Spring Security: OAuth Stuck in a redirect loop before getting access token, but no pages beside initial page is protected

huangapple go评论147阅读模式
英文:

Spring Security: OAuth Stuck in a redirect loop before getting access token, but no pages beside initial page is protected

问题

我有一个使用Spring Boot的应用程序,前端使用React打包在一起。

React是一个单页应用程序,位于http://localhost:8080/。它会接收任何页面更改并更新本地浏览器URL,使其看起来已经更改为新页面,但实际上仍然位于根位置。例如,单击“Admin Dashboard”会更新浏览器URL为“http://localhost:8080/admin”,但实际上仍然位于主页面(如果有任何过多的解释,请见谅)。

但是,如果用户点击刷新,浏览器将请求/server /admin,实际上并不存在。为了解决这个问题,我将所有404错误重定向回根URL(http://localhost:8080/),React将智能显示Admin页面,因此它似乎不仅仅是一个单页应用程序。

这个方法可以正常工作,但我目前的问题是,我正在尝试更改安全性,使我的应用程序成为OAuth 1.0a(生产者是一个仅支持1.0a的较旧应用程序)的消费者,并且对第三方OAuth生产者应用程序的用户进行身份验证,如果凭据验证成功,它们将被重定向回我的应用程序,并可以继续访问我的应用程序的受保护资源(如果我的预期不正确,请告诉我)。

**问题:应用程序重定向请求到第三方应用程序,我可以正常登录。但是,我陷入了一个OAuth循环,并且它在ERR_TOO_MANY_REDIRECTS的超时处卡住。我认为它在步骤3中被卡住,此时它被重定向到应用程序,应用程序应该用授权码交换访问令牌的详细信息。我认为处理步骤3的任何内容都被视为受保护资源,因此它不断重放OAuth流程,但我不确定。但这没有道理,因为除了授权资源(/static/testing/ - 这是该目录中唯一的内容 - 我更改了它以便我可以更确定布局)外,所有请求都被允许。我是否需要使用自己的代码处理这个最后的步骤?

在页面超时并显示ERR_TOO_MANY_REDIRECTS时,以下是最终URL。它有很多新的实例?oauth_token=<token>&oauth_verifier=<verifier>。每个都有不同的键,所以似乎有些东西阻止它完成OAuth流程并不断重复从头开始的步骤,但卡在同一个地方。

http://localhost:8080/static/testing/index.html?oauth_token=b20eecd7a7994a62b751b43458049302&oauth_verifier=c03877ca49be497fb7f2e803e97e8137&oauth_token=25097eab2e3b4b97bf6cbb5a112bb4a8&oauth_verifier=74877789499242f18a9b4d01ee9fea44&oauth_token=6d3136579d234b1c8d21c5f1aabe43a1&oauth_verifier=fe51e99d83954f928b598923ff10fc44&oauth_token=dcb33bce0d8b40d89ae09429adc0fd73&oauth_verifier=4df25da7f1b1403880dce4f7d36b25a5&oauth_token=e9cb8a40323448bbad391df137b7e81d&oauth_verifier=885aa185049f426895529885f34f85c6&oauth_token=bcbe5012553e405c8b6699907fd78256&oauth_verifier=ee9c69c3d1df433289562008b5483810&oauth_token=d7fb00125b664bff820488dc4bc1852d&oauth_verifier=b0c7dee12f4647f2821860170b1c6c42&oauth_token=fbb0f9a607534

英文:

I have a Spring Boot application that is bundled with React for the front-end.

React is a single-page application, served at http://localhost:8080/. It will take any page changes and update the local browser URL to look like it's changed to a new page, however, it still is actually at the root location. For example, clicking "Admin Dashboard" would update the browser URL to say "http://localhost:8080/admin" but it would still be on the main page (apologies for any over-explanation).

If a user clicks refresh though, the browser would ask the server for /admin which doesn't actually exist. To work around this I am redirecting any 404 errors back to the root URL
(http://localhost:8080/) and React will intelligently display the Admin page, so it appears it's more than a single-page application.

