Spring Security OAuth2 token权限隔离
由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,
所有不同的模式下的token需要用 @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。
通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService
但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~
一、哪里重写?
资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities
@RestController
@Slf4j
public class UserController { @Autowired
HttpServletRequest request; @GetMapping("/user")
public Principal user(Principal principal) {
log.info("获取user信息:{}", JSON.toJSON(principal));
return principal;
}
返回的具体用户信息:
{
"principal": {
"password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
"phone": "13918438965",
"credentialsNonExpired": true,
"accountNonExpired": true,
"enabled": true,
"accountNonLocked": true,
"username": "4738195728608789333"
},
"authenticated": true,
"oAuth2Request": {
"redirectUri": "http://www.baidu.com",
"responseTypes": ["code"],
"approved": true,
"extensions": {},
"clientId": "external",
"scope": ["auth_base"],
"requestParameters": {
"code": "ovzMSk",
"grant_type": "authorization_code",
"scope": "auth_base",
"response_type": "code",
"redirect_uri": "http://www.baidu.com",
"state": "123",
"client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",
"client_id": "external"
},
"refresh": false,
"grantType": "authorization_code",
"authorities": [{
"authority": "auth_base"
}],
"resourceIds": []
},
"clientOnly": false,
"credentials": "",
"name": "4738195728608789333",
"userAuthentication": {
"principal": {
"password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
"phone": "13918438965",
"credentialsNonExpired": true,
"accountNonExpired": true,
"enabled": true,
"accountNonLocked": true,
"username": "4738195728608789333"
},
"authenticated": true,
"oAuth2Request": {
"responseTypes": [],
"approved": true,
"extensions": {},
"clientId": "gt",
"scope": ["frontend"],
"requestParameters": {
"auth_type": "sms",
"device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
"grant_type": "password",
"client_id": "gt",
"username": "13918438965"
},
"refresh": false,
"grantType": "password",
"authorities": [{
"authority": "client"
}],
"resourceIds": []
},
"clientOnly": false,
"credentials": "",
"name": "4738195728608789333",
"userAuthentication": {
"principal": {
"password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
"phone": "13918438965",
"credentialsNonExpired": true,
"accountNonExpired": true,
"enabled": true,
"accountNonLocked": true,
"username": "4738195728608789333"
},
"authenticated": true,
"name": "4738195728608789333",
"details": {
"auth_type": "sms",
"device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
"grant_type": "password",
"client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",
"client_id": "gt",
"username": "13918438965"
},
"authorities": []
},
"details": {
"tokenType": "Bearer",
"tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",
"remoteAddress": "0:0:0:0:0:0:0:1"
},
"authorities": []
},
"details": {
"tokenType": "Bearer",
"tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",
"remoteAddress": "0:0:0:0:0:0:0:1"
},
"authorities": []
}
二、如何重写?
principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。 为了改变authoritie重写:
@GetMapping("/user")
public Principal user(Principal principal) {
log.info("获取user信息:{}", JSON.toJSON(principal));
OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;
OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();
Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
// 为了服务端进行token权限隔离 定制OAuth2Authentication
CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());
customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());
log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));
return customOAuth2Authentication;
}
CustomOAuth2Authentication :
package com.brightcns.wuxi.citizencard.auth.domain; import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Request; import java.util.Collection; /**
* @author maxianming
* @date 2018/10/29 13:53
*/
public class CustomOAuth2Authentication extends AbstractAuthenticationToken { private static final long serialVersionUID = -4809832298438307309L; private final OAuth2Request storedRequest; private final Authentication userAuthentication; /**
* Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user
* authentication may be null.
* @param storedRequest The authorization request (must not be null).
* @param userAuthentication The user authentication (possibly null).
*/
public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {
/**
* 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities
*/
super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());
this.storedRequest = storedRequest;
this.userAuthentication = userAuthentication;
} public Object getCredentials() {
return "";
} public Object getPrincipal() {
return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication
.getPrincipal();
} /**
* Convenience method to check if there is a user associated with this token, or just a client application.
*
* @return true if this token represents a client app not acting on behalf of a user
*/
public boolean isClientOnly() {
return userAuthentication == null;
} /**
* The authorization request containing details of the client application.
