在 Spring Security OAuth2 (provider) 中使用作用域作为角色
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22417780/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using scopes as roles in Spring Security OAuth2 (provider)
提问by Christophe L
Let's consider a fairly simple hypothetical application where users can read or write posts.
让我们考虑一个相当简单的假设应用程序,用户可以在其中阅读或撰写帖子。
Some users can read and write articles while some others can only read them. With Spring Security (3.2.1) I modeled this by having 2 roles:
一些用户可以阅读和编写文章,而另一些用户只能阅读它们。使用 Spring Security (3.2.1) 我通过有 2 个角色对此进行建模:
- ROLE_WRITE: this role grants users access to writing posts.
- ROLE_READ: this role grants users access to reading posts.
- ROLE_WRITE:此角色授予用户撰写帖子的权限。
- ROLE_READ:此角色授予用户阅读帖子的权限。
Implementing this with Spring security is fairly straightforward...
使用 Spring security 实现这一点相当简单......
Now I want to also allow third-party apps to read and write posts on behalf of users by implementing an OAuth2 provider using Spring Security OAuth (version 2.0.0.M3 ATM).
现在,我还想通过使用Spring Security OAuth(版本 2.0.0.M3 ATM)实现 OAuth2 提供程序,允许第三方应用程序代表用户读取和写入帖子。
During the authorization step, the app asks the user whether they are willing to grant the right to read and/or write posts on their behalf. The user here is granting scopes here (not roles).
在授权步骤中,应用程序会询问用户是否愿意代表他们授予阅读和/或撰写帖子的权利。这里的用户在这里授予范围(不是角色)。
Then when the OAuth2 consumer calls my REST API, Spring Sec OAuth authorizes the token granted and creates an authentication containing the user with all their roles and only the scopes granted.
然后,当 OAuth2 使用者调用我的 REST API 时,Spring Sec OAuth 会授权授予的令牌并创建一个包含用户及其所有角色和仅授予范围的身份验证。
The problem (and the question) is that I now have to write different security logic depending on whether the API is called by a user normally authenticated (just check the roles) or whether it's called through OAuth2 (check roles + scopes).
问题(和问题)是我现在必须编写不同的安全逻辑,具体取决于 API 是由正常身份验证的用户调用(仅检查角色)还是通过 OAuth2 调用(检查角色 + 范围)。
Is it possible to "merge" the concepts of roles and scopes in Spring Security OAuth2 so that during the authorization step, the user grants the app a subset of the rolesthey have (and have the OAuth2 authentication only report these in the granted authorities)? That way when the 3rd party app makes an API call, the roles on the authentication are the ones granted? That way I don't have to write any OAuth2 specific security logic.
是否可以在 Spring Security OAuth2 中“合并”角色和范围的概念,以便在授权步骤中,用户授予应用他们拥有的角色的子集(并且让 OAuth2 身份验证仅在授予的权限中报告这些) ? 这样,当第 3 方应用程序进行 API 调用时,身份验证中的角色是授予的角色吗?这样我就不必编写任何 OAuth2 特定的安全逻辑。
采纳答案by Dave Syer
Scopes (and roles) are arbitrary strings, so there is no problem if you want to make then the same. To make the access rule declarations identical you could write an ExpressionHandlerthat tested authorities or scopes with the same values depending on the type of Authenticationit found.
作用域(和角色)是任意字符串,所以如果你想使然后相同没有问题。为了使访问规则声明相同,您可以ExpressionHandler根据Authentication找到的类型编写具有相同值的测试权限或范围。
A different approach suggests itself after you read the comments: add a custom TokenStoreor ResourceServerTokenServices. These are easily accessible extension points and would permit modifying the OAuth2Authenticationso that its granted authorities were the same as the scopes.
阅读评论后,建议采用不同的方法:添加自定义TokenStore或ResourceServerTokenServices. 这些是易于访问的扩展点,并允许修改OAuth2Authentication以便其授予的权限与范围相同。
My preference, however, is to control the allowed scopes using a OAuth2RequestFactory, limiting them at the point of the token grant to values that are consistent with the user's authorities.
但是,我的偏好是使用 a 控制允许的范围OAuth2RequestFactory,在授予令牌时将它们限制为与用户权限一致的值。
回答by sciack
You can configure your own AccessTokenConverter (mainly for JWT) and extract the claims you want from the JWT access token and generate an Authority object. Just define a Bean factory that return an AccessTokenConverter
您可以配置自己的 AccessTokenConverter(主要用于 JWT)并从 JWT 访问令牌中提取您想要的声明并生成一个 Authority 对象。只需定义一个返回 AccessTokenConverter 的 Bean 工厂
