我可以使用spring集成和spring security来创建OAuth 2.0反向代理吗?

时间:2014-02-26 16:21:03

标签: spring-security spring-integration spring-security-oauth2

各位 Spring Integration 大师:

我正在为一个从 JSF 应用程序启动的 JavaScript 小部件启用 REST Web 服务调用。这些服务已有 REST 实现,但其中不包含 OAuth 2.0 安全机制。目标是让所有 JS 调用经由一个安全网关转发,同时保持服务本身不变。

为了实现这一目标,我先用 Mule Enterprise 做了第一个原型,其中包含对 Spring Security 的 OAuth 扩展以及 HTTP 入站/出站端点。这是 Mule 方面建议的做法。

之后,我的第二个原型基于 Spring Security / Spring Integration,本质上使用相同的 OAuth 2.0 提供程序、安全规则和 HTTP 入站/出站网关。在咨询 Spring 支持团队时,我被告知这行不通(原因见下)。按我的理解,Mule 和 SI 非常相似,我应该可以把其中一个换成另一个来充当“胶水”。这可能不是 SI 的预想用途,我想确认是否仍然可以这样使用它。

此外,应该如何配置网关,才能基本上只建立一条直通管道并减少开销?

感谢您花时间验证或反驳我的理论。

伊雷娜

配置代码摘录:

    <!-- Security review notes for this resource-server chain:
         * request-matcher="regex" compares each pattern against the request path
           plus "?" and the raw query string, as a full match; the tenant rules
           below depend on that (they contain "\?"). The regex therefore sees the
           query string as sent on the wire, whereas the application reads the
           container-decoded parameters. NOTE(review): an encoded name such as
           "%74enant=5" does not match the literal "tenant=" here but presumably
           decodes to the same "tenant" parameter the service uses; confirm.
         * The query-string regexes only require that ONE "tenant=<digits>"
           parameter is present. A request carrying "tenant" twice (for example
           "?tenant=abc&tenant=5") still matches, so #mycompany.tenantAllowed()
           must read the value the application actually uses and reject multiple
           or non-numeric values instead of trusting this regex alone.
         * Scope, tenant and role checks happen here, before the request is
           proxied; the SI inbound gateways further down do no authorization of
           their own, so every proxied path must have a rule in this list. -->
    <sec:http pattern="/mycompany/api/myws/service/v[^/]+/.*" request-matcher="regex"
    create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
    use-expressions="true" >
    <!-- Bearer-token resource server: no session, no anonymous principal. -->
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway1/op1\?([^&amp;]+&amp;)*tenant=[0-9]+(&amp;[^&amp;]+)*"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed()"
        method="GET" /> 
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway2/op1\?([^&amp;]+&amp;)*tenant=[0-9]+(&amp;[^&amp;]+)*"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed() and hasRole('ROLE1')"
        method="GET" /> 
    <!-- gateway3 rules: tenant and identifier1 are constrained to digits in the
         path; "(\?.+)?" admits any query string, so value restrictions must be
         enforced by the custom expressions and by what the gateways forward. -->
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway3/tenant/[0-9]+/identifier1/[0-9]+(/identifier2/[0-9]+)?(\?.+)?"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed() and #mycompany.identifier1Allowed() and hasRole('ROLE1')"
        method="GET" /> 
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway3/tenant/[0-9]+/identifier1/[0-9]+/op1(\?.+)?"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed() and #mycompany.identifier1Allowed() and #mycompany.issuedForIdentifier1() and hasRole('ROLE1')"
        method="POST" /> 
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway3/tenant/[0-9]+/identifier1/[0-9]+/op2(\?.+)?"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed() and #mycompany.identifier1Allowed() and hasRole('ROLE1')"
        method="POST" /> 
    <!-- identifier3 is "[^/]+": any character except "/" is accepted and later
         placed into the upstream path by the gateway3op3 inbound gateway.
         Tighten this to the real identifier alphabet if one exists. -->
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/gateway3/op3/tenant/[0-9]+/identifier1/[0-9]+/identifier3/[^/]+/identifier4/[0-9]+(\?.+)?"
        access="#oauth2.hasAnyScope('SCOPE1', 'SCOPE2', 'SCOPE3') and #mycompany.tenantAllowed() and #mycompany.identifier1Allowed() and #mycompany.issuedForIdentifier1() and hasRole('ROLE2')"
        method="POST" /> 
    <!-- Effective allow-list: anything not matched above (other paths, other
         methods such as HEAD/OPTIONS, non-numeric tenant/identifier values) is
         rejected. Keep this rule last and in sync with the SI paths below. -->
    <sec:intercept-url pattern="/mycompany/api/myws/service/v[^/]+/.*" access="denyAll()" />
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    <sec:expression-handler ref="oauthWebExpressionHandler" />
</sec:http>

