spring-security-oauth2

问题 I am trying to use OAuth2 with spring security, with the following config xml: <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauthUserAuthenticationManager" xmlns="http://www.springframework.org/schema/security"> <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/> <anonymous enabled="false"/> <http-basic entry-point-ref="clientAuthenticationEntryPoint"/> <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH

问题 I implement oauth2 sso by using @EnableOAuth2Sso on spring-boot:1.3.0.M1 I want to use my userInfo from my resource server (http://oauth2_resource_server/me). So I try to implement my own ResourceServerTokenServices refering to UserInfoTokenServices @Configuration @EnableWebSecurity @EnableOAuth2Sso public class OAuth2Config { @Autowired ResourceServerProperties sso; @Bean public ResourceServerTokenServices userInfoTokenServices() { return new MyTokenService(sso.getUserInfoUri(), sso

问题 I'm currently working on a simple Spring Boot application where I pass client_id and secret to get the access token which gets me a refresh and access token. But then when I try to access resources(my REST API) using that token (with this URL: curl -H "Authorization: Bearer ead8ba5d-88ad-4531-a821-db08bf25e888" localhost:8081/my-end-point ), it doesn't work for me and gives me following error- {"error":"invalid_token","error_description":"Invalid access token: ead8ba5d-4531-db08bf2fe888"}

问题 The error format of spring security oauth conforms with the OAuth spec and looks like this. { "error":"insufficient_scope", "error_description":"Insufficient scope for this resource", "scope":"do.something" } Especially on a resource server I find it a bit strange to get a different error format for authentication issues. So I would like to change the way this exception is rendered. The documentation says Error handling in an Authorization Server uses standard Spring MVC features, namely

问题 I want to ask how to perform an action after a successful login via OAuth2 and how to veto a login based on some preconditions. I tried to search on Google and found some links but I'm not sure how to do that on this framework. There might be some filter etc I can add but wanted to know the right place to do this. Note: The AuditEvent will not work for me since successful audit is called with every API call. Ref: http://blog.jdriven.com/2015/01/stateless-spring-security-part-3-jwt-social

问题 I am wondering what's the best way to this. My scenario is the following: I have separate oath2 server and resource server sharing the auth information via database. The user authentication is being made by a provider that extends from AbstractUserDetailsAuthenticationProvider. Whenever I build UserDetails object, I attach the authorities to that user details. The thing is, a specific call to my resource server might change the user authorities. As far as I understand the UserDetails is

问题 Am trying to use Spring Secruity's OAuth API to obtain an access token from an externally published API within a Spring MVC 4 based Web Services (not Spring Boot). This curl command works (and its contents are all that I need to obtain an access token): curl -X POST \ https://api.app.com/v1/oauth/token \ -H 'content-type: application/x-www-form-urlencoded' \ -d'grant_type=client_credentials&client_id=bcfrtew123&client_secret=Y67493012' Spring Security OAuth API: <dependency> <groupId>org

问题 I have separate authorization server and resource server. Authorization server is pointing to a separate database. I haves used CustomUserDetailService for user related information. I have used CustomTokenEnhancer to have additional information apart from the token in the response. @Configuration public class OAuth2Configuration { @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter implements

问题 I've created Spring MVC application and set up Spring Security OAuth 2. While calling methods from my brower i get XML: <oauth> <error_description> Full authentication is required to access this resource </error_description> <error>unauthorized</error> </oauth> Browser sends following header: Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 When I set json accept header I get JSON. I need to force my authorization server always send JSON. Haven't found any

问题 Is it possible to set a default login successurl for a Spring Oauth2 Sso service? Following szenario browser reqeuests index.html sso service: Not protected ==> return the index.html index.html contains manifest attribute ==> browser requests the manifest sso service: Manifest is protected ==> returns 401 client redirects to ${sso.host}/login sso service redirects to auth server authentication ==> redirects back to ${sso.host}/login with the code in the query-String sso service: requests