如何限制OAuth2设置中定义的客户端访问权限? [英] How to limit client access defined in OAuth2 settings?
问题描述
在使用Sping Boot和OAuth2开发的REST API中,是否可以根据授权服务器设置中定义的客户端来限制用户访问权限?
In a REST API developed with Sping Boot and OAuth2 is it possible to limit user access according to client defined in the Authorization Server settings?
例如,在授权服务器中,我具有以下客户端配置:
For example, in the Authorization Server I have the following client configuration:
clients.inMemory()
.withClient(uaaProperties.getWebClientConfiguration().getClientId())
.secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
.scopes("openid")
.authorities("ROLE_TESTE")
.autoApprove(true)
.authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
.accessTokenValiditySeconds(accessTokenValidity)
.refreshTokenValiditySeconds(refreshTokenValidity)
在HttpSecurity的Spring的安全配置部分中,我具有以下配置:
And in the security configuration part of Spring in HttpSecurity I have the following configuration:
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/h2-console/**")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/management/health").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
}
如何限制具有"ROLE_TESTE"权限的OAuth客户端不访问仅为ADMIN设置的api地址?
How can I limit an OAuth client with authorities "ROLE_TESTE" to not access the api addresses set only for ADMIN?
已编辑...
我编辑了代码,如下所示:
I edited the codes to look like this:
UAA/OAuth2:
UAA / OAuth2:
@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware {
/**
* Access tokens will not expire any earlier than this.
*/
private static final int MIN_ACCESS_TOKEN_VALIDITY_SECS = 60;
private ApplicationContext applicationContext;
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
this.applicationContext = applicationContext;
}
@EnableResourceServer
public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private final TokenStore tokenStore;
private final JHipsterProperties jHipsterProperties;
private final CorsFilter corsFilter;
public ResourceServerConfiguration(TokenStore tokenStore, JHipsterProperties jHipsterProperties, CorsFilter corsFilter) {
this.tokenStore = tokenStore;
this.jHipsterProperties = jHipsterProperties;
this.corsFilter = corsFilter;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
.and()
.csrf()
.disable()
.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/activate").permitAll()
.antMatchers("/api/authenticate").permitAll()
.antMatchers("/api/account/reset-password/init").permitAll()
.antMatchers("/api/account/reset-password/finish").permitAll()
// .antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/v2/api-docs/**").permitAll()
.antMatchers("/swagger-resources/configuration/ui").permitAll()
.antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/**").access("#oauth2.clientHasRole('ROLE_TESTE')")
;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("jhipster-uaa").tokenStore(tokenStore);
}
}
private final JHipsterProperties jHipsterProperties;
private final UaaProperties uaaProperties;
private final PasswordEncoder passwordEncoder;
public UaaConfiguration(JHipsterProperties jHipsterProperties, UaaProperties uaaProperties, PasswordEncoder passwordEncoder) {
this.jHipsterProperties = jHipsterProperties;
this.uaaProperties = uaaProperties;
this.passwordEncoder = passwordEncoder;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
/*
For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
*/
clients.inMemory()
.withClient(uaaProperties.getWebClientConfiguration().getClientId())
.secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
.scopes("openid")
.authorities("ROLE_TESTE")
.autoApprove(true)
.authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
.accessTokenValiditySeconds(accessTokenValidity)
.refreshTokenValiditySeconds(refreshTokenValidity)
.and()
.withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
.secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
.scopes("web-app")
.authorities("ROLE_ADMIN")
.autoApprove(true)
.authorizedGrantTypes("client_credentials")
.accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
.refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
//pick up all TokenEnhancers incl. those defined in the application
//this avoids changes to this class if an application wants to add its own to the chain
Collection<TokenEnhancer> tokenEnhancers = applicationContext.getBeansOfType(TokenEnhancer.class).values();
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(new ArrayList<>(tokenEnhancers));
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.reuseRefreshTokens(false); //don't reuse or we will run into session inactivity timeouts
}
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
/**
* Apply the token converter (and enhancer) for token store.
