|
对于最新的稳定版本,请使用 Spring Security 6.5.3! |
OAuth 迁移
以下步骤与如何配置 OAuth 2.0 的更改有关。
更改默认值oauth2Login()当局
在 Spring Security 5 中,默认的GrantedAuthority提供给使用 OAuth2 或 OpenID Connect 1.0 提供程序进行身份验证的用户(通过oauth2Login()) 是ROLE_USER.
|
有关详细信息,请参阅映射用户权限。 |
在 Spring Security 6 中,授予使用 OAuth2 提供程序进行身份验证的用户的默认权限是OAUTH2_USER.
授予使用 OpenID Connect 1.0 提供程序进行身份验证的用户的缺省权限是OIDC_USER.
这些默认值允许更清楚地区分已使用 OAuth2 或 OpenID Connect 1.0 提供程序进行身份验证的用户。
如果您使用的是授权规则或表达式,例如hasRole("USER")或hasAuthority("ROLE_USER")要授权用户具有此特定权限,Spring Security 6 中的新默认值将影响您的应用程序。
要选择加入新的 Spring Security 6 默认值,可以使用以下配置。
-
Java
-
Kotlin
-
XML
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
// ...
.oauth2Login((oauth2Login) -> oauth2Login
.userInfoEndpoint((userInfo) -> userInfo
.userAuthoritiesMapper(grantedAuthoritiesMapper())
)
);
return http.build();
}
private GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach((authority) -> {
GrantedAuthority mappedAuthority;
if (authority instanceof OidcUserAuthority) {
OidcUserAuthority userAuthority = (OidcUserAuthority) authority;
mappedAuthority = new OidcUserAuthority(
"OIDC_USER", userAuthority.getIdToken(), userAuthority.getUserInfo());
} else if (authority instanceof OAuth2UserAuthority) {
OAuth2UserAuthority userAuthority = (OAuth2UserAuthority) authority;
mappedAuthority = new OAuth2UserAuthority(
"OAUTH2_USER", userAuthority.getAttributes());
} else {
mappedAuthority = authority;
}
mappedAuthorities.add(mappedAuthority);
});
return mappedAuthorities;
};
}@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
oauth2Login {
userInfoEndpoint {
userAuthoritiesMapper = grantedAuthoritiesMapper()
}
}
}
return http.build()
}
private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
return GrantedAuthoritiesMapper { authorities ->
authorities.map { authority ->
when (authority) {
is OidcUserAuthority ->
OidcUserAuthority("OIDC_USER", authority.idToken, authority.userInfo)
is OAuth2UserAuthority ->
OAuth2UserAuthority("OAUTH2_USER", authority.attributes)
else -> authority
}
}
}
}<http>
<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper" ... />
</http>选择退出步骤
如果配置新权限给您带来麻烦,您可以选择退出并显式使用 5.8 权限ROLE_USER使用以下配置。
-
Java
-
Kotlin
-
XML
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
// ...
.oauth2Login((oauth2Login) -> oauth2Login
.userInfoEndpoint((userInfo) -> userInfo
.userAuthoritiesMapper(grantedAuthoritiesMapper())
)
);
return http.build();
}
private GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach((authority) -> {
GrantedAuthority mappedAuthority;
if (authority instanceof OidcUserAuthority) {
OidcUserAuthority userAuthority = (OidcUserAuthority) authority;
mappedAuthority = new OidcUserAuthority(
"ROLE_USER", userAuthority.getIdToken(), userAuthority.getUserInfo());
} else if (authority instanceof OAuth2UserAuthority) {
OAuth2UserAuthority userAuthority = (OAuth2UserAuthority) authority;
mappedAuthority = new OAuth2UserAuthority(
"ROLE_USER", userAuthority.getAttributes());
} else {
mappedAuthority = authority;
}
mappedAuthorities.add(mappedAuthority);
});
return mappedAuthorities;
};
}@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
oauth2Login {
userInfoEndpoint {
userAuthoritiesMapper = grantedAuthoritiesMapper()
}
}
}
return http.build()
}
private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
return GrantedAuthoritiesMapper { authorities ->
authorities.map { authority ->
when (authority) {
is OidcUserAuthority ->
OidcUserAuthority("ROLE_USER", authority.idToken, authority.userInfo)
is OAuth2UserAuthority ->
OAuth2UserAuthority("ROLE_USER", authority.attributes)
else -> authority
}
}
}
}<http>
<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper" ... />
</http>解决 OAuth2 客户端弃用问题
在 Spring Security 6 中,已从 OAuth2 客户端中删除了已弃用的类和方法。 下面列出了每个弃用,以及直接替换。
ServletOAuth2AuthorizedClientExchangeFilterFunction
方法setAccessTokenExpiresSkew(…)可以用以下之一代替:
-
ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(…) -
RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(…) -
JwtBearerOAuth2AuthorizedClientProvider#setClockSkew(…)
方法setClientCredentialsTokenResponseClient(…)可以用构造函数替换ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager).
|
有关详细信息,请参阅客户端凭据。 |
OAuth2AuthorizedClientArgumentResolver
方法setClientCredentialsTokenResponseClient(…)可以用构造函数替换OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager).
|
有关详细信息,请参阅客户端凭据。 |
OidcClientInitiatedLogoutSuccessHandler
方法setPostLogoutRedirectUri(URI)可以替换为setPostLogoutRedirectUri(String).
AuthorizationRequestRepository
方法removeAuthorizationRequest(HttpServletRequest)可以替换为removeAuthorizationRequest(HttpServletRequest, HttpServletResponse).
AbstractOAuth2AuthorizationGrantRequest
构造函数AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType)可以替换为AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType, ClientRegistration).
OAuth2AccessTokenResponseHttpMessageConverter
现场tokenResponseConverter没有直接替代品。
方法setTokenResponseConverter(…)可以替换为setAccessTokenResponseConverter(…).
现场tokenResponseParametersConverter没有直接替代品。
方法setTokenResponseParametersConverter(…)可以替换为setAccessTokenResponseParametersConverter(…).
NimbusAuthorizationCodeTokenResponseClient
班级NimbusAuthorizationCodeTokenResponseClient可以替换为DefaultAuthorizationCodeTokenResponseClient.
ImplicitGrantConfigurer
班级ImplicitGrantConfigurer没有直接替代品。
|
使用 |
地址JwtAuthenticationConverter折旧
方法extractAuthorities将被删除。
而不是扩展JwtAuthenticationConverter,请提供自定义授权的权限转换器JwtAuthenticationConverter#setJwtGrantedAuthoritiesConverter.