由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,

所有不同的模式下的token需要用  @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。

通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService

但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~

一、哪里重写?

资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities

@RestController

@Slf4j

public class UserController {

  @Autowired

  HttpServletRequest request;

  @GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));
    return principal;
 }

返回的具体用户信息:

 {

     "principal": {

         "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

         "phone": "13918438965",

         "credentialsNonExpired": true,

         "accountNonExpired": true,

         "enabled": true,

         "accountNonLocked": true,

         "username": "4738195728608789333"

     },

     "authenticated": true,

     "oAuth2Request": {

         "redirectUri": "http://www.baidu.com",

         "responseTypes": ["code"],

         "approved": true,

         "extensions": {},

         "clientId": "external",

         "scope": ["auth_base"],

         "requestParameters": {

             "code": "ovzMSk",

             "grant_type": "authorization_code",

             "scope": "auth_base",

             "response_type": "code",

             "redirect_uri": "http://www.baidu.com",

             "state": "123",

             "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",

             "client_id": "external"

         },

         "refresh": false,

         "grantType": "authorization_code",

         "authorities": [{

             "authority": "auth_base"

         }],

         "resourceIds": []

     },

     "clientOnly": false,

     "credentials": "",

     "name": "4738195728608789333",

     "userAuthentication": {

         "principal": {

             "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

             "phone": "13918438965",

             "credentialsNonExpired": true,

             "accountNonExpired": true,

             "enabled": true,

             "accountNonLocked": true,

             "username": "4738195728608789333"

         },

         "authenticated": true,

         "oAuth2Request": {

             "responseTypes": [],

             "approved": true,

             "extensions": {},

             "clientId": "gt",

             "scope": ["frontend"],

             "requestParameters": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "refresh": false,

             "grantType": "password",

             "authorities": [{

                 "authority": "client"

             }],

             "resourceIds": []

         },

         "clientOnly": false,

         "credentials": "",

         "name": "4738195728608789333",

         "userAuthentication": {

             "principal": {

                 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",

                 "phone": "13918438965",

                 "credentialsNonExpired": true,

                 "accountNonExpired": true,

                 "enabled": true,

                 "accountNonLocked": true,

                 "username": "4738195728608789333"

             },

             "authenticated": true,

             "name": "4738195728608789333",

             "details": {

                 "auth_type": "sms",

                 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",

                 "grant_type": "password",

                 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",

                 "client_id": "gt",

                 "username": "13918438965"

             },

             "authorities": []

         },

         "details": {

             "tokenType": "Bearer",

             "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",

             "remoteAddress": "0:0:0:0:0:0:0:1"

         },

         "authorities": []

     },

     "details": {

         "tokenType": "Bearer",

         "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",

         "remoteAddress": "0:0:0:0:0:0:0:1"

     },

     "authorities": []

 }

二、如何重写?

principal是OAuth2Authentication实例,OAuth2Authentication主要包括OAuth2Request storedRequest、Authentication userAuthentication,
重写目的是将storedRequest authorities复制到authoritie中,但问题是authoritie不让修改的,没办法只能重写这个OAuth2Authentication了。

为了改变authoritie重写:
@GetMapping("/user")

  public Principal user(Principal principal) {

    log.info("获取user信息:{}", JSON.toJSON(principal));

    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;

    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();

    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();

    // 为了服务端进行token权限隔离 定制OAuth2Authentication

    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());

    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());

    log.info("返回用户信息:{}", JSON.toJSON(customOAuth2Authentication));

    return customOAuth2Authentication;

  }

  CustomOAuth2Authentication :

 package com.brightcns.wuxi.citizencard.auth.domain;

 import org.springframework.security.authentication.AbstractAuthenticationToken;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.core.CredentialsContainer;

 import org.springframework.security.core.GrantedAuthority;

 import org.springframework.security.oauth2.provider.OAuth2Request;

 import java.util.Collection;

 /**

  * @author maxianming

  * @date 2018/10/29 13:53

  */

 public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

     private static final long serialVersionUID = -4809832298438307309L;

     private final OAuth2Request storedRequest;

     private final Authentication userAuthentication;

     /**

      * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user

      * authentication may be null.

      * @param storedRequest      The authorization request (must not be null).

      * @param userAuthentication The user authentication (possibly null).

      */

     public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {

         /**

          * 为了服务端进行token权限隔离 {@link @PreAuthorize("hasAuthority('server')")},自定义OAuth2Authentication使得支持改变authorities

          */

         super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());

         this.storedRequest = storedRequest;

         this.userAuthentication = userAuthentication;

     }

     public Object getCredentials() {

         return "";

     }

     public Object getPrincipal() {

         return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication

                 .getPrincipal();

     }

     /**

      * Convenience method to check if there is a user associated with this token, or just a client application.

      *

      * @return true if this token represents a client app not acting on behalf of a user

      */

     public boolean isClientOnly() {

         return userAuthentication == null;

     }

     /**

      * The authorization request containing details of the client application.

      *

      * @return The client authentication.

      */

     public OAuth2Request getOAuth2Request() {

         return storedRequest;

     }

     /**

      * The user authentication.

      *

      * @return The user authentication.

