spring-security 为受信任空间自定义Spring Security

服务在可信空间中的网关之后工作（gateWay验证OAuth令牌，并仅向服务提供唯一的用户ID，否则它将重定向以验证服务）。
我希望在服务中使用Spring安全性，以便能够验证userId的权限。
所以我把CustomUserDetailsService

@Service("userDetailsService")
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired(required = false)
    private ContextSsoActiveProfileIdProvider contextSsoActiveProfileIdProvider;
    @Autowired
    private GrantedAuthorityService grantedAuthorityService;

    @Override
    public User loadUserByUsername(final String username) throws UsernameNotFoundException {
        // verify it with authentication service, but there is not token, userId only, so trust to gateway service.
        return new User(
                String.valueOf(contextSsoActiveProfileIdProvider.getSsoActiveProfileId()),
                "authenticatedWithGateWay",
                grantedAuthorityService.getGrantedAuthoritiesForCurrentUser()
        );
    }
}

其中，* contextSsoActiveProfileId提供者。getSsoActiveProfileId（）* 返回唯一的用户ID，grantedAuthorityService。getGrantedAuthoritiesForCurrentUser（） 返回授权。
该服务在受信任区域中启动，因此我已按以下方式配置了安全性：

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/**").permitAll();
    }

    @Override
    protected UserDetailsService userDetailsService() {
        return userDetailsService;
    }
}

我需要为所有用户提供免费访问所有URI（http.authorizeRequests().antMatchers("/**").permitAll();）（不触发登录提供），但它似乎抑制了下一个注解@PreAuthorize，@PreFilter，@PostAuthorize和@PostFilter的触发处理程序。
我想我在这里把http.authorizeRequests().antMatchers("/**").permitAll();或其他配置部分搞错了。
更多问题症状：

从不调用CustomUserDetailsService.loadUserByUsername(..);
在REST API部分@AuthenticationPrincipal User activeUser为空
在REST API上，Principal principal部分也为空

可信空间问题的解决方案与匿名用户身份识别类似（我在研究它时得出了这个结论）。

简短回答

信任空间不需要授权，但不会调用 UserDetailsService，因为默认情况下只使用AnonymousAuthenticationProvider和AnonymousAuthenticationFilter。可以实现基于AnonymousAuthenticationFilter覆盖createAuthentication的自定义过滤器，并将默认过滤器（AnonymousAuthenticationFilter）替换为自定义过滤器（CustomAnonymousAuthenticationFilter）：

@Configuration
    public static class NoAuthConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserDetailsService userDetailsService;
        @Autowired
        private IdentifiableAnonymousAuthenticationFilter identifiableAnonymousAuthenticationFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.anonymous().authenticationFilter(identifiableAnonymousAuthenticationFilter);
            http.antMatcher("/**").authorizeRequests()
                    .anyRequest().permitAll();
        }
    }

完整答案

我发现如果用户未授权，CustomUserDetailsService将永远不会被调用。继续研究时请注意AnonymousAuthenticationFilter，它负责创建匿名用户信息。因此，在非常和目的是用我的IdentifiableAnonymousAuthenticationFilter替换AnonymousAuthenticationFilter，其中一些方法应被覆盖：

@Component
public class IdentifiableAnonymousAuthenticationFilter extends AnonymousAuthenticationFilter {
    public static final String KEY_IDENTIFIABLE_ANONYMOUS_AUTHENTICATION_FILTER
            = "Key.IdentifiableAnonymousAuthenticationFilter";
    @Autowired
    private CustomUserDetailsService userDetailsService;
    @Autowired
    private GrantedAuthorityService grantedAuthorityService;
    private AuthenticationDetailsSource authenticationDetailsSource
            = new WebAuthenticationDetailsSource();

    public IdentifiableAnonymousAuthenticationFilter() {
        this(KEY_IDENTIFIABLE_ANONYMOUS_AUTHENTICATION_FILTER);
    }

    public IdentifiableAnonymousAuthenticationFilter(String key) {
        super(key);
    }

    @Override
    protected Authentication createAuthentication(HttpServletRequest request) {
        AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(
                KEY_IDENTIFIABLE_ANONYMOUS_AUTHENTICATION_FILTER,
                userDetailsService.loadCurrentUser(request),
                grantedAuthorityService.getGrantedAuthoritiesForCurrentUser());
        auth.setDetails(authenticationDetailsSource.buildDetails(request));
        return auth;
    }
}

将其注入到配置中

@Configuration
public class IdentifyAnonymousConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Autowired
    private IdentifiableAnonymousAuthenticationFilter identifiableAnonymousAuthenticationFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.anonymous().authenticationFilter(identifiableAnonymousAuthenticationFilter);
    // ... some other configurations
    }
}

现在看起来好多了，因为 identifiableAnonymousAuthenticationFilter 被注入到了AnonymousConfigurer中。请注意您基于WebSecurityConfigurerAdapter的配置。如果您有几个配置，其中一个不会设置 customAnonymousAuthenticationFilter，而是在 *custom.. * 之前配置，您将获得 AnonymousAuthenticationFilter 的默认示例（默认情况下在WebSecurityConfigurerAdapter中配置）：

protected final HttpSecurity getHttp() throws Exception {
      //...
      http
        .csrf().and()
        .addFilter(new WebAsyncManagerIntegrationFilter())
        .exceptionHandling().and()
        .headers().and()
        .sessionManagement().and()
        .securityContext().and()
        .requestCache().and()
        .anonymous().and()
      // ...

如果应用程序已修复，我不会关心它，但AnonymousAuthenticationFilter调用时间早于IdentifiableAnonymousAuthenticationFilter，并且 doFilter 将SecurityContextHolderincorrect身份验证放入SecurityContextHolder

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    if(SecurityContextHolder.getContext().getAuthentication() == null) {
        SecurityContextHolder.getContext().setAuthentication(this.createAuthentication((HttpServletRequest)req));
        if(this.logger.isDebugEnabled()) {
            this.logger.debug("Populated SecurityContextHolder with anonymous token: '" + SecurityContextHolder.getContext().getAuthentication() + "'");
        }
    } else if(this.logger.isDebugEnabled()) {
        this.logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '" + SecurityContextHolder.getContext().getAuthentication() + "'");
    }

    chain.doFilter(req, res);
}

因此，当下次为IdentifiableAnonymousAuthenticationFilter调用 doFilter 时，由于条件if(SecurityContextHolder.getContext().getAuthentication() == null)（请参见前面的方法），它不会替换Authentication。
因此，如果能够提供配置，其中使用magic annotation**@Order**修复WebSecurityConfigurerAdapter配置，以管理配置加载顺序，效果会非常好。

警告

或者有人可能会想-在IdentifiableAnonymousAuthenticationFilter中添加doFilter覆盖而不带条件（它是hack）：

@Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(createAuthentication((HttpServletRequest) req));
        if (logger.isDebugEnabled()) {
            logger.debug("Populated SecurityContextHolder with anonymous token: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'");
        }
        chain.doFilter(req, res);
    }

如果您需要处理授权/已验证用户的Spring安全性，则这是不可接受的，但在某些情况下，这已经足够了。
附言
解决方案的某些部分可以改进，但我希望这个想法总体上是清楚的。

spring-security 为受信任空间自定义Spring Security

1条答案

简短回答

完整答案

警告

相关问题

热门标签

最新问答