Spring security config for oauth2Login using user's roles instead of scope

The decoded JWT is

{
  "dateTime": 1643825042420,
  "aud": [
    "documentRepository",
    "user"
  ],
  "user_name": "admin",
  "scope": [
    "read",
    "write"
  ],
  "exp": 1643826842,
  "userDetails": {
    "userName": "admin",
    "enable": true,
    "department": null,
    "empId": null,
    "email": null
  },
  "authorities": [
    "ROLE_ADMIN_USER",
    "ROLE_OFFICE_USER"
  ],
  "jti": "8c548137-1f55-4177-a562-8f333a905ee5",
  "client_id": "xyz"
}

The security config is

@Override
public void configure(HttpSecurity http) throws Exception {

     http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(
                "/", "/login**"
            )
            .permitAll()
            .antMatchers("/**")
                .hasRole("OFFICE_USER") // intended check: only ROLE_USER / SCOPE_read / SCOPE_write are present here, so this fails
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
}

Tried adding the roles manually

.successHandler(new AuthenticationSuccessHandler() {

    @Override
    public void onAuthenticationSuccess(
        HttpServletRequest request,
        HttpServletResponse response,
        Authentication authentication) throws IOException, ServletException
    {
        OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) authentication;

        // getAuthorities() returns an unmodifiable collection, so this addAll() throws
        token.getAuthorities().addAll(
            AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_OFFICE_USER,ROLE_ADMIN_USER")
        );

    }
});

Which resulted in an error

2-02-03 Thu 01:35:08.955 ERROR o.a.c.c.C.[.[.[.[dispatcherServlet]      Java : 175   : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.UnsupportedOperationException: null
        at java.util.Collections$UnmodifiableCollection.addAll(Collections.java:1067) ~[na:1.8.0_312]

The OAuth2AuthenticationToken in the log

22-02-03 Thu 01:35:08.953 DEBUG w.c.HttpSessionSecurityContextRepository Java : 361   : Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [admin], Granted Authorities: [[ROLE_USER, SCOPE_read, SCOPE_write]], User Attributes: [{userName=admin, enable=true, department=null, empId=null, email=null, authorities=ROLE_ADMIN_USER,ROLE_OFFICE_USER}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=3724E2FBB58B689FB60A306CD18F7F5A], Granted Authorities=[ROLE_USER, SCOPE_read, SCOPE_write]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@3487af93]

Is it possible to have .access in HttpSecurity based on the authorities present in the decoded JWT? If so, how can this be done?

See the documentation section on Using a GrantedAuthoritiesMapper. You can provide a custom mapper implementation following the example in the docs.

Note: it is not obvious at first, but because OIDC authentication receives an id_token, Spring Security places the id_token in a special authority of type OidcUserAuthority. That is what lets you extract the contents of the JWT and further enhance the list of authorities in the mapper.
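As an added example (not code from the question or the answer above), here is what such a GrantedAuthoritiesMapper can look like for Spring Security 5.x with WebSecurityConfigurerAdapter, wired into oauth2Login() and used by hasRole() checks. It assumes the claim is named authorities, as in the decoded JWT in the question, and that it may arrive either as a JSON array (id_token) or as a comma-separated string (the userinfo attributes in the log above show it as ROLE_ADMIN_USER,ROLE_OFFICE_USER); the class name SecurityConfig and the /admin/** path are illustrative.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Name of the claim carrying the roles; matches the decoded JWT in the question (assumption).
    private static final String AUTHORITIES_CLAIM = "authorities";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN_USER")   // hasRole() adds the ROLE_ prefix itself
                .antMatchers("/**").hasRole("OFFICE_USER")
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .userInfoEndpoint()
                    // The mapper runs once per login, after Spring Security has validated the token,
                    // so the roles it produces end up in the session's Authentication.
                    .userAuthoritiesMapper(userAuthoritiesMapper());
    }

    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            // Keep the defaults (ROLE_USER, SCOPE_read, SCOPE_write) and add the roles from the token.
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                Object claim = null;
                if (authority instanceof OidcUserAuthority) {
                    // OIDC login: the id_token is attached to this authority.
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    claim = oidc.getIdToken().getClaim(AUTHORITIES_CLAIM);
                    if (claim == null && oidc.getUserInfo() != null) {
                        claim = oidc.getUserInfo().getClaim(AUTHORITIES_CLAIM);
                    }
                } else if (authority instanceof OAuth2UserAuthority) {
                    // Plain OAuth2 login: only the userinfo attributes are available.
                    claim = ((OAuth2UserAuthority) authority).getAttributes().get(AUTHORITIES_CLAIM);
                }
                mapped.addAll(toRoleAuthorities(claim));
            }
            return mapped;
        };
    }

    // Accepts either a JSON array or a comma-separated string and normalises each entry
    // to a ROLE_-prefixed authority, which is what hasRole()/hasAnyRole() expect.
    static Collection<GrantedAuthority> toRoleAuthorities(Object claim) {
        List<String> names = new ArrayList<>();
        if (claim instanceof Collection) {
            for (Object o : (Collection<?>) claim) {
                names.add(String.valueOf(o));
            }
        } else if (claim instanceof String) {
            Collections.addAll(names, ((String) claim).split(","));
        } else {
            return Collections.emptyList();
        }
        Set<GrantedAuthority> result = new HashSet<>();
        for (String raw : names) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (!name.startsWith("ROLE_")) {
                name = "ROLE_" + name;
            }
            result.add(new SimpleGrantedAuthority(name));
        }
        return result;
    }
}
```

With this in place, `.access("hasRole('OFFICE_USER')")` or `.hasRole("OFFICE_USER")` in the original question's config evaluates against the roles issued in the token rather than against the default ROLE_USER/SCOPE_* set, and no mutation of the unmodifiable authorities collection is needed in a success handler. The roles are only as trustworthy as the token they come from; Spring Security has already verified the id_token signature and issuer before the mapper runs, and the userinfo attributes come over the configured userinfo endpoint, so the mapper should not accept role names from any other source such as request parameters.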