问题:
将用户角色映射到oauth2作用域/权限
谷梁建中
忽略上面提到的权限数据库,我是否在下面的代码中将角色“用户”、“阅读器”、“编写器”映射到基于user和resourceId的oauth2范围/权限?
用户身份验证/授权配置
@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
....
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// auth.parentAuthenticationManager(authenticationManager);
// @formatter:off
auth.inMemoryAuthentication()
.withUser("admin").password("admin")
.roles("ADMIN", "USER", "READER", "WRITER")
.and()
.withUser("user").password("password")
.roles("USER")
.and()
.withUser("audit").password("audit")
.roles("USER", "ADMIN", "READER");
// @formatter:on
}
}
OAuth2配置
@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients.inMemory()
.withClient("acme").secret("acmesecret")
.authorizedGrantTypes("authorization_code", "refresh_token", "password")
.scopes("openid")
.and()
.withClient("trusted").secret("shuush")
.authorizedGrantTypes("client_credentials")
.scopes("openid");
// @formatter:on
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.checkTokenAccess("isAuthenticated()");
}
}
在配置中引入自定义的OAuth2RequestFactory以将checkUserScopes设置为true。虽然此设置对“client_credentails”有效,但对“code”授予失败。对于“代码”授予,DefaultOAuth2RequestFactory尝试在授权步骤期间为客户端(acme)而不是用户映射权限。另一种想法是实现ClientDetailsService,该服务基于登录用户(admin/user)添加客户端(acme)的权限,但不确定如何从SecurityContext中抓取登录用户,因为在授权步骤中,它被客户端(acme)覆盖。有什么想法吗?
public class ScopeMappingOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
public ScopeMappingOAuth2RequestFactory(ClientDetailsService clientDetailsService) {
super(clientDetailsService);
super.setCheckUserScopes(true);
}
/**
* @param securityContextAccessor the security context accessor to set
*/
@Override
public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
this.securityContextAccessor = securityContextAccessor;
super.setSecurityContextAccessor(securityContextAccessor);
}
@Override
public AuthorizationRequest createAuthorizationRequest(Map<String, String> authorizationParameters) {
AuthorizationRequest request = super.createAuthorizationRequest(authorizationParameters);
if (securityContextAccessor.isUser()) {
request.setAuthorities(securityContextAccessor.getAuthorities());
}
return request;
}
}
并将相关代码更新为
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
private InMemoryClientDetailsService clientDetailsService;
private Map<String, ClientDetails> clientDetailsStore;
public InMemoryClientDetailsService clientDetailsService() {
if (clientDetailsService == null) {
clientDetailsStore = new HashMap<String, ClientDetails>();
InMemoryClientDetailsService m = new InMemoryClientDetailsService() {
@Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
ClientDetails details = clientDetailsStore.get(clientId);
if (details == null) {
throw new NoSuchClientException("No client with requested id: " + clientId);
}
return details;
}
};
clientDetailsService = m;
}
return clientDetailsService;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
InMemoryClientDetailsServiceBuilder builder = new InMemoryClientDetailsServiceBuilder() {
@Override
protected void addClient(String clientId, ClientDetails value) {
clientDetailsStore.put(clientId, value);
}
@Override
protected ClientDetailsService performBuild() {
return clientDetailsService();
}
};
clients.setBuilder(builder);
// @formatter:off
builder
.withClient("acme").secret("acmesecret")
.authorizedGrantTypes("authorization_code", "refresh_token", "password")
.scopes("openid", "apim.read", "apim.write")
.and()
.withClient("trusted").secret("shuush")
.authorizedGrantTypes("client_credentials")
.scopes("openid", "apim.read", "apim.write")
.authorities("openid", "apim.read", "apim.write");
// @formatter:on
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager);
endpoints.requestFactory(new ScopeMappingOAuth2RequestFactory(clientDetailsService()));
}
...}
Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
....
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// auth.parentAuthenticationManager(authenticationManager);
// @formatter:off
auth.inMemoryAuthentication()
.withUser("admin").password("admin")
.roles("APIM.READ", "APIM.WRITE")
.and()
.withUser("user").password("password")
.roles("APIM.READ")
.and()
.withUser("audit").password("audit")
.roles("APIM.READ");
// @formatter:on
}
}
共有1个答案
傅元章
我遇到了同样的问题,并且我还注意到代码运行了CheckUserScopes方法两次。我发现缺少的是用户和客户端都需要拥有您想要返回的权限。
因此,以如下方式定义您的客户(根据您自己的角色调整角色):
@Bean
public ClientDetailsService clientDetailsService() {
Map<String, ClientDetails> clientDetailsStore = new HashMap<>();
Collection<String> scope = new HashSet<>();
scope.add("user");
scope.add("admin");
Collection<GrantedAuthority> authorities = new HashSet<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
Collection<String> authorizedGrantTypes = new HashSet<>();
authorizedGrantTypes.add("authorization_code");
BaseClientDetails clientDetails = new BaseClientDetails();
clientDetails.setClientId("clientid");
clientDetails.setClientSecret("{noop}secret"); //noop for Spring Security 5
clientDetails.setScope(scope);
clientDetails.setAuthorities(authorities);
clientDetails.setAuthorizedGrantTypes(authorizedGrantTypes);
clientDetailsStore.put("clientid", clientDetails);
InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
clientDetailsService.setClientDetailsStore(clientDetailsStore);
return clientDetailsService;
}
现在客户端拥有了所需的权限user和ADMIN。
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
DefaultOAuth2RequestFactory defaultOAuth2RequestFactory = new DefaultOAuth2RequestFactory(clientDetailsService());
defaultOAuth2RequestFactory.setCheckUserScopes(true);
endpoints.requestFactory(defaultOAuth2RequestFactory);
}
类似资料:
-
我是oAuth2安全系统的新手。关于访问REST资源的基于用户角色的授权,我有一个问题。我的互联网冲浪提供了关于oauth2的身份验证部分的输入。 让我提供给你困扰我的情况。
-
在代码中使用XSLT 2.0的字符映射功能时,我遇到了以下错误。 名称空间中的元素“样式表”http://www.w3.org/1999/XSL/Transform'命名空间中的子元素'character map'无效'http://www.w3.org/1999/XSL/Transform“是的 这是我的XSLT声明 请提供有关如何在XSLT中使用字符映射的帮助。
-
null null
-
让我们考虑一个相当简单的假设应用程序,用户可以在其中读取或编写帖子。 一些用户可以阅读和写文章,而另一些用户只能阅读。在Spring Security(3.2.1)中,我通过两个角色对其进行建模: role_write:此角色授予用户编写文章的访问权限。 role_read:此角色授予用户读取文章的权限。 在授权步骤中,应用程序询问用户是否愿意授予代表他们阅读和/或撰写帖子的权限。这里的用户在这里
-
有些企业会对向用户发送的营销内容进行严格的管理——基层的运营或营销经理拟定的活动必须经过上级管理者的审批,方可生效执行。为此,诸葛的智能触达中提供了基于用户角色的触达活动权限管理,以支撑上述的企业需求。 如果您的团队需要使用权限控制,可通过以下步骤开启使用: 开启权限控制:智能触达的权限控制默认是关闭的,需要开启后方能使用; 分配用户角色:为团队成员分别分配设定「管理员」和「运营人员」角色; 开始
-
我试图使用KeyCloak的管理API,以便向用户角色映射添加客户端级别的角色。为此,我使用管理endpoint: 不确定这里的问题是什么,因为该角色存在于系统中。这里会出什么问题?