Spring 5 Oauth2 - How to provide the check token URL in my Resource server?

Question

I need some help..

I set up an AuthorizationServer using @EnableAuthorizationServer from Spring-security-oauth2 for grant type "client_credentials". Able to create, check tokens and everything good with this.

> /oauth/token
> /oauth/checkToken

Followed this sample for Authorization server

I have a separate project that has the REST APIs to be secured. I can't use @EnableResourceServer because that project uses Spring 5.2.8 and the spring-security-oauth2 2.5 is causing conflicts (because it uses 4.x Spring jars and excluding them is causing more issues) while deploying over Weblogic, so I am using this sample.

Now in this sample how do I just provide a Checktoken url. This sample wants a JWT json type of file but I don't have it. I just want to keep it simple and use the checktoken url of the authorization server I created, similar to how @EnableResourceServer works (like provided here except without @EnableResourceServer).

Where do I provide that? Any immediate help appreciated.

Answer 1

Score: 2

Following your example for the ResourceServer, this works for me:

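import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Check-token (introspection) URI and the credentials this resource server
    // uses to authenticate to it, all read from application.properties.
    @Value("${security.oauth2.resource.tokenInfoUri}") String tokenInfoUri;
    @Value("${security.oauth2.client.clientId}") String clientId;
    @Value("${security.oauth2.client.clientSecret}") String clientSecret;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                .authorizeRequests((authorizeRequests) ->
                        authorizeRequests
                                .antMatchers(HttpMethod.GET, "/message/**").hasAuthority("SCOPE_message:read")
                                .antMatchers(HttpMethod.POST, "/message/**").hasAuthority("SCOPE_message:write")
                                .anyRequest().authenticated()
                )
                // Validate bearer tokens as opaque tokens (remote check) instead of local JWT decoding.
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
        // @formatter:on
    }

    // Sends each presented token to tokenInfoUri, authenticating with clientId/clientSecret.
    @Bean
    OpaqueTokenIntrospector opaqueTokenIntrospector() {
        return new NimbusOpaqueTokenIntrospector(tokenInfoUri, clientId, clientSecret);
    }
}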

I used the following spring security dependencies:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.3.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
    <version>5.3.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>8.22</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-resource-server</artifactId>
    <version>5.3.4.RELEASE</version>
</dependency>

Put your checkToken-Uri, client and clientSecret into your application.properties.
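
The check-token call that the configuration above hands to the introspector, sketched as an added example (not code from this answer or from Spring Security): the resource server POSTs the bearer token to the token-info URI with its client credentials as HTTP Basic, rejects anything not marked active, and maps scopes to the `SCOPE_` authorities used in the matchers. The stub endpoint, client id, secret and token values are constructed, and the response shape is assumed to follow RFC 7662.

```python
import base64, json, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: one client and one live token known to the stub server.
CLIENT_ID, CLIENT_SECRET = "resource-server", "s3cret-example"
TOKENS = {"tok-valid": {"active": True, "scope": "message:read", "client_id": "demo-client"}}

def basic(cid, secret):
    return "Basic " + base64.b64encode(f"{cid}:{secret}".encode()).decode()

class StubCheckToken(BaseHTTPRequestHandler):
    """Stand-in for the authorization server's check-token endpoint (assumed shape)."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if self.headers.get("Authorization") != basic(CLIENT_ID, CLIENT_SECRET):
            status, payload = 401, {"error": "invalid_client"}
        else:
            token = urllib.parse.parse_qs(body).get("token", [""])[0]
            # Unknown or expired tokens are reported as inactive, not as an error.
            status, payload = 200, TOKENS.get(token, {"active": False})
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args): pass  # keep the demo quiet

def introspect(uri, client_id, client_secret, token):
    """Resource-server side: return granted authorities, or None to reject the request."""
    req = urllib.request.Request(uri, data=urllib.parse.urlencode({"token": token}).encode(),
                                 headers={"Authorization": basic(client_id, client_secret)})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            claims = json.load(resp)
    except (OSError, ValueError):  # HTTP 401, timeout, bad JSON: fail closed
        return None
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    return ["SCOPE_" + s for s in claims.get("scope", "").split()]

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubCheckToken)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    uri = f"http://127.0.0.1:{server.server_port}/oauth/checkToken"
    cases = ((CLIENT_SECRET, "tok-valid"), (CLIENT_SECRET, "tok-unknown"), ("wrong-secret", "tok-valid"))
    results = [introspect(uri, CLIENT_ID, secret, tok) for secret, tok in cases]
    server.shutdown(); server.server_close()
    return results
```
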

Answer 2

Score: 0

I ended up using the JWT sample Spring had provided, which gets the JWT public keys for verification on the resource server.
Follow the auth and resource server provided in Spring source sample project.

Works good so far until we migrate to a better IDM solution

Posted on 2020-09-22 04:17:41