1. 整體架構
在這種結構中,網關就是一個資源服務器,它負責統一授權(鑒權)、路由轉發、保護下游微服務,
后端微服務應用完全不用考慮權限問題,也不需要引入spring security依賴,就正常的服務功能開發就行了,不用關注權限,因為鑒權提到網關去做了,
網關負責保護它后面的微服務應用,鑒權就是看“問當前資源所需的權限”和“當前用戶擁有的權限”之間是否有交集,
認證服務器負責用戶身份的認證校驗,
如此一來,認證服務器就專心做用戶身份認證,網關就專心做用戶訪問授權,業務應用就專心做業務開發,分工明確,各司其職,
客戶端訪問服務端介面的程序如下:
1、客戶端瀏覽器(前端)訪問后端服務時,網關過濾器發現沒有帶token,于是回傳403未授權
2、客戶端重定向到登錄頁面,用戶輸入用戶名和密碼登錄后,首先調后端的登錄介面,然后獲取access_token
3、客戶端攜帶token再次訪問服務端介面,網關校驗當前用戶是否有權限訪問該介面
2. 認證服務 (cjs-uaa-server)
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.6</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>cjs-uaa-server</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>cjs-uaa-server</name>
<properties>
<java.version>1.8</java.version>
<spring-cloud.version>2020.0.4</spring-cloud.version>
<alibaba-nacos.version>2021.1</alibaba-nacos.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.4.3.4</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<version>2.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
<version>${alibaba-nacos.version}</version>
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.15.2</version>
</dependency>
<!--<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>5.5.3</version>
</dependency>-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
application.yml
server:
port: 8081
servlet:
context-path: /uaa
spring:
application:
name: cjs-uaa-server
cloud:
nacos:
discovery:
server-addr: 192.168.28.32:8848
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://localhost:3306/sso?serverTimezone=Asia/Shanghai&useUnicode=true&characterEncoding=utf8&useSSL=false
username: root
password: 123456
redis:
host: 192.168.28.31
port: 6379
password: 123456
logging:
level:
org:
springframework:
security: debug
mybatis-plus:
configuration:
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl默認spring security oauth2生成的token就是一串uuid,里面沒有帶任何資訊,通常會把生成的token存到redis中,這樣做的話一般問題也不大,就是費點存盤空間而已,
這里我們采用JWT來生成token,JWT的優點就是輕量級、無狀態、不用存盤,缺點是無法主動撤銷,
有一點需要注意,JWT本身是無狀態的,如果我們把JWT又再存到Redis中這就相當于有狀態了,JWT+Redis這對JWT而言就相當于是“傷害不大,侮辱性極強”,唉,沒辦法,后面要實作退出,我打算這么做了,
JWT的加密方式有對稱加密和非對稱加密,這里我們采用非對稱加密,接下來用java自帶的keytool工具生成密鑰,
生成好的jwt.jks檔案我們把它放到resources目錄下即可
資源服務器在拿到用戶傳的access_token以后對它進行解密時需要密鑰,為此需要寫個介面把公鑰暴露出去
獲取公鑰
@Bean
public KeyPair keyPair() {
KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("jwt.jks"), "123456".toCharArray());
return keyStoreKeyFactory.getKeyPair("jwt", "123456".toCharArray());
}再寫個Controller
package com.example.cjsuaaserver.controller;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.security.KeyPair;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
/**
* @Author ChengJianSheng
* @Date 2021/11/13
*/
@RestController
public class KeyPairController {
@Autowired
private KeyPair keyPair;
@GetMapping("/rsa/jwks.json")
public Map<String, Object> getKey() {
RSAPublicKey publicKey = (RSAPublicKey) this.keyPair.getPublic();
RSAKey key = new RSAKey.Builder(publicKey).build();
return new JWKSet(key).toJSONObject();
}
}
WebSecurityConfig.java
package com.example.cjsuaaserver.config;
import com.example.cjsuaaserver.service.impl.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* @Author ChengJianSheng
* @Date 2021/11/11
*/
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
// .disable() // 禁用默認的表單登錄
.and()
.authorizeRequests()
.antMatchers("/rsa/jwks.json", "/oauth/login").permitAll()
.anyRequest().authenticated()
.and()
// .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// .and()
.csrf().disable().cors();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
}
UserDetailsServiceImpl.java
package com.example.cjsuaaserver.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.example.cjsuaaserver.domain.UserDetailsDTO;
import com.example.cjsuaaserver.entity.SysPermission;
import com.example.cjsuaaserver.entity.SysRolePermission;
import com.example.cjsuaaserver.entity.SysUser;
import com.example.cjsuaaserver.entity.SysUserRole;
import com.example.cjsuaaserver.service.ISysPermissionService;
import com.example.cjsuaaserver.service.ISysRolePermissionService;
import com.example.cjsuaaserver.service.ISysUserRoleService;
import com.example.cjsuaaserver.service.ISysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
