春季安全与Azure:是否有活动目录组通配符?

huangapple go评论90阅读模式
英文:

Spring Security and Azure: is there a Active Directory group wildcard?

问题

这个教程在https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory解释了如何在Microsoft Azure Active Directory中设置带有身份验证的Spring Security。

除了两个小差异(在这里解释:https://stackoverflow.com/questions/43788333/openid-connect-log-in-in-with-office-365-and-spring-security/63517600#63517600),这个方法效果很好。

在我的application.properties文件中有这个属性:

azure.activedirectory.active-directory-groups=myADUserGroup

(提示:azure.activedirectory.active-directory-groups 似乎是较新的 azure.activedirectory.user-group.allowed-groups 的废弃版本...)

我不想限制在特定的组上。任何具有有效Microsoft帐户的用户都适用于我的用例。
将属性留空甚至删除属性会导致以下异常:

Caused by: java.lang.IllegalStateException: One of the User Group Properties must be populated. Please populate azure.activedirectory.user-group.allowed-groups
	at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationProperties.validateUserGroupProperties(AADAuthenticationProperties.java:148) ~[azure-spring-boot-2.3.1.jar:na]

一个可能的解决方法是在application.properties中为属性输入一些任意的组名:

azure.activedirectory.active-directory-groups=some-arbitrary-group-name-doesnt-matter

然后不使用 @PreAuthorize("hasRole('[group / role name]')")

这个方法有效(只要您的应用程序不关心角色名称),但感觉不正确。
A)有没有一种“正确”的方法来设置通配符的活动目录组?
B)org.springframework.security.core.Authentication.getAuthorities() 似乎只提供在该属性中输入的组名/角色名,所以这个解决方法不会提供任何(但是ROLE_USER除外)。我想读取用户的所有组/角色。所以我提出第二个问题:如何在不知道所有组/角色并且特别是在不将它们全部输入“azure.activedirectory.active-directory-groups”属性”的情况下,从org.springframework.security.core.Authentication.getAuthorities()获取所有角色?

英文:

The tutorial at https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory explains how to set up Spring Security with authentication at Microsoft Azure Active Directory.

Disregarding from two little differences (explained here https://stackoverflow.com/questions/43788333/openid-connect-log-in-in-with-office-365-and-spring-security/63517600#63517600 ) this works fine.

In my application.properties there is this property:

azure.activedirectory.active-directory-groups=myADUserGroup

(Hint: azure.activedirectory.active-directory-groups seems to be the deprecated version of the newer azure.activedirectory.user-group.allowed-groups ...)

I don't want to limit on particular groups. Every user with a valid Microsoft account is OK for my use case.
Leaving the property blank or even deleting the property leads to this exception:

Caused by: java.lang.IllegalStateException: One of the User Group Properties must be populated. Please populate azure.activedirectory.user-group.allowed-groups
at com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationProperties.validateUserGroupProperties(AADAuthenticationProperties.java:148) ~[azure-spring-boot-2.3.1.jar:na]

A possible workaround is to enter some arbitrary group name for the property in application.properties:

azure.activedirectory.active-directory-groups=some-arbitrary-group-name-doesnt-matter

and just do not use @PreAuthorize("hasRole('[group / role name]')").

This works (as long as your app is not interested in the role names) but it does not feel correct.
A) Is there a "right" way to set a wildcard active-directory-group?
B) org.springframework.security.core.Authentication.getAuthorities() seems to deliver only those group names / role names that are entered in that property, so the workaround delivers none (but ROLE_USER). I want to read all the groups / roles at the user. So I ask a second question: How can I get all roles from org.springframework.security.core.Authentication.getAuthorities() without knowing all of them and especially without entering all of them into the "azure.activedirectory.active-directory-groups" property?

答案1

得分: 1

目前,不支持为 Azure Active Directory 群组设置通配符

您可以在 此处 向 Azure AD 提供反馈,如果其他人有相同的需求,他们会投票支持您。投票越多,就越有可能推动实现此功能。

英文:

For now, it does not support to set a wildcard for azure active directory group.

You can give you voice to azure ad feedback and if others have same demand will voteup you. Much vote will promote this feature to be achieve.

答案2

得分: 1

以下是翻译好的内容:

这不是一个群组通配符,但如果stateless processing适合您的需求,

azure.activedirectory.active-directory-groups=...

可以被替换为

azure.activedirectory.session-stateless=true

这将激活AADAppRoleStatelessAuthenticationFilter,而不是AADAuthenticationFilter,后者不需要通过azure.activedirectory.active-directory-groups指定群组。
您想要使用的角色必须在应用程序清单中声明

英文:

It's not a group wildcard, but if stateless processing suits your need,

azure.activedirectory.active-directory-groups=...

may be replaced with

azure.activedirectory.session-stateless=true

This will activate AADAppRoleStatelessAuthenticationFilter instead of AADAuthenticationFilter, which doesn't require specifying groups via azure.activedirectory.active-directory-groups.
The roles you want to use have to declared in the application manifest

答案3

得分: 0

由于目前不支持通配符来对用户组进行分组,我通过忽略用户组是否有效来构建了一个解决方法。

为此,我复制了com.microsoft.azure.spring.autoconfigure.aad.AzureADGraphClient,并注释掉了这段代码片段:

.filter(this::isValidUserGroupToGrantAuthority)

然后我复制了com.microsoft.azure.spring.autoconfigure.aad.AADOAuth2UserService,并使用以下代码:

graphClient = new MyAzureADGraphClient(...

而不是

graphClient = new AzureADGraphClient(...

在SecurityConfiguration中,我注入了AAD属性:

@Autowired(required = false) private AADAuthenticationProperties aadAuthenticationProperties;
@Autowired(required = false) private ServiceEndpointsProperties serviceEndpointsProps;

并在void configure(HttpSecurity http)中调用了我自己的AADOAuth2UserService:

EvaAADOAuth2UserService oidcUserService = new EvaAADOAuth2UserService(aadAuthenticationProperties, serviceEndpointsProps);
httpSecurity.oauth2Login().loginPage(LOGIN_URL).permitAll().userInfoEndpoint().oidcUserService(oidcUserService);
英文:

As there is no support for a wildcard for groups at the moment, I built a workaround by ignoring whether the user group is valid or not.

For this I made a copy of com.microsoft.azure.spring.autoconfigure.aad.AzureADGraphClient and commented out this code snippet:

.filter(this::isValidUserGroupToGrantAuthority)

and I made a copy of com.microsoft.azure.spring.autoconfigure.aad.AADOAuth2UserService with

graphClient = new MyAzureADGraphClient(...

instead of

graphClient = new AzureADGraphClient(...

And in the SecurityConfiguration I injected the AAD properties:

@Autowired(required = false) private AADAuthenticationProperties aadAuthenticationProperties;
@Autowired(required = false) private ServiceEndpointsProperties serviceEndpointsProps;

and called my own AADOAuth2UserService in void configure(HttpSecurity http):

EvaAADOAuth2UserService oidcUserService = new EvaAADOAuth2UserService(aadAuthenticationProperties, serviceEndpointsProps);
httpSecurity.oauth2Login().loginPage(LOGIN_URL).permitAll().userInfoEndpoint().oidcUserService(oidcUserService);

huangapple
  • 本文由 发表于 2020年8月21日 15:19:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/63518264.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定