我对 OAuth 还很陌生，尤其是 Spring OAuth2。在我的项目中，我通过 XML 配置启用了 Spring Security 的 provider，来使用最基本的 Spring OAuth。
当前配置允许拥有 ROLE_CLIENT 的客户端访问我的服务。数据库内容就是 Spring 参考文档里给出的参考 schema。
但现在我需要把 Spring Security 的授权扩展到用户级别的权限（USER RIGHTS），而不是像 Spring 默认那样只基于 ROLE 做判断。
现在我有以下数据表：
在继续使用 OAuth2 的前提下，怎样用 Spring Security 按用户权限对我的 API 做授权？
这是我的安全上下文配置文件 security.xml：
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
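<!-- Token endpoint. Clients authenticate here (HTTP Basic, or client_id/client_secret form
     parameters through clientCredentialsTokenEndpointFilter) to obtain access tokens.
     Client secrets and freshly issued tokens cross this endpoint, so it requires HTTPS,
     consistent with the /api/** block below. Stateless: no HTTP session is ever created. -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- No anonymous authentication filter: an unauthenticated request goes straight to the entry point. -->
<anonymous enabled="false" />
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" requires-channel="https" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- Include this only if clients must be able to send their credentials as request parameters
     instead of HTTP Basic; it is a second way of presenting the client secret. -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>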
<!-- Resource server: /api/** is protected by OAuth2 bearer tokens. It is kept in its own
     <http> block so that token authentication, authorization and error handling are
     configured independently of the token endpoint above. -->
<http xmlns="http://www.springframework.org/schema/security"
pattern="/api/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<anonymous enabled="false" />
<!-- Plain (non-SpEL) access attribute, decided by the RoleVoter in accessDecisionManager.
     RoleVoter only votes on attributes that start with its ROLE_ prefix; an attribute such
     as RIGHT_X would be abstained on by every configured voter and the request denied. -->
<intercept-url pattern="/api/**" requires-channel="https" access="ROLE_CLIENT" />
<!-- Extracts and validates the bearer token ahead of the pre-auth slot of the filter chain. -->
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- Client registry backed by the reference schema's oauth_client_details table. -->
<bean id="clientDetails"
class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService">
<constructor-arg ref="dataSource" />
</bean>
<!-- Password hashing: bcrypt with work factor 11. The same encoder is used for client
     secrets (clientAuthenticationManager) and for user passwords (authenticationManager),
     so both must be stored as bcrypt hashes, never in clear text. -->
<bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<constructor-arg name="strength" value="11" />
</bean>
<!-- Adapts the client registry to the UserDetailsService contract so that clients can be
     authenticated by client_id/client_secret through a standard authentication provider. -->
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<!-- Token persistence. JdbcTokenStore keeps access and refresh tokens in the database, so
     they survive a restart and are visible to every instance sharing the dataSource.
     org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore can be
     swapped in for tests only: its tokens vanish with the JVM. -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="dataSource" />
</bean>
<!-- Token services: creates, refreshes and validates tokens. Persistence is not its job;
     that is delegated to tokenStore. -->
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="clientDetailsService" ref="clientDetails" />
<property name="tokenStore" ref="tokenStore" />
<!-- Refresh tokens are issued. Their lifetime is not set here, so the DefaultTokenServices
     default applies (30 days in the versions I know; confirm for the version in use). -->
<property name="supportRefreshToken" value="true" />
<!-- Access tokens live 75 minutes; a per-client validity in the client registry may override this. -->
<property name="accessTokenValiditySeconds" value="4500" />
</bean>
<!-- Builds OAuth2 authorization/token requests (scopes, redirect URI, ...) from the
     client registration; the approval handler below needs it. -->
<bean id="oAuth2RequestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails" />
</bean>
<!-- User-approval step of the authorization-code and implicit grants. This implementation
     remembers approvals through tokens already present in the token store, which is why it
     shares the JDBC store with tokenServices (the older TokenServicesUserApprovalHandler
     variant was dropped). -->
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="requestFactory" ref="oAuth2RequestFactory" />
</bean>
<!-- 401 handling for the resource server: OAuth2-style challenge (typeName defaults to
     Bearer) with the given realm. -->
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="Authorization" />
</bean>
<!-- 401 handling for the token endpoint: a Basic challenge, since clients authenticate
     with client_id/client_secret there. -->
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="typeName" value="Basic" />
<property name="realmName" value="Authorization/client" />
</bean>
<!-- 403 handling rendered as an OAuth2 error response; shared by both <http> blocks. -->
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
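<!-- Authenticates clients that send client_id/client_secret as request parameters to
     /oauth/token. It is wired to clientAuthenticationManager, which knows only registered
     clients. Wiring it to the user-facing authenticationManager instead would let a
     resource owner's username/password (and anything else that manager accepts) pass as
     client credentials. -->
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>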
<!-- Access decisions for /api/**. UnanimousBased: every voter that does not abstain must
     grant, and when all of them abstain the request is denied (the default setting).
     Each voter only understands its own attribute prefix: ScopeVoter SCOPE_*, RoleVoter
     ROLE_*, AuthenticatedVoter IS_AUTHENTICATED_*. There is no WebExpressionVoter, so SpEL
     access expressions in intercept-url would not be evaluated by this manager. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
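<!-- An earlier, commented-out variant of the two authentication managers (a client manager
     declared by id, and an in-memory user-service with a hard-coded user/password) was
     removed: it duplicated the live definitions below and left a clear-text credential in
     this configuration file. -->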
<!-- Authenticates OAuth2 clients (client_id/client_secret) against the client registry.
     Used by the /oauth/token <http> block. Because secrets are checked through
     passwordEncoder, the client_secret column must hold bcrypt hashes. -->
<authentication-manager alias="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<!-- Authenticates resource owners (end users), e.g. for the password grant. Providers are
     tried in order: first the JDBC user store (default users/authorities queries against the
     reference schema) with bcrypt, then the client registry.
     The authority strings loaded from the authorities table are not required to start with
     ROLE_, so user rights can be stored there and checked with hasAuthority('...'). -->
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<!-- The shared bcrypt encoder replaces an earlier SHA-based password-encoder. -->
<password-encoder ref="passwordEncoder" />
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
<!-- NOTE(review): this second provider means a client_id/client_secret pair is accepted
     wherever this manager is used, including as the "user" of the password grant. It looks
     like it exists only so that clientCredentialsTokenEndpointFilter can authenticate
     clients; once that filter points at clientAuthenticationManager it can be dropped. -->
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<!-- Authorization server (behaviour of the token and authorize endpoints). Every grant type
     is enabled here; which ones a given client may actually use is expected to be limited
     per client in the client registry (authorized grant types). NOTE(review): in the 2.0.x
     versions I know an empty per-client grant list means "all grant types allowed"; confirm
     the oauth_client_details rows are populated. -->
<oauth:authorization-server
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<!-- Browser-redirect grants; both depend on the registered redirect URIs of the client.
     Implicit returns the token in the URL fragment, so keep it only for browser-based clients. -->
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<!-- Resource-owner password grant: the user's credentials are checked by authenticationManager. -->
<oauth:password authentication-manager-ref="authenticationManager"/>
</oauth:authorization-server>
<!-- Resource-server filter for /api/**: validates bearer tokens through tokenServices and
     establishes the OAuth2 authentication. resource-id should appear in the resource ids of
     the client registration; a token whose client lists other resource ids only is rejected
     (an empty list passes in the 2.0.x versions I know; verify for the version in use). -->
<oauth:resource-server
id="resourceServerFilter"
resource-id="rest_api"
token-services-ref="tokenServices" />
<!-- Method-level security via @PreAuthorize/@PostAuthorize. This is the natural place for
     per-user right checks: a GrantedAuthority string need not start with ROLE_, so rights
     loaded as authorities can be checked with @PreAuthorize("hasAuthority('RIGHT_X')"),
     and #oauth2.hasScope(...) stays available through the OAuth2 expression handler. -->
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<!-- The expression handler could instead be wired at the layer of the http filters;
     see https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<!-- NOTE(review): declared but not referenced anywhere in this file. To use SpEL or #oauth2
     expressions in <intercept-url access="..."> the /api/** <http> block needs
     use-expressions="true" and an <expression-handler ref="oauthWebExpressionHandler"/>. -->
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
答案 0 :(得分:0)
在你的 UserDetails 实现类中添加一个检查给定权限（RIGHT）的方法，然后在下面这个 `<http>` 块里：
<http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**" access="ROLE_CLIENT" requires-channel="https"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
把原来的这一行：
<intercept-url pattern="/api/**" access="ROLE_CLIENT" requires-channel="https"/>
替换为：
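<!-- SpEL access expression. Prerequisites: use-expressions="true" on the enclosing <http>,
     and a WebExpressionVoter in the access-decision-manager (or no
     access-decision-manager-ref at all), otherwise the expression is never evaluated.
     The ROLE_CLIENT requirement is kept and the user-right check added to it. 'principal'
     is the authenticated principal object; it must be your UserDetails type exposing
     hasHasSpecificRight(). For client_credentials tokens the principal is the client id
     string rather than a user object, so guard that case before calling a user method. -->
<intercept-url pattern="/api/**" access="hasRole('ROLE_CLIENT') and principal.hasHasSpecificRight()" requires-channel="https"/>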
其中 hasHasSpecificRight() 是你在 UserDetails 实现类上检查所需权限的方法（示例里的方法名只是占位符）。还有几点必须注意，否则这行配置不会生效：
(1) intercept-url 的 access 里要写 SpEL 表达式，必须在 /api/** 的 `<http>` 上加 use-expressions="true"，此时原来的 ROLE_CLIENT 也要改写成 hasRole('ROLE_CLIENT')；
(2) 你自定义的 accessDecisionManager 只有 ScopeVoter、RoleVoter 和 AuthenticatedVoter，没有 WebExpressionVoter，表达式不会被求值，而 UnanimousBased 在所有 voter 都弃权时会拒绝访问——要么去掉 access-decision-manager-ref，要么加入 WebExpressionVoter 并把已定义但未使用的 oauthWebExpressionHandler 接到 `<http>` 上；
(3) 对 client_credentials 方式颁发的令牌，principal 是 client id 字符串而不是用户对象，直接调用用户方法会失败，表达式要先判断这种情况（请以你使用的版本核实）；
(4) 更简单也更常见的做法：把用户权限作为 GrantedAuthority 字符串加载（不要求 ROLE_ 前缀），然后用你已经配置好的 global-method-security 在服务方法上写 @PreAuthorize("hasAuthority('RIGHT_X')")，或在 intercept-url 里用 hasAuthority('RIGHT_X')。