Spring引导基本身份验证和OAuth2在同一个项目中?
[英]Spring boot Basic Authentication and OAuth2 in same project?
问题描述
Is it possible to use OAuth2 for certain endpoints in my rest application and use basic authentication too for some other endpoints. 
是否可以在我的其余应用程序中对某些端点使用OAuth2,并对其他某些端点使用基本身份验证。 It should all work on spring security version 2.0.1.RELEASE. 它应该都适用于Spring安全性版本2.0.1.RELEASE。 I hope someone can help me further. 我希望有人可以帮助我。
1 个解决方案
解决方案1
1 已采纳 2018-04-27 12:07:03
Yes, it's possible to use a basic authentication as well as an OAuth2 authentication intertwined, but I doubt you'll be able to set it up easily as HttpSecurity's authenticated() method doesn't allow you to pick which of your authentication method (oauth2Login/formLogin) will work. 是的,可以使用基本身份验证以及交织在一起的OAuth2身份验证,但我怀疑您是否能够轻松设置它,因为HttpSecurity的authenticated()方法不允许您选择哪种身份验证方法(oauth2Login) / formLogin)会起作用。
However, there's a way to easily bypass that: 但是,有一种方法可以轻松绕过:
You could add a custom authority, let's call it ROLE_BASICAUTH , when an user connects using basic auth, and ROLE_OAUTH2 when an user connects using OAuth2. 你可以添加自定义权限,姑且称之为ROLE_BASICAUTH ,当用户连接使用基本身份验证,并ROLE_OAUTH2当用户连接使用的OAuth2。 That way, you can use 那样,你可以使用
.antMatchers("/endpoint-that-requires-basic-auth").hasRole("BASICAUTH")
.antMatchers("/endpoint-that-requires-oauth2").hasRole("OAUTH2")
.anyRequest().authenticated()
When they reach an endpoint that you want basic authentication (and not OAuth2), you check their current authorities, and if it's not BASICAUTH , then you invalidate their session you display a login form without OAuth2 (to force them to use the basic authentication). 当他们到达您想要基本身份验证(而不是OAuth2)的端点时,您检查他们当前的权限,如果它不是BASICAUTH ,那么您使其会话无效,您显示没有OAuth2的登录表单(强制他们使用基本身份验证) 。
The downside to doing that is that you'd need to implement both a custom UserDetailsService as well as a custom OAuth2UserService ... 这样做的缺点是您需要实现自定义UserDetailsService以及自定义OAuth2UserService ...
But that's actually not that hard: 但实际上并不那么难:
@Service
public class UserService extends DefaultOAuth2UserService implements UserDetailsService {
// ...
@Override
public OAuth2User loadUser(OAuth2UserRequest oAuth2UserRequest) throws OAuth2AuthenticationException {
OAuth2User user = super.loadUser(oAuth2UserRequest);
Map<String, Object> attributes = user.getAttributes();
Set<GrantedAuthority> authoritySet = new HashSet<>(user.getAuthorities());
String userNameAttributeName = oAuth2UserRequest.getClientRegistration().getProviderDetails()
.getUserInfoEndpoint().getUserNameAttributeName();
authoritySet.add(new SimpleGrantedAuthority("ROLE_OAUTH2"));
return new DefaultOAuth2User(authoritySet, attributes, userNameAttributeName);
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDetails user = getUserFromDatabase(username); // you'll need to provide that method (where are the username/password stored?)
if (user == null) { // UserDetailsService doesn't allow loadUserByUsername to return null, so throw exception
throw new UsernameNotFoundException("Couldn't find user with username '"+username+"'");
}
// add ROLE_BASICAUTH (you might need a custom UserDetails implementation here, because by defaut, UserDetails.getAuthorities() is immutable (I think, I might be a liar)
return user;
}
}
Note that this is a rough implementation, so you'll have to work it out a bit on your end as well. 请注意,这是一个粗略的实现,所以你必须在你的最后解决一些问题。
You can also use this repository I made https://github.com/TwinProduction/spring-security-oauth2-client-example/tree/master/custom-userservice-sample as a guideline for the custom OAuth2UserService 你也可以使用我的https://github.com/TwinProduction/spring-security-oauth2-client-example/tree/master/custom-userservice-sample这个存储库作为自定义OAuth2UserService的指南
Good luck. 祝好运。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.