2. Spring Boot Configuration
When the Spring CredHub Starters dependency is used, Spring CredHub can be configured with Spring Boot application properties. Given the appropriate configuration properties, Spring CredHub auto-configures a connection to the CredHub server.
2.1. Mutual TLS Authentication
An application running on Cloud Foundry can authenticate to a CredHub server deployed to the same platform using mutual TLS. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To use mutual TLS authentication to a CredHub server, simply provide the URL of the CredHub server as an application property:
```yaml
spring:
  credhub:
    url: [CredHub server URL]
```
See the CredHub documentation for more information on mutual TLS authentication.
An application running on Cloud Foundry can use the internal address https://credhub.service.cf.internal:8844 to communicate with a CredHub server deployed to the same platform.
2.2. OAuth2 Authentication
OAuth2 can be used to authenticate to any CredHub server via UAA. Spring CredHub supports client credentials grant tokens for authentication, using the following Spring CredHub and Spring Security configuration:
```yaml
spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]
```
The ID provided in spring.credhub.oauth2.registration-id must refer to a client configured under spring.security.oauth2.client.registration.
See the Spring Boot documentation for more information on Spring Boot OAuth2 client configuration.
The OAuth2 client specified in the Spring Security client registration must have CredHub scopes such as credhub.read or credhub.write in order to perform most operations.
See the CredHub documentation for more information on OAuth2 authentication with UAA.
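As an added example (not Spring CredHub's own code), a startup check that ties the two requirements above together: it confirms that the configured registration-id resolves to an entry under spring.security.oauth2.client.registration, that the entry uses the client_credentials grant, and warns when it declares neither credhub.read nor credhub.write. The class name, bean name and log messages are assumptions.

```java
package com.example.credhub;

import java.util.Set;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

// Hypothetical startup check (not part of Spring CredHub): fail fast when
// spring.credhub.oauth2.registration-id does not resolve to a usable registration.
@Configuration
public class CredHubRegistrationCheck {

    private static final Logger log = LoggerFactory.getLogger(CredHubRegistrationCheck.class);

    @Bean
    public ApplicationRunner credHubRegistrationValidator(
            @Value("${spring.credhub.oauth2.registration-id}") String registrationId,
            ClientRegistrationRepository registrations) {
        return args -> {
            // The ID must match an entry under spring.security.oauth2.client.registration
            ClientRegistration registration = registrations.findByRegistrationId(registrationId);
            if (registration == null) {
                throw new IllegalStateException("spring.credhub.oauth2.registration-id '" + registrationId
                        + "' has no matching spring.security.oauth2.client.registration entry");
            }
            // Spring CredHub authenticates to UAA with the client credentials grant
            if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(registration.getAuthorizationGrantType())) {
                throw new IllegalStateException("Registration '" + registrationId
                        + "' must use authorization-grant-type client_credentials, found "
                        + registration.getAuthorizationGrantType().getValue());
            }
            // The scopes actually granted are decided by the UAA client configuration, so
            // only warn when the registration declares neither credhub.read nor credhub.write.
            Set<String> scopes = registration.getScopes();
            boolean declaresCredHubScope = scopes != null && scopes.stream()
                    .anyMatch(s -> s.equals("credhub.read") || s.equals("credhub.write"));
            if (!declaresCredHubScope) {
                log.warn("Registration '{}' declares no credhub.read/credhub.write scope; "
                        + "most CredHub operations will be rejected unless UAA grants one", registrationId);
            }
        };
    }
}
```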
2.2.1. Auto-configuration of Spring Security OAuth2
When the spring.credhub.oauth2 properties are set and Spring Security is on the application classpath, Spring CredHub auto-configures the Spring Security beans required for OAuth2 authentication.
If necessary, an application can override the auto-configuration by providing the required Spring Security OAuth2 beans itself.
Servlet and Non-reactive Applications
Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate with OAuth2.
| Required Bean Type | Auto-configured Type |
|---|---|
The auto-configured DefaultOAuth2AuthorizedClientManager assumes that the application is running in a servlet container and has an active HttpServletRequest. An application may need to provide an alternative implementation of the OAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceOAuth2AuthorizedClientManager, to process requests outside of an HttpServletRequest, as shown in the following example:
```java
/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

	// Replaces the auto-configured DefaultOAuth2AuthorizedClientManager with one that
	// does not depend on an active HttpServletRequest (e.g. for scheduled tasks)
	@Bean
	public AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Obtain tokens with the client credentials grant, matching the registration above
		clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}
```
See the Spring Security documentation for more information and examples of configuring other beans.
Reactive Applications
Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate with OAuth2.
| Required Bean Type | Auto-configured Type |
|---|---|
The auto-configured DefaultReactiveOAuth2AuthorizedClientManager requires an active ServerHttpRequest context. An application may need to provide an alternative implementation of the ReactiveOAuth2AuthorizedClientManager bean, such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager, to process requests outside of a ServerHttpRequest, as shown in the following example:
```java
/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

	// Replaces the auto-configured DefaultReactiveOAuth2AuthorizedClientManager with one
	// that does not depend on an active ServerHttpRequest context
	@Bean
	public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
			ReactiveClientRegistrationRepository clientRegistrationRepository,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		// Obtain tokens with the client credentials grant, matching the registration above
		clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}
```
See the Spring Security documentation for more information and examples of configuring other beans.