我正在尝试使用 Spring Security 5 实现一个受 oauth2 保护的 Spring Boot API。我希望该 API 成为一个 oauth2 资源服务器,并且能够使用 WebClient 访问外部 oauth2 资源服务器,并授予客户端凭据。
我可以将 API 配置为 oauth2 资源服务器或 oauth2 客户端,但不能同时配置两者。
下面是将 API 配置为具有 Spring security 5 的资源服务器的最小设置。我使用的是不透明令牌,因此服务器已为此配置。
应用程序.属性
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=http://localhost:8086/auth/oauth/check_token
spring.security.oauth2.resourceserver.opaquetoken.client-id=test-api
spring.security.oauth2.resourceserver.opaquetoken.client-secret=e61aa5d6-074d-4216-b15f-1bf3fc71b833
WebSecurity配置类
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
}
}
通过此设置,我可以使用有效令牌访问此 api 端点以访问其受保护的资源。因此资源服务器配置本身就可以正常工作。
下面是配置为使用 WebClient 的最小 Spring security 5 设置,通过客户端凭据授予来访问外部受保护资源。
应用程序.属性
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://127.0.0.1:8086/auth/oauth/token
spring.security.oauth2.client.registration.test-api.client-id=test-store
spring.security.oauth2.client.registration.test-api.client-secret=password
spring.security.oauth2.client.registration.test-api.provider=my-oauth-provider
spring.security.oauth2.client.registration.test-api.scope=read,write
spring.security.oauth2.client.registration.test-api.authorization-grant-type=client_credentials
WebSecurity配置类
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
@Autowired
ClientRegistrationRepository clientRegistrationRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.oauth2Client(oauth2 -> oauth2
.clientRegistrationRepository(clientRegistrationRepository)
);
}
}
Oauth2Client配置类
@Configuration
public class Oauth2ClientConfig {
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean
WebClient webClient(OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(
oAuth2AuthorizedClientManager);
// default registrationId
oauth2Client.setDefaultClientRegistrationId("test-api");
// set client to use oauth2 by default globally
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}
}
通过此设置,我可以使用客户端凭据授予访问外部受保护端点以访问受保护资源。
但是,当我将这两个配置放在一起时,当我尝试访问我的 api 端点(该端点又尝试使用 WebClient 访问外部资源)时,它不起作用。
@Autowired
WebClient webClient;
@GetMapping("test")
public String test() {
String message = webClient
.get()
.uri("http://localhost:8084/external/api/endpoint")
.retrieve()
.bodyToMono(String.class)
.block();
return message;
}
Spring 安全性抛出 principalName 不能为空 错误。
java.lang.IllegalArgumentException: principalName cannot be empty
at org.springframework.util.Assert.hasText(Assert.java:287) ~[spring-core-5.2.8.RELEASE.jar:5.2.8.RELEASE]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
|_ checkpoint ⇢ Request to GET http://localhost:8084/ocr/document/test [DefaultWebClient]
Stack trace:
at org.springframework.util.Assert.hasText(Assert.java:287) ~[spring-core-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService.loadAuthorizedClient(InMemoryOAuth2AuthorizedClientService.java:73) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository.loadAuthorizedClient(AuthenticatedPrincipalOAuth2AuthorizedClientRepository.java:73) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager.authorize(DefaultOAuth2AuthorizedClientManager.java:144) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.lambda$authorizeClient$24(ServletOAuth2AuthorizedClientExchangeFilterFunction.java:534) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
...
非常感谢任何有关解决此问题的指示。当 API 也是资源服务器时,我应该使用不同的方式配置 WebClient 来工作吗?
我的 Maven 项目中有这些依赖项。 Spring安全版本是5.3.3.RELEASE pom.xml
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
...