This works fine, but my current issue is I'm trying to change the security so that my application becomes an OAuth 1.0a (the producer is an older app that only supports 1.0a) Consumer and authenticates the user against the 3rd Party OAuth Producer application, and if the credentials authenticate successfully, they are redirected back to my application and can proceed to access my applications protected resources (please let me know if my expectation of how this works is wrong though).

Problem: The application redirects requests to the 3rd-party application and I can login with no issues. However, I get stuck in an OAuth loop and it times out with ERR_TOO_MANY_REDIRECTS. I think it gets stuck in Step 3 where it's redirected to the application and the application should then exchange the details for an access token. I think whatever is handling Step 3 is being treated as a protected resource, so it keeps replaying the OAuth flow, but not sure though. But it doesn't make sense as all requests are permitted except the authorized resource (/static/testing/** - which is the only thing in that directory - changed it so I could be more sure of how things are laid out). Do I need to handle this final step with the code of my own?

Here is the final URL when the page times out with ERR_TOO_MANY_REDIRECTS. It has a lot of new instances of ?oauth_token=<token>&oauth_verifier=<verifier>. Each one has different keys, so it seems it's hitting something that's preventing it to complete the OAuth flow and keeps repeating the steps from the start, but getting stuck at the same place.

http://localhost:8080/static/testing/index.html?oauth_token=b20eecd7a7994a62b751b43458049302&amp;oauth_verifier=c03877ca49be497fb7f2e803e97e8137&amp;oauth_token=25097eab2e3b4b97bf6cbb5a112bb4a8&amp;oauth_verifier=74877789499242f18a9b4d01ee9fea44&amp;oauth_token=6d3136579d234b1c8d21c5f1aabe43a1&amp;oauth_verifier=fe51e99d83954f928b598923ff10fc44&amp;oauth_token=dcb33bce0d8b40d89ae09429adc0fd73&amp;oauth_verifier=4df25da7f1b1403880dce4f7d36b25a5&amp;oauth_token=e9cb8a40323448bbad391df137b7e81d&amp;oauth_verifier=885aa185049f426895529885f34f85c6&amp;oauth_token=bcbe5012553e405c8b6699907fd78256&amp;oauth_verifier=ee9c69c3d1df433289562008b5483810&amp;oauth_token=d7fb00125b664bff820488dc4bc1852d&amp;oauth_verifier=b0c7dee12f4647f2821860170b1c6c42&amp;oauth_token=fbb0f9a6075345c6b1e2c1f11fc874a6&amp;oauth_verifier=f30761f460134103a132c60803145358&amp;oauth_token=ff5da5a77b2e4599b3b3465b48668504&amp;oauth_verifier=a9fe7da1abb1460a8836896aaa442cc9&amp;oauth_token=726ea4b12fd8445bb2cb5e1de10fd94b&amp;oauth_verifier=8d8653ea2dbe4547a0401c6b8524638b&amp;oauth_token=6b8e507ce3254f79b8ce6d98c9ec6784&amp;oauth_verifier=491e101a3cc04c01b16e8834711a0ac8&amp;oauth_token=792be2983ca1496a9ec0f7384eae6316&amp;oauth_verifier=db916051bff443ceacd1b59d2d87cdb8&amp;oauth_token=98f1d137d7144e568f96b7b21df0679c&amp;oauth_verifier=06c3c963161d4fcd966573db262d021c&amp;oauth_token=74ef3c374186405a93a507ebfd7779f0&amp;oauth_verifier=9e492fcf456d4c4e80cb21ed5ec9c6e5&amp;oauth_token=6d609503d8c64cca993ab9298a85054e&amp;oauth_verifier=41e4aca57f184c7b88f4d82820c1f5ab&amp;oauth_token=0f32bfceaa474bff91a88dafe4da9d66&amp;oauth_verifier=59a67e101fe64ee7ba7531d8cb7f65af&amp;oauth_token=af4065dac8184b748d8719cc2f2d429d&amp;oauth_verifier=20d0ffee40214635a12f987b7d338053&amp;oauth_token=718f65634195446c831b8acc9d9ddc81&amp;oauth_verifier=3e6b0ac42028403abf0ed77d0b205fe7&amp;oauth_token=6ce3d8e1460748ccb6a5a151cc467d40&amp;oauth_verifier=dd5173ad4fab491aab50a66047329dfa

