OAuth2.0授权码/oauth/authorize接口调用unauthorized异常

调用/oauth/authorize接口时，代码首先进入org.springframework.web.method.support.InvocableHandlerMethod类的invokeForRequest方法；代码如下：

@Nullablepublic Object invokeForRequest(NativeWebRequest request, @Nullable ModelAndViewContainer mavContainer,Object... providedArgs) throws Exception {Object[] args = getMethodArgumentValues(request, mavContainer, providedArgs);if (logger.isTraceEnabled()) {logger.trace("Invoking '" + ClassUtils.getQualifiedMethodName(getMethod(), getBeanType()) +"' with arguments " + Arrays.toString(args));}Object returnValue = doInvoke(args);if (logger.isTraceEnabled()) {logger.trace("Method [" + ClassUtils.getQualifiedMethodName(getMethod(), getBeanType()) +"] returned [" + returnValue + "]");}return returnValue;}

通过Object returnValue = doInvoke(args);方法调用org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint类的authorize方法；

 @RequestMapping(value = "/oauth/authorize")public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters,SessionStatus sessionStatus, Principal principal) {// Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should// query off of the authorization request instead of referring back to the parameters map. The contents of the// parameters map will be stored without change in the AuthorizationRequest object once it is created.AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);Set<String> responseTypes = authorizationRequest.getResponseTypes();if (!responseTypes.contains("token") && !responseTypes.contains("code")) {throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);}if (authorizationRequest.getClientId() == null) {throw new InvalidClientException("A client id must be provided");}try {if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");}ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());// The resolved redirect URI is either the redirect_uri from the parameters or the one from// clientDetails. Either way we need to store it on the AuthorizationRequest.String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client);if (!StringUtils.hasText(resolvedRedirect)) {throw new RedirectMismatchException("A redirectUri must be either supplied or preconfigured in the ClientDetails");}authorizationRequest.setRedirectUri(resolvedRedirect);// We intentionally only validate the parameters requested by the client (ignoring any data that may have// been added to the request by the manager).oauth2RequestValidator.validateScope(authorizationRequest, client);// Some systems may allow for approval decisions to be remembered or approved by default. Check for// such logic here, and set the approved flag on the authorization request accordingly.authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest,(Authentication) principal);// TODO: is this call necessary?boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);authorizationRequest.setApproved(approved);// Validation is all done, so we can check for auto approval...if (authorizationRequest.isApproved()) {if (responseTypes.contains("token")) {return getImplicitGrantResponse(authorizationRequest);}if (responseTypes.contains("code")) {return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,(Authentication) principal));}}// Place auth request into the model so that it is stored in the session// for approveOrDeny to use. That way we make sure that auth request comes from the session,// so any auth request parameters passed to approveOrDeny will be ignored and retrieved from the session.model.put("authorizationRequest", authorizationRequest);return getUserApprovalPageResponse(model, authorizationRequest, (Authentication) principal);}catch (RuntimeException e) {sessionStatus.setComplete();throw e;}}

在这个方法中，如果principal为null时即生成User must be authenticated with Spring Security before authorization can be completed.异常。

         if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");}

principal在org.springframework.web.servlet.mvc.method.annotation.ServletRequestMethodArgumentResolver类的resolveArgument方法中生成的。在resolveArgument方法中第162行中 Principal userPrincipal = request.getUserPrincipal();如果request中不存在用户信息，则Principal 无法取得，造成参数为Null情况。

