由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,

所有不同的模式下的token需要用  @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。

通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService

但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~

一、哪里重写?

资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities

@RestController

@Slf4j

public class UserController {

  @Autowired

  HttpServletRequest request;

  @GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));
    return principal;
 }

返回的具体用户信息:

 {

     "principal": {

         "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

         "phone": "13918438965",

         "credentialsNonExpired": true,

         "accountNonExpired": true,

         "enabled": true,

         "accountNonLocked": true,

         "username": "4738195728608789333"

     },

     "authenticated": true,

     "oAuth2Request": {

         "redirectUri": "http://www.baidu.com",

         "responseTypes": ["code"],

         "approved": true,

         "extensions": {},

         "clientId": "external",

         "scope": ["auth_base"],

         "requestParameters": {

             "code": "ovzMSk",

             "grant_type": "authorization_code",

             "scope": "auth_base",

             "response_type": "code",

             "redirect_uri": "http://www.baidu.com",

             "state": "123",

             "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",

             "client_id": "external"

         },

         "refresh": false,

         "grantType": "authorization_code",

         "authorities": [{

             "authority": "auth_base"

         }],

         "resourceIds": []

     },

     "clientOnly": false,

     "credentials": "",

     "name": "4738195728608789333",

     "userAuthentication": {

         "principal": {

             "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

             "phone": "13918438965",

             "credentialsNonExpired": true,

             "accountNonExpired": true,

             "enabled": true,

             "accountNonLocked": true,

             "username": "4738195728608789333"

         },

         "authenticated": true,

         "oAuth2Request": {

             "responseTypes": [],

             "approved": true,

             "extensions": {},

             "clientId": "gt",

             "scope": ["frontend"],

             "requestParameters": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "refresh": false,

             "grantType": "password",

             "authorities": [{

                 "authority": "client"

             }],

             "resourceIds": []

         },

         "clientOnly": false,

         "credentials": "",

         "name": "4738195728608789333",

         "userAuthentication": {

             "principal": {

                 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

                 "phone": "13918438965",

                 "credentialsNonExpired": true,

                 "accountNonExpired": true,

                 "enabled": true,

                 "accountNonLocked": true,

                 "username": "4738195728608789333"

             },

             "authenticated": true,

             "name": "4738195728608789333",

             "details": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "authorities": []

         },

         "details": {

             "tokenType": "Bearer",

             "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",

             "remoteAddress": "0:0:0:0:0:0:0:1"

         },

         "authorities": []

     },

     "details": {

         "tokenType": "Bearer",

         "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",

         "remoteAddress": "0:0:0:0:0:0:0:1"

     },

     "authorities": []

 }

二、如何重写?

principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。

为了改变authoritie重写:
@GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));

    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;

    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();

    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();

    // 为了服务端进行token权限隔离 定制OAuth2Authentication

    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());

    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());

    log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));

    return customOAuth2Authentication;

  }

  CustomOAuth2Authentication :

 package com.brightcns.wuxi.citizencard.auth.domain;

 import org.springframework.security.authentication.AbstractAuthenticationToken;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.core.CredentialsContainer;

 import org.springframework.security.core.GrantedAuthority;

 import org.springframework.security.oauth2.provider.OAuth2Request;

 import java.util.Collection;

 /**

  * @author maxianming

  * @date 2018/10/29 13:53

  */

 public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

     private static final long serialVersionUID = -4809832298438307309L;

     private final OAuth2Request storedRequest;

     private final Authentication userAuthentication;

     /**

      * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user

      * authentication may be null.

      * @param storedRequest      The authorization request (must not be null).

      * @param userAuthentication The user authentication (possibly null).

      */

     public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {

         /**

          * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities

          */

         super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());

         this.storedRequest = storedRequest;

         this.userAuthentication = userAuthentication;

     }

     public Object getCredentials() {

         return "";

     }

     public Object getPrincipal() {

         return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication

                 .getPrincipal();

     }

     /**

      * Convenience method to check if there is a user associated with this token, or just a client application.

      *

      * @return true if this token represents a client app not acting on behalf of a user

      */

     public boolean isClientOnly() {

         return userAuthentication == null;

     }

     /**

      * The authorization request containing details of the client application.

      *

      * @return The client authentication.

      */

     public OAuth2Request getOAuth2Request() {

         return storedRequest;

     }

     /**

      * The user authentication.

      *

      * @return The user authentication.