<!-- Proxies GET .../{version}/gateway1/op1 to the upstream service.
     Only the named parameters (tenant, query, format, identifier0) are
     forwarded; anything else in the query string is dropped, which is the
     desired allow-list behaviour.
     NOTE(review): the "queryString" header is built by plain string
     concatenation of already-decoded parameter values. A value containing
     '&', '#' or '%' is re-inserted unencoded, so "query=x%26debug%3D1" would
     reach the upstream URL as "&debug=1", i.e. a second upstream parameter.
     Unless the outbound gateway is known to re-encode the URL for this SI
     version, encode each value before concatenating.
     "tenant" is guaranteed by the security rule for this path, but "query" is
     not; SpEL concatenation with a missing parameter most likely forwards the
     literal text "null" rather than omitting the parameter. -->
<int-http:inbound-gateway id="gateway1op1"      
    request-payload-type="java.lang.String"
    supported-methods="GET" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway1/op1"
    >
    <int-http:header name="outboundMethod" expression="'GET'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway1/op1'"/>
    <int-http:header name="queryString" expression="'?tenant=' + #requestParams['tenant']
        + '&amp;query=' +  #requestParams['query']
        + (#requestParams['format'] != null?'&amp;format=' + #requestParams['format']:'') 
        + (#requestParams['identifier0'] != null?'&amp;identifier0=' + #requestParams['identifier0']:'') "/>
</int-http:inbound-gateway> 


<!-- Proxies GET .../{version}/gateway2/op1 upstream, forwarding tenant,
     format and every "type" value.
     NOTE(review): as in gateway1op1, parameter values are concatenated
     without URL-encoding, so '&', '#' or '%' inside a "type" or "format"
     value can alter the upstream request. Encode each value unless the
     outbound gateway is confirmed to do so.
     The projection ".![...]" treats #requestParams['type'] as a collection
     while "'?tenant=' + #requestParams['tenant']" treats a parameter as a
     scalar; confirm which shape this SI version exposes. When "type" is
     absent the projection runs on null and SpEL most likely throws, which
     surfaces as a server error instead of a clean 400; a null guard (as done
     for "format") avoids that. -->
<int-http:inbound-gateway id="gateway2op1"      
    request-payload-type="java.lang.String"
    supported-methods="GET" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway2/op1"
    >
    <int-http:header name="outboundMethod" expression="'GET'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway2/op1'"/>
    <int-http:header name="queryString" expression="'?tenant=' + #requestParams['tenant']
        + (#requestParams['format'] != null?'&amp;format=' + #requestParams['format']:'') 
        + T(com.google.common.base.Joiner).on('').skipNulls().join(#requestParams['type'] .!['&amp;type=' + #this]) "/>
</int-http:inbound-gateway> 

<!-- Proxies GET .../gateway3/tenant/{tenant}/identifier1/{identifier1}.
     tenant and identifier1 are copied from the path into the upstream path.
     The SI path template accepts any value; the digits-only constraint comes
     solely from the security rule for this path, so this gateway is safe only
     while the security filter chain runs ahead of the SI servlet and that rule
     stays in place. Only "format" is forwarded from the query string, again
     unencoded (see the gateway1op1 note). -->
<int-http:inbound-gateway id="gateway3op1"      
    request-payload-type="java.lang.String"
    supported-methods="GET" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway3/tenant/{tenant}/identifier1/{identifier1}"
    >
    <int-http:header name="outboundMethod" expression="'GET'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway3/tenant/' + #pathVariables.tenant + '/identifier1/' + #pathVariables.identifier1"/>
    <int-http:header name="queryString" expression="(#requestParams['format'] != null?'?format=' + #requestParams['format']:'') "/>
</int-http:inbound-gateway> 

<!-- Proxies GET .../gateway3/tenant/{tenant}/identifier1/{identifier1}/identifier2/{identifier2}.
     Same contract as gateway3op1 with identifier2 appended to the upstream
     path; all three path variables are digits-only by virtue of the security
     rule, not of this template. Only "format" is forwarded, unencoded. -->
<int-http:inbound-gateway id="gateway3Info"      
    request-payload-type="java.lang.String"
    supported-methods="GET" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway3/tenant/{tenant}/identifier1/{identifier1}/identifier2/{identifier2}"
    >
    <int-http:header name="outboundMethod" expression="'GET'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway3/tenant/' + #pathVariables.tenant + '/identifier1/' + #pathVariables.identifier1 + '/identifier2/' + #pathVariables.identifier2"/>
    <int-http:header name="queryString" expression="(#requestParams['format'] != null?'?format=' + #requestParams['format']:'') "/>
</int-http:inbound-gateway> 

