我正在使用 springboot v3.2.3 并具有以下依赖项
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
这是我的配置
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers("swagger-ui/**", "/v3/api-docs/**").permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
}
我在 applications.properties 中有这个
spring.security.oauth2.resourceserver.jwt.issuer-uri=<issuer-uri>
spring.security.oauth2.resourceserver.jwt.audiences=<app>
jwt 令牌验证工作正常(通过仅允许指定的受众并且应用程序使用正确的发行者公共证书)。但是,我想根据其他“声明”(例如角色)进行过滤。最干净的方法是什么?
org.springframework.security.oauth2.core.OAuth2TokenValidator
,例如
org.springframework.security.oauth2.jwt.JwtClaimValidator
声明的自定义 roles
可以添加如下:import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
@Bean
public JwtDecoder jwtDecoder(HttpServletRequest request) {
NimbusJwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(issuerUri);
List<OAuth2TokenValidator<Jwt>> validators = List.of(
// add default validators
JwtValidators.createDefaultWithIssuer(issuerUri),
// add custom validator for roles claim
new JwtClaimValidator<>(
"roles",
predicateToValidateRoles)
)
);
jwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
return jwtDecoder;
}
Spring 文档链接:https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-validation-custom