bluesliverx / grails-spring-security-oauth2-provider

Grails Spring Security OAuth2 Provider Plugin
http://grails.org/plugin/spring-security-oauth2-provider

ClientCredentialsTokenEndpointFilter : Authentication success --> Secure object: FilterInvocation: URL: /oauth/token; Attributes: [_DENY_] #134

Closed bluscreen closed 7 years ago

bluscreen commented 7 years ago

Hello,

It seems to me like something might be wrong with the filter chain, although it is configured like the recommendation in the docs:

grails.plugin.springsecurity.filterChain.chainMap = [
        [pattern: '/oauth/token',               filters: 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter'],
        [pattern: '/securedOAuth2Resources/**', filters: 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter'],
        [pattern: '/**',                        filters: 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter']
]

I still cannot authenticate properly. This is what the debug log says:

2017-03-01 00:55:09.057 DEBUG --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/oauth/token'
2017-03-01 00:55:09.059 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 1 of 8 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter'
2017-03-01 00:55:09.071 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 2 of 8 in additional filter chain; firing Filter: 'StatelessSecurityContextPersistenceFilter'
2017-03-01 00:55:09.071 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 3 of 8 in additional filter chain; firing Filter: 'ClientCredentialsTokenEndpointFilter'
2017-03-01 00:55:09.072 DEBUG --- [nio-8080-exec-1] p.c.ClientCredentialsTokenEndpointFilter : Request is to process authentication
2017-03-01 00:55:09.073 DEBUG --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-03-01 00:55:09.412 DEBUG --- [nio-8080-exec-1] p.c.ClientCredentialsTokenEndpointFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e21ba743: Principal: org.springframework.security.core.userdetails.User@a606a573: Username: becherhelden; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
2017-03-01 00:55:09.415 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 4 of 8 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-03-01 00:55:09.415 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-03-01 00:55:09.417 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 6 of 8 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2017-03-01 00:55:09.424 DEBUG --- [nio-8080-exec-1] .w.f.GrailsAnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e21ba743: Principal: org.springframework.security.core.userdetails.User@a606a573: Username: becherhelden; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER'
2017-03-01 00:55:09.425 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-03-01 00:55:09.425 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-03-01 00:55:09.528 DEBUG --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /oauth/token; Attributes: [_DENY_]
2017-03-01 00:55:09.529 DEBUG --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e21ba743: Principal: org.springframework.security.core.userdetails.User@a606a573: Username: becherhelden; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER
2017-03-01 00:55:09.531 DEBUG --- [nio-8080-exec-1] o.s.s.a.h.RoleHierarchyImpl              : getReachableGrantedAuthorities() - From the roles [ROLE_USER] one can reach [ROLE_USER] in zero or more steps.
2017-03-01 00:55:09.550 DEBUG --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is not anonymous); delegating to AccessDeniedHandler

org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)

So it looks to me like the authentication is granted in position 3 of the chain and then revoked later (position 6 or 8?).

I have the following build.gradle:

buildscript {
    repositories {
        mavenLocal()
        maven { url "https://repo.grails.org/grails/core" }
    }
    dependencies {
        classpath "org.grails:grails-gradle-plugin:$grailsVersion"
        classpath "org.grails.plugins:hibernate5:6.0.4"
        classpath "org.grails.plugins:views-gradle:1.1.2"
    }
}

version "0.1"
group "rest_bh"

apply plugin: "eclipse"
apply plugin: "idea"
apply plugin: "war"
apply plugin: "org.grails.grails-web"
apply plugin: "org.grails.plugins.views-json"

repositories {
    mavenLocal()
    maven { url "https://repo.grails.org/grails/core" }
    maven { url "https://dl.bintray.com/bluesliverx/grails-plugins" }
}

dependencyManagement {
    imports {
        mavenBom "org.grails:grails-bom:$grailsVersion"
    }
    applyMavenExclusions false
}

dependencies {
    compile "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-autoconfigure"
    compile "org.grails:grails-core"
    compile "org.springframework.boot:spring-boot-starter-actuator"
    compile "org.springframework.boot:spring-boot-starter-tomcat"
    compile "org.grails:grails-plugin-url-mappings"
    compile "org.grails:grails-plugin-rest"
    compile "org.grails:grails-plugin-codecs"
    compile "org.grails:grails-plugin-interceptors"
    compile "org.grails:grails-plugin-services"
    compile "org.grails:grails-plugin-datasource"
    compile "org.grails:grails-plugin-databinding"
    compile "org.grails:grails-plugin-async"
    compile "org.grails:grails-web-boot"
    compile "org.grails:grails-logging"
    compile "org.grails.plugins:cache"
    compile "org.grails.plugins:hibernate5"
    compile "org.hibernate:hibernate-core:5.1.2.Final"
    compile "org.hibernate:hibernate-ehcache:5.1.2.Final"
    compile "org.grails.plugins:views-json"
    compile "org.grails.plugins:views-json-templates"
    compile "org.grails:grails-plugin-gsp"
    compile 'org.grails.plugins:spring-security-core:3.1.1' // can this be removed?
    compile 'org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC2'
    console "org.grails:grails-console"
    profile "org.grails.profiles:rest-api"
    runtime "com.h2database:h2"
    testCompile "org.grails:grails-plugin-testing"
    testCompile "org.grails.plugins:geb"
    testCompile "org.grails:grails-datastore-rest-client"
    testRuntime "org.seleniumhq.selenium:selenium-htmlunit-driver:2.47.1"
    testRuntime "net.sourceforge.htmlunit:htmlunit:2.18"
}

bootRun {
    jvmArgs = ['-Dspring.output.ansi.enabled=always']
}

Any help would be much appreciated.

bluscreen commented 7 years ago

Got everything working now. Some more details on the filter chains helped.
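
The debug log quoted in the issue can be read stage by stage. The following is an added example (not code from the plugin or from the issue author) that parses Spring Security debug lines of that shape and reports, per worker thread, which filter position authenticated the caller, which attributes FilterSecurityInterceptor evaluated, and whether the denial happened after authentication. The sample lines are constructed by abbreviating the quoted log; the function name `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: five lines abbreviated from the debug log quoted in the issue.
SAMPLE_LOG = """\
00:55:09.071 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 3 of 8 in additional filter chain; firing Filter: 'ClientCredentialsTokenEndpointFilter'
00:55:09.412 DEBUG --- [nio-8080-exec-1] p.c.ClientCredentialsTokenEndpointFilter : Authentication success. Updating SecurityContextHolder to contain: Username: becherhelden; Granted Authorities: ROLE_USER
00:55:09.425 DEBUG --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /oauth/token at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
00:55:09.528 DEBUG --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token; Attributes: [_DENY_]
00:55:09.550 DEBUG --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
"""

THREAD = re.compile(r"--- \[([^\]]+)\]")
FIRING = re.compile(r"(\S+) at position (\d+) of (\d+) in additional filter chain; firing Filter: '(\w+)'")
AUTH_OK = re.compile(r"Authentication success\..*?Username: ([^;]+);")
SECURE = re.compile(r"Secure object: FilterInvocation: URL: (\S+); Attributes: \[([^\]]*)\]")


def triage(log_text):
    """Return one summary dict per worker thread seen in the log."""
    requests = {}
    for line in log_text.splitlines():
        t = THREAD.search(line)
        if not t:
            continue  # stack-trace lines and blanks carry no thread tag
        req = requests.setdefault(t.group(1), {
            "url": None, "chain": [], "auth_position": None,
            "username": None, "attributes": None, "denied": False})
        if m := FIRING.search(line):
            req["url"] = m.group(1)
            req["chain"].append((int(m.group(2)), m.group(4)))
        elif m := AUTH_OK.search(line):
            # The success line is logged by the filter that fired last.
            req["auth_position"] = req["chain"][-1][0] if req["chain"] else None
            req["username"] = m.group(1)
        elif m := SECURE.search(line):
            req["attributes"] = [a.strip() for a in m.group(2).split(",")]
        elif "Access is denied" in line:
            req["denied"] = True
    for req in requests.values():
        # Authenticated and then denied: the failure is in the authorization stage.
        req["stage"] = ("authorization" if req["denied"] and req["username"]
                        else "authentication" if req["denied"] else "none")
    return requests
```

A `stage` of `authorization` together with the reported `attributes` points the investigation at the access rules evaluated for that URL rather than at the client credentials.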