Using Spring Boot 2.1.5 and Spring Security 5, I am trying to use two different OpenID clients (Keycloak based). This is what we have in application.properties:
spring.security.oauth2.client.registration.keycloak-endusersclient.client-id=endusersclient
spring.security.oauth2.client.registration.keycloak-endusersclient.client-secret=7b41aaa4-277f-47cf-9eab-91afacd55d2c
spring.security.oauth2.client.provider.keycloak-endusersclient.issuer-uri=https://mydomain/auth/realms/endusersrealm
spring.security.oauth2.client.registration.keycloak-employeesclient.client-id=employeesclient
spring.security.oauth2.client.registration.keycloak-employeesclient.client-secret=7b41aaa4-277f-47cf-9eab-91afacd55d2d
spring.security.oauth2.client.provider.keycloak-employeesclient.issuer-uri=https://mydomain/auth/realms/employeesrealm
As you can see from the snippet above, we are trying to use one OpenID client for end users (customers) and another client for employees.
In the security configuration class, this is how we configure security on the different patterns:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity // registers this adapter as the security configuration (annotation not in the original snippet)
public class OpenIDConnectSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // avoid multiple concurrent sessions
        http.sessionManagement().maximumSessions(1);
        http.authorizeRequests()
                .antMatchers("/endusers/**").authenticated()
                .antMatchers("/employees/**").authenticated()
                .anyRequest().permitAll()
            .and()
            .oauth2Login()
                // OpenIDConnectAuthenticationSuccessHandler is the poster's own class (not shown)
                .successHandler(new OpenIDConnectAuthenticationSuccessHandler())
            .and()
            .logout().logoutSuccessUrl("/");
    }
}
What I don't understand is how to configure each OpenID client so that it is triggered on a separate URL pattern. In the example above, we want the end-users client to be used when hitting URLs starting with "/endusers" and the employees client when hitting URLs starting with "/employees".
Can this be done?
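Added example for the question as asked (with oauth2Login, not a resource server); this is not code from the question, from either answer, or from Spring Security itself. It uses three ordered WebSecurityConfigurerAdapter chains: the two path-specific chains send unauthenticated requests straight to the authorization endpoint of their own registration (/oauth2/authorization/{registrationId}, the path that oauth2Login registers by default), and a catch-all chain hosts the shared redirect and callback endpoints. Access to each path is then bound to the realm that issued the ID token through an authorities mapper, instead of to .authenticated(), which a login through either client would satisfy. The class names and the role names ROLE_ENDUSER and ROLE_EMPLOYEE are assumptions of this example; the registration ids and issuer URIs are the ones from the application.properties above, and Spring Security 5.x is assumed, as in the question.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class PerPathOidcLoginConfig {

    // Issuer URIs exactly as declared in application.properties
    static final String ENDUSERS_ISSUER = "https://mydomain/auth/realms/endusersrealm";
    static final String EMPLOYEES_ISSUER = "https://mydomain/auth/realms/employeesrealm";

    // Adds ROLE_ENDUSER or ROLE_EMPLOYEE (names assumed for this example) according to the
    // realm that issued the ID token. Binding the URL rules to that role, rather than to
    // authenticated(), is what keeps an employee session out of /endusers/** and vice versa.
    static GrantedAuthoritiesMapper realmAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    String issuer = ((OidcUserAuthority) authority).getIdToken().getIssuer().toString();
                    if (ENDUSERS_ISSUER.equals(issuer)) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_ENDUSER"));
                    } else if (EMPLOYEES_ISSUER.equals(issuer)) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_EMPLOYEE"));
                    }
                }
            }
            return mapped;
        };
    }

    // /endusers/**: an unauthenticated request starts the code flow with keycloak-endusersclient
    @Configuration
    @Order(1)
    public static class EndUsersChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/endusers/**")
                .authorizeRequests().anyRequest().hasRole("ENDUSER")
                .and()
                .exceptionHandling().authenticationEntryPoint(
                    new LoginUrlAuthenticationEntryPoint("/oauth2/authorization/keycloak-endusersclient"));
        }
    }

    // /employees/**: same pattern, with keycloak-employeesclient
    @Configuration
    @Order(2)
    public static class EmployeesChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/employees/**")
                .authorizeRequests().anyRequest().hasRole("EMPLOYEE")
                .and()
                .exceptionHandling().authenticationEntryPoint(
                    new LoginUrlAuthenticationEntryPoint("/oauth2/authorization/keycloak-employeesclient"));
        }
    }

    // Catch-all chain. It owns the /oauth2/authorization/** redirect and the
    // /login/oauth2/code/** callback for both registrations, so the mapper must be set here.
    @Configuration
    @Order(3)
    public static class SharedLoginChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll();
            http.oauth2Login().userInfoEndpoint().userAuthoritiesMapper(realmAuthoritiesMapper());
            http.logout().logoutSuccessUrl("/");
        }
    }
}
```

The entry point in the first two chains only chooses which registration starts the login; the saved request is restored by the catch-all chain's default success handler after the callback, because both chains share the same HTTP session. A session that already holds an employees-realm login and then requests /endusers/** gets a 403 from hasRole rather than a second login prompt; supporting both identities in one session would need a different session model than the question shows.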
Posted on 2019-12-26 20:31:21
For the multi-tenant case you need to use AuthenticationManagerResolver; in this case endusersclient and employeesclient are your tenants.
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;

public class CustomAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
    @Override
    public AuthenticationManager resolve(HttpServletRequest request) {
        return fromTenant(request); // the request must be passed through (the original called fromTenant() with no argument)
    }

    private AuthenticationManager fromTenant(HttpServletRequest request) {
        // getRequestURI() includes the context path; "/endusers/x" splits into ["", "endusers", "x"]
        String[] pathParts = request.getRequestURI().split("/");
        // TODO find your tenant from the path and return the auth manager
        throw new UnsupportedOperationException("tenant lookup not implemented");
    }
}

In your configuration class it should look like this:

private CustomAuthenticationManagerResolver customAuthenticationManagerResolver;

http.authorizeRequests()
        .antMatchers("/endusers/**").authenticated()
        .antMatchers("/employees/**").authenticated()
        .anyRequest().permitAll()
    .and()
    .oauth2ResourceServer()
        .authenticationManagerResolver(this.customAuthenticationManagerResolver);
Posted on 2021-10-06 14:59:11
For opaque tokens (multi-tenant configuration):
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
    @Override
    public AuthenticationManager resolve(HttpServletRequest request) {
        String tenantId = request.getHeader("tenant");
        OpaqueTokenIntrospector opaqueTokenIntrospector;
        // "1".equals(tenantId) avoids a NullPointerException when the header is absent
        if ("1".equals(tenantId)) {
            // introspection endpoint URI, client id and client secret (placeholder values)
            opaqueTokenIntrospector = new NimbusOpaqueTokenIntrospector(
                    "https://test/authorize/oauth2/introspect",
                    "test",
                    "test");
        } else {
            opaqueTokenIntrospector = new NimbusOpaqueTokenIntrospector(
                    "https://test/authorize/oauth2/introspect",
                    "test",
                    "test");
        }
        return new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector)::authenticate;
    }
}
Web security configuration:

@Autowired
private CustomAuthenticationManagerResolver customAuthenticationManagerResolver;

// entry point that answers with a REST-style 401; assumed to be a bean defined elsewhere
@Autowired
private AuthenticationEntryPoint restEntryPoint;

@Override
public void configure(HttpSecurity http) throws Exception {
    // HttpSecurity has no anyRequest(); the rule belongs under authorizeRequests()
    http.authorizeRequests().anyRequest().authenticated()
        .and()
        .oauth2ResourceServer()
            .authenticationEntryPoint(restEntryPoint)
            .authenticationManagerResolver(customAuthenticationManagerResolver);
}
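Worked example serving both answers above (added here; not code from the page, from the posters, or from Spring Security itself): a resolver that picks the tenant from the request path, as the first answer suggests, and builds one JWT AuthenticationManager per Keycloak realm from the issuer URIs in the question's application.properties. It assumes Spring Security 5.2 or later (the oauth2ResourceServer().authenticationManagerResolver(...) hook is not in 5.1), that the access tokens are JWTs, and that the resource server is the same application; the class names are hypothetical. For opaque tokens, the second answer's NimbusOpaqueTokenIntrospector plus OpaqueTokenAuthenticationProvider would take the place of the JwtDecoder and JwtAuthenticationProvider per tenant.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Chooses the AuthenticationManager (one per Keycloak realm) from the request path.
public class PathTenantAuthenticationManagerResolver
        implements AuthenticationManagerResolver<HttpServletRequest> {

    // Hypothetical mapping for this example: path prefix -> manager for the realm behind it.
    private final Map<RequestMatcher, AuthenticationManager> managers = new LinkedHashMap<>();

    public PathTenantAuthenticationManagerResolver() {
        // issuer URIs as declared in the question's application.properties
        managers.put(new AntPathRequestMatcher("/endusers/**"),
                jwtManagerFor("https://mydomain/auth/realms/endusersrealm"));
        managers.put(new AntPathRequestMatcher("/employees/**"),
                jwtManagerFor("https://mydomain/auth/realms/employeesrealm"));
    }

    // Builds the decoder from the realm's OIDC discovery document. The returned decoder checks
    // the signature against that realm's JWK set and the "iss" claim against the issuer URI,
    // so a token minted by the other realm fails validation on this path.
    private static AuthenticationManager jwtManagerFor(String issuerUri) {
        JwtDecoder decoder = JwtDecoders.fromOidcIssuerLocation(issuerUri);
        return new JwtAuthenticationProvider(decoder)::authenticate;
    }

    @Override
    public AuthenticationManager resolve(HttpServletRequest request) {
        for (Map.Entry<RequestMatcher, AuthenticationManager> entry : managers.entrySet()) {
            if (entry.getKey().matches(request)) {
                return entry.getValue();
            }
        }
        // Fail closed: a bearer token sent to a path with no tenant is rejected instead of
        // being validated against some default realm.
        return authentication -> {
            throw new BadCredentialsException("no tenant for " + request.getRequestURI());
        };
    }
}

@Configuration
@EnableWebSecurity
class MultiRealmResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/endusers/**").authenticated()
                .antMatchers("/employees/**").authenticated()
                .anyRequest().permitAll()
            .and()
            .oauth2ResourceServer()
                // per-request choice of AuthenticationManager (Spring Security 5.2+)
                .authenticationManagerResolver(new PathTenantAuthenticationManagerResolver());
    }
}
```

The tenant is derived from the path that the authorization rules already bind to, and each decoder enforces its own issuer, so "authenticated" on /endusers/** means "authenticated by endusersrealm". Selecting the validating authority from a caller-supplied header instead lets the client decide which authority vouches for its token, which is only acceptable when every tenant is trusted equally. JwtDecoders.fromOidcIssuerLocation fetches discovery metadata when the resolver is constructed, so the application fails at startup rather than at first request if a realm is unreachable.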
https://stackoverflow.com/questions/57140974