如何限制 OAuth2 设置中定义的客户端访问?

Posted

技术标签:

【中文标题】如何限制 OAuth2 设置中定义的客户端访问?【英文标题】:How to limit client access defined in OAuth2 settings? 【发布时间】:2019-10-20 09:57:06 【问题描述】:

在使用 Sping Boot 和 OAuth2 开发的 REST API 中,是否可以根据授权服务器设置中定义的客户端来限制用户访问?

例如,在授权服务器中,我有以下客户端配置:

clients.inMemory()
            .withClient(uaaProperties.getWebClientConfiguration().getClientId())
            .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
            .scopes("openid")
            .authorities("ROLE_TESTE")
            .autoApprove(true)
            .authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
            .accessTokenValiditySeconds(accessTokenValidity)
            .refreshTokenValiditySeconds(refreshTokenValidity)

在 HttpSecurity 中 Spring 的安全配置部分我有以下配置:

@Override
public void configure(HttpSecurity http) throws Exception 
http
    .csrf() 
    .ignoringAntMatchers("/h2-console/**")
    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
    .addFilterBefore(corsFilter, CsrfFilter.class)
    .headers()
    .frameOptions()
    .disable()
.and()
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
    .authorizeRequests()
    .antMatchers("/api/**").hasAuthority(AuthoritiesConstants.ADMIN)
    .antMatchers("/management/health").permitAll()
    .antMatchers("/management/info").permitAll()
    .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);

如何限制具有“ROLE_TESTE”权限的 OAuth 客户端不访问仅为 ADMIN 设置的 api 地址?

已编辑...

我将代码编辑为如下所示:

UAA/OAuth2:

@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware 
    /**
     * Access tokens will not expire any earlier than this.
     */
    private static final int MIN_ACCESS_TOKEN_VALIDITY_SECS = 60;

    private ApplicationContext applicationContext;

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException 
        this.applicationContext = applicationContext;
    

    @EnableResourceServer
    public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter 

        private final TokenStore tokenStore;

        private final JHipsterProperties jHipsterProperties;

        private final CorsFilter corsFilter;

        public ResourceServerConfiguration(TokenStore tokenStore, JHipsterProperties jHipsterProperties, CorsFilter corsFilter) 
            this.tokenStore = tokenStore;
            this.jHipsterProperties = jHipsterProperties;
            this.corsFilter = corsFilter;
        

        @Override
        public void configure(HttpSecurity http) throws Exception 
            http
                .exceptionHandling()
                .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
                .csrf()
                .disable()
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                .headers()
                .frameOptions()
                .disable()
            .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/activate").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/account/reset-password/init").permitAll()
                .antMatchers("/api/account/reset-password/finish").permitAll()
//                .antMatchers("/api/**").authenticated()
                .antMatchers("/management/health").permitAll()
                .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
                .antMatchers("/v2/api-docs/**").permitAll()
                .antMatchers("/swagger-resources/configuration/ui").permitAll()
                .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
                .antMatchers("/api/**").access("#oauth2.clientHasRole('ROLE_TESTE')")
                ;
        

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception 
            resources.resourceId("jhipster-uaa").tokenStore(tokenStore);
        
    

    private final JHipsterProperties jHipsterProperties;

    private final UaaProperties uaaProperties;

    private final PasswordEncoder passwordEncoder;

    public UaaConfiguration(JHipsterProperties jHipsterProperties, UaaProperties uaaProperties, PasswordEncoder passwordEncoder) 
        this.jHipsterProperties = jHipsterProperties;
        this.uaaProperties = uaaProperties;
        this.passwordEncoder = passwordEncoder;
    

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception 
        int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
        accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
        int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
        refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
        /*
        For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
         */
        clients.inMemory()
            .withClient(uaaProperties.getWebClientConfiguration().getClientId())
            .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
            .scopes("openid")
            .authorities("ROLE_TESTE")
            .autoApprove(true)
            .authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
            .accessTokenValiditySeconds(accessTokenValidity)
            .refreshTokenValiditySeconds(refreshTokenValidity)
            .and()
            .withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
            .secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
            .scopes("web-app")
            .authorities("ROLE_ADMIN")
            .autoApprove(true)
            .authorizedGrantTypes("client_credentials")
            .accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
            .refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
    

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception 
        //pick up all  TokenEnhancers incl. those defined in the application
        //this avoids changes to this class if an application wants to add its own to the chain
        Collection<TokenEnhancer> tokenEnhancers = applicationContext.getBeansOfType(TokenEnhancer.class).values();
        TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(new ArrayList<>(tokenEnhancers));
        endpoints
            .authenticationManager(authenticationManager)
            .tokenStore(tokenStore())
            .tokenEnhancer(tokenEnhancerChain)
            .reuseRefreshTokens(false);             //don't reuse or we will run into session inactivity timeouts
    

