Spring Oauth2：SecurityContextに認証オブジェクトが見つかりません

Question

私はSpringセキュリティとSpring OAuth2 Securityを実装するプロジェクトを持っています。アクセストークンを要求するとうまく動作しますが、アクセストークンを使用してリソースを要求すると、 SecurityContextで認証オブジェクトが見つかりませんでした '。

私のプロジェクトのSecurityContextががある：

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 
     http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd 
     http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security.xsd"> 

<global-method-security jsr250-annotations="enabled" /> 
<http pattern="/**/*.css" security="none" /> 
<http pattern="/**/*.css.map" security="none" /> 


<http pattern="/**/*.gif" security="none" /> 
<http pattern="/**/*.html" security="none" /> 
<http pattern="/**/*.ttf" security="none" /> 
<http pattern="/**/*.eot" security="none" /> 
<http pattern="/**/*.svg" security="none" /> 
<http pattern="/**/*.woff" security="none" /> 
<http pattern="/**/*.woff2" security="none" /> 
<http pattern="/**/*.xls" security="none" /> 
<http pattern="/**/*.ico" security="none" /> 
<http pattern="/**/*.jpg" security="none" /> 
<http pattern="/**/*.js" security="none" /> 
<http pattern="/**/*.png" security="none" /> 
<http pattern="/**/*.xml" security="none" /> 
<http pattern="/**/*.mp4" security="none" /> 
<http pattern="editCustomerTrnx" security="none"/> 
<!--<http pattern="/embed/*" security="none"/> --> 

<!-- Default URL provided by spring to get the token(access and refresh) from oauth --> 
<http pattern="/oauth/token" create-session="never" 
     authentication-manager-ref="clientAuthenticationManager" 
     xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/> 
    <!-- Using this to authenticate client using request parameter --> 
    <custom-filter ref="clientCredentialsTokenEndPointFilter" after="BASIC_AUTH_FILTER"/> 
    <access-denied-handler ref="oauthAccessDeniedHandler"/> 
</http> 

<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
     separately. This isn't mandatory, but it makes it easier to control the behaviour --> 
<http pattern="/Api/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" 
     access-decision-manager-ref="accessDecisionManager" 
     xmlns="http://www.springframework.org/schema/security"> 
    <anonymous enabled="false"/> 
    <intercept-url pattern="/Api/**" access="ROLE_ADMIN"/> 
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler"/> 
</http> 

<!-- 2 --> 
<http auto-config="true"> 
    <intercept-url pattern="/Admin/**" 
     access="ROLE_ADMINISTRATOR,ROLE_AUTHENTICATED" requires-channel="any" /> 
    <intercept-url pattern="/Seller/**" access="ROLE_AUTHENTICATED,ROLE_SELLER" 
     requires-channel="any" /> 
    <intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY" 
     requires-channel="any" /> 
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" 
     requires-channel="any" /> 
    <!-- <remember-me key="remittancerm" /> --> 
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="customSessionFilter" /> 
    <form-login login-page="/main" 

     authentication-failure-handler-ref="failureHandler" 
     always-use-default-target="false" default-target-url="/" 
     authentication-success-handler-ref="ash" /> 
    <logout logout-url="/logout" logout-success-url="/" /> 
    <access-denied-handler ref="" error-page="/" /> 
    <!-- authentication-failure-url="/main?errormessage=authentication.login.failed" --> 
    <session-management 
     session-authentication-strategy-ref="sls" /> 
    <port-mappings> 
     <port-mapping http="8080" https="8443" /> 
    </port-mappings> 
</http> 

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security"> 
    <authentication-provider> <!-- user-service-ref="userDetailService" --> 
     <user-service> 
      <user name="subash" authorities="ROLE_ADMIN" password="123456"/> 
     </user-service> 
     <!-- <password-encoder ref="passwordEncoder"> 
     </password-encoder> --> 
    </authentication-provider> 
</authentication-manager> 

<beans:bean id="ash" 
    class="com.remittance.session.CustomSavedRequestAwareAuthenticationSuccessHandler"> 
</beans:bean> 

