Spring Boot: Spring Security roles based on Okta groups
Tags: spring-boot, spring-security, okta, okta-api

Hello, I want to assign Spring Security roles based on Okta groups, named after the Okta groups. Suppose my groups are named Foo and Bar. I have set up the Okta application to put the groups into a claim:

groups    groups: matches regex .*    Any access    Always
My POM looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.7.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>CLASSIFIED</groupId>
<artifactId>CLASSIFIED</artifactId>
<version>CLASSIFIED</version>
<name>CLASSIFIED</name>
<description>CLASSIFIED</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-couchbase</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.okta.spring</groupId>
<artifactId>okta-spring-boot-starter</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>

okta.oauth2.redirect-uri=/authorization-code/callback
okta.oauth2.postLogoutRedirectUri=http://localhost:8080/
okta.oauth2.issuer=https://CLASSIFIEDURL/oauth2/default
okta.oauth2.client-id=CLASSIFIED
okta.oauth2.client-secret=CLASSIFIED
rolesClaim=groups

My security config looks like this:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeRequests()
        // Require authentication for all requests
        .anyRequest().authenticated()
        // enable OAuth2/OIDC
        .and()
        .oauth2Login();
}

The server-side code for the restricted pages looks like this:

@GetMapping("/classified")
@PreAuthorize("hasAuthority('ROLE_FOO')")
public String classified(@AuthenticationPrincipal OidcUser user, Model model) {
    // some unimportant logic
    return "classified";
}

@GetMapping("/42")
@PreAuthorize("hasAuthority('ROLE_BAR')")
public String fortytwo(@AuthenticationPrincipal OidcUser user, Model model) {
    // some unimportant logic
    return "fortytwo";
}
The FOO and BAR roles are not granted to the user, so they cannot access the restricted pages.
Also, the unrestricted page shows the following message:
You are [ROLE_USER, SCOPE_address, SCOPE_email, SCOPE_offline_access, SCOPE_openid, SCOPE_phone, SCOPE_profile]
So it is safe to say that the problem is that the user does not receive the roles from Okta.
(The text in brackets [] is the result of user.getAuthorities().)
Now I wonder whether I am missing any important class, or whether I made a mistake in the configuration.

Answer:

If you add the groups claim to the ID token, it should work.
Also, your rolesClaim=groups is incorrect. The key should be named okta.oauth2.groupsClaim (according to the documentation). But since the default is groups, you can remove it.

Comments:

The login itself works fine; only the role assignment does not work.

Thank you very much, it works perfectly.

@zonk, could you share the GitHub repo of this project with me? I am facing exactly this problem.
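The answer's point is that the authorities Spring Security grants come from the claim named by okta.oauth2.groupsClaim in the ID token, so a claim that is not included in the ID token yields exactly the authority list shown in the question (ROLE_USER plus the SCOPE_* entries). The following is an added example, not code from the question, the answer or the Okta starter. It makes that mapping explicit with a GrantedAuthoritiesMapper that turns each entry of the groups claim into ROLE_<GROUP> (the string the question's hasAuthority('ROLE_FOO') expects) and adds a diagnostic endpoint that shows the raw claim next to the mapped authorities, so you can tell "claim missing from the ID token" apart from "claim present but mapped to a different string". The package name, class names and the /whoami path are assumptions; the Okta starter already maps the groups claim on its own, so compare its output with this mapper's before relying on either. Two caveats worth checking in the question's setup: @PreAuthorize is only enforced when prePostEnabled is on, and the claim filter "matches regex .*" puts every group the user belongs to into the token, so tighten it to the groups the application actually needs.

```java
package example.security; // hypothetical package, not from the question

import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
// Without prePostEnabled = true the @PreAuthorize annotations on the controllers are silently ignored.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GroupRoleSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Name of the claim carrying the Okta groups; must match okta.oauth2.groupsClaim (default "groups"). */
    static final String GROUPS_CLAIM = "groups";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .userAuthoritiesMapper(groupsToRolesMapper());
    }

    /**
     * Turns every entry of the "groups" claim in the ID token into ROLE_<GROUP>,
     * so that membership in the Okta group "Foo" satisfies hasAuthority('ROLE_FOO').
     * The authorities Spring already granted (ROLE_USER, SCOPE_*) are kept.
     */
    @Bean
    public GrantedAuthoritiesMapper groupsToRolesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority)) {
                    continue; // plain OAuth2 login without OIDC: no ID token to read
                }
                // The claim is read from the ID token, not the access token. If Okta was not
                // configured to include "groups" in the ID token this is null and no ROLE_*
                // authority is added, which is exactly the symptom described in the question.
                List<String> groups = ((OidcUserAuthority) authority)
                        .getIdToken().getClaimAsStringList(GROUPS_CLAIM);
                if (groups != null) {
                    groups.stream().map(GroupRoleSecurityConfig::toRole)
                            .map(SimpleGrantedAuthority::new)
                            .forEach(mapped::add);
                }
            }
            return mapped;
        };
    }

    /** "Foo" -> "ROLE_FOO"; spaces inside group names become underscores. */
    static String toRole(String group) {
        return "ROLE_" + group.trim().toUpperCase(Locale.ROOT).replace(' ', '_');
    }
}

/**
 * Diagnostic endpoint (hypothetical path /whoami): shows the raw "groups" claim from the
 * ID token next to the mapped authorities. A null claim means Okta did not put the groups
 * into the ID token; a populated claim with no matching ROLE_* entry means the mapping or
 * the expected authority string is wrong. It discloses token contents, so keep it behind
 * authentication and remove it before going to production.
 */
@RestController
class WhoAmIController {

    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("subject", user.getSubject());
        out.put("groupsClaimInIdToken",
                user.getIdToken().getClaimAsStringList(GroupRoleSecurityConfig.GROUPS_CLAIM));
        out.put("authorities", user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .sorted()
                .collect(Collectors.toList()));
        return out;
    }
}
```

After logging in, open /whoami: if groupsClaimInIdToken is null, fix the claim configuration in Okta (include the claim in the ID token); if it lists Foo and Bar but authorities lacks ROLE_FOO and ROLE_BAR, the mapping or the string used in @PreAuthorize is what needs attention.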