
我正在使用 Spring Cloud Security 和 OAuth2 来保护我的微服务(问题标题:用 Spring Cloud Security OAuth2 保护微服务)。项目的 pom.xml 如下:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<!-- Maven coordinates of the POC. The project itself is a SNAPSHOT; that has no bearing on
     the repositories section below. -->
<groupId>com.oreilly.cloud</groupId>
<artifactId>spring-microservices-oauth-server</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>

<name>spring-microservices-oauth-server</name>
<description>Demo project for Spring Boot</description>

<!-- NOTE(review): Boot 1.5.x brings Spring Security 4.x, which still accepts the raw
     in-memory passwords used in WebSecurityConfig (Spring Security 5 would require a
     PasswordEncoder or a {noop} prefix). The 1.5 line is no longer maintained; plan an
     upgrade before reusing this POC for anything real. -->
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.7.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <!-- Spring Cloud release train paired with Boot 1.5 (a GA service release, not a snapshot). -->
    <spring-cloud.version>Dalston.SR3</spring-cloud.version>
</properties>

<dependencies>
    <!-- Provides spring-security-oauth2, i.e. the @EnableAuthorizationServer /
         @EnableResourceServer annotations used in the main class. -->
    <dependency>
     <groupId>org.springframework.cloud</groupId>
     <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <!-- JDBC and HSQLDB are on the classpath, but the visible configuration keeps both
         clients and users in memory; presumably intended for a JDBC-backed store later —
         confirm, and drop them if unused. -->
    <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
     <groupId>org.hsqldb</groupId>
     <artifactId>hsqldb</artifactId>
     <scope>runtime</scope>
    </dependency>
    <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-test</artifactId>
     <scope>test</scope>
    </dependency>
</dependencies>

<!-- Imports the Spring Cloud BOM so the starter above needs no explicit version. -->
<dependencyManagement>
    <dependencies>
     <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-dependencies</artifactId>
      <version>${spring-cloud.version}</version>
      <type>pom</type>
      <scope>import</scope>
     </dependency>
    </dependencies>
</dependencyManagement>

<build>
    <plugins>
     <!-- Builds the executable Boot jar and provides the spring-boot:run goal used below. -->
     <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
     </plugin>
    </plugins>
</build>

<!-- NOTE(review): neither 1.5.7.RELEASE nor Dalston.SR3 is a snapshot or milestone, so
     nothing declared here needs these repositories. An enabled snapshot repository lets
     unpinned, mutable artifacts into the build (supply-chain risk) — remove both entries
     unless a dependency actually requires them. -->
<repositories>
    <repository>
     <id>spring-snapshots</id>
     <name>Spring Snapshots</name>
     <url>https://repo.spring.io/snapshot</url>
     <snapshots>
      <enabled>true</enabled>
     </snapshots>
    </repository>
    <repository>
     <id>spring-milestones</id>
     <name>Spring Milestones</name>
     <url>https://repo.spring.io/milestone</url>
     <snapshots>
      <enabled>false</enabled>
     </snapshots>
    </repository>
</repositories>

Spring Boot 主类如下:

package com.oreilly.cloud; 

import org.springframework.boot.SpringApplication; 
import org.springframework.boot.autoconfigure.SpringBootApplication; 
import org.springframework.security.access.prepost.PreAuthorize; 
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.bind.annotation.RestController; 

/**
 * Boot entry point that hosts the OAuth2 authorization server, a resource server and one
 * protected REST endpoint in a single process (the question notes this is a POC and that
 * the two servers are meant to be split later).
 *
 * NOTE(review): @EnableResourceServer registers a second security filter chain next to
 * the one from WebSecurityConfig; which chain handles /resource/endpoint depends on their
 * relative order. The login page returned in the question suggests the form-login chain
 * wins — confirm the ordering or give the resource server an explicit request matcher.
 */
@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringMicroservicesOauthServerApplication {

    /** Response body of {@link #endpoint()}; text kept verbatim. */
    private static final String PROTECTED_MESSAGE =
            "This message is protected by the resource server.";

    public static void main(String[] args) {
        SpringApplication.run(SpringMicroservicesOauthServerApplication.class, args);
    }

    /**
     * Demo endpoint. Method security requires ROLE_ADMIN (hasRole('ADMIN') adds the
     * ROLE_ prefix), so a token issued to user1 — ROLE_USER in WebSecurityConfig — is
     * rejected with 403 even once the filter-chain problem is fixed; use the admin user.
     */
    @RequestMapping("/resource/endpoint")
    @PreAuthorize("hasRole('ADMIN')")
    public String endpoint() {
        return PROTECTED_MESSAGE;
    }
}

授权服务器配置如下:

package com.oreilly.cloud; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.authentication.AuthenticationManager; 
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; 
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; 

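/**
 * Authorization-server side of the POC: wires the AuthenticationManager published by
 * WebSecurityConfig into the token endpoint and registers one in-memory client.
 */
@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Demo-only client credentials. Hard-coded secrets are tolerable in a throwaway POC
    // but must move to configuration / secret storage before this is reused.
    private static final String CLIENT_ID = "webapp";
    private static final String CLIENT_SECRET = "websecret";

    @Autowired
    private AuthenticationManager authManager;

    /**
     * The password grant needs an AuthenticationManager to verify the resource owner's
     * username/password; without one the token endpoint rejects grant_type=password.
     *
     * @param endpoints configurer for the /oauth/* endpoints
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authManager);
    }

    /**
     * Registers the single client. Only the password grant is allowed, which means the
     * client handles the user's password in clear; that grant is legacy and should be
     * reserved for trusted first-party clients.
     *
     * Fix: scopes() is varargs. The original passed the one string "read,write,trust",
     * which the server treats as a single scope named literally "read,write,trust" (the
     * token response in the question shows that comma-joined value). Passing three
     * arguments yields the three scopes that were evidently intended.
     *
     * @param clients configurer for the client registry
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient(CLIENT_ID)
                .secret(CLIENT_SECRET)
                .authorizedGrantTypes("password")
                .scopes("read", "write", "trust");
    }

}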

注意:AuthenticationManager 是通过自动装配(@Autowired)注入到授权服务器配置中的。

AuthenticationManager 在下面的类中配置并作为 bean 返回,以便能注入到上面的类中:

package com.oreilly.cloud; 

import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.authentication.AuthenticationManager; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 

/**
 * Web-security side of the POC: defines the two in-memory users and publishes the
 * resulting AuthenticationManager as a bean for AuthorizationServerConfig.
 *
 * NOTE(review): a WebSecurityConfigurerAdapter that does not override
 * configure(HttpSecurity) inherits Spring Security's defaults — every request must be
 * authenticated, with form login and HTTP Basic enabled. That is the "Login Page" the
 * question gets for /resource/endpoint, and it means this chain, not the OAuth2
 * resource-server chain, handled the request. Either restrict this adapter to the paths
 * it should own or fix the chain ordering so the resource server sees /resource/** first.
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the AuthenticationManager built from {@link #configure} as a bean so the
     * authorization server can inject it.
     */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        registerDemoUsers(auth);
    }

    /**
     * Registers the two demo users. Passwords are literal and unhashed: Boot 1.5 /
     * Spring Security 4 has no default PasswordEncoder so this works, but it is demo-only —
     * use a real user store with hashed (bcrypt) passwords before reuse. Under Spring
     * Security 5 these literals would need a {noop} prefix or a PasswordEncoder bean.
     */
    private static void registerDemoUsers(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user1").password("password1").roles("USER")
                .and()
                .withUser("admin").password("password2").roles("ADMIN");
    }

}

application.properties 如下:

# Port the combined authorization + resource server listens on. Plain HTTP: the tokens and
# the passwords sent in the requests below travel unencrypted — acceptable on localhost only.
server.port=9090
# NOTE(review): Spring Boot 1.5 orders the OAuth2 resource-server filter chain *after* a
# custom WebSecurityConfigurerAdapter, which matches the login page seen for
# /resource/endpoint. If that is the cause, `security.oauth2.resource.filter-order=3`
# (the pre-1.5 default) moves the resource chain in front — confirm against the 1.5
# release notes before relying on it.

然后我用下面的命令启动 Spring Boot 应用:

mvn spring-boot:run

应用成功启动,并在 localhost 的 9090 端口接受请求。

现在我用 Postman 发送 POST 请求获取 access_token。背景是:这里使用的 OAuth2 流程是密码授权(password grant)。所以在上面的 AuthorizationServerConfig 类中,我定义了密码授权流程,并注册了一个带客户端 ID 和客户端密钥的简单 Web 应用客户端。可以看到客户端配置在内存中。(注:密码授权意味着客户端直接拿到用户的明文密码,它属于遗留授权方式,只应给完全可信的第一方客户端使用。)

从授权服务器获取访问令牌的 Postman 请求如下:这是一个 POST 请求,Basic 认证头中的用户名为 webapp、密码为 websecret(即客户端 ID 和客户端密钥)。(注意:下面把 username 和 password 放在了查询字符串里,它们会进入服务器和代理的访问日志;按 RFC 6749 这些参数应放在 POST 的表单体中。)

http://localhost:9090/oauth/token?grant_type=password&username=user1&password=password1

该请求成功返回了如下的访问令牌 JSON:

{ 
    "access_token": "2d632e54-17c3-41f7-af3b-935ca3022d78", 
    "token_type": "bearer", 
    "expires_in": 43199, 
    "scope": "read,write,trust" 
} 

现在,当我用上述访问令牌访问 /resource/endpoint 时:(注意两点:把 access_token 放在查询字符串里同样会被写入访问日志,推荐改用 Authorization: Bearer 头;另外上面的令牌是用 user1 获取的,它只有 ROLE_USER,而端点要求 hasRole('ADMIN'),即使过滤器链正确,这个令牌也会得到 403。)

http://localhost:9090/resource/endpoint?access_token=2d632e54-17c3-41f7-af3b-935ca3022d78

它没有返回 /resource/endpoint 的文本响应,而是返回了如下的登录页面:

<html> 
    <head> 
     <title>Login Page</title> 
    </head> 
    <body onload='document.f.username.focus();'> 
     <h3>Login with Username and Password</h3> 
     <form name='f' action='/login' method='POST'> 
      <table> 
       <tr> 
        <td>User:</td> 
        <td> 
         <input type='text' name='username' value=''> 
        </td> 
       </tr> 
       <tr> 
        <td>Password:</td> 
        <td> 
         <input type='password' name='password'/> 
        </td> 
       </tr> 
       <tr> 
        <td colspan='2'> 
         <input name="submit" type="submit" value="Login"/> 
        </td> 
       </tr> 
       <input name="_csrf" type="hidden" value="8dbc1c38-6f89-43c5-a8f8-797c920722a1" /> 
      </table> 
     </form> 
    </body> 
</html> 

有人能帮我看看我漏掉了什么吗?

备注:我在同一个应用中同时配置了授权服务器和资源服务器。这只是一个 POC,用来试验 Spring Cloud Security,之后我会把两者拆开……但那是以后的事。


你的问题到底是什么? –


你的令牌里 expires_in 的值看起来有点奇怪……它的单位是什么?肯定不是 tick,能检查一下吗?(expires_in 的单位是秒;43199 ≈ 12 小时,应该就是 spring-security-oauth2 的默认访问令牌有效期减去已过去的一秒。) –


@WilliamHampshire 我的问题是:我通过访问 http://localhost:9090/oauth/token?grant_type=password&username=admin&password=password2(并带上含客户端用户名和密码的 Basic 认证头)拿到了访问令牌,但当我把 access_token 参数设为该令牌去访问受保护资源(/resource/endpoint)时,得到的是登录页面,而不是端点本应返回的文本响应。 – santhoshbhatti



我通过打开 Spring Boot 的 root DEBUG 日志找到了问题所在。

如果你使用 yml:

src/main/resources/application.yml 
---------------------------------- 
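# Diagnostic setting only. Root DEBUG is very noisy and Spring Security's debug output can
# include request details (the credentials and tokens sent on the URLs in this thread).
# Turn it off, or narrow it to org.springframework.security, before deploying anywhere.
# Fixed: the original listing had `root:` at the same indent as `level:`, which makes it a
# sibling key under `logging` (and leaves `level:` empty) instead of logging.level.root.
logging:
  level:
    root: DEBUG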

或者,如果使用 properties:

src/main/resources/application.properties 
---------------------------------- 
# Diagnostic setting only: root DEBUG is very noisy and may write request details
# (credentials, tokens) to the log. Remove it, or narrow it to org.springframework.security,
# before deploying.
logging.level.root=DEBUG

我发现 GET 请求里没有传递任何用户身份验证信息:(“user is anonymous” 说明这次请求根本没有被当作 bearer 令牌请求来认证——也就是说处理它的很可能不是 OAuth2 资源服务器的过滤器链,而是 WebSecurityConfig 那条默认的表单登录链。)

o.s.s.w.a.ExceptionTranslationFilter: Access is denied (user is anonymous); ... 

所以你可以做两件事之一:

1. 通过 URL 参数传递凭据,例如(不推荐:密码和令牌都会出现在 URL 里,进入访问日志、代理和 shell 历史;而且这样做并没有让资源服务器去校验 bearer 令牌,只是绕过了问题):

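# Passes the user's credentials as query parameters next to the token.
# WARNING: the password and the token end up in the URL, i.e. in server/proxy access logs
# and shell history. Note also that Spring Security's form login only reads
# username/password from a POST to /login, so these query parameters most likely do not
# authenticate this GET by themselves; the answer's last paragraph (a prior login being
# "cached", i.e. a session cookie) is the more plausible reason it worked.
# Fixed: the original split the single-quoted URL across two lines, putting a newline and
# leading spaces inside the URL.
curl -X GET \
    'http://localhost:9090/resource/endpoint?username=user1&password=password1&access_token=xxxx'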

2. 通过 Basic 认证传递凭据,例如(注意:这里传的是用户的用户名/密码,请求会被 WebSecurityConfig 默认启用的 HTTP Basic 认证放行,OAuth2 访问令牌自始至终没有被校验;真正符合 OAuth2 的做法是只带 Authorization: Bearer <access_token> 头):

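# Passes the *user's* username/password as HTTP Basic. A WebSecurityConfigurerAdapter with
# the default configure(HttpSecurity) enables httpBasic(), so this most likely authenticates
# the GET through that chain and bypasses the OAuth2 resource server entirely — the access
# token is never checked. Fixed: the original left the Authorization header unterminated
# (missing closing quote). The OAuth2-correct call is:
#   curl http://localhost:9090/resource/endpoint -H 'Authorization: Bearer <access_token>'
curl -X GET \
    'http://localhost:9090/resource/endpoint?username=user1' \
    -H 'Authorization: Basic xxxxxxxxxxxxx'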

你也是从 safaribooksonline 上那门用 Spring 构建微服务的课程来的吧?:)

我也弄明白了为什么讲师没遇到这个问题:他之前肯定已经用用户名/密码登录过——认证状态似乎被缓存在了某处,因为登录一次之后,再只带 access_token 调用该资源就能成功。(这个“缓存”多半就是表单/Basic 登录创建的 HTTP 会话 cookie(JSESSIONID):后续请求靠的是会话而不是令牌,所以这并不能证明资源服务器在校验 access_token。)