PrincipalExtractor and AuthoritiesExtractor are not getting called


Problem description

I have a simple OAuth2 application. I started off by creating a SecurityConfig extending WebSecurityConfigurerAdapter and annotated with @EnableOAuth2Sso. I've created an API as well in a controller to test if authentication is working. Principal gets injected into the controller and it gives the correct name.

I'm now trying to add some authorities to the principal by implementing AuthoritiesExtractor and creating it as bean. I also did the same with PrincipalExtractor to check if it is working. None of them are getting called while making any request from the browser.

Edit: This is actually doing only authentication with OIDC and hence my client and resources are on the same application.

// This is my security configuration class.

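import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Everything except the login and error pages requires authentication.
        http
            .antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/login**", "/error**")
                .permitAll()
            .anyRequest()
                .authenticated();
    }

    // Expected to build the principal from the user-info map.
    // User is the application's own class.
    @Bean
    public PrincipalExtractor principalExtractor() {
        return map -> {
            System.out.println("Principal extracted.");
            User user = new User();
            user.setUsername((String) map.get("username"));
            return user;
        };
    }

    // Expected to supply the authorities for the authenticated principal.
    @Bean
    public AuthoritiesExtractor authoritiesExtractor() {
        return new PrismAuthoritiesExtractor();
    }
}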

// And this is my AuthoritiesExtractor class defined separately just to check if doing so works.

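import java.util.List;
import java.util.Map;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class PrismAuthoritiesExtractor implements AuthoritiesExtractor {

    // Returns two fixed authorities regardless of the user-info map.
    @Override
    public List<GrantedAuthority> extractAuthorities(Map<String, Object> map) {
        return AuthorityUtils.commaSeparatedStringToAuthorityList("AUTH1,AUTH2");
    }
}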

Solution

I struggled with this for a while. The reason why my AuthoritiesExtractor bean isn't called is because newer versions of Spring do not use spring oauth2 autoconfigure and AuthoritiesExtractor is the oauth2 autoconfigure way to overwrite role mapping.

In current versions of spring-security you can use the delegation-based strategy with OAuth2UserService. The sample in the documentation should be enough to get you going. I'm using Kotlin, so my sample probably won't work for you.

There is also the GrantedAuthoritiesMapper which should be closer to the AuthoritiesExtractor method.
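
The GrantedAuthoritiesMapper approach mentioned in the answer, as an added example (not the answerer's code and not taken from the Spring documentation). It assumes Spring Security 6 with `oauth2Login()` and an OIDC provider that issues a `groups` claim; the class name, the claim name and the allow-list are hypothetical.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
    // Assumption: the only claim values this application turns into authorities.
    private static final Set<String> KNOWN_GROUPS = Set.of("AUTH1", "AUTH2");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/error").permitAll()
                .anyRequest().authenticated())
            // oauth2Login() takes the place of @EnableOAuth2Sso; the mapper runs on each login.
            .oauth2Login(login -> login
                .userInfoEndpoint(userInfo -> userInfo
                    .userAuthoritiesMapper(userAuthoritiesMapper())));
        return http.build();
    }

    // Fills the role AuthoritiesExtractor had: derive authorities from the token's claims.
    private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            // Keep what the framework assigned, then add the mapped values.
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority oidc)) continue;
                // "groups" is an assumed claim name; use the one your provider issues.
                List<String> groups = oidc.getIdToken().getClaimAsStringList("groups");
                if (groups == null) continue; // claim absent: nothing to add
                groups.stream().filter(KNOWN_GROUPS::contains) // drop unexpected values
                    .map(SimpleGrantedAuthority::new).forEach(mapped::add);
            }
            return mapped;
        };
    }
}
```

Filtering against an allow-list keeps an unexpected claim value from the provider from becoming an authority that some `hasAuthority(...)` rule happens to match.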
