Vaadin application (Java 19, Vaadin 24.0.5, Spring Boot 3.0.6) does not get roles after SSO login

I have a Vaadin project and want to make sure that my view MainView.java only allows access to users with @RolesAllowed({"ROLE_ADMIN", "ADMIN"}). After logging in through my SSO service, the user is authenticated and has the necessary roles:
Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [USERTEST], Granted Authorities: [[OAUTH2_USER, SCOPE_company]], User Attributes: [{userCode=USERTEST, userTeam=T_X, userEmail=user@company.at, userKtksnr=0, roles=[ADMIN, ROLE_ADMIN], principal={authorities=[], details={remoteAddress=127.0.0.1, sessionId=null, tokenValue=H7G7LR-Ghiq5BmPFqcuGrAt5ZxI, tokenType=Bearer, decodedDetails=null}, authenticated=true, userAuthentication={authorities=[], details={remoteAddress=0:0:0:0:0:0:0:1, sessionId=BFE069B0209E3DADDEFBCFC1BACB23A9}, authenticated=true, principal={userCode=USERTEST, userTeam=T_X, userEmail=user@company.at, userKtksnr=0, roles=[ADMIN, ROLE_ADMIN]}, credentials=null, name=User{userCode='USERTEST', userTeam='T_X', userEmail='user@company.at', userKtksnr=0, roles=[ADMIN, ROLE_ADMIN]}}, clientOnly=false, credentials=, oauth2Request={clientId=company, scope=[company], requestParameters={code=PSVUul, grant_type=authorization_code, scope=company, response_type=code, state=R6czQI2wlFbfNwfqoulg6ckrthGnTS4JJjS7nkdAlg0=, redirect_uri=http://localhost:7060/company/login/oauth2/code/company, client_id=company}, resourceIds=[], authorities=[], approved=true, refresh=false, redirectUri=http://localhost:7060/company/login/oauth2/code/company, responseTypes=[code], extensions={}, refreshTokenRequest=null, grantType=authorization_code}, principal={userCode=USERTEST, userTeam=T_X, userEmail=user@company.at, userKtksnr=0, roles=[ADMIN, ROLE_ADMIN]}, name=User{userCode='USERTEST', userTeam='T_X', userEmail='user@company.at', userKtksnr=0, roles=[ADMIN, ROLE_ADMIN]}}, applicationRoles=ADMIN,ROLE_ADMIN}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=5278B052E19AD339C2CCF1A20E5ACA8D], Granted Authorities=[OAUTH2_USER, SCOPE_company]]]
TestView.java, annotated with @PermitAll, works as expected (without authentication it redirects to the SSO; once authenticated, the view is visible). But MainView.java, annotated with @RolesAllowed({"ROLE_ADMIN", "ADMIN"}), is always denied access:
Client application:

MainView.java

```java
import com.vaadin.flow.component.html.*;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.PageTitle;
import com.vaadin.flow.router.Route;
import jakarta.annotation.security.RolesAllowed;

@PageTitle("MainView")
@Route(value = "", layout = MainLayout.class)
@RolesAllowed({"ROLE_ADMIN", "ADMIN"})
public class MainView extends VerticalLayout {
    public MainView() {
        H3 title = new H3("Application");
        add(title);
    }
}
```
UiSecurityConfig.java

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class UiSecurityConfig extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // /public/** is open to everyone; everything else goes through OAuth2 login
        http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/public/**"))
                .permitAll()
                .and()
                .oauth2Login();
        // Vaadin's own security setup (view access checker, CSRF handling, etc.)
        super.configure(http);
    }
}
```
Application.yml

```yaml
server:
  port: 7060
  servlet:
    context-path: /application
spring:
  security:
    oauth2:
      client:
        registration:
          company:
            client-id: application
            client-secret:
            scope: MAM
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:7060/application/login/oauth2/code/company
        provider:
          company:
            authorization-uri: http://localhost:9090/sso-service/auth/oauth/authorize
            token-uri: http://localhost:9090/sso-service/auth/oauth/token
            user-info-uri: http://localhost:9090/sso-service/auth/user/me
            user-name-attribute: userCode
      resourceserver:
        api:
          project:
            url: http://localhost:9090/sso-service/auth/user/me
logging:
  level:
    org:
      springframework:
        security: DEBUG
```
Spring OAuth2 SSO application:

Below is the custom UserController; its /user/me endpoint is what gets called, and the user receives all of the information:

```java
import java.security.Principal;
import java.util.Collection;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// QueryUserDataTemplate and User are the SSO project's own classes;
// OAuth2Authentication comes from the legacy spring-security-oauth2 module.
@RestController
public class UserController {
    private QueryUserDataTemplate queryTemplate;

    @Autowired
    public UserController(QueryUserDataTemplate queryTemplate) {
        this.queryTemplate = queryTemplate;
    }

    @GetMapping("/user/me")
    public User user(Principal principal) {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        // the client id of the application that asked for the user info decides which roles apply
        String clientId = ((OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication()).getOAuth2Request().getClientId();
        List<String> roleList = queryTemplate.queryForApplicationRoles(user.getSybCode(), clientId);
        if (roleList != null) {
            user.setRoles((Collection) roleList);
        }
        return new UserResult(principal, user.getSybCode(), user.getSybTeam(), user.getSybEmail(), user.getSybKtksnr(), user.getRoles(), user.getAuthorities());
    }

    public static class UserResult extends User {
        private final Principal principal;

        private UserResult(Principal principal, String username, String sybTeam, String sybEmail, Long sybktksnr,
                           Collection applicationRoles, List<GrantedAuthority> authorities) {
            super(username, sybTeam, sybEmail, sybktksnr, applicationRoles, authorities);
            this.principal = principal;
        }

        public Principal getPrincipal() {
            return principal;
        }
    }
}
```
If you need any further information, please let me know!

Edit: debug information:
```text
Request received for POST '/?v-r=uidl&v-uiId=0':
org.apache.catalina.connector.RequestFacade@24c0d321
servletPath:/
pathInfo:null
headers:
host: localhost:7060
connection: keep-alive
content-length: 529
sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
content-type: application/json; charset=UTF-8
accept: */*
origin: http://localhost:7060
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: http://localhost:7060/mam/
accept-encoding: gzip, deflate, br
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
cookie: JSESSIONID=F95188E5E420170BFF950B0C8D6BB8C6
Security filter chain: [
DisableEncodeUrlFilter
WebAsyncManagerIntegrationFilter
SecurityContextHolderFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
OAuth2LoginAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
ExceptionTranslationFilter
AuthorizationFilter
]
```
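The SecurityContext dump above is the key observation: the OAuth2AuthenticationToken's Granted Authorities are only `OAUTH2_USER` and `SCOPE_company`, while `ADMIN` and `ROLE_ADMIN` live inside the user attributes map. Vaadin's `@RolesAllowed` check is evaluated through Spring Security's `isUserInRole`/`hasRole` logic against the granted authorities (with the `ROLE_` prefix added when it is missing), so attributes alone never satisfy it. The usual Spring Security way to bridge that gap is a `GrantedAuthoritiesMapper` bean, which `oauth2Login()` picks up from the application context and applies when it builds the authentication. The following is an added example, not code from the question or from either of the projects it describes; it assumes a `roles` user attribute shaped as in the log (a list, or alternatively a comma-separated string like `applicationRoles`), and the class name `RoleMappingConfig` is hypothetical.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

// Hypothetical configuration class (added example): turns the "roles" user attribute
// returned by the SSO's /user/me endpoint into real granted authorities, so that
// @RolesAllowed({"ROLE_ADMIN", "ADMIN"}) on a Vaadin view can match.
@Configuration
public class RoleMappingConfig {

    // attribute name as it appears in the question's SecurityContext log
    static final String ROLES_ATTRIBUTE = "roles";
    static final String ROLE_PREFIX = "ROLE_";

    // oauth2Login() looks this bean up and runs it on every successful login
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return RoleMappingConfig::mapRoles;
    }

    static Set<GrantedAuthority> mapRoles(Collection<? extends GrantedAuthority> authorities) {
        // keep what Spring already granted (OAUTH2_USER, SCOPE_*) and add the roles
        Set<GrantedAuthority> mapped = new HashSet<>(authorities);
        for (GrantedAuthority authority : authorities) {
            if (authority instanceof OAuth2UserAuthority userAuthority) {
                Map<String, Object> attributes = userAuthority.getAttributes();
                for (String role : extractRoles(attributes.get(ROLES_ATTRIBUTE))) {
                    mapped.add(new SimpleGrantedAuthority(withRolePrefix(role)));
                }
            }
        }
        return mapped;
    }

    // Accepts either a JSON array (deserialised as a Collection) or a
    // comma-separated string; anything else yields no roles rather than an error.
    static Set<String> extractRoles(Object rawRoles) {
        Set<String> roles = new HashSet<>();
        if (rawRoles instanceof Collection<?> list) {
            for (Object role : list) {
                addTrimmed(roles, String.valueOf(role));
            }
        } else if (rawRoles instanceof String csv) {
            for (String role : csv.split(",")) {
                addTrimmed(roles, role);
            }
        }
        return roles;
    }

    private static void addTrimmed(Set<String> target, String role) {
        String trimmed = role.trim();
        if (!trimmed.isEmpty()) {
            target.add(trimmed);
        }
    }

    // "ADMIN" and "ROLE_ADMIN" both end up as ROLE_ADMIN, which is what
    // Spring's hasRole()/isUserInRole() compares against.
    static String withRolePrefix(String role) {
        return role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
    }
}
```

With the attributes from the log, `mapRoles` returns `{OAUTH2_USER, SCOPE_company, ROLE_ADMIN}`; the duplicate `ADMIN`/`ROLE_ADMIN` pair collapses into a single authority because of the `Set`. If the mapper is in place and the view is still denied, the next thing to verify is that the user-info response actually contains the attribute under the name the mapper reads, which the same DEBUG logging already shows.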