/**
* @Author ChengJianSheng
* @Date 2021/11/11
*/
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private ISysUserService sysUserService;
@Autowired
private ISysUserRoleService sysUserRoleService;
@Autowired
private ISysRolePermissionService sysRolePermissionService;
@Autowired
private ISysPermissionService sysPermissionService;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
QueryWrapper<SysUser> queryWrapper = new QueryWrapper<>();
queryWrapper.eq("username", s);
List<SysUser> sysUserList = sysUserService.list();
if (null == sysUserList) {
throw new UsernameNotFoundException("用戶不存在");
}
SysUser sysUser = sysUserList.get(0);
QueryWrapper<SysUserRole> queryWrapper1 = new QueryWrapper<>();
queryWrapper1.eq("user_id", sysUser.getId());
List<SysUserRole> sysUserRoleList = sysUserRoleService.list(queryWrapper1);
List<Integer> roleIds = sysUserRoleList.stream().map(SysUserRole::getRoleId).collect(Collectors.toList());
QueryWrapper<SysRolePermission> queryWrapper3 = new QueryWrapper<>();
queryWrapper3.in("role_id", roleIds);
List<SysRolePermission> sysRolePermissionList = sysRolePermissionService.list(queryWrapper3);
List<Integer> permissionIds = sysRolePermissionList.stream().map(SysRolePermission::getPermissionId).collect(Collectors.toList());
List<SysPermission> sysPermissionList = sysPermissionService.listByIds(permissionIds);
Set<SimpleGrantedAuthority> authorities = sysPermissionList.stream().map(SysPermission::getUrl).map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
return new UserDetailsDTO(sysUser.getId(), sysUser.getUsername(), sysUser.getPassword(), true, authorities);
}
}
接下來,認證服務配置尤為重要,這里面配置了認證客戶端和token增強,AuthorizationServerConfig.java
package com.example.cjsuaaserver.config;
import com.example.cjsuaaserver.domain.UserDetailsDTO;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import javax.annotation.Resource;
import javax.sql.DataSource;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @Author ChengJianSheng
* @Date 2021/11/11
*/
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Resource
private DataSource dataSource;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
.tokenKeyAccess("isAuthenticated()")
.checkTokenAccess("permitAll()")
.allowFormAuthenticationForClients();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(new JdbcClientDetailsService(dataSource));
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
List<TokenEnhancer> tokenEnhancerList = new ArrayList<>();
tokenEnhancerList.add(jwtTokenEnhancer());
tokenEnhancerList.add(jwtAccessTokenConverter());
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(tokenEnhancerList);
endpoints.accessTokenConverter(jwtAccessTokenConverter())
.tokenEnhancer(tokenEnhancerChain);
}
public TokenEnhancer jwtTokenEnhancer() {
return new TokenEnhancer() {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
UserDetailsDTO userDetailsDTO = (UserDetailsDTO) authentication.getPrincipal();
Map<String, Object> additionalInformation = new HashMap<>();
additionalInformation.put("userId", userDetailsDTO.getUserId());
additionalInformation.put("username", userDetailsDTO.getUsername());
((DefaultOAuth2AccessToken)accessToken).setAdditionalInformation(additionalInformation);
return accessToken;
}
};
}
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
jwtAccessTokenConverter.setKeyPair(keyPair());
return jwtAccessTokenConverter;
}
@Bean
public KeyPair keyPair() {
KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("jwt.jks"), "123456".toCharArray());
return keyStoreKeyFactory.getKeyPair("jwt", "123456".toCharArray());
}
}
還有最后一個問題,既然是前后端分離,那么就需要我們自己實作登錄處理邏輯以及退出
登錄邏輯比較簡單,利用自帶的AuthenticationManager進行認證即可,由于是授權碼模式,所以登錄成功以后,需要呼叫/oauth/token獲取access_token,而默認該介面回傳的資料結構跟我們自己統一定義的回傳結構不一樣,為此最簡單的方式就是寫一個跟它一模一樣的Controller這樣就覆寫了默認的那個TokenEndpoint里面的/oauth/token
為了實作退出,我們在獲取到token以后,將它存到redis中,退出時從redis中將它洗掉
LoginController.java
package com.example.cjsuaaserver.controller;
import com.example.cjsuaaserver.domain.LoginDTO;
import com.example.cjsuaaserver.domain.RespResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.bind.annotation.*;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.TimeUnit;
