Spring Cloud+OAuth2+Spring Security+Redis 實現微服務統一認證授權,附源碼

因為目前做了一個基于Spring Cloud的微服務項目,所以了解到了OAuth2,打算整合一下OAuth2來實現統一授權。關于OAuth是一個關于授權的開放網絡標準,目前的版本是2.0,這里我就不多做介紹了。下面貼一下我學習過程中參考的資料。

開發環境:Windows10,? Intellij Idea2018.2,? ?jdk1.8,? redis3.2.9, Spring Boot 2.0.2 Release, Spring Cloud Finchley.RC2 Spring 5.0.6

項目目錄

eshop —— 父級工程,管理jar包版本

eshop-server —— Eureka服務注冊中心

eshop-gateway —— Zuul網關

eshop-auth —— 授權服務

eshop-member —— 會員服務

eshop-email —— 郵件服務(暫未使用)

eshop-common —— 通用類

關于如何構建一個基本的Spring Cloud 微服務這里就不贅述了,不會的可以看一下我的關于Spring Cloud系列的博客。這里給個入口地址:https://blog.csdn.net/wya1993/article/category/7701476

授權服務

首先構建eshop-auth服務,引入相關依賴

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<artifactId>eshop-auth</artifactId>

<packaging>war</packaging>

<description>授權模塊</description>

<dependencies>

<dependency>

<groupId>com.curise.eshop</groupId>

<artifactId>eshop-common</artifactId>

<version>1.0-SNAPSHOT</version>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-data-redis</artifactId>

</dependency>

<dependency>

<groupId>org.mybatis.spring.boot</groupId>

<artifactId>mybatis-spring-boot-starter</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-actuator</artifactId>

</dependency>

<dependency>

<groupId>mysql</groupId>

<artifactId>mysql-connector-java</artifactId>

</dependency>

<dependency>

<groupId>com.alibaba</groupId>

<artifactId>druid</artifactId>

</dependency>

<dependency>

<groupId>log4j</groupId>

<artifactId>log4j</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

接下來,配置Mybatis、redis、eureka,貼一下配置文件

server:

port:1203

spring:

application:

name:eshop-auth

redis:

database:0

host:192.168.0.117

port:6379

password:

jedis:

pool:

max-active:8

max-idle:8

min-idle:0

datasource:

driver-class-name:com.mysql.jdbc.Driver

url:jdbc:mysql://localhost:3306/eshop_member?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowMultiQueries=true

username:root

password:root

druid:

initialSize:5#初始化連接大小

minIdle:5#最小連接池數量

maxActive:20#最大連接池數量

maxWait:60000#獲取連接時最大等待時間,單位毫秒

timeBetweenEvictionRunsMillis:60000#配置間隔多久才進行一次檢測,檢測需要關閉的空閑連接,單位是毫秒

minEvictableIdleTimeMillis:300000#配置一個連接在池中最小生存的時間,單位是毫秒

validationQuery:SELECT1from DUAL? #測試連接

testWhileIdle:true#申請連接的時候檢測,建議配置為true,不影響性能,并且保證安全性

testOnBorrow:false#獲取連接時執行檢測,建議關閉,影響性能

testOnReturn:false#歸還連接時執行檢測,建議關閉,影響性能

poolPreparedStatements:false#是否開啟PSCache,PSCache對支持游標的數據庫性能提升巨大,oracle建議開啟,mysql下建議關閉

maxPoolPreparedStatementPerConnectionSize:20#開啟poolPreparedStatements后生效

filters:stat,wall,log4j #配置擴展插件,常用的插件有=>stat:監控統計? log4j:日志? wall:防御sql注入

connectionProperties:'druid.stat.mergeSql=true;druid.stat.slowSqlMillis=5000'#通過connectProperties屬性來打開mergeSql功能;慢SQL記錄

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

mybatis:

type-aliases-package:com.curise.eshop.common.entity

configuration:

map-underscore-to-camel-case:true#開啟駝峰命名,l_name->lName

jdbc-type-for-null:NULL

lazy-loading-enabled:true

aggressive-lazy-loading:true

cache-enabled:true#開啟二級緩存

call-setters-on-nulls:true#map空列不顯示問題

mapper-locations:

-classpath:mybatis/*.xml

AuthApplication添加@EnableDiscoveryClient和@MapperScan注解。

接下來配置認證服務器AuthorizationServerConfig?,并添加@Configuration和@EnableAuthorizationServer注解,其中ClientDetailsServiceConfigurer配置在內存中,當然也可以從數據庫讀取,以后慢慢完善。

@Configuration

@EnableAuthorizationServer

publicclassAuthorizationServerConfigextendsAuthorizationServerConfigurerAdapter{

@Autowired

privateAuthenticationManager authenticationManager;

@Autowired

privateDataSource dataSource;

@Autowired

privateRedisConnectionFactory redisConnectionFactory;

@Autowired

privateMyUserDetailService userDetailService;

@Bean

publicTokenStoretokenStore(){

returnnewRedisTokenStore(redisConnectionFactory);

}

@Override

publicvoidconfigure(AuthorizationServerSecurityConfigurer security)throwsException{

security

.allowFormAuthenticationForClients()

.tokenKeyAccess("permitAll()")

.checkTokenAccess("isAuthenticated()");

}

@Override

publicvoidconfigure(ClientDetailsServiceConfigurer clients)throwsException{

// clients.withClientDetails(clientDetails());

clients.inMemory()

.withClient("android")

.scopes("read")

.secret("android")

.authorizedGrantTypes("password","authorization_code","refresh_token")

.and()

.withClient("webapp")

.scopes("read")

.authorizedGrantTypes("implicit")

.and()

.withClient("browser")

.authorizedGrantTypes("refresh_token","password")

.scopes("read");

}

@Bean

publicClientDetailsServiceclientDetails(){

returnnewJdbcClientDetailsService(dataSource);

}

@Bean

publicWebResponseExceptionTranslatorwebResponseExceptionTranslator(){

returnnewMssWebResponseExceptionTranslator();

}

@Override

publicvoidconfigure(AuthorizationServerEndpointsConfigurer endpoints)throwsException{

endpoints.tokenStore(tokenStore())

.userDetailsService(userDetailService)

.authenticationManager(authenticationManager);

endpoints.tokenServices(defaultTokenServices());

//認證異常翻譯

// endpoints.exceptionTranslator(webResponseExceptionTranslator());

}

/**

*

注意,自定義TokenServices的時候,需要設置@Primary,否則報錯,

* @return

*/

@Primary

@Bean

publicDefaultTokenServicesdefaultTokenServices(){

DefaultTokenServices tokenServices=newDefaultTokenServices();

tokenServices.setTokenStore(tokenStore());

tokenServices.setSupportRefreshToken(true);

//tokenServices.setClientDetailsService(clientDetails());

// token有效期自定義設置,默認12小時

tokenServices.setAccessTokenValiditySeconds(60*60*12);

// refresh_token默認30天

tokenServices.setRefreshTokenValiditySeconds(60*60*24*7);

returntokenServices;

}

}

在上述配置中,認證的token是存到redis里的,如果你這里使用了Spring5.0以上的版本的話,使用默認的RedisTokenStore認證時會報如下異常:

nested exception is java.lang.NoSuchMethodError:org.springframework.data.redis.connection.RedisConnection.set([B[B)V

原因是spring-data-redis 2.0版本中set(String,String)被棄用了,要使用RedisConnection.stringCommands().set(…),所有我自定義一個RedisTokenStore,代碼和RedisTokenStore一樣,只是把所有conn.set(…)都換成conn..stringCommands().set(…),測試后方法可行。

publicclassRedisTokenStoreimplementsTokenStore{

privatestaticfinalString ACCESS="access:";

privatestaticfinalString AUTH_TO_ACCESS="auth_to_access:";

privatestaticfinalString AUTH="auth:";

privatestaticfinalString REFRESH_AUTH="refresh_auth:";

privatestaticfinalString ACCESS_TO_REFRESH="access_to_refresh:";

privatestaticfinalString REFRESH="refresh:";

privatestaticfinalString REFRESH_TO_ACCESS="refresh_to_access:";

privatestaticfinalString CLIENT_ID_TO_ACCESS="client_id_to_access:";

privatestaticfinalString UNAME_TO_ACCESS="uname_to_access:";

privatefinalRedisConnectionFactory connectionFactory;

privateAuthenticationKeyGenerator authenticationKeyGenerator=newDefaultAuthenticationKeyGenerator();

privateRedisTokenStoreSerializationStrategy serializationStrategy=newJdkSerializationStrategy();

privateString prefix="";

publicRedisTokenStore(RedisConnectionFactory connectionFactory){

this.connectionFactory=connectionFactory;

}

publicvoidsetAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator){

this.authenticationKeyGenerator=authenticationKeyGenerator;

}

publicvoidsetSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy){

this.serializationStrategy=serializationStrategy;

}

publicvoidsetPrefix(String prefix){

this.prefix=prefix;

}

privateRedisConnectiongetConnection(){

returnthis.connectionFactory.getConnection();

}

privatebyte[]serialize(Object object){

returnthis.serializationStrategy.serialize(object);

}

privatebyte[]serializeKey(String object){

returnthis.serialize(this.prefix+object);

}

privateOAuth2AccessTokendeserializeAccessToken(byte[]bytes){

return(OAuth2AccessToken)this.serializationStrategy.deserialize(bytes,OAuth2AccessToken.class);

}

privateOAuth2AuthenticationdeserializeAuthentication(byte[]bytes){

return(OAuth2Authentication)this.serializationStrategy.deserialize(bytes,OAuth2Authentication.class);

}

privateOAuth2RefreshTokendeserializeRefreshToken(byte[]bytes){

return(OAuth2RefreshToken)this.serializationStrategy.deserialize(bytes,OAuth2RefreshToken.class);

}

privatebyte[]serialize(String string){

returnthis.serializationStrategy.serialize(string);

}

privateStringdeserializeString(byte[]bytes){

returnthis.serializationStrategy.deserializeString(bytes);

}

@Override

publicOAuth2AccessTokengetAccessToken(OAuth2Authentication authentication){

String key=this.authenticationKeyGenerator.extractKey(authentication);

byte[]serializedKey=this.serializeKey(AUTH_TO_ACCESS+key);

byte[]bytes=null;

RedisConnection conn=this.getConnection();

try{

bytes=conn.get(serializedKey);

}finally{

conn.close();

}

OAuth2AccessToken accessToken=this.deserializeAccessToken(bytes);

if(accessToken!=null){

OAuth2Authentication storedAuthentication=this.readAuthentication(accessToken.getValue());

if(storedAuthentication==null||!key.equals(this.authenticationKeyGenerator.extractKey(storedAuthentication))){

this.storeAccessToken(accessToken,authentication);

}

}

returnaccessToken;

}

@Override

publicOAuth2AuthenticationreadAuthentication(OAuth2AccessToken token){

returnthis.readAuthentication(token.getValue());

}

@Override

publicOAuth2AuthenticationreadAuthentication(String token){

byte[]bytes=null;

RedisConnection conn=this.getConnection();

try{

bytes=conn.get(this.serializeKey("auth:"+token));

}finally{

conn.close();

}

OAuth2Authentication auth=this.deserializeAuthentication(bytes);

returnauth;

}

@Override

publicOAuth2AuthenticationreadAuthenticationForRefreshToken(OAuth2RefreshToken token){

returnthis.readAuthenticationForRefreshToken(token.getValue());

}

publicOAuth2AuthenticationreadAuthenticationForRefreshToken(String token){

RedisConnection conn=getConnection();

try{

byte[]bytes=conn.get(serializeKey(REFRESH_AUTH+token));

OAuth2Authentication auth=deserializeAuthentication(bytes);

returnauth;

}finally{

conn.close();

}

}

@Override

publicvoidstoreAccessToken(OAuth2AccessToken token,OAuth2Authentication authentication){

byte[]serializedAccessToken=serialize(token);

byte[]serializedAuth=serialize(authentication);

byte[]accessKey=serializeKey(ACCESS+token.getValue());

byte[]authKey=serializeKey(AUTH+token.getValue());

byte[]authToAccessKey=serializeKey(AUTH_TO_ACCESS+authenticationKeyGenerator.extractKey(authentication));

byte[]approvalKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(authentication));

byte[]clientId=serializeKey(CLIENT_ID_TO_ACCESS+authentication.getOAuth2Request().getClientId());