Note: Here are the redirects in my application (not directly related, but could be so wanted to provide context)

Redirects:

*RedirectController*: /private to /  &lt;-- was used in the original login implementation
*NotFoundHandler*: 404 to /static/index.html
*WebSocketConfig*: Registered at /ws
 
*NotFoundHandler Source Code*: (and we removed application.getSources().remove(ErrorPageFilter.class) from ApplicationContext)
@ControllerAdvice
public class NotFoundHandler {

    @ExceptionHandler(NoHandlerFoundException.class)
    public ResponseEntity&lt;String&gt; renderDefaultPage() {
        try {
            InputStream inputStream = new ClassPathResource(&quot;/static/index.html&quot;).getInputStream();
            String body = StreamUtils.copyToString(inputStream, Charset.defaultCharset());
            return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(body);
        } catch (IOException e) {
            e.printStackTrace();
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(&quot;There was an error completing the action.&quot;);
        }
    }
}

OAuth Configuration:
Note: I've allowed all requests without authentication (/), except one directory (/static/testing/) - or that is my intention at least.

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // permit all requests (except the /static/testing/** which is called out further down)
        http.authorizeRequests().antMatchers(&quot;/**&quot;).permitAll();

        http.addFilterAfter(this.oauthConsumerContextFilter(), SwitchUserFilter.class);
        http.addFilterAfter(this.oauthConsumerProcessingFilter(), OAuthConsumerContextFilter.class);
    }

    // IMPORTANT: this must not be a Bean
    OAuthConsumerContextFilter oauthConsumerContextFilter() {
        OAuthConsumerContextFilter filter = new OAuthConsumerContextFilter();
        filter.setConsumerSupport(this.consumerSupport());
        return filter;
    }

    // IMPORTANT: this must not be a Bean
    OAuthConsumerProcessingFilter oauthConsumerProcessingFilter() {
        OAuthConsumerProcessingFilter filter = new OAuthConsumerProcessingFilter();
        filter.setProtectedResourceDetailsService(this.prds());

        LinkedHashMap&lt;RequestMatcher, Collection&lt;ConfigAttribute&gt;&gt; map = new LinkedHashMap&lt;&gt;();

		// one entry per oauth:url element in xml
        map.put(
                // 1st arg is equivalent of url:pattern in xml
                // 2nd arg is equivalent of url:httpMethod in xml
                new AntPathRequestMatcher(&quot;/static/testing/**&quot;, null),
                // arg is equivalent of url:resources in xml
                // IMPORTANT: this must match the ids in prds() and prd() below
                Collections.singletonList(new SecurityConfig(&quot;myResource&quot;)));

        filter.setObjectDefinitionSource(new DefaultFilterInvocationSecurityMetadataSource(map));

        return filter;
    }

    @Bean // optional, I re-use it elsewhere, hence the Bean
    OAuthConsumerSupport consumerSupport() {
        CoreOAuthConsumerSupport consumerSupport = new CoreOAuthConsumerSupport();
        consumerSupport.setProtectedResourceDetailsService(prds());
        return consumerSupport;
    }

    @Bean // optional, I re-use it elsewhere, hence the Bean
    ProtectedResourceDetailsService prds() {
        return (String id) -&gt; {
            switch (id) {
                // this must match the id in prd() below
                case &quot;myResource&quot;:
                    return prd();
            }
            throw new RuntimeException(&quot;Invalid id: &quot; + id);
        };
    }

    ProtectedResourceDetails prd() {
        BaseProtectedResourceDetails details = new BaseProtectedResourceDetails();

        // this must be present and match the id in prds() and prd() above
        details.setId(&quot;myResource&quot;);

        details.setConsumerKey(&quot;&lt;consumer key was here&gt;&quot;);
        details.setSharedSecret(new SharedConsumerSecretImpl(&quot;&lt;consumer secret was here&gt;&quot;));

        details.setRequestTokenURL(&quot;https://localhost:9443/oauth-request-token&quot;);
        details.setUserAuthorizationURL(&quot;https://localhost:9443/oauth-authorize&quot;);
        details.setAccessTokenURL(&quot;https://localhost:9443/oauth-access-token&quot;);

        // any other service-specific settings

        return details;
    }
}

Final Question
It seems to get stuck at the final major step of the OAuth flow, after it receives the oauth_token and oauth_verifier from the Producer, and never makes the final request to get an access token using the access token URL. Does anyone know why it would be getting stuck at this point?

