由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,

所有不同的模式下的token需要用  @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。

通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService

但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~

一、哪里重写?

资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities

@RestController

@Slf4j

public class UserController {

  @Autowired

  HttpServletRequest request;

  @GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));
    return principal;
 }

返回的具体用户信息:

 {

     "principal": {

         "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

         "phone": "13918438965",

         "credentialsNonExpired": true,

         "accountNonExpired": true,

         "enabled": true,

         "accountNonLocked": true,

         "username": "4738195728608789333"

     },

     "authenticated": true,

     "oAuth2Request": {

         "redirectUri": "http://www.baidu.com",

         "responseTypes": ["code"],

         "approved": true,

         "extensions": {},

         "clientId": "external",

         "scope": ["auth_base"],

         "requestParameters": {

             "code": "ovzMSk",

             "grant_type": "authorization_code",

             "scope": "auth_base",

             "response_type": "code",

             "redirect_uri": "http://www.baidu.com",

             "state": "123",

             "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",

             "client_id": "external"

         },

         "refresh": false,

         "grantType": "authorization_code",

         "authorities": [{

             "authority": "auth_base"

         }],

         "resourceIds": []

     },

     "clientOnly": false,

     "credentials": "",

     "name": "4738195728608789333",

     "userAuthentication": {

         "principal": {

             "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

             "phone": "13918438965",

             "credentialsNonExpired": true,

             "accountNonExpired": true,

             "enabled": true,

             "accountNonLocked": true,

             "username": "4738195728608789333"

         },

         "authenticated": true,

         "oAuth2Request": {

             "responseTypes": [],

             "approved": true,

             "extensions": {},

             "clientId": "gt",

             "scope": ["frontend"],

             "requestParameters": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "refresh": false,

             "grantType": "password",

             "authorities": [{

                 "authority": "client"

             }],

             "resourceIds": []

         },

         "clientOnly": false,

         "credentials": "",

         "name": "4738195728608789333",

         "userAuthentication": {

             "principal": {

                 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

                 "phone": "13918438965",

                 "credentialsNonExpired": true,

                 "accountNonExpired": true,

                 "enabled": true,

                 "accountNonLocked": true,

                 "username": "4738195728608789333"

             },

             "authenticated": true,

             "name": "4738195728608789333",

             "details": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "authorities": []

         },

         "details": {

             "tokenType": "Bearer",

             "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",

             "remoteAddress": "0:0:0:0:0:0:0:1"

         },

         "authorities": []

     },

     "details": {

         "tokenType": "Bearer",

         "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",

         "remoteAddress": "0:0:0:0:0:0:0:1"

     },

     "authorities": []

 }

二、如何重写?

principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。

为了改变authoritie重写:
@GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));

    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;

    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();

    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();

    // 为了服务端进行token权限隔离 定制OAuth2Authentication

    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());

    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());

    log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));

    return customOAuth2Authentication;

  }

  CustomOAuth2Authentication :

 package com.brightcns.wuxi.citizencard.auth.domain;

 import org.springframework.security.authentication.AbstractAuthenticationToken;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.core.CredentialsContainer;

 import org.springframework.security.core.GrantedAuthority;

 import org.springframework.security.oauth2.provider.OAuth2Request;

 import java.util.Collection;

 /**

  * @author maxianming

  * @date 2018/10/29 13:53

  */

 public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

     private static final long serialVersionUID = -4809832298438307309L;

     private final OAuth2Request storedRequest;

     private final Authentication userAuthentication;

     /**

      * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user

      * authentication may be null.

      * @param storedRequest      The authorization request (must not be null).

      * @param userAuthentication The user authentication (possibly null).

      */

     public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {

         /**

          * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities

          */

         super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());

         this.storedRequest = storedRequest;

         this.userAuthentication = userAuthentication;

     }

     public Object getCredentials() {

         return "";

     }

     public Object getPrincipal() {

         return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication

                 .getPrincipal();

     }

     /**

      * Convenience method to check if there is a user associated with this token, or just a client application.

      *

      * @return true if this token represents a client app not acting on behalf of a user

      */

     public boolean isClientOnly() {

         return userAuthentication == null;

     }

     /**

      * The authorization request containing details of the client application.

      *

      * @return The client authentication.

      */

     public OAuth2Request getOAuth2Request() {

         return storedRequest;

     }

     /**

      * The user authentication.

      *

      * @return The user authentication.

