目前我正在尝试将 Spring-Security-Oauth2、Zuul、OpenAM 集成为 OAuth2 授权服务器,并将 WCF REST API 集成为资源服务器。最终设置应如下所示:
我阅读了教程,其中解释了如何使用 spring 和 AngularJS 设置 SSO 环境(使用 spring 和 angularJS 的 sso),但是在我的情况下,我想使用 OpenAM 和密码授予流程来验证用户。所以在 Spring Boot 应用程序中,我当前的配置如下所示:
@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Client
public class ApolloUIProxyApplication {
public static void main(String[] args) {
SpringApplication.run(ApolloUIProxyApplication.class, args);
}
@Configuration
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.logout().and().antMatcher("/**").authorizeRequests()
.antMatchers("/index.html", "/home.html", "/", "/login").permitAll()
.anyRequest().authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterAfter(authenticationProcessingFilter(), CsrfFilter.class);
}
@Bean
public ZuulFilter tokenRelayFilter(){
JwtTokenRelayFilter filter = new JwtTokenRelayFilter();
filter.setRestTemplate(restTemplate());
return new JwtTokenRelayFilter();
}
@Bean
public ZuulFilter customTokenFilter(){
return new CustomZuulFilter();
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter(){
return new JwtAccessTokenConverter();
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
private OAuth2ClientAuthenticationProcessingFilter authenticationProcessingFilter(){
OAuth2ClientAuthenticationProcessingFilter processingFilter = new OAuth2ClientAuthenticationProcessingFilter("/login");
processingFilter.setRestTemplate(restTemplate());
processingFilter.setTokenServices(resourceServerTokenServices());
return processingFilter;
}
@Bean
public ResourceServerTokenServices resourceServerTokenServices(){
OpenAMRemoteTokenService remoteTokenServices = new OpenAMRemoteTokenService();
remoteTokenServices.setRestTemplate(restTemplate());
remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
remoteTokenServices.setClientId("...");
remoteTokenServices.setClientSecret("...");
remoteTokenServices.setCheckTokenEndpointUrl("http://...");
return remoteTokenServices;
}
@Bean
public OAuth2RestTemplate restTemplate(){
OAuth2RestTemplate template = new OAuth2RestTemplate(resourceDetails(), clientContext());
return template;
}
@Bean
public AccessTokenProvider accessTokenProvider(){
ResourceOwnerPasswordAccessTokenProvider provider = new ResourceOwnerPasswordAccessTokenProvider();
return provider;
}
@Bean
public OAuth2ClientContext clientContext(){
return new OpenAMClientContext();
}
@Bean
public OAuth2ProtectedResourceDetails resourceDetails(){
ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
details.setGrantType("password");
details.setAccessTokenUri("http://...");
details.setScope(Arrays.asList("openid");
details.setClientId("...");
details.setClientSecret("...");
return details;
}
@Bean
public AccessTokenConverter accessTokenConverter(){
DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
tokenConverter.setUserTokenConverter(userAuthenticationConverter());
return tokenConverter;
}
@Bean
public UserAuthenticationConverter userAuthenticationConverter(){
return new OpenAMUserAuthenticationConverter();
}
}
}
我编写了一个自定义 RemoteTokenService,否则 Spring 无法访问 OpenAM 的 tokeninfo 端点,这需要 GET 请求而不是 Post。此连接现在可以正常工作,因此我可以从 OpenAM 获得有效的访问令牌,并且还可以在 tokeninfo.endpoint 中查询令牌/用户信息。Authentication 对象被创建并存储在 Spring 的安全上下文中。我还可以访问 ZuulFilter 中的身份验证对象。
我现在的问题是,我不得不调整“OAuth2ClientContext”以从 servletRequest 中获取用户凭据并将其放在“AccessTokenRequest”上。否则我将不得不在 ResourceDetails 中对它们进行硬编码,这在我的情况下是不合适的。
结果是,ClientContext(我猜也是 AccessTokenRequest)在系统的所有用户之间共享。我想要的是一个会话范围的客户端上下文,这样我就可以让多个用户登录,并且可以在每个请求上为每个用户访问正确的 SecurityContext。
所以我的问题是,
1)如何使 ClientContext 和 AccessTokenRequest 会话范围?
2) 我需要使用 Spring Session 模块吗?
3) 我需要设置 sessionStrategy
谢谢!