SpringBoot2.3和SpringSecurity5在一个模式中支持userdetailsservice和oauth2

rxztt3cl  于 2021-06-29  发布在  Java
关注(0)|答案(1)|浏览(379)

我正在使用SpringBoot2.3.x、SpringSecurity5和thymeleaf构建一个JavaWebApp,运行在Java11上。
应用程序需要支持某种用户帐户。作为一个起点,我遵循了johnthompson(又称spring框架Maven)在他的“spring安全核心:从初学者到Maven”课程中使用的方法。john的方法使用spring数据jpa和httpbasic身份验证,在这里我实现了spring接口 UserDetailsService 并允许应用程序在http基本身份验证期间按需从数据库加载用户凭据(用户名、密码、角色、权限)。这一切都很好。因为我将每个用户的角色/权限存储在数据库中,所以我拥有完全的控制权,可以将它们与spring安全方法级别的注解一起使用,如下所示: @PreAuthorize("hasAuthority('user.details.read')") . 再说一遍,这一切都很好。
从课程材料来看,john的方法的问题是,我仅限于httpbasic和存储/管理所有用户密码。
昨天我试用了SpringSecurity5的OAuth2.0特性,以“使用facebook登录”。我使用了本教程页面中的一些代码开始。单独来说,我的应用程序可以很好地将用户验证为facebook成员。不幸的是,这提供了另一种 @AuthenticationPrincipal 对象,该对象包含仅与facebook相关的角色和权限。

问题

我现在有两种断开连接的用户:
http基本身份验证用户,其凭据、角色和权限由我管理。他们的角色/授权适合我的应用程序。
oauth2已通过身份验证的用户,其凭据、角色和权限不受我的控制。他们的角色/权限与我的应用程序无关。
我想要的最终状态是:
我的应用程序数据库存储分配给每个用户的角色/权限
该应用程序将支持通过httpbasic或oauth2(最初到facebook)进行身份验证,但我的应用程序数据库将提供角色/权限
每个用户的“唯一标识符”将是他们的电子邮件地址(facebook oauth2将此作为一个属性提供),因此我希望可以使用它来关联httpbasic和oauth2身份验证对象
用户可以为自己的帐户设置httpbasic和oauth2,如果是这样的话,他们可以用这两种方法登录。不管怎样,他们在我的应用程序中仍然具有相同的角色/权限。
总而言之:我只想让facebook oauth2确认“这是一个活跃的facebook用户,其电子邮件地址是”xyz@example.com然后将他们的facebook帐户与我的应用程序中的一个用户帐户链接起来。

接下来呢?

spring在为每个单独用例的组件(httpbasic和oauth2)提供“合理的默认值”方面做得很好。我怀疑我需要重写和/或禁用这些组件的一些行为来获得我想要的东西。我只是不知道从哪里开始。

目前为止的代码

我在下面提供了一些代码示例。如上所述,与 UserDetailsService 而提供该服务的jpa实体已经运行良好。我的问题本质上是“如何将oauth2合并到已经工作的内容中?”。
我的 WebSecurityConfigurerAdapter 实现类

@RequiredArgsConstructor
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;
    private final PersistentTokenRepository persistentTokenRepository;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // @formatter:off
        httpSecurity
                .authorizeRequests(authorize -> {
                    authorize
                        // The following paths do not require the user to be authenticated by Spring Security
                        .antMatchers("/", "/favicon.ico", "/login", "/login-form", "/vendor/**", "/images/**").permitAll()
                        // Allow anonymous access to webjars
                        .antMatchers("/webjars/**").permitAll()
                        // Allow anonymous access to all enabled actuators
                        .antMatchers("/actuator/**").permitAll()
                        // This should only be relevant in a non-production environment
                        .antMatchers("/h2-console/**").permitAll();
                })
                // All other request paths not covered by the list above can only be viewed by an authenticated user
                .authorizeRequests().anyRequest().authenticated()
            .and()
                // Explicitly defining a login and logout configurer will implicitly disable
                // the built-in login/logout forms provided by Spring
                .formLogin(loginConfigurer -> {
                    // If the user enters the path "/login", then display the main page (at "/").
                    // The main page contains a login form.
                    loginConfigurer
                            .loginProcessingUrl("/login")
                            //.loginPage("/").permitAll()
                            .loginPage("/login-form").permitAll()
                            //.successForwardUrl("/")
                            //.defaultSuccessUrl("/")
                            .defaultSuccessUrl("/formLoginSuccess")
                            // Add an 'error' parameter to the success URL so a Thymeleaf template
                            // could conditionally display something if a login failure occurs
                            .failureUrl("/?error");
                })
                .logout(logoutConfigurer -> {
                    // If the user enters the path "/logout", then log them out and then navigate to the main page
                    logoutConfigurer
                            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
                            // Add a 'logout' parameter to the success URL so the Thymeleaf template
                            // can conditionally display a friendly message upon successful logout
                            .logoutSuccessUrl("/?logout")
                            .permitAll();
                })
                // Use HTTP Basic authentication
                .httpBasic()
            .and()
                .oauth2Login()
                    .loginPage("/login-form").permitAll()
                    .defaultSuccessUrl("/oauth2LoginSuccess", true)
            .and()
                .rememberMe()
                .tokenRepository(persistentTokenRepository)
                .userDetailsService(userDetailsService)
            .and()
                .csrf()
                    // CSRF will break the H2 console, so ignore it
                    .ignoringAntMatchers("/h2-console/**")
                    // The OAuth2 tutorial for Facebook says that CSRF will interfere with "/logout" via HTTP GET (I never confirmed that)
                    // REFERENCE: https://medium.com/@mail2rajeevshukla/spring-security-5-3-oauth2-integration-with-facebook-along-with-form-based-login-767e10b02dbc
                    .ignoringAntMatchers("/logout")
            .and()
                // Needed to allow the H2 console to function correctly
                .headers().frameOptions().sameOrigin();
        // @formatter:on
    }

}

我的登录窗体的控制器,支持“使用facebook登录”或http basic

@Slf4j
@RequiredArgsConstructor
@Controller
public class LoginFormController {

    @Autowired
    private final OAuth2AuthorizedClientService oauth2AuthorizedClientService;

    @RequestMapping("/login-form")
    public String getLoginForm() {
        return "login-form";
    }

    @RequestMapping("/oauth2LoginSuccess")
    public String getOauth2LoginInfo(
            Model model,
            @AuthenticationPrincipal OAuth2AuthenticationToken authenticationToken) {

        log.info("USER AUTHENTICATED WITH OAUTH2");

        // This will be something like 'facebook' or 'google' - describes the service that supplied the token
        log.info("auth token 'authorized client registration id': [{}]", authenticationToken.getAuthorizedClientRegistrationId());
        // A unique id for this user on the service that supplied the token (this is a long integer value on Facebook)
        log.info("auth token 'name': [{}]", authenticationToken.getName());

        if (!(authenticationToken.getPrincipal() instanceof OAuth2User)) {
            throw new IllegalStateException("Expected principal object to be of type '" + OAuth2User.class.getName() + "'");
        }
        final OAuth2User oauth2User = authenticationToken.getPrincipal();
        // 'oauth2User.getName()' returns the same long integer value on Facebook as the call to 'authenticationToken.getName()'
        log.info("oauth2User 'name': [{}]", oauth2User.getName());
        for (String key : oauth2User.getAttributes().keySet()) {
            // For Facebook OAuth2, the 'email' attribute is most important to me.
            // The 'name' attribute may also be useful. It contains a user-friendly name like 'Jim Tough'.
            log.info("oauth2User '{}' attribute value: [{}]", key, oauth2User.getAttributes().get(key));
        }

        OAuth2AuthorizedClient client =
                oauth2AuthorizedClientService.loadAuthorizedClient(
                        authenticationToken.getAuthorizedClientRegistrationId(),
                        authenticationToken.getName());
        log.info("Client token value: [{}]", client.getAccessToken().getTokenValue());

        model.addAttribute("authenticatedUsername", oauth2User.getAttribute("email"));
        model.addAttribute("authenticationType", "OAuth2");
        model.addAttribute("oauth2Provider", authenticationToken.getAuthorizedClientRegistrationId());

        return "login-form";
    }

    @RequestMapping("/formLoginSuccess")
    public String getFormLoginInfo(
            Model model,
            @AuthenticationPrincipal Authentication authentication) {

        log.info("USER AUTHENTICATED WITH HTTP BASIC");

        if (!(authentication.getPrincipal() instanceof UserDetails)) {
            throw new IllegalStateException("Expected principal object to be of type '" + UserDetails.class.getName() + "'");
        }
        // In form-based login flow you get UserDetails as principal
        final UserDetails userDetails = (UserDetails) authentication.getPrincipal();

        model.addAttribute("authenticatedUsername", userDetails.getUsername());
        model.addAttribute("authenticationType", "HttpBasic");
        model.addAttribute("oauth2Provider", null);

        return "login-form";
    }

}

我的 UserDetailsService 实现类(用于http基本身份验证)

@Slf4j
@RequiredArgsConstructor
@Service
public class JPAUserDetailsService implements UserDetailsService {

    private final UserRepository userRepository;

    @Transactional
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        log.debug("Retrieving user details for [{}] from database", username);
        return userRepository.findByUsername(username).orElseThrow(() ->
                new UsernameNotFoundException("username [" + username + "] not found in database")
        );
    }

