parent
1ad87dcaf5
commit
4ccd5ce84b
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2020 the original author or authors.
|
* Copyright 2020-2021 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -21,60 +21,50 @@ import java.util.Optional;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import org.springframework.beans.factory.annotation.Value;
|
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
import org.springframework.security.authentication.AuthenticationManager;
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
import org.springframework.security.authentication.AuthenticationManagerResolver;
|
import org.springframework.security.authentication.AuthenticationManagerResolver;
|
||||||
|
import org.springframework.security.authentication.ProviderManager;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
||||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
|
||||||
import org.springframework.security.oauth2.jwt.JwtDecoder;
|
import org.springframework.security.oauth2.jwt.JwtDecoder;
|
||||||
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
|
|
||||||
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
|
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
|
||||||
import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter;
|
import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter;
|
||||||
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
|
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
|
||||||
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
|
|
||||||
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
|
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
|
||||||
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* OAuth Resource Security configuration.
|
* OAuth Resource Security configuration.
|
||||||
*
|
*
|
||||||
* @author Josh Cummings
|
* @author Josh Cummings
|
||||||
*/
|
*/
|
||||||
@EnableWebSecurity
|
@Configuration
|
||||||
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
|
public class OAuth2ResourceServerSecurityConfiguration {
|
||||||
|
|
||||||
@Value("${tenantOne.jwk-set-uri}")
|
@Bean
|
||||||
String jwkSetUri;
|
SecurityFilterChain apiSecurity(HttpSecurity http,
|
||||||
|
AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
|
||||||
@Value("${tenantTwo.introspection-uri}")
|
|
||||||
String introspectionUri;
|
|
||||||
|
|
||||||
@Value("${tenantTwo.introspection-client-id}")
|
|
||||||
String introspectionClientId;
|
|
||||||
|
|
||||||
@Value("${tenantTwo.introspection-client-secret}")
|
|
||||||
String introspectionClientSecret;
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
http
|
http
|
||||||
.authorizeRequests((requests) -> requests
|
.authorizeRequests((requests) -> requests
|
||||||
.mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read")
|
.mvcMatchers("/**/message/**").hasAuthority("SCOPE_message:read")
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer((resourceServer) -> resourceServer
|
.oauth2ResourceServer((resourceServer) -> resourceServer
|
||||||
.authenticationManagerResolver(multitenantAuthenticationManager())
|
.authenticationManagerResolver(authenticationManagerResolver)
|
||||||
);
|
);
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
|
return http.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager() {
|
AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager(JwtDecoder jwtDecoder,
|
||||||
|
OpaqueTokenIntrospector opaqueTokenIntrospector) {
|
||||||
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
|
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
|
||||||
authenticationManagers.put("tenantOne", jwt());
|
authenticationManagers.put("tenantOne", jwt(jwtDecoder));
|
||||||
authenticationManagers.put("tenantTwo", opaque());
|
authenticationManagers.put("tenantTwo", opaque(opaqueTokenIntrospector));
|
||||||
return (request) -> {
|
return (request) -> {
|
||||||
String[] pathParts = request.getRequestURI().split("/");
|
String[] pathParts = request.getRequestURI().split("/");
|
||||||
String tenantId = (pathParts.length > 0) ? pathParts[1] : null;
|
String tenantId = (pathParts.length > 0) ? pathParts[1] : null;
|
||||||
|
@ -86,17 +76,14 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthenticationManager jwt() {
|
AuthenticationManager jwt(JwtDecoder jwtDecoder) {
|
||||||
JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
|
|
||||||
JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
|
JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
|
||||||
authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter());
|
authenticationProvider.setJwtAuthenticationConverter(new JwtBearerTokenAuthenticationConverter());
|
||||||
return authenticationProvider::authenticate;
|
return new ProviderManager(authenticationProvider);
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthenticationManager opaque() {
|
AuthenticationManager opaque(OpaqueTokenIntrospector introspectionClient) {
|
||||||
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(this.introspectionUri,
|
return new ProviderManager(new OpaqueTokenAuthenticationProvider(introspectionClient));
|
||||||
this.introspectionClientId, this.introspectionClientSecret);
|
|
||||||
return new OpaqueTokenAuthenticationProvider(introspectionClient)::authenticate;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,10 @@
|
||||||
tenantOne.jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
|
spring:
|
||||||
tenantTwo.introspection-uri: ${mockwebserver.url}/introspect
|
security:
|
||||||
tenantTwo.introspection-client-id: client
|
oauth2:
|
||||||
tenantTwo.introspection-client-secret: secret
|
resourceserver:
|
||||||
|
jwt:
|
||||||
|
jwk-set-uri: ${mockwebserver.url}/.well-known/jwks.json
|
||||||
|
opaquetoken:
|
||||||
|
introspection-uri: ${mockwebserver.url}/introspect
|
||||||
|
client-id: client
|
||||||
|
client-secret: secret
|
Loading…
Reference in New Issue