Spring Security:将OAuth2声明与角色映射以保护资源服务器端点 [英] Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
问题描述
我正在使用Spring Boot设置资源服务器,并使用Spring Security提供的OAuth2保护端点.因此,我使用的是Spring Boot 2.1.8.RELEASE,例如使用Spring Security 5.1.6.RELEASE.
I'm setting up a Resource Server with Spring Boot and to secure the endpoints I'm using OAuth2 provided by Spring Security. So I'm using the Spring Boot 2.1.8.RELEASE which for instance uses Spring Security 5.1.6.RELEASE.
作为授权服务器,我正在使用Keycloak.身份验证,发出访问令牌和对资源服务器中的令牌进行验证之间的所有过程均正常运行.这是一个已发行和已解码令牌的示例(其中一些部分被删减了):
As Authorization Server I'm using Keycloak. All processes between authentication, issuing access tokens and validation of the tokens in the Resource Server are working correctly. Here is an example of an issued and decoded token (with some parts are cut):
{
"jti": "5df54cac-8b06-4d36-b642-186bbd647fbf",
"exp": 1570048999,
"aud": [
"myservice",
"account"
],
"azp": "myservice",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"myservice": {
"roles": [
"ROLE_user",
"ROLE_admin"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email offline_access microprofile-jwt profile address phone",
}
如何配置Spring Security以使用访问令牌中的信息为不同的端点提供条件授权?
How can I configure Spring Security to use the information in the access token to provide conditional authorization for different endpoints?
最终我想编写一个像这样的控制器:
Ultimately I want to write a controller like this:
@RestController
public class Controller {
@Secured("ROLE_user")
@GetMapping("userinfo")
public String userinfo() {
return "not too sensitive action";
}
@Secured("ROLE_admin")
@GetMapping("administration")
public String administration() {
return "TOOOO sensitive action";
}
}
推荐答案
经过一番摸索之后,我找到了一个实现自定义jwtAuthenticationConverter的解决方案,该解决方案可以将特定于资源的角色附加到权限上集合.
After messing around a bit more, I was able to find a solution implementing a custom jwtAuthenticationConverter, which is able to append resource-specific roles to the authorities collection.
http.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(new JwtAuthenticationConverter()
{
@Override
protected Collection<GrantedAuthority> extractAuthorities(final Jwt jwt)
{
Collection<GrantedAuthority> authorities = super.extractAuthorities(jwt);
Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
Map<String, Object> resource = null;
Collection<String> resourceRoles = null;
if (resourceAccess != null &&
(resource = (Map<String, Object>) resourceAccess.get("my-resource-id")) !=
null && (resourceRoles = (Collection<String>) resource.get("roles")) != null)
authorities.addAll(resourceRoles.stream()
.map(x -> new SimpleGrantedAuthority("ROLE_" + x))
.collect(Collectors.toSet()));
return authorities;
}
});
my-resource-id 既是 resource_access 声明中出现的资源标识符,也是 ResourceServerSecurityConfigurer 中与API关联的值em>.
Where my-resource-id is both the resource identifier as it appears in the resource_access claim and the value associated to the API in the ResourceServerSecurityConfigurer.
请注意,实际上已经不推荐使用extractAuthorities,因此,应采用成熟的转换器来实现更具前瞻性的解决方案
Notice that extractAuthorities is actually deprecated, so a more future-proof solution should be implementing a full-fledged converter
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
public class CustomJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken>
{
private static Collection<? extends GrantedAuthority> extractResourceRoles(final Jwt jwt, final String resourceId)
{
Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
Map<String, Object> resource;
Collection<String> resourceRoles;
if (resourceAccess != null && (resource = (Map<String, Object>) resourceAccess.get(resourceId)) != null &&
(resourceRoles = (Collection<String>) resource.get("roles")) != null)
return resourceRoles.stream()
.map(x -> new SimpleGrantedAuthority("ROLE_" + x))
.collect(Collectors.toSet());
return Collections.emptySet();
}
private final JwtGrantedAuthoritiesConverter defaultGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
private final String resourceId;
public CustomJwtAuthenticationConverter(String resourceId)
{
this.resourceId = resourceId;
}
@Override
public AbstractAuthenticationToken convert(final Jwt source)
{
Collection<GrantedAuthority> authorities = Stream.concat(defaultGrantedAuthoritiesConverter.convert(source)
.stream(),
extractResourceRoles(source, resourceId).stream())
.collect(Collectors.toSet());
return new JwtAuthenticationToken(source, authorities);
}
}
我已经使用Spring Boot 2.1.9.RELEASE,Spring Security 5.2.0.RELEASE和正式的Keycloak 7.0.0 Docker映像测试了这两种解决方案.
I have tested both solutions using Spring Boot 2.1.9.RELEASE, Spring Security 5.2.0.RELEASE and an official Keycloak 7.0.0 Docker image.
一般来说,我想无论实际使用什么授权服务器(即IdentityServer4,Keycloak ...),这似乎都是将声明转换为Spring Security赠款的适当位置.
Generally speaking, I suppose that whatever the actual Authorization Server (i.e. IdentityServer4, Keycloak...) this seems to be the proper place to convert claims into Spring Security grants.
这篇关于Spring Security:将OAuth2声明与角色映射以保护资源服务器端点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
