NotFound403 / id-server

An OAuth2 Authorization Server,Based on Spring Authorization Server
Apache License 2.0

【BUG】Requesting a resource through the gateway, the server returns 500 #19

Closed meimosor closed 2 years ago

meimosor commented 2 years ago

[Local environment] JDK 11, Win10, IDEA 2022.1, MySQL 8.0, latest Chrome
[Expected result] After login and authorization consent, the resource is returned
[Actual result] The authorization server reports an error in the back end; the error message is as follows:

```
Hibernate: select authorizat0_.id as id10, authorizat0_.access_token_expires_at as access_t20, authorizat0_.access_token_issued_at as access_t30, authorizat0_.access_token_metadata as access_t40, authorizat0_.access_token_scopes as access_t50, authorizat0_.access_token_type as access_t60, authorizat0_.access_token_value as access_t70, authorizat0_.attributes as attribut80, authorizat0_.authorization_code_expires_at as authoriz90, authorizat0_.authorization_code_issued_at as authori100, authorizat0_.authorization_code_metadata as authori110, authorizat0_.authorization_code_value as authori120, authorizat0_.authorization_grant_type as authori130, authorizat0_.oidc_id_token_claims as oidc_id140, authorizat0_.oidc_id_token_expires_at as oidc_id150, authorizat0_.oidc_id_token_issued_at as oidc_id160, authorizat0_.oidc_id_token_metadata as oidc_id170, authorizat0_.oidc_id_token_value as oidc_id180, authorizat0_.principal_name as princip190, authorizat0_.refresh_token_expires_at as refresh200, authorizat0_.refresh_token_issued_at as refresh210, authorizat0_.refresh_token_metadata as refresh220, authorizat0_.refresh_token_value as refresh230, authorizat0_.registered_client_id as registe240, authorizat0_.state as state250 from authorization authorizat0 where authorizat0.state=?
Hibernate: select oauth2clie0_.id as id1_40, clientauth1_.client_authentication_method as client_a1_21, clientauth1_.client_id as client_i2_21, oauth2toke2_.client_id as client_i1_82, redirectur3_.client_id as client_i1_103, redirectur3_.redirect_uri as redirect2_103, authorizat4_.client_id as client_i1_64, authorizat4_.grant_type_name as grant_ty2_64, oauth2clie5_.client_id as client_i1_55, scopes6_.client_id as client_i1_76, scopes6_.scope as scope2_76, oauth2clie0_.client_id as client_i2_40, oauth2clie0_.client_id_issued_at as client_i3_40, oauth2clie0_.client_name as client_n4_40, oauth2clie0_.client_secret as client_s5_40, oauth2clie0_.client_secret_expires_at as client_s6_40, clientauth1_.client_id as client_i2_2_0, clientauth1_.client_authentication_method as client_a1_2_0, oauth2toke2_.access_token_time_to_live as access_t2_82, oauth2toke2_.id_token_signature_algorithm as id_token3_82, oauth2toke2_.refresh_token_time_to_live as refresh_4_82, oauth2toke2_.reuse_refresh_tokens as reuse_re5_82, oauth2toke2_.token_format as token_fo6_82, redirectur3_.client_id as client_i1_10_1, redirectur3_.redirect_uri as redirect2_10_1, authorizat4_.client_id as client_i1_6_2, authorizat4_.grant_type_name as grant_ty2_6_2, oauth2clie5_.jwk_set_url as jwk_set_2_55, oauth2clie5_.require_authorization_consent as require_3_55, oauth2clie5_.require_proof_key as require_4_55, oauth2clie5_.signing_algorithm as signing_5_55, scopes6_.description as descript3_76, scopes6_.client_id as client_i1_7_3_, scopes6.scope as scope2_7_3__ from oauth2client oauth2clie0 left outer join client_authmethod clientauth1 on oauth2clie0_.clientid=clientauth1.client_id left outer join oauth2_tokensettings oauth2toke2 on oauth2clie0_.clientid=oauth2toke2.client_id left outer join redirecturi redirectur3 on oauth2clie0_.clientid=redirectur3.client_id left outer join oauth2_granttype authorizat4 on oauth2clie0_.clientid=authorizat4.client_id left outer join oauth2_clientsettings oauth2clie5 on oauth2clie0_.clientid=oauth2clie5.client_id left outer join oauth2scope scopes6 on oauth2clie0_.clientid=scopes6.clientid where oauth2clie0.id=?
2022-05-16 16:07:13.493 ERROR 27552 --- [nio-9000-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

java.lang.IllegalArgumentException: The class with cn.felord.idserver.entity.UserInfo and name of cn.felord.idserver.entity.UserInfo is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at cn.felord.idserver.service.JpaOAuth2AuthorizationService.parseMap(JpaOAuth2AuthorizationService.java:240) ~[classes/:na]
	at cn.felord.idserver.service.JpaOAuth2AuthorizationService.lambda$toObject$0(JpaOAuth2AuthorizationService.java:120) ~[classes/:na]
	at org.springframework.security.oauth2.server.authorization.OAuth2Authorization$Builder.attributes(OAuth2Authorization.java:504) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at cn.felord.idserver.service.JpaOAuth2AuthorizationService.toObject(JpaOAuth2AuthorizationService.java:120) ~[classes/:na]
	at java.base/java.util.Optional.map(Optional.java:265) ~[na:na]
	at cn.felord.idserver.service.JpaOAuth2AuthorizationService.findByToken(JpaOAuth2AuthorizationService.java:106) ~[classes/:na]
	at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider.authenticateAuthorizationConsent(OAuth2AuthorizationCodeRequestAuthenticationProvider.java:327) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider.authenticate(OAuth2AuthorizationCodeRequestAuthenticationProvider.java:121) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.6.2.jar:5.6.2]
	at org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter.doFilterInternal(OAuth2AuthorizationEndpointFilter.java:149) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.oauth2.server.authorization.web.ProviderContextFilter.doFilterInternal(ProviderContextFilter.java:63) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.18.jar:5.3.18]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) ~[spring-boot-actuator-2.6.6.jar:2.6.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.18.jar:5.3.18]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.18.jar:5.3.18]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.60.jar:9.0.60]
	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: java.lang.IllegalArgumentException: The class with cn.felord.idserver.entity.UserInfo and name of cn.felord.idserver.entity.UserInfo is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:253) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:125) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:213) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:781) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4650) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2831) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at org.springframework.security.jackson2.UsernamePasswordAuthenticationTokenDeserializer.getPrincipal(UsernamePasswordAuthenticationTokenDeserializer.java:104) ~[spring-security-core-5.6.2.jar:5.6.2]
	at org.springframework.security.jackson2.UsernamePasswordAuthenticationTokenDeserializer.deserialize(UsernamePasswordAuthenticationTokenDeserializer.java:75) ~[spring-security-core-5.6.2.jar:5.6.2]
	at org.springframework.security.jackson2.UsernamePasswordAuthenticationTokenDeserializer.deserialize(UsernamePasswordAuthenticationTokenDeserializer.java:51) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:144) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:213) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:781) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4650) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2831) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:52) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:42) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:144) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:482) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4674) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3629) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3612) ~[jackson-databind-2.13.2.2.jar:2.13.2.2]
	at cn.felord.idserver.service.JpaOAuth2AuthorizationService.parseMap(JpaOAuth2AuthorizationService.java:237) ~[classes/:na]
	... 68 common frames omitted
```

NotFound403 commented 2 years ago

This exception is quite interesting. When multiple UserDetailsService implementations exist, Spring Security keeps a global default in the Spring IoC container, which means that if one UserDetailsService does not succeed, it calls the default one to load the user. So a global default needs to be configured like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    // Global default UserDetailsService: every lookup reports the user as not
    // found, so no fallback implementation is consulted after a failed lookup.
    @Bean
    UserDetailsService notFoundUserDetailsService() {
        return username -> {
            throw new UsernameNotFoundException("用户未找到");
        };
    }

This issue has been fixed.

NotFound403 commented 2 years ago

One more thing: this exception is also raised when deserializing OAuth2Authorization. If you have custom types, you need to add a Mixin; see JpaOAuth2AuthorizationService.
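An added example (not the project's JpaOAuth2AuthorizationService, whose internals are not shown here) of the Mixin approach the last comment refers to: the entity class from the stack trace, cn.felord.idserver.entity.UserInfo, is placed on Spring Security's Jackson allowlist through a Mixin registered on the ObjectMapper, so the stored authorization attributes can be read back without enabling default typing. The class name AuthorizationAttributeMapper and the assumption that UserInfo has a no-argument constructor are mine.

```java
// Added example: an ObjectMapper that allowlists the custom principal
// type through a Mixin. Not the project's own class.
import java.util.List;
import java.util.Map;

import cn.felord.idserver.entity.UserInfo;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;

public class AuthorizationAttributeMapper {

    // Mixin applied to UserInfo: write the type id as the class name (what
    // the allowlist resolver checks), read fields directly, and ignore
    // properties that no longer exist so stored rows survive entity changes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
            getterVisibility = JsonAutoDetect.Visibility.NONE,
            isGetterVisibility = JsonAutoDetect.Visibility.NONE)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class UserInfoMixin {
    }

    private final ObjectMapper objectMapper = new ObjectMapper();

    public AuthorizationAttributeMapper() {
        ClassLoader classLoader = getClass().getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
        // Exactly one application class is added to the allowlist. Default
        // typing stays off: enabling it would let any class on the classpath
        // be instantiated from JSON read out of the database.
        objectMapper.addMixIn(UserInfo.class, UserInfoMixin.class);
    }

    // Serialises the OAuth2Authorization attributes map for storage.
    public String writeMap(Map<String, Object> data) {
        try {
            return objectMapper.writeValueAsString(data);
        } catch (Exception ex) {
            throw new IllegalArgumentException(ex.getMessage(), ex);
        }
    }

    // Reads it back; a type id outside the allowlist still fails here.
    public Map<String, Object> parseMap(String data) {
        try {
            return objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {});
        } catch (Exception ex) {
            throw new IllegalArgumentException(ex.getMessage(), ex);
        }
    }
}
```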