccessDeniedHandler" /> 
          </http> 
      
          <http pattern="/resources/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" 
           xmlns="http://www.springframework.org/schema/security"> 
           <anonymous enabled="false" /> 
           <intercept-url pattern="/resources/**" method="GET" /> 
           <!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> --> 
           <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
           <access-denied-handler ref="oauthAccessDeniedHandler" /> 
          </http> 
      
          <http pattern="/logout" create-session="never" 
           entry-point-ref="oauthAuthenticationEntryPoint" 
           xmlns="http://www.springframework.org/schema/security"> 
           <anonymous enabled="false" /> 
           <intercept-url pattern="/logout" method="GET" /> 
           <sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" /> 
           <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
           <access-denied-handler ref="oauthAccessDeniedHandler" /> 
          </http> 
      
          <bean id="logoutSuccessHandler" class="demo.oauth2.authentication.security.LogoutImpl" > 
           <property name="tokenstore" ref="tokenStore"></property> 
          </bean> 
      
          <bean id="oauthAuthenticationEntryPoint" 
           class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
          </bean> 
      
          <bean id="clientAuthenticationEntryPoint" 
           class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
           <property name="realmName" value="springsec/client" /> 
           <property name="typeName" value="Basic" /> 
          </bean> 
      
          <bean id="oauthAccessDeniedHandler" 
           class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"> 
          </bean> 
      
          <bean id="clientCredentialsTokenEndpointFilter" 
           class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> 
           <property name="authenticationManager" ref="authenticationManager" /> 
          </bean> 
      
          <authentication-manager alias="authenticationManager" 
           xmlns="http://www.springframework.org/schema/security"> 
           <authentication-provider user-service-ref="clientDetailsUserService" /> 
          </authentication-manager> 
      
          <bean id="clientDetailsUserService" 
           class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> 
           <constructor-arg ref="clientDetails" /> 
          </bean> 
      
          <bean id="clientDetails" class="demo.oauth2.authentication.security.ClientDetailsServiceImpl"/> 
      
          <authentication-manager id="userAuthenticationManager" 
           xmlns="http://www.springframework.org/schema/security"> 
           <authentication-provider ref="customUserAuthenticationProvider"> 
           </authentication-provider> 
          </authentication-manager> 
      
          <bean id="customUserAuthenticationProvider" 
           class="demo.oauth2.authentication.security.CustomUserAuthenticationProvider"> 
          </bean> 
      
          <oauth:authorization-server 
           client-details-service-ref="clientDetails" token-services-ref="tokenServices"> 
           <oauth:authorization-code /> 
           <oauth:implicit/> 
           <oauth:refresh-token/> 
           <oauth:client-credentials /> 
           <oauth:password authentication-manager-ref="userAuthenticationManager"/> 
          </oauth:authorization-server> 
      
          <oauth:resource-server id="resourceServerFilter" 
           resource-id="springsec" token-services-ref="tokenServices" /> 
      
          <!-- <bean id="tokenStore" 
           class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> --> 
      
          <bean id="tokenStore" 
            class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" /> 
      
          <bean id="tokenServices" 
           class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> 
           <property name="tokenStore" ref="tokenStore" /> 
           <property name="supportRefreshToken" value="true" /> 
           <property name="accessTokenValiditySeconds" value="300000"></property> 
           <property name="clientDetailsService" ref="clientDetails" /> 
          </bean> 
      
      
          <mvc:annotation-driven /> <!-- Declares explicit support for annotation-driven MVC controllers @RequestMapping, @Controller --> 
      
          <mvc:default-servlet-handler /> 
      
          <bean id="MyResource" class="demo.oauth2.authentication.resources.MyResource"></bean> 
      
      </beans> 
      

      Please let me know if you need any more information from me!

    Answers

    0

    I got the solution. To get rid of the error "Could not verify the provided CSRF token because your session was not found." you have to add <sec:csrf disabled="true" /> to every <http> element, as below.

    <http pattern="/oauth/token" auto-config="true" create-session="stateless" authentication-manager-ref="authenticationManager" 
         xmlns="http://www.springframework.org/schema/security" > 
    
         <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
         <anonymous enabled="false" /> 
         <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
         <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" /> 
         <access-denied-handler ref="oauthAccessDeniedHandler" /> 
         <!-- Added this to fix error --> 
         <sec:csrf disabled="true" /> 
        </http> 
    
        <http pattern="/resources/**" auto-config="true" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" 
         xmlns="http://www.springframework.org/schema/security"> 
         <anonymous enabled="false" /> 
         <intercept-url pattern="/resources/**" method="GET" /> 
         <!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> --> 
         <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
         <access-denied-handler ref="oauthAccessDeniedHandler" /> 
         <!-- Added this to fix error --> 
         <sec:csrf disabled="true" /> 
        </http> 
    
        <http pattern="/logout" create-session="never" auto-config="true" 
         entry-point-ref="oauthAuthenticationEntryPoint" 
         xmlns="http://www.springframework.org/schema/security"> 
         <anonymous enabled="false" /> 
         <intercept-url pattern="/logout" method="GET" /> 
         <sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" /> 
         <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
         <access-denied-handler ref="oauthAccessDeniedHandler" /> 
         <!-- Added this to fix error --> 
         <sec:csrf disabled="true" /> 
        </http> 
    
    +0

    But I am also facing another problem: org.springframework.expression.spel.SpelEvaluationException: EL1008E: (pos 0): Property or field 'IS_AUTHENTICATED_FULLY' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public? – Prateek
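Two things in this thread have the same root cause: Spring Security 4 changed defaults that the Spring Security 3 configuration relied on. CSRF protection is now on by default, and its synchronizer token is stored in the HTTP session, so a create-session="stateless" endpoint can never find it (the "session was not found" 403 in the question). Likewise the <http> element now evaluates access="" values as SpEL expressions (use-expressions="true" by default), so the old constant IS_AUTHENTICATED_FULLY is looked up as a property of WebSecurityExpressionRoot and fails with the EL1008E reported in the comment above. The following is an added example, not code from the original poster or the answerer: the /oauth/token <http> block from the question rewritten for Spring Security 4.1, using the bean ids and endpoint pattern from the question's spring-servlet.xml.

```xml
<!-- Added example (not from the original post): /oauth/token security block
     for Spring Security 4.x. Bean ids and the pattern come from the question. -->
<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="authenticationManager"
      xmlns="http://www.springframework.org/schema/security">

    <!-- Spring Security 4 evaluates access="" as a SpEL expression by default
         (use-expressions="true"). The Spring Security 3 constant
         IS_AUTHENTICATED_FULLY therefore raises EL1008E; the expression form
         isFullyAuthenticated() is the equivalent. -->
    <intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />

    <!-- CSRF protection is on by default in Spring Security 4 and keeps its
         synchronizer token in the HTTP session. With create-session="stateless"
         there is no session, which is exactly the "session was not found" 403
         from the question. This endpoint is authenticated by client credentials
         (HTTP Basic or request parameters), not by a browser cookie, so the
         synchronizer token protects nothing here and is switched off for this
         pattern only; other <http> blocks keep their own setting. -->
    <csrf disabled="true" />
</http>
```

If you would rather keep the Spring Security 3 constants, the alternative is use-expressions="false" on each <http> element instead of rewriting the access attributes. The CSRF reasoning carries over to the /resources/** and /logout blocks in the answer, which are also cookie-less (create-session="never") and authenticated by the bearer token that resourceServerFilter checks. On the client side, note that the curl command in the question passes client_id and client_secret in the URL query string, where they end up in server access logs and any proxy logs; curl -u client1:client1 with the grant parameters in a -d form body is accepted by the same <http-basic> and token endpoint configuration and keeps the secret out of the URL.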
