Spring Boot基本身份验证和OAuth2在同一项目中? [英] Spring boot Basic Authentication and OAuth2 in same project?

问题描述

是否有可能将OAuth2用于我的其余应用程序中的某些端点，并将基本身份验证也用于某些其他端点. 一切都应该在Spring Security版本2.0.1.RELEASE上起作用.我希望有人能进一步帮助我.

Is it possible to use OAuth2 for certain endpoints in my rest application and use basic authentication too for some other endpoints. It should all work on spring security version 2.0.1.RELEASE. I hope someone can help me further.

推荐答案

是的，可以使用基本身份验证和OAuth2身份验证交织在一起，但是我怀疑您是否可以像HttpSecurity的authenticated()方法不允许您选择哪种身份验证方法(oauth2Login/formLogin)可以使用.

Yes, it's possible to use a basic authentication as well as an OAuth2 authentication intertwined, but I doubt you'll be able to set it up easily as HttpSecurity's authenticated() method doesn't allow you to pick which of your authentication method (oauth2Login/formLogin) will work.

但是，有一种方法可以轻松绕过它:

However, there's a way to easily bypass that:

您可以添加自定义权限，在用户使用基本身份验证进行连接时将其称为ROLE_BASICAUTH，而在用户使用OAuth2连接时将其称为ROLE_OAUTH2.这样，您可以使用

You could add a custom authority, let's call it ROLE_BASICAUTH, when an user connects using basic auth, and ROLE_OAUTH2 when an user connects using OAuth2. That way, you can use

.antMatchers("/endpoint-that-requires-basic-auth").hasRole("BASICAUTH")
.antMatchers("/endpoint-that-requires-oauth2").hasRole("OAUTH2")
    .anyRequest().authenticated()

当他们到达要进行基本身份验证的端点(而不是OAuth2)时，请检查其当前的权限；如果不是，则检查其会话，则您将显示登录表单，其中没有OAuth2 (强制他们使用基本身份验证).

When they reach an endpoint that you want basic authentication (and not OAuth2), you check their current authorities, and if it's not BASICAUTH, then you invalidate their session you display a login form without OAuth2 (to force them to use the basic authentication).

这样做的缺点是，您需要同时实现自定义UserDetailsService和自定义OAuth2UserService ...

The downside to doing that is that you'd need to implement both a custom UserDetailsService as well as a custom OAuth2UserService...

但这实际上并不难:

@Service
public class UserService extends DefaultOAuth2UserService implements UserDetailsService {

    // ...

    @Override
    public OAuth2User loadUser(OAuth2UserRequest oAuth2UserRequest) throws OAuth2AuthenticationException {
        OAuth2User user = super.loadUser(oAuth2UserRequest);

        Map<String, Object> attributes = user.getAttributes();
        Set<GrantedAuthority> authoritySet = new HashSet<>(user.getAuthorities());
        String userNameAttributeName = oAuth2UserRequest.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();

        authoritySet.add(new SimpleGrantedAuthority("ROLE_OAUTH2"));

        return new DefaultOAuth2User(authoritySet, attributes, userNameAttributeName);
    }


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = getUserFromDatabase(username); // you'll need to provide that method (where are the username/password stored?)
        if (user == null) { // UserDetailsService doesn't allow loadUserByUsername to return null, so throw exception
            throw new UsernameNotFoundException("Couldn't find user with username '"+username+"'");
        }
        // add ROLE_BASICAUTH (you might need a custom UserDetails implementation here, because by defaut, UserDetails.getAuthorities() is immutable (I think, I might be a liar)
        return user;
    }

}

请注意，这是一个粗略的实现，因此您还必须在端头进行一些处理.

Note that this is a rough implementation, so you'll have to work it out a bit on your end as well.

您还可以使用我制作的此存储库

You can also use this repository I made https://github.com/TwinProduction/spring-security-oauth2-client-example/tree/master/custom-userservice-sample as a guideline for the custom OAuth2UserService

祝你好运.

这篇关于Spring Boot基本身份验证和OAuth2在同一项目中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！