如何限制 OAuth2 设置中定义的客户端访问?
Posted
技术标签:
【中文标题】如何限制 OAuth2 设置中定义的客户端访问?【英文标题】:How to limit client access defined in OAuth2 settings? 【发布时间】:2019-10-20 09:57:06 【问题描述】:在使用 Sping Boot 和 OAuth2 开发的 REST API 中,是否可以根据授权服务器设置中定义的客户端来限制用户访问?
例如,在授权服务器中,我有以下客户端配置:
clients.inMemory()
.withClient(uaaProperties.getWebClientConfiguration().getClientId())
.secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
.scopes("openid")
.authorities("ROLE_TESTE")
.autoApprove(true)
.authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
.accessTokenValiditySeconds(accessTokenValidity)
.refreshTokenValiditySeconds(refreshTokenValidity)
在 HttpSecurity 中 Spring 的安全配置部分我有以下配置:
@Override
public void configure(HttpSecurity http) throws Exception
http
.csrf()
.ignoringAntMatchers("/h2-console/**")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/management/health").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
如何限制具有“ROLE_TESTE”权限的 OAuth 客户端不访问仅为 ADMIN 设置的 api 地址?
已编辑...
我将代码编辑为如下所示:
UAA/OAuth2:
@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware
/**
* Access tokens will not expire any earlier than this.
*/
private static final int MIN_ACCESS_TOKEN_VALIDITY_SECS = 60;
private ApplicationContext applicationContext;
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
this.applicationContext = applicationContext;
@EnableResourceServer
public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
private final TokenStore tokenStore;
private final JHipsterProperties jHipsterProperties;
private final CorsFilter corsFilter;
public ResourceServerConfiguration(TokenStore tokenStore, JHipsterProperties jHipsterProperties, CorsFilter corsFilter)
this.tokenStore = tokenStore;
this.jHipsterProperties = jHipsterProperties;
this.corsFilter = corsFilter;
@Override
public void configure(HttpSecurity http) throws Exception
http
.exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
.and()
.csrf()
.disable()
.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/activate").permitAll()
.antMatchers("/api/authenticate").permitAll()
.antMatchers("/api/account/reset-password/init").permitAll()
.antMatchers("/api/account/reset-password/finish").permitAll()
// .antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/v2/api-docs/**").permitAll()
.antMatchers("/swagger-resources/configuration/ui").permitAll()
.antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/**").access("#oauth2.clientHasRole('ROLE_TESTE')")
;
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception
resources.resourceId("jhipster-uaa").tokenStore(tokenStore);
private final JHipsterProperties jHipsterProperties;
private final UaaProperties uaaProperties;
private final PasswordEncoder passwordEncoder;
public UaaConfiguration(JHipsterProperties jHipsterProperties, UaaProperties uaaProperties, PasswordEncoder passwordEncoder)
this.jHipsterProperties = jHipsterProperties;
this.uaaProperties = uaaProperties;
this.passwordEncoder = passwordEncoder;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
/*
For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
*/
clients.inMemory()
.withClient(uaaProperties.getWebClientConfiguration().getClientId())
.secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
.scopes("openid")
.authorities("ROLE_TESTE")
.autoApprove(true)
.authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
.accessTokenValiditySeconds(accessTokenValidity)
.refreshTokenValiditySeconds(refreshTokenValidity)
.and()
.withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
.secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
.scopes("web-app")
.authorities("ROLE_ADMIN")
.autoApprove(true)
.authorizedGrantTypes("client_credentials")
.accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
.refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
//pick up all TokenEnhancers incl. those defined in the application
//this avoids changes to this class if an application wants to add its own to the chain
Collection<TokenEnhancer> tokenEnhancers = applicationContext.getBeansOfType(TokenEnhancer.class).values();
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(new ArrayList<>(tokenEnhancers));
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.reuseRefreshTokens(false); //don't reuse or we will run into session inactivity timeouts
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
/**
* Apply the token converter (and enhancer) for token store.
* @return the JwtTokenStore managing the tokens.
*/
@Bean
public JwtTokenStore tokenStore()
return new JwtTokenStore(jwtAccessTokenConverter());
/**
* This bean generates an token enhancer, which manages the exchange between JWT acces tokens and Authentication
* in both directions.
