4

我正在使用基于 Spring 的“后端”和 Android“前端”来试验 gRPC,其想法是我将使用 HTTP 上的密码授予类型请求访问令牌(使用标准 /oauth/token RESTful 端点)并使用通过 RPC 的所有后续请求中提供的访问令牌(设置授权标头)。

我的 spring '后端' 上有一个 gRPC 服务器拦截器,它将从服务器调用中获取授权标头并针对令牌存储验证访问令牌。

我不知道下一步该做什么,或者即使到目前为止我所拥有的是“正确”的方法。

这是我的拦截器:

@Component
public class GrpcRequestInterceptor implements ServerInterceptor {
private AuthenticationManager authenticationManager;

public GrpcRequestInterceptor(AuthenticationManager authenticationManager, AuthorizationCodeServices authorizationCodeServices) {
        this.authenticationManager = authenticationManager;
}

@Override
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        String authorizationHeader = metadata.get(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));

        PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken =
                new PreAuthenticatedAuthenticationToken(authorizationHeader.substring("Bearer ".length()), "");

        PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider = new PreAuthenticatedAuthenticationProvider();
        preAuthenticatedAuthenticationProvider.setPreAuthenticatedUserDetailsService(new AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>() {
            @Override
            public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken) throws UsernameNotFoundException {
                ????
            }
        });
        Authentication authentication = preAuthenticatedAuthenticationProvider.authenticate(preAuthenticatedAuthenticationToken);

        SecurityContextHolder.getContext().setAuthentication(authentication);

        return serverCallHandler.startCall(serverCall, metadata);
    }
}

如何获取令牌服务以及如何仅使用我自己提供的访问令牌针对该服务对我的用户进行身份验证。

我的安全配置如下:

@Configuration
@EnableAuthorizationServer
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private AccountDetailsService accountDetailsService;

    @Profile(value = "development")
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/h2-console/**");
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(accountDetailsService)
                .passwordEncoder(initPasswordEncoder());
    }

    @Bean
    public PasswordEncoder initPasswordEncoder() {
        return new BCryptPasswordEncoder(10);
    }
}

我应该在这里手动设置令牌服务,然后将其注入我的拦截器还是???完成这项工作的“最灵活”的方法是什么?

任何帮助是极大的赞赏!

4

4 回答 4

2

最好连接 ResourceServerTokenServices 而不是 TokenStore。ResourceServerTokenServices 将对访问令牌执行 TokenStore 不做的额外检查,例如确保令牌没有过期。

@Autowired
private ResourceServerTokenServices tokenServices;

...

OAuth2Authentication authentication = tokenServices.loadAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
于 2017-08-26T03:21:46.430 回答
1

我最终做了什么,我偏离了方向!

@Component
public class GrpcRequestInterceptor implements ServerInterceptor {
    @Autowired
    private TokenStore tokenStore;

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        boolean isAuthenticated = isAuthenticated(
            metadata.get(
                    Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER)
            ).substring("Bearer ".length())
        );

        if (isAuthenticated) {
            return serverCallHandler.startCall(serverCall, metadata);
        }

        throw new UnauthorizedClientException("Unauthorised client connection.");
    }

    private boolean isAuthenticated(String bearerToken) {
        OAuth2Authentication authentication = tokenStore.readAuthentication(bearerToken);
        if (authentication == null) {
            return false;
        }

        SecurityContextHolder.getContext().setAuthentication(authentication);

        return true;
    } 
}
于 2017-02-25T07:46:13.923 回答
1

您可能有一个 org.springframework.security.oauth2.provider.token.TokenStore bean,您可以注入它来获取身份验证。然后你可以做一些事情

@Autowired
private TokenStore tokenstore;

...

Authentication authentication = this.tokenstore.readAuthentication(authorizationHeader.substring("Bearer ".length())).getUserAuthentication();

(添加必要的空检查)。

于 2017-02-23T10:28:01.783 回答
0

而不是SecurityContextHolder,您应该使用 gRPCContext来传播安全凭证。

@Autowired
private ResourceServerTokenServices tokenServices;

private Context.Key<OAuth2Authentication> AUTH_KEY = Context.key("authentication");

...

OAuth2Authentication authentication = tokenServices.loadAuthentication(token);
Context ctx = Context.current().withValue(AUTH_KEY, authentication);
return Contexts.interceptCall(ctx, serverCall, metadata, serverCallHandler);
于 2020-05-08T09:35:39.847 回答