Class ScopeJwtAuthenticationConverter
java.lang.Object
io.leandev.appfuse.security.resourceserver.ScopeJwtAuthenticationConverter
- All Implemented Interfaces:
org.springframework.core.convert.converter.Converter<org.springframework.security.oauth2.jwt.Jwt, org.springframework.security.authentication.AbstractAuthenticationToken>
public class ScopeJwtAuthenticationConverter
extends Object
implements org.springframework.core.convert.converter.Converter<org.springframework.security.oauth2.jwt.Jwt, org.springframework.security.authentication.AbstractAuthenticationToken>
JWT → Authentication converter for FEDERATED mode.
Validates tokens issued by an external enterprise IdP (Keycloak/Okta, OIDC). Authorization information comes from the IdP's claims and is mapped onto the same resource:action permission vocabulary used by self-signed tokens (ADR-009, point 2):
- scope / scp claim (OAuth2 standard; a space-separated string or a string array) → used as-is as a GrantedAuthority (no SCOPE_ prefix, no upper-casing), so the scope order:read becomes the authority order:read and directly satisfies @PreAuthorize("hasAuthority('order:read')").
- roles claim (default name roles) → ROLE_* (for hasRole(...)-style endpoint rules); values that already carry the ROLE_ prefix are not prefixed again. The IdP must be configured with the same scope / role vocabulary.
The principal remains the Jwt; the tenant is resolved by JwtClaimTenantIdResolver from the tenantId claim (shared with STANDALONE, see ADR-009 and ADR-001).
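The mapping described above, as an added example that is not the project's own source: the class name ScopeJwtConverterExample and the helper asStrings are assumed, and the standard Spring Security JwtAuthenticationToken is used as the returned AbstractAuthenticationToken; the sample token in main is constructed for demonstration only.

```java
// Added example mirroring the documented contract; not the project's source.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class ScopeJwtConverterExample {
    private final String rolesClaim; // null or blank: roles are not mapped
    public ScopeJwtConverterExample(String rolesClaim) { this.rolesClaim = rolesClaim; }

    public AbstractAuthenticationToken convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        // scope / scp: space-separated string or array, used verbatim (no SCOPE_ prefix, no upper-casing)
        for (String claim : List.of("scope", "scp")) {
            for (String s : asStrings(jwt.getClaim(claim))) {
                authorities.add(new SimpleGrantedAuthority(s));
            }
        }
        // roles claim -> ROLE_*; a value that already carries ROLE_ is not prefixed twice
        if (rolesClaim != null && !rolesClaim.isBlank()) {
            for (String r : asStrings(jwt.getClaim(rolesClaim))) {
                authorities.add(new SimpleGrantedAuthority(r.startsWith("ROLE_") ? r : "ROLE_" + r));
            }
        }
        return new JwtAuthenticationToken(jwt, authorities); // principal remains the Jwt
    }

    // Accepts both claim shapes: a whitespace-separated string or a string array.
    private static List<String> asStrings(Object claim) {
        if (claim instanceof String s) {
            return s.isBlank() ? List.of() : List.of(s.trim().split("\\s+"));
        }
        if (claim instanceof Collection<?> c) {
            return c.stream().map(Object::toString).toList();
        }
        return List.of();
    }

    public static void main(String[] args) {
        // Constructed sample token (unsigned, "alg":"none" header) for demonstration only
        Jwt jwt = Jwt.withTokenValue("sample").header("alg", "none")
                .claim("scope", "order:read order:write")
                .claim("roles", List.of("admin", "ROLE_auditor")).build();
        new ScopeJwtConverterExample("roles").convert(jwt).getAuthorities()
                .forEach(a -> System.out.println(a.getAuthority()));
    }
}
```

Running main yields the authorities order:read, order:write, ROLE_admin and ROLE_auditor, showing that the scope values keep their exact form while only the unprefixed role gains ROLE_.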
Constructor Summary
Constructors:
ScopeJwtAuthenticationConverter() - Creates the converter with the default roles claim name (roles)
ScopeJwtAuthenticationConverter(String rolesClaim)
Method Summary
Modifier and Type | Method | Description
org.springframework.security.authentication.AbstractAuthenticationToken | convert(org.springframework.security.oauth2.jwt.Jwt jwt) |
Methods inherited from class Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.core.convert.converter.Converter:
andThen
Constructor Details
ScopeJwtAuthenticationConverter
public ScopeJwtAuthenticationConverter()
Creates the converter with the default roles claim name (roles).
ScopeJwtAuthenticationConverter
public ScopeJwtAuthenticationConverter(String rolesClaim)
- Parameters:
rolesClaim - name of the roles claim in the IdP token; null or blank means roles are not mapped
Method Details
convert
public org.springframework.security.authentication.AbstractAuthenticationToken convert(org.springframework.security.oauth2.jwt.Jwt jwt)
- Specified by:
convert in interface org.springframework.core.convert.converter.Converter<org.springframework.security.oauth2.jwt.Jwt, org.springframework.security.authentication.AbstractAuthenticationToken>