Is that in the final step it redirects back to the protected resource (/static/testing/index.html), and the oauthConsumerProcessingFilter isn't intercepting the request first and requesting the access token?

Or is that I should have been forwarding /static/testing/index.html to the Provider instead of serving local content, and my understanding of the OAuth flow won't work out of the box for the use case I'm trying to do (really just use OAuth for user verification against the Provider when my own applications protected resources are being accessed)?

###################### EDIT ######################

Adding Spring Log:

Here is the Spring log that shows the initial token request from the Provider, the redirection to the Provider, but once the Provider is logged into and redirects back to the Callback, Spring doesn't recognize the current oauth process in progress, and starts it over again with the oauth_token and oauth_verifier appended to the URL, and loops this process indefinitely til the browser fails with ERR_TOO_MANY_REDIRECTS.

2020-08-12T14:53:56,383 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 2 of 13 in additional filter chain; firing Filter: &#39;SecurityContextPersistenceFilter&#39;
2020-08-12T14:53:56,383 DEBUG http-nio-8080-exec-1 o.s.s.w.c.HttpSessionSecurityContextRepository: No HttpSession currently exists
2020-08-12T14:53:56,383 DEBUG http-nio-8080-exec-1 o.s.s.w.c.HttpSessionSecurityContextRepository: No SecurityContext was available from the HttpSession: null. A new one will be created.
2020-08-12T14:53:56,385 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 3 of 13 in additional filter chain; firing Filter: &#39;HeaderWriterFilter&#39;
2020-08-12T14:53:56,385 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 4 of 13 in additional filter chain; firing Filter: &#39;CsrfFilter&#39;
2020-08-12T14:53:56,386 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 5 of 13 in additional filter chain; firing Filter: &#39;LogoutFilter&#39;
2020-08-12T14:53:56,386 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher: Request &#39;GET /static/testing/index.html&#39; doesn&#39;t match &#39;POST /logout&#39;
2020-08-12T14:53:56,386 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 6 of 13 in additional filter chain; firing Filter: &#39;RequestCacheAwareFilter&#39;
2020-08-12T14:53:56,386 DEBUG http-nio-8080-exec-1 o.s.s.w.s.HttpSessionRequestCache: saved request doesn&#39;t match
2020-08-12T14:53:56,386 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 7 of 13 in additional filter chain; firing Filter: &#39;SecurityContextHolderAwareRequestFilter&#39;
2020-08-12T14:53:56,387 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 8 of 13 in additional filter chain; firing Filter: &#39;AnonymousAuthenticationFilter&#39;
2020-08-12T14:53:56,388 DEBUG http-nio-8080-exec-1 o.s.s.w.a.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: &#39;org.springframework.security.authentication.AnonymousAuthenticationToken@7bf9dbd5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS&#39;
2020-08-12T14:53:56,388 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 9 of 13 in additional filter chain; firing Filter: &#39;SessionManagementFilter&#39;
2020-08-12T14:53:56,388 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 10 of 13 in additional filter chain; firing Filter: &#39;ExceptionTranslationFilter&#39;
2020-08-12T14:53:56,389 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 11 of 13 in additional filter chain; firing Filter: &#39;FilterSecurityInterceptor&#39;
2020-08-12T14:53:56,389 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher: Request &#39;/static/testing/index.html&#39; matched by universal pattern &#39;/**&#39;  (it matches against the /** permit All)
2020-08-12T14:53:56,389 DEBUG http-nio-8080-exec-1 o.s.s.a.i.AbstractSecurityInterceptor: Secure object: FilterInvocation: URL: /static/testing/index.html; Attributes: [permitAll]
