Spring Cloud Data Flow security issue

Problem description

We want to test Spring Cloud Data Flow security with a UAA server (Cloud Foundry). Please help us resolve the authentication failure.

Step 1: download the UAA server war from Maven

Step 2: set up the uaa-bundled Spring Boot project

a. git clone https://github.com/pivotal/uaa-bundled.git
b. cd uaa-bundled
c. Copy the UAA server war to src/main/resources
d. ./mvnw clean install
e. java -jar target/uaa-bundled-1.0.0.BUILD-SNAPSHOT.jar

The UAA server starts on port 8080.

Step 3: run the uaac commands

uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client add dataflow --name dataflow --secret dataflow --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,sample.create,sample.view,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view --authorized_grant_types password,authorization_code,client_credentials,refresh_token --authorities uaa.resource,dataflowcreate,dataflow.view,sample.create --redirect_uri http://localhost:9393/login --autoapprove openid

uaac group add "sample.view"
uaac group add "sample.create"
uaac group add "dataflow.view"
uaac group add "dataflow.create"

uaac user add springrocks -p mysecret --emails springrocks@someplace.com
uaac user add vieweronly -p mysecret --emails mrviewer@someplace.com

uaac member add "sample.view" springrocks
uaac member add "sample.create" springrocks
uaac member add "dataflow.view" springrocks
uaac member add "dataflow.create" springrocks
uaac member add "sample.view" vieweronly

Run the curl command below; the authentication is successful:

C:\Users\rajesh>curl -v -d"username=springrocks&password=mysecret&client_id=dataflow&grant_type=password" -u "dataflow:dataflow" http://localhost:8080/uaa/oauth/token -d 'token_format=opaque'
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /uaa/oauth/token HTTP/1.1
> Host: localhost:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 99
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 99 out of 99 bytes
< HTTP/1.1 200
< Cache-Control: no-store
< Pragma: no-cache
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri,21 May 2021 20:41:57 GMT
<
{"access_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJmNDYyMmY4NDJmZTE0ZjVkYjM2MmFhOWM1ZD
k5ZTU2NyIsInN1YiI6IjcxYjQ2NWI0LWFkZGItNDNhMi1iYjk3LTgxMjJjOTgwZWM5MiIsInNjb3BlIjpbImRhdGFmbG93LnZpZXciLCJzY2ltLnVzZXJpZHMiLCJzYW1wbGUuY3JlYXRlIiwib3BlbmlkIiwiY2xvdWRfY29udHJvbGxlci5yZWFkIiwicGFzc
3dvcmQud3JpdGUiLCJjbG91ZF9jb250cm9sbGVyLndyaXRlIiwiZGF0YWZsb3cuY3JlYXRlIiwic2FtcGxlLnZpZXciXSwiY2xpZW50X2lkIjoiZGF0YWZsb3ciLCJjaWQiOiJkYXRhZmxvdyIsImF6cCI6ImRhdGFmbG93IiwiZ3JhbnRfdHlwZSI6InBhc3N
3b3JkIiwidXNlcl9pZCI6IjcxYjQ2NWI0LWFkZGItNDNhMi1iYjk3LTgxMjJjOTgwZWM5MiIsIm9yaWdpbiI6InVhYSIsInVzZXJfbmFtZSI6InNwcmluZ3JvY2tzIiwiZW1haWwiOiJzcHJpbmdyb2Nrc0Bzb21lcGxhY2UuY29tIiwiYXV0aF90aW1lIjoxNj
IxNjI5NzE3LCJyZXZfc2lnIjoiODA1MTk3ODYiLCJpYXQiOjE2MjE2Mjk3MTcsImV4cCI6MTYyMTY3MjkxNywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJzY2ltIiwiY2xvdWRfY29ud
HJvbGxlciIsInBhc3N3b3JkIiwiZGF0YWZsb3ciLCJvcGVuaWQiLCJzYW1wbGUiXX0.cbT2p9agOAxDfv2-kwM9XdaL-m1lnVC5_gKPxdxRRPQ","token_type":"bearer","id_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYW
xob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI3MWI0NjViNC1hZGRiLTQzYTItYmI5Ny04MTIyYzk4MGVjOTIiLCJhdWQiOlsiZGF0YWZsb3ciXSwiaXNzIjoiaHR0cDovL2xvY
2FsaG9zdDo4MDkwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTYyMTY3MjkxNywiaWF0IjoxNjIxNjI5NzE3LCJhbXIiOlsicHdkIl0sImF6cCI6ImRhdGFmbG93Iiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoic3ByaW5ncm9ja3NAc29tZXBsYWNlLmNv
bSIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6ImY0NjIyZjg0MmZlMTRmNWRiMzYyYWE5YzVkOTllNTY3IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImRhdGFmbG93IiwiY2lkIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjo
icGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJzcHJpbmdyb2NrcyIsInJldl9zaWciOiI4MDUxOTc4NiIsInVzZXJfaWQiOiI3MWI0NjViNC1hZGRiLTQzYTItYmI5Ny04MTIyYzk4MGVjOTIiLCJhdXRoX3RpbWUiOjE2MjE2Mjk3MTd9.4COLuUIisv2PMvFHewFta
Bhm6BgykMV6nLskhUM3Qac","refresh_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIxOTQ4OT
ZiNDBlMGM0YWE1ODhkNzg2ODM1Zjg4ZDYwZS1yIiwic3ViIjoiNzFiNDY1YjQtYWRkYi00M2EyLWJiOTctODEyMmM5ODBlYzkyIiwiaWF0IjoxNjIxNjI5NzE3LCJleHAiOjE2MjQyMjE3MTcsImNpZCI6ImRhdGFmbG93IiwiY2xpZW50X2lkIjoiZGF0YWZsb
3ciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwOTAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiLCJkYXRhZmxvdyIsIm9wZW5pZCIsInNhbXBsZSJdLCJncmFudGVkX3Nj
b3BlcyI6WyJkYXRhZmxvdy52aWV3Iiwic2NpbS51c2VyaWRzIiwic2FtcGxlLmNyZWF0ZSIsIm9wZW5pZCIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCIsInBhc3N3b3JkLndyaXRlIiwiY2xvdWRfY29udHJvbGxlci53cml0ZSIsImRhdGFmbG93LmNyZWF0ZSI
sInNhbXBsZS52aWV3Il0sImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNjIxNjI5NzE3LCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJzcHJpbmdyb2NrcyIsIm9yaWdpbiI6InVhYSIsInVzZXJfaWQiOiI3MWI0NjViNC1hZGRiLTQzYT
ItYmI5Ny04MTIyYzk4MGVjOTIiLCJyZXZfc2lnIjoiODA1MTk3ODYifQ.xZfW4vo26DUOlByX6yLVG4jmvq0qprdP4AufGA4B40Q","expires_in":43199,"scope":"dataflow.view scim.userids sample.create openid cloud_controller.
read password.write cloud_controller.write dataflow.create sample.view","jti":"f4622f842fe14f5db362aa9c5d99e567"}* Connection #0 to host localhost left intact

Step 4: run the Spring Cloud Data Flow server with application.yml

application.yml:

spring:
  security:
    oauth2:                                                           
      client:
        registration:
          uaa:                                                        
            client-id: springrocks
            client-secret: mysecret
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
            - openid                                                  
        provider:
          uaa:
            jwk-set-uri: http://localhost:8080/uaa/token_keys
            token-uri: http://localhost:8080/uaa/oauth/token
            user-info-uri: http://localhost:8080/uaa/userinfo    
            user-name-attribute: springrocks@someplace.com                            
            authorization-uri: http://localhost:8080/uaa/oauth/authorize
      resourceserver:
        opaquetoken:
          introspection-uri: http://localhost:8080/uaa/introspect 
          client-id: dataflow
          client-secret: dataflow
          
Run the command below:

java -jar spring-cloud-dataflow-server-2.7.2.jar --spring.config.additional-location=application.yml

The server starts on port 9393.

Step 5: open the URL http://localhost:9393/dashboard

Click the OAuth2 Login link.

On the Cloud Foundry login page, enter the username and password.

But the authentication fails.

Please find the UAA server logs below:

[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'uiSecurity' processing request GET /uaa/oauth/authorize
[2021-05-23 11:43:15.647] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] ....  INFO --- SamlKeyManagerFactory: Loaded service provider certificate legacy-saml-key
[2021-05-23 11:43:15.649] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] ....  INFO --- NonSnarlMetadataManager: Initialized local service provider for entityID: cloudfoundry-saml-login
[2021-05-23 11:43:15.650] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- NonSnarlMetadataManager: Found metadata EntityDescriptor with ID
[2021-05-23 11:43:15.651] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto null
[2021-05-23 11:43:15.651] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- UaaSavedRequestCache: Removing DefaultSavedRequest from session if present
[2021-05-23 11:43:15.676] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- SessionResetFilter: Evaluating user-id for session reset:e943b779-297b-4008-8a5d-4748cb2ef575
[2021-05-23 11:43:15.694] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] ....  INFO --- UaaAuthorizationEndpoint: Handling OAuth2 error: error="invalid_client",error_description="No client with requested id: springrocks"

Solution

The client-id and client-secret should be "dataflow". Here is my working configuration:

uaac script:

uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client add dataflow \
  --name dataflow \
  --secret dataflow \
  --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,sample.create,sample.view,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view \
  --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
  --authorities uaa.resource,dataflow.view,sample.create \
  --redirect_uri http://localhost:9393/login \
  --autoapprove openid

uaac group add "sample.view"
uaac group add "sample.create"
uaac group add "dataflow.view"
uaac group add "dataflow.create"
uaac group add "dataflow.deploy"
uaac group add "dataflow.destroy"
uaac group add "dataflow.manage"
uaac group add "dataflow.modify"
uaac group add "dataflow.schedule"

uaac user add admindf -p password --emails admindf@someplace.com
uaac user add vieweronly -p password --emails mrviewer@someplace.com

uaac member add "sample.view" admindf
uaac member add "sample.create" admindf
uaac member add "dataflow.view" admindf
uaac member add "dataflow.create" admindf
uaac member add "dataflow.deploy" admindf
uaac member add "dataflow.destroy" admindf
uaac member add "dataflow.manage" admindf
uaac member add "dataflow.modify" admindf
uaac member add "dataflow.schedule" admindf
uaac member add "sample.view" vieweronly
uaac member add "dataflow.view" vieweronly

application.yml:

spring:
  security:
    oauth2:                                                           
      client:
        registration:
          uaa:                                                     
            client-id: dataflow
            client-secret: dataflow
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
            - openid 
            - dataflow.view 
            - dataflow.create
            - dataflow.manage
            - dataflow.deploy
            - dataflow.destroy
            - dataflow.modify
            - dataflow.schedule
        provider:
          uaa:
            jwk-set-uri: http://localhost:8080/uaa/token_keys
            token-uri: http://localhost:8080/uaa/oauth/token
            user-info-uri: http://localhost:8080/uaa/userinfo    
            user-name-attribute: user_name                            
            authorization-uri: http://localhost:8080/uaa/oauth/authorize
      resourceserver:
        opaquetoken:
          introspection-uri: http://localhost:8080/uaa/introspect 
          client-id: dataflow
          client-secret: dataflow
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:                                    
            uaa:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: dataflow.view
                ROLE_CREATE: dataflow.create
                ROLE_MANAGE: dataflow.manage
                ROLE_DEPLOY: dataflow.deploy
                ROLE_DESTROY: dataflow.destroy
                ROLE_MODIFY: dataflow.modify
                ROLE_SCHEDULE: dataflow.schedule
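The answer's fix has two parts: the Spring Security client registration must name a UAA client (dataflow/dataflow), not a user, and map-oauth-scopes: true turns the scopes in the issued token into Data Flow roles through role-mappings. The following script, added here as an illustration and not code from the question, the answer, UAA or Spring Cloud Data Flow, shows what a resource server does with a token like the one returned in the question's curl call: verify the HS256 signature (the question's token header carries kid legacy-token-key), check issuer, audience and expiry, then apply the answer's role mapping to the scope claim. The signing secret, issuer URL and the token payloads are constructed for the demo; the role mapping is copied from the answer's application.yml.

```python
"""Verify a UAA-style JWT and apply SCDF's scope-to-role mapping (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Role mapping from the answer's application.yml
# (spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings).
ROLE_MAPPINGS = {
    "ROLE_VIEW": "dataflow.view",
    "ROLE_CREATE": "dataflow.create",
    "ROLE_MANAGE": "dataflow.manage",
    "ROLE_DEPLOY": "dataflow.deploy",
    "ROLE_DESTROY": "dataflow.destroy",
    "ROLE_MODIFY": "dataflow.modify",
    "ROLE_SCHEDULE": "dataflow.schedule",
}

# Constructed values for the demo. The question's token is signed with the
# HS256 "legacy-token-key"; the secret below is invented, not UAA's.
DEMO_SECRET = b"constructed-demo-signing-secret"
DEMO_ISSUER = "http://localhost:8080/uaa/oauth/token"
DEMO_CLIENT = "dataflow"   # the UAA client; the question registered a user name here
TOKEN_LIFETIME = 43199     # expires_in reported by the token endpoint in the question


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user_token(user_name: str, scopes: list, now: int) -> str:
    """Mint a constructed token shaped like UAA's password-grant access token."""
    header = {"alg": "HS256", "kid": "legacy-token-key", "typ": "JWT"}
    payload = {
        "client_id": DEMO_CLIENT,
        "user_name": user_name,
        "scope": scopes,
        "iss": DEMO_ISSUER,
        "aud": [DEMO_CLIENT, "openid"],
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims only after the HMAC checks out; unverified claims are never used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # refuse "none" and algorithm substitution
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def check_claims(claims: dict, now: int, issuer: str = DEMO_ISSUER,
                 client: str = DEMO_CLIENT) -> None:
    """The checks a resource server applies after the signature: issuer, audience, expiry."""
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer: %r" % claims.get("iss"))
    if client not in claims.get("aud", []):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")


def scopes_to_roles(scopes, role_mappings=ROLE_MAPPINGS) -> list:
    """What map-oauth-scopes: true does: a role is granted iff its mapped scope is present."""
    return sorted(role for role, scope in role_mappings.items() if scope in scopes)


if __name__ == "__main__":
    now = int(time.time())
    # Two constructed users mirroring the answer's uaac script: admindf holds every
    # dataflow.* scope, vieweronly only sample.view and dataflow.view.
    for user, scopes in (("admindf", ["openid"] + sorted(ROLE_MAPPINGS.values())),
                         ("vieweronly", ["openid", "sample.view", "dataflow.view"])):
        claims = verify_hs256(make_user_token(user, scopes, now), DEMO_SECRET)
        check_claims(claims, now)
        print(user, "->", scopes_to_roles(claims["scope"]))
```

The vieweronly user ends up with ROLE_VIEW only, which is why that account can browse the dashboard but not create or deploy streams; a scope that is granted to the client but not to the user's groups never appears in the token, so the role is never mapped. The HS256 verification mirrors the dev-mode key the question's token was signed with; a server configured with jwk-set-uri as in the answer fetches the public keys from /uaa/token_keys and verifies asymmetric signatures instead, but the issuer, audience and expiry checks are the same.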