*
* @return The client authentication.
*/
public OAuth2Request getOAuth2Request() {
return storedRequest;
} /**
* The user authentication.
*
* @return The user authentication.
*/
public Authentication getUserAuthentication() {
return userAuthentication;
} @Override
public boolean isAuthenticated() {
return this.storedRequest.isApproved()
&& (this.userAuthentication == null || this.userAuthentication.isAuthenticated());
} @Override
public void eraseCredentials() {
super.eraseCredentials();
if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {
CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();
}
} @Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (!(o instanceof CustomOAuth2Authentication)) {
return false;
}
if (!super.equals(o)) {
return false;
} CustomOAuth2Authentication that = (CustomOAuth2Authentication) o; if (!storedRequest.equals(that.storedRequest)) {
return false;
}
if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)
: that.userAuthentication != null) {
return false;
} if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {
// return false;
} return true;
} @Override
public int hashCode() {
int result = super.hashCode();
result = 31 * result + storedRequest.hashCode();
result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);
return result;
} }
主要在OAuth2Authentication基础上修改了30-35行代码
Spring Security OAuth2 token权限隔离的更多相关文章
- Spring Security OAuth2 授权失败(401) 问题整理
Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
- Spring Security 解析(七) —— Spring Security Oauth2 源码解析
Spring Security 解析(七) -- Spring Security Oauth2 源码解析 在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
- Spring Security 解析(五) —— Spring Security Oauth2 开发
Spring Security 解析(五) -- Spring Security Oauth2 开发 在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
- spring security oauth2搭建resource-server demo及token改造成JWT令牌
我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
- 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过 ...
- 使用Redis作为Spring Security OAuth2的token存储
写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
- 使用JWT作为Spring Security OAuth2的token存储
序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
- 【OAuth2.0】Spring Security OAuth2.0篇之初识
不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
- Spring security oauth2最简单入门环境搭建
关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
随机推荐
- FTL页面常用到的一些方法combobox、combotree、datagrid
参考文件:点击下载 1.combobox: (1).js 1)初始化combobox //相似度 $('#same').combobox({ //url:"<@s.url value= ...
- Swift 的 pod 第三方库
#HTTPpod 'Alamofire' #Elegant HTTP Networking in Swiftpod 'SwiftHTTP' #Thin wrapper around NSURLSess ...
- spring概念简介、bean扫描与注册实现方式
写在前面:本文作为整理,包含很多个人理解,有跳跃成份,初学者如果看晕了,可以先看其它同类文章,或者……多看几遍. 一.概念部分: 1.spring概念:网上有很多 2.spring核心:IOC(DI) ...
- C# FTP操作类可用
public class FtpClient { #region 构造函数 /// <summary> /// 创建FTP工具 /// <para> /// 默认不使用SSL, ...
- 动态更新highcharts数据
<!doctype html> <html> <head> <script type="text/javascript" src=&quo ...
- location 设定某个文件的过期时间,并不记录访问日志
网页的根目录本来是: 6 root /app/www/default; [root@web01 default]# cat /app/server/nginx/conf/vhosts/default. ...
- Struts2初学 struts.xml详解 一
一.简介 Struts 2是一个MVC框架,以WebWork设计思想为核心,吸收了Struts 1的部分优点 二.详解 首先让我们看一下一个简单的struts.xml文件的结构 < ...
- FreeRTOS基础知识
前面一篇文章介绍了一些命名规范之类的基础知识,但是我觉得还缺少一定前言知识,就是裸机和操作系统有什么区别,为什么我们需要学freertos,因为招聘要求?那么为什么招聘网又会有这个要求呢?所以我们为什 ...
- C++ 百炼成钢20
题目56: 编写C++程序完成以下功能:(1)定义一个Point类,其属性包括点的坐标,提供计算两点之间距离的方法:(2)定义一个圆形类,其属性包括圆心和半径:(3)创建两个圆形对象,提示用户输入圆心 ...
- 【vijos】1164 曹冲养猪(中国剩余定理)
https://vijos.org/p/1164 好赞orz. 对于求一组线性同余方程 x=a[i](mod m[i]) 这里任意两个m[i]和m[j]都互质 那么可以用中国剩余定理来做. 对中国剩余 ...