![](/img/trans.png)
[英]OpenID (OAuth2) Authorization failing using Spring Boot and Spring Security
[英]Role hierarchy and OAuth2 Security using Spring Boot
我知道關於角色層次結構的線程很多,但是找不到與OAuth2結合的任何示例。
因此,大多數線程指出我需要實現RoleHierarchy
bean:
Beans.java
@EnableJpaRepositories(basePackages = "com.template.service.repository")
@EnableAspectJAutoProxy
@ComponentScan
@Configuration
public class Beans {
@Bean
public ItemService itemsService(ItemsRepository itemsRepository) {
return new ItemService(itemsRepository);
}
@Bean
public RoleHierarchy roleHierarchy(){
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_SUPREME > ROLE_DEVELOPER ROLE_DEVELOPER > ROLE_ADMIN ROLE_ADMIN > ROLE_USER");
return roleHierarchy;
}
@Bean
public DtoMapper dtoMapper() {
return new DtoMapper();
}
}
接下來,我需要@Autowire
這個bean到我的WebSecurityConfigurerAdapter
。 但是因為我使用的是OAuth2安全性,所以我在ResourceServerConfigurerAdapter
內部配置了HttpSecurity
。
OAuth2.java
public class OAuth2 {
@EnableAuthorizationServer
@Configuration
@ComponentScan
public static class AuthorizationServer extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManagerBean;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("trusted_client")
.authorizedGrantTypes("password", "refresh_token")
.scopes("read", "write");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManagerBean).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
}
@EnableResourceServer
@Configuration
@ComponentScan
public static class ResourceServer extends ResourceServerConfigurerAdapter {
@Autowired
private RoleHierarchy roleHierarchy;
private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
OAuth2WebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new OAuth2WebSecurityExpressionHandler();
defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy);
return defaultWebSecurityExpressionHandler;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().expressionHandler(webExpressionHandler())
.antMatchers("/api/**").hasRole("DEVELOPER");
}
}
}
Security.java
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@Configuration
@ComponentScan
public class Security extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public JpaAccountDetailsService userDetailsService(AccountsRepository accountsRepository) {
return new JpaAccountDetailsService(accountsRepository);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
但是,層次結構不起作用。 具有SUPREME用戶憑證的請求以以下結尾:
{
"error": "access_denied",
"error_description": "Access is denied"
}
當我將hasRole("DEVELOPER")
切換為hasRole("SUPREME")
-一切正常。
我正在使用Spring Boot 1.5.2和Spring Security OAuth 2.1.0.RELEASE
UPDATE
當我注釋所有OAuth2.java
類並將webExpressionHandler()
方法簽名移至Security.java
類時,角色層次結構可以正常工作。 那么OAuth2資源服務器怎么回事?
您如何看待ResourceServer中的這種方法?
@Bean
public RoleHierarchyImpl roleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_SUPREME > ROLE_DEVELOPER ROLE_DEVELOPER > ROLE_ADMIN ROLE_ADMIN > ROLE_USER") return roleHierarchy;
}
@Bean
public RoleHierarchyVoter roleVoter() {
return new RoleHierarchyVoter(roleHierarchy());
}
@Bean
public AffirmativeBased defaultOauthDecisionManager(RoleHierarchy roleHierarchy){ //
List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
// webExpressionVoter
OAuth2WebSecurityExpressionHandler expressionHandler = new OAuth2WebSecurityExpressionHandler();
expressionHandler.setRoleHierarchy(roleHierarchy);
WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
webExpressionVoter.setExpressionHandler(expressionHandler);
decisionVoters.add(webExpressionVoter);
decisionVoters.add(roleVoter());
return new AffirmativeBased(decisionVoters);
}
和
http
.authorizeRequests()
.accessDecisionManager(defaultOauthDecisionManager(roleHierarchy()))
//etc...
它可以更好地進行結構化和封裝,但是您知道我的意思,不是嗎?...我認為它可以正常工作。 我希望這能幫到您...
這就是成功的方式。我已經測試過。
ROLE_SUPREME> ROLE_DEVELOPER> ROLE_ADMIN
代碼博客如下
@Bean
public static RoleHierarchyImpl roleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_SUPREME > ROLE_DEVELOPER > ROLE_ADMIN ");
return roleHierarchy;
}
希望對您有所幫助。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.