<beans:bean id="failureHandler" class="com.remittance.session.CustomAuthenticationFailureHandler"> 
</beans:bean> 
<beans:bean id="forbiddenEntryPoint" 
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" /> 


<beans:bean id="customSessionFilter" class="com.remittance.session.CustomSessionFilter"> 
    <beans:constructor-arg ref="sessionRegistry" /> 
</beans:bean> 

<beans:bean id="sls" 
    class="com.remittance.session.SessionLoggingStrategy"> 
    <beans:constructor-arg ref="sas" /> 
    <beans:constructor-arg ref="sessionLogApi" /> 
</beans:bean> 

<beans:bean id="sas" 
    class="com.remittance.session.PersistingConcurrentSessionControlStrategy"> 
    <beans:constructor-arg name="sessionRegistry" 
     ref="sessionRegistry" /> 
    <beans:constructor-arg name="sessionApi" ref="sessionApi" /> 
    <beans:property name="maximumSessions" value="-1" /> 
</beans:bean> 

<beans:bean id="sessionRegistry" 
    class="com.remittance.session.PersistingSessionRegistry"> 
    <beans:constructor-arg ref="sessionApi" /> 
</beans:bean> 

<beans:bean id="userDetailService" 
    class="com.remittance.session.UserDetailsServiceImpl"> 
    <beans:constructor-arg ref="userRepository" /> 
</beans:bean> 

<beans:bean id="passwordEncoder" 
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> 


<beans:bean id="userTest" class="com.remittance.session.UserTest"> 
    <beans:constructor-arg ref="userRepository" /> 
</beans:bean> 



<!-- OAuth2 Security --> 


<!-- Resource protected by oauth2 security --> 

<!-- OAuth Client Details --> 
<oauth2:client-details-service id="clientDetails"> 
    <oauth2:client client-id="android5.5" secret="1234567890" authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials" 
       authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/> 
    <oauth2:client client-id="nokia3320" secret="0987654321" authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials" 
       authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" scope="read,write,trust"/> 
</oauth2:client-details-service> 

<!-- This defined token store, we have used in memory token store for now but this can be changed to a user defined one --> 
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/> 

<!-- Load User By User name --> 
<beans:bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService"> 
    <beans:constructor-arg ref="clientDetails"/> 
</beans:bean> 

<!-- This is where we defined token based configurations, token validity and other things --> 
<beans:bean id="tokenService" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices"> 
    <beans:property name="tokenStore" ref="tokenStore"/> 
    <beans:property name="accessTokenValiditySeconds" value="500"/> 
    <beans:property name="clientDetailsService" ref="clientDetails"/> 
    <beans:property name="supportRefreshToken" value="true"/> 
</beans:bean> 

<!-- It Determine whether a given client authentication request has been approved by user or not --> 
<!-- ToeknStoreUserApprovalHandler : A user approval handler that remembers approval decisions by consulting existing tokens --> 
<beans:bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler"> 
    <beans:property name="tokenStore" ref="tokenStore"/> 
    <beans:property name="requestFactory" ref="oauth2RequestFactory"/> 
</beans:bean> 


<!-- Server issuing access token to the client after successfully authenticating the resource owner and obtaining authorization --> 
<oauth2:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenService" 
          user-approval-handler-ref="userApprovalHandler"> 
    <!-- <oauth2:authorization-code/> --> 
    <!-- <oauth2:client-credentials/> --> 
    <!-- <oauth2:implicit/> --> 
    <oauth2:password/> 
    <!-- <oauth2:refresh-token/> --> 
</oauth2:authorization-server> 

<authentication-manager id="clientAuthenticationManager"> 
    <authentication-provider user-service-ref="clientDetailsUserDetailsService"/> 
</authentication-manager> 

<!-- Include this if you need to authenticate client via request parameter --> 
<beans:bean id="clientCredentialsTokenEndPointFilter" 
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter"> 
    <beans:property name="authenticationManager" ref="clientAuthenticationManager" /> 
</beans:bean> 

<!-- Server hosting the protected resource ,capable of accepting and responding to protected resource request using access tokens --> 
<oauth2:resource-server id="resourceServerFilter" resource-id="test" token-services-ref="tokenService"/> 

