spring-security-oauth2

问题 I am trying to create a spring resource server secured with oauth2. I am using auth0 for my auth2 service, and I have an api and client configured with scopes. I have a resource server that mostly works. It is secured, and I can use @EnableGlobalMethodSecurity and @PreAuthorize("#oauth2.hasScope('profile:read')") to limit access to tokens with that scope. However, when I try to get the Principal or the OAuth2Authentication they are both null. I've configured the resource server to use the JWK

问题 I am trying to create a spring resource server secured with oauth2. I am using auth0 for my auth2 service, and I have an api and client configured with scopes. I have a resource server that mostly works. It is secured, and I can use @EnableGlobalMethodSecurity and @PreAuthorize("#oauth2.hasScope('profile:read')") to limit access to tokens with that scope. However, when I try to get the Principal or the OAuth2Authentication they are both null. I've configured the resource server to use the JWK

问题 I have some rest api like this: /users/{user_id} /users/{user_id}/orders /users/{user_id}/orders/{order_id} How I must secure them? every user must see only her/his data, But admin can see all of them. How & What I must implement in Spring Security that User by Id == 1 can't see data of user by Id == 2 and vice versa, expect users by role admin that can see all? Do I check before every method User Id in session is equail with user_id param passed to api? is there a better way? p.s: I use JWT

问题 I am attempting to build a Spring application that uses JWT tokens and the OAuth2 protocol. I have the Authentication Server running thanks to this tutorial. However, I am struggling with getting the Resource Server to function properly. From following the article, and thanks to a response to a prior question, this is my current attempt: Security config for Resource Server: @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends

问题 Referring to the logout flow in oauth2 spring-guides project, once the the user has authenticated using user/password for the first time, the credentials are not asked next time after logout. How can I ensure that username/password are asked every time after a logout. This is what I am trying to implement:- OAuth2 server issuing JWT token using "authorization_code" grant type with auto approval. This has html/angularjs form to collect username/password. UI/Webfront - Uses @EnableSSO. ALL its

问题 I was using Spring Boot 1.4.0 with Spring OAuth2. When I requested a token, the server response was: { "access_token": "93f8693a-22d2-4139-a4ea-d787f2630f04", "token_type": "bearer", "refresh_token": "2800ea24-bb4a-4a01-ba87-2d114c1a2235", "expires_in": 899, "scope": "read write" } When I updated my project to Spring Boot 1.4.1, the server response became { "error": "invalid_client", "error_description": "Bad client credentials" } What was changed from version 1.4.0 to 1.4.1 ? And what should

问题 I have a Spring Boot application that is "invitation only". Ie. users are sent a signup link and there is no "Sign up" functionality. This works fine and users log on with their username and password. I would like to allow logon with FaceBook and Google using OAuth2 as a supplementary logon method. This would involve mapping the existing users to their social account in some way. The users and their passwords are stored in a MySQL database. I have found a number of articles on OAuth2 and

问题 I have created an Authorization service as follows @SpringBootApplication @EnableAuthorizationServer public class AuthorizationApplication { ... } With this application.properties . server.port=9000 security.oauth2.client.client-id=monederobingo security.oauth2.client.client-secret=monederobingosecret security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials security.oauth2.client.scope=company,client Then, in a separate spring boot project I

问题 Added OAuth2FeignRequestInterceptor to handle OAuth2 @FeignClient request and I'm now seeing the following exception: *org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.oauth2ClientContext': Scope 'session' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to

问题 I started to use Spring OAuth2 and in the process, I struggled to find relevant tutorials and content mostly because of the following I did not want to use Spring Boot I did not want to use Java configs rather xml configuration I needed to customize Spring OAuth2 grant flows and other features for our specific needs I needed to disable some grant flows I needed to Spring OAuth2 to use custom Users and Roles I needed to use store oauth_client details in a custom database tab Other stuff I have