      */

     public Authentication getUserAuthentication() {

         return userAuthentication;

     }

     @Override

     public boolean isAuthenticated() {

         return this.storedRequest.isApproved()

                 && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());

     }

     @Override

     public void eraseCredentials() {

         super.eraseCredentials();

         if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {

             CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();

         }

     }

     @Override

     public boolean equals(Object o) {

         if (this == o) {

             return true;

         }

         if (!(o instanceof CustomOAuth2Authentication)) {

             return false;

         }

         if (!super.equals(o)) {

             return false;

         }

         CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

         if (!storedRequest.equals(that.storedRequest)) {

             return false;

         }

         if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)

                 : that.userAuthentication != null) {

             return false;

         }

         if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {

             // return false;

         }

         return true;

     }

     @Override

     public int hashCode() {

         int result = super.hashCode();

         result = 31 * result + storedRequest.hashCode();

         result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);

         return result;

     }

 }

主要在OAuth2Authentication基础上修改了30-35行代码

												


											
Spring Security OAuth2 token权限隔离的更多相关文章
	

    
								
  1. Spring Security OAuth2 授权失败(401) 问题整理
		
    Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
    
		
    2. 
						
  2. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
		
    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
    
		
    3. 
						
  3. Spring Security 解析(五) —— Spring Security Oauth2 开发
		
    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
    
		
    4. 
						
  4. spring security oauth2搭建resource-server  demo及token改造成JWT令牌
		
    我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
    
		
    5. 
						
  5. 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
		
    微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过  ...
    
		
    6. 
						
  6. 使用Redis作为Spring Security OAuth2的token存储
		
    写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
    
		
    7. 
						
  7. 使用JWT作为Spring Security OAuth2的token存储
		
    序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
    
		
    8. 
						
  8. 【OAuth2.0】Spring Security OAuth2.0篇之初识
		
    不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
    
		
    9. 
						
  9. Spring security oauth2最简单入门环境搭建
		
    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. pip install mysql-connector 安装出错
			
    一.MySQL Connector/Python 2.2.3 的变化: 之前 mysql 官方说MySQL Connector/Python 是纯python语言写的,但是呢! 这个问题在2.2.3中 ...
    
			
    2. 
						
  2. Graphics View框架
			
    Qt4.2开始引入了Graphics View框架用来取代Qt3中的Canvas模块,并在很多地方作了改进,Graphics View框架实现了模型-视图结构的图形管理,能对大量图元进行管理,支持碰撞 ...
    
			
    3. 
						
  3. 50篇经典珍藏 | Docker、Mesos、微服务、云原生技术干货
			
    概念篇 全方位探(tian)索(keng)Mesos各种存储处理方式 老肖有话说@Mesos User Group第四次约会 技术实践 | Mesos 全方位“烹饪”指南 回顾 JAVA 发展轨迹,看 ...
    
			
    4. 
						
  4. Linux系统CPU频率调整工具使用
			
    现在的CPU耗电很大,按需调节CPU频率对普通桌面及移动设备节能有重要的意义,目前多数Linux发行版都已经默认启用了这个功能,但在一些像数据库,集群系统等特别需要CPU高性能的服务器环境中,Linu ...
    
			
    5. 
						
  5. WIN XP 命令汇总
			
    winver检查Windows版本dxdiag检查DirectX信息mem.exe显示内存使用情况Sndvol32音量控制程序sfc.exe系统文件检查器gpedit.msc 组策略regedit.e ...
    
			
    6. 
						
  6. python用time函数计算程序运行时间
			
    内置模块time包含很多与时间相关函数.我们可通过它获得当前的时间和格式化时间输出. time(),以浮点形式返回自Linux新世纪以来经过的秒数.在linux中,00:00:00 UTC, Janu ...
    
			
    7. 
						
  7. 应用DataAdapter对象填充DataSet数据集
			
    private void Form1_Load(object sender, EventArgs e) { string strCon = "Server=localhost;User Id ...
    
			
    8. 
						
  8. 干接点&湿接点
			
    干接点的定义: 无源开关:具有闭合和断开的2种状态:2个接点之间没有极性,可以互换: 常见的干接点信号有: 1.各种开关如:限位开关.行程开关.脚踏开关.旋转开关.温度开关.液位开关等: 2.各种按键 ...
    
			
    9. 
						
  9. js实现div的置底
			
    //-------------置底的div---------------------- <div class="mui-content lv-mrcd"  id=" ...
    
			
    10. 
						
  10. 回文自动机 + DFS --- The 2014 ACM-ICPC Asia Xi’an Regional Contest Problem G.The Problem to Slow Down You
			
    The Problem to Slow Down You Problem's Link: http://acm.hust.edu.cn/vjudge/problem/viewProblem.actio ...
    
			
    11.