Spring Boot authorization based on OAuth2 roles

We have a dedicated authorization server extending AuthorizationServerConfigurerAdapter, where we set the permissions by overriding the configure(ClientDetailsServiceConfigurer) method.

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Value("${oauth.clientId}")
        private String clientId;

        @Value("${oauth.secret:}")
        private String secret;

        @Value("${oauth.resourceId}")
        private String resourceId;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        // Tokens are issued as JWTs
        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            return new JwtAccessTokenConverter();
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("permitAll()");
            oauthServer.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager)
                     .accessTokenConverter(accessTokenConverter());
        }

        // Client registration: grant types, authorities, scopes and the resource id
        // the issued tokens are valid for
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                   .withClient(clientId)
                   .secret(secret)
                   .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
                   .authorities("USER", "ADMIN")
                   .scopes("read", "write", "trust")
                   .resourceIds(resourceId);
        }
    }

Now, how do we use these permissions on a resource server for role-based authorization? We can authenticate using the token created by the authorization server. Need help.

2 answers

On the resource server, you must extend ResourceServerConfigurerAdapter to configure the request matchers and set the required role for each resource.

    @Configuration
    @EnableResourceServer
    public class OAuth2Config extends ResourceServerConfigurerAdapter {

        // Public key used to verify the JWT signature
        @Value("${keys.public}")
        private String publicKey;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/**")
                    .and()
                .authorizeRequests()
                    .antMatchers("/service1/**").access("#oauth2.hasScope('ADMIN')")
                    .antMatchers("/service2/**").access("#oauth2.hasScope('USER')");
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            resources.tokenStore(tokenStore());
        }

        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(jwtAccessTokenConverter());
        }

        @Bean
        public JwtAccessTokenConverter jwtAccessTokenConverter() {
            JwtAccessTokenConverter tokenConverter = new JwtAccessTokenConverter();
            tokenConverter.setVerifierKey(publicKey);
            return tokenConverter;
        }
    }
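As an added example (not code from the question or either answer), here is a resource server configuration that authorizes by role rather than by scope, and that additionally checks the token's audience. It assumes the properties keys.public (the JWT verification key) and oauth.resourceId (the same value the question's client registers via resourceIds), and that the roles carried in the token come from the UserDetailsService with the ROLE_ prefix, since hasRole("ADMIN") looks for the authority ROLE_ADMIN.

```java
// Added example, not the original answer's code. Assumed properties:
// keys.public (JWT verification key) and oauth.resourceId (this server's audience).
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class RoleBasedResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Value("${keys.public}") private String publicKey;
    @Value("${oauth.resourceId}") private String resourceId;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Accept only tokens whose "aud" claim names this service: a valid
        // signature alone is not enough, the token must be issued for us.
        resources.resourceId(resourceId).tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // hasRole("ADMIN") matches the authority "ROLE_ADMIN" from the token's
            // "authorities" claim; scopes live in a separate claim (#oauth2.hasScope).
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/api/**").access("#oauth2.hasScope('read') and hasAnyRole('USER', 'ADMIN')")
            .anyRequest().authenticated();
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(publicKey); // verify only; the signing key stays on the auth server
        return converter;
    }
}
```

A request carrying a token with scope read but only ROLE_USER is accepted on /api/** and rejected with 403 on /admin/**; a token issued for a different resource id is rejected regardless of its roles.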

You received the token from the auth server. Now you can use this token to make another request to the auth server to retrieve the user object. This JSON object will contain the roles (permissions). The request looks as follows.

  curl -H "Authorization: Bearer 2a953581-e9c9-4278-b42e-8af925f49a99" http://localhost:9999/uaa/user 

To do this, you need to create a user endpoint and implement UserDetailsService.

    // Returns the authenticated principal (including its authorities) as JSON
    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    @Bean
    UserDetailsService userDetailsService.....

The role list is created and set on org.springframework.security.core.userdetails.User inside the UserDetailsService, as follows.

    // username and password come from your own user store
    new User(username, password, AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"));

Source: https://habr.com/ru/post/1238525/
