404 Not Found when try getting OAuth2 access token in spring application
Asked Answered
K

0

1

I am trying to make a web application that we can get an access token in 'password' grant type by just call some http basic request

For example

When I call

http://localhost:8080/demo4ssh-security-oauth2/oauth/token?client_id=mobile_1&client_secret=secret_1&grant_type=password&username=zhangsan&password=123456

I can get the following token

{"access_token":"4219a91f-45d5-4a07-9e8e-3acbadd0c23e","token_type":"bearer","refresh_token":"d41df9fd-3d36-4a20-b0b7-1a1883c7439d","expires_in":43199,"scope":"read write trust"}

However my token site always return 404. I try to do some searches on web but still didn't help...

Here is my code:

web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/security-context.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<servlet>
    <servlet-name>user-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

security-context.xml

<http pattern="/user/operation/Registration" security="none"
    use-expressions="true" />
<http use-expressions="true" pattern="/oauth/token"
    create-session="stateless" authentication-manager-ref="oauth2AuthenticationManager">
    <anonymous enabled="false" />
    <csrf disabled="true" />
    <intercept-url pattern="/oauth/token" access="permitAll()" />
    <http-basic entry-point-ref="oauth2AuthenticationEntryPoint" />
    <custom-filter ref="clientCredentialsTokenEndpointFilter"
        before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauth2AccessDeniedHandler" />
</http>
<http auto-config="true">
    <intercept-url pattern="/user/operation/Healthcheck**"
        access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/operation/Login"
        default-target-url="/user/operation/Healthcheck"
        authentication-failure-url="/user/operation/Error" />
    <anonymous />
</http>


<beans:bean id="customPasswordEncoder"
    class="com.test.custom.project.password.CustomPasswordEncoder" />

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder ref="customPasswordEncoder" />
        <jdbc-user-service data-source-ref="jdbcTemplate"
            users-by-username-query="select 
            username, password, 1 from app_users where username = ?"
            authorities-by-username-query="select 
            u.username, r.role from app_users u left join app_role r on u.role_id=r.role_id 
            where username = ?" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="jdbcTemplate"
    class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <beans:property name="url"
        value="jdbc:mysql://test.test/test" />
    <beans:property name="username" value="root" />
    <beans:property name="password" value="root" />
</beans:bean>

<beans:bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<beans:bean id="tokenServices"
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <beans:property name="tokenStore" ref="tokenStore" />
    <beans:property name="supportRefreshToken" value="true" />
    <beans:property name="clientDetailsService" ref="clientDetailsService" />
</beans:bean>

<oauth2:client-details-service id="clientDetailsService">
    <oauth2:client client-id="mobile_1"
        authorized-grant-types="password,authorization_code,refresh_token,implicit"
        secret="secret_1" scope="read,write,trust" authorities="ROLE_USER" />
</oauth2:client-details-service>
<beans:bean id="oauth2ClientDetailsUserService"
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetailsService" />
</beans:bean>
<authentication-manager id="oauth2AuthenticationManager">
    <authentication-provider user-service-ref="oauth2ClientDetailsUserService" />
</authentication-manager>

<oauth2:authorization-server
    client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
    user-approval-handler-ref="oauthUserApprovalHandler">
    <oauth2:authorization-code />
    <oauth2:implicit />
    <oauth2:refresh-token />
    <oauth2:client-credentials />
    <oauth2:password />
</oauth2:authorization-server>

<beans:bean id="oauth2AuthenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="test.com" />
</beans:bean>


<beans:bean id="oauth2AccessDeniedHandler"
    class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<beans:bean id="oauthUserApprovalHandler"
    class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler" />

<beans:bean id="oauth2AccessDecisionManager"
    class="org.springframework.security.access.vote.UnanimousBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean
                class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <beans:bean 
                class="org.springframework.security.access.vote.RoleVoter" />
            <beans:bean
                class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:bean
                class="org.springframework.security.web.access.expression.WebExpressionVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="clientCredentialsTokenEndpointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="oauth2AuthenticationManager" />
</beans:bean>

My controller class

@Controller
@RequestMapping("/operation")
public class UserOperationController {

        private static final Logger logger = Logger.getLogger(UserOperationController.class);


        @RequestMapping("/Login")
        public ModelAndView home() {
            return new ModelAndView("login");
        }

        @RequestMapping("/Error")
        public ModelAndView error() {
            return new ModelAndView("error");
        }


        @RequestMapping("/Healthcheck")
        public ModelAndView healthCheck() {
            ...Some Operations....
            return new ModelAndView("healthcheck", "result", "positive");
        }