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.stringCommands().set(accessKey,serializedAccessToken);

conn.stringCommands().set(authKey,serializedAuth);

conn.stringCommands().set(authToAccessKey,serializedAccessToken);

if(!authentication.isClientOnly()){

conn.rPush(approvalKey,serializedAccessToken);

}

conn.rPush(clientId,serializedAccessToken);

if(token.getExpiration()!=null){

intseconds=token.getExpiresIn();

conn.expire(accessKey,seconds);

conn.expire(authKey,seconds);

conn.expire(authToAccessKey,seconds);

conn.expire(clientId,seconds);

conn.expire(approvalKey,seconds);

}

OAuth2RefreshToken refreshToken=token.getRefreshToken();

if(refreshToken!=null&&refreshToken.getValue()!=null){

byte[]refresh=serialize(token.getRefreshToken().getValue());

byte[]auth=serialize(token.getValue());

byte[]refreshToAccessKey=serializeKey(REFRESH_TO_ACCESS+token.getRefreshToken().getValue());

conn.stringCommands().set(refreshToAccessKey,auth);

byte[]accessToRefreshKey=serializeKey(ACCESS_TO_REFRESH+token.getValue());

conn.stringCommands().set(accessToRefreshKey,refresh);

if(refreshTokeninstanceofExpiringOAuth2RefreshToken){

ExpiringOAuth2RefreshToken expiringRefreshToken=(ExpiringOAuth2RefreshToken)refreshToken;

Date expiration=expiringRefreshToken.getExpiration();

if(expiration!=null){

intseconds=Long.valueOf((expiration.getTime()-System.currentTimeMillis())/1000L)

.intValue();

conn.expire(refreshToAccessKey,seconds);

conn.expire(accessToRefreshKey,seconds);

}

}

}

conn.closePipeline();

}finally{

conn.close();

}

}

privatestaticStringgetApprovalKey(OAuth2Authentication authentication){

String userName=authentication.getUserAuthentication()==null?"":authentication.getUserAuthentication().getName();

returngetApprovalKey(authentication.getOAuth2Request().getClientId(),userName);

}

privatestaticStringgetApprovalKey(String clientId,String userName){

returnclientId+(userName==null?"":":"+userName);

}

@Override

publicvoidremoveAccessToken(OAuth2AccessToken accessToken){

this.removeAccessToken(accessToken.getValue());

}

@Override

publicOAuth2AccessTokenreadAccessToken(String tokenValue){

byte[]key=serializeKey(ACCESS+tokenValue);

byte[]bytes=null;

RedisConnection conn=getConnection();

try{

bytes=conn.get(key);

}finally{

conn.close();

}

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

returnaccessToken;

}

publicvoidremoveAccessToken(String tokenValue){

byte[]accessKey=serializeKey(ACCESS+tokenValue);

byte[]authKey=serializeKey(AUTH+tokenValue);

byte[]accessToRefreshKey=serializeKey(ACCESS_TO_REFRESH+tokenValue);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.get(accessKey);

conn.get(authKey);

conn.del(accessKey);

conn.del(accessToRefreshKey);

// Don't remove the refresh token - it's up to the caller to do that

conn.del(authKey);

List<Object>results=conn.closePipeline();

byte[]access=(byte[])results.get(0);

byte[]auth=(byte[])results.get(1);

OAuth2Authentication authentication=deserializeAuthentication(auth);

if(authentication!=null){

String key=authenticationKeyGenerator.extractKey(authentication);

byte[]authToAccessKey=serializeKey(AUTH_TO_ACCESS+key);

byte[]unameKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(authentication));

byte[]clientId=serializeKey(CLIENT_ID_TO_ACCESS+authentication.getOAuth2Request().getClientId());

conn.openPipeline();

conn.del(authToAccessKey);

conn.lRem(unameKey,1,access);

conn.lRem(clientId,1,access);

conn.del(serialize(ACCESS+key));

conn.closePipeline();

}

}finally{

conn.close();

}

}

@Override

publicvoidstoreRefreshToken(OAuth2RefreshToken refreshToken,OAuth2Authentication authentication){

byte[]refreshKey=serializeKey(REFRESH+refreshToken.getValue());

byte[]refreshAuthKey=serializeKey(REFRESH_AUTH+refreshToken.getValue());

byte[]serializedRefreshToken=serialize(refreshToken);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.stringCommands().set(refreshKey,serializedRefreshToken);

conn.stringCommands().set(refreshAuthKey,serialize(authentication));

if(refreshTokeninstanceofExpiringOAuth2RefreshToken){

ExpiringOAuth2RefreshToken expiringRefreshToken=(ExpiringOAuth2RefreshToken)refreshToken;