<!-- Proxies POST .../gateway3/tenant/{tenant}/identifier1/{identifier1}/{command}.
     {command} is free-form at the SI level and is placed verbatim into the
     upstream path; only the security rules (which admit exactly "op1" and
     "op2" and deny everything else) keep it bounded. If a third command is
     ever added upstream it must be added to the security rules, not here.
     NOTE(review): the security regex inspects only the URL query string, but
     #requestParams for a form-encoded POST may also include body parameters,
     so "format" can arrive from the body; harmless here because it is the only
     forwarded parameter, but worth remembering if more are added. -->
<int-http:inbound-gateway id="gateway3op1op2"      
    supported-methods="POST" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway3/tenant/{tenant}/identifier1/{identifier1}/{command}"
    >
    <int-http:header name="outboundMethod" expression="'POST'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway3/tenant/' + #pathVariables.tenant + '/identifier1/' + #pathVariables.identifier1 + '/' + #pathVariables.command"/>
    <int-http:header name="queryString" expression="(#requestParams['format'] != null?'?format=' + #requestParams['format']:'') "/>
</int-http:inbound-gateway> 

<!-- Proxies POST .../gateway3/op3/tenant/{tenant}/identifier1/{identifier1}/identifier3/{identifier3}/identifier4/{identifier4}.
     NOTE(review): identifier3 is the one path variable the security rule does
     not restrict to digits ("[^/]+"), and it is concatenated, already decoded
     and without re-encoding, into the upstream path. Characters such as '?',
     '#' or '%' in it can change how the upstream server parses the request.
     Prefer tightening the security regex to the identifier's real alphabet,
     or encode the value here. The other three variables are digits-only by
     virtue of the security rule. -->
<int-http:inbound-gateway id="gateway3op3"      
    supported-methods="POST" 
    request-channel="mywsRequest"
    reply-channel="mywsResponse"
    path="/mycompany/api/myws/service/{version}/gateway3/op3/tenant/{tenant}/identifier1/{identifier1}/identifier3/{identifier3}/identifier4/{identifier4}"
    >
    <int-http:header name="outboundMethod" expression="'POST'"/>
    <int-http:header name="version" expression="#pathVariables.version"/>
    <int-http:header name="pathInfo" expression="'gateway3/op3/tenant/' + #pathVariables.tenant + '/identifier1/' + #pathVariables.identifier1 + '/identifier3/' + #pathVariables.identifier3 + '/identifier4/' + #pathVariables.identifier4"/>
    <int-http:header name="queryString" expression="(#requestParams['format'] != null?'?format=' + #requestParams['format']:'') "/>
</int-http:inbound-gateway> 

<!-- Request and reply channels shared by every inbound gateway above and the
     outbound gateway below. A plain <int:channel/> with no sub-element is a
     direct (synchronous) channel in SI, so each proxied call runs end to end
     on the servlet request thread. -->
<int:channel id="mywsRequest" />
<int:channel id="mywsResponse" />

<!-- Forwards each proxied request to the real service. The upstream URL is the
     configured base (@accessor.mywsEndpoint) plus the "pathInfo" and
     "queryString" headers computed by the inbound gateways from request data,
     so any unencoded value those headers carry ends up in the upstream URL
     unchanged. TLS/connection settings for the upstream live in
     "customRequestFactory", which is not shown here. Declaring the response as
     java.lang.String means the whole upstream body is buffered in the proxy's
     memory (the memory concern raised in the reply below).
     NOTE(review): this element is not closed in the excerpt as published. -->
<int-http:outbound-gateway  request-channel="mywsRequest" reply-channel="mywsResponse"
      url-expression="@accessor.mywsEndpoint + headers.pathInfo + headers.queryString"
      http-method-expression="headers.outboundMethod"
      expected-response-type="java.lang.String"
      request-factory="customRequestFactory"
      >

支持回复:

  

SI 可能并不适合这种用途。原因如下:

     
      
  • Spring Integration 使用 “Message” 类型的消息:进入通道的所有内容都必须是 “Message”。这实际上意味着每个 HttpRequest 都需要转换为 SI Message,反之亦然;HttpResponse 也是如此。

  • Spring Integration 不会直接暴露 HttpRequest 对象,而是在 SI 内部隐式处理它,这简化了请求处理(例如可以方便地访问请求参数、头值和路径变量)。但在你的场景中这反而带来了复杂性,这一点从入站网关的配置中就可以看出。

  • 以后可能会出现更普遍的问题,特别是在大请求(例如文件上传)的情况下:所有此类请求都会在代理的内存中处理,这可能会带来问题。

  • 可能存在并发性能问题,因为每个请求都会在单独的线程中处理;不过这个问题并非 SI 特有。

     

以上是我给出的一些理由,建议你重新考虑把 SI 用作代理。我不清楚是什么促使你做出这个决定:你是否看到过相关的示例、教程或博客文章?如果有,请告诉我,我会看一看。

     

最终决定取决于你。同时,我无法就该改用什么给出建议,因为这超出了技术支持的范围。不过如果你有兴趣,我可以联系我们的工程师,为你安排咨询服务。
