Tag Archives: oauth2

Springboot2 oauth2 Error: Possible CSRF detected – state parameter was required but no state could

In the beginning, it was no problem to integrate oauth2 with springboot1.5, but now it has been upgraded to springboot2.1

question 1

Possible CSRF detected - state parameter was required but no state could be found

Client code

@EnableOAuth2Sso
@Configuration
public class UiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/", "/login**")
                .permitAll()
                .anyRequest()
                .authenticated();
    }

}

After getting the code, stayed on the landing page and found the following solutions on the Internet: 1. Configure server. Servlet. Session. Cookie. Name = upsessionid, but this attempt failed. 2. Set the code policy authcodeprovider. Setstatemandatory (false); A lot of code has been changed here

@Configuration
@EnableOAuth2Client
@EnableGlobalMethodSecurity(prePostEnabled=true)//open @PreAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private OAuth2ClientContext oauth2ClientContext;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
//        // @formatter:off
        http.authorizeRequests()
                .anyRequest().authenticated().and()
                .formLogin().loginPage("/login").permitAll().and()
                .exceptionHandling().and()
                .logout().logoutSuccessUrl("/login").permitAll()
                .and().headers().frameOptions().sameOrigin()
                .and().csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);//Here it needs to be configured before basic
    }
    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    @Bean
    @ConfigurationProperties("security.oauth2")
    public ClientResources trina() {
        return new ClientResources();
    }

    private Filter ssoFilter() {
        CompositeFilter filter = new CompositeFilter();
        List<filter> filters = new ArrayList<filter>();
        filters.add(ssoFilter(trina(), "/login"));
        filter.setFilters(filters);
        return filter;
    }
    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationFilter = new OAuth2ClientAuthenticationProcessingFilter(
                path);
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), this.oauth2ClientContext);
        oAuth2ClientAuthenticationFilter.setRestTemplate(oAuth2RestTemplate);
        AuthorizationCodeAccessTokenProvider authCodeProvider = new AuthorizationCodeAccessTokenProvider();
        authCodeProvider.setStateMandatory(false);
        AccessTokenProviderChain provider = new AccessTokenProviderChain(
                Arrays.asList(authCodeProvider));
        oAuth2RestTemplate.setAccessTokenProvider(provider);
        UserInfoTokenServices tokenServices = new UserInfoTokenServices(client.getResource().getUserInfoUri(),
                client.getClient().getClientId());
        tokenServices.setRestTemplate(oAuth2RestTemplate);
        oAuth2ClientAuthenticationFilter.setTokenServices(tokenServices);
        return oAuth2ClientAuthenticationFilter;
    }

}

class ClientResources {

    @NestedConfigurationProperty
    private AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();

    @NestedConfigurationProperty
    private ResourceServerProperties resource = new ResourceServerProperties();

    public AuthorizationCodeResourceDetails getClient() {
        return client;
    }

    public ResourceServerProperties getResource() {
        return resource;
    }
}

Access the connection after modification, and jump to the specified page after login& </ filter>&</ filter>