MAT*_*X81 6 oauth-2.0 spring-boot spring-security-oauth2 spring-oauth2
1-OAuth2AuthenticationToken 和 OAuth2Authentication 之间有什么区别?
2-在我的 Spring Boot 客户端 Web 应用程序中,我使用依赖项“spring-boot-starter-oauth2-client”通过授权服务器实现(单点登录)sso,因此客户端应用程序中的主体是 OAuth2AuthenticationToken。是对的吗?
3-我无法使用 @PreAuthorize(#oauth2.hasScope('xxx')) 因为它适用于 OAuth2Authentication 而不是 OAuth2AuthenticationToken,为什么?但是当我使用 @PreAuthorize(hasRole('SomeRole')) 时,它工作得很好。
4-这是身份验证对象(主体)的示例
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"details": null,
"authenticated": true,
"principal": {
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
},
"name": "bob"
},
"authorizedClientRegistrationId": "custom-client",
"credentials": "",
"name": "bob"
}
这些字段是什么?,为什么有一些冗余信息?,为什么有多个具有不同值的权限?
5-如果我转而在授权服务器中使用 JWT,我是否需要更改客户端应用程序中的任何内容?
谢谢
这是对您的多个问题的部分回答。
您应该首先注意到:
OAuth2AuthenticationToken是Spring Security 项目中打包到spring-security-oauth2-resource-server中的类。
OAuth2Authentication是已弃用的 Spring Security OAuth 项目中的一个类,已打包到spring-security-oauth2中
该类OAuth2Authentication带有注释@Deprecated,不应在新项目中使用。
如果您只需要实现资源服务器和 OAuth2 客户端,则应该使用来自spring-security-oauth2-resource-server和spring-boot-starter-oauth2-clientMaven 包的类,并摆脱来自spring-security-oauth2Maven 包的类。
如果您还需要授权服务器,您可以尝试使用新的Spring 授权服务器
| 归档时间: |
|
| 查看次数: |
1897 次 |
| 最近记录: |