5

Spring Boot SSO + Zuul を使用して単純な API ゲートウェイを作成しようとしています。ヘッダーに基づいて RBAC を実行するために、OAuth スコープを他のバックエンド サービスでさらに使用されるヘッダーに変換する必要があります。

バックエンドに送信する前に基本的にヘッダーを設定するこの CustomOAuth2TokenRelayFilter を使用しています。私の問題は、現在のトークンからスコープを取得する方法です。クラス OAuth2AuthenticationDetails はトークン値を提供しますが、スコープは提供しません。

そこにあるスコープを取得する方法がわかりません。

以下は、主に https://github.com/spring-cloud/spring-cloud-security/blob/master/spring-cloud-security/src/main/java/org/springframework/cloudから取得したカスタム Zuul フィルターです。 /security/oauth2/proxy/OAuth2TokenRelayFilter.java 

    import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Component;

@Component
    public class CustomOAuth2TokenRelayFilter extends ZuulFilter {

        private static Logger LOGGER = LoggerFactory.getLogger(CustomOAuth2TokenRelayFilter.class);

        private static final String ACCESS_TOKEN = "ACCESS_TOKEN";
        private static final String TOKEN_TYPE = "TOKEN_TYPE";

        private OAuth2RestOperations restTemplate;


        public void setRestTemplate(OAuth2RestOperations restTemplate) {
            this.restTemplate = restTemplate;
        }


        @Override
        public int filterOrder() {
            return 1;
        }

        @Override
        public String filterType() {
            return "pre";
        }

        @Override
        public boolean shouldFilter() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();

            if (auth instanceof OAuth2Authentication) {
                Object details = auth.getDetails();
                if (details instanceof OAuth2AuthenticationDetails) {
                    OAuth2AuthenticationDetails oauth = (OAuth2AuthenticationDetails) details;
                    RequestContext ctx = RequestContext.getCurrentContext();

                    LOGGER.debug ("role " + auth.getAuthorities());

                    LOGGER.debug("scope", ctx.get("scope")); // How do I obtain the scope ??


                    ctx.set(ACCESS_TOKEN, oauth.getTokenValue());
                    ctx.set(TOKEN_TYPE, oauth.getTokenType()==null ? "Bearer" : oauth.getTokenType());
                    return true;
                }
            }
            return false;
        }

        @Override
        public Object run() {
            RequestContext ctx = RequestContext.getCurrentContext();
            ctx.addZuulRequestHeader("x-pp-user", ctx.get(TOKEN_TYPE) + " " + getAccessToken(ctx));
            return null;
        }

        private String getAccessToken(RequestContext ctx) {
            String value = (String) ctx.get(ACCESS_TOKEN);
            if (restTemplate != null) {
                // In case it needs to be refreshed
                OAuth2Authentication auth = (OAuth2Authentication) SecurityContextHolder
                        .getContext().getAuthentication();
                if (restTemplate.getResource().getClientId()
                        .equals(auth.getOAuth2Request().getClientId())) {
                    try {
                        value = restTemplate.getAccessToken().getValue();
                    }
                    catch (Exception e) {
                        // Quite possibly a UserRedirectRequiredException, but the caller
                        // probably doesn't know how to handle it, otherwise they wouldn't be
                        // using this filter, so we rethrow as an authentication exception
                        throw new BadCredentialsException("Cannot obtain valid access token");
                    }
                }
            }
            return value;
        }

    }
4

2 に答える 2

13

OAuth2ClientContextをフィルターに挿入し、スコープを取得するために使用できますoAuth2ClientContext.getAccessToken().getScope()

OAuth2ClientContext は、現在のアクセス トークンと保持された状態を含むセッション スコープの Bean です。

したがって、それをあなたの例に適用すると、次のようになります。

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Component;

@Component
public class CustomOAuth2TokenRelayFilter extends ZuulFilter {

    private static Logger LOGGER = LoggerFactory.getLogger(CustomOAuth2TokenRelayFilter.class);

    private static final String ACCESS_TOKEN = "ACCESS_TOKEN";
    private static final String TOKEN_TYPE = "TOKEN_TYPE";

    private OAuth2RestOperations restTemplate;

    @Autowired
    private OAuth2ClientContext oAuth2ClientContext;

    public void setRestTemplate(OAuth2RestOperations restTemplate) {
        this.restTemplate = restTemplate;
    }


    @Override
    public int filterOrder() {
        return 1;
    }

    @Override
    public String filterType() {
        return "pre";
    }

    @Override
    public boolean shouldFilter() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth instanceof OAuth2Authentication) {
            Object details = auth.getDetails();
            if (details instanceof OAuth2AuthenticationDetails) {
                OAuth2AuthenticationDetails oauth = (OAuth2AuthenticationDetails) details;
                RequestContext ctx = RequestContext.getCurrentContext();

                LOGGER.debug ("role " + auth.getAuthorities());

                LOGGER.debug("scope" + oAuth2ClientContext.getAccessToken().getScope());

                ctx.set(ACCESS_TOKEN, oauth.getTokenValue());
                ctx.set(TOKEN_TYPE, oauth.getTokenType()==null ? "Bearer" : oauth.getTokenType());
                return true;
            }
        }
        return false;
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        ctx.addZuulRequestHeader("x-pp-user", ctx.get(TOKEN_TYPE) + " " + getAccessToken(ctx));
        return null;
    }

    private String getAccessToken(RequestContext ctx) {
        String value = (String) ctx.get(ACCESS_TOKEN);
        if (restTemplate != null) {
            // In case it needs to be refreshed
            OAuth2Authentication auth = (OAuth2Authentication) SecurityContextHolder
                    .getContext().getAuthentication();
            if (restTemplate.getResource().getClientId()
                    .equals(auth.getOAuth2Request().getClientId())) {
                try {
                    value = restTemplate.getAccessToken().getValue();
                }
                catch (Exception e) {
                    // Quite possibly a UserRedirectRequiredException, but the caller
                    // probably doesn't know how to handle it, otherwise they wouldn't be
                    // using this filter, so we rethrow as an authentication exception
                    throw new BadCredentialsException("Cannot obtain valid access token");
                }
            }
        }
        return value;
    }

}
于 2016-05-24T14:13:13.557 に答える
6

SecurityContextHolderOAuth2Authenticationを使用して、OAuth2 トークンからスコープを取得できます。

private static Set<String> getOAuthTokenScopes() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    OAuth2Authentication oAuth2Authentication;

    if (authentication instanceof OAuth2Authentication) {
        oAuth2Authentication = (OAuth2Authentication) authentication;
    } else {
        throw new IllegalStateException("Authentication not supported!");
    }

    return oAuth2Authentication.getOAuth2Request().getScope();
}
于 2016-11-16T14:25:05.690 に答える