Giriş
Şu satırı dahil ederiz
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
Resource Server ayarları içindir. Resource Server, bir kaynağa erişilmek istendiğinde doğrulama ve yetkilendirme ister. Bu sınıf da bu işleri JWT token ile yapar.
Maven
Örnek
Şu satırı dahil ederiz
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
Kullanım
Şöyle yaparız
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Resource-server chain: every request must present a JWT that the
    // oauth2ResourceServer support can validate.
    // CSRF protection is switched off here — presumably because clients use
    // bearer tokens rather than a cookie-backed session; confirm no
    // cookie-authenticated endpoints share this chain.
    http.csrf().disable();
    // Enables the CORS configurer with its defaults (a CorsConfigurationSource
    // bean, if any, is picked up from the context).
    http.cors();
    http.authorizeRequests().anyRequest().authenticated();
    http.oauth2ResourceServer().jwt();
    return http.build();
}
}
bearerTokenResolver metodu - Örnek - jwt Decoder
Örnek
Elimizde şöyle bir kod olsun. Burada JWT, Bearer Token olarak değil Custom Header içinde gönderiliyor.
@Configuration
@EnableWebSecurity
public class SecurityConfig {
// Authorization-server issuer URI bound from application configuration.
// Not read anywhere in this listing; the jwtDecoder bean shown later on this page uses it.
@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuerUri;
// NOTE(review): unlike SecurityConfiguration.filterChain at the top of this page, this
// method is protected and carries no @Bean annotation; Spring registers a
// SecurityFilterChain only when it is exposed as a bean — confirm this chain is picked up.
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // The Strict-Transport-Security header is not emitted by this chain. Keep this only
    // if HSTS is set by an upstream TLS terminator; otherwise browsers are never told
    // to stay on HTTPS.
    http.headers().httpStrictTransportSecurity().disable();
    // CSRF is off, which is the usual choice for a bearer-token API that relies on no cookie session.
    http.csrf().disable();
    // sessionManagement() is called with no settings, so it appears to be a no-op; a stateless
    // resource server would normally set SessionCreationPolicy.STATELESS here — confirm.
    http.sessionManagement();
    http.authorizeRequests()
            // public customer endpoints need no token
            .requestMatchers("/customers/public/**").permitAll()
            // private customer endpoints, and everything not matched above, require authentication
            .requestMatchers("/customers/private/**").authenticated()
            .anyRequest().authenticated();
    http.oauth2ResourceServer()
            // the token is taken from a custom header by the resolver instead of "Authorization: Bearer"
            .bearerTokenResolver(customBearerTokenResolver())
            // customBearerTokenResolver() and jwtDecoder() are defined outside this listing
            .jwt().decoder(jwtDecoder());
    return http.build();
}
}
Resolver şöyledir
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.util.StringUtils;
public class CustomBearerTokenResolver implements BearerTokenResolver {
// Name of the request header the token is read from. It is never reassigned, so a
// reviewer would expect `private static final` here.
private String X_CUSTOM_HEADER = "x-custom-header";
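/**
 * Reads the token from the custom header instead of the standard
 * {@code Authorization: Bearer ...} header.
 *
 * The header value is a credential; the original implementation printed it to stdout
 * on every request, which puts tokens into application logs. That output is removed.
 *
 * @param request the incoming request
 * @return the header value when present and non-blank, otherwise {@code null}
 */
@Override
public String resolve(HttpServletRequest request) {
    String token = request.getHeader(X_CUSTOM_HEADER);
    return StringUtils.hasText(token) ? token : null;
}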
}
jwt metodu
Örnek
Şöyle yaparız.
@Override
public void configure(HttpSecurity http) throws Exception {
    // Every request is permitted regardless of authentication state, so nothing in
    // this configuration protects an endpoint; the resource-server JWT support below
    // presumably only validates a token when a client happens to send one.
    http.authorizeRequests().anyRequest().permitAll();
    // Both the login flow and the resource-server flow are enabled on the same chain.
    http.oauth2Login();
    http.oauth2ResourceServer().jwt();
}
Örnek
Şöyle yaparız
@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    /**
     * Security rules: every request needs an authenticated JWT, and method-level
     * {@code @PreAuthorize} checks are switched on.
     * NOTE(review): WebSecurityConfigurerAdapter is the legacy configuration style;
     * the SecurityFilterChain bean shown at the top of this page is its replacement.
     */
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated();
            http.oauth2ResourceServer().jwt();
        }
    }

    // NOTE(review): the class name is misspelled ("Cotroller"); kept as-is because renaming
    // a public type is an interface change.
    @RestController
    public class RequestCotroller {
        // "SCOPE_" + scope value is how the default JWT authority mapping names scopes;
        // confirm no custom granted-authorities converter is registered elsewhere.
        @PreAuthorize("hasAuthority('SCOPE_mod_custom')")
        @GetMapping("/")
        public String getMessage(Principal principal) {
            return "Welcome, " + principal.getName();
        }
    }
}
Örnek - JWT Decoder
Burada JWT, Bearer Token olarak gönderiliyor. Elimizde şöyle bir kod olsun.
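@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Authorization-server issuer URI bound from configuration; not read in this listing
    // (the jwtDecoder bean shown below on the page uses it).
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    // NOTE(review): no @Bean here and the method is protected; Spring registers a
    // SecurityFilterChain only when it is exposed as a bean (compare
    // SecurityConfiguration.filterChain at the top of the page) — confirm the chain is picked up.
    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The Strict-Transport-Security header is not emitted by this chain; keep this only
        // if HSTS is set by an upstream TLS terminator.
        http.headers().httpStrictTransportSecurity().disable();
        http
            // CSRF off: usual for a bearer-token API that relies on no cookie session
            .csrf().disable()
            // called with no settings — appears to be a no-op; a stateless resource server
            // would normally set SessionCreationPolicy.STATELESS here
            .sessionManagement()
            .and()
            .authorizeRequests()
                // permit all requests to /customers/public/**
                .requestMatchers("/customers/public/**").permitAll()
                // authenticate all requests to /customers/private/**
                .requestMatchers("/customers/private/**").authenticated()
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
                // fixed: the listing was missing the '.' before jwt(), which does not compile
                .jwt().decoder(jwtDecoder());
        return http.build();
    }
}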
Şöyle yaparız
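/**
 * Builds the decoder the resource server uses to verify incoming JWTs.
 *
 * NOTE(review): the property is named issuer-uri but is handed to withJwkSetUri(), which
 * expects the URL of the JWK Set endpoint rather than the issuer; a decoder built this way
 * also performs no issuer-claim validation on its own — confirm which URL the property holds.
 *
 * The original returned an anonymous wrapper that printed every raw token and its decoded
 * form to stdout; tokens are credentials, so that logging is removed rather than kept.
 *
 * @return a JwtDecoder backed by the JWK Set fetched from {@code issuerUri}
 */
@Bean
public JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withJwkSetUri(issuerUri).build();
}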
Örnek
Şöyle yaparız
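Açıklaması şöyle
// The enclosing class of configure() is not shown in this listing.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
        .and()
        .oauth2ResourceServer()
            // authorities are derived from JWT claims by the converter below
            .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()));
}

/** Authentication converter whose granted authorities come from the realm_access claim. */
Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter() {
    JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
    jwtConverter.setJwtGrantedAuthoritiesConverter(new RealmRoleConverter());
    return jwtConverter;
}

/**
 * Turns the {@code realm_access.roles} claim of a JWT into {@code ROLE_}-prefixed
 * authorities (the prefix Spring Security's role checks expect).
 *
 * A token without the claim, or with a claim of an unexpected shape, now yields no
 * authorities instead of failing with a NullPointerException or ClassCastException
 * from the unchecked cast in the original.
 */
public class RealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        Object realmAccess = jwt.getClaims().get("realm_access");
        if (!(realmAccess instanceof Map)) {
            return java.util.Collections.emptyList();
        }
        Object roles = ((Map<?, ?>) realmAccess).get("roles");
        if (!(roles instanceof Collection)) {
            return java.util.Collections.emptyList();
        }
        return ((Collection<?>) roles).stream()
                .map(roleName -> "ROLE_" + roleName)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }
}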
In this converter, we extract the "realm_access" claim and then convert its roles into authorities, using "ROLE_" as a prefix. Spring Security requires this prefix to interpret them as roles.