Date expiration=expiringRefreshToken.getExpiration();

if(expiration!=null){

intseconds=Long.valueOf((expiration.getTime()-System.currentTimeMillis())/1000L)

.intValue();

conn.expire(refreshKey,seconds);

conn.expire(refreshAuthKey,seconds);

}

}

conn.closePipeline();

}finally{

conn.close();

}

}

@Override

publicOAuth2RefreshTokenreadRefreshToken(String tokenValue){

byte[]key=serializeKey(REFRESH+tokenValue);

byte[]bytes=null;

RedisConnection conn=getConnection();

try{

bytes=conn.get(key);

}finally{

conn.close();

}

OAuth2RefreshToken refreshToken=deserializeRefreshToken(bytes);

returnrefreshToken;

}

@Override

publicvoidremoveRefreshToken(OAuth2RefreshToken refreshToken){

this.removeRefreshToken(refreshToken.getValue());

}

publicvoidremoveRefreshToken(String tokenValue){

byte[]refreshKey=serializeKey(REFRESH+tokenValue);

byte[]refreshAuthKey=serializeKey(REFRESH_AUTH+tokenValue);

byte[]refresh2AccessKey=serializeKey(REFRESH_TO_ACCESS+tokenValue);

byte[]access2RefreshKey=serializeKey(ACCESS_TO_REFRESH+tokenValue);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.del(refreshKey);

conn.del(refreshAuthKey);

conn.del(refresh2AccessKey);

conn.del(access2RefreshKey);

conn.closePipeline();

}finally{

conn.close();

}

}

@Override

publicvoidremoveAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken){

this.removeAccessTokenUsingRefreshToken(refreshToken.getValue());

}

privatevoidremoveAccessTokenUsingRefreshToken(String refreshToken){

byte[]key=serializeKey(REFRESH_TO_ACCESS+refreshToken);

List<Object>results=null;

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.get(key);

conn.del(key);

results=conn.closePipeline();

}finally{

conn.close();

}

if(results==null){

return;

}

byte[]bytes=(byte[])results.get(0);

String accessToken=deserializeString(bytes);

if(accessToken!=null){

removeAccessToken(accessToken);

}

}

@Override

publicCollection<OAuth2AccessToken>findTokensByClientIdAndUserName(String clientId,String userName){

byte[]approvalKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(clientId,userName));

List<byte[]>byteList=null;

RedisConnection conn=getConnection();

try{

byteList=conn.lRange(approvalKey,0,-1);

}finally{

conn.close();

}

if(byteList==null||byteList.size()==0){

returnCollections.<OAuth2AccessToken>emptySet();

}

List<OAuth2AccessToken>accessTokens=newArrayList<OAuth2AccessToken>(byteList.size());

for(byte[]bytes:byteList){

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

accessTokens.add(accessToken);

}

returnCollections.<OAuth2AccessToken>unmodifiableCollection(accessTokens);

}

@Override

publicCollection<OAuth2AccessToken>findTokensByClientId(String clientId){

byte[]key=serializeKey(CLIENT_ID_TO_ACCESS+clientId);

List<byte[]>byteList=null;

RedisConnection conn=getConnection();

try{

byteList=conn.lRange(key,0,-1);

}finally{

conn.close();

}

if(byteList==null||byteList.size()==0){

returnCollections.<OAuth2AccessToken>emptySet();

}

List<OAuth2AccessToken>accessTokens=newArrayList<OAuth2AccessToken>(byteList.size());

for(byte[]bytes:byteList){

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

accessTokens.add(accessToken);

}

returnCollections.<OAuth2AccessToken>unmodifiableCollection(accessTokens);

}

}

配置資源服務器

@Configuration

@EnableResourceServer

@Order(3)

publicclassResourceServerConfigextendsResourceServerConfigurerAdapter{

@Override

publicvoidconfigure(HttpSecurity http)throwsException{

http

.csrf().disable()

.exceptionHandling()

