Example Analysis of Spring Security OAuth2 token privilege isolation

2025-01-29 Update. From: SLTechnology News&Howtos > Development

Shulou (Shulou.com) 06/03 Report

This article walks through an example of token privilege isolation in Spring Security OAuth2: how to make the authentication that a resource server reconstructs from the authorization server's user info carry the authorities of the client (scope) that the token was issued to, rather than the empty authority list of the end user. The editor found it quite practical and shares it here for reference.

I. Where to override?

When the resource server fetches the user information from the authorization server, override the returned user info so that it carries the authorities. The authorization server's /user endpoint simply echoes the Principal it receives:

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;

import com.alibaba.fastjson.JSON;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Slf4j
public class UserController {

    @Autowired
    HttpServletRequest request;

    /** Returns the authenticated principal as-is; the resource server reads "authorities" from this response. */
    @GetMapping("/user")
    public Principal user(Principal principal) {
        log.info("user info fetched: {}", JSON.toJSON(principal));
        return principal;
    }
}

The user information actually returned is below. Two things stand out: the top-level "authorities" list is empty, even though the stored request for client "external" carries "auth_base", and the serialized principal echoes the bcrypt password hash, the phone number and the client_secret sent in the request parameters. Whoever can call /user with a valid token sees all of that, so those fields should be stripped from the response regardless of the authorities fix discussed here.

{
  "principal": {
    "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
    "phone": "13918438965",
    "credentialsNonExpired": true,
    "accountNonExpired": true,
    "enabled": true,
    "accountNonLocked": true,
    "username": "4738195728608789333"
  },
  "authenticated": true,
  "oAuth2Request": {
    "redirectUri": "http://www.baidu.com",
    "responseTypes": ["code"],
    "approved": true,
    "extensions": {},
    "clientId": "external",
    "scope": ["auth_base"],
    "requestParameters": {
      "code": "ovzMSk",
      "grant_type": "authorization_code",
      "scope": "auth_base",
      "response_type": "code",
      "redirect_uri": "http://www.baidu.com",
      "state": "123",
      "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454",
      "client_id": "external"
    },
    "refresh": false,
    "grantType": "authorization_code",
    "authorities": [{ "authority": "auth_base" }],
    "resourceIds": []
  },
  "clientOnly": false,
  "credentials": "",
  "name": "4738195728608789333",
  "userAuthentication": {
    "principal": {
      "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
      "phone": "13918438965",
      "credentialsNonExpired": true,
      "accountNonExpired": true,
      "enabled": true,
      "accountNonLocked": true,
      "username": "4738195728608789333"
    },
    "authenticated": true,
    "oAuth2Request": {
      "responseTypes": [],
      "approved": true,
      "extensions": {},
      "clientId": "gt",
      "scope": ["frontend"],
      "requestParameters": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_id": "gt",
        "username": "13918438965"
      },
      "refresh": false,
      "grantType": "password",
      "authorities": [{ "authority": "client" }],
      "resourceIds": []
    },
    "clientOnly": false,
    "credentials": "",
    "name": "4738195728608789333",
    "userAuthentication": {
      "principal": {
        "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa",
        "phone": "13918438965",
        "credentialsNonExpired": true,
        "accountNonExpired": true,
        "enabled": true,
        "accountNonLocked": true,
        "username": "4738195728608789333"
      },
      "authenticated": true,
      "name": "4738195728608789333",
      "details": {
        "auth_type": "sms",
        "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d",
        "grant_type": "password",
        "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941",
        "client_id": "gt",
        "username": "13918438965"
      },
      "authorities": []
    },
    "details": {
      "tokenType": "Bearer",
      "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9",
      "remoteAddress": "0:0:0:0:0:0:0:1"
    },
    "authorities": []
  },
  "details": {
    "tokenType": "Bearer",
    "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e",
    "remoteAddress": "0:0:0:0:0:0:0:1"
  },
  "authorities": []
}

II. How to override?

The principal is an OAuth2Authentication instance. OAuth2Authentication mainly consists of an OAuth2Request storedRequest (the client, scope and authorities the token was issued with) and an Authentication userAuthentication (the end user, if the grant involved one).

The goal of the override is to copy storedRequest's authorities into the top-level authorities. The problem is that authorities cannot be modified after construction: AbstractAuthenticationToken keeps them in a final, unmodifiable collection, and OAuth2Authentication's constructor fills that collection from userAuthentication.getAuthorities() whenever a user authentication is present (only client-only tokens, where userAuthentication is null, fall back to storedRequest.getAuthorities()). Here the user authentication came from a password grant with an empty authority list, which is why the dump shows "authorities": [] at the top level. The only option, then, is to re-create the authentication with a custom OAuth2Authentication that takes its authorities from the caller.

To replace the authorities, override the controller method:

// additional imports needed in UserController
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import com.brightcns.wuxi.citizencard.auth.domain.CustomOAuth2Authentication;

@GetMapping("/user")
public Principal user(Principal principal) {
    log.info("user info fetched: {}", JSON.toJSON(principal));
    OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) principal;
    OAuth2Request storedRequest = oAuth2Authentication.getOAuth2Request();
    Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
    // Rebuild the authentication with the stored request's authorities so the resource server
    // can isolate token privileges per client; the token details (type, value, remote address) are kept
    CustomOAuth2Authentication customOAuth2Authentication = new CustomOAuth2Authentication(
            storedRequest, userAuthentication, storedRequest.getAuthorities());
    customOAuth2Authentication.setDetails(oAuth2Authentication.getDetails());
    log.info("user info returned: {}", JSON.toJSON(customOAuth2Authentication));
    return customOAuth2Authentication;
}

CustomOAuth2Authentication:

package com.brightcns.wuxi.citizencard.auth.domain;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Request;

import java.util.Collection;

/**
 * @author maxianming
 * @date 2018/10/29 13:53
 */
public class CustomOAuth2Authentication extends AbstractAuthenticationToken {

    private static final long serialVersionUID = -4809832298438307309L;

    private final OAuth2Request storedRequest;

    private final Authentication userAuthentication;

    /**
     * Construct an OAuth 2 authentication. Since some grant types don't require user authentication, the user
     * authentication may be null.
     * @param storedRequest The authorization request (must not be null).
     * @param userAuthentication The user authentication (possibly null).
     * @param authorities The authorities exposed by getAuthorities() (the stored request's, in the controller above).
     */
    public CustomOAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication,
                                      Collection<? extends GrantedAuthority> authorities) {
        // Unlike OAuth2Authentication, which copies the user's authorities, this takes them from the caller.
        super(authorities);
        this.storedRequest = storedRequest;
        this.userAuthentication = userAuthentication;
    }

    // The listing on the page is cut off after the constructor signature; the members below are completed on
    // the model of Spring's OAuth2Authentication so that the class compiles and serializes with the same keys.
    public OAuth2Request getOAuth2Request() { return storedRequest; }

    public Authentication getUserAuthentication() { return userAuthentication; }

    @Override
    public Object getCredentials() { return ""; }

    @Override
    public Object getPrincipal() {
        return userAuthentication == null ? storedRequest.getClientId() : userAuthentication.getPrincipal();
    }

    @Override
    public boolean isAuthenticated() {
        return storedRequest.isApproved() && (userAuthentication == null || userAuthentication.isAuthenticated());
    }

    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
        if (userAuthentication instanceof CredentialsContainer) {
            ((CredentialsContainer) userAuthentication).eraseCredentials();
        }
    }
}
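The following stand-alone class is an added example, not code from the post or from the brightcns project. It reproduces the empty-authorities problem with the stock OAuth2Authentication and then shows the per-client isolation the resource server gets once the authentication carries the stored request's authorities: the same user holding a token from client "external" (scope auth_base) passes an auth_base check, while a token from client "gt" (scope frontend) does not. It assumes spring-security-oauth2 2.x on the classpath. It reaches the post's result with the stock class, by wrapping the user in a fresh UsernamePasswordAuthenticationToken that carries the scope authorities, instead of the CustomOAuth2Authentication subclass above; the class name TokenIsolationDemo, the helper names and the single "client_id" request parameter are assumptions of this example, while the client ids, scopes and user name are taken from the dump.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;

/**
 * Added example (not from the original post): token privilege isolation with the stock
 * OAuth2Authentication. Client ids, scopes and the user name mirror the dump above; the
 * request parameters are reduced to "client_id" for brevity (an assumption of this example).
 */
public class TokenIsolationDemo {

    /** Builds an approved OAuth2Request for a client whose authorities mirror its scope, as in the dump. */
    static OAuth2Request storedRequest(String clientId, String scope) {
        Map<String, String> params = Collections.singletonMap("client_id", clientId);
        Set<String> scopes = new HashSet<>(Collections.singletonList(scope));
        return new OAuth2Request(params, clientId, AuthorityUtils.createAuthorityList(scope), true,
                scopes, Collections.<String>emptySet(), null, Collections.<String>emptySet(),
                Collections.<String, Serializable>emptyMap());
    }

    /** The user authentication the password grant produced in the dump: authenticated, no authorities. */
    static Authentication userWithoutAuthorities() {
        return new UsernamePasswordAuthenticationToken("4738195728608789333", null,
                AuthorityUtils.NO_AUTHORITIES);
    }

    /**
     * Alternative to the post's subclass: OAuth2Authentication copies whatever authorities the user
     * token has, so handing it a user token built with the stored request's authorities is enough.
     */
    static OAuth2Authentication withScopeAuthorities(OAuth2Request stored, Authentication user) {
        Authentication userWithScopes = new UsernamePasswordAuthenticationToken(
                user.getPrincipal(), null, stored.getAuthorities());
        return new OAuth2Authentication(stored, userWithScopes);
    }

    /** What a hasAuthority('auth_base') check on the resource server boils down to. */
    static boolean hasAuthority(Authentication auth, String wanted) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (wanted.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        OAuth2Request external = storedRequest("external", "auth_base");
        OAuth2Request gt = storedRequest("gt", "frontend");
        Authentication user = userWithoutAuthorities();

        // 1. The problem: the stock constructor copies the user's (empty) authorities, not the stored request's.
        OAuth2Authentication stock = new OAuth2Authentication(external, user);
        System.out.println("stock authorities:          " + stock.getAuthorities());
        System.out.println("stored request authorities: " + external.getAuthorities());

        // 2. The fix: rebuild the authentication so getAuthorities() reflects the client's scope.
        Authentication externalToken = withScopeAuthorities(external, user);
        Authentication gtToken = withScopeAuthorities(gt, user);

        // 3. Isolation: same user, two clients; only the token issued to "external" passes the auth_base check.
        System.out.println("external token has auth_base: " + hasAuthority(externalToken, "auth_base"));
        System.out.println("gt token has auth_base:       " + hasAuthority(gtToken, "auth_base"));
        System.out.println("gt token has frontend:        " + hasAuthority(gtToken, "frontend"));
    }
}
```

The choice between this and the subclass is mostly about what the resource server deserializes: if it reads "authorities" from the /user JSON, both approaches produce the same top-level key; if it inspects userAuthentication as well, the wrapper approach also changes the nested "authorities", whereas the subclass leaves the user's own list untouched.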

© 2024 shulou.com SLNews company. All rights reserved.
