2. Spring Boot Configuration

When the Spring CredHub starter dependency is used, Spring CredHub can be configured with Spring Boot application properties. Given the appropriate configuration properties, Spring CredHub auto-configures the connection to the CredHub server.

2.1. Mutual TLS Authentication

An application running on Cloud Foundry can authenticate to a CredHub server deployed on the same platform using mutual TLS. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To authenticate to a CredHub server with mutual TLS, provide only the URL of the CredHub server as an application property:

spring:
  credhub:
    url: [CredHub server URL]

See the CredHub documentation for more information on mutual TLS authentication.

An application running on Cloud Foundry can use the internal address https://credhub.service.cf.internal:8844 to communicate with a CredHub server deployed on the same platform.

2.2. OAuth2 Authentication

OAuth2 can be used to authenticate through UAA to any CredHub server. Spring CredHub supports client credentials grant tokens for authentication, using the following Spring CredHub and Spring Security configuration:

spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]

The ID given in spring.credhub.oauth2.registration-id must refer to a client configured under spring.security.oauth2.client.registration. See the Spring Boot documentation for more information on Spring Boot OAuth2 client configuration.

The OAuth2 client specified in the Spring Security client registration must have CredHub scopes, such as credhub.read and credhub.write, in order to perform most operations. See the CredHub documentation for more information on OAuth2 authentication with UAA.

2.2.1. Auto-configuration of Spring Security OAuth2

When spring.credhub.oauth2 properties are set and Spring Security is on the application classpath, Spring CredHub auto-configures the Spring Security beans required for OAuth2 authentication. If necessary, an application can provide the required Spring Security OAuth2 beans itself to override the auto-configuration.

Servlet and Non-reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.

Required Bean Type                  Auto-configured Type
ClientRegistrationRepository        InMemoryClientRegistrationRepository
OAuth2AuthorizedClientRepository    AuthenticatedPrincipalOAuth2AuthorizedClientRepository
OAuth2AuthorizedClientManager       DefaultOAuth2AuthorizedClientManager

The auto-configured DefaultOAuth2AuthorizedClientManager assumes that the application runs in a servlet container and has an active HttpServletRequest. An application may need to provide an alternative OAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceOAuth2AuthorizedClientManager, to process requests outside of an HttpServletRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

	/**
	 * Replaces the auto-configured DefaultOAuth2AuthorizedClientManager with a
	 * manager that stores authorized clients in an OAuth2AuthorizedClientService
	 * and therefore does not need an active HttpServletRequest.
	 */
	@Bean
	public AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed to talk to CredHub through UAA.
		clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

See the Spring Security documentation for more information and examples of configuring the other beans.
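The following is an added example, not code from the Spring CredHub project or its documentation, showing why a request-independent manager matters in practice: it obtains the client-credentials token at application startup, where no HttpServletRequest exists, and fails fast if the UAA client was not granted the CredHub scopes named in the OAuth2 section above. It assumes the registration id credhub-client from the YAML above, an OAuth2AuthorizedClientManager bean such as the AuthorizedClientServiceOAuth2AuthorizedClientManager just shown, and that UAA returns the granted scopes in its token response; the class, bean and method names are hypothetical.

```java
package com.example.credhub;

import java.util.HashSet;
import java.util.Set;

import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.core.OAuth2AccessToken;

/**
 * Added example (not part of Spring CredHub): obtains the CredHub token once at
 * startup, outside of any HttpServletRequest, and refuses to start if UAA did
 * not grant the CredHub scopes. Needs a request-independent manager such as
 * AuthorizedClientServiceOAuth2AuthorizedClientManager.
 */
@Configuration
public class CredHubTokenStartupCheck {

	// Assumed to match spring.credhub.oauth2.registration-id in application.yml.
	static final String REGISTRATION_ID = "credhub-client";

	// Scopes CredHub expects for most operations. Assumption: the UAA client
	// registered for this application was granted both.
	static final Set<String> REQUIRED_SCOPES = Set.of("credhub.read", "credhub.write");

	@Bean
	public ApplicationRunner credHubScopeCheck(OAuth2AuthorizedClientManager clientManager) {
		return args -> {
			OAuth2AccessToken token = obtainToken(clientManager);
			Set<String> missing = missingScopes(token.getScopes());
			if (!missing.isEmpty()) {
				// Surfacing a misconfigured UAA client here is cheaper than
				// diagnosing 403 responses from CredHub later on.
				throw new IllegalStateException(
						"UAA token for '" + REGISTRATION_ID + "' lacks CredHub scopes " + missing);
			}
		};
	}

	static OAuth2AccessToken obtainToken(OAuth2AuthorizedClientManager clientManager) {
		// The principal name only labels the stored authorized client; there is
		// no authenticated user because this runs before any request is served.
		OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
				.withClientRegistrationId(REGISTRATION_ID)
				.principal("credhub-startup-check")
				.build();
		OAuth2AuthorizedClient client = clientManager.authorize(request);
		if (client == null) {
			throw new IllegalStateException(
					"No token was issued for registration '" + REGISTRATION_ID + "'");
		}
		return client.getAccessToken();
	}

	static Set<String> missingScopes(Set<String> granted) {
		Set<String> missing = new HashSet<>(REQUIRED_SCOPES);
		missing.removeAll(granted);
		return missing;
	}
}
```

With the auto-configured DefaultOAuth2AuthorizedClientManager in place instead, the authorize call above fails because there is no servlet request to attach the authorized client to; that failure is the symptom the alternative bean in the preceding section is meant to remove. The scope check only works when the token response carries a scope list, which UAA does for client_credentials grants; if the list is absent, getScopes() is empty and the check reports every required scope as missing, which is the safe direction to fail.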

Reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.

Required Bean Type                        Auto-configured Type
ReactiveClientRegistrationRepository      InMemoryReactiveClientRegistrationRepository
ServerOAuth2AuthorizedClientRepository    UnAuthenticatedServerOAuth2AuthorizedClientRepository
ReactiveOAuth2AuthorizedClientManager     DefaultReactiveOAuth2AuthorizedClientManager

The auto-configured DefaultReactiveOAuth2AuthorizedClientManager requires an active ServerHttpRequest context. An application may need to provide an alternative ReactiveOAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager, to process requests outside of a ServerHttpRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

	/**
	 * Replaces the auto-configured DefaultReactiveOAuth2AuthorizedClientManager
	 * with a manager backed by a ReactiveOAuth2AuthorizedClientService, so no
	 * ServerHttpRequest context is required when a token is obtained.
	 */
	@Bean
	public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
			ReactiveClientRegistrationRepository clientRegistrationRepository,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed to talk to CredHub through UAA.
		clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

See the Spring Security documentation for more information and examples of configuring the other beans.
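As an added example (not code from Spring CredHub or its documentation), the reactive counterpart of a token fetch that runs with no ServerHttpRequest in the Reactor context, such as a scheduled job or a message listener, showing the shape of the pipeline when the AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager bean above is in place. It assumes the registration id credhub-client from the YAML above and that UAA returns granted scopes in the token response; the class and method names are hypothetical.

```java
package com.example.credhub;

import java.util.Set;

import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Component;

import reactor.core.publisher.Mono;

/**
 * Added example (not part of Spring CredHub): supplies a CredHub bearer token
 * from a reactive pipeline that has no ServerHttpRequest context. Relies on a
 * ReactiveOAuth2AuthorizedClientManager that does not need a server request,
 * such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.
 */
@Component
public class ReactiveCredHubTokenSupplier {

	// Assumed to match spring.credhub.oauth2.registration-id in application.yml.
	static final String REGISTRATION_ID = "credhub-client";

	// Assumption: the UAA client was granted both CredHub scopes.
	static final Set<String> REQUIRED_SCOPES = Set.of("credhub.read", "credhub.write");

	private final ReactiveOAuth2AuthorizedClientManager clientManager;

	public ReactiveCredHubTokenSupplier(ReactiveOAuth2AuthorizedClientManager clientManager) {
		this.clientManager = clientManager;
	}

	/**
	 * Token value for an "Authorization: Bearer ..." header. The manager caches the
	 * authorized client and requests a fresh token when the cached one has expired,
	 * so callers can subscribe to this Mono on every CredHub call.
	 */
	public Mono<String> bearerToken() {
		// The principal name only labels the stored authorized client; no user is
		// authenticated because there is no request being served.
		OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
				.withClientRegistrationId(REGISTRATION_ID)
				.principal("credhub-background-client")
				.build();
		return clientManager.authorize(request)
				// An empty Mono means no client could be authorized for this registration.
				.switchIfEmpty(Mono.error(() -> new IllegalStateException(
						"No token issued for registration '" + REGISTRATION_ID + "'")))
				.map(OAuth2AuthorizedClient::getAccessToken)
				.flatMap(ReactiveCredHubTokenSupplier::requireCredHubScopes)
				.map(OAuth2AccessToken::getTokenValue);
	}

	static Mono<OAuth2AccessToken> requireCredHubScopes(OAuth2AccessToken token) {
		if (token.getScopes().containsAll(REQUIRED_SCOPES)) {
			return Mono.just(token);
		}
		// Rejecting the token here keeps a under-scoped UAA client from reaching
		// CredHub at all, rather than failing on individual operations later.
		return Mono.error(new IllegalStateException(
				"Token lacks CredHub scopes; granted: " + token.getScopes()));
	}
}
```

If the auto-configured DefaultReactiveOAuth2AuthorizedClientManager were used instead, the authorize call would look for a ServerWebExchange in the subscriber context and fail when the pipeline is driven from outside a WebFlux handler; the service-backed manager in the section above removes that dependency.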