I'm using OAuth 2.0 on my applications. I have 2 apps developed using Spring Boot: one is the authentication URL, https://192.168.1.30:2999/autenticador, and the second, the client, is https://192.168.1.30:2901/.
When I'm using the server without SSL (http://192.168.1.30:2999/autenticador, https://192.168.1.30:2901/) the authorization succeeds. But when I'm using a self-signed certificate I have problems: it returns error 401, Unauthorized, "Authentication Failed: Could not obtain access token". I don't know how or why it's happening.
Observation: the certificate is registered on the computer as trusted; I'm seeing the address bar green.
The client:

```java
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;

// Spring Boot client: @EnableOAuth2Sso makes it obtain the access token from
// the authorization server through the authorization_code flow.
@SpringBootApplication
@EnableOAuth2Sso
public class Application {

    public static void main(String[] args)
            throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
        SpringApplication.run(Application.class, args);
    }
}
```
The OAuth 2.0 configuration on the server:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    // Single in-memory client allowed to use the authorization_code grant.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")
            .authorizedGrantTypes("authorization_code")
            .scopes("read", "trust")
            .resourceIds("resource_id")
            .secret("secret");
    }
}
```
Here is the log of the client after a successful login on the server:

```
2016-06-06 16:47:27.376 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-06-06 16:47:27.377 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-06-06 16:47:27.378 DEBUG [nio-2901-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-06-06 16:47:27.381 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-06-06 16:47:27.382 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout
2016-06-06 16:47:27.383 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/login'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-06-06 16:47:27.384 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-06-06 16:47:27.386 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.s.w.session.SessionManagementFilter : Requested session ID cba2cc9f09d613f91d95fd4764e48a50 is invalid.
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-06-06 16:47:27.389 DEBUG [nio-2901-exec-4] o.s.security.web.FilterChainProxy : / at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
2016-06-06 16:47:27.390 DEBUG [nio-2901-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.1.30; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-06-06 16:47:27.399 DEBUG [nio-2901-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fcae110, returned: -1
2016-06-06 16:47:27.404 DEBUG [nio-2901-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
```
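One check worth running on the client side, as an added example that is not part of the question: the browser trusts the certificate through the operating system's store, but the Spring Boot client requests the access token from its own JVM, which validates the server against the JVM trust store. The probe below attempts the TLS handshake from the JVM to the token endpoint and reports why it fails, if it does, without weakening certificate validation. Assumptions: the token endpoint is Spring's default /oauth/token under the authorization server URL from the question, and server.crt, client-truststore.jks and client.jar are placeholder file names.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class TrustStoreProbe {

    // Assumption: the token endpoint is Spring's default /oauth/token under the
    // authorization server URL from the question.
    static final String TOKEN_ENDPOINT =
            "https://192.168.1.30:2999/autenticador/oauth/token";

    // Returns true when the JVM's trust store accepts the server certificate
    // chain and the certificate matches the host 192.168.1.30.
    static boolean serverTrusted(String url) {
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.connect(); // performs the TLS handshake
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    System.out.println("accepted: " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
            conn.disconnect();
            return true;
        } catch (SSLHandshakeException e) {
            // Typically "PKIX path building failed": the self-signed certificate is
            // in the OS store the browser uses, but not in the JVM's trust store.
            System.out.println("handshake rejected: " + e.getMessage());
            return false;
        } catch (Exception e) {
            // A certificate without 192.168.1.30 in its SubjectAltName fails hostname
            // verification, reported by HttpsURLConnection as "HTTPS hostname wrong".
            System.out.println("connection failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        if (!serverTrusted(TOKEN_ENDPOINT)) {
            // Remedy (placeholder file names): import the server certificate into a
            // trust store and start the client JVM with it:
            //   keytool -importcert -alias autenticador -file server.crt -keystore client-truststore.jks
            //   java -Djavax.net.ssl.trustStore=client-truststore.jks -jar client.jar
            System.out.println("client JVM does not trust the authorization server certificate");
        }
    }
}
```

Run it on the machine and under the same JDK that runs the client application, since that is the trust store that matters for the token request.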
Can you check the configuration in "spring-security.xml" and see if the 'requires-channel' attribute is set to https, not http? If not, set it to https and try.
More info on the issue here: http://docs.spring.io/spring-security/site/faq/faq.html#faq-tomcat-https-session
Sample:

```xml
<intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
<intercept-url pattern="/resources/**" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
<intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
```
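The Java-config equivalent of the answer's requires-channel rules, as an added example rather than code from the question or the answer, since the asker's client is configured with annotations instead of spring-security.xml. The path patterns and roles are copied from the answer's sample; the class name ChannelSecurityConfig is arbitrary.

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Placing @EnableOAuth2Sso on this adapter (instead of on Application) makes
// Spring Boot install the SSO filter into this same filter chain, so the
// channel rules below apply to the OAuth2 login as well.
@Configuration
@EnableOAuth2Sso
public class ChannelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Same path rules as the answer's <intercept-url> entries.
            .authorizeRequests()
                .antMatchers("/login.html").hasRole("ANONYMOUS")
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/admin**").hasRole("ADMIN")
                .antMatchers("/rest/**", "/index", "/upload/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            // requires-channel="https" for every request: a plain-HTTP request is
            // redirected to HTTPS instead of being served, so the session cookie and
            // the authorization code never travel in clear text.
            .requiresChannel()
                .anyRequest().requiresSecure();
    }
}
```

Spring's default port mapper only knows 80 to 443 and 8080 to 8443, so with ports like 2901 the HTTP-to-HTTPS redirect also needs `http.portMapper().http(httpPort).mapsTo(httpsPort)` with the actual port numbers.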