Open vicmosin opened 9 years ago
RemoteTokenServices
uses a stock RestTemplate
that it creates itself unless you inject one yourself. I suspect you have changed the default settings somehow if it is sending Accept: ...
in any form.
Nope.. There is no any overrides from my side... Here is the bean:
@Bean
ResourceServerTokenServices remoteTokenService() {
RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
remoteTokenServices.setAccessTokenConverter(jwtAccessTokenConverter());
remoteTokenServices.setCheckTokenEndpointUrl(authServerCheckTokenUrl);
remoteTokenServices.setClientId(authServerClientId);
remoteTokenServices.setClientSecret(authServerClientSecret);
return remoteTokenServices;
}
RestTemplate.doExecute uses requestCallback
instance which extends AcceptHeaderRequestCallback
and adds the header
Hi, This is still an issue.
The stock RestTemplate used by RemoteTokenServices will include MappingJackson2XmlHttpMessageConverter
in its messageConverter list in front of the JSON one when that converter bean exists in the context.
The MappingJackson2XmlHttpMessageConverter bean is created when the XmlMapper
class exists in the classpath, which is typically provided by the com.fasterxml.jackson.dataformat:jackson-dataformat-xml
maven dependency:
https://github.com/spring-projects/spring-boot/blob/master/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/http/JacksonHttpMessageConvertersConfiguration.java#L62
Basically, the Spring Security Authorization Server and Resource Server interaction is broken when letting Spring use the default RestTemplates for them when XmlMapper
is in the classpath.
One main issue is that it silently "works" until it doesn't, for example if the user has more than one scope items and the one making it back to the RemoteTokenServices isn't the required one.
See the attached minimal app to reproduce the issue. The unmodified code doesn't work (Executing the tests in AppTest
), then commenting out build.gradle:18
will fix it: removing the jackson-dataformat-xml
dependency.
There is an OAuth2 server based on
spring-security-oauth2 2.0.7.RELEASE
. All the configurations are default except of usingJwtAccessTokenConverter
as a token converter.Resource server uses the same oauth library. In order to validate the token, it calls oauth server's
/check_token
endpoint which returns eitherJSON
orXML
representation of token. This call is made within theRemoteTokenServices.loadAuthentication
method which uses aRestTemplate
as a transport layer. The problem is that somewhere inside the template's implementation there is a code, which add aAccept: application/xml;...
header. This behavior causes oauth server response with XML andRestTemplate
can't parse correctly the nested collections (i.e.authorities
andscope
fields) within the response - they are always treated asString
and not asCollection
.The solution is either override the
RemoteTokenServices
and add manually theAccept: application/json;
header or change oauth server's behavior to ignore this header and returnJSON
by default.