在 Spring Security OAuth2 (provider) 中使用作用域作为角色 [英] Using scopes as roles in Spring Security OAuth2 (provider)
问题描述
让我们考虑一个相当简单的假设应用程序,用户可以在其中阅读或撰写帖子.
Let's consider a fairly simple hypothetical application where users can read or write posts.
有些用户可以阅读和撰写文章,而有些用户只能阅读文章.使用 Spring Security (3.2.1) 我通过有 2 个角色对此进行建模:
Some users can read and write articles while some others can only read them. With Spring Security (3.2.1) I modeled this by having 2 roles:
- ROLE_WRITE:此角色授予用户撰写帖子的权限.
- ROLE_READ:此角色授予用户阅读帖子的权限.
使用 Spring 安全性实现这一点相当简单...
Implementing this with Spring security is fairly straightforward...
现在我还想通过使用 Spring Security OAuth(版本 2.0.0.M3 ATM).
Now I want to also allow third-party apps to read and write posts on behalf of users by implementing an OAuth2 provider using Spring Security OAuth (version 2.0.0.M3 ATM).
在授权步骤中,应用会询问用户是否愿意代表他们授予阅读和/或撰写帖子的权利.此处的用户在此处授予范围(而非角色).
During the authorization step, the app asks the user whether they are willing to grant the right to read and/or write posts on their behalf. The user here is granting scopes here (not roles).
然后,当 OAuth2 使用者调用我的 REST API 时,Spring Sec OAuth 会授权授予的令牌并创建一个包含用户及其所有角色和仅授予范围的身份验证.
Then when the OAuth2 consumer calls my REST API, Spring Sec OAuth authorizes the token granted and creates an authentication containing the user with all their roles and only the scopes granted.
问题(和问题)是我现在必须编写不同的安全逻辑,具体取决于 API 是由正常身份验证的用户调用(仅检查角色)还是通过 OAuth2 调用(检查角色 + 范围).
The problem (and the question) is that I now have to write different security logic depending on whether the API is called by a user normally authenticated (just check the roles) or whether it's called through OAuth2 (check roles + scopes).
是否可以在 Spring Security OAuth2 中合并"角色和范围的概念,以便在授权步骤中,用户授予应用他们拥有的角色的子集(并拥有OAuth2 身份验证仅在授予的权限中报告这些)?这样,当第 3 方应用程序进行 API 调用时,身份验证中的角色是授予的角色吗?这样我就不必编写任何 OAuth2 特定的安全逻辑.
Is it possible to "merge" the concepts of roles and scopes in Spring Security OAuth2 so that during the authorization step, the user grants the app a subset of the roles they have (and have the OAuth2 authentication only report these in the granted authorities)? That way when the 3rd party app makes an API call, the roles on the authentication are the ones granted? That way I don't have to write any OAuth2 specific security logic.
推荐答案
作用域(和角色)是任意的字符串,所以如果你想使然后相同没有问题.为了使访问规则声明相同,您可以编写一个 ExpressionHandler,根据它找到的 Authentication 类型测试具有相同值的权限或范围.
Scopes (and roles) are arbitrary strings, so there is no problem if you want to make then the same. To make the access rule declarations identical you could write an ExpressionHandler that tested authorities or scopes with the same values depending on the type of Authentication it found.
在您阅读评论后,建议采用一种不同的方法:添加自定义 TokenStore 或 ResourceServerTokenServices.这些是易于访问的扩展点,并且允许修改 OAuth2Authentication 以便其授予的权限与范围相同.
A different approach suggests itself after you read the comments: add a custom TokenStore or ResourceServerTokenServices. These are easily accessible extension points and would permit modifying the OAuth2Authentication so that its granted authorities were the same as the scopes.
然而,我的偏好是使用 OAuth2RequestFactory 控制允许的范围,在授予令牌时将它们限制为与用户权限一致的值.
My preference, however, is to control the allowed scopes using a OAuth2RequestFactory, limiting them at the point of the token grant to values that are consistent with the user's authorities.
这篇关于在 Spring Security OAuth2 (provider) 中使用作用域作为角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