}

我的 UserRepository 定义

public interface UserRepository extends JpaRepository<User, Integer> {

    Optional<User> findByUsername(String username);

}

我的 User 实体

@Setter
@Getter
@AllArgsConstructor
@NoArgsConstructor
@Builder
@Entity
public class User implements UserDetails, CredentialsContainer {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Integer id;

    private String username;
    private String password;

    @Singular
    @ManyToMany(cascade = {CascadeType.MERGE}, fetch = FetchType.EAGER)
    @JoinTable(name = "user_role",
        joinColumns = {@JoinColumn(name = "USER_ID", referencedColumnName = "ID")},
        inverseJoinColumns = {@JoinColumn(name = "ROLE_ID", referencedColumnName = "ID")})
    private Set<Role> roles;

    @Transient
    public Set<GrantedAuthority> getAuthorities() {
        return this.roles.stream()
                .map(Role::getAuthorities)
                .flatMap(Set::stream)
                .map(authority -> {
                    return new SimpleGrantedAuthority(authority.getPermission());
                })
                .collect(Collectors.toSet());
    }

    @Override
    public boolean isAccountNonExpired() {
        return this.accountNonExpired;
    }

    @Override
    public boolean isAccountNonLocked() {
        return this.accountNonLocked;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return this.credentialsNonExpired;
    }

    @Override
    public boolean isEnabled() {
        return this.enabled;
    }

    @Builder.Default
    private Boolean accountNonExpired = true;

    @Builder.Default
    private Boolean accountNonLocked = true;

    @Builder.Default
    private Boolean credentialsNonExpired = true;

    @Builder.Default
    private Boolean enabled = true;

    @Override
    public void eraseCredentials() {
        this.password = null;
    }

    @CreationTimestamp
    @Column(updatable = false)
    private Timestamp createdDate;

    @UpdateTimestamp
    private Timestamp lastModifiedDate;

}
``` `schema.sql` -在spring security中创建oauth2类用于持久令牌存储的表

CREATE TABLE oauth2_authorized_client (
client_registration_id varchar(100) NOT NULL,
principal_name varchar(200) NOT NULL,
access_token_type varchar(100) NOT NULL,
access_token_value blob NOT NULL,
access_token_issued_at timestamp NOT NULL,
access_token_expires_at timestamp NOT NULL,
access_token_scopes varchar(1000) DEFAULT NULL,
refresh_token_value blob DEFAULT NULL,
refresh_token_issued_at timestamp DEFAULT NULL,
created_at timestamp DEFAULT CURRENT_TIMESTAMP NOT NULL,
PRIMARY KEY (client_registration_id, principal_name)
);

我的日志输出 `LoginFormController` 当我使用自己的facebook帐户通过facebook oauth2登录时,看起来是这样的:

[INFO ] LoginFormController - USER AUTHENTICATED WITH OAUTH2
[INFO ] LoginFormController - auth token 'authorized client registration id': [facebook]
[INFO ] LoginFormController - auth token 'name': [10139295061993788]
[INFO ] LoginFormController - oauth2User 'name': [10139295061993788]
[INFO ] LoginFormController - oauth2User 'id' attribute value: [10139295061993788]
[INFO ] LoginFormController - oauth2User 'name' attribute value: [Jim Tough]
[INFO ] LoginFormController - oauth2User 'email' attribute value: [jim@jimtough.com]

我还看到了我的另一个监听器类的日志输出:

[INFO ] AuthenticationEventLogger - principal type: OAuth2LoginAuthenticationToken | authorities: [ROLE_USER, SCOPE_email, SCOPE_public_profile]

当局 `ROLE_USER, SCOPE_email, SCOPE_public_profile` 在我的申请中毫无意义。
dm7nw8vv

dm7nw8vv1#

我相信你要找的是 GrantedAuthoritiesMapper 您注册了一个bean,它将您的权限Map到要使用的角色。

@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    .userAuthoritiesMapper(this.userAuthoritiesMapper())
                    ...
                )
            );
    }

    private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

            authorities.forEach(authority -> {
                if (OidcUserAuthority.class.isInstance(authority)) {
                    OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;

                    OidcIdToken idToken = oidcUserAuthority.getIdToken();
                    OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();

                    // Map the claims found in idToken and/or userInfo
                    // to one or more GrantedAuthority's and add it to mappedAuthorities

                } else if (OAuth2UserAuthority.class.isInstance(authority)) {
                    OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;

                    Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();

                    // Map the attributes found in userAttributes
                    // to one or more GrantedAuthority's and add it to mappedAuthorities

                }
            });

            return mappedAuthorities;
        };
    }
}

它还可以Map为bean,并由spring引导配置自动获取。

@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .oauth2Login(withDefaults());
    }

    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        ...
    }
}

你可以在这里了解更多。

相关问题