      */

     public Authentication getUserAuthentication() {

         return userAuthentication;

     }

     @Override

     public boolean isAuthenticated() {

         return this.storedRequest.isApproved()

                 && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());

     }

     @Override

     public void eraseCredentials() {

         super.eraseCredentials();

         if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {

             CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();

         }

     }

     @Override

     public boolean equals(Object o) {

         if (this == o) {

             return true;

         }

         if (!(o instanceof CustomOAuth2Authentication)) {

             return false;

         }

         if (!super.equals(o)) {

             return false;

         }

         CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

         if (!storedRequest.equals(that.storedRequest)) {

             return false;

         }

         if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)

                 : that.userAuthentication != null) {

             return false;

         }

         if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {

             // return false;

         }

         return true;

     }

     @Override

     public int hashCode() {

         int result = super.hashCode();

         result = 31 * result + storedRequest.hashCode();

         result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);

         return result;

     }

 }

主要在OAuth2Authentication基础上修改了30-35行代码

												


											
Spring Security OAuth2 token权限隔离的更多相关文章
	

    
								
  1. Spring Security OAuth2 授权失败(401) 问题整理
		
    Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
    
		
    2. 
						
  2. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
		
    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
    
		
    3. 
						
  3. Spring Security 解析(五) —— Spring Security Oauth2 开发
		
    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
    
		
    4. 
						
  4. spring security oauth2搭建resource-server  demo及token改造成JWT令牌
		
    我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
    
		
    5. 
						
  5. 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
		
    微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过  ...
    
		
    6. 
						
  6. 使用Redis作为Spring Security OAuth2的token存储
		
    写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
    
		
    7. 
						
  7. 使用JWT作为Spring Security OAuth2的token存储
		
    序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
    
		
    8. 
						
  8. 【OAuth2.0】Spring Security OAuth2.0篇之初识
		
    不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
    
		
    9. 
						
  9. Spring security oauth2最简单入门环境搭建
		
    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. Linux 用 shell 脚本 批量 导入 csv 文件 到 mysql 数据库
			
    前提: 每个csv文件第一行为字段名 创建的数据库字段名同csv 文件的字段名 1. 批量导入 多个 csv 文件 for file in ./*.csv;do mv $file tablename. ...
    
			
    2. 
						
  2. pcie dma的玩法
			
    There is some issue with the implement script. So I took the manual steps. 1. Created the pcie core  ...
    
			
    3. 
						
  3. word字号
			
    1 大特号 63 2 特 号 54 3 初 号 42 4 小初号 36 5 大一号 31.5 6 一 号 28 7 小一号 24 8 二 号 21 9 小二号 18 10 三 号 16 11 小三号  ...
    
			
    4. 
						
  4. (转)love2d有用的辅助库--gamework
			
    此文转自朱大仙,感谢他的劳作. 翻译来源地址:https://github.com/Kadoba/gamework gamework是控制LOVE2D游戏进程流的一个项目. ↑ 这个是按原文译的, 当 ...
    
			
    5. 
						
  5. c/c++常见关键字解释
			
    c语言中常见关键字:  char :    =>声明字符型变量或函数 double :=>声明双精度变量或函数 enum :  =>声明枚举类型 float:     =>声明 ...
    
			
    6. 
						
  6. 大数据(11) - kafka的安装与使用
			
    一.Kafka概述 1.Kafka是什么 在流式计算中,Kafka一般用来缓存数据,Storm通过消费Kafka的数据进行计算. 1)Apache Kafka是一个开源消息系统,由Scala写成.是由 ...
    
			
    7. 
						
  7. php7 扩展模块添加
			
    php 扩展模块添加   1. 新增安装扩展模块的位置 [root@node_22 ~]# ls /usr/local/php7/lib/php/extensions/no-debug-non-zts ...
    
			
    8. 
						
  8. Task Scheduling
			
    Introduction In the past, developers have generated a Cron entry for each task they need to schedule ...
    
			
    9. 
						
  9. 匿名内部类 Inner class
			
    先说结论 匿名内部类分两种,一种是接口的匿名实现,一种是类的匿名子类!后者往往用于修改特定方法. 再说起因 本来以为匿名内部类很简单,就是接口的匿名实现,直到我发现了下面这段代码: public cl ...
    
			
    10. 
						
  10. Spring Boot 是 Spring 的一套快速配置脚手架,可以基于Spring Boot 快速开发单个微服务
			
    Spring Boot 是 Spring 的一套快速配置脚手架,可以基于Spring Boot 快速开发单个微服务,Spring Cloud是一个基于Spring Boot实现的云应用开发工具:Spr ...
    
			
    11.