Spring Security 5.6.9 and 5.7.5 were released on October 31, 2022 and include a fix for CVE-2022-31690, which affects the mapping of authorized scopes in spring-security-oauth2-client. Users are advised to update as soon as possible.
Users who have applied the mitigation should be aware of the following impact:

When the Authorization Server (AS) responds to an OAuth2 Access Token Request with an empty or missing `scope` parameter in the Access Token Response, no authorized scopes are mapped to the principal (the current user).

If you are affected by this vulnerability, then when the AS does not return scopes, users will not be granted any authority beginning with `SCOPE_`. Only the special authority `ROLE_USER` is granted to the principal.
Note

As of 6.0, the special authority has changed to `OAUTH2_USER` (or `OIDC_USER`). For more information, see "Using GrantedAuthoritiesMapper" in the 6.0 reference documentation.

If your application requires additional authorities, you should register a `GrantedAuthoritiesMapper` `@Bean` that provides the required authorities, as in the following example:
```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                // Access to /messages requires the "read" scope mapped by Spring Security
                .mvcMatchers(HttpMethod.GET, "/messages").hasAuthority("SCOPE_read")
                // ...
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            if (!authorities.isEmpty() && authorities.stream()
                    .map(GrantedAuthority::getAuthority)
                    .anyMatch(authority -> authority.startsWith("SCOPE_"))) {
                // AS returned scopes that are mapped to SCOPE_ by Spring Security
                return authorities;
            }
            // AS returned no scopes, either because none were granted or because requested == granted
            // See https://www.rfc-editor.org/rfc/rfc6749#section-5.1 and your AS documentation
            // You can access the ID Token or UserInfo attributes to map authorities based on the user:
            Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
            authorities.forEach(authority -> {
                if (OidcUserAuthority.class.isInstance(authority)) {
                    // OIDC login: claims are available from the ID Token
                    OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
                    OidcIdToken idToken = oidcUserAuthority.getIdToken();
                    // ...
                } else if (OAuth2UserAuthority.class.isInstance(authority)) {
                    // Plain OAuth2 login: attributes come from the UserInfo endpoint
                    OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority) authority;
                    Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
                    // ...
                }
            });
            return grantedAuthorities;
            // Alternatively, provide a fallback set of authorities that make sense for your application
            // return AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read");
        };
    }
}
```
Warning

Mapping authorities solely from `ClientRegistration` is not recommended.
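The example above elides how the ID Token or UserInfo attributes are turned into authorities. The following stand-alone program, added here as an illustration and not code from the Spring Security project or the advisory, fills in that gap: when the AS returns scopes the mapper passes them through unchanged, and when it returns none it derives `ROLE_` authorities from a user claim while keeping the base authority the framework assigned. The claim name `roles` and the allowlist of recognised role values are assumptions for this example; use whatever claim your AS actually issues. It runs against constructed `OidcUserAuthority` and `OAuth2UserAuthority` instances without a running AS or web container.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

public class ClaimBasedAuthoritiesMapperDemo {

    // Assumed claim name carrying the user's roles; your AS may use a different one.
    static final String ROLES_CLAIM = "roles";

    // Allowlist of role values this application understands. Claim values outside it are
    // ignored so that an unexpected value never becomes an authority by accident.
    static final Set<String> KNOWN_ROLES = Set.of("reader", "writer");

    /** Returns a mapper that prefers AS-issued scopes and falls back to claim-derived roles. */
    static GrantedAuthoritiesMapper claimBasedAuthoritiesMapper() {
        return (authorities) -> {
            boolean hasScopes = authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(a -> a.startsWith("SCOPE_"));
            if (hasScopes) {
                // AS returned scopes; Spring Security already mapped them to SCOPE_ authorities
                return authorities;
            }
            // Keep the base authority (ROLE_USER in 5.x; OAUTH2_USER / OIDC_USER in 6.x)
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                for (String role : rolesFrom(authority)) {
                    if (KNOWN_ROLES.contains(role)) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
                    }
                }
            }
            return mapped;
        };
    }

    /** Extracts the roles claim from an ID Token (OIDC) or from UserInfo attributes (plain OAuth2). */
    static List<String> rolesFrom(GrantedAuthority authority) {
        // OidcUserAuthority extends OAuth2UserAuthority, so the OIDC check must come first
        if (authority instanceof OidcUserAuthority) {
            OidcIdToken idToken = ((OidcUserAuthority) authority).getIdToken();
            List<String> roles = idToken.getClaimAsStringList(ROLES_CLAIM);
            return roles != null ? roles : List.of();
        }
        if (authority instanceof OAuth2UserAuthority) {
            Object value = ((OAuth2UserAuthority) authority).getAttributes().get(ROLES_CLAIM);
            List<String> roles = new ArrayList<>();
            if (value instanceof Collection<?>) {
                for (Object item : (Collection<?>) value) {
                    roles.add(String.valueOf(item));
                }
            }
            return roles;
        }
        return List.of();
    }

    public static void main(String[] args) {
        GrantedAuthoritiesMapper mapper = claimBasedAuthoritiesMapper();

        // Case 1: constructed OIDC login where the AS returned no scopes but the ID Token carries roles.
        // "admin" is deliberately outside the allowlist and must not produce an authority.
        Map<String, Object> claims = Map.of("sub", "alice", ROLES_CLAIM, List.of("reader", "admin"));
        OidcIdToken idToken = new OidcIdToken("constructed-token", Instant.now(),
                Instant.now().plusSeconds(300), claims);
        Collection<? extends GrantedAuthority> oidcResult =
                mapper.mapAuthorities(List.of(new OidcUserAuthority(idToken, null)));
        System.out.println("OIDC, no scopes:  " + AuthorityUtils.authorityListToSet(oidcResult));

        // Case 2: constructed plain OAuth2 login with roles in the UserInfo attributes.
        Map<String, Object> attributes = Map.of("sub", "bob", ROLES_CLAIM, List.of("writer"));
        Collection<? extends GrantedAuthority> oauth2Result =
                mapper.mapAuthorities(List.of(new OAuth2UserAuthority(attributes)));
        System.out.println("OAuth2, no scopes: " + AuthorityUtils.authorityListToSet(oauth2Result));

        // Case 3: the AS did return scopes, so the mapper leaves the authorities untouched.
        Collection<? extends GrantedAuthority> scoped = mapper.mapAuthorities(
                AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read"));
        System.out.println("Scopes present:    " + AuthorityUtils.authorityListToSet(scoped));
    }
}
```

Register the mapper as a `@Bean` exactly as in the advisory's example to have `oauth2Login()` pick it up. Keeping the framework-assigned base authority in the fallback set matters: dropping it would change how `authenticated()` style rules and other code that checks `ROLE_USER` (or `OAUTH2_USER` / `OIDC_USER` on 6.x) behave for users whose AS omits `scope`.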