Java – why can't my Spring OAuth2 server work over SSL with a self-signed certificate?
I use OAuth 2.0 in my application. I have 2 applications developed using Spring Boot: one uses the URL https://192.168.1.30:2999/autenticador for authentication, and the second is the client, https://192.168.1.30:2901/, which authenticates against it.
When I use the server without SSL ( http://192.168.1.30:2999/autenticador and https://192.168.1.30:2901/ ), the authorization is successful. However, when I use the self-signed certificate, I encounter a problem: error 401 is returned, unauthorized, authentication fails: unable to obtain the access token. I don't know how or why it happens.
Observation: the certificate is registered as trusted on my computer, and I see that the address bar is green.
client:
    @SpringBootApplication
    @EnableOAuth2Sso
    public class Application {

        public static void main(String[] args)
                throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
            SpringApplication.run(Application.class, args);
        }
    }
OAuth 2.0 configuration on server:
    @Configuration
    @EnableAuthorizationServer
    public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("client")
                .authorizedGrantTypes("authorization_code")
                .scopes("read", "trust")
                .resourceIds("RESOURCE_ID")
                .secret("secret");
        }
    }
This is the client log after the server logs in successfully:
    2016-06-06 16:47:27.376 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    2016-06-06 16:47:27.377 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No HttpSession currently exists
    2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: null. A new one will be created.
    2016-06-06 16:47:27.381 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
    2016-06-06 16:47:27.382 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
    2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 5 of 12 in additional filter chain; firing Filter: 'logoutFilter'
    2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Request 'GET /' doesn't match 'POST /logout
    2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
    2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher Checking match of request : '/'; against '/login'
    2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2016-06-06 16:47:27.386 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.session.SessionManagementFilter Requested session ID CBA2CC9F09D613F91D95FD4764E48A50 is invalid.
    2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy / at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
    2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    2016-06-06 16:47:27.399 DEBUG [nio-2901-exec-4] o.s.s.access.vote.AffirmativeBased Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fcae110, returned: -1
    2016-06-06 16:47:27.404 DEBUG [nio-2901-exec-4] o.s.s.w.a.ExceptionTranslationFilter Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
Solution
Can you check the configuration in "spring-security.xml" to see if the 'requires-channel' attribute is set to https instead of http? If not, please set all of them to https and try again.
More information about this problem is here: http://docs.spring.io/spring-security/site/faq/faq.html#faq-tomcat-https-session
Sample:
    <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
    <intercept-url pattern="/resources/**" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
    <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
    <intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
    <intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
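The check this answer asks for can be automated. The script below is an added example, not part of the original answer or of Spring: it lists every intercept-url rule in a Spring Security XML file that is not pinned to https. The function names and the sample XML are constructed for illustration, and a missing requires-channel attribute is treated as 'any' (no channel requirement).

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the asker's project): two rules in the
# style of the answer's sample plus two that do not force HTTPS.
SAMPLE_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http use-expressions="true">
    <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="http"/>
    <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
  </http>
</beans:beans>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_rules(xml_text):
    """Return (pattern, channel) for every intercept-url not pinned to https.

    Works whether the security namespace is the default one or prefixed
    (e.g. <sec:intercept-url>). A missing requires-channel attribute is
    reported as 'any', i.e. the URL may be served over plain HTTP.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "intercept-url":
            continue
        channel = elem.get("requires-channel", "any").strip().lower()
        if channel != "https":
            findings.append((elem.get("pattern"), channel))
    return findings


if __name__ == "__main__":
    for pattern, channel in find_insecure_rules(SAMPLE_XML):
        print(f"{pattern}: requires-channel={channel} (expected https)")
```

An empty result means every rule already forces HTTPS, so the mixed HTTP/HTTPS session problem described in the linked FAQ entry is not coming from these rules.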