Spring Security 5 基于 JWT 声明填充权限 [英] Spring Security 5 populating authorities based on JWT claims
问题描述
如我所见,Spring Security OAuth2.x 项目已移至 Spring Security 5.2.x.我尝试以新的方式实现授权和资源服务器.除了一件事 - @PreAuthorize
注释之外,一切都正常工作.当我尝试将它与标准 @PreAuthorize("hasRole('ROLE_USER')")
一起使用时,我总是被禁止.我看到的是 org.springframework.security.oauth2.jwt.Jwt
类型的 Principal
对象无法解析权限,我不知道为什么.
As I see Spring Security OAuth2.x project was moved to Spring Security 5.2.x. I try to implement authorization and resource server in new way. Everythin is working correctly except one thing - @PreAuthorize
annotation. When I try to use this with standard @PreAuthorize("hasRole('ROLE_USER')")
I always get forbidden. What I see is that the Principal
object which is type of org.springframework.security.oauth2.jwt.Jwt
is not able to resolve authorities and I have no idea why.
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken@44915f5f: Principal: org.springframework.security.oauth2.jwt.Jwt@2cfdbd3; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 172.19.0.1; SessionId: null; Granted Authorities: SCOPE_read, SCOPE_write
并在将其转换为 Jwt
{user_name=user, scope=["read","write"], exp=2019-12-18T13:19:29Z, iat=2019-12-18T13:19:28Z, authorities=["ROLE_USER","READ_ONLY"], client_id=sampleClientId}
安全服务器配置
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Bean
public KeyPair keyPair() {
ClassPathResource ksFile = new ClassPathResource("mytest.jks");
KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(ksFile, "mypass".toCharArray());
return keyStoreKeyFactory.getKeyPair("mytest");
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setKeyPair(keyPair());
return converter;
}
@Bean
public JWKSet jwkSet() {
RSAKey key = new Builder((RSAPublicKey) keyPair().getPublic()).build();
return new JWKSet(key);
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore())
.accessTokenConverter(accessTokenConverter())
.authenticationManager(authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
security.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
}
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
public SecurityConfiguration(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers("/.well-known/jwks.json")
.permitAll()
.anyRequest()
.authenticated();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
}
资源服务器配置
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResuorceServerConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.oauth2ResourceServer()
.jwt();
}
}
也许有人有类似的问题?
Maybe someone had similar issue?
推荐答案
默认情况下,资源服务器根据 "scope"
声明填充权限.
如果 Jwt
包含名称为 "scope"
或 "scp"
的声明,则 Spring Security 将使用该声明中的值来构造通过在每个值前面加上 "SCOPE_"
前缀来授权.
By default, the resource server populates the authorities based on the "scope"
claim.
If the Jwt
contains a claim with the name "scope"
or "scp"
, then Spring Security will use the value in that claim to construct the authorities by prefixing each value with "SCOPE_"
.
在您的示例中,其中一项声明是 scope=["read","write"]
.
这意味着权限列表将由"SCOPE_read"
和"SCOPE_write"
组成.
In your example, one of the claims is scope=["read","write"]
.
This means that the authority list will consist of "SCOPE_read"
and "SCOPE_write"
.
您可以通过在安全配置中提供自定义身份验证转换器来修改默认权限映射行为.
You can modify the default authority mapping behaviour by providing a custom authentication converter in your security configuration.
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(getJwtAuthenticationConverter());
然后在您的 getJwtAuthenticationConverter
实现中,您可以配置 Jwt
如何映射到权限列表.
Then in your implementation of getJwtAuthenticationConverter
, you can configure how the Jwt
maps to the list of authorities.
Converter<Jwt, AbstractAuthenticationToken> getJwtAuthenticationConverter() {
JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
converter.setJwtGrantedAuthoritiesConverter(jwt -> {
// custom logic
});
return converter;
}
这篇关于Spring Security 5 基于 JWT 声明填充权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!