OAuth2 客户端主体在通过其他自定义授权服务器(SpringBoot2 和 OAuth2)进行身份验证时没有 GrantedAuthorities [英] OAuth2 Client Principal do not have GrantedAuthorities when authenticated by Other Custom Authorization Server (SpringBoot2 & OAuth2)
问题描述
我使用 Spring Boot2 作为框架,使用 Thymeleaf 作为模板引擎.
在我的授权服务器中,我将用户admin"添加为ROLE_ADMIN".
但在客户端应用程序中,当我以管理员"身份登录并从 SecurityContextHolder.getContext().getAuthentication()
, Granted Authorities 打印
属性只有ROLE_USER".Authentication
对象时
以下是我的授权服务器配置.
@Overrideprotected void configure(AuthenticationManagerBuilder auth) 抛出异常 {授权.inMemoryAuthentication().withUser("admin").password(passwordEncoder().encode("123")).roles("USER", "ADMIN");授权.inMemoryAuthentication().withUser("user").password(passwordEncoder().encode("123")).roles("USER");}
以下是来自 SecurityContextHolder.getContext().getAuthentication()
日志代码的 Authentication
对象.
Authentication auth = SecurityContextHolder.getContext().getAuthentication();System.out.println(auth.isAuthenticated());System.out.println(auth.getAuthorities());System.out.println(auth.getPrincipal());
结果是
//isAuthenticated()真的//获取权限()[ROLE_USER]//getPrincipal()名称:[admin],授予权限:[ROLE_USER],用户属性:[authorities=[{authority=ROLE_ADMIN}, {authority=ROLE_USER}],...
以下是我的百里香代码.
仅对经过身份验证的用户可见的文本.<!-- 主体名称-->认证用户名:<div sec:authentication="name"></div><div sec:authorize="hasRole('USER')">用户可见的文本.</div><!-- 我看不到这条消息--><div sec:authorize="hasRole('ADMIN')">管理员可见的文本.</div>经过身份验证的用户角色:<!-- 仅打印[ROLE_USER]"--><div sec:authentication="principal.authorities"></div><div sec:authorize="!isAuthenticated()">文本仅对未经身份验证的用户.
所以,我想访问 thymeleaf 中的 Principal.UserAttributes.authorities
.
我指的是 OAuth2AuthenticationToken
、OAuth2User.getAttributes()
和 DefaultOAuth2User.toString()
我该怎么做?
我解决了.
在授权服务器中,我是这样配置的.
- AuthorizationServer
WebSecurityConfigurerAdapter
配置
@Configuration@启用网络安全公共类 SecurityConfig 扩展了 WebSecurityConfigurerAdapter {...@覆盖protected void configure(AuthenticationManagerBuilder auth) 抛出异常 {授权.inMemoryAuthentication().withUser("admin").password(passwordEncoder().encode("123")).roles("USER", "ADMIN").authorities("USER", "ADMIN");授权.inMemoryAuthentication().withUser("user").password(passwordEncoder().encode("123")).roles("USER");}...}
以下是我的资源服务器的 /me
映射控制器
- ResourceServer
/me
映射控制器
@RestController公共类用户控制器{@RequestMapping("/我")公共主体用户(主体主体){返还本金;}}
以下是我客户端的 WebSecurityConfigurerAdapter
配置
- 客户端
WebSecurityConfigurerAdapter
配置
@Configuration@EnableOAuth2Client公共类 WebSecurityConfigurerAdapterImpl 扩展 WebSecurityConfigurerAdapter {@覆盖protected void configure(HttpSecurity http) 抛出异常 {http.csrf().disable().authorizeRequests().antMatchers("/", "/home", "/error", "/webjars/**", "/resources/**", "/login**").permitAll().anyRequest().authenticated().and().oauth2Login();}
在客户端的控制器中,我是这样登录的.
- 在客户端控制器中记录
Principal
@GetMapping("")公共字符串 git1() {身份验证 auth = SecurityContextHolder.getContext().getAuthentication();System.out.println(auth.getPrincipal());/** 百里香叶使用这个 **/Object authenticationProperty = AuthUtils.getAuthenticationProperty(auth, "principal.attributes['authorities']");System.out.println(authenticationProperty.toString());返回 VIEW_PATH + "git1";}
以下是结果
名称:[admin],授予权限:[ROLE_USER],用户属性:[authorities=[{authority=USER}, {authority=ADMIN}],details={remoteAddress=127.0.0.1, sessionId=null, tokenValue=82a7a532-a31e-4d0a-bd83-f15a9cbea3bc, tokenType=Bearer, decodedDetails=null},authenticated=true, userAuthentication={authorities=[{authority=USER}, {authority=ADMIN}], details=null,认证=真,主体=管理员,凭证=不适用,名称=管理员},oauth2Request={clientId=foo,范围=[read],requestParameters={client_id=foo},resourceIds=[],authorities=[],批准=真,刷新=假,redirectUri=null,responseTypes=[],扩展={},refreshTokenRequest=null,grantType=null},clientOnly=false,principal=admin,credentials=,name=admin][{authority=USER}, {authority=ADMIN}]
如您所见,我在授权服务器中添加了ROLE_USER"和ROLE_ADMIN"权限.