<!-- Authentication Entry Point --> 
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <beans:property name="realmName" value="test" /> 
</beans:bean> 

<beans:bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"> 
    <beans:property name="realmName" value="test/client" /> 
    <beans:property name="typeName" value="Basic" /> 
</beans:bean> 

<!-- Access Denied Handler --> 
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/> 

<!-- This beans prepares oauth2Request using incoming request parameter --> 
<beans:bean id="oauth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory"> 
    <beans:constructor-arg ref="clientDetails"/> 
</beans:bean> 

<!-- Access Decision Manager --> 
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans"> 
    <beans:constructor-arg> 
    <beans:list> 
     <beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" /> 
     <beans:bean class="org.springframework.security.access.vote.RoleVoter" /> 
     <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> 
    </beans:list> 
</beans:constructor-arg> 
</beans:bean> 

私はhttp://localhost:8060/oauth/token?grant_type=password&client_id=nokia3320&client_secret=0987654321&username=subash&password=123456を使用してトークンを要求し、私がアクセストークンとhttp://localhost:8060/Api/currencyListを使用してリソースにアクセスしようとすると、私は応答

{ 
"access_token": "9f5a89ce-a0d9-4d65-8e83-5d3b16d8c025", 
"token_type": "bearer", 
"refresh_token": "c2ac82ec-9f41-46dd-b7c2-4772c018505c", 
"expires_in": 499, 
"scope": "read trust write" 
} 

を以下ました私の質問に答えるつもりです

{ 
"error": "unauthorized", 
"error_description": "An Authentication object was not found in the 
         SecurityContext" 
} 

私は私は私はこの問題を解決することができ、約2 days.Howのために、この問題に捕まってしまった！春のOAuth2

@RequestMapping(value="/currencyList",method=RequestMethod.GET,produces={MediaType.APPLICATION_JSON_VALUE}) 
@ResponseBody 
public List<CurrencyDTO> getCurrencyList(){ 

    List<CurrencyDTO> currencyList=new ArrayList<CurrencyDTO>(); 

    CurrencyDTO currency1 = new CurrencyDTO(); 
    currency1.setCurrencyCode("NEP"); 
    currency1.setCurrencyName("Rupees"); 
    currency1.setId((long)1); 
    currency1.setSymbol("Rs"); 

    CurrencyDTO currency2 = new CurrencyDTO(); 
    currency2.setCurrencyCode("AM"); 
    currency2.setCurrencyName("Dollar"); 
    currency2.setId((long)2); 
    currency2.setSymbol("$"); 

    currencyList.add(currency1); 
    currencyList.add(currency2); 

    return currencyList; 

} 

を使用して、以下のリソースを保護したいですか認証が成功

Answer 1

、あなたが

public void successfulAuthentication(HttpServletRequest request,HttpServletResponse response, 
       FilterChain chain, Authentication authentication) throws IOException, ServletException { 

    //your some custom code 

    // Add the authentication to the Security context 
    SecurityContextHolder.getContext().setAuthentication(authentication); 
} 

Answer 2

などのセキュリティコンテキストで認証オブジェクトを追加する必要があり、ここでの問題は、リソースおよび認証サーバの両方がtoken.Whenのための共通のメモリ位置を共有していないということです私はInMemoryTokenStoreを変更私の問題は解決されるJdbcTokenStoreに。私の場合は

Answer 3

あなたのポンポンファイル春のブート親のリリースを更新してください1.4.2.RELEASE

Answer 4

、私はパブリックURLとして私のAPIのURLを追加しました。私のOAuthは、RESTサービスのURLは/resource/api/**で始まる保護されますが、私は

@Override 
public void configure(WebSecurity web) throws Exception { 
    web.ignoring().antMatchers("/css/**","/js/**","/resource/**"); 
} 

ので、OAuth2AuthenticationProcessingFilterが起動していなかったとして、私のセキュリティの設定クラスに追加され、私は私のAPIサーバーでAuthentication Object was not found in the SecurityContextとして例外が発生しました。