        @RequestMapping(value = "/Registration", method = RequestMethod.POST, consumes = "application/json")
        public @ResponseBody
        void registration(@RequestBody UserModel user) {
           ...Some Operations....
        }
}

After I submit a http request like using ajax post call, I got 404 error code and the following Tomcat7 log

2015-09-29 00:36:04 DEBUG AntPathRequestMatcher:151 - Checking match of request
: '/oauth/token'; against '/user/operation/registration'
2015-09-29 00:36:04 DEBUG AntPathRequestMatcher:151 - Checking match of request
: '/oauth/token'; against '/oauth/token'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 1 of 8 in additional filter chain; firing Filter: 'SecurityCont
extPersistenceFilter'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncMana
gerIntegrationFilter'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 3 of 8 in additional filter chain; firing Filter: 'HeaderWriter
Filter'
2015-09-29 00:36:04 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since
 it did not match the requestMatcher org.springframework.security.web.header.wri
ters.HstsHeaderWriter$SecureRequestMatcher@2c3ed15e
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 4 of 8 in additional filter chain; firing Filter: 'ClientCreden
tialsTokenEndpointFilter'
2015-09-29 00:36:04 DEBUG ClientCredentialsTokenEndpointFilter:211 - Request is
to process authentication
2015-09-29 00:36:04 DEBUG ProviderManager:162 - Authentication attempt using org
.springframework.security.authentication.dao.DaoAuthenticationProvider
2015-09-29 00:36:04 DEBUG ClientCredentialsTokenEndpointFilter:317 - Authenticat
ion success. Updating SecurityContextHolder to contain: org.springframework.secu
rity.authentication.UsernamePasswordAuthenticationToken@93f5f9e4: Principal: org
.springframework.security.core.userdetails.User@d7e8fbd4: Username: mobile_1; Pa
ssword: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpir
ed: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [
PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 5 of 8 in additional filter chain; firing Filter: 'BasicAuthent
icationFilter'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 6 of 8 in additional filter chain; firing Filter: 'SecurityCont
extHolderAwareRequestFilter'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTra
nslationFilter'
2015-09-29 00:36:04 DEBUG FilterChainProxy:324 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecuri
tyInterceptor'
2015-09-29 00:36:04 DEBUG AntPathRequestMatcher:151 - Checking match of request
: '/oauth/token'; against '/oauth/token'
2015-09-29 00:36:04 DEBUG FilterSecurityInterceptor:218 - Secure object: FilterI
nvocation: URL: /oauth/token?username=user001&password=Passw0rd!&client_id=
mobile_1&client_secret=secret_1&grant_type=password; Attributes: [permitAll()]
2015-09-29 00:36:04 DEBUG FilterSecurityInterceptor:347 - Previously Authenticat
ed: org.springframework.security.authentication.UsernamePasswordAuthenticationTo
ken@93f5f9e4: Principal: org.springframework.security.core.userdetails.User@d7e8
fbd4: Username: mobile_1; Password: [PROTECTED]; Enabled: true; AccountNonExpire
d: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authoritie
s: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Gran
ted Authorities: ROLE_USER
2015-09-29 00:36:04 DEBUG AffirmativeBased:65 - Voter: org.springframework.secur
ity.web.access.expression.WebExpressionVoter@f1a22b, returned: 1
2015-09-29 00:36:04 DEBUG FilterSecurityInterceptor:242 - Authorization successf
ul
2015-09-29 00:36:04 DEBUG FilterSecurityInterceptor:255 - RunAsManager did not c
hange Authentication object
2015-09-29 00:36:04 DEBUG FilterChainProxy:309 - /oauth/token?username=user
001&password=Passw0rd!&client_id=mobile_1&client_secret=secret_1&grant_type=pass
word reached end of additional filter chain; proceeding with original chain
2015-09-29 00:36:04 DEBUG ExceptionTranslationFilter:116 - Chain processed norma
lly
2015-09-29 00:36:04 DEBUG SecurityContextPersistenceFilter:105 - SecurityContext
Holder now cleared, as request processing completed

Version of Spring Security I use:

4.0.2.RELEASE

Kaliningrad answered 28/9, 2015 at 16:55 Comment(2)
I got a little finding. It is related to endpoint url since I am not using default setting i.e. oauth/token. Still working on it...Kaliningrad
Are you able to find the solution? I got the same error. I'm currently stack on it.Enactment

© 2022 - 2024 — McMap. All rights reserved.