由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,

所有不同的模式下的token需要用  @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。

通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService

但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~

一、哪里重写?

资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities

@RestController

@Slf4j

public class UserController {

  @Autowired

  HttpServletRequest request;

  @GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));
    return principal;
 }

返回的具体用户信息:

 {

     "principal": {

         "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

         "phone": "13918438965",

         "credentialsNonExpired": true,

         "accountNonExpired": true,

         "enabled": true,

         "accountNonLocked": true,

         "username": "4738195728608789333"

     },

     "authenticated": true,

     "oAuth2Request": {

         "redirectUri": "http://www.baidu.com",

         "responseTypes": ["code"],

         "approved": true,

         "extensions": {},

         "clientId": "external",

         "scope": ["auth_base"],

         "requestParameters": {

             "code": "ovzMSk",

             "grant_type": "authorization_code",

             "scope": "auth_base",

             "response_type": "code",

             "redirect_uri": "http://www.baidu.com",

             "state": "123",

             "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",

             "client_id": "external"

         },

         "refresh": false,

         "grantType": "authorization_code",

         "authorities": [{

             "authority": "auth_base"

         }],

         "resourceIds": []

     },

     "clientOnly": false,

     "credentials": "",

     "name": "4738195728608789333",

     "userAuthentication": {

         "principal": {

             "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

             "phone": "13918438965",

             "credentialsNonExpired": true,

             "accountNonExpired": true,

             "enabled": true,

             "accountNonLocked": true,

             "username": "4738195728608789333"

         },

         "authenticated": true,

         "oAuth2Request": {

             "responseTypes": [],

             "approved": true,

             "extensions": {},

             "clientId": "gt",

             "scope": ["frontend"],

             "requestParameters": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "refresh": false,

             "grantType": "password",

             "authorities": [{

                 "authority": "client"

             }],

             "resourceIds": []

         },

         "clientOnly": false,

         "credentials": "",

         "name": "4738195728608789333",

         "userAuthentication": {

             "principal": {

                 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

                 "phone": "13918438965",

                 "credentialsNonExpired": true,

                 "accountNonExpired": true,

                 "enabled": true,

                 "accountNonLocked": true,

                 "username": "4738195728608789333"

             },

             "authenticated": true,

             "name": "4738195728608789333",

             "details": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "authorities": []

         },

         "details": {

             "tokenType": "Bearer",

             "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",

             "remoteAddress": "0:0:0:0:0:0:0:1"

         },

         "authorities": []

     },

     "details": {

         "tokenType": "Bearer",

         "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",

         "remoteAddress": "0:0:0:0:0:0:0:1"

     },

     "authorities": []

 }

二、如何重写?

principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。

为了改变authoritie重写:
@GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));

    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;

    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();

    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();

    // 为了服务端进行token权限隔离 定制OAuth2Authentication

    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());

    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());

    log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));

    return customOAuth2Authentication;

  }

  CustomOAuth2Authentication :

 package com.brightcns.wuxi.citizencard.auth.domain;

 import org.springframework.security.authentication.AbstractAuthenticationToken;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.core.CredentialsContainer;

 import org.springframework.security.core.GrantedAuthority;

 import org.springframework.security.oauth2.provider.OAuth2Request;

 import java.util.Collection;

 /**

  * @author maxianming

  * @date 2018/10/29 13:53

  */

 public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

     private static final long serialVersionUID = -4809832298438307309L;

     private final OAuth2Request storedRequest;

     private final Authentication userAuthentication;

     /**

      * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user

      * authentication may be null.

      * @param storedRequest      The authorization request (must not be null).

      * @param userAuthentication The user authentication (possibly null).

      */

     public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {

         /**

          * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities

          */

         super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());

         this.storedRequest = storedRequest;

         this.userAuthentication = userAuthentication;

     }

     public Object getCredentials() {

         return "";

     }

     public Object getPrincipal() {

         return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication

                 .getPrincipal();

     }

     /**

      * Convenience method to check if there is a user associated with this token, or just a client application.

      *

      * @return true if this token represents a client app not acting on behalf of a user

      */

     public boolean isClientOnly() {

         return userAuthentication == null;

     }

     /**

      * The authorization request containing details of the client application.

      *

      * @return The client authentication.

      */

     public OAuth2Request getOAuth2Request() {

         return storedRequest;

     }

     /**

      * The user authentication.

      *

      * @return The user authentication.

