如何限制到特定域以使用Spring-Boot和OAuth2登录
我已经使用Spring Boot" title="Spring Boot">Spring Boot和Google成功完成了OAuth2登录,但是我想将登录限制为特定的域(我们正在使用Google Apps for
Work)。
我认为我应该通过扩展类OAuth2ClientAuthenticationProcessingFilter来处理所指定,但是我不确定该怎么做。
基本上,我想使用Google OAuth 2.0作为身份提供者,但必须只接受公司用户(@ company.com)。
回答:
根据Stéphane的建议,我进入了本教程,并最终实现了该方法,该方法适用于我的Google+个人资料:
@Configuration@EnableOAuth2Sso
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String GOOGLE_PLUS_DOMAIN_ATTRIBUTE = "domain";
private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";
@Bean
public AuthoritiesExtractor authoritiesExtractor(
@Value("#{'${security.allowed-domains}'.split(',')}") final List<String> allowedDomains) {
return new AuthoritiesExtractor() {
@Override
public List<GrantedAuthority> extractAuthorities(final Map<String, Object> map) {
if (map != null && map.containsKey(GOOGLE_PLUS_DOMAIN_ATTRIBUTE)) {
final String domain = (String) map.get(GOOGLE_PLUS_DOMAIN_ATTRIBUTE);
if (!allowedDomains.contains(domain)) {
throw new BadCredentialsException("Not an allowed domain");
}
return AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
}
return null;
}
};
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/logout", "/api/mappings/**", "/public/**").permitAll()
.anyRequest().hasAuthority("ROLE_USER")
.and().logout().logoutUrl("/api/logout").logoutSuccessUrl("/logout")
.and().csrf().csrfTokenRepository(csrfTokenRepository()).ignoringAntMatchers("/api/mappings/**")
.and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
// @formatter:on
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
final CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, CSRF_COOKIE_NAME);
final String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie(CSRF_COOKIE_NAME, token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
final HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName(CSRF_HEADER_NAME);
return repository;
}
}
我的application.yml文件包含有关oauth的以下条目:
security: oauth2:
client:
access-token-uri: https://www.googleapis.com/oauth2/v3/token
user-authorization-uri: https://accounts.google.com/o/oauth2/auth
client-authentication-scheme: form
scope: profile,email
resource:
user-info-uri: https://www.googleapis.com/plus/v1/people/me
prefer-token-info: false
使用Google+个人资料时,地图中提供的资源服务器响应包含域条目。我只是将此值与配置的允许域进行了比较。
希望这可以帮助。
更新:2019年3月7日,谷歌将弃用Google+
API。如果您像我一样,将会收到Google的电子邮件,建议您更新软件。在我们的情况下,网址https://www.googleapis.com/plus/v1/people/me将会被弃用。因此,我在这里发布了更新的配置(使用Spring
Boot 1.3.5构建)。
security: oauth2:
client:
clientId: *your client id from Google*
clientSecret: *your client secret from Google*
accessTokenUri: https://www.googleapis.com/oauth2/v4/token
userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
clientAuthenticationScheme: form
scope:
- email
- profile
resource:
userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
preferTokenInfo: false
# Comma-separated list of domains
allowed-domains: *your allowed domains*
请注意,由于属性域已更改其名称,因此必须在WebSecurityConfigurerAdapter中进行较小的更改。因此,您需要替换以下行:
私有静态最终字符串GOOGLE_PLUS_DOMAIN_ATTRIBUTE =“域”;
与
私有静态最终字符串HOSTED_DOMAIN_ATTRIBUTE =“ hd”;
以上是 如何限制到特定域以使用Spring-Boot和OAuth2登录 的全部内容, 来源链接: utcz.com/qa/418450.html
