快捷導(dǎo)航

Spring Security OAuth2 token權(quán)限隔離實(shí)例解析

更新時(shí)間：2019年11月15日 15:25:59 作者：技術(shù)與人生

這篇文章主要介紹了Spring Security OAuth2 token權(quán)限隔離實(shí)例解析,文中通過(guò)示例代碼介紹的非常詳細(xì)，對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友可以參考下

由于項(xiàng)目OAuth2采用了多種模式，授權(quán)碼模式為第三方系統(tǒng)接入，密碼模式用于用戶登錄，Client模式用于服務(wù)間調(diào)用，

所有不同的模式下的token需要用 @PreAuthorize("hasAuthority('client')") 進(jìn)行隔離，遇到問(wèn)題一直驗(yàn)證不通過(guò)。

通過(guò)調(diào)試發(fā)現(xiàn)資源服務(wù)從授權(quán)服務(wù)拿到的authrities字段一直為空， StackOverFlow說(shuō)低版本（項(xiàng)目中才2.0.15）的OAuth2實(shí)現(xiàn)權(quán)限隔離需要重寫(xiě)UserInfoTokenService

但是資源服務(wù)太多所以考慮重寫(xiě)授權(quán)服務(wù)的返回值，如何重寫(xiě)？在哪里重寫(xiě)？是下面要介紹的~

一、哪里重寫(xiě)？

資源服務(wù)器向授權(quán)服務(wù)服務(wù)器獲取資源時(shí)候，返回的user信息重寫(xiě)，加入authorities

@RestController
@Slf4j
public class UserController {

 @Autowired
 HttpServletRequest request;

 @GetMapping("/user")
 public Principal user(Principal principal) {
  log.info("獲取user信息:{}", JSON.toJSON(principal));  return principal; }

返回的具體用戶信息：

{
  "principal": {
    "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
    "phone": "13918438965",
    "credentialsNonExpired": true,
    "accountNonExpired": true,
    "enabled": true,
    "accountNonLocked": true,
    "username": "4738195728608789333"
  },
  "authenticated": true,
  "oAuth2Request": {
    "redirectUri": "http://www.baidu.com",
    "responseTypes": ["code"],
    "approved": true,
    "extensions": {},
    "clientId": "external",
    "scope": ["auth_base"],
    "requestParameters": {
      "code": "ovzMSk",
      "grant_type": "authorization_code",
      "scope": "auth_base",
      "response_type": "code",
      "redirect_uri": "http://www.baidu.com",
      "state": "123",
      "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",
      "client_id": "external"
    },
    "refresh": false,
    "grantType": "authorization_code",
    "authorities": [{
      "authority": "auth_base"
    }],
    "resourceIds": []
  },
  "clientOnly": false,
  "credentials": "",
  "name": "4738195728608789333",
  "userAuthentication": {
    "principal": {
      "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
      "phone": "13918438965",
      "credentialsNonExpired": true,
      "accountNonExpired": true,
      "enabled": true,
      "accountNonLocked": true,
      "username": "4738195728608789333"
    },
    "authenticated": true,
    "oAuth2Request": {
      "responseTypes": [],
      "approved": true,
      "extensions": {},
      "clientId": "gt",
      "scope": ["frontend"],
      "requestParameters": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_id": "gt",
        "username": "13918438965"
      },
      "refresh": false,
      "grantType": "password",
      "authorities": [{
        "authority": "client"
      }],
      "resourceIds": []
    },
    "clientOnly": false,
    "credentials": "",
    "name": "4738195728608789333",
    "userAuthentication": {
      "principal": {
        "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
        "phone": "13918438965",
        "credentialsNonExpired": true,
        "accountNonExpired": true,
        "enabled": true,
        "accountNonLocked": true,
        "username": "4738195728608789333"
      },
      "authenticated": true,
      "name": "4738195728608789333",
      "details": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",
        "client_id": "gt",
        "username": "13918438965"
      },
      "authorities": []
    },
    "details": {
      "tokenType": "Bearer",
      "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",
      "remoteAddress": "0:0:0:0:0:0:0:1"
    },
    "authorities": []
  },
  "details": {
    "tokenType": "Bearer",
    "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",
    "remoteAddress": "0:0:0:0:0:0:0:1"
  },
  "authorities": []
}

二、如何重寫(xiě)？

principal是OAuth2Authentication實(shí)例，OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication，

重寫(xiě)目的是將storedRequest authorities復(fù)制到authoritie中，但問(wèn)題是authoritie不讓修改的，沒(méi)辦法只能重寫(xiě)這個(gè)OAuth2Authentication了。

為了改變authoritie重寫(xiě)：

@GetMapping("/user")
 public Principal user(Principal principal) {
  log.info("獲取user信息:{}", JSON.toJSON(principal));
  OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;
  OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();
  Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
  // 為了服務(wù)端進(jìn)行token權(quán)限隔離 定制OAuth2Authentication
  CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());
  customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());
  log.info("返回用戶信息:{}", JSON.toJSON(customOAuth2Authentication));
  return customOAuth2Authentication;
 }

CustomOAuth2Authentication ：

package com.brightcns.wuxi.citizencard.auth.domain;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Request;

import java.util.Collection;

/**
 * @author maxianming
 * @date 2018/10/29 13:53
 */
public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

  private static final long serialVersionUID = -4809832298438307309L;

  private final OAuth2Request storedRequest;

  private final Authentication userAuthentication;

  /**
   * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user
   * authentication may be null.
   * @param storedRequest   The authorization request (must not be null).
   * @param userAuthentication The user authentication (possibly null).
   */
  public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {
    /**
     * 為了服務(wù)端進(jìn)行token權(quán)限隔離 {@link @PreAuthorize("hasAuthority('server')")}，自定義OAuth2Authentication使得支持改變authorities
     */
    super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());
    this.storedRequest = storedRequest;
    this.userAuthentication = userAuthentication;
  }

  public Object getCredentials() {
    return "";
  }

  public Object getPrincipal() {
    return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication
        .getPrincipal();
  }

  /**
   * Convenience method to check if there is a user associated with this token, or just a client application.
   *
   * @return true if this token represents a client app not acting on behalf of a user
   */
  public boolean isClientOnly() {
    return userAuthentication == null;
  }

  /**
   * The authorization request containing details of the client application.
   *
   * @return The client authentication.
   */
  public OAuth2Request getOAuth2Request() {
    return storedRequest;
  }

  /**
   * The user authentication.
   *
   * @return The user authentication.
   */
  public Authentication getUserAuthentication() {
    return userAuthentication;
  }

  @Override
  public boolean isAuthenticated() {
    return this.storedRequest.isApproved()
        && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());
  }

  @Override
  public void eraseCredentials() {
    super.eraseCredentials();
    if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {
      CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();
    }
  }

  @Override
  public boolean equals(Object o) {
    if (this == o) {
      return true;
    }
    if (!(o instanceof CustomOAuth2Authentication)) {
      return false;
    }
    if (!super.equals(o)) {
      return false;
    }

    CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

    if (!storedRequest.equals(that.storedRequest)) {
      return false;
    }
    if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)
        : that.userAuthentication != null) {
      return false;
    }

    if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {
      // return false;
    }

    return true;
  }
  @Override
  public int hashCode() {
    int result = super.hashCode();
    result = 31 * result + storedRequest.hashCode();
    result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);
    return result;
  }

}

主要在OAuth2Authentication基礎(chǔ)上修改了30-35行代碼

以上就是本文的全部?jī)?nèi)容，希望對(duì)大家的學(xué)習(xí)有所幫助，也希望大家多多支持腳本之家。

您可能感興趣的文章: