Spring OAuth with JWT custom UserDetails - Set Principal inside JwtAccessTokenConverter

Problem description

Some additional info is sent from OAuth Authorization Server that is needed inside a custom UserDetails class on Resource Server, and preferably inside SpringSecurity Principal.

Current approach is setting a username as Principal and adding additional info as an additional details of Authentication object like this.

public class CustomAccessTokenConverter extends JwtAccessTokenConverter{

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
        OAuth2Authentication authentication = super.extractAuthentication(claims);

        CustomUserDetails userDetails = new CustomUserDetails ();
        userDetails.setUserId(((Integer)claims.get("id")).longValue());
        userDetails.setName((String) claims.get("name"));
        userDetails.setLastName((String) claims.get("lastName"));

        authentication.setDetails(userDetails);

        return authentication;
    }
}

The good thing about this approach is we can access custom UserDetails from anywhere inside the app. The bad thing is that the Principal object is stuck on being only the user's username, and we need a lot more code to access custom UserDetails.

// preferable way   
(UserAuthDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();

// current solution
(UserAuthDetails) ((OAuth2AuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails()).getDecodedDetails();

Is there a cleaner solution to use JwtAccessTokenConverter but still be able to set Principal as custom UserDetails instead of setting it to (useless) username and sending additional info as details of Authentication object?

Recommended answer

I cannot say if this is the preferred solution, but after trying to solve the same thing myself, I ended up extending the DefaultUserAuthenticationConverter.

So you can do something like this:

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
  // Plug the custom user converter into the default access token converter.
  DefaultAccessTokenConverter defaultConverter = new DefaultAccessTokenConverter();
  defaultConverter.setUserTokenConverter(new CustomUserAuthenticationConverter());

  JwtAccessTokenConverter jwtConverter = new JwtAccessTokenConverter();
  jwtConverter.setAccessTokenConverter(defaultConverter);
  return jwtConverter;
}

Then the DefaultUserAuthenticationConverter is not very extendable since most methods and properties are private. But here is an example:

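import java.util.Collection;
import java.util.Map;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.util.StringUtils;

public class CustomUserAuthenticationConverter extends DefaultUserAuthenticationConverter {

  private static final String CUST_PROP = "custProp";

  @Override
  public Authentication extractAuthentication(Map<String, ?> map) {
    // Build the principal only when both expected claims are present.
    if (map.containsKey(USERNAME) && map.containsKey(CUST_PROP)) {
      String username = (String) map.get(USERNAME);
      String custProp = (String) map.get(CUST_PROP);

      CustomPrincipal principal = new CustomPrincipal();
      principal.setUsername(username);
      principal.setCustomProp(custProp);

      Collection<? extends GrantedAuthority> authorities = getAuthorities(map);
      return new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
    }
    return null;
  }

  // Copy this method from DefaultUserAuthenticationConverter or create your own.
  // This version mirrors the private method of the parent class.
  private Collection<? extends GrantedAuthority> getAuthorities(Map<String, ?> map) {
    if (!map.containsKey(AUTHORITIES)) {
      return AuthorityUtils.NO_AUTHORITIES;
    }
    Object authorities = map.get(AUTHORITIES);
    if (authorities instanceof String) {
      return AuthorityUtils.commaSeparatedStringToAuthorityList((String) authorities);
    }
    if (authorities instanceof Collection) {
      return AuthorityUtils.commaSeparatedStringToAuthorityList(
          StringUtils.collectionToCommaDelimitedString((Collection<?>) authorities));
    }
    throw new IllegalArgumentException("Authorities must be either a String or a Collection");
  }

}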
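
Added example (not part of the original question or answer): both converters above cast token claims directly, so a missing claim or an `id` that arrives as a `Long` fails with an unchecked exception on the resource server. This stand-alone Java class validates claim presence and type before building an immutable principal; `TokenPrincipal`, `fromClaims`, `requireText` and the sample claim values are hypothetical, while the claim names `id` and `name` come from the question and `user_name` is the value of the `USERNAME` constant.

```java
import java.util.HashMap;
import java.util.Map;

public class ClaimPrincipalDemo {

    /** Immutable principal built only from validated claims (hypothetical class). */
    static final class TokenPrincipal {
        final long userId;
        final String username;
        final String name;
        TokenPrincipal(long userId, String username, String name) {
            this.userId = userId; this.username = username; this.name = name;
        }
        @Override public String toString() { return username + "#" + userId; }
    }

    /** Throws IllegalArgumentException if a claim is missing or has the wrong type. */
    static TokenPrincipal fromClaims(Map<String, ?> claims) {
        Object id = claims.get("id");
        // JSON parsers return Integer or Long depending on magnitude, so accept
        // both instead of casting straight to Integer.
        if (!(id instanceof Integer || id instanceof Long)) {
            throw new IllegalArgumentException("claim 'id' missing or not an integer");
        }
        return new TokenPrincipal(((Number) id).longValue(),
                requireText(claims, "user_name"), requireText(claims, "name"));
    }

    private static String requireText(Map<String, ?> claims, String key) {
        Object v = claims.get(key);
        if (!(v instanceof String) || ((String) v).trim().isEmpty()) {
            throw new IllegalArgumentException("claim '" + key + "' missing or not text");
        }
        return (String) v;
    }

    public static void main(String[] args) {
        Map<String, Object> claims = new HashMap<>(); // constructed sample claims
        claims.put("id", 5_000_000_000L);             // too large for Integer
        claims.put("user_name", "alice");
        claims.put("name", "Alice");
        System.out.println(fromClaims(claims));
        claims.put("id", "42");                       // wrong type: must be rejected
        try {
            fromClaims(claims);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Inside `extractAuthentication`, the same checks can run before the principal is constructed, so a malformed token is rejected with a clear error instead of a `ClassCastException` or `NullPointerException`.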