      */

     public Authentication getUserAuthentication() {

         return userAuthentication;

     }

     @Override

     public boolean isAuthenticated() {

         return this.storedRequest.isApproved()

                 && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());

     }

     @Override

     public void eraseCredentials() {

         super.eraseCredentials();

         if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {

             CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();

         }

     }

     @Override

     public boolean equals(Object o) {

         if (this == o) {

             return true;

         }

         if (!(o instanceof CustomOAuth2Authentication)) {

             return false;

         }

         if (!super.equals(o)) {

             return false;

         }

         CustomOAuth2Authentication that = (CustomOAuth2Authentication) o;

         if (!storedRequest.equals(that.storedRequest)) {

             return false;

         }

         if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)

                 : that.userAuthentication != null) {

             return false;

         }

         if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {

             // return false;

         }

         return true;

     }

     @Override

     public int hashCode() {

         int result = super.hashCode();

         result = 31 * result + storedRequest.hashCode();

         result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);

         return result;

     }

 }

主要在OAuth2Authentication基础上修改了30-35行代码

												


											
Spring Security OAuth2 token权限隔离的更多相关文章
	

    
								
  1. Spring Security OAuth2 授权失败(401) 问题整理
		
    Spring Cloud架构中采用Spring Security OAuth2作为权限控制,关于OAuth2详细介绍可以参考 http://www.ruanyifeng.com/blog/2014/0 ...
    
		
    2. 
						
  2. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
		
    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...
    
		
    3. 
						
  3. Spring Security 解析(五) —— Spring Security Oauth2 开发
		
    Spring Security 解析(五) -- Spring Security Oauth2 开发   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决 ...
    
		
    4. 
						
  4. spring security oauth2搭建resource-server  demo及token改造成JWT令牌
		
    我们在上文讲了如何在spring security的环境中搭建基于oauth2协议的认证中心demo:https://www.cnblogs.com/process-h/p/15688971.html ...
    
		
    5. 
						
  5. 关于 Spring Security OAuth2 中 Feign 调用 Token 问题
		
    微服务体系中,避免不了服务之间链式调用,一般使用 Feign ,由于使用 Spring Security OAuth2 全局做了安全认证,简单的一种实现方式就是在服务提供方获得 Token 再次通过  ...
    
		
    6. 
						
  6. 使用Redis作为Spring Security OAuth2的token存储
		
    写在前边 本文对Spring Security OAuth2的token使用Redis保存,相比JWT实现的token存储,Redis可以随时吊销access_token,并且Redis响应速度很快, ...
    
		
    7. 
						
  7. 使用JWT作为Spring Security OAuth2的token存储
		
    序 Spring Security OAuth2的demo在前几篇文章中已经讲过了,在那些模式中使用的都是RemoteTokenService调用授权服务器来校验token,返回校验通过的用户信息供上 ...
    
		
    8. 
						
  8. 【OAuth2.0】Spring Security OAuth2.0篇之初识
		
    不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握 ...
    
		
    9. 
						
  9. Spring security oauth2最简单入门环境搭建
		
    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. unity, GUIStyle and Skin
			
    例1: using UnityEngine; using System.Collections; using UnityEditor; using System.Collections.Generic ...
    
			
    2. 
						
  2. php AES加密解密的例子
			
    一共有两个文件:AES.php(aes算法类文件)和aesDemo.php(应用实例文件) aesDemo.php:例子, <?php require_once('./AES.php'); // ...
    
			
    3. 
						
  3. Atitit。D&D drag&drop拖拽功能c#.net java swing的对比与实现总结
			
    Atitit.D&D drag&drop拖拽功能c#.net java swing的对比与实现总结 1. 实现一个D&D操作一般包括三个步骤: 1 2. .net黑头的拖曳机制 ...
    
			
    4. 
						
  4. atitit.词法分析的实现token attilax总结
			
    atitit.词法分析的实现token attilax总结 1. 词法分析(英语:lexical analysis)跟token 1 1.1. 扫描器 2 2. 单词流必须识别为保留字,标识符(变量) ...
    
			
    5. 
						
  5. Windows 10 开发人员预览版中的新增功能(转自 IT之家)
			
    Windows 10 开发人员预览版中的新增功能 在Win10预览版中安装工具与SDK后,即可着手创建Windows通用应用或先浏览目前的环境与此前相比都发生了什么变化. 应用建模 文件资源管理器:  ...
    
			
    6. 
						
  6. xadmin 问题总结
			
    pip install django-import-export
    
			
    7. 
						
  7. Git中保存用户名和密码
			
    每次操作都需要输入用户名和密码感觉很繁琐,解决方法,在本地的工程文件夹的.git下打开config文件添加: [credential]     helper = store 再输入一次用户名密码后就可 ...
    
			
    8. 
						
  8. 算法 quick sort
			
    // ------------------------------------------------------------------------------------------------- ...
    
			
    9. 
						
  9. Unity3D中UGUI使用ScrollBar之后保存,工程启动报错原因跟踪
			
    笔者不久前将Unity3D版本更新为4.6.2之后.在使用新UI的时候发现关闭项目之后经常再次打开项目会出现一对的报错. 找了一圈,发现是ScrollBar控件出现了BUG.整个空间的滑块消失了. 在 ...
    
			
    10. 
						
  10. Go语言中字符串的查找方法小结
			
    这篇文章主要介绍了Go语言中字符串的查找方法小结,示例的main函数都是导入strings包然后使用其中的方法,需要的朋友可以参考下   1.func Contains(s, substr strin ...
    
			
    11.