0
votes

Trying to implement OAuth2 and running into a few issues following various resources on the web but could not find any resolutions. The issue is that when I access the /token endpoint I get a 404. Here is my config:

web.xml - Dispatcher servlet is mapped to /services/api/* and my security config security.xml is loaded by ContextLoaderListener.

OAuth2 mapping in security.xml:

    <!-- OAUTH2 Configuration -->

<!-- Token request Endpoint configuration -->
<http pattern="/services/api/oauth2/token" use-expressions="true" create-session="stateless" authentication-manager-ref="OAuth2ClientAuthenticationManager">
    <intercept-url pattern="/services/api/oauth2/token" access="hasAnyRole('ADMIN','USER')"/>
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="OAuth2TokenEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/> <!-- processes client credentials params on the request -->
    <access-denied-handler ref="OAuth2AccessDeniedHandler"/>        
</http>

<!-- Resource endpoints protected by Oauth2 -->
<http pattern="/services/api/oauth2/**" create-session="never" entry-point-ref="OAuth2EntryPoint" access-decision-manager-ref="OAuth2AccessDecisionManager">
    <anonymous enabled="false"/>
    <intercept-url pattern="/services/api/oauth2/**" access="hasAnyRole('ADMIN','USER')"/>
    <custom-filter ref="OAuth2ResourceServer" before="PRE_AUTH_FILTER"/>
    <access-denied-handler ref="OAuth2AccessDeniedHandler"/>        
</http>

<!-- Authentication entrypoint for calls to obtain access tokens -->
<b:bean id="OAuth2TokenEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <b:property name="realmName" value="oauth/oauthClient"/>
    <b:property name="typeName" value="Basic"/>     
</b:bean>

<!-- Authentication entrypoint for calls to access Oauth2 protected resources -->
<b:bean id="OAuth2EntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <b:property name="realmName" value="oauth"/>
</b:bean>

<b:bean id="OAuth2AccessDeniedHandler"  class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<b:bean id="clientCredentialsTokenEndpointFilter"  class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <b:property name="authenticationManager" ref="OAuth2ClientAuthenticationManager" />
</b:bean>

<b:bean id="OAuth2AccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
 <b:constructor-arg>
  <b:list>
   <b:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
   <b:bean class="org.springframework.security.access.vote.RoleVoter" />
   <b:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
   <b:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
  </b:list>
 </b:constructor-arg>
</b:bean>

<!-- Authentication Manager for OAuth2 clients -->
<authentication-manager id="OAuth2ClientAuthenticationManager">
    <authentication-provider user-service-ref="OAuth2ClientDetailsUserService" />
</authentication-manager>

<b:bean id="OAuth2ClientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <b:constructor-arg ref="OAuth2ClientDetails" />
</b:bean>

<!-- Configure Oauth2 Token storage and services -->
<b:bean id="OAuth2TokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
 <b:constructor-arg ref="pvDataSource" />
</b:bean>

<b:bean id="OAuth2TokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <b:property name="tokenStore" ref="OAuth2TokenStore" />
    <b:property name="supportRefreshToken" value="true" />
    <b:property name="accessTokenValiditySeconds" value="120"/>
    <b:property name="clientDetailsService" ref="OAuth2ClientDetails" />
</b:bean>

<b:bean id="OAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
    <b:constructor-arg name="clientDetailsService" ref="OAuth2ClientDetails" />
</b:bean>

<b:bean id="OAuth2UserApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
    <b:property name="tokenStore" ref="OAuth2TokenStore"/>
    <b:property name="requestFactory" ref="OAuth2RequestFactory" />
</b:bean>   

<oauth:authorization-server client-details-service-ref="OAuth2ClientDetails" token-services-ref="OAuth2TokenServices">
    <oauth:authorization-code />
    <oauth:implicit/>
    <oauth:refresh-token/>
    <oauth:client-credentials />
    <oauth:password/>
</oauth:authorization-server>

<oauth:resource-server id="OAuth2ResourceServer" resource-id="oauth" token-services-ref="OAuth2TokenServices" /> 

<!-- Configuration of OAuth2 clients -->
<oauth:client-details-service id="OAuth2ClientDetails">
    <oauth:client client-id="client1" authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials" authorities="ROLE_ADMIN,ROLE_USER" scope="read,write,trust" secret="secret"/>    
</oauth:client-details-service>

In my database I have a record for the client in the oauth_client_details table with client_id = client1, client_secret = secret, authorities = ROLE_ADMIN, scope = read,trust, authorized_grant_types = client_credentials,authorization_code,implicit

My request is to URL: http://localhost:8080/springsec/services/api/oauth2/token?grant_type=client_credentials

Header: Basic Auth with username: client1, password: secret

In the log I see the following, note that the OAuth2 client account was found in the database and the Authorization was successful, after this point I expected it to return a valid OAuth2 token and populate the respective tables with token information but it goes off into a 404 because the endpoint pattern was not found which is really bizzare:

16:28:39.853 [tomcat-http--3] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'client1'
16:28:39.855 [tomcat-http--3] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
16:28:39.861 [tomcat-http--3] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c80a02b4: Principal: org.springframework.security.core.userdetails.User@334b85c6: Username: client1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
16:28:39.861 [tomcat-http--3] DEBUG o.s.security.web.FilterChainProxy - /services/api/oauth2/token?grant_type=client_credentials at position 7 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
16:28:39.863 [tomcat-http--3] DEBUG o.s.security.web.FilterChainProxy - /services/api/oauth2/token?grant_type=client_credentials at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
16:28:39.863 [tomcat-http--3] DEBUG o.s.security.web.FilterChainProxy - /services/api/oauth2/token?grant_type=client_credentials at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Checking match of request : '/services/api/oauth2/token'; against '/services/api/oauth2/token'
16:28:39.863 [tomcat-http--3] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /services/api/oauth2/token?grant_type=client_credentials; Attributes: [hasAnyRole('ADMIN','USER')]
16:28:39.863 [tomcat-http--3] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c80a02b4: Principal: org.springframework.security.core.userdetails.User@334b85c6: Username: client1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
16:28:39.871 [tomcat-http--3] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2105b1f8, returned: 1
16:28:39.871 [tomcat-http--3] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
16:28:39.871 [tomcat-http--3] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
16:28:39.871 [tomcat-http--3] DEBUG o.s.security.web.FilterChainProxy - /services/api/oauth2/token?grant_type=client_credentials reached end of additional filter chain; proceeding with original chain
16:28:39.876 [tomcat-http--3] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'webservices' processing GET request for [/springsec/services/api/oauth2/token]
16:28:39.880 [tomcat-http--3] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /oauth2/token
16:28:39.886 [tomcat-http--3] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Did not find handler method for [/oauth2/token]
16:28:39.886 [tomcat-http--3] DEBUG o.s.s.o.p.e.FrameworkEndpointHandlerMapping - Looking up handler method for path /oauth2/token
16:28:39.887 [tomcat-http--3] DEBUG o.s.s.o.p.e.FrameworkEndpointHandlerMapping - Did not find handler method for [/oauth2/token]
16:28:39.887 [tomcat-http--3] WARN  o.s.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/springsec/services/api/oauth2/token] in DispatcherServlet with name 'webservices'
16:28:39.887 [tomcat-http--3] DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request
16:28:39.888 [tomcat-http--3] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
16:28:39.888 [tomcat-http--3] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

What am I doing wrong here? Any help is appreciated.

1
I think I have a hunch to what is going on here:SBKDeveloper
Looking at TokenEndpoint.java it looks like the mapping is not in context with my DispatcherServlet configuration. I tried adding this line: <context:component-scan base-package="org.springframework.security.oauth2.provider.endpoint"/> into my configuration but got an error message: "Caused by: java.lang.IllegalStateException: TokenGranter must be providedSBKDeveloper
The TokenEndpoint's "oauth/token" mapping is not loaded as it isn't scanned into the config by any configuration.... how can I add this?SBKDeveloper

1 Answers

0
votes

I solved this issue by creating a new Dispatcher on the root (since I did not have one) and setting the Authorization server's endpoint to use the default "/oauth/token".

Now, the token is being generated in the database, however I get an empty block of Json instead of the token. In TokenEndpoint.postAccessToken() I can see the endpoint generating the ResponseEntity correctly but the response is blank {}, not sure why.

Here is the log:

10:50:52.837 [tomcat-http--3] DEBUG o.s.jdbc.core.JdbcTemplate - Executing prepared SQL statement [insert into oauth_refresh_token (token_id, token, authentication) values (?, ?, ?)] 10:50:52.837 [tomcat-http--3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Fetching JDBC Connection from DataSource 10:50:52.837 [tomcat-http--3] DEBUG o.s.j.d.DriverManagerDataSource - Creating new JDBC DriverManager Connection to [jdbc:oracle:thin:@localhost:1521:pvdev1] 10:50:52.865 [tomcat-http--3] DEBUG o.s.j.support.lob.DefaultLobHandler - Set bytes for BLOB with length 322 10:50:52.865 [tomcat-http--3] DEBUG o.s.j.support.lob.DefaultLobHandler - Set bytes for BLOB with length 1623 10:50:52.872 [tomcat-http--3] DEBUG o.s.jdbc.core.JdbcTemplate - SQL update affected 1 rows 10:50:52.872 [tomcat-http--3] DEBUG o.s.jdbc.datasource.DataSourceUtils - Returning JDBC Connection to DataSource 10:50:52.898 [tomcat-http--3] DEBUG o.s.w.s.m.m.a.HttpEntityMethodProcessor - Written [0244ec49-3bbd-43d9-8b3e-00c746114fa7] as "application/json" using [org.springframework.http.converter.json.GsonHttpMessageConverter@7c0eb476] 10:50:52.899 [tomcat-http--3] DEBUG o.s.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'root': assuming HandlerAdapter completed request handling 10:50:52.899 [tomcat-http--3] DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request 10:50:52.900 [tomcat-http--3] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally

A point to note is that there are attributes token-endpoint-url and authorization-server-url that can be added to the authorization-server definition but the TokenEndpoint mapping was appending this to the request which resulted in the endpoint mapping being duplicated.