Java 如何限制特定域使用Spring Boot和OAuth2登录
我已经使用spring boot和Google成功地完成了OAuth2登录,但我想将登录限制在特定域(我们使用Google应用程序进行工作) 我认为应该通过扩展类OAuth2ClientAuthenticationProcessingFilter(如指定的)来处理,但我不确定如何做到这一点Java 如何限制特定域使用Spring Boot和OAuth2登录,java,spring,oauth,spring-boot,Java,Spring,Oauth,Spring Boot,我已经使用spring boot和Google成功地完成了OAuth2登录,但我想将登录限制在特定域(我们使用Google应用程序进行工作) 我认为应该通过扩展类OAuth2ClientAuthenticationProcessingFilter(如指定的)来处理,但我不确定如何做到这一点 基本上,我希望使用Google OAuth 2.0作为身份提供者,但必须只接受公司用户(@company.com)。根据Stéphane的建议,我想到了这一点,并最终实现了这一点,这对我来说适用于Google
基本上,我希望使用Google OAuth 2.0作为身份提供者,但必须只接受公司用户(@company.com)。根据Stéphane的建议,我想到了这一点,并最终实现了这一点,这对我来说适用于Google+配置文件:
@Configuration
@EnableOAuth2Sso
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String GOOGLE_PLUS_DOMAIN_ATTRIBUTE = "domain";
private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";
@Bean
public AuthoritiesExtractor authoritiesExtractor(
@Value("#{'${security.allowed-domains}'.split(',')}") final List<String> allowedDomains) {
return new AuthoritiesExtractor() {
@Override
public List<GrantedAuthority> extractAuthorities(final Map<String, Object> map) {
if (map != null && map.containsKey(GOOGLE_PLUS_DOMAIN_ATTRIBUTE)) {
final String domain = (String) map.get(GOOGLE_PLUS_DOMAIN_ATTRIBUTE);
if (!allowedDomains.contains(domain)) {
throw new BadCredentialsException("Not an allowed domain");
}
return AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
}
return null;
}
};
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/logout", "/api/mappings/**", "/public/**").permitAll()
.anyRequest().hasAuthority("ROLE_USER")
.and().logout().logoutUrl("/api/logout").logoutSuccessUrl("/logout")
.and().csrf().csrfTokenRepository(csrfTokenRepository()).ignoringAntMatchers("/api/mappings/**")
.and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
// @formatter:on
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
final CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, CSRF_COOKIE_NAME);
final String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie(CSRF_COOKIE_NAME, token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
final HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName(CSRF_HEADER_NAME);
return repository;
}
}
私有静态最终字符串托管\u域\u属性=“hd” 根据Stéphane的建议,我想到了这一点,并最终实现了这一点,这一点对我来说适用于Google+个人资料:
@Configuration
@EnableOAuth2Sso
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String GOOGLE_PLUS_DOMAIN_ATTRIBUTE = "domain";
private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";
@Bean
public AuthoritiesExtractor authoritiesExtractor(
@Value("#{'${security.allowed-domains}'.split(',')}") final List<String> allowedDomains) {
return new AuthoritiesExtractor() {
@Override
public List<GrantedAuthority> extractAuthorities(final Map<String, Object> map) {
if (map != null && map.containsKey(GOOGLE_PLUS_DOMAIN_ATTRIBUTE)) {
final String domain = (String) map.get(GOOGLE_PLUS_DOMAIN_ATTRIBUTE);
if (!allowedDomains.contains(domain)) {
throw new BadCredentialsException("Not an allowed domain");
}
return AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
}
return null;
}
};
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/logout", "/api/mappings/**", "/public/**").permitAll()
.anyRequest().hasAuthority("ROLE_USER")
.and().logout().logoutUrl("/api/logout").logoutSuccessUrl("/logout")
.and().csrf().csrfTokenRepository(csrfTokenRepository()).ignoringAntMatchers("/api/mappings/**")
.and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
// @formatter:on
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
final CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, CSRF_COOKIE_NAME);
final String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie(CSRF_COOKIE_NAME, token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
final HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName(CSRF_HEADER_NAME);
return repository;
}
}
私有静态最终字符串托管\u域\u属性=“hd” 我找到了新的解决方案!您应该选择一个:非反应性或反应性案例重要的是不要忘记: 非反应性:
@Bean
fun oauth2UserService(rest: WebClient): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return OAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
user
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
fun oauth2UserService(rest: WebClient): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
Mono.just(user)
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
有趣的oauth2UserService(rest:WebClient):oauth2UserService{
val delegate=DefaultOAuth2UserService()
返回OAuth2UserService{request->
val user=delegate.loadUser(请求)
val hd=user.getAttribute(“hd”)
if(hd==“your.domain.name”)
用户
其他的
抛出OAuth2AuthenticationException(OAuth2Error(“无效的_令牌”,“不在团队中”,“不在团队中”)
}
}
@Bean
fun oauth2UserService(rest: WebClient): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return OAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
user
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
fun oauth2UserService(rest: WebClient): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
Mono.just(user)
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
有趣的oauth2UserService(rest:WebClient):ReactiveOAuth2UserService{
val delegate=DefaultOAuth2UserService()
返回ReactiveOAuth2UserService{request->
val user=delegate.loadUser(请求)
val hd=user.getAttribute(“hd”)
if(hd==“your.domain.name”)
Mono.just(用户)
其他的
抛出OAuth2AuthenticationException(OAuth2Error(“无效的_令牌”,“不在团队中”,“不在团队中”)
}
}
@Bean
fun oauth2UserService(rest: WebClient): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return OAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
user
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
fun oauth2UserService(rest: WebClient): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
Mono.just(user)
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
有趣的oauth2UserService(rest:WebClient):oauth2UserService{
val delegate=DefaultOAuth2UserService()
返回OAuth2UserService{request->
val user=delegate.loadUser(请求)
val hd=user.getAttribute(“hd”)
if(hd==“your.domain.name”)
用户
其他的
抛出OAuth2AuthenticationException(OAuth2Error(“无效的_令牌”,“不在团队中”,“不在团队中”)
}
}
@Bean
fun oauth2UserService(rest: WebClient): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return OAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
user
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
fun oauth2UserService(rest: WebClient): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
val delegate = DefaultOAuth2UserService()
return ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> { request ->
val user = delegate.loadUser(request)
val hd = user.getAttribute<String>("hd")
if (hd == "your.domain.name")
Mono.just(user)
else
throw OAuth2AuthenticationException(OAuth2Error("invalid_token", "Not in the Team", ""))
}
}
@Bean
有趣的oauth2UserService(rest:WebClient):ReactiveOAuth2UserService{
val delegate=DefaultOAuth2UserService()
返回ReactiveOAuth2UserService{request->
val user=delegate.loadUser(请求)
val hd=user.getAttribute(“hd”)
if(hd==“your.domain.name”)
Mono.just(用户)
其他的
抛出OAuth2AuthenticationException(OAuth2Error(“无效的_令牌”,“不在团队中”,“不在团队中”)
}
}
authorities extractorauthorities extractor