Spring Security 5: providing roles for OAuth2-authenticated users


I have an existing Spring Boot application with Spring Security 5 and the OAuth2 client, and I have successfully configured authentication against an external OAuth2 provider (GitLab, in my case).

Now I am having trouble configuring authorization. I would like some way to write code that resolves the roles for a given user (either by calling a database, or simply by checking against hard-coded usernames).


I found that this can be done with PrincipalExtractor and AuthoritiesExtractor, as described in detail in an article. However, these classes no longer exist in recent Spring Security releases. What is the alternative approach that is compatible with Spring Security 5?

What you are looking for is called GrantedAuthoritiesMapper.

It is documented in the official Spring Security documentation.

Here is a code example:

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

@EnableWebSecurity
// WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 in favour of a SecurityFilterChain bean
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    // The mapper runs after the user-info endpoint has been called,
                    // so it sees the provider's claims/attributes as authorities
                    .userAuthoritiesMapper(this.userAuthoritiesMapper())
                    ...
                )
            );
    }

    private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

            authorities.forEach(authority -> {
                if (OidcUserAuthority.class.isInstance(authority)) {
                    // OpenID Connect login: claims come from the ID token and/or UserInfo
                    OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;

                    OidcIdToken idToken = oidcUserAuthority.getIdToken();
                    OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();

                    // Map the claims found in idToken and/or userInfo
                    // to one or more GrantedAuthority's and add it to mappedAuthorities

                } else if (OAuth2UserAuthority.class.isInstance(authority)) {
                    // Plain OAuth2 login: attributes come from the provider's user-info response
                    OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;

                    Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();

                    // Map the attributes found in userAttributes
                    // to one or more GrantedAuthority's and add it to mappedAuthorities

                }
            });

            // Whatever is returned here replaces the default authorities for the session
            return mappedAuthorities;
        };
    }
}
There are several more examples and explanations in the Spring Security documentation.
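To show what the two placeholder comments in the answer's mapper might actually contain, here is an added example (not from the original answer or the Spring Security docs) that keys roles on the provider's stable subject identifier rather than on a mutable attribute such as email or display name. The allow-list values and the GitLab attribute name "id" are constructed assumptions; a real deployment would load the mapping from a database as the question suggests.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

/** Maps the provider's stable subject identifier to application roles. */
public class StaticRoleMapper implements GrantedAuthoritiesMapper {

    // Constructed allow-list (assumption): provider subject id -> elevated role.
    // Anyone not listed is limited to the baseline role below.
    private static final Map<String, String> ROLE_BY_SUBJECT = Map.of(
            "1234", "ROLE_ADMIN",
            "5678", "ROLE_EDITOR");

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        for (GrantedAuthority authority : authorities) {
            String subject = null;
            if (authority instanceof OidcUserAuthority) {
                // OIDC: "sub" is the stable identifier; never key roles on name or email,
                // which the user can change at the provider
                subject = ((OidcUserAuthority) authority).getIdToken().getSubject();
            } else if (authority instanceof OAuth2UserAuthority) {
                // Plain OAuth2 (e.g. GitLab's user endpoint): the "id" attribute is an assumption
                Object id = ((OAuth2UserAuthority) authority).getAttributes().get("id");
                subject = (id == null) ? null : String.valueOf(id);
            }
            if (subject == null) {
                continue; // unknown authority type contributes nothing
            }
            // Every authenticated user gets the baseline role; elevated roles come only from the list
            mapped.add(new SimpleGrantedAuthority("ROLE_USER"));
            String role = ROLE_BY_SUBJECT.get(subject);
            if (role != null) {
                mapped.add(new SimpleGrantedAuthority(role));
            }
        }
        return mapped;
    }
}
```

Wire it in with `.userAuthoritiesMapper(new StaticRoleMapper())` in place of `this.userAuthoritiesMapper()` in the configuration above; a user whose subject is not in the list ends up with only ROLE_USER, so a mis-typed id fails closed rather than granting access.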