2020-08-12T14:53:56,389 DEBUG http-nio-8080-exec-1 o.s.s.a.i.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@7bf9dbd5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-08-12T14:53:56,393 DEBUG http-nio-8080-exec-1 o.s.s.a.v.AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2987f971, returned: 1
2020-08-12T14:53:56,393 DEBUG http-nio-8080-exec-1 o.s.s.a.i.AbstractSecurityInterceptor: Authorization successful
2020-08-12T14:53:56,393 DEBUG http-nio-8080-exec-1 o.s.s.a.i.AbstractSecurityInterceptor: RunAsManager did not change Authentication object
2020-08-12T14:53:56,393 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 12 of 13 in additional filter chain; firing Filter: &#39;OAuthConsumerContextFilter&#39;
2020-08-12T14:53:56,394 DEBUG http-nio-8080-exec-1 o.s.s.o.c.f.OAuthConsumerContextFilter: Storing access tokens in request attribute &#39;OAUTH_ACCESS_TOKENS&#39;.
2020-08-12T14:53:56,394 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html at position 13 of 13 in additional filter chain; firing Filter: &#39;OAuthConsumerProcessingFilter&#39;
2020-08-12T14:53:56,394 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher: Checking match of request : &#39;/static/testing/index.html&#39;; against &#39;/static/testing/**&#39; (it further matches against the OAuth resource since it is /static/testing/**)
2020-08-12T14:53:56,404 DEBUG http-nio-8080-exec-1 o.s.s.o.c.f.OAuthConsumerContextFilter: Obtaining request token for resource: myResource (Step 1a: Getting request token from JTS. The callback URL is the protected page that we requested, is that a problem? Or should a filter intercept it on the next step to take over part 3 in the process before actually requesting the resource?)
2020-08-12T14:53:56,548 DEBUG http-nio-8080-exec-1 o.s.s.o.c.s.HMAC_SHA1SignatureMethod: signature base: POST&amp;https%3A%2F%2Flocalhost%3A9443%2Fjts%2Foauth-request-token&amp;oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A8080%252Fstatic%252Ftesting%252Findex.html%26oauth_consumer_key%3D14b5f4e56856464c9ba64e11a6d558cb%26oauth_nonce%3Dce7d30a7-0b11-4525-a42f-9a353868a5f2%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1597258436%26oauth_version%3D1.0
2020-08-12T14:53:56,548 DEBUG http-nio-8080-exec-1 o.s.s.o.c.s.HMAC_SHA1SignatureMethod: signature: zAri6vOmcybjeKi3W6CvTkMv5uk=
2020-08-12T14:53:56,628 DEBUG http-nio-8080-exec-1 o.s.s.o.c.f.OAuthConsumerContextFilter: Request token obtained for resource myResource: cba433cd39a34a34a80e3dbe96d593bd (Step 1b:Received the request token from JTS)
2020-08-12T14:53:56,629 DEBUG http-nio-8080-exec-1 o.s.s.o.c.f.OAuthConsumerContextFilter: Redirecting request to https://localhost:9443/jts/oauth-authorize?oauth_token=cba433cd39a34a34a80e3dbe96d593bd for user authorization of the request token for resource myResource. (Step 2a: redirecting user to the JTS login page for authorization)
2020-08-12T14:53:56,629 DEBUG http-nio-8080-exec-1 o.s.s.w.DefaultRedirectStrategy: Redirecting to &#39;https://localhost:9443/jts/oauth-authorize?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&#39;
2020-08-12T14:53:56,630 DEBUG http-nio-8080-exec-1 o.s.s.w.h.w.HstsHeaderWriter: Not injecting HSTS header since it did not match the requestMatcher (is this line and the next 3 a problem? Should it be storing the security context and can’t because of the http/https mismatch?)org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3df79515
2020-08-12T14:53:56,630 DEBUG http-nio-8080-exec-1 o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper: SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-08-12T14:53:56,631 DEBUG http-nio-8080-exec-1 o.s.s.w.a.ExceptionTranslationFilter: Chain processed normally
2020-08-12T14:53:56,632 DEBUG http-nio-8080-exec-1 o.s.s.w.c.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
