【发布时间】:2022-03-03 04:20:06
【问题描述】:
您好,我一直在网上搜索,但收效甚微,希望 SO 的人能够提供帮助。
目前我的 Spring Boot API(版本 2.5.4)接受 Auth0 提供的 JWT。现在我在那里创建了第二个租户,但我很难理解如何支持两个或多个 issuer-uri。
这是我目前的做法:
@Configuration
@EnableWebSecurity(debug = false)
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${auth0.audience}")
private String audience;
@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuer;
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost:3010"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
configuration.setAllowCredentials(true);
configuration.addAllowedHeader("Authorization");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.headers().referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)
.and()
.xssProtection()
.and()
.contentSecurityPolicy("script-src 'self'").and()
.and()
.csrf()
.disable()
.formLogin()
.disable()
.httpBasic()
.disable()
.exceptionHandling()
.authenticationEntryPoint(new RestAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/api/v1/user/profile/**").permitAll()
.antMatchers("/user/profile/**").permitAll()
.antMatchers("/swagger-resources/**").permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2ResourceServer().jwt();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/health", "/health/**");
}
@Bean
JwtDecoder jwtDecoder() {
/*
By default, Spring Security does not validate the "aud" claim of the token, to ensure that this token is
indeed intended for our app. Adding our own validator is easy to do:
*/
NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
JwtDecoders.fromOidcIssuerLocation(issuer);
OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
jwtDecoder.setJwtValidator(withAudience);
return jwtDecoder;
}
}
任何人都可以解释一下吗,使用 Node 我可以将 issuer-uri 设置为一个字符串数组,它可以开箱即用。希望 Spring 也有类似的东西?
编辑: 如果需要这里是我的版本构建文件:
plugins {
id "org.springframework.boot" version "2.5.4"
id 'io.spring.dependency-management' version '1.0.11.RELEASE'
id 'java'
id "com.github.davidmc24.gradle.plugin.avro" version "1.2.0"
id "idea"
id 'com.google.cloud.tools.jib' version '3.0.0'
}
apply plugin: 'idea'
group 'org.example'
version '1.0'
java {
sourceCompatibility = JavaVersion.VERSION_14
targetCompatibility = JavaVersion.VERSION_14
}
jib.from.image = 'openjdk:15-jdk-buster'
jib.to.image = 'gcr.io/thefullstack/tfs-project-service'
ext {
avroVersion = "1.10.1"
}
repositories {
mavenCentral()
jcenter()
maven {
url "https://packages.confluent.io/maven/"
}
}
avro {
createSetters = true
fieldVisibility = "PRIVATE"
}
dependencies {
implementation('org.springframework.boot:spring-boot-starter-data-elasticsearch')
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-mongodb'
implementation group: 'org.springframework.data', name: 'spring-data-elasticsearch'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security'
implementation group: 'org.springframework.security', name: 'spring-security-oauth2-client'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-validation'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-cache'
implementation("org.springframework.boot:spring-boot-starter-actuator")
implementation group: 'org.springframework.integration', name: 'spring-integration-core', version: '5.5.3'
// implementation group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-logging'
implementation group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-logging', version: '1.2.8.RELEASE'
implementation("org.springframework.cloud:spring-cloud-gcp-starter-pubsub:1.2.5.RELEASE")
implementation("org.springframework.integration:spring-integration-core")
implementation group: 'com.amazonaws', name: 'aws-java-sdk', version: '1.11.860'
implementation group: 'com.mashape.unirest', name: 'unirest-java', version: '1.4.9'
implementation group: 'javax.validation', name: 'validation-api', version: '2.0.1.Final'
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: '2.12.3'
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: '2.12.3'
implementation group: 'io.jsonwebtoken', name: 'jjwt', version: '0.9.1'
implementation group: 'org.openapitools', name: 'jackson-databind-nullable', version: '0.2.1'
implementation group: 'commons-io', name: 'commons-io', version: '2.6'
implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.11'
implementation group: 'com.auth0', name: 'java-jwt', version: '3.12.0'
implementation "org.apache.avro:avro:1.10.1"
implementation "org.apache.avro:avro:${avroVersion}"
implementation 'org.projectlombok:lombok:1.18.20'
annotationProcessor 'org.projectlombok:lombok:1.18.20'
implementation 'com.amazonaws:aws-java-sdk-s3'
implementation 'org.springframework.boot:spring-boot-starter-web'
testImplementation group: 'junit', name: 'junit', version: '4.12'
testImplementation 'org.projectlombok:lombok:1.18.20'
testAnnotationProcessor 'org.projectlombok:lombok:1.18.20'
testImplementation('org.springframework.boot:spring-boot-starter-test') {
exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
}
}
【问题讨论】:
-
非常感谢您的回复。我不确定你是否知道,但我怎样才能让我的 jwtDecoder() 使用这种方法?再次感谢您!
-
您可以使用
AuthenticationManagerResolver解析为不同的JwtAuthenticationProviders,每个JwtDecoder都不同。请参阅此example。该方法将非常相似,除了OpaqueTokenIntrospector,您将拥有 2 个JwtDecoder。 -
感谢 Eleftheria 的回复!对不起,狗出了事故需要手术,所以我现在才回到电脑前。我对该代码示例的某些部分有一些问题(可能更多的是理解)如果我更新了我的主要问题并看看你是否仍然可以提供帮助,你介意吗?再次感谢!
-
随时用您尝试过的内容更新问题,或者如果没有直接相关,请打开一个新问题。
标签: java spring spring-boot spring-security auth0