2. Spring Boot Configuration

When the Spring CredHub starter dependency is used, Spring CredHub can be configured through Spring Boot application properties. Given the appropriate configuration properties, Spring CredHub auto-configures a connection to the CredHub server.

2.1. Mutual TLS Authentication

An application running on Cloud Foundry can use mutual TLS authentication to authenticate to a CredHub server deployed on the same platform. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To use mutual TLS authentication to a CredHub server, only the URL of the CredHub server needs to be supplied as an application property:

spring:
  credhub:
    url: [CredHub server URL]

See the CredHub documentation for more information on mutual TLS authentication.

An application running on Cloud Foundry can use the internal address https://credhub.service.cf.internal:8844 to communicate with a CredHub server deployed on the same platform.

2.2. OAuth2 Authentication

OAuth2 can be used to authenticate to any CredHub server through UAA. Spring CredHub supports authentication with client credentials grant tokens using the following Spring CredHub and Spring Security configuration:

spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]

The ID provided in spring.credhub.oauth2.registration-id must refer to a client configured under spring.security.oauth2.client.registration. See the Spring Boot documentation for more information on Spring Boot OAuth2 client configuration.

The OAuth2 client specified in the Spring Security client registration must have CredHub scopes such as credhub.read and credhub.write in order to perform most operations. See the CredHub documentation for more information on OAuth2 authentication with UAA.

2.2.1. Spring Security OAuth2 Auto-configuration

When spring.credhub.oauth2 properties are set and Spring Security is on the application classpath, Spring CredHub will auto-configure the Spring Security beans required for OAuth2 authentication. An application can provide the required Spring Security OAuth2 beans to override the auto-configuration if necessary.

Servlet and Non-reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate with OAuth2.

Required Bean Type                    Auto-configured Type
ClientRegistrationRepository          InMemoryClientRegistrationRepository
OAuth2AuthorizedClientRepository      AuthenticatedPrincipalOAuth2AuthorizedClientRepository
OAuth2AuthorizedClientManager         DefaultOAuth2AuthorizedClientManager

The auto-configured DefaultOAuth2AuthorizedClientManager assumes the application is running in a servlet container and has an active HttpServletRequest. An application might need to provide an alternate implementation of the OAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceOAuth2AuthorizedClientManager, to process requests outside of an HttpServletRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

	/*
	 * Overrides the auto-configured DefaultOAuth2AuthorizedClientManager with one
	 * that stores authorized clients in an OAuth2AuthorizedClientService instead of
	 * the current HttpServletRequest, so tokens can be obtained from background
	 * threads or scheduled tasks where no servlet request is active.
	 */
	@Bean
	public AuthorizedClientServiceOAuth2AuthorizedClientManager reactiveClientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed for the CredHub client registration.
		clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

See the Spring Security documentation for more information and examples of configuring other beans.
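As an added example (not part of the Spring CredHub documentation or project), the following component shows how the overridden manager above is driven outside of an HttpServletRequest: it requests a client_credentials token for the "credhub-client" registration from the YAML above and checks that UAA granted the credhub.read scope before the token is handed to anything that talks to CredHub. The class name CredHubTokenProbe and the principal name are assumptions.

```java
package com.example.credhub;

import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Component;

/*
 * Hypothetical component (not from the project) that obtains a CredHub access
 * token through the OAuth2AuthorizedClientManager bean, e.g. from a scheduled
 * task, where no servlet request exists. It relies on the
 * AuthorizedClientServiceOAuth2AuthorizedClientManager bean defined above.
 */
@Component
public class CredHubTokenProbe {

	private static final String REGISTRATION_ID = "credhub-client";

	private final OAuth2AuthorizedClientManager clientManager;

	public CredHubTokenProbe(OAuth2AuthorizedClientManager clientManager) {
		this.clientManager = clientManager;
	}

	/** Obtains (or re-uses, until expiry) a client_credentials token for CredHub. */
	public OAuth2AccessToken obtainToken() {
		// A principal name is mandatory; for client_credentials it only serves as the
		// key under which the authorized client is cached in the client service.
		OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
				.withClientRegistrationId(REGISTRATION_ID)
				.principal(REGISTRATION_ID)
				.build();

		OAuth2AuthorizedClient client = clientManager.authorize(request);
		if (client == null) {
			// Null means no provider handled the grant type of the registration.
			throw new IllegalStateException("No authorized client for " + REGISTRATION_ID);
		}

		OAuth2AccessToken token = client.getAccessToken();
		// Fail fast if the UAA client was registered without the CredHub scopes;
		// otherwise every CredHub call would fail later with a less obvious 403.
		if (!token.getScopes().contains("credhub.read")) {
			throw new IllegalStateException("Token lacks credhub.read scope: " + token.getScopes());
		}
		return token;
	}

}
```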

Reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate with OAuth2.

Required Bean Type                        Auto-configured Type
ReactiveClientRegistrationRepository      InMemoryReactiveClientRegistrationRepository
ServerOAuth2AuthorizedClientRepository    UnAuthenticatedServerOAuth2AuthorizedClientRepository
ReactiveOAuth2AuthorizedClientManager     DefaultReactiveOAuth2AuthorizedClientManager

The auto-configured DefaultReactiveOAuth2AuthorizedClientManager requires an active ServerHttpRequest context. An application might need to provide an alternate implementation of the ReactiveOAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager, to process requests outside of a ServerHttpRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

	/*
	 * Overrides the auto-configured DefaultReactiveOAuth2AuthorizedClientManager with
	 * one backed by a ReactiveOAuth2AuthorizedClientService, so tokens can be
	 * obtained where no ServerHttpRequest is present in the Reactor context.
	 */
	@Bean
	public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
			ReactiveClientRegistrationRepository clientRegistrationRepository,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Only the client_credentials grant is needed for the CredHub client registration.
		clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

See the Spring Security documentation for more information and examples of configuring other beans.