/**
* @Author ChengJianSheng
* @Date 2021/11/17
*/
@RestController
@RequestMapping("/oauth")
public class LoginController {
@Autowired
private TokenEndpoint tokenEndpoint;
@Resource
private AuthenticationManager authenticationManager;
@Autowired
private StringRedisTemplate stringRedisTemplate;
/**
* 獲取Token
* 這里取巧直接定義了一個跟TokenEndpoint里面一樣的請求路徑,這樣的話自動的就被覆寫了,請求通過我們自定義的這個方法,就可以對請求結構進行封裝,按照我們想要的格式回傳了,
* 多次實驗我發現,一定有過濾器會對/oauth/token進行攔截處理,不然第一個引數principal根本就不會有值,這里的principal代表的是oauth2客戶端
* 如果自己隨便定義一個不叫/oauth/token的話,請求的時候又不知道怎么傳參 o(╥﹏╥)o
* 網上看到還有一種方式是自己定義一個aop去攔截這個請求,并修改回傳資料格式
*/
@PostMapping("/token")
public RespResult getAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
OAuth2AccessToken oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
// 放入Redis中,為了實作退出登錄
String jti = (String) oAuth2AccessToken.getAdditionalInformation().get("jti");
int expiresIn = oAuth2AccessToken.getExpiresIn();
String key = "TOKEN:" + jti;
String value = https://www.cnblogs.com/cjsblog/p/oAuth2AccessToken.getValue();
stringRedisTemplate.opsForValue().set(key, value, expiresIn, TimeUnit.SECONDS);
return new RespResult(200,"success", true, oAuth2AccessToken);
}
/**
* 登錄
* @param dto
* @return
*/
@PostMapping("/login")
public RespResult login(@RequestBody LoginDTO dto) {
// 校驗驗證碼
// 登錄
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(dto.getUsername(), dto.getPassword());
Authentication authentication = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
Object principal = authentication.getPrincipal();
System.out.println(principal);
return new RespResult(200, "success", true, principal);
}
/**
* 退出(清除快取)
*/
@GetMapping("/logout")
public RespResult logout(HttpServletRequest request) {
String userStr = request.getHeader("user");
// 決議出jti
String jti = "xxx";
// 清除快取
stringRedisTemplate.delete("TOKEN:" + jti);
return null;
}
}
3. 業務應用服務 (cjs-order-server)
pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
<version>${alibaba-nacos.version}</version>
</dependency>
application.yml
server:
port: 8082
servlet:
context-path: /order
spring:
application:
name: cjs-order-server
cloud:
nacos:
discovery:
server-addr: 192.168.28.32:8848
OrderController.java
package com.example.cjsorderserver.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @Author ChengJianSheng
* @Date 2021/11/16
*/
@RestController
@RequestMapping("/order")
public class OrderController {
@GetMapping("/pageList")
public String pageList() {
return "good";
}
}
4. 網關 (cjs-gateway-server)
網關服務特別重要
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.6</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>cjs-gateway-server</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>cjs-gateway-server</name>
<properties>
<java.version>1.8</java.version>
<spring-cloud.version>2020.0.4</spring-cloud.version>
<alibaba-nacos.version>2021.1</alibaba-nacos.version>
<spring-security-oauth2.version>5.6.0</spring-security-oauth2.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-loadbalancer</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
<version>${alibaba-nacos.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<version>2.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
<version>${spring-security-oauth2.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>${spring-security-oauth2.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.78</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
application.yml
server:
port: 8080
spring:
application:
name: cjs-gateway-server
cloud:
nacos:
discovery:
server-addr: 192.168.28.32:8848
gateway:
routes:
- id: oauth2-auth
uri: lb://cjs-uaa-server
predicates:
- Path=/uaa/**
- id: order-server
uri: lb://cjs-order-server
predicates:
- Path=/order/**
discovery:
locator:
enabled: true
lower-case-service-id: true
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: http://localhost:8081/uaa/rsa/jwks.json
redis:
host: 192.168.28.31
port: 6379
password: 123456
secure:
ignore:
urls:
- /order/hello/sayHello
- /uaa/**
logging:
level:
org.springframework.cloud.gateway: debug作為資源服務器這樣一個角色,自然少不了資源服務器配置