在资源服务器的 Principal
对象中同时授予ROLE_ADMIN"和ROLE_USER".
但是在客户端的 Principal
对象中没有授予ROLE_ADMIN".只有ROLE_USER".
和 Principal.atttibutes['authorities']
有 'USER', 'ADMIN'.
正如@Rahil Husain 所说,有 DefaultOAuth2UserService
并且此服务仅将ROLE_USER"授予 OAuth2User
对象.
首先,我通过 @Componenet
注释(也是 @Bean
)向客户端添加了 CustomAuthoritiesExtractor
.
但这在我的项目中不起作用.
所以,我实现了 CustomOAuth2User
和 CustomOAuth2UserService
.
像这样.
CustomOAuth2User
public class CustomOAuth2User 实现 OAuth2User {私人列表当局;私有映射<字符串,对象>属性;私人字符串名称;public CustomOAuth2User(Listauthority, Map attributes) {this.authorities = 权限;this.attributes = 属性;}@覆盖公共收藏getAuthorities() {返回 this.authorities;}@覆盖公共地图<字符串,对象>获取属性(){如果(this.attributes == null){this.attributes = new HashMap<>();this.attributes.put("name", this.getName());}返回属性;}@覆盖公共字符串 getName() {返回 this.name;}公共无效集名称(字符串名称){this.name = 名称;}}
以下是CustomOAuth2UserService
CustomOAuth2UserService
public class CustomOAuth2UserService extends DefaultOAuth2UserService {@覆盖公共 OAuth2User loadUser(OAuth2UserRequest userRequest) 抛出 OAuth2AuthenticationException {OAuth2User oAuth2User = super.loadUser(userRequest);AuthoritiesExtractor authorityExtractor = new CustomAuthoritiesExtractor();列表grantAuthorityList = authorityExtractor.extractAuthorities(oAuth2User.getAttributes());CustomOAuth2User customOAuth2User = new CustomOAuth2User(grantedAuthorityList, oAuth2User.getAttributes());customOAuth2User.setName(oAuth2User.getName());返回 customOAuth2User;}}
以下是我的CustomAuthoritiesExtractor
.此类未用作 @Bean
或 @Component
.直接在 CustomOAuth2Service
中用于映射 CustomOAuth2User
对象的权限
CustomAuthoritiesExtractor
public class CustomAuthoritiesExtractor 实现 AuthoritiesExtractor {@覆盖公共列表提取权限(地图<字符串,对象>地图){return AuthorityUtils.commaSeparatedStringToAuthorityList(asAuthorities(map));}private String asAuthorities(Map map) {列表<字符串>权限 = 新的 ArrayList<>();List>认证 =(List) map.get("authorities");for (LinkedHashMap entry : authz) {authority.add(entry.get("authority"));}return String.join(",", authority);}}
最后,我将客户端的端点更改为使用我的 CustomOAuth2User
和 CustomOAuth2UserService
.
所以,我像这样更改了客户端的 WebSecurityConfigurerAdapter
配置.
@Configuration@EnableOAuth2Client公共类 WebSecurityConfigurerAdapterImpl 扩展 WebSecurityConfigurerAdapter {@覆盖protected void configure(HttpSecurity http) 抛出异常 {http.csrf().disable().authorizeRequests().antMatchers("/", "/home", "/error", "/webjars/**", "/resources/**", "/login**").permitAll().anyRequest().authenticated().and().oauth2Login()/** 添加这个配置**/.userInfoEndpoint().customUserType(CustomOAuth2User.class, "teemo").userService(this.oauth2UserService());}私有 OAuth2UserServiceoauth2UserService() {返回新的 CustomOAuth2UserService();}
下面是我的百里香.
- 百里香叶
仅对经过身份验证的用户可见的文本.认证用户名:<div sec:authentication="name"></div><div sec:authorize="hasRole('USER')">hasRole('USER')</div><div sec:authorize="hasRole('ROLE_USER')">hasRole('ROLE_USER')<div sec:authorize="hasRole('ADMIN')">hasRole('ADMIN')</div><div sec:authorize="hasRole('ROLE_ADMIN')">hasRole('ROLE_ADMIN')</div><!-- 真的--><div sec:authorize="hasAuthority('USER')">hasAuthority('USER')</div><div sec:authorize="hasAuthority('ROLE_USER')">hasAuthority('ROLE_USER')</div><!-- 真的--><div sec:authorize="hasAuthority('ADMIN')">hasAuthority('ADMIN')</div><div sec:authorize="hasAuthority('ROLE_ADMIN')">hasAuthority('ROLE_ADMIN')</div>
<div sec:authorize="!isAuthenticated()">文本仅对未经身份验证的用户.