.authenticationEntryPoint((request,response,authException)->response.sendError(HttpServletResponse.SC_UNAUTHORIZED))

.and()

.requestMatchers().antMatchers("/api/**")

.and()

.authorizeRequests()

.antMatchers("/api/**").authenticated()

.and()

.httpBasic();

}

}

配置Spring Security

@Configuration

@EnableWebSecurity

@Order(2)

publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{

@Autowired

privateMyUserDetailService userDetailService;

@Bean

publicPasswordEncoderpasswordEncoder(){

//return new BCryptPasswordEncoder();

returnnewNoEncryptPasswordEncoder();

}

@Override

protectedvoidconfigure(HttpSecurity http)throwsException{

http.requestMatchers().antMatchers("/oauth/**")

.and()

.authorizeRequests()

.antMatchers("/oauth/**").authenticated()

.and()

.csrf().disable();

}

@Override

protectedvoidconfigure(AuthenticationManagerBuilder auth)throwsException{

auth.userDetailsService(userDetailService).passwordEncoder(passwordEncoder());

}

/**

* 不定義沒有password grant_type

*

* @return

* @throws Exception

*/

@Override

@Bean

publicAuthenticationManagerauthenticationManagerBean()throwsException{

returnsuper.authenticationManagerBean();

}

}

可以看到ResourceServerConfig 是比SecurityConfig 的優先級低的。

二者的關系:

ResourceServerConfig 用于保護oauth相關的endpoints,同時主要作用于用戶的登錄(form login,Basic auth)

SecurityConfig 用于保護oauth要開放的資源,同時主要作用于client端以及token的認證(Bearer auth)

所以我們讓SecurityConfig優先于ResourceServerConfig,且在SecurityConfig 不攔截oauth要開放的資源,在ResourceServerConfig 中配置需要token驗證的資源,也就是我們對外提供的接口。所以這里對于所有微服務的接口定義有一個要求,就是全部以/api開頭。

如果這里不這樣配置的話,在你拿到access_token去請求各個接口時會報invalid_token的提示。

另外,由于我們自定義認證邏輯,所以需要重寫UserDetailService

@Service("userDetailService")

publicclassMyUserDetailServiceimplementsUserDetailsService{

@Autowired

privateMemberDao memberDao;

@Override

publicUserDetailsloadUserByUsername(String memberName)throwsUsernameNotFoundException{

Member member=memberDao.findByMemberName(memberName);

if(member==null){

thrownewUsernameNotFoundException(memberName);

}

Set<GrantedAuthority>grantedAuthorities=newHashSet<>();

// 可用性 :true:可用 false:不可用

booleanenabled=true;

// 過期性 :true:沒過期 false:過期

booleanaccountNonExpired=true;

// 有效性 :true:憑證有效 false:憑證無效

booleancredentialsNonExpired=true;

// 鎖定性 :true:未鎖定 false:已鎖定

booleanaccountNonLocked=true;

for(Role role:member.getRoles()){

//角色必須是ROLE_開頭,可以在數據庫中設置

GrantedAuthority grantedAuthority=newSimpleGrantedAuthority(role.getRoleName());

grantedAuthorities.add(grantedAuthority);

//獲取權限

for(Permission permission:role.getPermissions()){

GrantedAuthority authority=newSimpleGrantedAuthority(permission.getUri());

grantedAuthorities.add(authority);

}

}

User user=newUser(member.getMemberName(),member.getPassword(),

enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,grantedAuthorities);

returnuser;

}

}

密碼驗證為了方便我使用了不加密的方式,重寫了PasswordEncoder,實際開發還是建議使用BCryptPasswordEncoder。

publicclassNoEncryptPasswordEncoderimplementsPasswordEncoder{

@Override

publicStringencode(CharSequence charSequence){

return(String)charSequence;

}

@Override

publicbooleanmatches(CharSequence charSequence,String s){

returns.equals((String)charSequence);

}

}

另外,OAuth的密碼模式需要AuthenticationManager支持

@Override

@Bean

publicAuthenticationManagerauthenticationManagerBean()throwsException{

returnsuper.authenticationManagerBean();

}

定義一個Controller,提供兩個接口,/api/member用來獲取當前用戶信息,/api/exit用來注銷當前用戶

@RestController

@RequestMapping("/api")

publicclassMemberController{

@Autowired

privateMyUserDetailService userDetailService;

