Spring Boot 애플리케이션에서 베어러 인증을 활성화하는 방법은?
제가 이루고자 하는 것은 다음과 같습니다.
- jdbc를 통해 액세스되는 데이터베이스(즉, MySQL)에 저장된 사용자, 권한, 클라이언트 및 액세스 토큰
- API는 엔드포인트를 노출하여 "OAuth2 베어러 토큰을 가질 수 있습니까?"라고 묻습니다.나는 고객 아이디와 비밀을 알고 있습니다"
- 요청 헤더에 베어러 토큰을 제공하는 경우 API를 통해 MVC 엔드포인트에 액세스할 수 있습니다.
나는 이것을 꽤 멀리 해냈어요. 처음 두 가지 점이 효과가 있어요.
표준 테이블 이름이 데이터베이스에서 이미 사용 중이기 때문에 Spring Boot 응용 프로그램에 완전히 기본 OAuth2 설정을 사용할 수 없었습니다(예를 들어 "users" 테이블이 이미 있습니다).
JdbcTokenStore, JdbcClientDetailsService 및 JdbcAuthorizationCodeServices의 인스턴스를 수동으로 구성하고 데이터베이스에서 사용자 정의 테이블 이름을 사용하도록 구성한 다음 이러한 인스턴스를 사용하도록 응용 프로그램을 설정했습니다.
자, 지금까지 제가 가진 것은 이렇습니다.베어러 토큰을 요청할 수 있습니다.
# The `-u` switch provides the client ID & secret over HTTP Basic Auth
curl -u8fc9d384-619a-11e7-9fe6-246798c61721:9397ce6c-619a-11e7-9fe6-246798c61721 \
'http://localhost:8080/oauth/token' \
-d grant_type=password \
-d username=bob \
-d password=tom
답장이 왔어요; 좋아요!
{"access_token":"1ee9b381-e71a-4e2f-8782-54ab1ce4d140","token_type":"bearer","refresh_token":"8db897c7-03c6-4fc3-bf13-8b0296b41776","expires_in":26321,"scope":"read write"}
이제 저는 그 토큰을 사용하려고 합니다.
curl 'http://localhost:8080/test' \
-H "Authorization: Bearer 1ee9b381-e71a-4e2f-8782-54ab1ce4d140"
아아:
{
"timestamp":1499452163373,
"status":401,
"error":"Unauthorized",
"message":"Full authentication is required to access this resource",
"path":"/test"
}
이는 (이 경우에는) 익명 인증으로 되돌아갔음을 의미합니다.제가 추가하면 진짜 오류를 알 수 있습니다..anonymous().disable()httpSecurity:
{
"timestamp":1499452555312,
"status":401,
"error":"Unauthorized",
"message":"An Authentication object was not found in the SecurityContext",
"path":"/test"
}
저는 이 문제를 좀 더 깊이 조사했습니다. 로깅에 대한 자세한 설명은 다음과 같습니다.
logging.level:
org.springframework:
security: DEBUG
여기에는 내 요청이 이동하는 10개의 필터가 표시됩니다.
o.s.security.web.FilterChainProxy : /test at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : /test at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy : /test at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy : /test at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.security.web.FilterChainProxy : /test at position 5 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
o.s.security.web.FilterChainProxy : /test at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.security.web.FilterChainProxy : /test at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.security.web.FilterChainProxy : /test at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
o.s.security.web.FilterChainProxy : /test at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.security.web.FilterChainProxy : /test at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /test; Attributes: [authenticated]
o.s.s.w.a.ExceptionTranslationFilter : Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) ~[spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
Anonymous 사용자가 비활성화되어 있으면 이와 같습니다.활성화된 경우:AnonymousAuthenticationFilter다음에 필터 체인에 추가됩니다.SecurityContextHolderAwareRequestFilter, 그리고 순서는 다음과 같이 끝납니다.
o.s.security.web.FilterChainProxy : /test at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /test; Attributes: [authenticated]
o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5ff24abf, returned: -1
o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
어느 쪽이든: 소용없습니다.