以下是结果.
文本仅对经过身份验证的用户可见.认证用户名:行政hasAuthority('用户')hasAuthority('管理员')
任何和我一样挖掘的人,我希望对这个问题和答案有所帮助.
但我不知道这是事实上的标准方式.
刚刚..正在工作.
i'm using Spring Boot2 as Framework and Thymeleaf as template engine.
in my authorization server, i added user 'admin' as 'ROLE_ADMIN'.
but in Client Application, when i loged in as 'admin' and print Authentication
Object from SecurityContextHolder.getContext().getAuthentication()
, Granted Authorities
property has only 'ROLE_USER'.
following is my authorization server config.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("123")).roles("USER", "ADMIN");
auth
.inMemoryAuthentication()
.withUser("user").password(passwordEncoder().encode("123")).roles("USER");
}
and following is Authentication
Object from SecurityContextHolder.getContext().getAuthentication()
's logging code.
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
System.out.println(auth.isAuthenticated());
System.out.println(auth.getAuthorities());
System.out.println(auth.getPrincipal());
and result is
// isAuthenticated()
true
// getAuthorites()
[ROLE_USER]
// getPrincipal()
Name: [admin], Granted Authorities: [ROLE_USER], User Attributes: [authorities=[{authority=ROLE_ADMIN}, {authority=ROLE_USER}], ...
following is my thymeleaf code.
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
<!-- Principal name -->
Authenticated username:
<div sec:authentication="name"></div>
<div sec:authorize="hasRole('USER')">Text visible to user.</div>
<!-- i cant see this message -->
<div sec:authorize="hasRole('ADMIN')">Text visible to admin.</div>
Authenticated user roles:
<!-- print '[ROLE_USER]' only -->
<div sec:authentication="principal.authorities"></div>
</div>
<div sec:authorize="!isAuthenticated()">Text visible only to
unauthenticated users.
</div>
so, i want to access Principal.UserAttributes.authorities
in thymeleaf.
i'm refering OAuth2AuthenticationToken
, OAuth2User.getAttributes()
and DefaultOAuth2User.toString()
how can i do this?
I solved.
In Authorization Server, i configed like this.
- AuthorizationServer
WebSecurityConfigurerAdapter
config
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("admin").password(passwordEncoder().encode("123")).roles("USER", "ADMIN").authorities("USER", "ADMIN");
auth
.inMemoryAuthentication()
.withUser("user").password(passwordEncoder().encode("123")).roles("USER");
}
...
}
and following is my Resource Server's /me
mapping controller
- ResourceServer
/me
mapped Controller
@RestController
public class UserController {
@RequestMapping("/me")
public Principal user(Principal principal) {
return principal;
}
}
and following is my Client's WebSecurityConfigurerAdapter
config
- Client
WebSecurityConfigurerAdapter
config
@Configuration
@EnableOAuth2Client
public class WebSecurityConfigurerAdapterImpl extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/home", "/error", "/webjars/**", "/resources/**", "/login**").permitAll()
.anyRequest().authenticated()
.and().oauth2Login();
}
and in Client's Controller, i logged like this.
- logging
Principal
in Client Controller
@GetMapping("")
public String git1() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
System.out.println(auth.getPrincipal());
/** Thymeleaf using this **/
Object authenticationProperty = AuthUtils.getAuthenticationProperty(auth, "principal.attributes['authorities']");
System.out.println(authenticationProperty.toString());
return VIEW_PATH + "git1";
}
and following is the result
Name: [admin], Granted Authorities: [ROLE_USER], User Attributes: [authorities=[{authority=USER}, {authority=ADMIN}], details={remoteAddress=127.0.0.1, sessionId=null, tokenValue=82a7a532-a31e-4d0a-bd83-f15a9cbea3bc, tokenType=Bearer, decodedDetails=null}, authenticated=true, userAuthentication={authorities=[{authority=USER}, {authority=ADMIN}], details=null, authenticated=true, principal=admin, credentials=N/A, name=admin}, oauth2Request={clientId=foo, scope=[read], requestParameters={client_id=foo}, resourceIds=[], authorities=[], approved=true, refresh=false, redirectUri=null, responseTypes=[], extensions={}, refreshTokenRequest=null, grantType=null}, clientOnly=false, principal=admin, credentials=, name=admin]
[{authority=USER}, {authority=ADMIN}]
as you can see, i added 'ROLE_USER' and 'ROLE_ADMIN' Authorities in Authorization Server.
in Resource Server's Principal
Object granted both 'ROLE_ADMIN' and 'ROLE_USER'.
but in Client's Principal
Object doesn't granted 'ROLE_ADMIN'. there is 'ROLE_USER' Only.
and Principal.atttibutes['authorities']
has 'USER', 'ADMIN'.
as @Rahil Husain said, there is DefaultOAuth2UserService
and this service grant 'ROLE_USER' only to OAuth2User
Object.
first, i added CustomAuthoritiesExtractor
via @Componenet
annotation (@Bean
too.) to Client.
but this doesn't working in my projects.
so, i implemented CustomOAuth2User
and CustomOAuth2UserService
.
like this.