2020-08-12T14:53:59,846 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?  (We’ve now received the call back redirection from JTS to go back to /static/testing/index.html but with the oauth_token and oauth_verifier which would be used in the final step, sending those back to JTS to get a oauth_access token (using /jts/oauth-access-token). However, it seems it doesn’t realize it has the current OAuth flow in process, and repeats all of the above steps in an infinite loop til the browser stops the process with ERR_TOO_MANY_REDIRECTS. Is this because the SecurityContext wasn’t stored? Or another configuration issue I’m missing?). oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 1 of 13 in additional filter chain; firing Filter: &#39;WebAsyncManagerIntegrationFilter&#39;
2020-08-12T14:53:59,846 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 2 of 13 in additional filter chain; firing Filter: &#39;SecurityContextPersistenceFilter&#39;
2020-08-12T14:53:59,846 DEBUG http-nio-8080-exec-2 o.s.s.w.c.HttpSessionSecurityContextRepository: No HttpSession currently exists
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.c.HttpSessionSecurityContextRepository: No SecurityContext was available from the HttpSession: null. A new one will be created.
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 3 of 13 in additional filter chain; firing Filter: &#39;HeaderWriterFilter&#39;
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 4 of 13 in additional filter chain; firing Filter: &#39;CsrfFilter&#39;
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 5 of 13 in additional filter chain; firing Filter: &#39;LogoutFilter&#39;
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.u.m.AntPathRequestMatcher: Request &#39;GET /static/testing/index.html&#39; doesn&#39;t match &#39;POST /logout&#39;
2020-08-12T14:53:59,847 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 6 of 13 in additional filter chain; firing Filter: &#39;RequestCacheAwareFilter&#39;
2020-08-12T14:53:59,848 DEBUG http-nio-8080-exec-2 o.s.s.w.s.HttpSessionRequestCache: saved request doesn&#39;t match
2020-08-12T14:53:59,848 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 7 of 13 in additional filter chain; firing Filter: &#39;SecurityContextHolderAwareRequestFilter&#39;
2020-08-12T14:53:59,848 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 8 of 13 in additional filter chain; firing Filter: &#39;AnonymousAuthenticationFilter&#39;
2020-08-12T14:53:59,848 DEBUG http-nio-8080-exec-2 o.s.s.w.a.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: &#39;org.springframework.security.authentication.AnonymousAuthenticationToken@7bf9dbd5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS&#39;
2020-08-12T14:53:59,848 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 9 of 13 in additional filter chain; firing Filter: &#39;SessionManagementFilter&#39;
2020-08-12T14:53:59,849 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 10 of 13 in additional filter chain; firing Filter: &#39;ExceptionTranslationFilter&#39;
2020-08-12T14:53:59,849 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 11 of 13 in additional filter chain; firing Filter: &#39;FilterSecurityInterceptor&#39;
2020-08-12T14:53:59,849 DEBUG http-nio-8080-exec-2 o.s.s.w.u.m.AntPathRequestMatcher: Request &#39;/static/testing/index.html&#39; matched by universal pattern &#39;/**&#39;
2020-08-12T14:53:59,849 DEBUG http-nio-8080-exec-2 o.s.s.a.i.AbstractSecurityInterceptor: Secure object: FilterInvocation: URL: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca; Attributes: [permitAll]
2020-08-12T14:53:59,849 DEBUG http-nio-8080-exec-2 o.s.s.a.i.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@7bf9dbd5: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-08-12T14:53:59,850 DEBUG http-nio-8080-exec-2 o.s.s.a.v.AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2987f971, returned: 1
