I have a Spring Boot REST API protected with OAuth2. My authentication server and resource server are two separate applications. All of the REST API security works fine with a REST client. Now I need to write security test cases. I use the following code to generate an access token. Some endpoints require claims that are added manually in the REST method. The program returns a valid access token, but the claims are not included in the token.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

private String generateToken(String... authorities) {
    // Converter that encodes and signs the JWT; the resource server must be configured with the same HMAC secret.
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("123");
    DefaultTokenServices tokenService = new DefaultTokenServices();
    JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
    tokenService.setTokenStore(jwtTokenStore);
    tokenService.setTokenEnhancer(converter);

    Collection<GrantedAuthority> grantAuthorities = new ArrayList<>();
    if (authorities != null) {
        for (String authority : authorities) {
            grantAuthorities.add(new SimpleGrantedAuthority(authority));
        }
    }

    Set<String> resourceIds = Collections.emptySet();
    Set<String> scopes = Collections.emptySet();
    Map<String, String> requestParameters = Collections.emptyMap();
    boolean approved = true;
    String redirectUrl = null;
    Set<String> responseTypes = Collections.emptySet();
    Map<String, Serializable> extensionProperties = Collections.emptyMap();
    OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, "web-client", grantAuthorities,
            approved, scopes, resourceIds, redirectUrl, responseTypes, extensionProperties);

    User userPrincipal = new User("user", "", true, true, true, true, grantAuthorities);
    UsernamePasswordAuthenticationToken authenticationToken =
            new UsernamePasswordAuthenticationToken(userPrincipal, null, grantAuthorities);
    OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);

    // The converter runs inside createAccessToken, so the returned value is already an encoded, signed JWT.
    OAuth2AccessToken accessToken = tokenService.createAccessToken(auth);

    Map<String, Object> claims = new HashMap<>();
    List<Long> tenantIds = new ArrayList<>();
    tenantIds.add(1L);
    claims.put("role", 1L);
    claims.put("tenants", tenantIds);
    // This changes only the in-memory token object; the JWT string returned below is not re-encoded.
    ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(claims);
    return accessToken.getValue();
}
How do I add claims to this token?
Answer 0 (score: -1)
Finally found the solution. Add a TokenEnhancerChain to the code.
Here is the final code:
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

private String generateToken(String... authorities) {
    // Converter that encodes and signs the JWT; the resource server must be configured with the same HMAC secret.
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("123");
    // No enhancer is set on the token services here, so createAccessToken returns a plain
    // (UUID-valued) token; the JWT is produced by the enhancer chain below.
    DefaultTokenServices tokenService = new DefaultTokenServices();
    JwtTokenStore jwtTokenStore = new JwtTokenStore(converter);
    tokenService.setTokenStore(jwtTokenStore);

    Collection<GrantedAuthority> grantAuthorities = new ArrayList<>();
    if (authorities != null) {
        for (String authority : authorities) {
            grantAuthorities.add(new SimpleGrantedAuthority(authority));
        }
    }

    Set<String> resourceIds = Collections.emptySet();
    Set<String> scopes = Collections.emptySet();
    Map<String, String> requestParameters = Collections.emptyMap();
    boolean approved = true;
    String redirectUrl = null;
    Set<String> responseTypes = Collections.emptySet();
    Map<String, Serializable> extensionProperties = Collections.emptyMap();
    OAuth2Request oAuth2Request = new OAuth2Request(requestParameters, "web-client", grantAuthorities,
            approved, scopes, resourceIds, redirectUrl, responseTypes, extensionProperties);

    User userPrincipal = new User("user", "", true, true, true, true, grantAuthorities);
    UsernamePasswordAuthenticationToken authenticationToken =
            new UsernamePasswordAuthenticationToken(userPrincipal, null, grantAuthorities);
    OAuth2Authentication auth = new OAuth2Authentication(oAuth2Request, authenticationToken);

    OAuth2AccessToken accessToken = tokenService.createAccessToken(auth);

    // CustomTokenEnhancer attaches the claims as additionalInformation; the converter, which must
    // run last, then serialises them into the JWT payload and signs the result.
    TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
    tokenEnhancerChain.setTokenEnhancers(
            Arrays.<TokenEnhancer>asList(new CustomTokenEnhancer(), converter));
    accessToken = tokenEnhancerChain.enhance(accessToken, auth);
    return accessToken.getValue();
}
Important: add the JwtAccessTokenConverter as the last element of the token enhancer list.
Here is the CustomTokenEnhancer class:
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Only enhance() is needed, so the class implements TokenEnhancer directly instead of extending
// JwtAccessTokenConverter (which would override the converter's own enhance()).
public class CustomTokenEnhancer implements TokenEnhancer {
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        Map<String, Object> claims = new HashMap<>();
        List<Long> tenantIds = new ArrayList<>();
        tenantIds.add(1L);
        claims.put("role", 1L);
        claims.put("tenants", tenantIds);
        claims.put("userId", "admin@abc.com");
        // additionalInformation is what JwtAccessTokenConverter copies into the JWT claims.
        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(claims);
        return accessToken;
    }
}
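As an added example, not code from the question or the answer above: the test helper below parameterises the claims instead of hard-coding them in the enhancer, and then checks the two things a security test should actually assert, namely that the custom claims are present in the decoded payload and that the token fails verification under any key other than the one the resource server is configured with. The class name TestJwtFactory and the "placeholder" seed token are assumptions; unlike the answer it does not go through DefaultTokenServices, it seeds the chain with a DefaultOAuth2AccessToken directly, which is enough because JwtAccessTokenConverter.enhance() re-encodes and signs whatever it is given. The key "123" is kept only to match the page; a real test should load the resource server's secret from configuration rather than a literal, and an HMAC secret this short is trivially guessable. Note also that Spring Security OAuth 2.x (the JwtAccessTokenConverter and TokenEnhancerChain classes used here) is end of life, so this is for maintaining existing test suites rather than new work.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

/** Hypothetical test-only helper: mints a JWT with caller-supplied claims and verifies it. */
public class TestJwtFactory {

    private final String signingKey;

    public TestJwtFactory(String signingKey) {
        this.signingKey = signingKey;
    }

    /** Builds a signed JWT for the given user, authorities and custom claims. */
    public String mint(String username, Map<String, Object> customClaims, String... authorities) {
        List<GrantedAuthority> granted = Arrays.stream(authorities)
                .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        OAuth2Request request = new OAuth2Request(Collections.emptyMap(), "web-client", granted,
                true, Collections.emptySet(), Collections.emptySet(), null,
                Collections.emptySet(), Collections.emptyMap());
        User principal = new User(username, "", true, true, true, true, granted);
        OAuth2Authentication auth = new OAuth2Authentication(request,
                new UsernamePasswordAuthenticationToken(principal, null, granted));

        // Enhancer that merges the caller's claims into additionalInformation. It must run BEFORE
        // the converter, because the converter serialises additionalInformation into the payload.
        TokenEnhancer claimsEnhancer = (token, authentication) -> {
            DefaultOAuth2AccessToken copy = new DefaultOAuth2AccessToken(token);
            Map<String, Object> info = new LinkedHashMap<>(token.getAdditionalInformation());
            info.putAll(customClaims);
            copy.setAdditionalInformation(info);
            return copy;
        };
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);

        TokenEnhancerChain chain = new TokenEnhancerChain();
        chain.setTokenEnhancers(Arrays.asList(claimsEnhancer, converter)); // converter last

        // Seed token: its value is replaced by the encoded JWT; exp becomes the "exp" claim.
        DefaultOAuth2AccessToken seed = new DefaultOAuth2AccessToken("placeholder");
        seed.setExpiration(new Date(System.currentTimeMillis() + 60_000L));
        return chain.enhance(seed, auth).getValue();
    }

    /** Verifies the HMAC signature with the given key and returns the decoded claims. */
    public static Map<String, Object> verify(String jwt, String key) throws Exception {
        Jwt decoded = JwtHelper.decodeAndVerify(jwt, new MacSigner(key)); // throws on bad signature
        return new ObjectMapper().readValue(decoded.getClaims(),
                new TypeReference<Map<String, Object>>() { });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample claims; a real test takes these from the case under test.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("role", 1L);
        claims.put("tenants", Arrays.asList(1L));
        claims.put("userId", "admin@abc.com");

        TestJwtFactory factory = new TestJwtFactory("123"); // toy key from the page, test use only
        String jwt = factory.mint("user", claims, "ROLE_USER");

        Map<String, Object> payload = verify(jwt, "123");
        if (!payload.containsKey("tenants") || !"user".equals(payload.get("user_name"))) {
            throw new IllegalStateException("custom claims missing from token: " + payload);
        }
        try {
            verify(jwt, "not-the-resource-server-key");
            throw new IllegalStateException("token verified under the wrong key");
        } catch (InvalidSignatureException expected) {
            // A resource server configured with a different secret rejects this token.
        }
        System.out.println("decoded claims: " + payload);
    }
}
```

The "user_name", "authorities", "jti" and "exp" entries in the decoded map come from the converter's DefaultAccessTokenConverter; the custom entries appear alongside them because the converter copies additionalInformation into the payload before signing. Running the same verify() against the key the resource server uses in its own JwtAccessTokenConverter is the quickest way to confirm the test token will be accepted there.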