CustomOAuth2User
public class CustomOAuth2User implements OAuth2User {
private List<GrantedAuthority> authorities;
private Map<String, Object> attributes;
private String name;
public CustomOAuth2User(List<GrantedAuthority> authorities, Map<String, Object> attributes) {
this.authorities = authorities;
this.attributes = attributes;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return this.authorities;
}
@Override
public Map<String, Object> getAttributes() {
if (this.attributes == null) {
this.attributes = new HashMap<>();
this.attributes.put("name", this.getName());
}
return attributes;
}
@Override
public String getName() {
return this.name;
}
public void setName(String name) {
this.name = name;
}
}
and following is CustomOAuth2UserService
CustomOAuth2UserService
public class CustomOAuth2UserService extends DefaultOAuth2UserService {
@Override
public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
OAuth2User oAuth2User = super.loadUser(userRequest);
AuthoritiesExtractor authoritiesExtractor = new CustomAuthoritiesExtractor();
List<GrantedAuthority> grantedAuthorityList = authoritiesExtractor.extractAuthorities(oAuth2User.getAttributes());
CustomOAuth2User customOAuth2User = new CustomOAuth2User(grantedAuthorityList, oAuth2User.getAttributes());
customOAuth2User.setName(oAuth2User.getName());
return customOAuth2User;
}
}
and following is my CustomAuthoritiesExtractor
. this class not used as @Bean
or @Component
. directly used in CustomOAuth2Service
for mapping CustomOAuth2User
object's authorities
CustomAuthoritiesExtractor
public class CustomAuthoritiesExtractor implements AuthoritiesExtractor {
@Override
public List<GrantedAuthority> extractAuthorities(Map<String, Object> map) {
return AuthorityUtils.commaSeparatedStringToAuthorityList(asAuthorities(map));
}
private String asAuthorities(Map<String, Object> map) {
List<String> authorities = new ArrayList<>();
List<LinkedHashMap<String, String>> authz =
(List<LinkedHashMap<String, String>>) map.get("authorities");
for (LinkedHashMap<String, String> entry : authz) {
authorities.add(entry.get("authority"));
}
return String.join(",", authorities);
}
}
and final, i changed Client's endpoint to using my CustomOAuth2User
and CustomOAuth2UserService
.
so, i changed Client's WebSecurityConfigurerAdapter
config like this.
@Configuration
@EnableOAuth2Client
public class WebSecurityConfigurerAdapterImpl extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/home", "/error", "/webjars/**", "/resources/**", "/login**").permitAll()
.anyRequest().authenticated()
.and().oauth2Login()
/** add this config**/
.userInfoEndpoint()
.customUserType(CustomOAuth2User.class, "teemo")
.userService(this.oauth2UserService());
}
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
return new CustomOAuth2UserService();
}
and following is my thymeleaf.
- thymeleaf
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
Authenticated username:
<div sec:authentication="name"></div>
<div sec:authorize="hasRole('USER')">hasRole('USER')</div>
<div sec:authorize="hasRole('ROLE_USER')">hasRole('ROLE_USER')</div>
<div sec:authorize="hasRole('ADMIN')">hasRole('ADMIN')</div>
<div sec:authorize="hasRole('ROLE_ADMIN')">hasRole('ROLE_ADMIN')</div>
<!-- TRUE -->
<div sec:authorize="hasAuthority('USER')">hasAuthority('USER')</div>
<div sec:authorize="hasAuthority('ROLE_USER')">hasAuthority('ROLE_USER')</div>
<!-- TRUE -->
<div sec:authorize="hasAuthority('ADMIN')">hasAuthority('ADMIN')</div>
<div sec:authorize="hasAuthority('ROLE_ADMIN')">hasAuthority('ROLE_ADMIN')</div>
</div>
<div sec:authorize="!isAuthenticated()">Text visible only to
unauthenticated users.
</div>
and following is the result.
Text visible only to authenticated users. Authenticated username:
admin
hasAuthority('USER')
hasAuthority('ADMIN')
anyone who digging like me, i hope help this question and answers.
but i don't know this is de facto-standard way.
just.. working now.
这篇关于OAuth2 客户端主体在通过其他自定义授权服务器(SpringBoot2 和 OAuth2)进行身份验证时没有 GrantedAuthorities的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!