Spring Security 和 Azure AD PreAuthorize hasRole 不起作用
Posted
技术标签:
【中文标题】Spring Security 和 Azure AD PreAuthorize hasRole 不起作用【英文标题】:Spring Security and Azure AD PreAuthorize hasRole is not working 【发布时间】:2020-07-25 13:37:24 【问题描述】:我正在查看 Microsoft Docs 上的 tutorial,了解如何使用 Spring Boot Starter for Azure Active Directory 保护我的 Spring MVC 应用程序。我正在尝试保护我网站的管理区域。我在控制器方法上有一个 @PreAuthorize 注释,我只希望管理员组中的用户可以访问它。我能够获得登录提示,但在成功登录后,我得到了该控制器方法的 403。当我删除 @PreAuthorize 注释时,我可以登录并访问该方法就好了。
这里是控制器方法:
@Controller
public class PostController
...
@PreAuthorize("hasRole('admin')")
@RequestMapping(path = "/admin/post", method = RequestMethod.GET)
public String getPost(@ModelAttribute("post") Post post, Model model)
List<Tag> tags = tagService.getAll();
model.addAttribute("tags", tags);
return "post";
...
这里是 WebSecurityConfig.java:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
@Override
protected void configure(HttpSecurity http) throws Exception
http
.authorizeRequests()
.antMatchers("/admin/**").authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService);
这里是application.properties:
# Azure AD
# Specifies your Active Directory ID:
azure.activedirectory.tenant-id=<my-ad-tenant-id>
# Specifies your App Registration's Application ID:
spring.security.oauth2.client.registration.azure.client-id=<my-app-registration-app-id>
# Specifies your App Registration's secret key:
spring.security.oauth2.client.registration.azure.client-secret=<my-client-secret>
# Specifies the list of Active Directory groups to use for authorization:
azure.activedirectory.activeDirectoryGroups=admin
这是应用注册清单:
"id": "<id>",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": null,
"addIns": [],
"allowPublicClient": null,
"appId": "<app-id>",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2020-04-10T23:37:26Z",
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls":
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
,
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "test",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings":
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
,
"passwordCredentials": [
"customKeyIdentifier": null,
"endDate": "2299-12-31T05:00:00Z",
"keyId": "<key-id>",
"startDate": "2020-04-10T23:39:47.917Z",
"value": null,
"createdOn": "2020-04-10T23:39:48.4572747Z",
"hint": "SVb",
"displayName": "test key"
],
"preAuthorizedApplications": [],
"publisherDomain": "test.onmicrosoft.com",
"replyUrlsWithType": [
"url": "http://localhost:8080/login/oauth2/code/azure",
"type": "Web"
],
"requiredResourceAccess": [
"resourceAppId": "<resource-app-id>",
"resourceAccess": [
"id": "<resource-access-id>",
"type": "Scope"
]
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null
这是 Azure 中的组:
与我登录的用户是该组的成员。根据文档,只有未经授权的用户才会收到 403。我尝试将 hasRole() 参数更改为“ROLE_admin”,但这不起作用。我还尝试像这样在 WebSecurityConfig.java 中配置 hasRole("admin"):
@Override
protected void configure(HttpSecurity http) throws Exception
http
.authorizeRequests()
.antMatchers("/admin/**").authenticated()
.antMatchers("/admin/**").hasRole("admin")
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService);
但这也不起作用。我已经在这里工作了几天,但是当我登录的用户在管理员组中时,我无法弄清楚为什么我会收到 403。
编辑
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.5.RELEASE</version>
</parent>
<groupId>me.test</groupId>
<artifactId>test-me</artifactId>
<version>1.0</version>
<packaging>war</packaging>
<name>test.me</name>
<properties>
<java.version>1.8</java.version>
<azure.version>2.2.0</azure.version>
</properties>
<dependencies>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-active-directory-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>com.microsoft.sqlserver</groupId>
<artifactId>mssql-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>6.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.9</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-storage-blob</artifactId>
<version>12.5.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>$azure.version</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<finalName>ROOT</finalName>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<artifactId>maven-failsafe-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
您可以在 GitHub 中查看Microsoft Spring Boot / Azure AD sample。
【问题讨论】:
您是否尝试过配置组声明(docs.microsoft.com/en-us/azure/active-directory/develop/…)? 【参考方案1】:根据我的研究,如果我们想使用图形 API 检索用户的组成员身份,这需要注册的应用程序具有 Direcory.AccessAsUser.All 权限。更多详情请参考document和document。
例如
更新权限
application.properties
# Azure AD
# Specifies your Active Directory ID:
azure.activedirectory.tenant-id=<my-ad-tenant-id>
# Specifies your App Registration's Application ID:
spring.security.oauth2.client.registration.azure.client-id=<my-app-registration-app-id>
# Specifies your App Registration's secret key:
spring.security.oauth2.client.registration.azure.client-secret=<my-client-secret>
# Specifies the list of Active Directory groups to use for authorization:
azure.activedirectory.activeDirectoryGroups=SQLAdmin
# Configure log level
logging.level.root=Debug
-
WebSecurityConfig.java
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
@Override
protected void configure(HttpSecurity http) throws Exception
http
.authorizeRequests()
.antMatchers("/admin/**").authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService);
-
控制器
@Autowired
@PreAuthorize("hasRole('SQLAdmin')")
@GetMapping("/admin")
@ResponseBody
public String helloWorld()
return "Hello World!";
【讨论】:
感谢您的精彩回答!一个问题。我看到您在公共 String helloWorld() 方法上有 Autowired 注释。当我将 Autowired 注释放在我的控制器方法上时,我收到以下错误:org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'me.model.Post' available: expected at least 1 bean that qualified as autowire候选人。依赖注解:org.springframework.web.bind.annotation.ModelAttribute(name="", value="post", binding=true)。 @slugophl 关于这个问题,请参考baeldung.com/spring-nosuchbeandefinitionexception以上是关于Spring Security 和 Azure AD PreAuthorize hasRole 不起作用的主要内容,如果未能解决你的问题,请参考以下文章
针对 Azure OIDC OAuth2 流的 Spring Security
如何从 angular localhost:4200 调用 spring security azure AD localhost:8080。天蓝色调用中的错误
如何使用 Azure AD 为应用服务上的 Spring Boot 应用设置重定向 URI