How can I evaluate the HTTP POST payload in spring cloud gateway using spring security custom authorization
I am trying to secure some of my spring cloud gateway routes:
Reading the documentation I found out how I can set up 1. and 2. Unfortunately, there seems to be very little information on how to achieve 3.
Where could I find a working example?
Here's my spring security setup from the application.yaml file:
...
spring:
  profiles: production
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ${AUTH_URL}/oidc
          jwk-set-uri: ${AUTH_URL}/oidc/jwks.json
...
Configuration of my SecurityWebFilterChain:
...
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE - 3)
public SecurityWebFilterChain secondFactorScopeApiHttpSecurity(ServerHttpSecurity http) {
    // Routes that require the second-factor scope
    final ServerWebExchangeMatcher baseScopeEndpointsMatcher = new OrServerWebExchangeMatcher(
            new PathPatternParserServerWebExchangeMatcher("/api/fhir"),
            new PathPatternParserServerWebExchangeMatcher("/api/fhir/List**"),
            new PathPatternParserServerWebExchangeMatcher("/api/fhir/Observation**")
    );
    http.securityMatcher(baseScopeEndpointsMatcher)
            .authorizeExchange(exchanges -> exchanges.anyExchange().hasAuthority("SCOPE_2fa"))
            .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::jwt);
    return http.build();
}
...
I want the user to see an HTTP 403 in case the payload's "user" property does not match the sub claim from the JWT.
What you want to achieve is an easy task on resource servers and, in my opinion, resource access control is the responsibility of the resource server, not the gateway, especially if the access decision involves the resource itself.
I would just let the gateway be transparent to OAuth2: leave the request's Authorization header as well as the response status code unchanged.
I have samples in that series of tutorials, which incrementally builds up to advanced role-based access control. It should take you less than an hour to follow the first 3:
1. spring-boot-starter-oauth2-resource-server, demonstrating resource-server security configuration (what you've implemented on the gateway so far).
2. JwtAuthenticationToken replaced with an implementation of your choice exposing strongly typed private claims. It also greatly reduces Java conf with one of the thin wrappers I created around the spring-boot one.
@GetMapping("/on-behalf-of/{username}")
@PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
public String getGreetingFor(@PathVariable("username") String username) {
    ...
}
Of course, in your case, you would use a signature like myControllerMethod(@RequestBody MyDto dto, Authentication auth) and an expression like #dto.sub eq #auth.name, but you get the idea.
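The resource-server-side check the answer describes, as an added example that is not part of the original post or of the answerer's tutorials: a Spring Boot 3 / Spring Security 6 servlet resource server that validates the bearer JWT and, via @PreAuthorize, returns HTTP 403 when the POST body's "user" field differs from the token's sub claim. The class, path, DTO and field names are hypothetical; it assumes the default JwtAuthenticationConverter (so authentication.name is the sub claim and the scope claim is mapped to SCOPE_ authorities) and that spring.security.oauth2.resourceserver.jwt.issuer-uri is set in application.yaml as in the question.

```java
// Added example (not from the original post): resource server enforcing
// body.user == JWT sub with HTTP 403, instead of doing it on the gateway.
package example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.parameters.P;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableMethodSecurity // enables @PreAuthorize evaluation on controller methods
public class ResourceServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(ResourceServerApplication.class, args);
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: no session, no CSRF token needed.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Same coarse rule as on the gateway: these routes need the 2fa scope.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/fhir/**").hasAuthority("SCOPE_2fa")
                .anyRequest().authenticated())
            // Validates signature/issuer/expiry using the issuer-uri / jwk-set-uri properties.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Hypothetical request body; "user" is the field compared against the JWT sub claim.
    public record ObservationDto(String user, String value) {}

    @RestController
    @RequestMapping("/api/fhir")
    public static class ObservationController {

        // authentication.name is the sub claim with the default JwtAuthenticationConverter.
        // @P("dto") makes the parameter name available to SpEL even without -parameters.
        // A mismatch raises AccessDeniedException, which Spring Security turns into 403;
        // a missing or invalid token never reaches this method and yields 401.
        @PostMapping("/Observation")
        @PreAuthorize("#dto.user() == authentication.name")
        public String create(@P("dto") @RequestBody ObservationDto dto) {
            return "stored observation for " + dto.user();
        }
    }
}
```

With this in place the gateway only needs to forward the Authorization header unchanged, as the answer recommends; the fine-grained decision lives next to the resource and does not require the gateway to buffer and parse request bodies.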