Spring Security OAuth2 token權(quán)限隔離的示例分析

這篇文章將為大家詳細(xì)講解有關(guān)Spring Security OAuth2 token權(quán)限隔離的示例分析，小編覺得挺實(shí)用的，因此分享給大家做個(gè)參考，希望大家閱讀完這篇文章后可以有所收獲。

一、哪里重寫？

資源服務(wù)器向授權(quán)服務(wù)服務(wù)器獲取資源時(shí)候，返回的user信息重寫，加入authorities

@RestController
@Slf4j
public class UserController {

 @Autowired
 HttpServletRequest request;

 @GetMapping("/user")
 public Principal user(Principal principal) {
  log.info("獲取user信息:{}", JSON.toJSON(principal));  return principal; }

返回的具體用戶信息：

{
  "principal": {
    "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
    "phone": "13918438965",
    "credentialsNonExpired": true,
    "accountNonExpired": true,
    "enabled": true,
    "accountNonLocked": true,
    "username": "4738195728608789333"
  },
  "authenticated": true,
  "oAuth3Request": {
    "redirectUri": "http://www.baidu.com",
    "responseTypes": ["code"],
    "approved": true,
    "extensions": {},
    "clientId": "external",
    "scope": ["auth_base"],
    "requestParameters": {
      "code": "ovzMSk",
      "grant_type": "authorization_code",
      "scope": "auth_base",
      "response_type": "code",
      "redirect_uri": "http://www.baidu.com",
      "state": "123",
      "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",
      "client_id": "external"
    },
    "refresh": false,
    "grantType": "authorization_code",
    "authorities": [{
      "authority": "auth_base"
    }],
    "resourceIds": []
  },
  "clientOnly": false,
  "credentials": "",
  "name": "4738195728608789333",
  "userAuthentication": {
    "principal": {
      "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
      "phone": "13918438965",
      "credentialsNonExpired": true,
      "accountNonExpired": true,
      "enabled": true,
      "accountNonLocked": true,
      "username": "4738195728608789333"
    },
    "authenticated": true,
    "oAuth3Request": {
      "responseTypes": [],
      "approved": true,
      "extensions": {},
      "clientId": "gt",
      "scope": ["frontend"],
      "requestParameters": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_id": "gt",
        "username": "13918438965"
      },
      "refresh": false,
      "grantType": "password",
      "authorities": [{
        "authority": "client"
      }],
      "resourceIds": []
    },
    "clientOnly": false,
    "credentials": "",
    "name": "4738195728608789333",
    "userAuthentication": {
      "principal": {
        "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
        "phone": "13918438965",
        "credentialsNonExpired": true,
        "accountNonExpired": true,
        "enabled": true,
        "accountNonLocked": true,
        "username": "4738195728608789333"
      },
      "authenticated": true,
      "name": "4738195728608789333",
      "details": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",
        "client_id": "gt",
        "username": "13918438965"
      },
      "authorities": []
    },
    "details": {
      "tokenType": "Bearer",
      "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",
      "remoteAddress": "0:0:0:0:0:0:0:1"
    },
    "authorities": []
  },
  "details": {
    "tokenType": "Bearer",
    "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",
    "remoteAddress": "0:0:0:0:0:0:0:1"
  },
  "authorities": []
}

二、如何重寫？

principal是OAuth3Authentication實(shí)例，OAuth3Authentication主要包括OAuth3Request storedRequest、Authentication userAuthentication，

重寫目的是將storedRequest authorities復(fù)制到authoritie中，但問題是authoritie不讓修改的，沒辦法只能重寫這個(gè)OAuth3Authentication了。

為了改變authoritie重寫：

@GetMapping("/user")
 public Principal user(Principal principal) {
  log.info("獲取user信息:{}", JSON.toJSON(principal));
  OAuth3Authentication oAuth3Authentication = (OAuth3Authentication) principal;
  OAuth3Request storedRequest = oAuth3Authentication.getOAuth3Request();
  Authentication userAuthentication = oAuth3Authentication.getUserAuthentication();
  // 為了服務(wù)端進(jìn)行token權(quán)限隔離 定制OAuth3Authentication
  CustomOAuth3Authentication customOAuth3Authentication = new CustomOAuth3Authentication(storedRequest, userAuthentication, storedRequest.getAuthorities());
  customOAuth3Authentication.setDetails(oAuth3Authentication.getDetails());
  log.info("返回用戶信息:{}", JSON.toJSON(customOAuth3Authentication));
  return customOAuth3Authentication;
 }

