CVE-2022-31690：spring-security-oauth2-client 中的权限提升

影响

已应用缓解措施的用户应注意以下影响：

当授权服务器 (AS) 以空值或缺失 scope 参数响应 OAuth2 访问令牌响应时，没有授权范围被映射到主体 (当前用户)。

如果受此漏洞影响，当 AS 未返回范围时，用户将不会获得任何以 SCOPE_ 开头的权限。只有特殊权限 ROLE_USER 会授予主体。

注意

从 6.0 开始，特殊权限更改为 OAUTH2_USER（或 OIDC_USER）。有关更多信息，请参阅 6.0 参考文档中的使用 GrantedAuthoritiesMapper。

如果您的应用程序需要额外的权限，您应该注册一个 GrantedAuthoritiesMapper @Bean 来提供所需的权限，如下例所示：

@Configuration @EnableWebSecurity public class OAuth2LoginSecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .mvcMatchers(HttpMethod.GET, "/messages").hasAuthority("SCOPE_read") // ... .anyRequest().authenticated() ) .oauth2Login(Customizer.withDefaults()); return http.build(); } @Bean public GrantedAuthoritiesMapper userAuthoritiesMapper() { return (authorities) -> { if (!authorities.isEmpty() && authorities.stream() .map(GrantedAuthority::getAuthority) .anyMatch(authority -> authority.startsWith("SCOPE_"))) { // AS returned scopes that are mapped to SCOPE_ by Spring Security return authorities; } // AS returned no scopes, either because none were granted or because requested == granted // See https://www.rfc-editor.org/rfc/rfc6749#section-5.1 and your AS documentation // You can access the ID Token or UserInfo attributes to map authorities based on the user: Set<GrantedAuthority> grantedAuthorities = new HashSet<>(); authorities.forEach(authority -> { if (OidcUserAuthority.class.isInstance(authority)) { OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority; OidcIdToken idToken = oidcUserAuthority.getIdToken(); // ... } else if (OAuth2UserAuthority.class.isInstance(authority)) { OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority) authority; Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes(); // ... } }); return grantedAuthorities; // Alternatively, provide a fallback set of authorities that make sense for your application // return AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read"); }; } }

警告

不建议仅从 ClientRegistration 映射权限。