User must be authenticated with Spring Security before authorization can be completed.解决方法

原创已于 2022-11-26 22:20:21 修改 · 3.9k 阅读

5 ·

CC 4.0 BY-SA版权

文章标签：

#spring #java #servlet

于 2022-11-26 22:20:09 首次发布

JAVA 专栏收录该内容

317 篇文章

订阅专栏

在集成SpringCloud OAuth时遇到授权错误'User must be authenticated with Spring Security before authorization can be completed.'。问题源于请求中缺少用户信息，导致Principal为null。解决方法是正确配置登录页面，如将'/login'改为'/sso/login'，确保用户认证流程正常执行，避免 InsufficientAuthenticationException 异常并能正确跳转到登录界面。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

【现象】

springcloud集成OAuth时，访问/oauth/authorize时，报如下错误：

org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
	at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:143)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:897)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882)

【定位】

在这个方法中，如果principal为null时即生成User must be authenticated with Spring Security before authorization can be completed.异常。

principal在org.springframework.web.servlet.mvc.method.annotation.ServletRequestMethodArgumentResolver类的resolveArgument方法中生成的。在resolveArgument方法中第162行中 Principal userPrincipal = request.getUserPrincipal();如果request中不存在用户信息，则Principal 无法取得，造成参数为Null情况。

抛出InsufficientAuthenticationException异常后由过滤器拦截，跳转到登录界面，报这个错误的原因为无法跳转到登录界面。

【解决方法】

设置正确的登录界面，下面举例如下：

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login")
                .permitAll()
                .and().authorizeRequests().anyRequest().permitAll()
                .and().csrf().disable().cors()
                .and().addFilterAt(ignoreLogoutFilter, LogoutFilter.class)
                .addFilterAt(customBasicAuthenticationFilter(), BasicAuthenticationFilter.class);
    }

修改为：

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/sso/login")
                .permitAll()
                .and().authorizeRequests().anyRequest().permitAll()
                .and().csrf().disable().cors()
                .and().addFilterAt(ignoreLogoutFilter, LogoutFilter.class)
                .addFilterAt(customBasicAuthenticationFilter(), BasicAuthenticationFilter.class);
    }