spring-boot 1.3.0.RC1 : ClassCastException in getting oauth2 user info from session persisted in Redis

橙三吉。 提交于 2019-12-11 01:07:51

问题


I'm working with a spring-boot application having OAuth2 single sign-on (in development, but already working).

and I changed session-store from Tomcat to Redis.

Problem

I got ClassCastException when I try to get my User object from SecurityContextHolder.

Storing User object to UsernamePasswordAuthenticationToken

@Service
@Transactional
public class MyTokenService implements ResourceServerTokenServices {

  @Setter
  private OAuth2RestOperations restTemplate;

  @Autowired
  ResourceServerProperties sso;

  @Override
  public OAuth2Authentication loadAuthentication(String accessToken)
      throws AuthenticationException, InvalidTokenException {

    // get from http://some-auth-provider/me
    MyUser myUser = getMyInfo();

    // persist to mysql
    UserEntity user = save(myUser);

    OAuth2Request request =
        new OAuth2Request(null, sso.getClientId(), null, true, null, null, null, null, null);

    // org.springframework.boot.devtools.restart.classloader.RestartClassLoader@3d66ad6e
    logger.info(user.getClass().getClassLoader().toString());

    UsernamePasswordAuthenticationToken token =
        new UsernamePasswordAuthenticationToken(user.getId(), "N/A", user.getAuthorities());
    token.setDetails(user);

    return new OAuth2Authentication(request, token);
  }

  @Override
  public OAuth2AccessToken readAccessToken(String accessToken) {
    throw new UnsupportedOperationException("Not supported: read access token");
  }
}

Session after authenticated

127.0.0.1:6379> keys *
1) "spring:session:expirations:1445309400000"
2) "spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2"
127.0.0.1:6379> hkeys spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2
1) "sessionAttr:SPRING_SECURITY_SAVED_REQUEST"
2) "sessionAttr:org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN"
3) "lastAccessedTime"
4) "maxInactiveInterval"
5) "sessionAttr:SPRING_SECURITY_LAST_EXCEPTION"
6) "sessionAttr:SPRING_SECURITY_CONTEXT"
7) "creationTime"
127.0.0.1:6379> type spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2:sessionAttr:SPRING_SECURITY_CONTEXT
none

Retreiving User object (after authenticated)

public UserEntity getMyInfo() {

  OAuth2Authentication oAuth2Authentication =
      (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();

  Long userId = (Long) oAuth2Authentication.getPrincipal();

  UsernamePasswordAuthenticationToken userAuthentication =
        (UsernamePasswordAuthenticationToken) oAuth2Authentication.getUserAuthentication();

  try {
    // sun.misc.Launcher$AppClassLoader@14dad5dc
    logger.info(userAuthentication.getDetails().getClass().getClassLoader().toString());

    return (UserEntity) userAuthentication.getDetails(); 
  } catch (Exception e) {
    // fixme ClassCastException

    // workaround
    return userRepository.accountDetail(userId);
  }
}

I debug userAuthentication object and I confirm userAuthentication.details having MyUser object. so ClassCastException occur on casting UserEntity to UserEntity, but why?

I can get principal (=UserEntity.id) correctly.

Does anyone have any solution?

below is part of current configuration.

Dependencies

springBootVersion = '1.3.0.RC1'

compile("org.springframework.boot:spring-boot-starter-redis")
compile("org.springframework.session:spring-session")
compile("com.github.kstyrc:embedded-redis:0.6")

Redis Configuration

@Configuration
@EnableRedisHttpSession
public class RedisConfig {

  private static RedisServer redisServer;

  @Profile({"local", "unit"})
  @Bean
  public RedisConnectionFactory connectionFactory() throws IOException {

    RedisExecProvider customProvider = RedisExecProvider.defaultProvider()
      .override(OS.MAC_OS_X, Architecture.x86_64, "/path/to/redis/3.0.2/redis-server");

    redisServer = new RedisServerBuilder()
      .redisExecProvider(customProvider)
      .port(Protocol.DEFAULT_PORT)
      .build();

    redisServer.start();

    return new JedisConnectionFactory();
  }

  @Profile({"local", "unit"})
  @PreDestroy
  public void destroy() {

    if (redisServer != null) {
      redisServer.stop();
    }
  }

  @Bean
  @ConditionalOnMissingBean(RequestContextFilter.class)
  public RequestContextFilter requestContextFilter() {

    return new RequestContextFilter();
  }

  @Bean
  public FilterRegistrationBean requestContextFilterChainRegistration(
  @Qualifier("requestContextFilter") Filter securityFilter) {

    FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
    registration.setOrder(SessionRepositoryFilter.DEFAULT_ORDER + 1);
    registration.setName("requestContextFilter");

    return registration;
  }

OAuth2 Sso configuration

@Configuration
@EnableOAuth2Sso
@EnableWebSecurity
public class OAuth2Config extends WebSecurityConfigurerAdapter {

  @Autowired
  ResourceServerProperties sso;

  @Autowired
  @Qualifier("userInfoRestTemplate")
  private OAuth2RestOperations restTemplate;

  @Primary
  @Bean
  public ResourceServerTokenServices userInfoTokenServices() {

    MyTokenService tokenService = new MyTokenService();
    tokenService.setRestTemplate(restTemplate);

    return tokenService;
  }

  // ...
}

Similar problem

OAuth2ClientContext (spring-security-oauth2) not persisted in Redis when using spring-session and spring-cloud-security

I change filter order (in RedisConfig.java) as above answer, but it doesn't work.

My current filter order is below.

o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'metricFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'springSessionRepositoryFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'requestContextFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'characterEncodingFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'OAuth2ClientContextFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'springSecurityFilterChain' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'webRequestLoggingFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'applicationContextIdFilter' to: [/*]

Update code

the cause of ClassCastException is ClassLoader's mismatch.

org.springframework.boot.devtools.restart.classloader.RestartClassLoader and sun.misc.Launcher$AppClassLoader

but I have no idea to solve this problem, as ever.

Solved!

I change filter order below and it works.

  1. requestContextFilter
  2. oAuth2ClientContextFilter
  3. springSessionRepositoryFilter

来源:https://stackoverflow.com/questions/33229311/spring-boot-1-3-0-rc1-classcastexception-in-getting-oauth2-user-info-from-sess

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!