Can't get Spring Security OAuth2 login to trigger

[亡魂溺海] submitted on 2020-01-24 19:40:07

Question


I am writing a RESTful web service (Jersey running on Tomcat) that needs to authenticate users' email address, and possibly access their Google Calendar. The plan is that users will be redirected to login to Google via OAuth2.

My web service is already protected by Spring Security. It works fine with basic authentication (i.e. hard-wired list of users and passwords.) If I try to access any of the protected resources I am prompted to login.

Now I am trying to wire in Spring Security OAuth2. My understanding is that I will get a redirect to Google if I try to access a protected resource.

However, no matter what I try I can't seem to get OAuth to fire. There are no console errors logged, and resources are protected (I get the error "Full authentication is required to access this resource").

Something is wrong; could be my config, my understanding, or both. Suggestions would be greatly appreciated.

web.xml (partial):

<servlet-mapping>
    <servlet-name>Jersey REST Service</servlet-name>
    <url-pattern>/V1/*</url-pattern>
</servlet-mapping>

<listener>  
  <listener-class>
   org.springframework.web.context.ContextLoaderListener  
  </listener-class>  
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/spring-security.xml</param-value>
</context-param>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-security.xml (with google keys hidden):

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2"

    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.2.xsd
      http://www.springframework.org/schema/security/oauth2 
      http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <debug />

    <oauth:client id="oauth2ClientFilter" />

    <oauth:resource id="googleOauth2Resource" 
        type="authorization_code"
        client-id="hidden"
        client-secret="hidden" 
        access-token-uri="https://accounts.google.com/o/oauth2/v3/token"
        user-authorization-uri="https://accounts.google.com/o/oauth2/auth"
        scope="email" />

    <http xmlns="http://www.springframework.org/schema/security" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
        <intercept-url pattern="/V1/**" access="IS_AUTHENTICATED_FULLY" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <oauth:rest-template id="googleOauthRestTemplate"
        resource="googleOauth2Resource" />

    <beans:bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    </beans:bean>

    <beans:bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
    </beans:bean>

    <authentication-manager>
    </authentication-manager>
</beans:beans>

UPDATE: I did find a working demo (The name is misleading-- it is using OAuth2, not OpenID.) Accessing a protected resource triggers a redirect to Google as expected. I didn't have any luck translating his annotated classes into XML though, and I'm not running under Spring Boot or Spring MVC so it would be difficult for me to switch to using annotations.

UPDATE 2: With the debugger I can see that OAuth2ClientContextFilter.doFilter is getting called, but it decides not to redirect because the filter chain isn't throwing a UserRedirectRequiredException. (The exception being thrown by the filter chain is AccessDeniedException.)


Answer 1:


The reason you are receiving the response: "Full authentication is required to access this resource" is because OAuth2AuthenticationEntryPoint is expecting an access token.

The OAuth2AuthenticationEntryPoint is used if you are a resource server accepting requests with access tokens. In your case though, it appears that your intention is to be a relying party that relies on Google to give back an access token so you can access a user's data on Google on his behalf.

So what you must do is follow the same flow as the demo app you found on GitHub:

  1. The user accesses a secured endpoint /test
  2. The user is not yet authenticated so he gets redirected to /login as configured in LoginUrlAuthenticationEntryPoint
  3. The request to /login goes through the filterchain again and is intercepted in OpenIDConnectAuthenticationFilter where its configured OAuth2RestTemplate attempts to retrieve user info. This throws UserRedirectRequiredException because the OAuth2ClientContext does not have an access token yet to retrieve the user's info.
  4. OAuth2ClientContextFilter catches the thrown UserRedirectRequiredException and redirects the user to Google's authorization page.

Here are the DEBUG logs to show you the flow:

2016-09-11 02:32:34.361 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-11 02:32:34.366 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-11 02:32:34.367 DEBUG 41435 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-09-11 02:32:34.367 DEBUG 41435 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-09-11 02:32:34.375 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-11 02:32:34.378 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@38511637
2016-09-11 02:32:34.379 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-09-11 02:32:34.381 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-11 02:32:34.382 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /test' doesn't match 'POST /logout
2016-09-11 02:32:34.382 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 6 of 13 in additional filter chain; firing Filter: 'OAuth2ClientContextFilter'
2016-09-11 02:32:34.382 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 7 of 13 in additional filter chain; firing Filter: 'OpenIDConnectAuthenticationFilter'
2016-09-11 02:32:34.383 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-09-11 02:32:34.383 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-09-11 02:32:34.385 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-09-11 02:32:34.396 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-09-11 02:32:34.396 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-09-11 02:32:34.405 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter  : Requested session ID D2C2005BFB0AD21F3380BC0BE8326094 is invalid.
2016-09-11 02:32:34.405 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-09-11 02:32:34.406 DEBUG 41435 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /test at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-09-11 02:32:34.407 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/test'; against '/'
2016-09-11 02:32:34.415 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/test'; against '/test'
2016-09-11 02:32:34.421 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /test; Attributes: [authenticated]
2016-09-11 02:32:34.422 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-09-11 02:32:34.650 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3f726a43, returned: -1
2016-09-11 02:32:34.676 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:57)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:57)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

2016-09-11 02:32:34.678 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using Ant [pattern='/**', GET]
2016-09-11 02:32:34.678 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request '/test' matched by universal pattern '/**'
2016-09-11 02:32:34.679 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using NegatedRequestMatcher [requestMatcher=Ant [pattern='/**/favicon.ico']]
2016-09-11 02:32:34.679 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/test'; against '/**/favicon.ico'
2016-09-11 02:32:34.679 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher  : matches = true
2016-09-11 02:32:34.679 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@7f127599, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]]
2016-09-11 02:32:34.689 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
2016-09-11 02:32:34.689 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Processing text/html
2016-09-11 02:32:34.689 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : application/json .isCompatibleWith text/html = false
2016-09-11 02:32:34.689 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Processing application/xhtml+xml
2016-09-11 02:32:34.691 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : application/json .isCompatibleWith application/xhtml+xml = false
2016-09-11 02:32:34.692 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Processing image/webp
2016-09-11 02:32:34.692 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : application/json .isCompatibleWith image/webp = false
2016-09-11 02:32:34.697 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Processing application/xml;q=0.9
2016-09-11 02:32:34.699 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : application/json .isCompatibleWith application/xml;q=0.9 = false
2016-09-11 02:32:34.703 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Processing */*;q=0.8
2016-09-11 02:32:34.705 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Ignoring
2016-09-11 02:32:34.707 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher      : Did not match any media types
2016-09-11 02:32:34.707 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher  : matches = true
2016-09-11 02:32:34.707 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
2016-09-11 02:32:34.708 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher  : matches = true
2016-09-11 02:32:34.709 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.util.matcher.AndRequestMatcher   : All requestMatchers returned true
2016-09-11 02:32:34.759 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/test]
2016-09-11 02:32:34.759 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2016-09-11 02:32:34.760 DEBUG 41435 --- [nio-8080-exec-1] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://localhost:8080/login'
2016-09-11 02:32:34.761 DEBUG 41435 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-09-11 02:32:34.761 DEBUG 41435 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-09-11 02:32:35.059 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-09-11 02:32:35.059 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-09-11 02:32:35.059 DEBUG 41435 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2016-09-11 02:32:35.059 DEBUG 41435 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@7ff7af51. A new one will be created.
2016-09-11 02:32:35.060 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-09-11 02:32:35.060 DEBUG 41435 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@38511637
2016-09-11 02:32:35.060 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-09-11 02:32:35.060 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-09-11 02:32:35.061 DEBUG 41435 --- [nio-8080-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /login' doesn't match 'POST /logout
2016-09-11 02:32:35.061 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 6 of 13 in additional filter chain; firing Filter: 'OAuth2ClientContextFilter'
2016-09-11 02:32:35.062 DEBUG 41435 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /login at position 7 of 13 in additional filter chain; firing Filter: 'OpenIDConnectAuthenticationFilter'
2016-09-11 02:32:35.187 DEBUG 41435 --- [nio-8080-exec-2] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'https://accounts.google.com/o/oauth2/auth?client_id=%3Cclient_id%3E&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&scope=openid&state=19P08W'
2016-09-11 02:32:35.187 DEBUG 41435 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-09-11 02:32:35.188 DEBUG 41435 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Also, in the sample code, take note of @EnableOAuth2Client which imports the OAuth2ClientConfiguration.
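
The four-step flow above, expressed in the XML namespace the question uses, as an added example that is not part of the original answer or the demo project. It replaces the question's `<http>` block and entry-point bean and keeps the posted `oauth:client`, `oauth:resource` and `oauth:rest-template` elements; the `/login` URL, the bean ids `loginEntryPoint`, `googleLoginFilter` and `googleTokenServices`, and the class `com.example.GoogleTokenServices` are assumptions made for illustration.

```xml
<!-- Added example: client-role ("relying party") wiring for spring-security.xml. -->

<!-- create-session="stateless" is dropped: the OAuth2 client context (state value,
     access token) and the saved original request both live in the HTTP session. -->
<http entry-point-ref="loginEntryPoint">
    <intercept-url pattern="/V1/**" access="IS_AUTHENTICATED_FULLY" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- The context filter must run BEFORE the login filter so that it can catch the
         UserRedirectRequiredException the login filter throws and turn it into the
         redirect to the authorization server. Placed after
         EXCEPTION_TRANSLATION_FILTER, as in the question, it never sees it. -->
    <custom-filter ref="oauth2ClientFilter" after="PRE_AUTH_FILTER" />
    <custom-filter ref="googleLoginFilter" before="FORM_LOGIN_FILTER" />
</http>

<!-- Steps 1-2: an AccessDeniedException for an anonymous user now produces a
     redirect to /login instead of the 401 "Full authentication is required"
     body written by OAuth2AuthenticationEntryPoint. -->
<beans:bean id="loginEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/login" />
</beans:bean>

<!-- Step 3: handles /login. With no access token in the client context, the call to
     restTemplate.getAccessToken() throws UserRedirectRequiredException; on the
     return trip (code + state parameters) it exchanges the code for a token and
     asks tokenServices to build the Authentication. -->
<beans:bean id="googleLoginFilter"
    class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
    <beans:constructor-arg value="/login" />
    <beans:property name="restTemplate" ref="googleOauthRestTemplate" />
    <beans:property name="tokenServices" ref="googleTokenServices" />
</beans:bean>

<!-- Hypothetical class: an application-supplied implementation of
     org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
     that validates the access token and loads the user's identity. -->
<beans:bean id="googleTokenServices" class="com.example.GoogleTokenServices" />

<!-- Assumption about deployment: web.xml also registers
     org.springframework.web.context.request.RequestContextListener, because the
     rest template's client context is session-scoped and is used here inside the
     security filter chain, outside any DispatcherServlet. -->
```

The redirect URI registered with the provider has to match the login URL, as the `redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin` parameter in the log above shows.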



Source: https://stackoverflow.com/questions/29948154/cant-get-spring-security-oauth2-login-to-trigger