问题
I'm working with a spring-boot application having OAuth2 single sign-on (in development, but already working).
and I changed session-store from Tomcat to Redis.
Problem
I got ClassCastException when I try to get my User object from SecurityContextHolder.
Storing User object to UsernamePasswordAuthenticationToken
@Service
@Transactional
public class MyTokenService implements ResourceServerTokenServices {
@Setter
private OAuth2RestOperations restTemplate;
@Autowired
ResourceServerProperties sso;
@Override
public OAuth2Authentication loadAuthentication(String accessToken)
throws AuthenticationException, InvalidTokenException {
// get from http://some-auth-provider/me
MyUser myUser = getMyInfo();
// persist to mysql
UserEntity user = save(myUser);
OAuth2Request request =
new OAuth2Request(null, sso.getClientId(), null, true, null, null, null, null, null);
// org.springframework.boot.devtools.restart.classloader.RestartClassLoader@3d66ad6e
logger.info(user.getClass().getClassLoader().toString());
UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken(user.getId(), "N/A", user.getAuthorities());
token.setDetails(user);
return new OAuth2Authentication(request, token);
}
@Override
public OAuth2AccessToken readAccessToken(String accessToken) {
throw new UnsupportedOperationException("Not supported: read access token");
}
}
Session after authenticated
127.0.0.1:6379> keys *
1) "spring:session:expirations:1445309400000"
2) "spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2"
127.0.0.1:6379> hkeys spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2
1) "sessionAttr:SPRING_SECURITY_SAVED_REQUEST"
2) "sessionAttr:org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN"
3) "lastAccessedTime"
4) "maxInactiveInterval"
5) "sessionAttr:SPRING_SECURITY_LAST_EXCEPTION"
6) "sessionAttr:SPRING_SECURITY_CONTEXT"
7) "creationTime"
127.0.0.1:6379> type spring:session:sessions:3447d160-5f41-49c9-abf9-2bf0ef2e6bc2:sessionAttr:SPRING_SECURITY_CONTEXT
none
Retreiving User object (after authenticated)
public UserEntity getMyInfo() {
OAuth2Authentication oAuth2Authentication =
(OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
Long userId = (Long) oAuth2Authentication.getPrincipal();
UsernamePasswordAuthenticationToken userAuthentication =
(UsernamePasswordAuthenticationToken) oAuth2Authentication.getUserAuthentication();
try {
// sun.misc.Launcher$AppClassLoader@14dad5dc
logger.info(userAuthentication.getDetails().getClass().getClassLoader().toString());
return (UserEntity) userAuthentication.getDetails();
} catch (Exception e) {
// fixme ClassCastException
// workaround
return userRepository.accountDetail(userId);
}
}
I debug userAuthentication object and I confirm userAuthentication.details having MyUser object.
so ClassCastException occur on casting UserEntity to UserEntity, but why?
I can get principal (=UserEntity.id) correctly.
Does anyone have any solution?
below is part of current configuration.
Dependencies
springBootVersion = '1.3.0.RC1'
compile("org.springframework.boot:spring-boot-starter-redis")
compile("org.springframework.session:spring-session")
compile("com.github.kstyrc:embedded-redis:0.6")
Redis Configuration
@Configuration
@EnableRedisHttpSession
public class RedisConfig {
private static RedisServer redisServer;
@Profile({"local", "unit"})
@Bean
public RedisConnectionFactory connectionFactory() throws IOException {
RedisExecProvider customProvider = RedisExecProvider.defaultProvider()
.override(OS.MAC_OS_X, Architecture.x86_64, "/path/to/redis/3.0.2/redis-server");
redisServer = new RedisServerBuilder()
.redisExecProvider(customProvider)
.port(Protocol.DEFAULT_PORT)
.build();
redisServer.start();
return new JedisConnectionFactory();
}
@Profile({"local", "unit"})
@PreDestroy
public void destroy() {
if (redisServer != null) {
redisServer.stop();
}
}
@Bean
@ConditionalOnMissingBean(RequestContextFilter.class)
public RequestContextFilter requestContextFilter() {
return new RequestContextFilter();
}
@Bean
public FilterRegistrationBean requestContextFilterChainRegistration(
@Qualifier("requestContextFilter") Filter securityFilter) {
FilterRegistrationBean registration = new FilterRegistrationBean(securityFilter);
registration.setOrder(SessionRepositoryFilter.DEFAULT_ORDER + 1);
registration.setName("requestContextFilter");
return registration;
}
OAuth2 Sso configuration
@Configuration
@EnableOAuth2Sso
@EnableWebSecurity
public class OAuth2Config extends WebSecurityConfigurerAdapter {
@Autowired
ResourceServerProperties sso;
@Autowired
@Qualifier("userInfoRestTemplate")
private OAuth2RestOperations restTemplate;
@Primary
@Bean
public ResourceServerTokenServices userInfoTokenServices() {
MyTokenService tokenService = new MyTokenService();
tokenService.setRestTemplate(restTemplate);
return tokenService;
}
// ...
}
Similar problem
OAuth2ClientContext (spring-security-oauth2) not persisted in Redis when using spring-session and spring-cloud-security
I change filter order (in RedisConfig.java) as above answer, but it doesn't work.
My current filter order is below.
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'metricFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'springSessionRepositoryFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'OAuth2ClientContextFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'webRequestLoggingFilter' to: [/*]
o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'applicationContextIdFilter' to: [/*]
Update code
the cause of ClassCastException is ClassLoader's mismatch.
org.springframework.boot.devtools.restart.classloader.RestartClassLoader and sun.misc.Launcher$AppClassLoader
but I have no idea to solve this problem, as ever.
Solved!
I change filter order below and it works.
- requestContextFilter
- oAuth2ClientContextFilter
- springSessionRepositoryFilter
来源:https://stackoverflow.com/questions/33229311/spring-boot-1-3-0-rc1-classcastexception-in-getting-oauth2-user-info-from-sess