@Autowired

privateConsumerTokenServices consumerTokenServices;

@GetMapping("/member")

publicPrincipaluser(Principal member){

returnmember;

}

@DeleteMapping(value="/exit")

publicResultrevokeToken(String access_token){

Result result=newResult();

if(consumerTokenServices.revokeToken(access_token)){

result.setCode(ResultCode.SUCCESS.getCode());

result.setMessage("注銷成功");

}else{

result.setCode(ResultCode.FAILED.getCode());

result.setMessage("注銷失敗");

}

returnresult;

}

}

會員服務配置

引入依賴

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<artifactId>eshop-member</artifactId>

<packaging>war</packaging>

<description>會員模塊</description>

<dependencies>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-test</artifactId>

<scope>test</scope>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>com.alibaba</groupId>

<artifactId>fastjson</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

配置資源服務器

@Configuration

@EnableResourceServer

publicclassResourceServerConfigextendsResourceServerConfigurerAdapter{

@Override

publicvoidconfigure(HttpSecurity http)throwsException{

http

.csrf().disable()

.exceptionHandling()

.authenticationEntryPoint((request,response,authException)->response.sendError(HttpServletResponse.SC_UNAUTHORIZED))

.and()

.requestMatchers().antMatchers("/api/**")

.and()

.authorizeRequests()

.antMatchers("/api/**").authenticated()

.and()

.httpBasic();

}

}

配置文件配置

spring:

application:

name:eshop-member

server:

port:1201

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

security:

oauth2:

resource:

id:eshop-member

user-info-uri:http://localhost:1202/auth/api/member

prefer-token-info:false

MemberApplication主類配置

@SpringBootApplication

@EnableDiscoveryClient

@EnableGlobalMethodSecurity(prePostEnabled=true)

publicclassMemberApplication{

publicstaticvoidmain(String[]args){

SpringApplication.run(MemberApplication.class,args);

}

}

提供對外接口

@RestController

@RequestMapping("/api")

publicclassMemberController{

@GetMapping("hello")

@PreAuthorize("hasAnyAuthority('hello')")

publicStringhello(){

return"hello";

}

@GetMapping("current")

publicPrincipaluser(Principal principal){

returnprincipal;

}

@GetMapping("query")

@PreAuthorize("hasAnyAuthority('query')")

publicStringquery(){

return"具有query權限";

}

}

配置網關

引入依賴

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<packaging>jar</packaging>

<artifactId>eshop-gateway</artifactId>

<description>網關</description>

<dependencies>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-zuul</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-actuator</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

配置文件

server:

port:1202

spring:

application:

name:eshop-gateway

#--------------------eureka---------------------

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

#--------------------Zuul-----------------------

zuul:

routes:

member:

path:/member/**

serviceId: eshop-member

sensitiveHeaders: "*"

auth:

path: /auth/**

serviceId: eshop-auth

sensitiveHeaders: "*"

retryable: false

ignored-services: "*"

ribbon:

eager-load:

enabled: true

host:

connect-timeout-millis: 3000

socket-timeout-millis: 3000

add-proxy-headers: true

#---------------------OAuth2---------------------

security:

oauth2:

client:

access-token-uri: http://localhost:${server.port}/auth/oauth/token

user-authorization-uri: http://localhost:${server.port}/auth/oauth/authorize

client-id: web

resource:

user-info-uri:? http://localhost:${server.port}/auth/api/member

prefer-token-info: false

#----------------------超時配置-------------------

ribbon:

ReadTimeout: 3000

ConnectTimeout: 3000

MaxAutoRetries: 1

MaxAutoRetriesNextServer: 2

eureka:

enabled: true

hystrix:

command:

default:

execution:

timeout:

enabled: true

isolation:

thread:

timeoutInMilliseconds: 3500

ZuulApplication主類

@SpringBootApplication

@EnableDiscoveryClient

@EnableZuulProxy

@EnableOAuth2Sso

publicclassZuulApplication{

publicstaticvoidmain(String[]args){

SpringApplication.run(ZuulApplication.class,args);

}

}

Spring Security配置

@Configuration

@EnableWebSecurity

@Order(99)

publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{

@Override

protectedvoidconfigure(HttpSecurity http)throwsException{

http.csrf().disable();

}

}

接下來分別啟動eshop-server、eshop-member、eshop-auth、eshop-gateway。

先發送一個請求測試一下未認證的效果

獲取認證

使用access_token請求auth服務下的用戶信息接口

使用access_token請求member服務下的用戶信息接口

請求member服務的query接口

請求member服務的hello接口,數據庫里并沒有給用戶hello權限

刷新token

注銷


后續還會慢慢完善,敬請期待??!

