Spring Security 6 -在OAuth2 ResourceServer中访问UserDetails

t1qtbnec  于 2023-08-02  发布在  Spring
关注(0)|答案(1)|浏览(160)

我正在尝试使用Springboot 3和SpringSecurity 6来设置OAuth2 Resource Server。
我能够正确配置身份验证;我实现了一个自定义的jwt转换器,它从我的数据库中获取用户的权限,并将它们分配给安全上下文。

  1. class CustomAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
  3.     AzureUserService azureUserService;
  5.     public CustomAuthenticationConverter(AzureUserService azureUserService) {
  6.         this.azureUserService = azureUserService;
  7.     }
  9.     public AbstractAuthenticationToken convert(@NonNull Jwt jwt) {
  10.         // Currently, creates a user in the database, if they don't exist yet. Guaranteed to get a user.
  11.         User user = azureUserService.retrieveOrCreateUserFromJwt(jwt);
  12.         JwtAuthenticationToken authentication = new JwtAuthenticationToken(jwt, user.getAuthorities(), user.getId());
  13.         SecurityContextHolder.getContext().setAuthentication(authentication);
  14.         return authentication;
  15.     }
  16. }

字符串
现在我可以用权威来保护我的路线了。下一步:我希望能够访问一些路由内部的有关当前用户的信息。然而,即使在注册了我的用户详细信息服务类之后:

  1. @Bean
  2. public DaoAuthenticationProvider authenticationProvider() {
  3.     DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
  4.     provider.setUserDetailsService(userDetailsService);
  5.     return provider;
  6. }


我无法访问路由中的UserDetails对象:

  1. @GetMapping("/api/admin/you")
  2.     public String showProfile(@AuthenticationPrincipal CustomUserDetails userDetails) {
  3.         return "Details"+ userDetails;
  5.     }


这将返回“Details null”。
我不确定UserDetails是否不可访问,因为我只是将此应用程序用作OAuthResource Server,或者我没有正确配置它。
我的UserDetails类的实现:

  1. public class CustomUserDetails implements UserDetails {
  3.     private final User user; // This is your own User entity class
  5.     public CustomUserDetails(User user) {
  6.         this.user = user;
  7.     }
  9.     @Override
  10.     public Collection<? extends GrantedAuthority> getAuthorities() {
  11.         return user.getAuthorities();
  12.     }
  14.     // We use OAuth2, hence no need for password
  15.     @Override
  16.     public String getPassword() {
  17.         return null;
  18.     }
  20.     @Override
  21.     public String getUsername() {
  22.         return user.getId();
  23.     }
  25.     @Override
  26.     public boolean isAccountNonExpired() {
  27.         return true;
  28.     }
  30.     @Override
  31.     public boolean isAccountNonLocked() {
  32.         return true;
  33.     }
  35.     @Override
  36.     public boolean isCredentialsNonExpired() {
  37.         return true;
  38.     }
  40.     @Override
  41.     public boolean isEnabled() {
  42.         return user.getEnabled();
  43.     }
  45.     public User getUser() {
  46.         return user;
  47.     }
  48. }


以及服务:

  1. @Transactional
  2. @Service
  3. public class CustomUserDetailsService implements UserDetailsService {
  4.     private final UserRepository userRepository;
  6.     public CustomUserDetailsService(UserRepository userRepository) {
  7.         this.userRepository = userRepository;
  8.     }
  10.     // Note that Spring calls the unique user identifier "username", but we're working with a unique identifier.
  11.     @Override
  12.     public CustomUserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  13.         Optional<User> optionalUser = userRepository.findById(username);
  15.         if (optionalUser.isPresent()) {
  16.             User user = optionalUser.get();
  17.             return new CustomUserDetails(user);
  18.         }
  19.         else {
  20.             throw new UsernameNotFoundException("User not found with id: " + username);
  21.         }
  22.     }
  23. }


