
Security 获取权限数据配置、设置权限前缀、手动检查 Token

  • Security 会查找 JwtAuthenticationConverter Bean
  • 如果项目中没有 JwtAuthenticationConverter Bean,则使用默认配置,即:new JwtAuthenticationConverter()
  • 如果项目中存在多个 JwtAuthenticationConverter Bean,则程序启动会报错
  • 如果项目中不可避免地出现了多个 JwtAuthenticationConverter Bean,请查看:项目中存在多个 JwtAuthenticationConverter Bean 时的处理
java
package cloud.xuxiaowei.oauth2.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

/**
 * Maps the authorities carried in a JWT to Spring Security granted authorities.
 * <p>
 * The converter reads the {@code "authorities"} claim and registers its values with no
 * prefix. Because the prefix is empty, the claim values are used verbatim: whatever the
 * token issuer places in that claim is exactly what the application's authority checks
 * will match, so this relies on the issuer being trusted.
 *
 * @author xuxiaowei
 * @since 0.0.1
 */
@Configuration
public class JwtAuthenticationConverterConfig {

    /**
     * Builds the converter that decides which JWT claim supplies the authorities
     * and which prefix (here: none) is prepended to each value.
     *
     * @return the configured {@link JwtAuthenticationConverter}
     */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authoritiesConverter = buildAuthoritiesConverter();

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
        return converter;
    }

    /**
     * Creates the claim-to-authority converter: claim name {@code "authorities"}, empty prefix.
     * <p>
     * Without an explicit claim name the library falls back to the {@code scope} / {@code scp}
     * claims, and its default prefix is {@code SCOPE_}; both defaults are overridden here.
     *
     * @return a {@link JwtGrantedAuthoritiesConverter} with the claim name and prefix set
     */
    private static JwtGrantedAuthoritiesConverter buildAuthoritiesConverter() {
        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        authoritiesConverter.setAuthoritiesClaimName("authorities");
        authoritiesConverter.setAuthorityPrefix("");
        return authoritiesConverter;
    }

}
java
package cloud.xuxiaowei.oauth2.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

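/**
 * Maps the authorities carried in a JWT to Spring Security granted authorities, with a
 * hook for a per-token check before the mapping happens.
 * <p>
 * The converter reads the {@code "authorities"} claim and registers its values with no
 * prefix. Because the prefix is empty, the claim values are used verbatim: whatever the
 * token issuer places in that claim is exactly what the application's authority checks
 * will match, so this relies on the issuer being trusted.
 *
 * @author xuxiaowei
 * @since 0.0.1
 */
@Configuration
public class JwtAuthenticationConverterConfig {

    /**
     * Builds the converter that decides which JWT claim supplies the authorities and
     * which prefix (here: none) is prepended to each value.
     * <p>
     * The claim-to-authority converter is wrapped in a lambda so that a token-level check
     * (for example, whether this JWT's authorities have been revoked) can run before the
     * claim is mapped. The wrapper delegates to the converter configured in this method;
     * delegating to a freshly constructed {@link JwtGrantedAuthoritiesConverter} instead
     * would silently fall back to the {@code scope} / {@code scp} claims and the
     * {@code SCOPE_} prefix, discarding the settings made here.
     *
     * @return the configured {@link JwtAuthenticationConverter}
     */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();

        // Claim that supplies the authorities; left unset, the library reads scope / scp.
        grantedAuthoritiesConverter.setAuthoritiesClaimName("authorities");

        // No prefix (the library default is SCOPE_).
        grantedAuthoritiesConverter.setAuthorityPrefix("");

        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();

        // Registered exactly once: the wrapper is the converter actually used, so it must
        // delegate to the configured instance above rather than to a new default one.
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwt -> {

            // A check on whether this JWT's authorities have been revoked can go here.

            return grantedAuthoritiesConverter.convert(jwt);
        });

        return jwtAuthenticationConverter;
    }

}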

项目中存在多个 JwtAuthenticationConverter Bean 时的处理

  • 用于强制指定使用哪个 JwtAuthenticationConverter Bean
  • 如果项目中只有一个 JwtAuthenticationConverter Bean,则不需要设置下列配置
  • 也可不使用 Bean 的形式,下方配置的时候,创建一个对象进行设置
java
package cloud.xuxiaowei.oauth2.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Resource-server filter chain that pins which {@link JwtAuthenticationConverter} is used
 * when more than one such bean exists in the context.
 * <p>
 * NOTE(review): as written this chain configures only JWT bearer-token authentication and
 * no request authorization rules; endpoint authorization is presumably applied elsewhere
 * (for example via method security) — confirm before relying on this chain alone.
 * NOTE(review): {@code http.oauth2ResourceServer()} without an argument is the older DSL
 * form; the lambda form is shown in the second listing on this page.
 *
 * @author xuxiaowei
 * @since 0.0.1
 */
@Configuration
public class ResourceServerConfig {

	private JwtAuthenticationConverter jwtAuthenticationConverter;

	/**
	 * Setter injection with an explicit qualifier, so the bean chosen among several
	 * candidates is unambiguous.
	 *
	 * @param jwtAuthenticationConverter the converter bean selected by name
	 */
	@Autowired
	public void setJwtAuthenticationConverter(@Qualifier("你使用的 Bean 的名称") JwtAuthenticationConverter jwtAuthenticationConverter) {
		this.jwtAuthenticationConverter = jwtAuthenticationConverter;
	}

	/**
	 * Registers JWT bearer-token authentication using the injected converter.
	 *
	 * @param http the security builder supplied by Spring
	 * @return the built filter chain
	 * @throws Exception if the builder fails
	 */
	@Bean
	public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
		JwtAuthenticationConverter converter = this.jwtAuthenticationConverter;

		http.oauth2ResourceServer()
				.jwt(jwt -> jwt.jwtAuthenticationConverter(converter));

		return http.build();
	}

}
java
package cloud.xuxiaowei.oauth2.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Resource-server filter chain that pins which {@link JwtAuthenticationConverter} is used
 * when more than one such bean exists in the context (lambda-DSL form).
 * <p>
 * NOTE(review): as written this chain configures only JWT bearer-token authentication and
 * no request authorization rules; endpoint authorization is presumably applied elsewhere
 * (for example via method security) — confirm before relying on this chain alone.
 *
 * @author xuxiaowei
 * @since 0.0.1
 */
@Configuration
public class ResourceServerConfig {

	private JwtAuthenticationConverter jwtAuthenticationConverter;

	/**
	 * Setter injection with an explicit qualifier, so the bean chosen among several
	 * candidates is unambiguous.
	 *
	 * @param jwtAuthenticationConverter the converter bean selected by name
	 */
	@Autowired
	public void setJwtAuthenticationConverter(@Qualifier("你使用的 Bean 的名称") JwtAuthenticationConverter jwtAuthenticationConverter) {
		this.jwtAuthenticationConverter = jwtAuthenticationConverter;
	}

	/**
	 * Registers JWT bearer-token authentication using the injected converter.
	 *
	 * @param http the security builder supplied by Spring
	 * @return the built filter chain
	 * @throws Exception if the builder fails
	 */
	@Bean
	public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
		JwtAuthenticationConverter converter = this.jwtAuthenticationConverter;

		http.oauth2ResourceServer(resourceServer ->
				resourceServer.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));

		return http.build();
	}

}