devbox
正经夜光杯
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

spring security oauth2 github 用户权限(GrantedAuthoritiesMapper)_set authorities

作者:正经夜光杯 | 2024-06-28 11:48:28

set authorities

spring security oauth2 github 用户权限(GrantedAuthoritiesMapper)

 

应用:为三方授权用户设置自定义的权限

 

 

*****************************

相关类及接口

 

*********************

默认权限设置

 

DefaultOAuth2UserService:获取用户信息的默认实现类,同时为三方用户添加权限

  1. public class DefaultOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
  2.     private static final String MISSING_USER_INFO_URI_ERROR_CODE = "missing_user_info_uri";
  3.     private static final String MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE = "missing_user_name_attribute";
  4.     private static final String INVALID_USER_INFO_RESPONSE_ERROR_CODE = "invalid_user_info_response";
  5.     private static final ParameterizedTypeReference<Map<String, Object>> PARAMETERIZED_RESPONSE_TYPE = new ParameterizedTypeReference<Map<String, Object>>() {
  6.     };
  7.     private Converter<OAuth2UserRequest, RequestEntity<?>> requestEntityConverter = new OAuth2UserRequestEntityConverter();
  8.     private RestOperations restOperations;
  9.  
  10.     public DefaultOAuth2UserService() {
  11.         RestTemplate restTemplate = new RestTemplate();
  12.         restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
  13.         this.restOperations = restTemplate;
  14.     }
  15.  
  16.     public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
  17.         Assert.notNull(userRequest, "userRequest cannot be null");
  18.         if (!StringUtils.hasText(userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri())) {
  19.             OAuth2Error oauth2Error = new OAuth2Error("missing_user_info_uri", "Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: " + userRequest.getClientRegistration().getRegistrationId(), (String)null);
  20.             throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
  21.         } else {
  22.             String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
  23.             if (!StringUtils.hasText(userNameAttributeName)) {
  24.                 OAuth2Error oauth2Error = new OAuth2Error("missing_user_name_attribute", "Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: " + userRequest.getClientRegistration().getRegistrationId(), (String)null);
  25.                 throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
  26.             } else {
  27.                 RequestEntity request = (RequestEntity)this.requestEntityConverter.convert(userRequest);
  28.  
  29.                 ResponseEntity response;
  30.                 OAuth2Error oauth2Error;
  31.                 try {
  32.                     response = this.restOperations.exchange(request, PARAMETERIZED_RESPONSE_TYPE);
  33.                 } catch (OAuth2AuthorizationException var10) {
  34.                     oauth2Error = var10.getError();
  35.                     StringBuilder errorDetails = new StringBuilder();
  36.                     errorDetails.append("Error details: [");
  37.                     errorDetails.append("UserInfo Uri: ").append(userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri());
  38.                     errorDetails.append(", Error Code: ").append(oauth2Error.getErrorCode());
  39.                     if (oauth2Error.getDescription() != null) {
  40.                         errorDetails.append(", Error Description: ").append(oauth2Error.getDescription());
  41.                     }
  42.  
  43.                     errorDetails.append("]");
  44.                     oauth2Error = new OAuth2Error("invalid_user_info_response", "An error occurred while attempting to retrieve the UserInfo Resource: " + errorDetails.toString(), (String)null);
  45.                     throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), var10);
  46.                 } catch (RestClientException var11) {
  47.                     oauth2Error = new OAuth2Error("invalid_user_info_response", "An error occurred while attempting to retrieve the UserInfo Resource: " + var11.getMessage(), (String)null);
  48.                     throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), var11);
  49.                 }
  50.  
  51.                 Map<String, Object> userAttributes = (Map)response.getBody();
  52.                 Set<GrantedAuthority> authorities = new LinkedHashSet();
  53.                 authorities.add(new OAuth2UserAuthority(userAttributes)); //为用户设置默认的权限
  54.  
  55.                 OAuth2AccessToken token = userRequest.getAccessToken();
  56.                 Iterator var8 = token.getScopes().iterator();
  57.  
  58.                 while(var8.hasNext()) {
  59.                     String authority = (String)var8.next();
  60.                     authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
  61.                 }  //遍历用户scope,添加前缀为SCOPE_的权限
  62.  
  63.                 return new DefaultOAuth2User(authorities, userAttributes, userNameAttributeName);
  64.             }
  65.         }
  66.     }
  67.  
  68.     public final void setRequestEntityConverter(Converter<OAuth2UserRequest, RequestEntity<?>> requestEntityConverter) {
  69.         Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null");
  70.         this.requestEntityConverter = requestEntityConverter;
  71.     }
  72.  
  73.     public final void setRestOperations(RestOperations restOperations) {
  74.         Assert.notNull(restOperations, "restOperations cannot be null");
  75.         this.restOperations = restOperations;
  76.     }
  77. }

 

