【发布时间】:2018-05-10 14:24:42
【问题描述】:
如何在我的资源服务器中映射角色?
我在 Spring Boot 中创建了我认为最简单的资源服务器实现:
Application.java
@SpringBootApplication
@RestController
@EnableResourceServer
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@RequestMapping(value = "/user")
public Principal user(Principal principal) {
return principal;
}
}
application.properties
security.oauth2.resource.user-info-uri=myUserInfoUri
security.oauth2.client.client-id=myId
security.oauth2.client.client-secret=mySecret
pom.xml
...
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>
</dependencies>
该应用运行良好。我调用我的身份验证服务器(在本例中为 KeyCloak)并检索令牌。然后,我使用作为 Authorization 标头传入的令牌对 http://localhost:8080/user/ 进行 http 获取。
HTTP 响应包含来自令牌的信息,但 authorities 属性设置为 ROLE_USER。这与令牌中的角色不匹配。
HTTP 响应
...
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_USER"
}
],
"details": {
"sub": "93f566bd-df68-4c68-b3c6-0173c476bc02",
"name": "Andrew Neeson",
"preferred_username": "andy",
"given_name": "Andrew",
"family_name": "Neeson",
...
令牌(已解析)
...
"realm_access": {
"roles": [
"role_1",
"role_2"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"name": "Andrew Neeson",
"preferred_username": "andy",
"given_name": "Andrew",
"family_name": "Neeson",
...
如何从令牌中提取所需信息?
【问题讨论】:
标签: spring-security jwt spring-security-oauth2