關于代碼和數據表sql已經上傳到GitHub。地址:

https://github.com/WYA1993/springcloud_oauth2.0。

注意把數據庫和redis替換成自己的地址

統一回復一下,有很多人反映獲取認證時返回401,如下:

{

"timestamp":"2019-08-13T03:25:27.161+0000",

"status":401,

"error":"Unauthorized",

"message":"Unauthorized",

"path":"/oauth/token"

}

原因是在發起請求的時候沒有添加Basic Auth認證,如下圖:

,添加Basic Auth認證后會在headers添加一個認證消息頭

添加Basic Auth認證的信息在代碼中有體現:

客戶端信息和token信息從MySQL數據庫中獲取

現在客戶端信息都是存在內存中的,生產環境肯定不可以這么做,要支持客戶端的動態添加或刪除,所以我選擇把客戶端信息存到MySQL中。

首先,創建數據表,數據表的結構官方已經給出,地址在

https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql

222

其次,需要修改一下sql腳本,把主鍵的長度改為128,LONGVARBINARY類型改為blob,調整后的sql腳本:

create table oauth_client_details(

client_idVARCHAR(128)PRIMARY KEY,

resource_idsVARCHAR(256),

client_secretVARCHAR(256),

scopeVARCHAR(256),

authorized_grant_typesVARCHAR(256),

web_server_redirect_uriVARCHAR(256),

authoritiesVARCHAR(256),

access_token_validity INTEGER,

refresh_token_validity INTEGER,

additional_informationVARCHAR(4096),

autoapproveVARCHAR(256)

);

create table oauth_client_token(

token_idVARCHAR(256),

token BLOB,

authentication_idVARCHAR(128)PRIMARY KEY,

user_nameVARCHAR(256),

client_idVARCHAR(256)

);

create table oauth_access_token(

token_idVARCHAR(256),

token BLOB,

authentication_idVARCHAR(128)PRIMARY KEY,

user_nameVARCHAR(256),

client_idVARCHAR(256),

authentication BLOB,

refresh_tokenVARCHAR(256)

);

create table oauth_refresh_token(

token_idVARCHAR(256),

token BLOB,

authentication BLOB

);

create table oauth_code(

codeVARCHAR(256),authentication BLOB

);

create table oauth_approvals(

userIdVARCHAR(256),

clientIdVARCHAR(256),

scopeVARCHAR(256),

statusVARCHAR(10),

expiresAt TIMESTAMP,

lastModifiedAt TIMESTAMP

);

--customized oauth_client_details table

create table ClientDetails(

appIdVARCHAR(128)PRIMARY KEY,

resourceIdsVARCHAR(256),

appSecretVARCHAR(256),

scopeVARCHAR(256),

grantTypesVARCHAR(256),

redirectUrlVARCHAR(256),

authoritiesVARCHAR(256),

access_token_validity INTEGER,

refresh_token_validity INTEGER,

additionalInformationVARCHAR(4096),

autoApproveScopesVARCHAR(256)

);

調整后的sql腳步也放到了GitHub中,需要的可以自行下載

然后在eshop_member數據庫創建數據表,將客戶端信息添加到oauth_client_details表中

如果你的密碼不是明文,記得client_secret需要加密后存儲。

然后修改代碼,配置從數據庫讀取客戶端信息

接下來啟動服務測試即可。

獲取授權

獲取用戶信息

刷新token

打開數據表發現token這些信息并沒有存到表中,因為tokenStore使用的是redis方式,我們可以替換為從數據庫讀取。修改配置

重啟服務再次測試

查看數據表,發現token數據已經存到表里了。

?著作權歸作者所有,轉載或內容合作請聯系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發布,文章內容僅代表作者本人觀點,簡書系信息發布平臺,僅提供信息存儲服務。

推薦閱讀更多精彩內容