OAuth2UserAuthority:用户权限类

  1. public class OAuth2UserAuthority implements GrantedAuthority {
  2.     private static final long serialVersionUID = 520L;
  3.     private final String authority;
  4.     private final Map<String, Object> attributes;
  5.  
  6.     public OAuth2UserAuthority(Map<String, Object> attributes) {
  7.         this("ROLE_USER", attributes);
  8.     }  //authority的值默认为ROLE_USER
  9.  
  10.     public OAuth2UserAuthority(String authority, Map<String, Object> attributes) {
  11.         Assert.hasText(authority, "authority cannot be empty");
  12.         Assert.notEmpty(attributes, "attributes cannot be empty");
  13.         this.authority = authority;
  14.         this.attributes = Collections.unmodifiableMap(new LinkedHashMap(attributes));
  15.     }
  16.  
  17.     public String getAuthority() {
  18.     public Map<String, Object> getAttributes() {
  19.  
  20.     public boolean equals(Object obj) {
  21.     public int hashCode() {
  22.  
  23.     public String toString() {
  24.         return this.getAuthority();
  25.     }
  26. }

 

*********************

自定义用户权限

 

GrantedAuthoritiesMapper:自定义权限类接口

  1. public interface GrantedAuthoritiesMapper {
  2.     Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> var1);
  3. }

 

 

*****************************

示例

 

*********************

controller 层

 

HelloController

  1. @RestController
  2. public class HelloController {
  3.  
  4.     @RequestMapping("/hello")
  5.     public String hello(Principal principal){
  6.         System.out.println(principal.toString());
  7.  
  8.         return "hello "+principal.getName();
  9.     }
  10.  
  11.     @RequestMapping("/")
  12.     public String redirect(){
  13.         return "redirect";
  14.     }
  15. }

 

*********************

默认权限

 

WebSecurityConfig

  1. @Configuration
  2. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  3.  
  4.     @Resource
  5.     private UserService userService;
  6.  
  7.     @Bean
  8.     public PasswordEncoder initPasswordEncoder(){
  9.         return new BCryptPasswordEncoder();
  10.     }
  11.  
  12.     @Override
  13.     protected void configure(HttpSecurity http) throws Exception {
  14.         http.formLogin().loginPage("/login/github").loginProcessingUrl("/login/form")
  15.                 .and()
  16.                 .authorizeRequests()
  17.                 .antMatchers("/hello").hasAnyAuthority("ROLE_USER")
  18.                 .antMatchers("/**").permitAll()
  19.                 .and()
  20.                 .logout().deleteCookies("JSESSIONID")
  21.                 .logoutSuccessUrl("/").permitAll();
  22.  
  23.         http.oauth2Login().loginPage("/login/github");
  24.     }
  25.  
  26.     @Override
  27.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  28.         auth.userDetailsService(userService).passwordEncoder(initPasswordEncoder());
  29.     }
  30.  
  31. }

 

通过权限认证后控制台输出

  1. org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@c8e5585: 
  2. Principal: Name: [41827785], Granted Authorities: [[ROLE_USER, SCOPE_read:user]], User Attributes: [{login=lihu12344, id=41827785, node_id=MDQ6VXNlcjQxODI3Nzg1, avatar_url=https://avatars3.githubusercontent.com/u/41827785?v=4, gravatar_id=, url=https://api.github.com/users/lihu12344, html_url=https://github.com/lihu12344, followers_url=https://api.github.com/users/lihu12344/followers, following_url=https://api.github.com/users/lihu12344/following{/other_user}, gists_url=https://api.github.com/users/lihu12344/gists{/gist_id}, starred_url=https://api.github.com/users/lihu12344/starred{/owner}{/repo}, subscriptions_url=https://api.github.com/users/lihu12344/subscriptions, organizations_url=https://api.github.com/users/lihu12344/orgs, repos_url=https://api.github.com/users/lihu12344/repos, events_url=https://api.github.com/users/lihu12344/events{/privacy}, received_events_url=https://api.github.com/users/lihu12344/received_events, type=User, site_admin=false, name=null, company=null, blog=, location=null, email=null, hireable=null, bio=null, public_repos=83, public_gists=0, followers=0, following=0, created_at=2018-07-28T11:56:10Z, updated_at=2020-05-15T00:53:27Z, private_gists=0, total_private_repos=0, owned_private_repos=0, disk_usage=4269, collaborators=0, two_factor_authentication=false, plan={name=free, space=976562499, collaborators=0, private_repos=10000}}]; 
  3. Credentials: [PROTECTED];
  4. Authenticated: true; 
  5. Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; 
  6. SessionId: D4C6C91511D3A2717BC5EE8CBB539BFB; 
  7. Granted Authorities: ROLE_USER, SCOPE_read:user

 

 

*********************

自定义OAuth2User权限

 