본질적으로 이것은 우리가 필터 체인의 어떤 단계를 놓치고 있다는 것을 나타냅니다.서블릿 요청의 헤더를 읽고 보안 컨텍스트의 인증을 채우는 필터가 필요합니다.
SecurityContextHolder.getContext().setAuthentication(request: HttpServletRequest);
저는 어떻게 그런 필터를 얻을 수 있는지 궁금합니다.
이것이 제 어플의 모습입니다.코틀린입니다만 자바의 눈에 이해가 되기를 바랍니다.
Application.kt:
@SpringBootApplication(scanBasePackageClasses=arrayOf(
com.example.domain.Package::class,
com.example.service.Package::class,
com.example.web.Package::class
))
class MyApplication
fun main(args: Array<String>) {
SpringApplication.run(MyApplication::class.java, *args)
}
테스트 컨트롤러:
@RestController
class TestController {
@RequestMapping("/test")
fun Test(): String {
return "hey there"
}
}
My WebSecurityConfigurerAdapter:
@Configuration
@EnableWebSecurity
/**
* Based on:
* https://stackoverflow.com/questions/25383286/spring-security-custom-userdetailsservice-and-custom-user-class
*
* Password encoder:
* http://www.baeldung.com/spring-security-authentication-with-a-database
*/
class MyWebSecurityConfigurerAdapter(
val userDetailsService: MyUserDetailsService
) : WebSecurityConfigurerAdapter() {
private val passwordEncoder = BCryptPasswordEncoder()
override fun userDetailsService() : UserDetailsService {
return userDetailsService
}
override fun configure(auth: AuthenticationManagerBuilder) {
auth
.authenticationProvider(authenticationProvider())
}
@Bean
fun authenticationProvider() : AuthenticationProvider {
val authProvider = DaoAuthenticationProvider()
authProvider.setUserDetailsService(userDetailsService())
authProvider.setPasswordEncoder(passwordEncoder)
return authProvider
}
override fun configure(http: HttpSecurity?) {
http!!
.anonymous().disable()
.authenticationProvider(authenticationProvider())
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.csrf().disable()
}
}
My Authorization ServerConfigurerAdapter:
/**
* Based on:
* https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/jdbc/src/main/java/demo/Application.java#L68
*/
@Configuration
@EnableAuthorizationServer
class MyAuthorizationServerConfigurerAdapter(
val auth : AuthenticationManager,
val dataSource: DataSource,
val userDetailsService: UserDetailsService
) : AuthorizationServerConfigurerAdapter() {
private val passwordEncoder = BCryptPasswordEncoder()
@Bean
fun tokenStore(): JdbcTokenStore {
val tokenStore = JdbcTokenStore(dataSource)
val oauthAccessTokenTable = "auth_schema.oauth_access_token"
val oauthRefreshTokenTable = "auth_schema.oauth_refresh_token"
tokenStore.setDeleteAccessTokenFromRefreshTokenSql("delete from ${oauthAccessTokenTable} where refresh_token = ?")
tokenStore.setDeleteAccessTokenSql("delete from ${oauthAccessTokenTable} where token_id = ?")
tokenStore.setDeleteRefreshTokenSql("delete from ${oauthRefreshTokenTable} where token_id = ?")
tokenStore.setInsertAccessTokenSql("insert into ${oauthAccessTokenTable} (token_id, token, authentication_id, " +
"user_name, client_id, authentication, refresh_token) values (?, ?, ?, ?, ?, ?, ?)")
tokenStore.setInsertRefreshTokenSql("insert into ${oauthRefreshTokenTable} (token_id, token, authentication) values (?, ?, ?)")
tokenStore.setSelectAccessTokenAuthenticationSql("select token_id, authentication from ${oauthAccessTokenTable} where token_id = ?")
tokenStore.setSelectAccessTokenFromAuthenticationSql("select token_id, token from ${oauthAccessTokenTable} where authentication_id = ?")
tokenStore.setSelectAccessTokenSql("select token_id, token from ${oauthAccessTokenTable} where token_id = ?")