<!-- Spring Boot Web starter -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Security Starter -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Oauth2 resource server -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
</dependency>
<!-- Oauth2 client -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<!-- WebClient -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
从这里: https://www.gitmemory.com/issue/spring-projects/spring-security/8398/614615036
这是预期行为 ->“principalName 不能为空”。
OAuth2AuthorizedClient 需要principalName,因为访问 令牌始终与主体相关联。这 ReactiveOAuth2AuthorizedClientService 验证principalName 和 如果principalName不可用,预计会失败。
principalName 不可用的原因是 JwtAuthenticationToken.getName() 将默认为 sub 声明,其中 根据您的令牌,在 Jwt 的声明集中不可用 上面的例子。您需要做的是指定 user_name 声明 用作principalName。
看看这个 样品 这向您展示了如何将 JwtDecoder 配置为默认值 JwtAuthenticationToken.getName() 的 user_name。
链接的示例无法按原样工作,因为 conversionClaims 中没有“user_name”值,所以我只是编写了自己的用户名。 这是我添加到配置中的内容:
http.authorizeExchange(exchangeSpec -> exchangeSpec.anyExchange().authenticated())
.oauth2ResourceServer(oAuth2 -> oAuth2.jwt(jwt -> jwt.jwtDecoder(jwtDecoder())));
http.oauth2Login();
和
public class UsernameSubClaimAdapter implements Converter<Map<String, Object>, Map<String, Object>> {
private final MappedJwtClaimSetConverter delegate =
MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
public Map<String, Object> convert(Map<String, Object> claims) {
Map<String, Object> convertedClaims = this.delegate.convert(claims);
String username = "anonymous_user";
convertedClaims.put("sub", username);
return convertedClaims;
}
}
@Bean
public NimbusReactiveJwtDecoder jwtDecoder() {
NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(processor());
jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(_jwtIssuerUrl));
jwtDecoder.setClaimSetConverter(new UsernameSubClaimAdapter());
return jwtDecoder;
}
问题是您的应用程序同时是
resourceServer
和 oauth2Client
,这听起来很奇怪。
将 .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
配置包含到 httpSecurity
中后,所有身份验证现在都将是 BearerTokenAuthentication
的实例。这些不会有与之关联的名称,因为您的不透明令牌没有 name
字段。如果您排除 .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
,则所有身份验证都将是 AnonymousAuthenticationToken
的实例,并具有默认主体 anonymousUser
。
此问题的解决方案是实现您自己的不透明令牌内省器,它将为身份验证设置主体名称。我通过扩展
NimbusReactiveOpaqueTokenIntrospector
并使用默认主体名称复制 Oauth2Authentication 来快速而肮脏地完成此操作。
内省者:
class ExtendedNimbusReactiveOpaqueTokenIntrospector(introspectionUri: String, clientId: String, clientSecret: String) : NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret) {
override fun introspect(token: String?): Mono<OAuth2AuthenticatedPrincipal> {
return super.introspect(token).map { auth ->
val name = SecurityContextHolder.getContext().authentication?.name ?: "defaultPrincipal"
DefaultOAuth2AuthenticatedPrincipal(name, auth.attributes, auth.authorities)
}
}
}
网络安全配置:
@Configuration
@EnableWebFluxSecurity
class OAuthConfig
@Autowired constructor(@Value("\${spring.security.oauth2.resourceserver.opaquetoken.introspection-uri}") private val introspectionUri: String,
@Value("\${spring.security.oauth2.resourceserver.opaquetoken.client-id}") private val clientId: String,
@Value("\${spring.security.oauth2.resourceserver.opaquetoken.client-secret}") private val clientSecret: String){
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http
.oauth2Client {
}
.authorizeExchange { authExchange ->
authExchange.pathMatchers(
"/apidoc",
"/swagger-ui.html",
"/webjars/**",
"/swagger-resources/**",
"/v2/api-docs")
.permitAll()
.anyExchange()
.permitAll()
}
.oauth2Client {}
.oauth2ResourceServer {
it.opaqueToken {opaqueTokenSpec ->
opaqueTokenSpec.introspector(ReweNimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret))
}
}
.build()
}
}
Web客户端配置:
@Configuration
class WebClientConfig @Autowired constructor() {
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository?,
authorizedClientService: ReactiveOAuth2AuthorizedClientService?
): ReactiveOAuth2AuthorizedClientManager? {
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientService)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}
@Bean
fun webClientBuilder(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager?): WebClient.Builder? {
val oauth = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth.setDefaultClientRegistrationId("rewe")
return WebClient.builder()
.filter(oauth)
}
@Bean
fun authorizedWebClient(webClientBuilder: WebClient.Builder, @Value("\${host}") host: String): WebClient {
return webClientBuilder.baseUrl(host).build()
}
}
我不知道这是否适用于您的情况,但我遇到了同样的问题,我通过将 @Async 放在负责使用 WebClient 执行请求的服务上来修复它。 IE。如果您传递到另一个线程,则身份验证上下文将被清除,您将不再尝试将其作为下游授权的上下文传递。