Spring Session / Redis和Oauth2无法一起使用

时间:2018-11-26 12:04:32

标签: spring-security redis oauth-2.0 spring-security-oauth2 spring-session

Oauth2和Redis不能一起玩。启用S​​pring Session后,在我通过身份验证(OIDC)后会创建两个会话ID,并将其发送回应用程序-Redis的一个JSESSIONID和Spring Security Oauth的另一个。一旦我禁用Redis / Spring Session,一切都会很好。

我创建了一个非常小的Maven应用程序,可以从以下位置下载该应用程序: http://folk.uio.no/erlendfg/oidc/oidc.zip

如果我在本地主机上运行Jetty和Redis的应用程序,则可以在本地重现该问题。如Firefox的屏幕截图所示,创建了两个会话cookie: http://folk.uio.no/erlendfg/oidc/two-sessions.png

我遵循了Baeldung的指南,但是做了一些小的更改,以使该应用程序与我们的OIDC提供程序兼容。 https://www.baeldung.com/spring-security-openid-connect

所有这些类在zip文件中都可用(请参见上面的链接)。最重要的是:

RedisConfiguration.java

@Configuration
@EnableRedisHttpSession(redisNamespace = "oidc", maxInactiveIntervalInSeconds = 10800)
public class RedisConfiguration {

  @Bean
  public LettuceConnectionFactory connectionFactory() {
    return new LettuceConnectionFactory("localhost", 6379);
  }

}

FeideOpenIdConnectConfig.java

@Configuration
@EnableOAuth2Client
public class FeideOpenIdConnectConfig {

  @Value("${feide.auth.clientId}")
  private String clientId;

  @Value("${feide.auth.clientSecret}")
  private String clientSecret;

  @Value("${feide.auth.accessTokenUri}")
  private String accessTokenUri;

  @Value("${feide.auth.userAuthorizationUri}")
  private String userAuthorizationUri;

  @Value("${feide.auth.preEstablishedRedirectUri}")
  private String preEstablishedRedirectUri;


  @Bean
  public OAuth2ProtectedResourceDetails feideOpenId() {
    AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
    details.setClientId(clientId);
    details.setClientSecret(clientSecret);
    details.setAccessTokenUri(accessTokenUri);
    details.setUserAuthorizationUri(userAuthorizationUri);
    details.setScope(Arrays.asList("openid", "email", "userid-feide", "profile", "groups"));
    details.setPreEstablishedRedirectUri(preEstablishedRedirectUri);
    details.setUseCurrentUri(false);
    details.setGrantType("authorization_code");
    return details;
  }


  @Bean
  public OAuth2RestTemplate feideOpenIdTemplate(OAuth2ClientContext clientContext) {
    return new OAuth2RestTemplate(feideOpenId(), clientContext);
  }

}

FeideConnectFilter.java

public class FeideConnectFilter extends OAuth2ClientAuthenticationProcessingFilter {

  public FeideConnectFilter(String defaultFilterProcessesUrl) {
    super(defaultFilterProcessesUrl);
  }


  @Override
  public Authentication attemptAuthentication(final HttpServletRequest request, final HttpServletResponse response) throws AuthenticationException, IOException, ServletException {

    OAuth2AccessToken accessToken;
    try {
      accessToken = restTemplate.getAccessToken();
    } catch (OAuth2Exception e) {
      throw new BadCredentialsException("Could not obtain access token", e);
    }
    try {
      String idToken = accessToken.getAdditionalInformation().get("id_token").toString();
      Jwt tokenDecoded = JwtHelper.decodeAndVerify(idToken, verifier("https://auth.dataporten.no/openid/jwks"));

      @SuppressWarnings("unchecked")
      Map<String, String> authInfo = new ObjectMapper().readValue(tokenDecoded.getClaims(), Map.class);

      verifyClaims(authInfo, "https://auth.dataporten.no");

      request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, accessToken.getValue());
      request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, accessToken.getTokenType());

      OpenIdConnectUserDetails user = new OpenIdConnectUserDetails(authInfo, accessToken);
      return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    } catch (Exception e) {
      throw new BadCredentialsException("Could not obtain user details from token", e);
    }
  }


  @Override
  protected boolean requiresAuthentication(final HttpServletRequest request, final HttpServletResponse response) {
    if (super.requiresAuthentication(request, response)) {
      return true;
    }

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

    // Already authenticated:
    if (authentication != null) {
      return false;
    }
    OAuth2AccessToken accessToken = restTemplate.getAccessToken();
    if (accessToken == null) {
        return true;
    }
    return true;
  }


  @SuppressWarnings("rawtypes")
  protected void verifyClaims(final Map claims, final String issuer) {
    int exp = (Integer) claims.get("exp");
    Date expireDate = new Date(exp * 1000L);
    Date now = new Date();
    if (expireDate.before(now) || !claims.get("iss").equals(issuer) ||
            !claims.get("aud").equals(restTemplate.getResource().getClientId())) {
      throw new RuntimeException("Invalid claims");
    }
  }


  protected RsaVerifier verifier(final String jwkSigningUri) throws Exception {
    CustomUrlJwkProvider provider = new CustomUrlJwkProvider(new URL(jwkSigningUri));
    Jwk jwk = provider.getJwk();
    return new RsaVerifier((RSAPublicKey) jwk.getPublicKey());
  }


  protected HttpHeaders getHttpHeaders() {
    HttpHeaders headers = new HttpHeaders();
    headers.set("Authorization", "Bearer " + restTemplate.getAccessToken());
    return headers;
  }

}

SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Inject
  private OAuth2RestTemplate restTemplate;


  @Bean
  public FeideConnectFilter feideConnectFilter() {
    FeideConnectFilter filter = new FeideConnectFilter("/oauth/login");
    filter.setRestTemplate(restTemplate);
    return filter;
  }


  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
        .addFilterAfter(feideConnectFilter(), OAuth2ClientContextFilter.class)
        .httpBasic()
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/oauth2/login"))
        .and()
        .authorizeRequests()
        .anyRequest().authenticated();
  }

}

按以下顺序添加过滤器(在WebInitializer.java中):

private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {
  container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class).addMappingForUrlPatterns(null, false, "/*");
  container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class).addMappingForUrlPatterns(null, false, "/*");
}

1 个答案:

答案 0 :(得分:0)

如果我使用Spring Security自己的OIDC实现(在版本5中引入),则OIDC可以与Spring Session一起使用。顺便说一句,它令人惊讶地易于实现,几乎没有代码。当Spring Security团队在Spring Security中增加了对OIDC和SAML2.0的支持时,他们做了出色的工作。换句话说,我找到了解决方案。