问题描述

我目前正在从事一个涉及Spring Security(用于OAuth2)的项目.

i am currently working on a project involving spring security (for OAuth2).

我们正在使用authorization_code流.

We are using the authorization_code flow.

但是，当客户端到达AuthorizationEndpoint(/oauth/authorize)时我们得到一个"InsufficientAuthenticationException".这可能是由于此流程中还涉及外部系统，该系统为客户端执行重定向，将其发送到/oauth/authorize端点.

However when the client hits the AuthorizationEndpoint (/oauth/authorize)we get an "InsufficientAuthenticationException".This may be due to an external system which is also involved in this flow which performs a redirect for the client, sending him to the /oauth/authorize endpoint.

据我了解，通过查看调试日志文件和阅读源代码，principal为null，它在AuthorizationEndpoint.authorize方法中使用(特别是第138行，我们使用的是spring-security-oauth2-2.0.7).释放).

From what I understand by looking through the debug logfile and from reading the source code, the principal is null which is used in the AuthorizationEndpoint.authorize method (specifically line 138, we are using spring-security-oauth2-2.0.7.RELEASE).

我了解此时的问题是什么(它不知道"已经通过系统验证的用户)，但是我不知道弹簧专门用来识别用户的信息(我想这将是我的问题).中心问题)

I understand what spring's problem is at this point (it does not "know" the user who is already authenticated with the system) but I do not understand which information specifically spring uses to identify the user (I guess this would be my central question)

我尝试使用正确的参数针对/oauth/authorize执行GET并与请求一起发送包含承载访问令牌的授权标头，但是spring总是抛出InsufficientAuthenticationException.我希望有人可以帮助我.

I tried performing a GET against /oauth/authorize with the correct parameters and sending with the request the authorization header containing the bearer access token but spring always throws the InsufficientAuthenticationException. I'm hoping somebody can help me with this.

最诚挚的问候p.s.

推荐答案

为便于说明，我将在这里回答我自己的问题. TJ 基本上为我指明了正确的方向.

I am going to answer my own question here for the sake of documentation.TJ basically pointed me in the right direction.

就我而言，InsufficientAuthenticationException源于整个堆栈的稍微错误的设置.为了将内容交付给用户，使用了一个Apache，该Apache还用作反向代理，它截断了部署在其背后的tomcat上的应用程序的根上下文.

In my case, the InsufficientAuthenticationException stems from a slightly wrong setup of the whole stack. For delivering the content to users an apache is used which also serves as a reverse proxy, truncating the root context of the application deployed on the tomcat behind it.

可以在此处找到最终解决我问题的答案.问题实际上是，会话cookie包含无效路径(path属性仍包含rootcontext，因为尚未使tomcat意识到它前面的apache将rootcontext截断为"/".)通过tomcat的context.xml中的setSessionCookie ="/"在tomcat侧的路径可以解决问题.

The answer which finally solved my problem can be found here.The problem actually was, that the session cookie contained an invalid path (the path attribute still contained the rootcontext, because tomcat has not been made aware that the apache in front of it is truncating the rootcontext to just "/".) So setting the path on tomcat side via setSessionCookie="/" in tomcat's context.xml did the trick.

因此，当重定向命中spring的oauth/authorize端点时，它使用包含错误路径的会话cookie进行了此操作.因此，对于春季，该请求似乎源自未经身份验证的来源，因此使我为InsufficientAuthenticationException scratch之以鼻.

So, when a redirect hit spring's oauth/authorize endpoint it did so with a session cookie containing the wrong path. because of this, for spring the request seemed to originate from an unauthenticated source, thus leaving me scratching my head about the InsufficientAuthenticationException.

这篇关于具有弹簧安全性的OAuth2-InsufficientAuthenticationException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！