ResourceServerConfig.java
package com.example.gateway.config;
import com.example.gateway.handler.CustomAuthorizationManager;
import com.example.gateway.handler.CustomServerAccessDeniedHandler;
import com.example.gateway.handler.CustomServerAuthenticationEntryPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;
/**
* @Author ChengJianSheng
* @Date 2021/11/14
*/
@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {
@Autowired
private IgnoreUrlsConfig ignoreUrlsConfig;
@Autowired
private CustomAuthorizationManager customAuthorizationManager;
@Autowired
private CustomServerAccessDeniedHandler customServerAccessDeniedHandler;
@Autowired
private CustomServerAuthenticationEntryPoint customServerAuthenticationEntryPoint;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
http.authorizeExchange()
.pathMatchers(ignoreUrlsConfig.getUrls()).permitAll()
.anyExchange().access(customAuthorizationManager)
.and()
.exceptionHandling()
.accessDeniedHandler(customServerAccessDeniedHandler)
.authenticationEntryPoint(customServerAuthenticationEntryPoint)
.and()
.csrf().disable();
return http.build();
}
public Converter<Jwt, Mono<AbstractAuthenticationToken>> jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
jwtGrantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("authorities");
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
}
}
IgnoreUrlsConfig.java 是用來配置不需要授權的url的
package com.example.gateway.config;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
/**
* @Author ChengJianSheng
* @Date 2021/11/15
*/
@Data
@Component
@ConfigurationProperties(prefix = "secure.ignore")
public class IgnoreUrlsConfig {
private String[] urls;
}
利用ReactiveAuthorizationManager實作授權邏輯
CustomAuthorizationManager.java
package com.example.gateway.handler;
import com.example.gateway.constant.AuthConstants;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
import java.util.ArrayList;
import java.util.List;
/**
* @Author ChengJianSheng
* @Date 2021/11/15
*/
@Component
public class CustomAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext context) {
ServerHttpRequest request = context.getExchange().getRequest();
String path = request.getURI().getPath();
String token = request.getHeaders().getFirst(AuthConstants.JWT_TOKEN_HEADER);
if (StringUtils.isBlank(token)) {
return Mono.just(new AuthorizationDecision(false));
}
List<String> authorities = new ArrayList<>();
authorities.add(AuthConstants.ROLE_PREFIX + path);
return authentication.filter(Authentication::isAuthenticated)
.flatMapIterable(Authentication::getAuthorities)
.map(GrantedAuthority::getAuthority)
// .any(authorities::contains)
.any(roleId->{
System.out.println(path);
System.out.println(roleId);
System.out.println(authorities);
return authorities.contains(roleId);
})
.map(AuthorizationDecision::new)
.defaultIfEmpty(new AuthorizationDecision(false));
}
}
這里的資源就是url,就是請求路徑,資源所需的權限可以從資料庫或者快取Redis中查,也可以提前將所有資源與權限的對應關系存到Redis中,這里直接去取
CustomServerAccessDeniedHandler.java
package com.example.gateway.handler;
import com.alibaba.fastjson.JSON;
import com.example.gateway.domain.Result;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.nio.charset.Charset;
/**
* @Author ChengJianSheng
* @Date 2021/11/15
*/
@Component
public class CustomServerAccessDeniedHandler implements ServerAccessDeniedHandler {
@Override
public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
String body = JSON.toJSONString(new Result("拒絕訪問"));
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(Charset.forName("UTF-8")));
return exchange.getResponse().writeWith(Mono.just(buffer));
}
}
CustomServerAuthenticationEntryPoint.java
package com.example.gateway.handler;
import com.alibaba.fastjson.JSON;
import com.example.gateway.domain.Result;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.nio.charset.Charset;
/**
* @Author ChengJianSheng
* @Date 2021/11/15
*/
@Component
public class CustomServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
@Override
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
String body = JSON.toJSONString(new Result("未認證"));
