CVE-2022-31690：spring-security-oauth2-client 权限提升漏洞

影响

已应用缓解措施的用户应注意以下影响

当授权服务器 (AS) 使用空或缺少的scope参数响应 OAuth2 访问令牌响应时，不会将任何授权范围映射到主体（当前用户）。

如果您受到此漏洞的影响，当 AS 不返回范围时，用户将不会被授予任何以SCOPE_开头的权限。主体只会被赋予特殊的权限ROLE_USER。

注意

从 6.0 版本开始，特殊权限更改为OAUTH2_USER（或OIDC_USER）。有关更多信息，请参阅 6.0 参考文档中的使用 GrantedAuthoritiesMapper。

如果您的应用程序需要其他权限，则应注册一个GrantedAuthoritiesMapper @Bean 来提供所需的权限，如下例所示

@Configuration @EnableWebSecurity public class OAuth2LoginSecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .mvcMatchers(HttpMethod.GET, "/messages").hasAuthority("SCOPE_read") // ... .anyRequest().authenticated() ) .oauth2Login(Customizer.withDefaults()); return http.build(); } @Bean public GrantedAuthoritiesMapper userAuthoritiesMapper() { return (authorities) -> { if (!authorities.isEmpty() && authorities.stream() .map(GrantedAuthority::getAuthority) .anyMatch(authority -> authority.startsWith("SCOPE_"))) { // AS returned scopes that are mapped to SCOPE_ by Spring Security return authorities; } // AS returned no scopes, either because none were granted or because requested == granted // See https://www.rfc-editor.org/rfc/rfc6749#section-5.1 and your AS documentation // You can access the ID Token or UserInfo attributes to map authorities based on the user: Set<GrantedAuthority> grantedAuthorities = new HashSet<>(); authorities.forEach(authority -> { if (OidcUserAuthority.class.isInstance(authority)) { OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority; OidcIdToken idToken = oidcUserAuthority.getIdToken(); // ... } else if (OAuth2UserAuthority.class.isInstance(authority)) { OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority) authority; Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes(); // ... } }); return grantedAuthorities; // Alternatively, provide a fallback set of authorities that make sense for your application // return AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read"); }; } }

警告

不建议仅从ClientRegistration映射权限。