Comments (7)
When you say "spin up" you mean "run the main method"? So the app is just broken?
It might be the client credentials that don't match (you can tell by setting logging.level.org.springframework.security=DEBUG), or it might be that the default Spring Boot authentication manager (user/password) is being used for password grants (we had an issue in Spring OAuth about that - there is a workaround, if we confirm that's the problem here).
from tut-rest.
I turned up the log levels as you suggested and then saw it fail inside DaoAuthenticationProvider. I set a breakpoint and ran it again. I saw it succeed when supplying the clientid/secret credentials, but later it failed when trying to authenticate jlong/password. I snapshotted the state right before jlong fails, as shown below:
this = {org.springframework.security.authentication.dao.DaoAuthenticationProvider@9610}
passwordEncoder = {org.springframework.security.authentication.encoding.PlaintextPasswordEncoder@9623}
userNotFoundEncodedPassword = {java.lang.String@9602}"userNotFoundPassword"
saltSource = null
userDetailsService = {org.springframework.security.provisioning.InMemoryUserDetailsManager@9624}
logger = {org.apache.commons.logging.impl.SLF4JLocationAwareLog@9639}
users = {java.util.HashMap@9640} size = 1
[0] = {java.util.HashMap$Node@9643}"user" -> {org.springframework.security.provisioning.MutableUser@9645}
key: java.lang.String = {java.lang.String@9644}"user"
value: org.springframework.security.provisioning.MutableUser = {org.springframework.security.provisioning.MutableUser@9645}
password = {java.lang.String@9646}"8b609cdb-b9ae-473c-b172-156146c3ea4a"
delegate = {org.springframework.security.core.userdetails.User@9647}"org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER"
username = {java.lang.String@9618}"jlong"
authentication = {org.springframework.security.authentication.UsernamePasswordAuthenticationToken@9619}"org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4e813b62: Principal: jlong; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities"
principal = {java.lang.String@9618}"jlong"
credentials = {java.lang.String@9651}"password"
details = null
authorities = {java.util.Collections$EmptyList@9652} size = 0
authenticated = false
from tut-rest.
I can confirm: the UserDetails returned from the userDetailsService() method are never queried during the request. Something is misconfigured.
Switching to fresh spring-security-oauth2:2.0.3.RELEASE also doesn't solve anything.
from tut-rest.
2014-10-25 01:01:49.469 INFO 3648 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2014-10-25 01:01:49.469 INFO 3648 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2014-10-25 01:01:49.481 INFO 3648 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 12 ms
2014-10-25 01:01:49.489 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/css/'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/js/'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/images/'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '//favicon.ico'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/error'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/oauth/token']
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : matched
2014-10-25 01:01:49.490 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-10-25 01:01:49.491 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-10-25 01:01:49.491 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2014-10-25 01:01:49.491 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@e475215
2014-10-25 01:01:49.492 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2014-10-25 01:01:49.492 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2014-10-25 01:01:49.492 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-10-25 01:01:49.494 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'android-bookmarks'
2014-10-25 01:01:49.495 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2014-10-25 01:01:49.501 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@15c1ad4b: Principal: org.springframework.security.core.userdetails.User@51dc1c1f: Username: android-bookmarks; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2014-10-25 01:01:49.501 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-10-25 01:01:49.501 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-10-25 01:01:49.502 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-10-25 01:01:49.502 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@15c1ad4b: Principal: org.springframework.security.core.userdetails.User@51dc1c1f: Username: android-bookmarks; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2014-10-25 01:01:49.502 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-10-25 01:01:49.502 DEBUG 3648 --- [nio-8080-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy@afbd831
2014-10-25 01:01:49.502 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-10-25 01:01:49.503 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-10-25 01:01:49.503 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2014-10-25 01:01:49.503 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token; Attributes: [fullyAuthenticated]
2014-10-25 01:01:49.503 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@15c1ad4b: Principal: org.springframework.security.core.userdetails.User@51dc1c1f: Username: android-bookmarks; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2014-10-25 01:01:49.506 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@43d1ea2d, returned: 1
2014-10-25 01:01:49.506 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2014-10-25 01:01:49.506 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2014-10-25 01:01:49.507 DEBUG 3648 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token reached end of additional filter chain; proceeding with original chain
2014-10-25 01:01:49.511 DEBUG 3648 --- [nio-8080-exec-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Looking up handler method for path /oauth/token
2014-10-25 01:01:49.512 DEBUG 3648 --- [nio-8080-exec-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Returning handler method [public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>)]
2014-10-25 01:01:49.522 DEBUG 3648 --- [nio-8080-exec-1] .o.p.p.ResourceOwnerPasswordTokenGranter : Getting access token for: android-bookmarks
2014-10-25 01:01:49.522 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2014-10-25 01:01:49.523 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider : User 'jlong' not found
2014-10-25 01:01:49.525 INFO 3648 --- [nio-8080-exec-1] o.s.s.o.provider.endpoint.TokenEndpoint : Handling error: InvalidGrantException, Bad credentials
2014-10-25 01:01:49.569 DEBUG 3648 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2014-10-25 01:01:49.570 DEBUG 3648 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
from tut-rest.
After some time playing around I eventually found a way to get this to work by replacing this part of the code in Application.java:
@Configuration
class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {
    @Autowired
    AccountRepository accountRepository;

    // Registers the repository-backed UserDetailsService with the global AuthenticationManagerBuilder.
    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Bean
    UserDetailsService userDetailsService() {
        return (username) ->
            accountRepository.findByUsername(username)
                .map(a -> new User(a.username, a.password, true, true, true, true, AuthorityUtils.createAuthorityList("USER", "write")))
                .orElseThrow(() -> new UsernameNotFoundException("could not find the user '" + username + "'"));
    }
}
with this:
@Configuration
class WebSecurityConfig {
    @Autowired
    AccountRepository accountRepository;

    // Builds a dedicated AuthenticationManager backed by AccountRepository and exposes it as a bean,
    // so the token endpoint's password grant no longer consults Boot's default in-memory user store.
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return new AuthenticationManagerBuilder(new NopPostProcessor())
            .userDetailsService(new UserDetailsService() {
                @Override
                public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                    return accountRepository.findByUsername(username)
                        .map(a -> new User(a.username, a.password, true, true, true, true, AuthorityUtils.createAuthorityList("USER", "write")))
                        .orElseThrow(() -> new UsernameNotFoundException("could not find the user '" + username + "'"));
                }
            }).and().build();
    }

    // AuthenticationManagerBuilder requires an ObjectPostProcessor; this one leaves every object
    // untouched, so the built manager is not post-processed (initialized/autowired) by the context.
    private static class NopPostProcessor implements ObjectPostProcessor<Object> {
        @Override
        public <O> O postProcess(O object) {
            return object;
        }
    }
}
There's a good chance this may not be best practice, so please scrutinize!
from tut-rest.
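A different way to reach the same result, added here as an illustration and not code from this thread or from tut-rest: let a WebSecurityConfigurerAdapter build the AuthenticationManager from the tutorial's UserDetailsService, publish it as a bean, and hand that bean to the authorization server endpoints so the password grant authenticates resource owners against AccountRepository instead of Boot's default user. It assumes the tutorial's AccountRepository/Account types shown above; the OAuth2Config class name is my own.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    AccountRepository accountRepository; // the tutorial's repository (assumed present)

    // Wire the application's user store into the manager this adapter builds.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Bean
    UserDetailsService userDetailsService() {
        return username -> accountRepository.findByUsername(username)
            .map(a -> new User(a.username, a.password, true, true, true, true,
                    AuthorityUtils.createAuthorityList("USER", "write")))
            .orElseThrow(() -> new UsernameNotFoundException("could not find the user '" + username + "'"));
    }

    // Expose exactly this manager as a bean so the authorization server injects it, not Boot's default.
    @Override @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

@Configuration
@EnableAuthorizationServer
class OAuth2Config extends AuthorizationServerConfigurerAdapter {
    @Autowired
    AuthenticationManager authenticationManager; // the bean exposed above

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The password grant authenticates the resource owner with this manager, so "jlong" resolves.
        endpoints.authenticationManager(authenticationManager);
    }
}
```

With this wiring the "User 'jlong' not found" line in the log above should no longer appear, because the token endpoint stops falling back to the InMemoryUserDetailsManager that holds only "user".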
@jdoyle65 that was useful thanks. My workaround is slightly different than yours, but neither should be necessary once we get to Boot 1.1.9 (or 1.2).
from tut-rest.
@dsyer can you open a separate issue on this tutorial so we can track making the necessary update?
from tut-rest.