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(Charset.forName("UTF-8")));
return response.writeWith(Mono.just(buffer));
}
}最后,為了避免業務應用自己還要去決議token,網關在將授權通過的請求轉發給下游業務應用時,應該提前將token決議好,并放到請求頭中,這樣業務應用直接從請求頭中獲取用戶資訊
CustomGlobalFilter.java
package com.example.gateway.filter;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.example.gateway.constant.AuthConstants;
import com.example.gateway.domain.Result;
import com.nimbusds.jose.JWSObject;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.nio.charset.Charset;
import java.text.ParseException;
/**
* @Author ChengJianSheng
* @Date 2021/11/17
*/
@Component
public class CustomGlobalFilter implements GlobalFilter, Ordered {
@Autowired
private StringRedisTemplate stringRedisTemplate;
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
String token = exchange.getRequest().getHeaders().getFirst(AuthConstants.JWT_TOKEN_HEADER);
if (StringUtils.isBlank(token)) {
return chain.filter(exchange);
}
String realToken = token.replace(AuthConstants.JWT_TOKEN_PREFIX, "");
try {
JWSObject jwsObject = JWSObject.parse(realToken);
String payload = jwsObject.getPayload().toString();
JSONObject jsonObject = JSON.parseObject(payload);
String jti = jsonObject.getString("jti");
boolean flag = stringRedisTemplate.hasKey(AuthConstants.TOKEN_WHITELIST_PREFIX + jti);
if (!flag) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
response.getHeaders().set("Access-Control-Allow-Origin", "*");
response.getHeaders().set("Cache-Control", "no-cache");
String body = JSON.toJSONString(new Result("無效的Token"));
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(Charset.forName("UTF-8")));
return response.writeWith(Mono.just(buffer));
}
ServerHttpRequest request = exchange.getRequest().mutate().header("user", payload).build();
exchange = exchange.mutate().request(request).build();
} catch (ParseException e) {
e.printStackTrace();
}
return chain.filter(exchange);
}
@Override
public int getOrder() {
return 0;
}
}
5. 演示
這里為了演示沒有禁用默認的表單登錄,正式開發的時候最后禁用默認登錄,改用自定義登錄頁面
登錄
授權
這里由于重定向到百度,在postman中不好看回傳的code,我們用Wireshark看
通過Wireshark可以看到,確實重定向了
然后獲取token
檢查token
攜帶access_token訪問業務介面,比如 http://localhost:8082/order/order/pageList 可以看到請求header中確實帶了已經決議好的用戶資訊 ,那是我們在前面CustomGlobalFilter.java中放的
最后,補充一點:業務應用中利用利用過濾器將header中的用戶資訊放到ThreadLocal變數中,一遍后續方法中可以直接從背景關系中獲取
UserInfo.java
package com.cjs.component.user.domain;
import lombok.Data;
import java.io.Serializable;
/**
* @Author ChengJianSheng
* @Date 2021/12/1
*/
@Data
public class UserInfo implements Serializable {
private Long userId;
private String username;
private String mobile;
}
UserInfoContext.java
package com.tgf.component.user.service;
import com.tgf.component.user.domain.UserInfo;
/**
* @Author ChengJianSheng
* @Date 2021/12/1
*/
public class UserInfoContext {
public static final String HEADER_USER_INFO = "X-USERINFO";
private static ThreadLocal<UserInfo> threadLocal = new ThreadLocal<>();
public static UserInfo get() {
return threadLocal.get();
}
public static void set(UserInfo userInfo) {
threadLocal.set(userInfo);
}
}
UserInfoFilter.java
package com.cjs.component.user.filter;
import com.alibaba.fastjson.JSON;
import com.tgf.component.user.domain.UserInfo;
import com.tgf.component.user.service.UserInfoContext;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @Author ChengJianSheng
* @Date 2021/12/1
*/
@Slf4j
@Order(1)
@Component
public class UserInfoFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String userInfoJson = ((HttpServletRequest) request).getHeader(UserInfoContext.HEADER_USER_INFO);
if (StringUtils.isNotBlank(userInfoJson)) {
UserInfo userInfo = JSON.parseObject(userInfoJson, UserInfo.class);
UserInfoContext.set(userInfo);
}
chain.doFilter(request, response);
}
}
參考檔案
https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html5/#boot-features-security-oauth2-single-sign-on
https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories
https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.security.oauth2.server
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2resourceserver-jwt-authorization
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/378097.html
標籤:Java