当前位置: 首页 > 知识库问答 >
问题:

将用户角色映射到oauth2作用域/权限

谷梁建中
2023-03-14

忽略上面提到的权限数据库,我是否在下面的代码中将角色“用户”、“阅读器”、“编写器”映射到基于user和resourceId的oauth2范围/权限?

用户身份验证/授权配置

@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {

    ....

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // auth.parentAuthenticationManager(authenticationManager);
        // @formatter:off
        auth.inMemoryAuthentication()
            .withUser("admin").password("admin")
                .roles("ADMIN", "USER", "READER", "WRITER")
            .and()
            .withUser("user").password("password")
                .roles("USER")
            .and()
            .withUser("audit").password("audit")
                .roles("USER", "ADMIN", "READER");
        // @formatter:on
    }
}

OAuth2配置

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        clients.inMemory()
            .withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                .scopes("openid")
            .and()
            .withClient("trusted").secret("shuush")
                .authorizedGrantTypes("client_credentials")
                .scopes("openid");
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.checkTokenAccess("isAuthenticated()");
    }
}

在配置中引入自定义的OAuth2RequestFactory以将checkUserScopes设置为true。虽然此设置对“client_credentails”有效,但对“code”授予失败。对于“代码”授予,DefaultOAuth2RequestFactory尝试在授权步骤期间为客户端(acme)而不是用户映射权限。另一种想法是实现ClientDetailsService,该服务基于登录用户(admin/user)添加客户端(acme)的权限,但不确定如何从SecurityContext中抓取登录用户,因为在授权步骤中,它被客户端(acme)覆盖。有什么想法吗?

public class ScopeMappingOAuth2RequestFactory extends DefaultOAuth2RequestFactory {

    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();

    public ScopeMappingOAuth2RequestFactory(ClientDetailsService clientDetailsService) {
        super(clientDetailsService);
        super.setCheckUserScopes(true);
    }

    /**
     * @param securityContextAccessor the security context accessor to set
     */
    @Override
    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
        super.setSecurityContextAccessor(securityContextAccessor);
    }

    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> authorizationParameters) {
        AuthorizationRequest request = super.createAuthorizationRequest(authorizationParameters);

        if (securityContextAccessor.isUser()) {
            request.setAuthorities(securityContextAccessor.getAuthorities());
        }

        return request;
    }

}

并将相关代码更新为

@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    private InMemoryClientDetailsService clientDetailsService;

    private Map<String, ClientDetails> clientDetailsStore;

    public InMemoryClientDetailsService clientDetailsService() {
        if (clientDetailsService == null) {
            clientDetailsStore = new HashMap<String, ClientDetails>();
            InMemoryClientDetailsService m = new InMemoryClientDetailsService() {

                @Override
                public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
                    ClientDetails details = clientDetailsStore.get(clientId);
                    if (details == null) {
                        throw new NoSuchClientException("No client with requested id: " + clientId);
                    }
                    return details;
                }

            };
            clientDetailsService = m;
        }
        return clientDetailsService;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        InMemoryClientDetailsServiceBuilder builder = new InMemoryClientDetailsServiceBuilder() {

            @Override
            protected void addClient(String clientId, ClientDetails value) {
                clientDetailsStore.put(clientId, value);
            }

            @Override
            protected ClientDetailsService performBuild() {
                return clientDetailsService();
            }
        };
        clients.setBuilder(builder);

        // @formatter:off
        builder
            .withClient("acme").secret("acmesecret")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                .scopes("openid", "apim.read", "apim.write")
            .and()
            .withClient("trusted").secret("shuush")
                .authorizedGrantTypes("client_credentials")
                .scopes("openid", "apim.read", "apim.write")
                .authorities("openid", "apim.read", "apim.write");
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
        endpoints.requestFactory(new ScopeMappingOAuth2RequestFactory(clientDetailsService()));
    }

...}

Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {

....

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // auth.parentAuthenticationManager(authenticationManager);
        // @formatter:off
        auth.inMemoryAuthentication()
            .withUser("admin").password("admin")
                .roles("APIM.READ", "APIM.WRITE")
            .and()
            .withUser("user").password("password")
                .roles("APIM.READ")
            .and()
            .withUser("audit").password("audit")
                .roles("APIM.READ");
        // @formatter:on
    }
}

共有1个答案

傅元章
2023-03-14

我遇到了同样的问题,并且我还注意到代码运行了CheckUserScopes方法两次。我发现缺少的是用户和客户端都需要拥有您想要返回的权限。

因此,以如下方式定义您的客户(根据您自己的角色调整角色):

    @Bean
    public ClientDetailsService clientDetailsService() {
        Map<String, ClientDetails> clientDetailsStore = new HashMap<>();

        Collection<String> scope = new HashSet<>();
        scope.add("user");
        scope.add("admin");

        Collection<GrantedAuthority> authorities = new HashSet<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

        Collection<String> authorizedGrantTypes = new HashSet<>();
        authorizedGrantTypes.add("authorization_code");

        BaseClientDetails clientDetails = new BaseClientDetails();
        clientDetails.setClientId("clientid");
        clientDetails.setClientSecret("{noop}secret"); //noop for Spring Security 5
        clientDetails.setScope(scope);
        clientDetails.setAuthorities(authorities);
        clientDetails.setAuthorizedGrantTypes(authorizedGrantTypes);

        clientDetailsStore.put("clientid", clientDetails);

        InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
        clientDetailsService.setClientDetailsStore(clientDetailsStore);

        return clientDetailsService;
    }

现在客户端拥有了所需的权限user和ADMIN。

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {

        DefaultOAuth2RequestFactory defaultOAuth2RequestFactory = new DefaultOAuth2RequestFactory(clientDetailsService());
        defaultOAuth2RequestFactory.setCheckUserScopes(true);
        endpoints.requestFactory(defaultOAuth2RequestFactory);
    }
 类似资料:
  • 我是oAuth2安全系统的新手。关于访问REST资源的基于用户角色的授权,我有一个问题。我的互联网冲浪提供了关于oauth2的身份验证部分的输入。 让我提供给你困扰我的情况。

  • 在代码中使用XSLT 2.0的字符映射功能时,我遇到了以下错误。 名称空间中的元素“样式表”http://www.w3.org/1999/XSL/Transform'命名空间中的子元素'character map'无效'http://www.w3.org/1999/XSL/Transform“是的 这是我的XSLT声明 请提供有关如何在XSLT中使用字符映射的帮助。

  • 让我们考虑一个相当简单的假设应用程序,用户可以在其中读取或编写帖子。 一些用户可以阅读和写文章,而另一些用户只能阅读。在Spring Security(3.2.1)中,我通过两个角色对其进行建模: role_write:此角色授予用户编写文章的访问权限。 role_read:此角色授予用户读取文章的权限。 在授权步骤中,应用程序询问用户是否愿意授予代表他们阅读和/或撰写帖子的权限。这里的用户在这里

  • 有些企业会对向用户发送的营销内容进行严格的管理——基层的运营或营销经理拟定的活动必须经过上级管理者的审批,方可生效执行。为此,诸葛的智能触达中提供了基于用户角色的触达活动权限管理,以支撑上述的企业需求。 如果您的团队需要使用权限控制,可通过以下步骤开启使用: 开启权限控制:智能触达的权限控制默认是关闭的,需要开启后方能使用; 分配用户角色:为团队成员分别分配设定「管理员」和「运营人员」角色; 开始

  • 我试图使用KeyCloak的管理API,以便向用户角色映射添加客户端级别的角色。为此,我使用管理endpoint: 不确定这里的问题是什么,因为该角色存在于系统中。这里会出什么问题?