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    /**
     * Apply the token converter (and enhancer) for token store.
     * @return the JwtTokenStore managing the tokens.
     */
    @Bean
    public JwtTokenStore tokenStore() 
        return new JwtTokenStore(jwtAccessTokenConverter());
    

    /**
     * This bean generates an token enhancer, which manages the exchange between JWT acces tokens and Authentication
     * in both directions.
     *
     * @return an access token converter configured with the authorization server's public/private keys
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() 
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        KeyPair keyPair = new KeyStoreKeyFactory(
             new ClassPathResource(uaaProperties.getKeyStore().getName()), uaaProperties.getKeyStore().getPassword().toCharArray())
             .getKeyPair(uaaProperties.getKeyStore().getAlias());
        converter.setKeyPair(keyPair);
        return converter;
    

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception 
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
                "isAuthenticated()");
    

网关:

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter 
    private final OAuth2Properties oAuth2Properties;

    private final CorsFilter corsFilter;

    public SecurityConfiguration(OAuth2Properties oAuth2Properties, CorsFilter corsFilter) 
        this.oAuth2Properties = oAuth2Properties;
        this.corsFilter = corsFilter;
    

    @Override
    public void configure(HttpSecurity http) throws Exception 
        http
            .csrf() //.disable()
            .ignoringAntMatchers("/h2-console/**")
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
            .addFilterBefore(corsFilter, CsrfFilter.class)
            .headers()
            .frameOptions()
            .disable()
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
//            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/info").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
    

    @Bean
    public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) 
        return new JwtTokenStore(jwtAccessTokenConverter);
    

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(OAuth2SignatureVerifierClient signatureVerifierClient) 
        return new OAuth2JwtAccessTokenConverter(oAuth2Properties, signatureVerifierClient);
    

    @Bean
    @Qualifier("loadBalancedRestTemplate")
    public RestTemplate loadBalancedRestTemplate(RestTemplateCustomizer customizer) 
        RestTemplate restTemplate = new RestTemplate();
        customizer.customize(restTemplate);
        return restTemplate;
    

    @Bean
    @Qualifier("vanillaRestTemplate")
    public RestTemplate vanillaRestTemplate() 
        return new RestTemplate();
    

尝试登录在 UAA 控制台中出现此错误:

2019-06-07 16:04:59.727 DEBUG 32186 --- [ XNIO-2 task-7] c.t.uaa.aop.logging.LoggingAspect : Enter: com.testando.uaa.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-06-07T19:04:59.727Z, principal=admin, type=AUTHORIZATION_FAILURE, data=details=remoteAddress=172.17.1.155, tokenType=BearertokenValue=<TOKEN>, type=org.springframework.security.access.AccessDeniedException, message=Access is denied]]

【问题讨论】:

【参考方案1】:

在您的资源服务器配置中,您可以通过 #oauth2.clientHasRole 使用 Spring Security 的基于表达式的访问控制,请参阅 OAuth2SecurityExpressionMethods#clientHasRole

检查 OAuth2 客户端(不是用户)是否具有指定的角色。要检查用户的角色,请参阅#hasRole(String)。

另见:OAuth 2 Developers Guide:

配置 OAuth 感知表达式处理程序

您可能希望利用 Spring Security 的基于表达式的访问控制。默认情况下,表达式处理程序将在@EnableResourceServer 设置中注册。表达式包括 #oauth2.clientHasRole#oauth2.clientHasAnyRole#oath2.denyClient,可用于提供基于角色的访问权限oauth 客户端(完整列表请参阅OAuth2SecurityExpressionMethods)。

【讨论】:

@user2831852:您添加了`.antMatchers("/api/**").access("#oauth2.clientHasRole('ROLE_TESTE')")`,因此只有具有ROLE_TESTE角色的客户端可以访问/api/**。你想要这个吗? @user2831852 我问了,因为在您的问题中您写道:* "ROLE_TESTE" 不访问 api 地址* 您做了相反的事情。 @user2831852 我不认识 JHipster。什么是网关配置?你的资源配置是什么?您能否添加完整的类,以便我可以看到继承? 很抱歉给您带来了困惑!在这种情况下,当尝试登录系统时,OAuth 未能应用该规则,即它通过允许或拒绝对 ROLE_TESTE 的访问而失败。我将在问题中添加类,以便您查看。谢谢。 我通过添加完整的类和错误更改了问题中的代码,我没有资源代码,因为测试无法登录并且我无法测试对资源的访问。代码来自网关和 UAA。如果你想测试(link),我还在 GitHub 中添加了代码,如果你想查看这个link of JHipster,这里有关于我在测试中使用的结构的信息。

以上是关于如何限制 OAuth2 设置中定义的客户端访问?的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security OAUTH2 - 如何根据客户端 ID 限制对 API 的访问?

GitHub OAuth2 令牌:如何限制访问以读取单个私有仓库

OAuth2之介绍及授权方式

OAUTH2 刷新令牌

OAuth2.0笔记

OAuth1.0与OAuth2.0的区别与联系