如何在Spring Security中配置资源服务器以使其使用JWT令牌中的其他信息 [英] How to configure Resource Server in Spring Security for it to use additional information in JWT token
问题描述
我有一个配置为设置有关用户权限的其他信息的oauth2 jwt令牌服务器.
I have an oauth2 jwt token server configured to set additional info about the user authorities.
@Configuration
@Component
public class CustomTokenEnhancer extends JwtAccessTokenConverter {
CustomTokenEnhancer(){
super();
}
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
// TODO Auto-generated method stub
MyUserDetails user = (MyUserDetails) authentication.getPrincipal();
final Map<String, Object> additionalInfo = new HashMap<>();
@SuppressWarnings("unchecked")
List<GrantedAuthority> authorities= (List<GrantedAuthority>) user.getAuthorities();
additionalInfo.put("authorities", authorities);
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
return accessToken;
}
}
我不确定如何配置资源服务器以提取由oauth2服务器设置的用户权限,并将该权限用于Spring Security框架中的@Secured带注释的控制器.
I am not sure how to configure my resource server to extract the user authorities set by the oauth2 server and use that authority to be used for @Secured annotated controllers in Spring Security framework.
我的Auth服务器配置如下:
My Auth server configuration looks like this:
@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Value("${config.oauth2.privateKey}")
private String privateKey;
@Value("${config.oauth2.publicKey}")
private String publicKey;
@Value("{config.clienturl}")
private String clientUrl;
@Autowired
AuthenticationManager authenticationManager;
@Bean
public JwtAccessTokenConverter customTokenEnhancer(){
JwtAccessTokenConverter customTokenEnhancer = new CustomTokenEnhancer();
customTokenEnhancer.setSigningKey(privateKey);
return customTokenEnhancer;
}
@Bean
public JwtTokenStore tokenStore() {
return new JwtTokenStore(customTokenEnhancer());
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer
.tokenKeyAccess("isAnonymous() || hasRole('ROLE_TRUSTED_CLIENT')") // permitAll()
.checkTokenAccess("hasRole('TRUSTED_CLIENT')"); // isAuthenticated()
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore())
.accessTokenConverter(customTokenEnhancer())
;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
String url = clientUrl;
clients.inMemory()
.withClient("public")
.authorizedGrantTypes("client_credentials", "implicit")
.scopes("read")
.redirectUris(url)
.and()
.withClient("eagree_web").secret("eagree_web_dev")
//eagree_web should come from properties file?
.authorities("ROLE_TRUSTED_CLIENT")
.authorizedGrantTypes("client_credentials", "password", "authorization_code", "refresh_token")
.scopes("read", "write", "trust")
.redirectUris(url).resourceIds("dummy");
}
}
我的资源服务器配置如下:
And my Resource Server configuration looks like this:
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Value("{config.oauth2.publicKey}")
private String publicKey;
@Autowired
CustomTokenEnhancer tokenConverter;
@Autowired
JwtTokenStore jwtTokenStore;
@Bean
public JwtTokenStore jwtTokenStore() {
tokenConverter.setVerifierKey(publicKey);
jwtTokenStore.setTokenEnhancer(tokenConverter);
return jwtTokenStore;
}
@Bean
public ResourceServerTokenServices defaultTokenServices() {
final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenEnhancer(tokenConverter);
defaultTokenServices.setTokenStore(jwtTokenStore());
return defaultTokenServices;
}
@Override
public void configure(HttpSecurity http) throws Exception {
super.configure(http);
// @formatter:off
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.requestMatchers()
.antMatchers("/**")
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
.antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.PATCH, "/api/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.POST, "/api/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PUT, "/api/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.DELETE, "/api/**").access("#oauth2.hasScope('write')")
.antMatchers("/admin/**").access("hasRole('ROLE_USER')");
// @formatter:on
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
System.out.println("Configuring ResourceServerSecurityConfigurer ");
resources.resourceId("dummy").tokenServices(defaultTokenServices());
}
}
我的测试用例失败了:
{错误":"invalid_token",错误说明":无法将访问令牌转换为JSON"}
{"error":"invalid_token","error_description":"Cannot convert access token to JSON"}
如何从JWT中获取身份验证对象? 如何使用客户端凭据对客户端进行身份验证? 如何在资源控制器上使用@Secured注释?
How do I get the Authentication object out of the JWT? How do I authenticate the client, with client credentials? How do I use @Secured annotation on my resource controllers?
资源服务器端使用什么代码按顺序解码令牌 提取客户端凭据以及验证用户角色的代码是什么?
What code is used on the resource server side to decode the token in order to extract client credentials and what code gets to user role verified?
请帮忙,因为我已经花了2天时间来敲打这个表头 简单的任务.
Please help, as I already spent 2 days banging my head on this seemingly easy task.
注意:我从身份验证服务器收到的令牌为: {access_token = b5d89a13-3c8b-4bda-b0f2-a6e9d7b7a285,token_type = bearer,refresh_token = 43777224-b6f2-44d7-bf36-4e1934d32cbb,expires_in = 43199,作用域=读写信任,权限= [{authority = author_author = ROLE_ADMIN}]}
Note: I receive the token from Auth server as: {access_token=b5d89a13-3c8b-4bda-b0f2-a6e9d7b7a285, token_type=bearer, refresh_token=43777224-b6f2-44d7-bf36-4e1934d32cbb, expires_in=43199, scope=read write trust, authorities=[{authority=ROLE_USER}, {authority=ROLE_ADMIN}]}
请解释一下这些概念,并指出我的配置中是否缺少任何内容.我需要了解配置资源和身份验证服务器的最佳做法.
Please explain the concepts and point out if anything is missing from my configuration. I need to know the best practices in configuring my resource and auth server please.
推荐答案
In the following I'm referring to this Baeldung tutorial that I already implemented successfully: http://www.baeldung.com/spring-security-oauth-jwt
首先:CustomTokenEnhancer用于AuthorizationServer端,以使用其他自定义信息来增强创建的令牌.您应该在ResourceServer端使用所谓的DefaultAccessTokenConverter来提取这些额外的声明.
First at all: The CustomTokenEnhancer is used on the AuthorizationServer side to enhance a created token with additional custom information. You should use the so called DefaultAccessTokenConverter on the ResourceServer side to extract these extra claims.
您可以将CustomAccessTokenConverter @Autowire
放入ResourceServerConfiguration类,然后将其设置为JwtTokenStore()
配置.
You can @Autowire
the CustomAccessTokenConverter into your ResourceServerConfiguration class and then set it to your JwtTokenStore()
configuration.
ResourceServerConfiguration:
@Autowired
private CustomAccessTokenConverter yourCustomAccessTokenConverter;
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setAccessTokenConverter(yourCustomAccessTokenConverter);
converter.setSigningKey(yourSigningKey);
return converter;
}
可以配置CustomAccessTokenConverter,以便在此处提取自定义声明.
The CustomAccessTokenConverter can be configured, so that the custom claims get extracted here.
CustomAccessTokenConverter:
@Component
public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {
@Override
public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
OAuth2Authentication authentication = super.extractAuthentication(claims);
authentication.setDetails(claims);
return authentication;
}
}
(请参阅: 查看全文