GithubOAuth2User

  1. public class GithubOAuth2User implements OAuth2User {
  2.  
  3.     private String id;
  4.     private String login;
  5.     private String email;
  6.  
  7.     private List<GrantedAuthority> authorities= AuthorityUtils.createAuthorityList("ROLE_USER");
  8.     private Map<String,Object> attributes;
  9.  
  10.     @Override
  11.     public List<GrantedAuthority> getAuthorities() {
  12.         return authorities;
  13.     }
  14.  
  15.     @Override
  16.     public Map<String, Object> getAttributes() {
  17.         if (attributes==null){
  18.             attributes=new HashMap<>();
  19.  
  20.             attributes.put("id",this.getId());
  21.             attributes.put("name",this.getName());
  22.             attributes.put("login",this.getLogin());
  23.             attributes.put("email",this.getEmail());
  24.         }
  25.  
  26.         return attributes;
  27.     }
  28.  
  29.     public String getId() {
  30.     public void setId(String id) {
  31.  
  32.     @Override
  33.     public String getName() {
  34.         return this.id;
  35.     }
  36.  
  37.     public String getLogin() {
  38.     public void setLogin(String login) {
  39.  
  40.     public String getEmail() {
  41.     public void setEmail(String email) {
  42.  
  43.     @Override
  44.     public boolean equals(Object o) {
  45.  
  46.     @Override
  47.     public int hashCode() {
  48.  
  49.     @Override
  50.     public String toString() {

 

WebSecurityConfig

  1. @Configuration
  2. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  3.  
  4.     @Resource
  5.     private UserService userService;
  6.  
  7.     @Bean
  8.     public PasswordEncoder initPasswordEncoder(){
  9.         return new BCryptPasswordEncoder();
  10.     }
  11.  
  12.     @Override
  13.     protected void configure(HttpSecurity http) throws Exception {
  14.         http.formLogin().loginPage("/login/github").loginProcessingUrl("/login/form")
  15.                 .and()
  16.                 .authorizeRequests()
  17.                 .antMatchers("/hello").hasAnyAuthority("ROLE_USER")
  18.                 .antMatchers("/**").permitAll()
  19.                 .and()
  20.                 .logout().deleteCookies("JSESSIONID")
  21.                 .logoutSuccessUrl("/").permitAll();
  22.  
  23.         http.oauth2Login().loginPage("/login/github")
  24.                 .userInfoEndpoint().customUserType(GithubOAuth2User.class,"github");
  25.     }
  26.  
  27.     @Override
  28.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  29.         auth.userDetailsService(userService).passwordEncoder(initPasswordEncoder());
  30.     }
  31.  
  32. }

 

通过认证后控制台输出

  1. org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@e402384d: 
  2. Principal: GithubOAuth2User{id='41827785', login='lihu12344', email='null', authorities=[ROLE_USER], attributes={name=41827785, id=41827785, login=lihu12344, email=null}}; 
  3. Credentials: [PROTECTED]; 
  4. Authenticated: true; 
  5. Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; 
  6. SessionId: 6C7A7C9AD0275652B4B8286F7BCEE53F; 
  7. Granted Authorities: ROLE_USER

说明:默认权限为自定义的用户权限ROLE_USER

 

 

*********************

自定义权限

 

WebSecurityConfig

  1. @Configuration
  2. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  3.  
  4.     @Resource
  5.     private UserService userService;
  6.  
  7.     @Bean
  8.     public PasswordEncoder initPasswordEncoder(){
  9.         return new BCryptPasswordEncoder();
  10.     }
  11.  
  12.     @Override
  13.     protected void configure(HttpSecurity http) throws Exception {
  14.         http.formLogin().loginPage("/login/github").loginProcessingUrl("/login/form")
  15.                 .and()
  16.                 .authorizeRequests()
  17.                 .antMatchers("/hello").hasAnyAuthority("ROLE_USER")
  18.                 .antMatchers("/**").permitAll()
  19.                 .and()
  20.                 .logout().deleteCookies("JSESSIONID")
  21.                 .logoutSuccessUrl("/").permitAll();
  22.  
  23.         http.oauth2Login().loginPage("/login/github")
  24.                 .userInfoEndpoint().customUserType(GithubOAuth2User.class,"github");
  25.     }
  26.  
  27.     @Override
  28.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  29.         auth.userDetailsService(userService).passwordEncoder(initPasswordEncoder());
  30.     }
  31.  
  32.     @Bean
  33.     public GrantedAuthoritiesMapper initGrantedAuthoritiesMapper(){
  34.         return collection -> {
  35.             Set<GrantedAuthority> authorities=new HashSet<>();
  36.  
  37.             authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
  38.             authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
  39.  
  40.             return authorities;
  41.         };
  42.     }
  43. }

 

通过认证后控制台输出

  1. org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@5b5d3dfb: 
  2. Principal: GithubOAuth2User{id='41827785', login='lihu12344', email='null', authorities=[ROLE_USER], attributes={name=41827785, id=41827785, login=lihu12344, email=null}}; 
  3. Credentials: [PROTECTED]; 
  4. Authenticated: true; 
  5. Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; 
  6. SessionId: 8CF27F8FB80EBC68844C00764E0ECD4E; 
  7. Granted Authorities: ROLE_USER, ROLE_ADMIN

说明:使用自定义的权限ROLE_USER、ROLE_ADMIN

 

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/正经夜光杯/article/detail/765904
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号