 @Nullableprivate Object resolveArgument(Class<?> paramType, HttpServletRequest request) throws IOException {if (HttpSession.class.isAssignableFrom(paramType)) {HttpSession session = request.getSession();if (session != null && !paramType.isInstance(session)) {throw new IllegalStateException("Current session is not of type [" + paramType.getName() + "]: " + session);}return session;}else if (pushBuilder != null && pushBuilder.isAssignableFrom(paramType)) {return PushBuilderDelegate.resolvePushBuilder(request, paramType);}else if (InputStream.class.isAssignableFrom(paramType)) {InputStream inputStream = request.getInputStream();if (inputStream != null && !paramType.isInstance(inputStream)) {throw new IllegalStateException("Request input stream is not of type [" + paramType.getName() + "]: " + inputStream);}return inputStream;}else if (Reader.class.isAssignableFrom(paramType)) {Reader reader = request.getReader();if (reader != null && !paramType.isInstance(reader)) {throw new IllegalStateException("Request body reader is not of type [" + paramType.getName() + "]: " + reader);}return reader;}else if (Principal.class.isAssignableFrom(paramType)) {Principal userPrincipal = request.getUserPrincipal();if (userPrincipal != null && !paramType.isInstance(userPrincipal)) {throw new IllegalStateException("Current user principal is not of type [" + paramType.getName() + "]: " + userPrincipal);}return userPrincipal;}else if (HttpMethod.class == paramType) {return HttpMethod.resolve(request.getMethod());}else if (Locale.class == paramType) {return RequestContextUtils.getLocale(request);}else if (TimeZone.class == paramType) {TimeZone timeZone = RequestContextUtils.getTimeZone(request);return (timeZone != null ? timeZone : TimeZone.getDefault());}else if (ZoneId.class == paramType) {TimeZone timeZone = RequestContextUtils.getTimeZone(request);return (timeZone != null ? timeZone.toZoneId() : ZoneId.systemDefault());}// Should never happen...throw new UnsupportedOperationException("Unknown parameter type: " + paramType.getName());}

OAuth2.0授权码/oauth/authorize接口调用unauthorized异常相关推荐

oauth2.0授权码_OAUTH 2.0授权码授予
oauth2.0授权码 OAuth 2.0提供了许多安全流程(或授权类型),以允许一个应用程序访问另一个应用程序中的用户数据. 在此博客中,我们将介绍OAuth 2.0授权:授权代码授权. 首先,有许 ...
oauth2.0授权码模式详解
Python微信订餐小程序课程视频 https://edu.csdn.net/course/detail/36074 Python实战量化交易理财系统 https://edu.csdn.net/cou ...
java 32位授权码_Java实现OAuth2.0授权码方式
Java实现OAuth2.0授权码方式前面介绍了OAuth2.0和授权方式,可以参考以下文章: 今天就用Java来验证OAuth2.0授权方式的授权码式,我们Spring Cloud的OAuth来实 ...
OAuth2.0授权码模式学习
OAuth2.0授权码模式学习四种授权方式 1,授权码模式 2,简化模式 3,密码模式 4,客户端模式授权码模式四种授权模式中最完成,最严密的授权. (1)用户访问客户端,后者将前者导入认证服务 ...
OAuth2.0 授权码认证方式使用流程
第一步:获取授权码 /oauth/authorize?client_id=c1&response_type=code&scope=all&redirect_uri=http:/ ...
OAuth2.0授权码模式原理与实战
OAuth2.0是目前比较流行的一种开源授权协议,可以用来授权第三方应用,允许在不将用户名和密码提供给第三方应用的情况下获取一定的用户资源,目前很多网站或APP基于微信或QQ的第三方登录方式都是基于O ...
OAuth2.0授权码模式实战
OAuth2.0是目前比较流行的一种开源授权协议,可以用来授权第三方应用,允许在不将用户名和密码提供给第三方应用的情况下获取一定的用户资源,目前很多网站或APP基于微信或QQ的第三方登录方式都是基于O ...
OAuth2.0授权码认证流程介绍
Oauth2授权模式 Oauth2授权模式 Oauth2有以下授权模式: 1.授权码模式(Authorization Code) 2.隐式授权模式(Implicit) 3.密码模式(Resource ...
基于go-oauth2/oauth2实现OAuth 2.0 授权码方式
前言本文基于go-oauth2/oauth2,参考go-oauth2/oauth2/example.go-oauth2/gin-server.llaoj/oauth2,结合beego框架实现OAut ...

OAuth2.0授权码/oauth/authorize接口调用unauthorized异常

OAuth2.0授权码/oauth/authorize接口调用unauthorized异常相关推荐

最新文章

热门文章