* @return the JwtTokenStore managing the tokens.
*/
@Bean
public JwtTokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
/**
* This bean generates an token enhancer, which manages the exchange between JWT acces tokens and Authentication
* in both directions.
*
* @return an access token converter configured with the authorization server's public/private keys
*/
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
KeyPair keyPair = new KeyStoreKeyFactory(
new ClassPathResource(uaaProperties.getKeyStore().getName()), uaaProperties.getKeyStore().getPassword().toCharArray())
.getKeyPair(uaaProperties.getKeyStore().getAlias());
converter.setKeyPair(keyPair);
return converter;
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
"isAuthenticated()");
}
}
网关:
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {
private final OAuth2Properties oAuth2Properties;
private final CorsFilter corsFilter;
public SecurityConfiguration(OAuth2Properties oAuth2Properties, CorsFilter corsFilter) {
this.oAuth2Properties = oAuth2Properties;
this.corsFilter = corsFilter;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf() //.disable()
.ignoringAntMatchers("/h2-console/**")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// .antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
}
@Bean
public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
return new JwtTokenStore(jwtAccessTokenConverter);
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter(OAuth2SignatureVerifierClient signatureVerifierClient) {
return new OAuth2JwtAccessTokenConverter(oAuth2Properties, signatureVerifierClient);
}
@Bean
@Qualifier("loadBalancedRestTemplate")
public RestTemplate loadBalancedRestTemplate(RestTemplateCustomizer customizer) {
RestTemplate restTemplate = new RestTemplate();
customizer.customize(restTemplate);
return restTemplate;
}
@Bean
@Qualifier("vanillaRestTemplate")
public RestTemplate vanillaRestTemplate() {
return new RestTemplate();
}
}
尝试登录会在UAA控制台中显示此错误:
Attempting to log in appears this error in the UAA console:
2019-06-07 16:04:59.727 DEBUG 32186 --- [ XNIO-2 task-7] c.t.uaa.aop.logging.LoggingAspect : Enter: com.testando.uaa.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-06-07T19:04:59.727Z, principal=admin, type=AUTHORIZATION_FAILURE, data={details=remoteAddress=172.17.1.155, tokenType=BearertokenValue=<TOKEN>, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
2019-06-07 16:04:59.727 DEBUG 32186 --- [ XNIO-2 task-7] c.t.uaa.aop.logging.LoggingAspect : Enter: com.testando.uaa.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-06-07T19:04:59.727Z, principal=admin, type=AUTHORIZATION_FAILURE, data={details=remoteAddress=172.17.1.155, tokenType=BearertokenValue=<TOKEN>, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
推荐答案
在资源服务器配置中,您可以将Spring Security基于表达式的访问控制与#oauth2.clientHasRole一起使用,请参见
In your resource server configuration you could use Spring Security's expression-based access control with #oauth2.clientHasRole, see OAuth2SecurityExpressionMethods#clientHasRole:
检查OAuth2客户端(不是用户)是否具有指定的角色.要检查用户的角色,请参见#hasRole(String).
Check if the OAuth2 client (not the user) has the role specified. To check the user's roles see #hasRole(String).
另请参见: OAuth 2开发人员指南:
配置可识别OAuth的表达式处理程序
您可能想利用Spring Security的基于表达式的访问控制.默认情况下,表达式处理程序将在@EnableResourceServer设置中注册.表达式包括#oauth2.clientHasRole ,#oauth2.clientHasAnyRole 和#oath2.denyClient ,它们可用于根据角色提供访问权限oauth客户端(有关完整列表,请参见OAuth2SecurityExpressionMethods).
You may want to take advantage of Spring Security's expression-based access control. An expression handler will be registered by default in the @EnableResourceServer setup. The expressions include #oauth2.clientHasRole, #oauth2.clientHasAnyRole, and #oath2.denyClient which can be used to provide access based on the role of the oauth client (see OAuth2SecurityExpressionMethods for a comprehensive list).
这篇关于如何限制OAuth2设置中定义的客户端访问权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
