Spring Security OAuth2 token权限隔离的示例分析
发表于:2025-01-18 作者:千家信息网编辑
千家信息网最后更新 2025年01月18日,这篇文章将为大家详细讲解有关Spring Security OAuth2 token权限隔离的示例分析,小编觉得挺实用的,因此分享给大家做个参考,希望大家阅读完这篇文章后可以有所收获。一、哪里重写?资
千家信息网最后更新 2025年01月18日Spring Security OAuth2 token权限隔离的示例分析
这篇文章将为大家详细讲解有关Spring Security OAuth2 token权限隔离的示例分析,小编觉得挺实用的,因此分享给大家做个参考,希望大家阅读完这篇文章后可以有所收获。
一、哪里重写?
资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities
@RestController@Slf4jpublic class UserController { @Autowired HttpServletRequest request; @GetMapping("/user") public Principal user(Principal principal) { log.info("获取user信息:{}", JSON.toJSON(principal)); return principal; }
返回的具体用户信息:
{ "principal": { "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", "phone": "13918438965", "credentialsNonExpired": true, "accountNonExpired": true, "enabled": true, "accountNonLocked": true, "username": "4738195728608789333" }, "authenticated": true, "oAuth3Request": { "redirectUri": "http://www.baidu.com", "responseTypes": ["code"], "approved": true, "extensions": {}, "clientId": "external", "scope": ["auth_base"], "requestParameters": { "code": "ovzMSk", "grant_type": "authorization_code", "scope": "auth_base", "response_type": "code", "redirect_uri": "http://www.baidu.com", "state": "123", "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454", "client_id": "external" }, "refresh": false, "grantType": "authorization_code", "authorities": [{ "authority": "auth_base" }], "resourceIds": [] }, "clientOnly": false, "credentials": "", "name": "4738195728608789333", "userAuthentication": { "principal": { "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", "phone": "13918438965", "credentialsNonExpired": true, "accountNonExpired": true, "enabled": true, "accountNonLocked": true, "username": "4738195728608789333" }, "authenticated": true, "oAuth3Request": { "responseTypes": [], "approved": true, "extensions": {}, "clientId": "gt", "scope": ["frontend"], "requestParameters": { "auth_type": "sms", "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d", "grant_type": "password", "client_id": "gt", "username": "13918438965" }, "refresh": false, "grantType": "password", "authorities": [{ "authority": "client" }], "resourceIds": [] }, "clientOnly": false, "credentials": "", "name": "4738195728608789333", "userAuthentication": { "principal": { "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", "phone": "13918438965", "credentialsNonExpired": true, "accountNonExpired": true, "enabled": true, "accountNonLocked": true, "username": "4738195728608789333" }, "authenticated": true, "name": "4738195728608789333", "details": { "auth_type": "sms", "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d", "grant_type": "password", "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941", "client_id": "gt", "username": "13918438965" }, "authorities": [] }, "details": { "tokenType": "Bearer", "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9", "remoteAddress": "0:0:0:0:0:0:0:1" }, "authorities": [] }, "details": { "tokenType": "Bearer", "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e", "remoteAddress": "0:0:0:0:0:0:0:1" }, "authorities": []}
二、如何重写?
principal是OAuth3Authentication实例,OAuth3Authentication主要包括OAuth3Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth3Authentication了。
为了改变authoritie重写:
@GetMapping("/user") public Principal user(Principal principal) { log.info("获取user信息:{}", JSON.toJSON(principal)); OAuth3Authentication oAuth3Authentication = (OAuth3Authentication) principal; OAuth3Request storedRequest = oAuth3Authentication.getOAuth3Request(); Authentication userAuthentication = oAuth3Authentication.getUserAuthentication(); // 为了服务端进行token权限隔离 定制OAuth3Authentication CustomOAuth3Authentication customOAuth3Authentication = new CustomOAuth3Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities()); customOAuth3Authentication.setDetails(oAuth3Authentication.getDetails()); log.info("返回用户信息:{}", JSON.toJSON(customOAuth3Authentication)); return customOAuth3Authentication; }
CustomOAuth3Authentication :
package com.brightcns.wuxi.citizencard.auth.domain;import org.springframework.security.authentication.AbstractAuthenticationToken;import org.springframework.security.core.Authentication;import org.springframework.security.core.CredentialsContainer;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.oauth3.provider.OAuth3Request;import java.util.Collection;/** * @author maxianming * @date 2018/10/29 13:53 */public class CustomOAuth3Authentication extends AbstractAuthenticationToken { private static final long serialVersionUID = -4809832298438307309L; private final OAuth3Request storedRequest; private final Authentication userAuthentication; /** * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user * authentication may be null. * @param storedRequest The authorization request (must not be null). * @param userAuthentication The user authentication (possibly null). */ public CustomOAuth3Authentication(OAuth3Request storedRequest, Authentication userAuthentication, Collection extends GrantedAuthority> authorities) { /** * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth3Authentication使得支持改变authorities */ super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities()); this.storedRequest = storedRequest; this.userAuthentication = userAuthentication; } public Object getCredentials() { return ""; } public Object getPrincipal() { return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication .getPrincipal(); } /** * Convenience method to check if there is a user associated with this token, or just a client application. * * @return true if this token represents a client app not acting on behalf of a user */ public boolean isClientOnly() { return userAuthentication == null; } /** * The authorization request containing details of the client application. * * @return The client authentication. */ public OAuth3Request getOAuth3Request() { return storedRequest; } /** * The user authentication. * * @return The user authentication. */ public Authentication getUserAuthentication() { return userAuthentication; } @Override public boolean isAuthenticated() { return this.storedRequest.isApproved() && (this.userAuthentication == null || this.userAuthentication.isAuthenticated()); } @Override public void eraseCredentials() { super.eraseCredentials(); if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) { CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials(); } } @Override public boolean equals(Object o) { if (this == o) { return true; } if (!(o instanceof CustomOAuth3Authentication)) { return false; } if (!super.equals(o)) { return false; } CustomOAuth3Authentication that = (CustomOAuth3Authentication) o; if (!storedRequest.equals(that.storedRequest)) { return false; } if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication) : that.userAuthentication != null) { return false; } if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) { // return false; } return true; } @Override public int hashCode() { int result = super.hashCode(); result = 31 * result + storedRequest.hashCode(); result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0); return result; }}
主要在OAuth3Authentication基础上修改了30-35行代码
关于"Spring Security OAuth2 token权限隔离的示例分析"这篇文章就分享到这里了,希望以上内容可以对大家有一定的帮助,使各位可以学到更多知识,如果觉得文章不错,请把它分享出去让更多的人看到。
信息
服务
权限
隔离
篇文章
示例
分析
更多
服务器
用户
资源
不错
实用
代码
内容
办法
基础
实例
文章
时候
数据库的安全要保护哪些东西
数据库安全各自的含义是什么
生产安全数据库录入
数据库的安全性及管理
数据库安全策略包含哪些
海淀数据库安全审计系统
建立农村房屋安全信息数据库
易用的数据库客户端支持安全管理
连接数据库失败ssl安全错误
数据库的锁怎样保障安全
简述浏览器服务器结构
服务器处理器有辐射吗
防诈骗网络安全知识竞赛答案
虚拟机服务器搭建感想
网络技术公司提成一般几个点
数据库查询最小两个
娄底哪里有软件开发
闵行区常规网络技术参考价格
国外服务器管理网页
软件开发 架构考证
大学生网络安全教育演讲
数据库clob类型清空
数据库表现
服务器如何设置u盘开机启动
php服务器怎么配制
网络技术员考试时间
电脑有几个数据库
数据库最大数据查询
河南邦爵网络技术服务有限公司
虚拟币量化交易软件开发
2021pubg怎么改服务器地区
网络安全设备配置与应用
闵行区常见网络技术售后服务
服务器为什么关机就会丢失数据
光头读书软件开发
软件开发螺旋递增
服务器系统用固态硬盘
虚拟机的数据库连接字符串在哪
网络安全境况
大学生 网络安全