在 Spring 雲安全中具有權限的用戶的訪問被拒絕

Question

我正在使用 spring 雲 oauth-2 和 spring 雲安全構建用戶身份驗證系統。 我希望有許多可以分配給用戶組的權限。 權限存儲為枚舉常量，如下所示：

public enum Authority {
    READ_USER(1, "View users and their details", "READ_USER"),
    WRITE_USER(2, "Create, Edit and Delete users and their details", "WRITE_USER"),
    // More authorities will be added
    ;

    Authority(int id, String description, String name) {
        this.id = id;
        this.description = description;
        this.name = name;
    }

    private final int id;
    private final String description;
    private final String name;

    public int getId() {
        return id;
    }

    public String getDescription() {
        return description;
    }

    public String getName() {
        return name;
    }
}

我已將身份驗證服務器設置為向內存中的客戶端發出 JWT 令牌。 一切正常（我認為）。

下面是我的 UserDetails 實現

public class AuthPrincipal implements UserDetails {
    private String email;
    private String password;
    private Collection<? extends GrantedAuthority> authoritySet;

    public AuthPrincipal(User user) {
        this.email = user.getEmail();
        this.password = user.getPassword();
        this.authoritySet = user.getGroup().getAuthorities().stream().map(authority -> new SimpleGrantedAuthority(authority.getName())).collect(Collectors.toList());
    }

// Necessary getters

}

就像我說的，身份驗證服務器正在發布令牌。 我面臨的問題是授權。 下面是我的資源服務器 http 配置：

@Configuration
@EnableWebSecurity()
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {


    @Override
    public void configure(HttpSecurity http) throws Exception{
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()


                // Users paths
                .antMatchers(HttpMethod.GET, "/users/**").hasAuthority(Authority.READ_USER.getName())
                .antMatchers(HttpMethod.POST, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
                .antMatchers(HttpMethod.PUT, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
                .antMatchers(HttpMethod.DELETE, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
                .anyRequest().authenticated();
    }


}

成功驗證后，對於具有所需權限的用戶，我收到 403 access denied 錯誤，如下面的安全調試日志所示：

2021-11-29 14:34:42.567 DEBUG 9832 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /users
2021-11-29 14:34:42.567 DEBUG 9832 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-11-29 14:34:42.591 DEBUG 9832 --- [nio-8080-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication success: OAuth2Authentication [Principal=superuser@email.com, Credentials=[PROTECTED], Authenticated=true, Details=remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>, Granted Authorities=[{authority=READ_USER}, {authority=WRITE_USER}]]
2021-11-29 14:34:42.595 DEBUG 9832 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /users] with attributes [#oauth2.throwOnError(hasAuthority('READ_USER'))]
2021-11-29 14:34:42.604 DEBUG 9832 --- [nio-8080-exec-3] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="access_denied", error_description="Access is denied"] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4cd51cd5]
2021-11-29 14:34:42.604 DEBUG 9832 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

從日志中可以看出，用戶擁有“READ_USERS”的權限，但 GET 請求仍然被拒絕。 我錯過了什么？

Answer 1

檢查這兩點：-

1. 確保user.getGroup()包含READ_USER權限

2. 在實現UserDetails的AuthPrincipal中， authoritySet您在 -

 @Override public Collection<? extends GrantedAuthority> getAuthorities() { return this.authoritySet; }