CustomOAuth3Authentication ：

package com.brightcns.wuxi.citizencard.auth.domain;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth3.provider.OAuth3Request;

import java.util.Collection;

/**
 * @author maxianming
 * @date 2018/10/29 13:53
 */
public class CustomOAuth3Authentication extends AbstractAuthenticationToken {

  private static final long serialVersionUID = -4809832298438307309L;

  private final OAuth3Request storedRequest;

  private final Authentication userAuthentication;

  /**
   * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user
   * authentication may be null.
   * @param storedRequest   The authorization request (must not be null).
   * @param userAuthentication The user authentication (possibly null).
   */
  public CustomOAuth3Authentication(OAuth3Request storedRequest, Authentication userAuthentication, Collection<? extends GrantedAuthority> authorities) {
    /**
     * 為了服務(wù)端進(jìn)行token權(quán)限隔離 {@link @PreAuthorize("hasAuthority('server')")}，自定義OAuth3Authentication使得支持改變authorities
     */
    super(authorities != null ? authorities : userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());
    this.storedRequest = storedRequest;
    this.userAuthentication = userAuthentication;
  }

  public Object getCredentials() {
    return "";
  }

  public Object getPrincipal() {
    return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication
        .getPrincipal();
  }

  /**
   * Convenience method to check if there is a user associated with this token, or just a client application.
   *
   * @return true if this token represents a client app not acting on behalf of a user
   */
  public boolean isClientOnly() {
    return userAuthentication == null;
  }

  /**
   * The authorization request containing details of the client application.
   *
   * @return The client authentication.
   */
  public OAuth3Request getOAuth3Request() {
    return storedRequest;
  }

  /**
   * The user authentication.
   *
   * @return The user authentication.
   */
  public Authentication getUserAuthentication() {
    return userAuthentication;
  }

  @Override
  public boolean isAuthenticated() {
    return this.storedRequest.isApproved()
        && (this.userAuthentication == null || this.userAuthentication.isAuthenticated());
  }

  @Override
  public void eraseCredentials() {
    super.eraseCredentials();
    if (this.userAuthentication != null && CredentialsContainer.class.isAssignableFrom(this.userAuthentication.getClass())) {
      CredentialsContainer.class.cast(this.userAuthentication).eraseCredentials();
    }
  }

  @Override
  public boolean equals(Object o) {
    if (this == o) {
      return true;
    }
    if (!(o instanceof CustomOAuth3Authentication)) {
      return false;
    }
    if (!super.equals(o)) {
      return false;
    }

    CustomOAuth3Authentication that = (CustomOAuth3Authentication) o;

    if (!storedRequest.equals(that.storedRequest)) {
      return false;
    }
    if (userAuthentication != null ? !userAuthentication.equals(that.userAuthentication)
        : that.userAuthentication != null) {
      return false;
    }

    if (getDetails() != null ? !getDetails().equals(that.getDetails()) : that.getDetails() != null) {
      // return false;
    }

    return true;
  }
  @Override
  public int hashCode() {
    int result = super.hashCode();
    result = 31 * result + storedRequest.hashCode();
    result = 31 * result + (userAuthentication != null ? userAuthentication.hashCode() : 0);
    return result;
  }

}

主要在OAuth3Authentication基礎(chǔ)上修改了30-35行代碼

關(guān)于“Spring Security OAuth2 token權(quán)限隔離的示例分析”這篇文章就分享到這里了，希望以上內(nèi)容可以對(duì)大家有一定的幫助，使各位可以學(xué)到更多知識(shí)，如果覺得文章不錯(cuò)，請(qǐng)把它分享出去讓更多的人看到。