由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,

所有不同的模式下的token需要用  @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。

通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService

但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~

一、哪里重写?

资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities

@RestController

@Slf4j

public class UserController {

  @Autowired

  HttpServletRequest request;

  @GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));
    return principal;
 }

返回的具体用户信息:

 {

     "principal": {

         "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

         "phone": "13918438965",

         "credentialsNonExpired": true,

         "accountNonExpired": true,

         "enabled": true,

         "accountNonLocked": true,

         "username": "4738195728608789333"

     },

     "authenticated": true,

     "oAuth2Request": {

         "redirectUri": "http://www.baidu.com",

         "responseTypes": ["code"],

         "approved": true,

         "extensions": {},

         "clientId": "external",

         "scope": ["auth_base"],

         "requestParameters": {

             "code": "ovzMSk",

             "grant_type": "authorization_code",

             "scope": "auth_base",

             "response_type": "code",

             "redirect_uri": "http://www.baidu.com",

             "state": "123",

             "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",

             "client_id": "external"

         },

         "refresh": false,

         "grantType": "authorization_code",

         "authorities": [{

             "authority": "auth_base"

         }],

         "resourceIds": []

     },

     "clientOnly": false,

     "credentials": "",

     "name": "4738195728608789333",

     "userAuthentication": {

         "principal": {

             "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

             "phone": "13918438965",

             "credentialsNonExpired": true,

             "accountNonExpired": true,

             "enabled": true,

             "accountNonLocked": true,

             "username": "4738195728608789333"

         },

         "authenticated": true,

         "oAuth2Request": {

             "responseTypes": [],

             "approved": true,

             "extensions": {},

             "clientId": "gt",

             "scope": ["frontend"],

             "requestParameters": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "refresh": false,

             "grantType": "password",

             "authorities": [{

                 "authority": "client"

             }],

             "resourceIds": []

         },

         "clientOnly": false,

         "credentials": "",

         "name": "4738195728608789333",

         "userAuthentication": {

             "principal": {

                 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

                 "phone": "13918438965",

                 "credentialsNonExpired": true,

                 "accountNonExpired": true,

                 "enabled": true,

                 "accountNonLocked": true,

                 "username": "4738195728608789333"

             },

             "authenticated": true,

             "name": "4738195728608789333",

             "details": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "authorities": []

         },

         "details": {

             "tokenType": "Bearer",

             "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",

             "remoteAddress": "0:0:0:0:0:0:0:1"

         },

         "authorities": []

     },

     "details": {

         "tokenType": "Bearer",

         "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",

         "remoteAddress": "0:0:0:0:0:0:0:1"

     },

     "authorities": []

 }

二、如何重写?

principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。

为了改变authoritie重写:
@GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));

    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;

    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();

    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();

    // 为了服务端进行token权限隔离 定制OAuth2Authentication

    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());

    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());

    log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));

    return customOAuth2Authentication;

  }

  CustomOAuth2Authentication :

 package com.brightcns.wuxi.citizencard.auth.domain;

 import org.springframework.security.authentication.AbstractAuthenticationToken;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.core.CredentialsContainer;

 import org.springframework.security.core.GrantedAuthority;

 import org.springframework.security.oauth2.provider.OAuth2Request;

 import java.util.Collection;

 /**

  * @author maxianming

  * @date 2018/10/29 13:53

  */

 public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

     private static final long serialVersionUID = -4809832298438307309L;

     private final OAuth2Request storedRequest;

     private final Authentication userAuthentication;

     /**

      * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user

      * authentication may be null.

      * @param storedRequest      The authorization request (must not be null).

      * @param userAuthentication The user authentication (possibly null).

      */

     public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {

         /**

          * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities

          */

         super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());

         this.storedRequest = storedRequest;

         this.userAuthentication = userAuthentication;

     }

     public Object getCredentials() {

         return "";

     }

     public Object getPrincipal() {

         return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication

                 .getPrincipal();

     }

     /**

      * Convenience method to check if there is a user associated with this token, or just a client application.

      *

      * @return true if this token represents a client app not acting on behalf of a user

      */

     public boolean isClientOnly() {

         return userAuthentication == null;

     }

     /**

      * The authorization request containing details of the client application.

      *

      * @return The client authentication.

      */

     public OAuth2Request getOAuth2Request() {

         return storedRequest;

     }

     /**

      * The user authentication.

      *

      * @return The user authentication.

