Spring security oauth2:在REST webservice中获取用户名

时间:2014-09-03 09:56:32

标签: java spring-security jersey spring-security-oauth2

我创建了一个RESTful Web服务来执行工作流上的操作。使用我自己的授权服务器使用oauth2保护Web服务。 我想在工作流程中添加有关谁对其执行操作的信息。我无法弄清楚是谁获取调用Web服务的用户名。

对于Web服务实现,我使用的是jersey(1.18.1),为了安全起见,我使用的是spring-security-oauth2(2.0.2.RELEASE)。

我正在使用数据库令牌存储,它包含一个表OAUTH_ACCESS_TOKEN(TOKEN_ID,TOKEN,AUTHENTICATION_ID,USER_NAME,CLIENT_ID,AUTHENTICATION,REFRESH_TOKEN),它们看起来像包含正确的信息。它有用户名和令牌,但令牌看起来像一个序列化的java对象,所以我不能自己查询。

网络服务:

@Component
@Path("/workflows")
public class WorkflowRestService {

    @POST
    @Path("/{id}/actions")
    @Produces(MediaType.APPLICATION_JSON)
    @Transactional
    public Response executeActions(@PathParam("id") String id, Map<String, Object> actionArgs) throws JAXBException, HealthDataException {

        //would like to have/get username here.

        Workflow workflow = workflowService.get(id);
        Action action = actionFactory.getAction(actionArgs);
        workflow.execute(action);
        Workflow update = workflowService.update(workflow);
        return Response.ok(update).build();
    }
}

Web服务安全配置:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/security/oauth2
        http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <context:property-placeholder location="classpath:main.properties"/>

    <!-- Protected resources -->
    <http authentication-manager-ref="" pattern="/workflows/**"
          create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false"/>
        <intercept-url pattern="/workflows/**"
                       access="ROLE_USER"/>
        <custom-filter ref="resourceServerFilter"
                       before="PRE_AUTH_FILTER"/>
        <access-denied-handler
                ref="oauthAccessDeniedHandler"/>
    </http>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="dstest"/>
    </bean>

    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
          xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
                <bean class="org.springframework.security.access.vote.RoleVoter"/>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </constructor-arg>
    </bean>

    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider>
            <jdbc-user-service data-source-ref="securityDataSource"/>
        </authentication-provider>
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <!-- Token Store  -->
    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
        <constructor-arg ref="securityDataSource" />
    </bean>

    <bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="supportRefreshToken" value="true"/>
        <property name="clientDetailsService" ref="clientDetails"/>
        <!-- VIV -->
        <property name="accessTokenValiditySeconds" value="10"/>
    </bean>

    <oauth:resource-server id="resourceServerFilter"
                           resource-id="dstest"
                           token-services-ref="tokenServices"/>

    <!-- Client Definition -->
    <oauth:client-details-service id="clientDetails">

        <oauth:client client-id="healthdata-client"
                      authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                      authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
                      redirect-uri="/web"
                      scope="read,write,trust"
                      access-token-validity="300"
                      refresh-token-validity="6000"/>

    </oauth:client-details-service>


    <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
        <sec:expression-handler ref="oauthExpressionHandler"/>
    </sec:global-method-security>
    <oauth:expression-handler id="oauthExpressionHandler"/>
    <oauth:web-expression-handler id="oauthWebExpressionHandler"/>
</beans>

授权服务器配置:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/security/oauth2
        http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <context:property-placeholder location="classpath:main.properties"/>

    <!-- Definition of the Authentication Service -->
    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <anonymous enabled="false"/>
        <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <!--     include this only if you need to authenticate clients via request parameters -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <!-- Protected resources -->
    <http pattern="/users/**"
          create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false"/>
        <intercept-url pattern="/users/**"
                       access="ROLE_USER"/>
        <custom-filter ref="resourceServerFilter"
                       before="PRE_AUTH_FILTER"/>
        <access-denied-handler
                ref="oauthAccessDeniedHandler"/>
    </http>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="dstest"/>
    </bean>

    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="dstest/client"/>
        <property name="typeName" value="Basic"/>
    </bean>

    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

    <bean id="clientCredentialsTokenEndpointFilter"
          class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="clientAuthenticationManager"/>
    </bean>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
          xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
                <bean class="org.springframework.security.access.vote.RoleVoter"/>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- Authentication in config file -->
    <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService"/>
    </authentication-manager>

    <authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider>
            <jdbc-user-service data-source-ref="securityDataSource"/>
        </authentication-provider>
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <!-- Token Store  -->
    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
        <constructor-arg ref="securityDataSource" />
    </bean>

    <bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="supportRefreshToken" value="true"/>
        <property name="clientDetailsService" ref="clientDetails"/>
        <!-- VIV -->
        <property name="accessTokenValiditySeconds" value="10"/>
    </bean>

    <bean id="userApprovalHandler"
          class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="requestFactory" ref="oAuth2RequestFactory"/>
    </bean>

    <!-- Token management -->
    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
                                user-approval-handler-ref="userApprovalHandler" token-endpoint-url="/oauth/token">
        <oauth:authorization-code/>
        <oauth:implicit/>
        <oauth:refresh-token/>
        <oauth:client-credentials/>
        <oauth:password/>
    </oauth:authorization-server>

    <oauth:resource-server id="resourceServerFilter"
                           resource-id="dstest"
                           token-services-ref="tokenServices"/>

    <!-- Client Definition -->
    <oauth:client-details-service id="clientDetails">

        <oauth:client client-id="healthdata-client"
                      authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
                      authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
                      redirect-uri="/web"
                      scope="read,write,trust"
                      access-token-validity="300"
                      refresh-token-validity="6000"/>

    </oauth:client-details-service>


    <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
        <sec:expression-handler ref="oauthExpressionHandler"/>
    </sec:global-method-security>
    <oauth:expression-handler id="oauthExpressionHandler"/>
    <oauth:web-expression-handler id="oauthWebExpressionHandler"/>
</beans>

1 个答案:

答案 0 :(得分:16)

由于您使用Spring Security进行身份验证,我希望您可以访问SecurityContext(通过通常的线程本地访问者):

Authentication authentication = SecurityContextHolder.getContext()
    .getAuthentication();

或通过HttpServletRequest

Principal principal = request.getUserPrincipal();

(或者如果您使用的是Spring MVC,只需在Principal)中添加@Controller作为方法参数。在任何一种情况下,由于您是Spring OAuth过滤器的后面,您还应该发现Principal/AuthenticationOAuth2Authentication的实例,用户详细信息和客户端都在那里。