Spring Boot Basic Authentication and OAuth2 in the same project?


Problem description

Is it possible to use OAuth2 for certain endpoints in my REST application and also use basic authentication for some other endpoints? It should all work on Spring Security version 2.0.1.RELEASE. I hope someone can help me further.

Recommended answer

Yes, it's possible to use basic authentication as well as OAuth2 authentication intertwined, but I doubt you'll be able to set it up easily, as HttpSecurity's authenticated() method doesn't allow you to pick which of your authentication methods (oauth2Login/formLogin) will work.

However, there's a way to easily bypass that:

You could add a custom authority, let's call it ROLE_BASICAUTH, when a user connects using basic auth, and ROLE_OAUTH2 when a user connects using OAuth2. That way, you can use:

    .antMatchers("/endpoint-that-requires-basic-auth").hasRole("BASICAUTH")
    .antMatchers("/endpoint-that-requires-oauth2").hasRole("OAUTH2")
    .anyRequest().authenticated()

When they reach an endpoint that you want basic authentication for (and not OAuth2), you check their current authorities, and if it's not BASICAUTH, then you invalidate their session and display a login form without OAuth2 (to force them to use the basic authentication).

The downside to doing that is that you'd need to implement both a custom UserDetailsService as well as a custom OAuth2UserService...

But that's actually not that hard:

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Service;

@Service
public class UserService extends DefaultOAuth2UserService implements UserDetailsService {

    // ...

    @Override
    public OAuth2User loadUser(OAuth2UserRequest oAuth2UserRequest) throws OAuth2AuthenticationException {
        // Let the default service fetch the principal from the provider's user-info endpoint first
        OAuth2User user = super.loadUser(oAuth2UserRequest);

        Map<String, Object> attributes = user.getAttributes();
        Set<GrantedAuthority> authoritySet = new HashSet<>(user.getAuthorities());
        String userNameAttributeName = oAuth2UserRequest.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();

        // Mark this principal as having authenticated through OAuth2
        authoritySet.add(new SimpleGrantedAuthority("ROLE_OAUTH2"));

        return new DefaultOAuth2User(authoritySet, attributes, userNameAttributeName);
    }


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = getUserFromDatabase(username); // you'll need to provide that method (where are the username/password stored?)
        if (user == null) { // UserDetailsService doesn't allow loadUserByUsername to return null, so throw exception
            throw new UsernameNotFoundException("Couldn't find user with username '" + username + "'");
        }
        // add ROLE_BASICAUTH: UserDetails.getAuthorities() is normally immutable, so rebuild the user
        // with User.withUserDetails(...) and an extended authority set instead of mutating it in place
        Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
        authorities.add(new SimpleGrantedAuthority("ROLE_BASICAUTH"));
        return User.withUserDetails(user).authorities(authorities).build();
    }

}

Note that this is a rough implementation, so you'll have to work it out a bit on your end as well.

You can also use this repository I made https://github.com/TwinProduction/spring-security-oauth2-client-example/tree/master/custom-userservice-sample as a guideline for the custom OAuth2UserService.

Good luck.
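The security configuration that the answer above leaves implicit, as an added example rather than code from the answer or its linked repository. It assumes the UserService class from the answer, Spring Boot 2.0.x / Spring Security 5.0.x, the hypothetical path prefixes /api/** (Basic only) and /web/** (OAuth2 only), and an OAuth2 client registration configured under spring.security.oauth2.client in application.yml. Two details matter in practice: hasRole("BASICAUTH") is enforced by the access-decision layer as a 403, not as a fresh login prompt, so the "invalidate the session and re-challenge" step from the answer has to live in an AccessDeniedHandler; and unauthenticated requests to the Basic-only paths need a Basic challenge (401 with WWW-Authenticate) rather than the redirect to the OAuth2 login page that oauth2Login() installs as the default entry point.

```java
// Added example, not from the original answer: wires the answer's UserService into
// both httpBasic() and oauth2Login() and partitions endpoints with the marker roles.
// Assumed (hypothetical) paths: /api/** requires Basic, /web/** requires OAuth2.
package com.example.security;

import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String BASIC_PATHS = "/api/**";   // hypothetical
    private static final String OAUTH2_PATHS = "/web/**";  // hypothetical

    private final UserService userService;

    public SecurityConfig(UserService userService) {
        this.userService = userService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Expects {bcrypt}-style prefixed hashes in the store; never keep Basic credentials in plain text
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Backs httpBasic(): DaoAuthenticationProvider calls loadUserByUsername, which adds ROLE_BASICAUTH
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
        basicEntryPoint.setRealmName("api");
        basicEntryPoint.afterPropertiesSet();

        http
            .authorizeRequests()
                // hasRole("X") matches the authority "ROLE_X" that UserService attaches per mechanism
                .antMatchers(BASIC_PATHS).hasRole("BASICAUTH")
                .antMatchers(OAUTH2_PATHS).hasRole("OAUTH2")
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .oauth2Login()
                .userInfoEndpoint()
                    // Same bean as the OAuth2UserService, so ROLE_OAUTH2 is attached at login
                    .userService(userService)
                    .and()
                .and()
            .exceptionHandling()
                // Unauthenticated callers of Basic-only paths get a Basic challenge, not the OAuth2 login redirect
                .defaultAuthenticationEntryPointFor(basicEntryPoint, new AntPathRequestMatcher(BASIC_PATHS))
                .accessDeniedHandler(wrongMechanismHandler(basicEntryPoint));
    }

    // Principal authenticated with the wrong mechanism for this path (e.g. an OAuth2 session
    // hitting /api/**): drop the session and re-challenge, which is the answer's
    // "invalidate the session and force the other login" step.
    private AccessDeniedHandler wrongMechanismHandler(BasicAuthenticationEntryPoint basicEntryPoint) {
        AntPathRequestMatcher basicMatcher = new AntPathRequestMatcher(BASIC_PATHS);
        return (request, response, denied) -> {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            if (basicMatcher.matches(request)) {
                // 401 + WWW-Authenticate: Basic realm="api"
                basicEntryPoint.commence(request, response,
                        new InsufficientAuthenticationException("Basic authentication required"));
            } else {
                // Assumed: the generated login page that oauth2Login() serves at /login
                response.sendRedirect(request.getContextPath() + "/login");
            }
        };
    }
}
```

With this wiring, a curl call to /api/... without credentials gets a 401 Basic challenge, a browser session established through the OAuth2 provider gets a 403 routed through the handler above when it strays onto /api/..., and /web/... stays reachable only to principals carrying ROLE_OAUTH2. The marker roles say only how the current session was established; they are not a substitute for per-user authorization on the endpoints themselves.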