另外,这里是我的SecurityConfiguration

  1. @Bean
  2.     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
  4.         // Create RequestMatchers out of the Strings
  5.         List<RequestMatcher> publicMatchers = Arrays.stream(publicPaths)
  6.                 .map(AntPathRequestMatcher::new)
  7.                 .collect(Collectors.toList());
  9.         // Apply configuration
  10.         http
  11.                 .authenticationProvider(authenticationProvider())
  12.                 .authorizeHttpRequests(authorizeRequests -> {
  13.                     authorizeRequests
  15.                             // Allow public access to the routes specified in 'publicMatchers' list
  16.                             .requestMatchers(request ->
  17.                                     publicMatchers.stream().anyMatch(matcher -> matcher.matches(request))
  18.                             ).permitAll()
  20.                             // Require authentication for all other routes.
  21.                             .anyRequest().authenticated();
  22.                 })
  24.                 // Configure the OAuth 2.0 resource server to use JWT tokens provided by Azure AD B2C
  25.                 .oauth2ResourceServer(oauth2ResourceServer ->
  26.                         oauth2ResourceServer
  27.                                 .jwt(jwt ->
  28.                                         // Set the location where the server can find the JSON Web Key Set (JWK Set).
  29.                                         // The JWK Set contains public keys. The server uses these public keys to
  30.                                         // validate the signatures of incoming JWTs, ensuring they were issued by a trusted authorization server.
  31.                                         // In this case, the URI of the JWK Set is provided by the 'jwkSetUri' variable.
  32.                                         jwt.jwkSetUri(this.jwkSetUri)
  33.                                                 .jwtAuthenticationConverter(customAuthenticationConverter())
  34.                                 )
  35.                 )
  36.                 .userDetailsService(userDetailsService);
  38.         return http.build();
  39.     }

spring

1条答案

按热度按时间
du7egjpx

du7egjpx1#

在认证转换器bean中连接JPA存储库是可行的(例如,我做的是here),但是这是一个不好的实践,应该保留到不能在授权服务器上设置访问令牌私有声明的情况下,并且不能在它前面使用另一个(更可配置的)授权服务器。在Keycloak中,您使用“mappers”来完成,在Auth0中,您使用“actions”来完成,在Azure中,您使用“API connectors”来完成。
每次令牌发布时从授权服务器上的DB获取角色一次效率要高得多,而不是针对资源服务器上的每个传入请求获取角色。您可以使用缓存来缓解这种情况,但是创建、维护和调试缓存(分布式环境中的共享缓存)总是一件痛苦的事情。
使用授权转换器从DB获取角色的工作解决方案的细节(但是,如果你这样做,我打赌你迟早会后悔的):

  1. static interface AuthoritiesConverter extends Converter<Jwt, Set<SimpleGrantedAuthority>> {
  2. }
  4. static interface AuthenticationConverter extends Converter<Jwt, JwtAuthenticationToken> {
  5. }
  7. @Component
  8. @RequiredArgsConstructor
  9. public static class PersistedGrantedAuthoritiesRetriever implements AuthoritiesConverter {
  10.     private final UserAuthorityRepository authoritiesRepo;
  12.     @Override
  13.     @Transactional(readOnly = true)
  14.     public Set<SimpleGrantedAuthority> convert(Jwt jwt) {
  15.         final Collection<UserAuthority> authorities = authoritiesRepo.findBySubject(jwt.getSubject());
  17.         return authorities.stream().map(UserAuthority::getAuthority).map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
  18.     }
  19. }
  21. @Component
  22. @RequiredArgsConstructor
  23. public static class JpaAuthenticationConverter implements AuthenticationConverter {
  24.     private final Converter<String, ? extends Collection<? extends GrantedAuthority>> authoritiesConverter;
  26.     @Override
  27.     public JwtAuthenticationToken convert(Jwt jwt) {
  28.         return new JwtAuthenticationToken(jwt, authoritiesConverter.convert(jwt));
  29.     }
  30. }
  32. @EnableWebSecurity
  33. @EnableMethodSecurity
  34. @Configuration
  35. public static class WebSecurityConfig {
  37.     @Bean
  38.     SecurityFilterChain filterChain(
  39.             HttpSecurity http,
  40.             Converter<Jwt, ? extends AbstractAuthenticationToken> authenticationConverter) throws Exception {
  42.         http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(authenticationConverter)));
  43.         
  44.         ...
  46.     }
  47. }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2023-08-02
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com