Question

所以，我有一个oAuth2应用程序，它是jHipster应用程序（使用mongodb）。我想将3个资源应用程序连接到该应用程序，但所有应用程序应共享相同的用户群，以便用户只能登录一次。

有没有办法使用jHipster在Spring Boot中配置多个资源，这样它就不会成为在访问资源之前需要用户名和密码的单独客户端？

还有如何为每个资源服务器指定用户角色？

所有应用程序都基于spring-boot。

下图是我想要完成的事情的简单视图。

enter image description here

因此OAuth2应用程序具有授权服务器配置：

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends
        AuthorizationServerConfigurerAdapter implements EnvironmentAware {

    private static final String ENV_OAUTH = "authentication.oauth.";
    private static final String PROP_CLIENTID = "clientid";
    private static final String PROP_SECRET = "secret";
    private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";

    private RelaxedPropertyResolver propertyResolver;

    @Inject
    private OAuth2AccessTokenRepository oAuth2AccessTokenRepository;

    @Inject
    private OAuth2RefreshTokenRepository oAuth2RefreshTokenRepository;

    @Bean
    public TokenStore tokenStore() {
        return new MongoDBTokenStore(oAuth2AccessTokenRepository,
                oAuth2RefreshTokenRepository);
    }

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {

        endpoints.tokenStore(tokenStore()).authenticationManager(
                authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
                .withClient("app-auth")
                .scopes("read", "write")
                .authorities(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
                .authorizedGrantTypes("password", "refresh_token")
                .secret(propertyResolver.getProperty(PROP_SECRET))
                .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800))

                .and()

                .withClient("app-A")
                .scopes("read", "write")
                .authorities(AuthoritiesConstants.ADMIN,AuthoritiesConstants.USER)
                .authorizedGrantTypes("password", "refresh_token")
                .secret(propertyResolver.getProperty(PROP_SECRET))
                .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800))

                .and()

                .withClient("app-A")
                .scopes("read", "write")
                .authorities(AuthoritiesConstants.ADMIN,AuthoritiesConstants.USER)
                .authorizedGrantTypes("password", "refresh_token")
                .secret(propertyResolver.getProperty(PROP_SECRET))
                .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800))

                .and()

                .withClient("app-C")
                .scopes("read", "write")
                .authorities(AuthoritiesConstants.ADMIN,AuthoritiesConstants.USER)
                .authorizedGrantTypes("password", "refresh_token")
                .secret(propertyResolver.getProperty(PROP_SECRET))
                .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800));


    }

    @Override
    public void setEnvironment(Environment environment) {
        this.propertyResolver = new RelaxedPropertyResolver(environment,
                ENV_OAUTH);
    }
}

OAuth2应用程序也有资源服务器配置：

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends
        ResourceServerConfigurerAdapter {

@Inject
private Http401UnauthorizedEntryPoint authenticationEntryPoint;

@Inject
private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

@Override
public void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
            .and()
            .csrf()
            .requireCsrfProtectionMatcher(
                    new AntPathRequestMatcher("/oauth/authorize"))
            .disable().headers().frameOptions().disable()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests().antMatchers("/api/authenticate")
            .permitAll().antMatchers("/api/register").permitAll()
            .antMatchers("/api/logs/**")
            .hasAnyAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/**").authenticated()
            .antMatchers("/metrics/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/health/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/trace/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/dump/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/shutdown/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/beans/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/configprops/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/info/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/autoconfig/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/env/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/trace/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api-docs/**")
            .hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/protected/**").authenticated();
        }
    }

App A上的资源服务器（B和C几乎相同）：

@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().antMatchers("/api/**")
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
            .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
            .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
            .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
            .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')");
}

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("app-A");
    }

}

Answer 1

默认情况下，

@EnableResourceServer注释会保护您的所有资源（如果同一应用程序中存在授权服务器，则AuthorizationEndpoint明确忽略或公开的资源除外）。

如果要在同一个应用程序中设置多个资源服务器，可以这样做：

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

import java.util.Collections;
import java.util.List;

@Configuration
public class ResourceServersConfig {

    @Bean
    protected ResourceServerConfiguration adminResources() {
        ResourceServerConfiguration resource = new ResourceServerConfiguration() {
            public void setConfigurers(List<ResourceServerConfigurer> configurers) {
                super.setConfigurers(configurers);
            }
        };
        resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("admin-resources");
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/rest/admin/**").authorizeRequests().anyRequest()
                        .access("#oauth2.hasScope('administration') and #oauth2.clientHasRole('admin')");
            }
        }));
        resource.setOrder(3);
        return resource;
    }

    @Bean
    protected ResourceServerConfiguration userResources() {
        ResourceServerConfiguration resource = new ResourceServerConfiguration() {
            public void setConfigurers(List<ResourceServerConfigurer> configurers) {
                super.setConfigurers(configurers);
            }
        };
        resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("user-resources");
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/rest/user/**").authorizeRequests().anyRequest()
                        .access("#oauth2.hasAnyScope('offer','order') and #oauth2.clientHasRole('user')");
            }
        }));
        resource.setOrder(4);
        return resource;
    }

}

请查看Dave Syer's example。

具有spring boot和jHipster的多个资源服务器的OAuth2 SSO

1 个答案: