由于项目OAuth2采用了多种模式,授权码模式为第三方系统接入,密码模式用于用户登录,Client模式用于服务间调用,
所有不同的模式下的token需要用 @PreAuthorize("hasAuthority('client')") 进行隔离,遇到问题一直验证不通过。
通过调试发现资源服务从授权服务拿到的authrities字段一直为空, StackOverFlow说低版本(项目中才2.0.15)的OAuth2实现权限隔离需要 重写UserInfoTokenService
但是资源服务太多所以考虑重写授权服务的返回值,如何重写?在哪里重写?是下面要介绍的~
一、哪里重写?
资源服务器向授权服务服务器获取资源时候,返回的user信息重写,加入authorities
@RestController @Slf4j public class UserController { @Autowired HttpServletRequest request; @GetMapping("/user") public Principal user(Principal principal) { log.info("获取user信息:{}", JSON.toJSON(principal));
return principal;
}
返回的具体用户信息:
1 { 2 "principal": { 3 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", 4 "phone": "13918438965", 5 "credentialsNonExpired": true, 6 "accountNonExpired": true, 7 "enabled": true, 8 "accountNonLocked": true, 9 "username": "4738195728608789333" 10 }, 11 "authenticated": true, 12 "oAuth2Request": { 13 "redirectUri": "http://www.baidu.com", 14 "responseTypes": ["code"], 15 "approved": true, 16 "extensions": {}, 17 "clientId": "external", 18 "scope": ["auth_base"], 19 "requestParameters": { 20 "code": "ovzMSk", 21 "grant_type": "authorization_code", 22 "scope": "auth_base", 23 "response_type": "code", 24 "redirect_uri": "http://www.baidu.com", 25 "state": "123", 26 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A9454", 27 "client_id": "external" 28 }, 29 "refresh": false, 30 "grantType": "authorization_code", 31 "authorities": [{ 32 "authority": "auth_base" 33 }], 34 "resourceIds": [] 35 }, 36 "clientOnly": false, 37 "credentials": "", 38 "name": "4738195728608789333", 39 "userAuthentication": { 40 "principal": { 41 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", 42 "phone": "13918438965", 43 "credentialsNonExpired": true, 44 "accountNonExpired": true, 45 "enabled": true, 46 "accountNonLocked": true, 47 "username": "4738195728608789333" 48 }, 49 "authenticated": true, 50 "oAuth2Request": { 51 "responseTypes": [], 52 "approved": true, 53 "extensions": {}, 54 "clientId": "gt", 55 "scope": ["frontend"], 56 "requestParameters": { 57 "auth_type": "sms", 58 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d", 59 "grant_type": "password", 60 "client_id": "gt", 61 "username": "13918438965" 62 }, 63 "refresh": false, 64 "grantType": "password", 65 "authorities": [{ 66 "authority": "client" 67 }], 68 "resourceIds": [] 69 }, 70 "clientOnly": false, 71 "credentials": "", 72 "name": "4738195728608789333", 73 "userAuthentication": { 74 "principal": { 75 "password": "$2a$10$OjTFAZEzS6qypY4nRZtnM.MzS6F3XsIlkAO/kIFCu30kAk8Yasowa", 76 "phone": "13918438965", 77 "credentialsNonExpired": true, 78 "accountNonExpired": true, 79 "enabled": true, 80 "accountNonLocked": true, 81 "username": "4738195728608789333" 82 }, 83 "authenticated": true, 84 "name": "4738195728608789333", 85 "details": { 86 "auth_type": "sms", 87 "device_id": "5c5d1d7b-50ae-4347-9aee-7a7686055f4d", 88 "grant_type": "password", 89 "client_secret": "D524C1A0811DA49592F841085CC0063EB62B3001252A94542795D1CA9824A941", 90 "client_id": "gt", 91 "username": "13918438965" 92 }, 93 "authorities": [] 94 }, 95 "details": { 96 "tokenType": "Bearer", 97 "tokenValue": "f7870e71-7b0f-4a4a-9c6f-bb6d1f903ad9", 98 "remoteAddress": "0:0:0:0:0:0:0:1" 99 }, 100 "authorities": [] 101 }, 102 "details": { 103 "tokenType": "Bearer", 104 "tokenValue": "7829005c-5ebe-4428-b951-89477b24316e", 105 "remoteAddress": "0:0:0:0:0:0:0:1" 106 }, 107 "authorities": [] 108 }