Spring CredHub provides client-side support for storing, retrieving, and deleting credentials from a CredHub server running in a Cloud Foundry platform.
CredHub provides an HTTP API to securely store, generate, retrieve, and delete credentials of various types. Spring CredHub provides a Java binding for the CredHub API, making it easy to integrate Spring applications with CredHub.
1. Getting Started
Spring CredHub supports CredHub server versions 1.x and 2.x. This library is intended to provide full coverage of the CredHub API: all operations on all credential types.
Spring CredHub has been optimized for use with Spring Boot applications. To include Spring CredHub in a Spring Boot application, add a few dependencies to the project build file.
1.1. Maven Dependencies
Add the Spring CredHub starter to the dependencies section of the build file:

```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.credhub</groupId>
        <artifactId>spring-credhub-starter</artifactId>
        <version>2.3.0</version>
    </dependency>
</dependencies>
```

To enable reactive support in Spring CredHub, add the following Spring WebFlux dependency to the build file. The starter is part of Spring Boot, so its version is managed by the Spring Boot parent or BOM; if you declare a version explicitly, it must be your Spring Boot version, not a Spring Framework version:

```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-webflux</artifactId>
    </dependency>
</dependencies>
```

To use OAuth2 authentication to CredHub, add the following Spring Security dependencies to the build file:

```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.7.5</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
        <version>5.7.5</version>
    </dependency>
</dependencies>
```

1.2. Gradle Dependencies
Add the Spring CredHub starter to the dependencies section of the build file (the `compile` configuration used by older Gradle builds has been removed in Gradle 7; use `implementation`):

```groovy
dependencies {
    implementation('org.springframework.credhub:spring-credhub-starter:2.3.0')
}
```

To enable reactive support in Spring CredHub, add the following Spring WebFlux dependency to the build file. Its version is managed by the Spring Boot Gradle plugin or BOM; if you pin it explicitly, use your Spring Boot version:

```groovy
dependencies {
    implementation("org.springframework.boot:spring-boot-starter-webflux")
}
```

To use OAuth2 authentication to CredHub, add the following Spring Security dependencies to the build file:

```groovy
dependencies {
    implementation("org.springframework.security:spring-security-config:5.7.5")
    implementation("org.springframework.security:spring-security-oauth2-client:5.7.5")
}
```

2. Spring Boot Configuration
When the Spring CredHub starter dependency is used, Spring CredHub can be configured with Spring Boot application properties. With the correct configuration properties, Spring CredHub auto-configures a connection to the CredHub server.
2.1. Mutual TLS Authentication
An application running on Cloud Foundry can authenticate to a CredHub server deployed to the same platform using mutual TLS. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To use mutual TLS authentication to a CredHub server, simply provide the URL of the CredHub server as an application property:

```yaml
spring:
  credhub:
    url: [CredHub server URL]
```

On Cloud Foundry the client certificate and key used for this handshake are the container's instance identity credentials, which the platform exposes to the application through the CF_INSTANCE_CERT and CF_INSTANCE_KEY environment variables; the application does not need to manage a keystore itself. See the CredHub documentation for more information on mutual TLS authentication.
An application running on Cloud Foundry can use the internal address https://credhub.service.cf.internal:8844 to communicate with a CredHub server deployed to the same platform.
2.2. OAuth2 Authentication
OAuth2 can be used to authenticate via UAA to any CredHub server. Spring CredHub supports client credentials grant tokens for authentication using the following Spring CredHub and Spring Security configuration:

```yaml
spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]
```

The ID provided in `spring.credhub.oauth2.registration-id` must refer to a client configured under `spring.security.oauth2.client.registration`. See the Spring Boot documentation for more information on Spring Boot OAuth2 client configuration. Avoid committing the client secret into the packaged application.yml; Spring Boot's relaxed binding lets you supply it at deploy time instead, for example through the environment variable SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_CREDHUB_CLIENT_CLIENT_SECRET.
The OAuth2 client specified in the Spring Security client registration must have CredHub scopes such as `credhub.read` or `credhub.write` to perform most operations. Grant only the scope the application actually needs; a client that only reads credentials should not hold `credhub.write`. See the CredHub documentation for more information on OAuth2 authentication with UAA.
2.2.1. Auto-configuration of Spring Security OAuth2
When the `spring.credhub.oauth2` properties are set and Spring Security is on the application classpath, Spring CredHub auto-configures the Spring Security beans required for OAuth2 authentication. An application can provide the required Spring Security OAuth2 beans to override the auto-configuration if necessary.
Servlet and non-reactive applications
Spring CredHub requires beans of the following types, provided by Spring Security, to authenticate with OAuth2.

Required bean type             | Auto-configured type
ClientRegistrationRepository   | InMemoryClientRegistrationRepository
OAuth2AuthorizedClientRepository | AuthenticatedPrincipalOAuth2AuthorizedClientRepository
OAuth2AuthorizedClientManager  | DefaultOAuth2AuthorizedClientManager

The auto-configuration of `DefaultOAuth2AuthorizedClientManager` assumes that the application is running in a servlet container and has an active `HttpServletRequest`. An application may need to provide an alternative implementation of the `OAuth2AuthorizedClientManager` bean, such as `AuthorizedClientServiceOAuth2AuthorizedClientManager`, to process requests outside of an `HttpServletRequest` (for example from a scheduled task or a startup hook), as shown in the following example:

```java
package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

    @Bean
    public AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientService authorizedClientService) {
        // Resolves and stores tokens through an OAuth2AuthorizedClientService rather than
        // the current HttpServletRequest, so it works on threads with no web request in scope.
        AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);
        // Only the client_credentials grant is needed to call CredHub as a service client.
        clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
        return clientManager;
    }

}
```

See the Spring Security documentation for more information and examples of configuring other beans.
Reactive applications
Spring CredHub requires beans of the following types, provided by Spring Security, to authenticate with OAuth2.

Required bean type                    | Auto-configured type
ReactiveClientRegistrationRepository  | InMemoryReactiveClientRegistrationRepository
ServerOAuth2AuthorizedClientRepository | UnAuthenticatedServerOAuth2AuthorizedClientRepository
ReactiveOAuth2AuthorizedClientManager | DefaultReactiveOAuth2AuthorizedClientManager

The auto-configuration of `DefaultReactiveOAuth2AuthorizedClientManager` requires an active `ServerHttpRequest` context. An application may need to provide an alternative implementation of the `ReactiveOAuth2AuthorizedClientManager` bean, such as `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`, to process requests outside of a `ServerHttpRequest`, as shown in the following example:

```java
package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

    @Bean
    public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
            ReactiveClientRegistrationRepository clientRegistrationRepository,
            ReactiveOAuth2AuthorizedClientService authorizedClientService) {
        // Backed by a ReactiveOAuth2AuthorizedClientService instead of the ServerHttpRequest
        // exchange, so tokens can be obtained outside of a WebFlux request pipeline.
        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager =
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);
        // Only the client_credentials grant is needed to call CredHub as a service client.
        clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
        return clientManager;
    }

}
```

See the Spring Security documentation for more information and examples of configuring other beans.
3. Introduction to CredHubOperations
The interface `org.springframework.credhub.core.CredHubOperations` and the implementation `org.springframework.credhub.core.CredHubTemplate` are the central classes in Spring CredHub. `CredHubOperations` provides access to additional operations interfaces that model the complete CredHub API:

```java
/**
 * Get the operations for saving, retrieving, and deleting credentials.
 */
CredHubCredentialOperations credentials();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions
 * (Permissions API v1).
 */
CredHubPermissionOperations permissions();

/**
 * Get the operations for adding, retrieving, updating, and deleting credential
 * permissions (Permissions API v2).
 */
CredHubPermissionV2Operations permissionsV2();

/**
 * Get the operations for retrieving, regenerating, and updating certificates.
 */
CredHubCertificateOperations certificates();

/**
 * Get the operations for interpolating service binding credentials.
 */
CredHubInterpolationOperations interpolation();

/**
 * Get the operations for retrieving CredHub server information.
 */
CredHubInfoOperations info();
```

3.1. Mapping to CredHub API
Each method of the `Operations` interfaces maps directly to one endpoint of the CredHub HTTP API. The following table shows the mapping between the CredHub API and the corresponding Spring CredHub `Operations` interface.

CredHub API                  | Spring CredHub interface
CredHub Credentials API      | CredHubCredentialOperations
CredHub Permissions API (v1) | CredHubPermissionOperations
CredHub Permissions API (v2) | CredHubPermissionV2Operations
CredHub Certificates API     | CredHubCertificateOperations
CredHub Interpolation API    | CredHubInterpolationOperations
CredHub Information API      | CredHubInfoOperations
3.2. CredHubOperations Auto-configuration
A `CredHubOperations` Spring bean is created using Spring Boot auto-configuration when application properties are properly configured. Application classes can autowire an instance of this bean to interact with a CredHub server.

```java
package com.example.credhub;

import org.springframework.credhub.core.CredHubOperations;
import org.springframework.credhub.support.CredentialDetails;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.password.PasswordCredential;
import org.springframework.credhub.support.password.PasswordParameters;
import org.springframework.credhub.support.password.PasswordParametersRequest;
import org.springframework.stereotype.Component;

@Component
public class CredHubService {

    private final CredHubOperations credHubOperations;

    private final SimpleCredentialName credentialName;

    public CredHubService(CredHubOperations credHubOperations) {
        this.credHubOperations = credHubOperations;
        // Credential names are hierarchical paths; this one resolves to /example/password
        this.credentialName = new SimpleCredentialName("example", "password");
    }

    public String generatePassword() {
        // Ask the CredHub server to generate the value so it never exists outside CredHub
        // until it is read; the character-class flags control the generated alphabet.
        PasswordParameters parameters = PasswordParameters.builder()
                .length(12)
                .excludeLower(false)
                .excludeUpper(false)
                .excludeNumber(false)
                .includeSpecial(true)
                .build();

        CredentialDetails<PasswordCredential> password = this.credHubOperations.credentials()
                .generate(PasswordParametersRequest.builder()
                        .name(this.credentialName)
                        .parameters(parameters)
                        .build());

        return password.getValue().getPassword();
    }

    public String getPassword() {
        // Retrieves the latest version of the credential by name
        CredentialDetails<PasswordCredential> password = this.credHubOperations.credentials()
                .getByName(this.credentialName, PasswordCredential.class);

        return password.getValue().getPassword();
    }

}
```
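The reference example above only generates and reads a password. The following is an added example, not code from the Spring CredHub project, showing the rest of a credential's lifecycle through the same `CredHubOperations` bean: writing a structured JSON credential, rotating a generated password server-side with `regenerate`, confirming the rotation through the version history, and deleting both credentials when they are retired. The credential names under `/example` and the `CredHubLifecycleService` class name are assumptions chosen for illustration.

```java
package com.example.credhub;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.credhub.core.CredHubOperations;
import org.springframework.credhub.support.CredentialDetails;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.json.JsonCredential;
import org.springframework.credhub.support.json.JsonCredentialRequest;
import org.springframework.credhub.support.password.PasswordCredential;
import org.springframework.credhub.support.password.PasswordParameters;
import org.springframework.credhub.support.password.PasswordParametersRequest;
import org.springframework.stereotype.Component;

/**
 * Added example (not part of the Spring CredHub reference): a minimal credential
 * lifecycle. The names under /example are assumptions for illustration.
 */
@Component
public class CredHubLifecycleService {

    private final CredHubOperations credHubOperations;
    private final SimpleCredentialName passwordName;
    private final SimpleCredentialName dbConfigName;

    public CredHubLifecycleService(CredHubOperations credHubOperations) {
        this.credHubOperations = credHubOperations;
        this.passwordName = new SimpleCredentialName("example", "password");
        this.dbConfigName = new SimpleCredentialName("example", "db-config");
    }

    /** Let CredHub generate the password; 32 characters rather than the 12 in the reference example. */
    public String generatePassword() {
        PasswordParameters parameters = PasswordParameters.builder()
                .length(32)
                .includeSpecial(true)
                .build();
        CredentialDetails<PasswordCredential> generated = this.credHubOperations.credentials()
                .generate(PasswordParametersRequest.builder()
                        .name(this.passwordName)
                        .parameters(parameters)
                        .build());
        return generated.getValue().getPassword();
    }

    /** Store a structured (JSON) credential; CredHub encrypts it at rest. */
    public CredentialDetails<JsonCredential> writeDbConfig(String host, String user) {
        Map<String, Object> fields = new HashMap<>();
        fields.put("host", host);
        fields.put("user", user);
        return this.credHubOperations.credentials()
                .write(JsonCredentialRequest.builder()
                        .name(this.dbConfigName)
                        .value(new JsonCredential(fields))
                        .build());
    }

    /** Rotate server-side: CredHub generates a new version and keeps the old one in history. */
    public String rotatePassword() {
        CredentialDetails<PasswordCredential> rotated = this.credHubOperations.credentials()
                .regenerate(this.passwordName, PasswordCredential.class);
        return rotated.getValue().getPassword();
    }

    /** Number of stored versions; after one generate and one rotation this is 2. */
    public int passwordVersionCount() {
        List<CredentialDetails<PasswordCredential>> history = this.credHubOperations.credentials()
                .getByNameWithHistory(this.passwordName, PasswordCredential.class);
        return history.size();
    }

    /** Delete every version of both credentials once they are retired. */
    public void retire() {
        this.credHubOperations.credentials().deleteByName(this.passwordName);
        this.credHubOperations.credentials().deleteByName(this.dbConfigName);
    }

}
```

Rotating with `regenerate` keeps the secret inside CredHub: the application never has to invent a new value or transport it, it only reads the result. Consumers that cached the old value keep working until the previous version is deleted, so the version count is a useful check that a rotation actually produced a new version before old ones are cleaned up.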
4. Introduction to ReactiveCredHubOperations
The interface `org.springframework.credhub.core.ReactiveCredHubOperations` and the implementation `org.springframework.credhub.core.ReactiveCredHubTemplate` are the central classes of Spring CredHub's reactive support. `ReactiveCredHubOperations` provides access to additional operations interfaces that model the complete CredHub API:

```java
/**
 * Get the operations for saving, retrieving, and deleting credentials.
 */
ReactiveCredHubCredentialOperations credentials();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions
 * (Permissions API v1).
 */
ReactiveCredHubPermissionOperations permissions();

/**
 * Get the operations for adding, retrieving, updating, and deleting credential
 * permissions (Permissions API v2).
 */
ReactiveCredHubPermissionV2Operations permissionsV2();

/**
 * Get the operations for retrieving, regenerating, and updating certificates.
 */
ReactiveCredHubCertificateOperations certificates();

/**
 * Get the operations for interpolating service binding credentials.
 */
ReactiveCredHubInterpolationOperations interpolation();

/**
 * Get the operations for retrieving CredHub server information.
 */
ReactiveCredHubInfoOperations info();
```

4.1. Mapping to CredHub API
Each method of the `Reactive…Operations` interfaces maps directly to one endpoint of the CredHub HTTP API. The following table shows the mapping between the CredHub API and the corresponding Spring CredHub `Reactive…Operations` interface.
CredHub API                  | Spring CredHub interface
CredHub Credentials API      | ReactiveCredHubCredentialOperations
CredHub Permissions API (v1) | ReactiveCredHubPermissionOperations
CredHub Permissions API (v2) | ReactiveCredHubPermissionV2Operations
CredHub Certificates API     | ReactiveCredHubCertificateOperations
CredHub Interpolation API    | ReactiveCredHubInterpolationOperations
CredHub Information API      | ReactiveCredHubInfoOperations
4.2. ReactiveCredHubOperations Auto-configuration
A `ReactiveCredHubOperations` Spring bean is created using Spring Boot auto-configuration when application properties are properly configured and the Spring WebFlux library is on the classpath. Application classes can autowire an instance of this bean to interact with a CredHub server.

```java
package com.example.credhub;

import reactor.core.publisher.Mono;

import org.springframework.credhub.core.ReactiveCredHubOperations;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.password.PasswordCredential;
import org.springframework.credhub.support.password.PasswordParameters;
import org.springframework.credhub.support.password.PasswordParametersRequest;
import org.springframework.stereotype.Component;

@Component
public class ReactiveCredHubService {

    private final ReactiveCredHubOperations credHubOperations;

    private final SimpleCredentialName credentialName;

    public ReactiveCredHubService(ReactiveCredHubOperations credHubOperations) {
        this.credHubOperations = credHubOperations;
        // Credential names are hierarchical paths; this one resolves to /example/password
        this.credentialName = new SimpleCredentialName("example", "password");
    }

    public Mono<String> generatePassword() {
        PasswordParameters parameters = PasswordParameters.builder()
                .length(12)
                .excludeLower(false)
                .excludeUpper(false)
                .excludeNumber(false)
                .includeSpecial(true)
                .build();

        // The reactive API takes the expected credential type explicitly and returns a Mono;
        // nothing is sent to CredHub until the Mono is subscribed to.
        return this.credHubOperations.credentials()
                .generate(PasswordParametersRequest.builder()
                        .name(this.credentialName)
                        .parameters(parameters)
                        .build(), PasswordCredential.class)
                .map((password) -> password.getValue().getPassword());
    }

    public Mono<String> getPassword() {
        return this.credHubOperations.credentials()
                .getByName(this.credentialName, PasswordCredential.class)
                .map((password) -> password.getValue().getPassword());
    }

}
```
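The operations interfaces include permissions as well as credentials, and who may read a stored secret matters as much as how it is stored. The following is an added example, not code from the Spring CredHub project, that uses `ReactiveCredHubOperations.permissionsV2()` to grant a consuming Cloud Foundry application read-only access to a credential and later revoke it. It assumes a CredHub 2.x server (the v2 Permissions API is not available on 1.x); the `/example/password` name, the `ReactiveCredHubPermissionService` class name, and the app GUID passed by the caller are assumptions for illustration.

```java
package com.example.credhub;

import reactor.core.publisher.Mono;

import org.springframework.credhub.core.ReactiveCredHubOperations;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.permissions.CredentialPermission;
import org.springframework.credhub.support.permissions.Operation;
import org.springframework.credhub.support.permissions.Permission;
import org.springframework.stereotype.Component;

/**
 * Added example (not part of the Spring CredHub reference): least-privilege access
 * grants through the CredHub Permissions API v2. Requires a CredHub 2.x server.
 */
@Component
public class ReactiveCredHubPermissionService {

    private final ReactiveCredHubOperations credHubOperations;
    private final SimpleCredentialName credentialName;

    public ReactiveCredHubPermissionService(ReactiveCredHubOperations credHubOperations) {
        this.credHubOperations = credHubOperations;
        // Assumed credential path for illustration: /example/password
        this.credentialName = new SimpleCredentialName("example", "password");
    }

    /**
     * Grant the application identified by its Cloud Foundry app GUID READ only.
     * WRITE, DELETE, READ_ACL and WRITE_ACL are deliberately not included, so the
     * consumer can use the secret but cannot change it or widen access.
     * Returns the permission id needed to update or revoke the grant later.
     */
    public Mono<String> grantReadOnly(String appGuid) {
        Permission permission = Permission.builder()
                .app(appGuid)
                .operations(Operation.READ)
                .build();
        return this.credHubOperations.permissionsV2()
                .addPermissions(this.credentialName, permission)
                .map(CredentialPermission::getId);
    }

    /** Revoke a grant by the id returned from grantReadOnly. */
    public Mono<Void> revoke(String permissionId) {
        return this.credHubOperations.permissionsV2().deletePermissions(permissionId);
    }

}
```

Permission changes themselves require the caller to hold WRITE_ACL on the path (or the `credhub.write` scope, in the OAuth2 configuration above), so the service that manages grants should be a different principal from the applications that merely read the secret.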
5. HTTP Client Support
Spring CredHub `CredHubOperations` supports multiple HTTP client libraries to communicate with the CredHub API. The following libraries are supported:
- Java's built-in HttpURLConnection (default)
- Apache HttpComponents
- OkHttp 3
- Netty
Choosing a specific client library requires the appropriate dependency to be available on the application classpath. The application classpath is inspected for each client library in the order listed above.
Spring CredHub `ReactiveCredHubOperations` supports only the Netty HTTP client library.
5.1. Apache HttpComponents
To use Apache HttpComponents to communicate with CredHub, add the following dependency to the application:

```xml
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
</dependency>
```

Wire logging for Apache HttpClient can be enabled through logging configuration. Make sure not to enable wire logging accidentally, since the logs may expose the traffic between the application and CredHub, including bearer tokens and the secrets themselves, in plain text. Check the effective log level of the `org.apache.http.wire` logger in every environment before shipping, not only in the default profile.

5.2. OkHttp 3
To use OkHttp 3 to communicate with CredHub, add the following dependency to the application:

```xml
<dependency>
    <groupId>com.squareup.okhttp3</groupId>
    <artifactId>okhttp</artifactId>
</dependency>
```

5.3. Netty
To use Netty to communicate with CredHub, add the following dependency to the application:

```xml
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-all</artifactId>
</dependency>
```