tokenStore.setSelectAccessTokensFromClientIdSql("select token_id, token from ${oauthAccessTokenTable} where client_id = ?")
tokenStore.setSelectAccessTokensFromUserNameAndClientIdSql("select token_id, token from ${oauthAccessTokenTable} where user_name = ? and client_id = ?")
tokenStore.setSelectAccessTokensFromUserNameSql("select token_id, token from ${oauthAccessTokenTable} where user_name = ?")
tokenStore.setSelectRefreshTokenAuthenticationSql("select token_id, authentication from ${oauthRefreshTokenTable} where token_id = ?")
tokenStore.setSelectRefreshTokenSql("select token_id, token from ${oauthRefreshTokenTable} where token_id = ?")
return tokenStore
}
override fun configure(security: AuthorizationServerSecurityConfigurer?) {
security!!.passwordEncoder(passwordEncoder)
}
override fun configure(clients: ClientDetailsServiceConfigurer?) {
val clientDetailsService = JdbcClientDetailsService(dataSource)
clientDetailsService.setPasswordEncoder(passwordEncoder)
val clientDetailsTable = "auth_schema.oauth_client_details"
val CLIENT_FIELDS_FOR_UPDATE = "resource_ids, scope, " +
"authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, " +
"refresh_token_validity, additional_information, autoapprove"
val CLIENT_FIELDS = "client_secret, ${CLIENT_FIELDS_FOR_UPDATE}"
val BASE_FIND_STATEMENT = "select client_id, ${CLIENT_FIELDS} from ${clientDetailsTable}"
clientDetailsService.setFindClientDetailsSql("${BASE_FIND_STATEMENT} order by client_id")
clientDetailsService.setDeleteClientDetailsSql("delete from ${clientDetailsTable} where client_id = ?")
clientDetailsService.setInsertClientDetailsSql("insert into ${clientDetailsTable} (${CLIENT_FIELDS}," +
" client_id) values (?,?,?,?,?,?,?,?,?,?,?)")
clientDetailsService.setSelectClientDetailsSql("${BASE_FIND_STATEMENT} where client_id = ?")
clientDetailsService.setUpdateClientDetailsSql("update ${clientDetailsTable} set " +
"${CLIENT_FIELDS_FOR_UPDATE.replace(", ", "=?, ")}=? where client_id = ?")
clientDetailsService.setUpdateClientSecretSql("update ${clientDetailsTable} set client_secret = ? where client_id = ?")
clients!!.withClientDetails(clientDetailsService)
}
override fun configure(endpoints: AuthorizationServerEndpointsConfigurer?) {
endpoints!!
.authorizationCodeServices(authorizationCodeServices())
.authenticationManager(auth)
.tokenStore(tokenStore())
.approvalStoreDisabled()
.userDetailsService(userDetailsService)
}
@Bean
protected fun authorizationCodeServices() : AuthorizationCodeServices {
val codeServices = JdbcAuthorizationCodeServices(dataSource)
val oauthCodeTable = "auth_schema.oauth_code"
codeServices.setSelectAuthenticationSql("select code, authentication from ${oauthCodeTable} where code = ?")
codeServices.setInsertAuthenticationSql("insert into ${oauthCodeTable} (code, authentication) values (?, ?)")
codeServices.setDeleteAuthenticationSql("delete from ${oauthCodeTable} where code = ?")
return codeServices
}
}
My Authorization ServerConfigurerAdapter:
@Service
class MyUserDetailsService(
val theDataSource: DataSource
) : JdbcUserDetailsManager() {
@PostConstruct
fun init() {
dataSource = theDataSource
val usersTable = "auth_schema.users"
val authoritiesTable = "auth_schema.authorities"
setChangePasswordSql("update ${usersTable} set password = ? where username = ?")
setCreateAuthoritySql("insert into ${authoritiesTable} (username, authority) values (?,?)")
setCreateUserSql("insert into ${usersTable} (username, password, enabled) values (?,?,?)")
setDeleteUserAuthoritiesSql("delete from ${authoritiesTable} where username = ?")
setDeleteUserSql("delete from ${usersTable} where username = ?")
setUpdateUserSql("update ${usersTable} set password = ?, enabled = ? where username = ?")
setUserExistsSql("select username from ${usersTable} where username = ?")
setAuthoritiesByUsernameQuery("select username,authority from ${authoritiesTable} where username = ?")
setUsersByUsernameQuery("select username,password,enabled from ${usersTable} " + "where username = ?")
}
}
무슨 생각 있어요?필터 체인에 어떻게든 을 설치해야 하는 것은 아닐까요?
스타트업을 시작할 때 이런 메시지가 뜨긴 합니다. 문제와 관련된 것일까요?
u.c.c.h.s.auth.MyUserDetailsService : No authentication manager set. Reauthentication of users when changing passwords will not be performed.
s.c.a.w.c.WebSecurityConfigurerAdapter$3 : No authenticationProviders and no parentAuthenticationManager defined. Returning null.
편집:
한 것처럼 .OAuth2AuthenticationProcessingFilter입니다.ResourceServerConfigurerAdapter 다음 클래스를 추가했습니다.
MyResourceServerConfigurerAdapter:
@Configuration
@EnableResourceServer
class MyResourceServerConfigurerAdapter : ResourceServerConfigurerAdapter()
증을 하는 거예요, ResourceServerSecurityConfigurer그 안에 들어가다configure(http: HttpSecurity)method, 그것은 그것이 설치하려고 시도하는 것처럼 보입니다.OAuth2AuthenticationProcessingFilter필터 체인에 삽입합니다.
하지만 성공한 것 같지는 않습니다.Spring Security의 디버그 출력에 따르면 다음과 같습니다.필터 체인에 여전히 같은 개수의 필터가 있습니다.OAuth2AuthenticationProcessingFilter그 안에 없습니다.무슨 일이야?
EDIT2 : 수업이 두개나 있는게 문제인지 궁금합니다 (WebSecurityConfigurerAdapter,ResourceServerConfigurerAdapter HttpSecurity를 구성하려고 합니다.상호 배타적인 건가요?
네! 문제는 제가 둘다 등록했다는 사실과 관련이 있습니다.WebSecurityConfigurerAdapter 그리고.ResourceServerConfigurerAdapter.
삭제: WebSecurityConfigurerAdapter. 그리고 이것을 사용합니다.ResourceServerConfigurerAdapter:
@Configuration
@EnableResourceServer
class MyResourceServerConfigurerAdapter(
val userDetailsService: MyUserDetailsService
) : ResourceServerConfigurerAdapter() {
private val passwordEncoder = BCryptPasswordEncoder()
override fun configure(http: HttpSecurity?) {
http!!
.authenticationProvider(authenticationProvider())
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.csrf().disable()
}
@Bean
fun authenticationProvider() : AuthenticationProvider {
val authProvider = DaoAuthenticationProvider()
authProvider.setUserDetailsService(userDetailsService)
authProvider.setPasswordEncoder(passwordEncoder)
return authProvider
}
}
EDIT: 베어러 인증을 모든 엔드포인트(예:/metrics)다Spring Actuator)도 .security.oauth2.resource.filter-order: 3나에게application.yml. 이 답을 보세요.
언급URL : https://stackoverflow.com/questions/44977972/how-to-enable-bearer-authentication-on-spring-boot-application
'programing' 카테고리의 다른 글
| 파이썬 데코레이터에게 추가 인수를 전달하려면 어떻게 해야 합니까? (0) | 2023.10.16 |
|---|---|
| malloc()는 연속된 메모리 블록을 할당합니까? (0) | 2023.10.16 |
| 마스터의 GTID가 슬레이브와 다를 경우 어떻게 경고를 받을 수 있습니까? (0) | 2023.10.11 |
| SQL: 전체 이름 필드에서 이름, 중간 및 성을 구문 분석합니다. (0) | 2023.10.11 |
| phphmyadmin을 사용하여 캐스케이드 삭제 및 업데이트 제한에 추가하는 방법은? (0) | 2023.10.11 |