*
* @return an access token converter configured with the authorization server's public/private keys
*/
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter()
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
KeyPair keyPair = new KeyStoreKeyFactory(
new ClassPathResource(uaaProperties.getKeyStore().getName()), uaaProperties.getKeyStore().getPassword().toCharArray())
.getKeyPair(uaaProperties.getKeyStore().getAlias());
converter.setKeyPair(keyPair);
return converter;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
"isAuthenticated()");
网关:
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter
private final OAuth2Properties oAuth2Properties;
private final CorsFilter corsFilter;
public SecurityConfiguration(OAuth2Properties oAuth2Properties, CorsFilter corsFilter)
this.oAuth2Properties = oAuth2Properties;
this.corsFilter = corsFilter;
@Override
public void configure(HttpSecurity http) throws Exception
http
.csrf() //.disable()
.ignoringAntMatchers("/h2-console/**")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// .antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
@Bean
public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter)
return new JwtTokenStore(jwtAccessTokenConverter);
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter(OAuth2SignatureVerifierClient signatureVerifierClient)
return new OAuth2JwtAccessTokenConverter(oAuth2Properties, signatureVerifierClient);
@Bean
@Qualifier("loadBalancedRestTemplate")
public RestTemplate loadBalancedRestTemplate(RestTemplateCustomizer customizer)
RestTemplate restTemplate = new RestTemplate();
customizer.customize(restTemplate);
return restTemplate;
@Bean
@Qualifier("vanillaRestTemplate")
public RestTemplate vanillaRestTemplate()
return new RestTemplate();
尝试登录在 UAA 控制台中出现此错误:
2019-06-07 16:04:59.727 DEBUG 32186 --- [ XNIO-2 task-7] c.t.uaa.aop.logging.LoggingAspect : Enter: com.testando.uaa.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-06-07T19:04:59.727Z, principal=admin, type=AUTHORIZATION_FAILURE, data=details=remoteAddress=172.17.1.155, tokenType=BearertokenValue=<TOKEN>, type=org.springframework.security.access.AccessDeniedException, message=Access is denied]]
【问题讨论】:
【参考方案1】:在您的资源服务器配置中,您可以通过 #oauth2.clientHasRole
使用 Spring Security 的基于表达式的访问控制,请参阅 OAuth2SecurityExpressionMethods#clientHasRole
:
检查 OAuth2 客户端(不是用户)是否具有指定的角色。要检查用户的角色,请参阅#hasRole(String)。
另见:OAuth 2 Developers Guide:
配置 OAuth 感知表达式处理程序
您可能希望利用 Spring Security 的基于表达式的访问控制。默认情况下,表达式处理程序将在
@EnableResourceServer
设置中注册。表达式包括 #oauth2.clientHasRole、#oauth2.clientHasAnyRole 和 #oath2.denyClient,可用于提供基于角色的访问权限oauth 客户端(完整列表请参阅OAuth2SecurityExpressionMethods
)。
【讨论】:
@user2831852:您添加了`.antMatchers("/api/**").access("#oauth2.clientHasRole('ROLE_TESTE')")`,因此只有具有ROLE_TESTE
角色的客户端可以访问/api/**
。你想要这个吗?
@user2831852 我问了,因为在您的问题中您写道:* "ROLE_TESTE" 不访问 api 地址* 您做了相反的事情。
@user2831852 我不认识 JHipster。什么是网关配置?你的资源配置是什么?您能否添加完整的类,以便我可以看到继承?
很抱歉给您带来了困惑!在这种情况下,当尝试登录系统时,OAuth 未能应用该规则,即它通过允许或拒绝对 ROLE_TESTE 的访问而失败。我将在问题中添加类,以便您查看。谢谢。
我通过添加完整的类和错误更改了问题中的代码,我没有资源代码,因为测试无法登录并且我无法测试对资源的访问。代码来自网关和 UAA。如果你想测试(link),我还在 GitHub 中添加了代码,如果你想查看这个link of JHipster,这里有关于我在测试中使用的结构的信息。以上是关于如何限制 OAuth2 设置中定义的客户端访问?的主要内容,如果未能解决你的问题,请参考以下文章
Spring Security OAUTH2 - 如何根据客户端 ID 限制对 API 的访问?