      */

     public Authentication getUserAuthentication() {

         return userAuthentication;

     }

     @Override

     public boolean isAuthenticated() {

         return this.storedRequest.isApproved()

                 && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());

     }

     @Override

     public void eraseCredentials() {

         super.eraseCredentials();

         if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {

             CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();

         }

     }

     @Override

     public boolean equals(Object o) {

         if (this == o) {

             return true;

         }

         if (!(o instanceof CustomOAuth2Authentication)) {

             return false;

         }

         if (!super.equals(o)) {

             return false;

         }

         CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

         if (!storedRequest.equals(that.storedRequest)) {

             return false;

         }

         if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)

                 : that.userAuthentication != null) {

             return false;

         }

         if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {

             // return false;

         }

         return true;

     }

     @Override

     public int hashCode() {

         int result = super.hashCode();

         result = 31 * result + storedRequest.hashCode();

         result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);

         return result;

     }

 }

主要在OAuth2Authentication基础上修改了30-35行代码

												


											
Spring Security OAuth2 token权限隔离的更多相关文章
	

    
								
  1. Spring Security OAuth2 授权失败(401) 问题整理
		
    Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
    
		
    2. 
						
  2. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
		
    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
    
		
    3. 
						
  3. Spring Security 解析(五) —— Spring Security Oauth2 开发
		
    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
    
		
    4. 
						
  4. spring security oauth2搭建resource-server  demo及token改造成JWT令牌
		
    我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
    
		
    5. 
						
  5. 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
		
    微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过  ...
    
		
    6. 
						
  6. 使用Redis作为Spring Security OAuth2的token存储
		
    写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
    
		
    7. 
						
  7. 使用JWT作为Spring Security OAuth2的token存储
		
    序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
    
		
    8. 
						
  8. 【OAuth2.0】Spring Security OAuth2.0篇之初识
		
    不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
    
		
    9. 
						
  9. Spring security oauth2最简单入门环境搭建
		
    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 【Tips】【UE】总结自己常用的UltraEdit使用技巧
			
    如果您问我每天都要打开的软件是什么,那毫无疑问是UltraEdit!作为一位DBA,每天都要写各种脚本,尤其是在对具有超多行行的大文件进行精心编辑时,没有一个好的文本编辑器是不成的.掐指一算,哇塞,自 ...
    
			
    2. 
						
  2. 边沿检测电路设计verilog
			
    Abstract 边沿检测电路(edge detection circuit)是个常用的基本电路. Introduction 所谓边沿检测就是对前一个clock状态和目前clock状态的比较,如果是由 ...
    
			
    3. 
						
  3. 利用ngModel相关属性及方法自定义表单验证指令
			
    这是一个只能输入偶数的验证指令
    
			
    4. 
						
  4. ELK-“线上标准文档”——测试
			
    Elasticstack官网:https://www.elastic.co 本文档仅限搭建过程参考,使用相关的文档,不在本文档讨论范围之内. 一切依据的核心即是Elasticstack官网. 查看支持 ...
    
			
    5. 
						
  5. inline函数出现 undefined reference 错误
			
    原因:你把inline函数的implementation放到cpp文件里肯定要报这个错误 正确的做法:把inline函数的声明和实现都放到header里,例如 // declaration: retu ...
    
			
    6. 
						
  6. 使用JSTL的xml:parse标签(或者说x:parse)出现异常NoSuchMethodError,找不到doc的setter method
			
    症状: 如题 <c:import var="hz" url="/xyz/abc.xml" charEncoding="UTF-8"/& ...
    
			
    7. 
						
  7. dbcp 详细配置
			
    1.配置参数 username : 连接用户名 password:  连接密码 url :  连接 url( 如果连接 mysql ,格式为 jdbc:mysql://ip:port/dbname)  ...
    
			
    8. 
						
  8. poj3250单调栈
			
    有n只羊,(姑且算是羊吧,也有可能是牛啊猫啊什么之类的),每只羊都有一个身高,前面的羊要看到后面的羊的条件是,后面的羊高度要小于前面的羊,就问各位羊加起来看到的牛多少只....... #include ...
    
			
    9. 
						
  9. C语言  ·  三角形面积
			
     算法提高 三角形面积   时间限制:1.0s   内存限制:256.0MB      问题描述 由三角形的三边长,求其面积. 提示:由三角形的三边a,b,c求面积可以用如下的公式: s=(a+b+c ...
    
			
    10. 
						
  10. [内核]procfs和sysfs
			
    转自:https://www.ibm.com/developerworks/cn/linux/l-cn-sysfs/ 使用 sys 文件系统访问 Linux 内核 sysfs 的历史其与 proc 的 ...
    
			
    11.