如何使用Spring Security在单个端点上启用OAuth2

pjngdqdw  于 2023-11-19  发布在  Spring
关注(0)|答案(1)|浏览(137)

我有一个Sping Boot 应用程序(spring- Boot -starter-parent 3.1.5),它公开了具有不同安全需求的REST端点。
一些端点将接受会话cookie,其他端点将接受由我自己的服务器签名的JWT。我需要添加一个端点,该端点将接受来自身份验证服务器的JWT,因此我选择使用与Sping Boot 集成的Auth 0库,以便我可以发现身份验证服务器的签名密钥并验证JWT。
this tutorial之后,我最终得到了以下配置:

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        return http
                .httpBasic(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .formLogin(AbstractHttpConfigurer::disable)
                .logout(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests((authorize) -> authorize.requestMatchers("/login").permitAll())
                .authorizeHttpRequests((authorize) -> authorize.requestMatchers(getRequestMatchers()).authenticated())
                .addFilterBefore(getCustomAuthenticationProcessingFilter(authManager), AnonymousAuthenticationFilter.class)
                .authorizeHttpRequests((authorize) -> authorize.requestMatchers("/sso/login").authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
                .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
                .build();
    }

字符串
为了支持这个新端点(“/sso/login”)而添加的内容是:

.authorizeHttpRequests((authorize) -> authorize.requestMatchers("/sso/login").authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))


这个想法是,从getRequestMatchers()返回的请求匹配器应该经过我的CustomAuthenticationProcessingFilter,并且单个“/sso/login”端点将是我需要oauth2 ResourceServer功能的唯一端点。值得注意的是,我在从getRequestMatchers()返回的匹配器中显式排除了“/sso/login”端点。然而,我只能配置这个过滤器链,使任何请求都以BearerTokenAuthenticationFilter开始(因此它被视为资源服务器端点),如果失败,(因为它使用的是会话cookie或由我的服务器签名的JWT),则整个链被中止,并且它不尝试使用CustomAuthenticationProcessingFilter进行身份验证。
开放的想法,如何分离出这种配置,使其工作。

wqsoz72f

wqsoz72f1#

Steve Riesenberg链接的文档在这里很有帮助,尽管我已经阅读了Spring Security的架构和过滤器的工作原理,但我还是错过了这部分。下面是一个例子:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    @Order(1)
    public SecurityFilterChain oauth2FilterChain(HttpSecurity http) throws Exception {
        return http
                .httpBasic(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .formLogin(AbstractHttpConfigurer::disable)
                .logout(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .securityMatcher("/api/sso/login")
                .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
                .build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain customAuthFilterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        return http
                .httpBasic(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .formLogin(AbstractHttpConfigurer::disable)
                .logout(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .securityMatcher("/api/**")
                .authorizeHttpRequests((authorize) -> authorize.requestMatchers("/api/login").permitAll())
                .authorizeHttpRequests((authorize) -> authorize.requestMatchers(getRequestMatchers()).authenticated())
                .addFilterBefore(getCustomAuthenticationProcessingFilter(authManager), AnonymousAuthenticationFilter.class)
                .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
                .build();
    }
}

字符串

相关问题