在 Grails 3 应用程序中使用 Spring Security Rest 对 "refresh_token" 请求的 403 响应
403 response on a "refresh_token" request with Spring Security Rest in a Grails 3 application
我在 Grails 3 应用程序中使用 Spring Security Rest 发出 "refresh_token" 请求时遇到一些问题。我有一个同时包含 Web front-end 和一些 Rest 端点的应用程序,其他一切似乎都运行良好。 Web 应用程序的行为符合预期,当我通过 curl with
发出登录请求时
curl -i -X POST localhost:8080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"johndoe", "password":"johndoepassword"}'
我得到了预期的响应(我已经截断了标记):
{
"username":"johndoe",
"roles":["ROLE_USER"],
"token_type":"Bearer",
"access_token":"eyJhbGciOiJIUzI1NiJ9.xxxxxx",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiJ9.xxxx"
}
在实际应用中,我可以将access_token加到header上,在session期间认证没有问题。但是,当我使用
访问 "refresh token" 端点时,我得到了 403
curl -i -X POST localhost:8080/oauth/access_token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.xxxx"
这在文档中看起来很简单,但我显然做错了什么。这是我认为是我的配置文件的相关部分:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
[pattern: '/error', access: ['permitAll']],
[pattern: '/login', access: ['permitAll']],
[pattern: '/login/**', access: ['permitAll']],
[pattern: '/oauth/**', access: ['permitAll']],
[pattern: '/user/register', access: ['permitAll']],
[pattern: '/user/register/**', access: ['permitAll']],
[pattern: '/user/submitRegistration', access: ['permitAll']],
[pattern: '/logoff', access: ['permitAll']],
[pattern: '/shutdown', access: ['permitAll']],
[pattern: '/assets/**', access: ['permitAll']],
[pattern: '/**/js/**', access: ['permitAll']],
[pattern: '/**/css/**', access: ['permitAll']],
[pattern: '/**/images/**', access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/surveyAdmin/**', access: ['ROLE_ADMIN']] ,
[pattern: '/**', access: ['ROLE_USER']]
]
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none'],
[
pattern: '/api/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
],
[
pattern: '/rest/**',
filters: 'restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
],
[pattern: '/**', filters: 'JOINED_FILTERS']
]
谁能推荐一条路过这里?
谢谢,
亚历克斯
正如经常发生的那样,我在发布问题后不久就找到了答案。我正在使用实现 org.springframework.security.core.userdetails.UserDetails 但不扩展 org.springframework.security.core.userdetails.User 的自定义用户 class。该插件假定主体可以转换为 "User" 对象,这导致用户 lookup/token 生成失败。更改我的自定义 class 以扩展 User 或覆盖插件中的 refreshToken 方法以接受我的自定义用户 class 让事情正常进行。
我在 Grails 3 应用程序中使用 Spring Security Rest 发出 "refresh_token" 请求时遇到一些问题。我有一个同时包含 Web front-end 和一些 Rest 端点的应用程序,其他一切似乎都运行良好。 Web 应用程序的行为符合预期,当我通过 curl with
发出登录请求时curl -i -X POST localhost:8080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"johndoe", "password":"johndoepassword"}'
我得到了预期的响应(我已经截断了标记):
{
"username":"johndoe",
"roles":["ROLE_USER"],
"token_type":"Bearer",
"access_token":"eyJhbGciOiJIUzI1NiJ9.xxxxxx",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiJ9.xxxx"
}
在实际应用中,我可以将access_token加到header上,在session期间认证没有问题。但是,当我使用
访问 "refresh token" 端点时,我得到了 403curl -i -X POST localhost:8080/oauth/access_token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.xxxx"
这在文档中看起来很简单,但我显然做错了什么。这是我认为是我的配置文件的相关部分:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
[pattern: '/error', access: ['permitAll']],
[pattern: '/login', access: ['permitAll']],
[pattern: '/login/**', access: ['permitAll']],
[pattern: '/oauth/**', access: ['permitAll']],
[pattern: '/user/register', access: ['permitAll']],
[pattern: '/user/register/**', access: ['permitAll']],
[pattern: '/user/submitRegistration', access: ['permitAll']],
[pattern: '/logoff', access: ['permitAll']],
[pattern: '/shutdown', access: ['permitAll']],
[pattern: '/assets/**', access: ['permitAll']],
[pattern: '/**/js/**', access: ['permitAll']],
[pattern: '/**/css/**', access: ['permitAll']],
[pattern: '/**/images/**', access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/surveyAdmin/**', access: ['ROLE_ADMIN']] ,
[pattern: '/**', access: ['ROLE_USER']]
]
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none'],
[
pattern: '/api/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
],
[
pattern: '/rest/**',
filters: 'restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
],
[pattern: '/**', filters: 'JOINED_FILTERS']
]
谁能推荐一条路过这里?
谢谢, 亚历克斯
正如经常发生的那样,我在发布问题后不久就找到了答案。我正在使用实现 org.springframework.security.core.userdetails.UserDetails 但不扩展 org.springframework.security.core.userdetails.User 的自定义用户 class。该插件假定主体可以转换为 "User" 对象,这导致用户 lookup/token 生成失败。更改我的自定义 class 以扩展 User 或覆盖插件中的 refreshToken 方法以接受我的自定义用户 class 让事情正常进行。