2020-08-12T14:53:59,850 DEBUG http-nio-8080-exec-2 o.s.s.a.i.AbstractSecurityInterceptor: Authorization successful
2020-08-12T14:53:59,850 DEBUG http-nio-8080-exec-2 o.s.s.a.i.AbstractSecurityInterceptor: RunAsManager did not change Authentication object
2020-08-12T14:53:59,850 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 12 of 13 in additional filter chain; firing Filter: &#39;OAuthConsumerContextFilter&#39;
2020-08-12T14:53:59,851 DEBUG http-nio-8080-exec-2 o.s.s.o.c.f.OAuthConsumerContextFilter: Storing access tokens in request attribute &#39;OAUTH_ACCESS_TOKENS&#39;.
2020-08-12T14:53:59,851 DEBUG http-nio-8080-exec-2 o.s.s.w.FilterChainProxy$VirtualFilterChain: /static/testing/index.html?oauth_token=cba433cd39a34a34a80e3dbe96d593bd&amp;oauth_verifier=82d017779d1547129e84b3173e7c3dca at position 13 of 13 in additional filter chain; firing Filter: &#39;OAuthConsumerProcessingFilter&#39;
2020-08-12T14:53:59,851 DEBUG http-nio-8080-exec-2 o.s.s.w.u.m.AntPathRequestMatcher: Checking match of request : &#39;/static/testing/index.html&#39;; against &#39;/static/testing/**&#39;
2020-08-12T14:53:59,852 DEBUG http-nio-8080-exec-2 o.s.s.o.c.f.OAuthConsumerContextFilter: Obtaining request token for resource: myResource
2020-08-12T14:53:59,853 DEBUG http-nio-8080-exec-2 o.s.s.o.c.s.HMAC_SHA1SignatureMethod: signature base: POST&amp;https%3A%2F%2Flocalhost%3A9443%2Fjts%2Foauth-request-token&amp;oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A8080%252Fstatic%252Ftesting%252Findex.html%253Foauth_token%253Dcba433cd39a34a34a80e3dbe96d593bd%2526oauth_verifier%253D82d017779d1547129e84b3173e7c3dca%26oauth_consumer_key%3D14b5f4e56856464c9ba64e11a6d558cb%26oauth_nonce%3D08415a86-c1b8-4bcf-9379-961afddd6f3e%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1597258439%26oauth_version%3D1.0
2020-08-12T14:53:59,853 DEBUG http-nio-8080-exec-2 o.s.s.o.c.s.HMAC_SHA1SignatureMethod: signature: x/yPyZhL1RS8RqDOpqnpBwjG57I=
2020-08-12T14:53:59,856 DEBUG http-nio-8080-exec-2 o.s.s.o.c.f.OAuthConsumerContextFilter: Request token obtained for resource myResource: c97af51ba3554c24a8a00642ca84d950
2020-08-12T14:53:59,856 DEBUG http-nio-8080-exec-2 o.s.s.o.c.f.OAuthConsumerContextFilter: Redirecting request to https://localhost:9443/jts/oauth-authorize?oauth_token=c97af51ba3554c24a8a00642ca84d950 for user authorization of the request token for resource myResource.
2020-08-12T14:53:59,856 DEBUG http-nio-8080-exec-2 o.s.s.w.DefaultRedirectStrategy: Redirecting to &#39;https://localhost:9443/jts/oauth-authorize?oauth_token=c97af51ba3554c24a8a00642ca84d950&#39;
2020-08-12T14:53:59,857 DEBUG http-nio-8080-exec-2 o.s.s.w.h.w.HstsHeaderWriter: Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3df79515
2020-08-12T14:53:59,857 DEBUG http-nio-8080-exec-2 o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper: SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-08-12T14:53:59,857 DEBUG http-nio-8080-exec-2 o.s.s.w.a.ExceptionTranslationFilter: Chain processed normally
2020-08-12T14:53:59,858 DEBUG http-nio-8080-exec-2 o.s.s.w.c.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed```
</details>
# 答案1
**得分**: 1
Sure, here's the translation:
不确定错误是什么,但是一旦我将提供者移动到自己的主机、域名和正确的 SSL 设置上,它就开始正常工作了。(之前两者都在本地主机上,提供者有一个无效的 SSL 证书,但我已在 JRE 中导入了它)。
感谢 @jzheaux!
<details>
<summary>英文:</summary>
Not for sure what the error was, but once I moved the Provider to it&#39;s own host, domain, and proper SSL setup, it started working ok. (Previously both were on the local host and the Provider had an invalid SSL certificate, but I had imported it within the JRE).
Thanks @jzheaux!
</details>

huangapple
  • 本文由 发表于 2020年8月12日 04:23:39
  • 转载请务必保留本文链接:https://go.coder-hub.com/63365871.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定