如何在 Spring Boot 中从资源服务器中的令牌中提取声明

【问题标题】:How to extract claims from token in Resource Server, in Spring Boot如何在 Spring Boot 中从资源服务器中的令牌中提取声明
【发布时间】:2020-05-18 22:28:24
【问题描述】:

我的身份验证服务器配置为根据我的数据库上的表检索检查凭据,并使用令牌增强器传递其他声明 - 访问控制相关内容。

因此,我是这样写的:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Value("${security.signing-key}")
    private String signingKey;
    private @Autowired TokenStore tokenStore;
    private @Autowired AuthenticationManager authenticationManager;
    private @Autowired CustomUserDetailsService userDetailsService;

    private @Autowired JwtAccessTokenConverter accessTokenConverter;

    private static final Logger LOGGER = LogManager.getLogger(AuthorizationServerConfig.class);

    @Bean
    @ConfigurationProperties(prefix = "spring.datasource")
    public DataSource oauthDataSource() {
        DataSource ds = null;
        try {
            Context initialContex = new InitialContext();
            ds = (DataSource) (initialContex.lookup("java:/jdbc/oauthdatasource"));
            if (ds != null) {
                ds.getConnection();
            }
        } catch (NamingException ex) {
            LOGGER.error("Naming exception thrown: ", ex);
        } catch (SQLException ex) {
            LOGGER.info("SQL exception thrown: ", ex);
        }
        return ds;
    }

    @Bean
    public JdbcClientDetailsService clientDetailsServices() {
        return new JdbcClientDetailsService(oauthDataSource());
    }

    @Bean
    public TokenStore tokenStore() {
        return new CustomJdbcTokenStore(oauthDataSource());
    }

    @Bean
    public ApprovalStore approvalStore() {
        return new JdbcApprovalStore(oauthDataSource());
    }

    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(oauthDataSource());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        CustomTokenEnhancer converter = new CustomTokenEnhancer();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsServices());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .authenticationManager(authenticationManager)
                .accessTokenConverter(accessTokenConverter)
                .userDetailsService(userDetailsService)
                .reuseRefreshTokens(false);
    }
}

这很好用。当我通过 POSTMAN 拨打电话时,我得到如下信息:

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2hhcmVwb3J0YWwiXSwiaW5mb19maXJzdCI6IlRoaXMgaXMgdGhlIGZpcnN0IEluZm8iLCJ1c2VyX25hbWUiOiJBdXRoZW50aWNhdGlvbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il0sImluZm9fc2Vjb25kIjoiVGhpcyBpcyB0aGUgc2Vjb25kIGluZm8iLCJleHAiOjE1ODA3MTMyOTQsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiI1MTg4MGJhZC00MGJiLTQ3ZTItODRjZS1lNDUyNGY1Y2Y3MzciLCJjbGllbnRfaWQiOiJzaGFyZXBvcnRhbC1jbGllbnQifQ.ABmBjwmVDb2acZtGSQrjKcCwfZwhw4R_rpW4y5JA1jY",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2hhcmVwb3J0YWwiXSwiaW5mb19maXJzdCI6IlRoaXMgaXMgdGhlIGZpcnN0IEluZm8iLCJ1c2VyX25hbWUiOiJBdXRoZW50aWNhdGlvbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il0sImF0aSI6IjUxODgwYmFkLTQwYmItNDdlMi04NGNlLWU0NTI0ZjVjZjczNyIsImluZm9fc2Vjb25kIjoiVGhpcyBpcyB0aGUgc2Vjb25kIGluZm8iLCJleHAiOjE1ODA3MTM0MzQsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiIyZDYxMDU2ZC01ZDMwLTRhZTQtOWMxZC0zZjliYjRiOWYxOGIiLCJjbGllbnRfaWQiOiJzaGFyZXBvcnRhbC1jbGllbnQifQ.qSLpJm4QxZTIVn1WYWH7EFBS8ryjF1hsD6RSRrEBZd0",
    "expires_in": 359,
    "scope": "read write trust"
}

现在的问题是我的资源服务器。这是在我向身份验证服务器添加令牌增强器之前的样子:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    private @Autowired CustomAuthenticationEntryPoint entryPoint;
    private @Autowired TokenStore tokenStore;
    private static final String RESOURCE_ID = "resourceid";

    private static final Logger LOGGER = LogManager.getLogger(ResourceServerConfig.class);

    @Bean
    @ConfigurationProperties(prefix = "spring.datasource")
    public DataSource oauthDataSource() {
        DataSource ds = null;
        try {
            Context initialContex = new InitialContext();
            ds = (DataSource) (initialContex.lookup("java:/jdbc/oauthdatasource"));
            if (ds != null) {
                ds.getConnection();
            }
        } catch (NamingException ex) {
            LOGGER.error("Naming exception thrown: ", ex);
        } catch (SQLException ex) {
            LOGGER.info("SQL exception thrown: ", ex);
        }
        return ds;
    }

    @Bean
    public TokenStore getTokenStore() {
        return new JdbcTokenStore(oauthDataSource());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
                .and()
                .headers().addHeaderWriter((request, response) -> {
                    response.addHeader("Access-Control-Allow-Origin", "*");
                    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
                    response.setHeader("Access-Control-Max-Age", "3600");
                    response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization");
                    if (request.getMethod().equals("OPTIONS")) {
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                })
                .and().exceptionHandling().authenticationEntryPoint(entryPoint);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID).tokenStore(tokenStore).authenticationEntryPoint(entryPoint);
    }
}

我希望通过身份验证服务器检索我作为附加声明放置的访问控制信息,但我不知道如何去做。

我在互联网上看到了几个例子,包括:How to extract claims from Spring Security OAuht2 Boot in the Resource Server?,但没有一个对我有用。或者也许我错过了什么。

请问,我必须添加什么才能使这成为可能?

【问题讨论】:

  • 你可能想看看这个答案:stackoverflow.com/questions/46333945/…
  • @filip 该死的,我希望我在遇到这个问题时能看到这个。本来可以帮我减轻很多压力。但是,我将实施以供将来使用。谢谢

标签: java spring-boot oauth


【解决方案1】:

我不得不使用第三方库来实现这一点。

这是图书馆的链接:https://github.com/auth0/java-jwt

效果很好。

在我的资源服务器中,我可以获取我的令牌值,然后使用 java-jwt 库,我可以提取我在授权服务器中设置的任何声明:

public Map<String, Claim> getClaims() {
        Map<String, Claim> claims = new HashMap<>();

        String tokenValue = ((OAuth2AuthenticationDetails)((OAuth2Authentication) authenticationFacade.getAuthentication()).getDetails()).getTokenValue();
        try {
            DecodedJWT jwt = JWT.decode(tokenValue);
            claims = jwt.getClaims();
        } catch (JWTDecodeException ex) {
            LOGGER.info("Error decoding token value");
            LOGGER.error("Error decoding token value", ex);
        }

        return claims;
}

您应该查看 java-jwt 的文档以了解更多信息。

【讨论】:

    猜你喜欢
    • 2019-11-10
    • 2019-10-03
    • 2020-11-03
    • 2021-12-26
    • 2018-12-26
    • 2018-07-30
    • 2017-02-13
    • 2021-06-04
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode