java # oauth2方法级的安全表达式

b1payxdu  于 2023-05-15  发布在  Java
关注(0)|答案(6)|浏览(122)

我应该怎么做才能像下面的例子那样在方法级别上使用#oauth2安全表达式?

@RequestMapping(value = "email", method = RequestMethod.GET)
  @ResponseBody
  @PreAuthorize("#oauth2.hasScope('read')")
  public String email() {

    return "test@email.com";
  }

如果我对收到的资源发出请求

[INFO] java.lang.IllegalArgumentException: Failed to evaluate expression '#oauth2.hasScope('read')'
[INFO]  at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:14)
[INFO]  at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:44)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:57)
[INFO]  at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25)
[INFO]  at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62)
[INFO]  at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
[INFO]  at org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor.invoke(AspectJMethodSecurityInterceptor.java:43)
[INFO]  at org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_AnnotationSecurityAspect$1$c4d57a2b(AnnotationSecurityAspect.aj:63)
[INFO]  at pl.insert.controllers.ResourceController.email(ResourceController.java:22)

如果我在ResourceServerConfiguration中指定访问权限而不是@Controllers的方法,同样的事情也能很好地工作

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/oauth/resources/**");
    http.authorizeRequests().anyRequest().access("#oauth2.hasScope('read')");
  }
}

像@PreAuthorize(“permitAll”)或@PreAuthorize(“denyAll”)这样的标准安全表达式按预期工作。因此,可能我必须以某种方式告诉我的AspectJMethodSecurityInterceptor使用OAuth2 WebSecurityExpressionHandler。有什么想法吗

q9rjltbz

q9rjltbz1#

要启用#oAuth2安全表达式,只需将默认表达式处理程序设置为OAuth2MethodSecurityExpressionHandler而不是DefaultMethodSecurityExpressionHandler。因为OAuth2MethodSecurityExpressionHandler无论如何都要扩展它,所以整个先前的功能保持不变。在我的配置中,我同时使用GlobalMethodSecurityConfigurationWebSecurityConfigurerAdapter

@Configuration
@EnableGlobalMethodSecurity
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    return new OAuth2MethodSecurityExpressionHandler();
  }
}

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  ...
}

@Configuration
@Import({ SecurityConfiguration.class, MethodSecurityConfiguration.class })
public class AppConfiguration {
  ...
}
aij0ehis

aij0ehis2#

我想你还需要补充一下:@EnableGlobalMethodSecurity(prePostEnabled = true)以使其工作。
Answered on deferent page

ccrfmcuu

ccrfmcuu3#

更简单的解决方案是让Sping Boot 自动配置。添加以下依赖项为我解决了这个问题:

compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')
vddsk6oq

vddsk6oq4#

这是一个老问题,事情已经改变了。使用Spring Security 5时,应该用途:

.hasAuthority("SCOPE_scopename")

Spring根据从provider接收到的作用域向主体添加权限,前缀为“SCOPE_”。

更多信息:https://www.baeldung.com/spring-security-openid-connect

i1icjdpr

i1icjdpr5#

我遇到了同样的问题,但只是在单元测试(@WebMvcTest)中。我必须在定义测试配置的内部类上添加@EnableGlobalMethodSecurity

@RunWith(SpringRunner.class)
@WebMvcTest(MyController.class)
public class MyControllerTest {

  @TestConfiguration
  @Import({JacksonCustomizations.class,SecuritySettings.class,
        OAuth2ServerConfiguration.class, WebSecurityConfiguration.class,
        TokenGrantersConfiguration.class})
  @EnableGlobalMethodSecurity
  public static class TestConfig {
  }
}

更新:在Sping Boot 2.x中,您可能会得到:
java.lang.IllegalStateException:在所有全局方法配置的组合中,实际上没有激活任何注解支持
原因是您添加了@EnableGlobalMethodSecurity,但实际上没有启用任何东西。若要修复此问题,请将注解的至少一个属性设置为true。例如:

@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
jxct1oxe

jxct1oxe6#

对我来说,是this answer的组合

// spring configuration class annotation
@EnableGlobalMethodSecurity(prePostEnabled = true)

this other answer

// gradle dependencuy
compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')

相关问题