      */

     public Authentication getUserAuthentication() {

         return userAuthentication;

     }

     @Override

     public boolean isAuthenticated() {

         return this.storedRequest.isApproved()

                 && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());

     }

     @Override

     public void eraseCredentials() {

         super.eraseCredentials();

         if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {

             CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();

         }

     }

     @Override

     public boolean equals(Object o) {

         if (this == o) {

             return true;

         }

         if (!(o instanceof CustomOAuth2Authentication)) {

             return false;

         }

         if (!super.equals(o)) {

             return false;

         }

         CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

         if (!storedRequest.equals(that.storedRequest)) {

             return false;

         }

         if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)

                 : that.userAuthentication != null) {

             return false;

         }

         if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {

             // return false;

         }

         return true;

     }

     @Override

     public int hashCode() {

         int result = super.hashCode();

         result = 31 * result + storedRequest.hashCode();

         result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);

         return result;

     }

 }

主要在OAuth2Authentication基础上修改了30-35行代码

												


											
Spring Security OAuth2 token权限隔离的更多相关文章
	

    
								
  1. Spring Security OAuth2 授权失败(401) 问题整理
		
    Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
    
		
    2. 
						
  2. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
		
    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
    
		
    3. 
						
  3. Spring Security 解析(五) —— Spring Security Oauth2 开发
		
    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
    
		
    4. 
						
  4. spring security oauth2搭建resource-server  demo及token改造成JWT令牌
		
    我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
    
		
    5. 
						
  5. 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
		
    微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过  ...
    
		
    6. 
						
  6. 使用Redis作为Spring Security OAuth2的token存储
		
    写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
    
		
    7. 
						
  7. 使用JWT作为Spring Security OAuth2的token存储
		
    序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
    
		
    8. 
						
  8. 【OAuth2.0】Spring Security OAuth2.0篇之初识
		
    不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
    
		
    9. 
						
  9. Spring security oauth2最简单入门环境搭建
		
    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 浅谈AngularJS的$parse服务
			
    $parse 作用:将一个AngularJS表达式转换成一个函数 Usage$parse(expression) arguments expression:需要被编译的AngularJS语句 retu ...
    
			
    2. 
						
  2. Java模拟公司置办货物系统(二)
			
    採用MVC风格,将数据写入文件,模拟公司置办货物系统.  A类表示普通员工,B类表示部门精力,C类表示採购部,D类表示资源管理部. 订单状态 1.表示申请状态 2.表示通过审批 3.表示未通过审批 4 ...
    
			
    3. 
						
  3. mongod安装
			
    mongod.exe --dbpath "D:\Program Files\MongoDB\log\log.txt" mongod.exe --dbpath "D:\Pr ...
    
			
    4. 
						
  4. OpenCV3+Python3
			
    OpenCV3计算机视觉Python语言实现笔记 图像处理与OpenCV Python3与OpenCV3.3 图像处理 OpenCV文摘 基于Python3 + OpenCV3.3.1的远程监控程序  ...
    
			
    5. 
						
  5. linux 清内存
			
    注意:首先我们需要使用sync指令,将所有未写的系统缓冲区写到磁盘中,包含已修改的 i-node.已延迟的块 I/O 和读写映射文件.否则在释放缓存的过程中,可能会丢失未保存的文件. 的值可以为0~3 ...
    
			
    6. 
						
  6. 【C语言】18-变量类型
			
    一.变量的作用域 C语言根据变量作用域的不同,将变量分为局部变量和全局变量. 1.局部变量 1> 定义:在函数内部定义的变量,称为局部变量.形式参数也属于局部变量. 2> 作用域:局部变量 ...
    
			
    7. 
						
  7. MySQL编程API
			
    1.MySQL API数据结构 MySQL API中用到了很多结构体类型,下面就简单说一下常用的结构体. MYSQL 连接数据库前,必须先创建MYSQL变量,此变量在很多MySQL API函数中会用到 ...
    
			
    8. 
						
  8. oracle锁表,杀死进程
			
    查询锁表数据 select object_name,machine,s.sid,s.serial#from v$locked_object l,dba_objects o ,v$session swh ...
    
			
    9. 
						
  9. C++-教程2-VS2010C++相关文件说明
			
    stdafx.h说明:stdafx的英文全称为:Standard Application Framework Extensions(标准应用程序框架的扩展).所谓头文件预编译,就是把一个工程(Proj ...
    
			
    10. 
						
  10. python学习笔记(4)--聊天记录处理
			
    说明: 1.把冒号和前面的名字去掉 2.男的台词放一个txt文件,女的台词放一个txt文件 3.遇到======就重新生成一个文件 record.txt: 婷婷:迪迪早啊! 迪迪:早啊! 婷婷:111 ...
    
			
    11.