Share SPRING_SECURITY_CONTEXT between two applicat

2019-08-17 13:19发布

站内问答 / 移动开发
1113 1 5

I have two different Spring Boot Applications that run on localhost on different ports (8080, 8081) and different configs (application.yml). These apps use SSO with OAuth 2.0 to get authorization token from Authorization Server. I log in to my first application, get authorization and everything works great here. Now I need to share these authentication details with second Spring Boot App (on port 8081) to authorize second app in Authorization Server. Googled and found 2 aproaches: I can try to share HttpSession between two apps (but I think it's redundant) OR HttpSessionSecurityContextRepository as SecurityContextRepository which seems more convenient. The problem here is that I can't manage to do so and I'm still not sure that it's a good idea to share Security Context between 2 apps.

What I tried for now:

  1. Share authorization token from first app via headers in GET request (custom-built in accordance with specification for requests for Authorization Server), but it didn't work - second app doesn't take in mind this token.
  2. Share authorized cookie from first app to second, but it didn't work, too.

I can't do authorization through Authorization Server on second app because it may be not a Spring Boot App with @Controller but any other app without HTML forms, so I need to authorize on first app (with UI), get all the data which is needed to perform authorized requests and pass it to second app (third, fourth...) so they will be able to do authorized requests too.

Thanks in advance!

1条回答
够拽才男人
2楼-- · 2019-08-17 13:55

I presume that your authorization/resource server is external application.And you can login successfully with your first application so flow is working.You have two client application with own client_id, client_secret and etc. parameters.If these parameters are different then authorization/resource server will return different bareer token and sessionid cookie for first and second client application.Otherwise you need to authorize both of them in authorization/resource server. I would offer when user do login to first app then in background you do login also for second application. For automatically authorizing second application you can try to do oauth2 login flow manually for second application with own parameters when after successful first application login and send cookies to frontend which you got from oauth2 login.

For manual oauth2 login you can try below code:

private Cookie oauth2Login(String username, String password, String clientId, String clientSecret) {
    try {
        String oauthHost = InetAddress.getByName(OAUTH_HOST).getHostAddress();
        HttpHeaders headers = new HttpHeaders();
        RestTemplate restTemplate = new RestTemplate();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>();

        // Basic Auth
        String plainCreds = clientId + ":" + clientSecret;
        byte[] plainCredsBytes = plainCreds.getBytes();
        byte[] base64CredsBytes = org.apache.commons.net.util.Base64.encodeBase64(plainCredsBytes);
        String base64Creds = new String(base64CredsBytes);
        headers.add("Authorization", "Basic " + base64Creds);
        // form param
        map.add("username", username);
        map.add("password", password);
        map.add("grant_type", GRANT_TYPE);
        HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<MultiValueMap<String, String>>(map,
                headers);
        // CALLING TOKEN URL
        OauthTokenRespone res = null;
        try {
            res = restTemplate.postForObject(OAUTH_HOST, request,
                    OauthTokenRespone.class);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        Optional<OauthTokenRespone> optRes = Optional.ofNullable(res);
        String accessToken = optRes.orElseGet(() -> new OauthTokenRespone("", "", "", "", "", ""))
                .getAccess_token();
        // CALLING RESOURCE
        headers.clear();
        map.clear();
        headers.setContentType(MediaType.APPLICATION_JSON);
        map.add("access_token", accessToken);
        request = new HttpEntity<MultiValueMap<String, String>>(map, headers);

        Cookie oauthCookie = null;
        if (accessToken.length() > 0) {
            HttpEntity<String> response = restTemplate.exchange(
                    OAUTH_RESOURCE_URL.replace(OAUTH_HOST, oauthHost) + "?access_token=" + accessToken,
                    HttpMethod.POST, request, String.class);
            String cookie = Optional.ofNullable(response.getHeaders().get("Set-Cookie"))
                    .orElseGet(() -> Arrays.asList(new String(""))).get(0);
            if (cookie.length() > 0) {
                String[] c = cookie.split(";")[0].split("=");
                oauthCookie = new Cookie(c[0], c[1]);
                oauthCookie.setHttpOnly(true);
            }
        }
        return Optional.ofNullable(oauthCookie).orElseGet(() -> new Cookie("Ops", ""));
    } catch (Throwable t) {
        return new Cookie("Ops", "");
    }
}

@JsonIgnoreProperties(ignoreUnknown = true)
public class OauthTokenRespone {
    private String access_token;
    private String token_type;
    private String refresh_token;
    private String expires_in;
    private String scope;
    private String organization;
    // getter and setter
  }

And call this method after first app login as follows : 

Cookie oauthCookie = oauth2Login(authenticationRequest.getUsername(), authenticationRequest.getPassword(),
            CLIENT_ID, CLIENT_SECRET);

After getting cookie you need change its name (for example JSESSIONID-SECOND) because same cookies will override each other and also need to change its domain path to second app domain.

response.addCookie(oauthCookie);

Last you need add cookie to response (it is HttpServletResponse reference).

Hope it helps!

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)