java - 使用Spring Boot的角色层次结构和OAuth2安全性

我知道关于角色层次结构的线程很多，但是找不到与OAuth2结合的任何示例。

所以，
大多数线程指出我需要实现RoleHierarchy bean：

Beans.java

@EnableJpaRepositories(basePackages = "com.template.service.repository")
@EnableAspectJAutoProxy
@ComponentScan
@Configuration
public class Beans {
@Bean
public ItemService itemsService(ItemsRepository itemsRepository) {
    return new ItemService(itemsRepository);
}

@Bean
public RoleHierarchy roleHierarchy(){
    RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
    roleHierarchy.setHierarchy("ROLE_SUPREME > ROLE_DEVELOPER ROLE_DEVELOPER > ROLE_ADMIN  ROLE_ADMIN > ROLE_USER");
    return roleHierarchy;
}

@Bean
public DtoMapper dtoMapper() {
    return new DtoMapper();
}
}

接下来，我需要将该豆@Autowire添加到我的WebSecurityConfigurerAdapter中。但是，因为我使用的是OAuth2安全性，所以我在HttpSecurity内部配置了ResourceServerConfigurerAdapter。

OAuth2.java

public class OAuth2 {
@EnableAuthorizationServer
@Configuration
@ComponentScan
public static class AuthorizationServer extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManagerBean;
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("trusted_client")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManagerBean).userDetailsService(userDetailsService);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }
}

@EnableResourceServer
@Configuration
@ComponentScan
public static class ResourceServer extends ResourceServerConfigurerAdapter {

    @Autowired
    private RoleHierarchy roleHierarchy;

    private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
        OAuth2WebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new OAuth2WebSecurityExpressionHandler();
        defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy);
        return defaultWebSecurityExpressionHandler;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().expressionHandler(webExpressionHandler())
                .antMatchers("/api/**").hasRole("DEVELOPER");
    }
}
}

安全性

@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@Configuration
@ComponentScan
public class Security extends WebSecurityConfigurerAdapter {

@Autowired
private UserDetailsService userDetailsService;

@Bean
public JpaAccountDetailsService userDetailsService(AccountsRepository accountsRepository) {
    return new JpaAccountDetailsService(accountsRepository);
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Bean
public PasswordEncoder passwordEncoder(){
    return new BCryptPasswordEncoder();
}
}

但是，层次结构不起作用。具有SUPREME用户凭证的请求以以下结尾：

{
  "error": "access_denied",
  "error_description": "Access is denied"
}

当我将hasRole("DEVELOPER")切换为hasRole("SUPREME")时，一切正常。

我正在使用Spring Boot 1.5.2和Spring Security OAuth 2.1.0.RELEASE

更新

当我注释所有OAuth2.java类并将webExpressionHandler()方法签名移至Security.java类时-角色层次结构正常运行。那么OAuth2资源服务器怎么回事？

最佳答案

您如何看待ResourceServer中的这种方法？

   @Bean
    public RoleHierarchyImpl roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_SUPREME > ROLE_DEVELOPER ROLE_DEVELOPER > ROLE_ADMIN  ROLE_ADMIN > ROLE_USER")         return roleHierarchy;
    }


    @Bean
    public RoleHierarchyVoter roleVoter() {
        return new RoleHierarchyVoter(roleHierarchy());
    }


    @Bean
    public AffirmativeBased defaultOauthDecisionManager(RoleHierarchy roleHierarchy){ //

      List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();

      // webExpressionVoter
      OAuth2WebSecurityExpressionHandler expressionHandler = new OAuth2WebSecurityExpressionHandler();
      expressionHandler.setRoleHierarchy(roleHierarchy);
      WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
      webExpressionVoter.setExpressionHandler(expressionHandler);
      decisionVoters.add(webExpressionVoter);
      decisionVoters.add(roleVoter());
      return new AffirmativeBased(decisionVoters);
    }

和

http
                .authorizeRequests()
                .accessDecisionManager(defaultOauthDecisionManager(roleHierarchy()))
                //etc...

它可以更好地进行结构化和封装，但是您知道我的意思，不是吗？...我认为它工作正常。我希望这能帮到您...

关于java - 使用Spring Boot的角色层次结构和OAuth2安全性，我们在Stack Overflow上找到一个类似的问题：https://stackoverflow.com/questions/42840249/

Oauth2

java - 使用Spring Boot的角色层次结构和OAuth2安全性