堆栈内存溢出
  简体   繁体   English

如何使用 spring 安全自定义授权评估 spring 云网关中的 HTTP POST 负载

[英]How can I evaluate the HTTP POST payload in spring cloud gateway using spring security custom authorization

 原文  2022-11-28 13:24:35       java/ spring-security/ spring-webflux/ spring-cloud-gateway

问题描述

I am trying to secure some of my spring cloud gateway routes:我正在尝试保护我的一些 spring 云网关路由:

  1. Users must be authenticated using OAUTH2 to be able to use those routes (if not -> respond with http 401)用户必须使用 OAUTH2 进行身份验证才能使用这些路由(如果没有 -> 响应 http 401)
  2. The JWT access token must include a specific value in the "scp" claim ("2fa" in my case) (if not, respond with http 403) JWT 访问令牌必须在“scp”声明中包含一个特定的值(在我的例子中是“2fa”)(如果不是,请回复 http 403)
  3. The JSON payload contains one property "user" that must have the same value as the "sub" claim in the JWT access token. JSON 有效载荷包含一个属性“user”,该属性必须与 JWT 访问令牌中的“sub”声明具有相同的值。 (if not, respond with http 403) (如果没有,请回复 http 403)

Reading the documentation I found out how I can set up 1. and 2. Unfortunately, there seems to be very little information on how to achieve 3.阅读文档我发现了如何设置 1. 和 2. 不幸的是,关于如何实现 3. 的信息似乎很少。

Where I could I find a working example?我在哪里可以找到一个有效的例子?

Here's my spring security setup from application.yaml file:这是来自 application.yaml 文件的我的 spring 安全设置:

...
spring:
  profiles: production

  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ${AUTH_URL}/oidc
          jwk-set-uri: ${AUTH_URL}/oidc/jwks.json
...

Configuation of my SecurityWebFilterChain:我的 SecurityWebFilterChain 的配置:

...
 @Bean
  @Order(Ordered.HIGHEST_PRECEDENCE - 3)
  public SecurityWebFilterChain secondFactorScopeApiHttpSecurity(ServerHttpSecurity http) {
    final ServerWebExchangeMatcher baseScopeEndpointsMatcher = new OrServerWebExchangeMatcher(
        new PathPatternParserServerWebExchangeMatcher("/api/fhir"),
        new PathPatternParserServerWebExchangeMatcher("/api/fhir/List**"),
        new PathPatternParserServerWebExchangeMatcher("/api/fhir/Observation**")
    );

    http.securityMatcher(baseScopeEndpointsMatcher)
        .authorizeExchange(exchanges -> exchanges.anyExchange().hasAuthority("SCOPE_2fa"))
        .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::jwt);
    return http.build();
  }
...

I want the user to see a HTTP 403 in case the payloads "user" property does not match the sub claim from the JWT.我希望用户看到 HTTP 403,以防负载“用户”属性与 JWT 中的子声明不匹配。

1 个解决方案

解决方案1
 1  2022-11-28 17:54:08

What you want to achieve is an easy task on resource-servers and, in my opinion, resources access-control is the responsability of resource-server, not gateway, specially if access decision involves the resource itself.你想要实现的是资源服务器上的一项简单任务,在我看来,资源访问控制是资源服务器的责任,而不是网关,特别是如果访问决策涉及资源本身。

I would just let the gateway be transparent to OAuth2: leave requests authorization header as well as responses status code unchanged.我只想让网关对 OAuth2 透明:保留请求授权 header 以及响应状态代码不变。

I have samples in that series of tutorials which incrementally builds to advanced role based access control.我在该系列教程中有一些示例,这些示例逐步构建为基于角色的高级访问控制。 It should take you less than an hour to follow the first 3:完成前 3 个步骤需要不到一个小时的时间:

  • 1st demoes resource-server security conf with spring-boot-starter-oauth2-resource-server (what you've implemented on the gateway so far)第一次使用spring-boot-starter-oauth2-resource-server演示资源服务器安全配置(到目前为止你在网关上实现的)
  • 2nd shows how to replace JwtAuthenticationToken with an implementation of your choice exposing strongly typed private-claims.第 2 部分展示了如何将JwtAuthenticationToken替换为您选择的公开强类型私有声明的实现。 It also greatly reduce Java conf with one of the thin wrappers I created around spring-boot one.它还大大减少了 Java conf 与我在 spring-boot 周围创建的薄包装之一。
  • 3rd demoes security SpEL customization to write stuff like第三次演示安全 SpEL 定制以编写类似
@GetMapping("/on-behalf-of/{username}")
@PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
public String getGreetingFor(@PathVariable("username") String username) {
   ... 
}

Of course, in your case, you would use a signature like myControllerMethod(@RequestBody MyDto dto, Authentication auth) and an expression like #dto.sub eq #auth.name , but you get the idea.当然,在你的情况下,你会使用像myControllerMethod(@RequestBody MyDto dto, Authentication auth)这样的签名和像#dto.sub eq #auth.name这样的表达式,但你明白了。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我可以使用 Spring Cloud Gateway 进行基于角色的授权吗? - Can I use Spring Cloud Gateway for role based authorization? 使用Spring Security,我如何使用HTTP方法(例如GET,PUT,POST)来确定特定URL模式的安全性? - Using Spring Security, how can I use HTTP methods (e.g. GET, PUT, POST) to distingush security for particular URL patterns? 使用Spring Security授权 - Authorization using Spring Security Spring云网关+Spring安全资源服务器 - Spring Cloud Gateway + Spring security resource server 定制用户组的Spring Security授权 - Spring Security authorization for custom usergroups Keycloak + Spring Cloud Gateway + 认证授权 - Keycloak + spring cloud gateway + authentication and authorization 使用Spring Security无需身份验证和授权 - No Authentication and authorization using Spring Security 我应该如何在http post请求(spring boot)的请求负载中传递json数据 - How should I pass json data in the request payload of http post request (spring boot) Spring Security 基于角色的 HTTP 请求授权 - Spring security Role based HTTP request Authorization Spring 云网关 - 如何修改后过滤器中的响应正文 - Spring Cloud Gateway - How To Modify Response Body In Post Filter
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM