文章目錄
- 本文認證鑒權思路方案
- 一. 認證服務器
- 1. 需要依賴
- 2. 撰寫認證服務
- 3. 安全配置
- 4. 開放介面配置
- 二. 資源服務器(此處可理解為鑒權服務)
- 1. 需要依賴
- 2. 撰寫鑒權管理器
- 3. 撰寫資源服務
- 3. 黑名單過濾器
- 4. 例外處理
- 5. JWT重繪方案
- 6. 配置網關模塊呼叫認證模塊獲取jwt加密公鑰地址
- 三. 配置完畢,開始測驗
- 1. 獲取Token
- 2. 重繪Token
- 3. 攜帶Token訪問資源
- 4. 退出登錄
- 5. 退出登錄后再次訪問資源
本文認證鑒權思路方案
實作思路受到開源電商專案mall和youlai-mall啟發,此處貼上他們的開源地址
mall: https://gitee.com/macrozheng/mall
youlai-mall: https://gitee.com/youlaitech/youlai-mall
該篇內容主要為了提升自己對oauth2技術的理解、記錄走過的坑的一些解決方案以及對網上零散實作方式的整合
用戶登錄,網關遠程呼叫認證授權服務完成登錄,辦法token,使用jwt,本文僅為password認證模式,其他模式請了解Oauth的授權模式后自行百度,大同小異
當網關收到客戶端請求的時候,驗證用戶Token是否正確,正確則校驗用戶是否具備當前請求路徑的權限
內部服務之間裸奔,不校驗權限
一. 認證服務器
1. 需要依賴
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
2. 撰寫認證服務
package top.sclf.auth.config;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import top.sclf.auth.domain.CustomUserDetails;
import top.sclf.auth.exception.CustomWebResponseExceptionTranslator;
import top.sclf.common.core.constant.AuthConstants;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @author zhangxing
* @date 2021/4/4
*/
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
private final AuthenticationManager authenticationManager;
private final UserDetailsService userDetailsService;
public AuthorizationServerConfig(
AuthenticationManager authenticationManager,
@Qualifier("userDetailsServiceImpl") UserDetailsService userDetailsService
) {
this.authenticationManager = authenticationManager;
this.userDetailsService = userDetailsService;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// 此處客戶端可以寫死到記憶體中,也可以從資料庫讀取,視具體業務而變,客戶端作用此處不在講述
clients.inMemory()
// 客戶端id
.withClient("client")
// 客戶端密碼
.secret("123456")
// 自動授權配置
.autoApprove(true)
.scopes("all")
// 客戶端授權型別(authorization_code:授權碼型別 password:密碼型別 implicit:簡化型別/隱式型別 client_credentials:客戶端型別 refresh_token:該為特例,加了才可以重繪授權)
.authorizedGrantTypes("password", "refresh_token")
.accessTokenValiditySeconds(3600 * 24)
.refreshTokenValiditySeconds(3600 * 24 * 7);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
// 增強jwt載荷的內容
tokenEnhancers.add(tokenEnhancer());
// 添加jwt的加密公鑰
tokenEnhancers.add(jwtAccessTokenConverter());
tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
endpoints.authenticationManager(authenticationManager)
.accessTokenConverter(jwtAccessTokenConverter())
.tokenEnhancer(tokenEnhancerChain)
// 使用自己實作的用戶密碼校驗邏輯
.userDetailsService(userDetailsService)
// refresh_token有兩種使用方式:重復使用(true)、非重復使用(false),默認為true
// 1.重復使用:access_token過期重繪時, refresh token過期時間未改變,仍以初次生成的時間為準
// 2.非重復使用:access_token過期重繪時, refresh_token過期時間延續,在refresh_token有效期內重繪而無需失效再次登錄
.reuseRefreshTokens(false);
}
/**
* 允許表單認證
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
// 支持表單登錄
security.allowFormAuthenticationForClients();
}
/**
* jwt生成使用RS256非對稱加密,非對稱加密需要私鑰和公鑰,此處設定公鑰
*/
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setKeyPair(keyPair());
return converter;
}
/**
* 從classpath下的密鑰庫中獲取密鑰對(公鑰+私鑰)
*/
@Bean
public KeyPair keyPair() {
KeyStoreKeyFactory factory = new KeyStoreKeyFactory(
new ClassPathResource("jcps.jks"), "123456".toCharArray());
return factory.getKeyPair(
"jcps", "123456".toCharArray());
}
/**
* JWT內容增強
* 在jwt的載荷中加入自定義的一些內容
*/
@Bean
public TokenEnhancer tokenEnhancer() {
return (accessToken, authentication) -> {
Map<String, Object> map = new HashMap<>(1);
CustomUserDetails user = (CustomUserDetails) authentication.getUserAuthentication().getPrincipal();
map.put(AuthConstants.DETAILS_USER_ID, user.getId());
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(map);
return accessToken;
};
}
}
PS:jks加密可百度搜索如何生成
以上為認證服務的核心配置
配置好后會自動生成一下幾個請求端點
/oauth/authorizemethod=[POST] 授權碼型別和隱式型別的授權端點/oauth/tokenmethod=[GET,POST] 獲取令牌的端點,password模式或有授權code情況下用于獲取token/oauth/check_token請求方式沒有測驗過,用于檢查令牌有效性
3. 安全配置
由于使用Spring Security,故需要開放以上的端點提供給Gateway呼叫,所以需要添加WebSecurity相關配置
package top.sclf.auth.config;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* SpringSecurity配置
*
* @author zhangxing
*/
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
// 使用jwt,則無需使用原本的session管理
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and()
.authorizeRequests()
// actuator中的所有健康檢查端點都放行,經測驗,此處包含了上述幾處oauth端點,直接放行
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
// 此處不加專案的context-path
.antMatchers("/oauth/logout").permitAll()
.antMatchers("/getPublicKey").permitAll()
.anyRequest().authenticated();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
// 上面的認證服務核心配置需要使用AuthenticationManager來配置UserDetailsService
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
// 測驗方便使用密碼不加密模式
return NoOpPasswordEncoder.getInstance();
// return new BCryptPasswordEncoder();
}
}
4. 開放介面配置
關于/getPublicKey端點說明:因為jwt使用RS256非對稱加密,非對稱加密使用相同的公鑰和不同的密鑰加密而成,所以在認證服務模塊中開放公鑰的獲取方式
添加對外暴露的退出登錄介面和開放公鑰介面
package top.sclf.auth.controller;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.security.KeyPair;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
/**
* RSA公鑰開放介面
*
* @author zhangxing
* @date 2021/4/5
*/
@RestController
public class PublicKeyController {
private final KeyPair keyPair;
public PublicKeyController(KeyPair keyPair) {
this.keyPair = keyPair;
}
@GetMapping("/getPublicKey")
public Map<String, Object> getPublicKey() {
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAKey key = new RSAKey.Builder(publicKey).build();
return new JWKSet(key).toJSONObject();
}
}
關于/oauth/logout退出登錄的端點的說明
因為JWT本身就是字包含的加密文本,所以不需要在服務端存盤Token的過期時間,JWT本身就可以驗證自己是否正確,以及什么時候過期,所以意味著Token一旦頒發,從Token本身來說必須等Token本身過期才會失效,為了防止用戶退出登錄后,Token依舊有效,我們可以在用戶退出或者修改密碼后將Token加入到Redis中,并設定過期時間,可以理解為將Token加入黑名單,再在gateway上添加過濾器識別token是否在黑名單中即可實作用戶的退出改密作廢Token的功能
package top.sclf.auth.controller;
import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import top.sclf.common.core.constant.AuthConstants;
import top.sclf.common.core.http.ResultEntity;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.TimeUnit;
/**
* 自定義Oauth2獲取令牌介面
*
* @author zhangxing
*/
@RestController
@RequestMapping("/oauth")
public class AuthController {
@Autowired
private TokenEndpoint tokenEndpoint;
@Autowired
private RedisTemplate<String, Object> redisTemplate;
@PostMapping("/token")
public ResultEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
OAuth2AccessToken oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
return ResultEntity.ok(oAuth2AccessToken);
}
@DeleteMapping("/logout")
public ResultEntity<?> logout(HttpServletRequest request) {
String payload = request.getHeader(AuthConstants.USER_TOKEN_HEADER);
JSONObject jsonObject = JSONUtil.parseObj(payload);
// JWT唯一標識
String jti = jsonObject.getStr("jti");
// JWT過期時間戳(單位:秒)
long exp = jsonObject.getLong("exp");
long currentTimeSeconds = System.currentTimeMillis() / 1000;
// token已過期
if (exp < currentTimeSeconds) {
return ResultEntity.fail("登錄憑證超時");
}
redisTemplate.opsForValue().set(AuthConstants.TOKEN_BLACKLIST_PREFIX + jti, null, (exp - currentTimeSeconds), TimeUnit.SECONDS);
return ResultEntity.ok();
}
}
為什么這里又重寫了獲取/oauth/token端點呢,是為了通過@RestControllerAdvice來捕捉例外
添加例外捕獲
/**
* @author zhangxing
*/
@ControllerAdvice
public class Oauth2ExceptionHandler {
@ResponseBody
@ExceptionHandler(value = OAuth2Exception.class)
public ResultEntity<?> handleOauth2(OAuth2Exception e) {
return ResultEntity.fail(e.getMessage());
}
}
添加認證中查詢用戶的實作
package top.sclf.auth.service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import top.sclf.api.resource.RemoteResUserService;
import top.sclf.api.resource.domain.model.LoginUser;
import top.sclf.auth.constant.MessageConstant;
import top.sclf.auth.domain.CustomUserDetails;
import top.sclf.common.core.enums.DelFlagEnum;
import top.sclf.common.core.http.ResultEntity;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
/**
* @author zhangxing
* @date 2021/4/4
*/
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
// 遠程呼叫用戶服務
@Autowired
private RemoteResUserService remoteResUserService;
@Override
public UserDetails loadUserByUsername(String loginName) throws UsernameNotFoundException {
ResultEntity<LoginUser> loginUserRes = remoteResUserService.getByLoginName(loginName);
LoginUser.User user = Optional.ofNullable(loginUserRes)
.map(ResultEntity::getData)
.map(LoginUser::getResUser)
.orElse(null);
if (user == null) {
throw new UsernameNotFoundException(MessageConstant.USERNAME_PASSWORD_ERROR);
}
CustomUserDetails userDetails = new CustomUserDetails();
userDetails.setId(user.getId());
userDetails.setLoginName(user.getLoginName());
userDetails.setUserName(user.getUserName());
userDetails.setPassword(user.getLoginPwd());
userDetails.setEnable(Objects.equals(user.getDelFlag(), DelFlagEnum.DEFAULT.getVal()));
// 此處查詢系統中用戶的角色權限等資訊
List<CustomUserDetails.Perm> perms = new ArrayList<CustomUserDetails.Perm>(){{
add(new CustomUserDetails.Perm("/a"));
add(new CustomUserDetails.Perm("/b"));
}};
userDetails.setPermList(perms);
return userDetails;
}
}
package top.sclf.auth.domain;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.AllArgsConstructor;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.Serializable;
import java.util.Collection;
import java.util.List;
/**
* @author zhangxing
* @date 2021/4/4
*/
@Data
public class CustomUserDetails implements UserDetails, Serializable {
private static final long serialVersionUID = 1L;
private Long id;
private String loginName;
private String userName;
@JsonIgnore
private String password;
private boolean enable;
private List<Perm> permList;
@Data
@AllArgsConstructor
public static class Perm implements GrantedAuthority {
private String uri;
@Override
public String getAuthority() {
return uri;
}
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return permList;
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.loginName;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return enable;
}
}
二. 資源服務器(此處可理解為鑒權服務)
1. 需要依賴
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
2. 撰寫鑒權管理器
package top.sclf.gateway.config;
import cn.hutool.core.convert.Convert;
import cn.hutool.core.util.StrUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import reactor.core.publisher.Mono;
import top.sclf.common.core.constant.AuthConstants;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
/**
* 鑒權管理器
*
* @author zhangxing
*/
@Slf4j
@Component
public class AuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
private final RedisTemplate redisTemplate;
public AuthorizationManager(RedisTemplate redisTemplate) {
this.redisTemplate = redisTemplate;
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
ServerHttpRequest request = authorizationContext.getExchange().getRequest();
String path = request.getURI().getPath();
PathMatcher pathMatcher = new AntPathMatcher();
// 1. 對應跨域的預檢請求直接放行
if (request.getMethod() == HttpMethod.OPTIONS) {
return Mono.just(new AuthorizationDecision(true));
}
// 2. token為空拒絕訪問
String token = request.getHeaders().getFirst(AuthConstants.HEADER);
if (StrUtil.isBlank(token)) {
return Mono.just(new AuthorizationDecision(false));
}
// 3.快取取資源權限角色關系串列
// Map<Object, Object> resourceRolesMap = redisTemplate.opsForHash().entries(AuthConstants.RESOURCE_ROLES_KEY);
Map<Object, Object> resourceRolesMap = new HashMap<>(0);
Iterator<Object> iterator = resourceRolesMap.keySet().iterator();
// 4.請求路徑匹配到的資源需要的角色權限集合authorities
List<String> authorities = new ArrayList<>();
while (iterator.hasNext()) {
String pattern = (String) iterator.next();
if (pathMatcher.match(pattern, path)) {
authorities.addAll(Convert.toList(String.class, resourceRolesMap.get(pattern)));
}
}
return mono
.filter(Authentication::isAuthenticated)
.flatMapIterable(Authentication::getAuthorities)
.map(GrantedAuthority::getAuthority)
.any(roleId -> {
// 5. roleId是請求用戶的角色(格式:ROLE_{roleId}),authorities是請求資源所需要角色的集合
log.info("訪問路徑:{}", path);
log.info("用戶角色roleId:{}", roleId);
log.info("資源需要權限authorities:{}", authorities);
// return authorities.contains(roleId);
return true;
})
.map(AuthorizationDecision::new)
.defaultIfEmpty(new AuthorizationDecision(false));
}
}
以上的鑒權邏輯參考的mall專案,可以根據自己的業務修改
3. 撰寫資源服務
資源服務需要申明哪些資源需要被保護起來,哪些資源放行,以及被保護起來的資源的保護邏輯(鑒權管理器)
package top.sclf.gateway.config;
import cn.hutool.core.util.ArrayUtil;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;
import top.sclf.gateway.filter.BlackListFilter;
import top.sclf.gateway.handler.CustomServerAccessDeniedHandler;
import top.sclf.gateway.handler.CustomServerAuthenticationEntryPoint;
import top.sclf.gateway.properties.IgnoreWhiteProperties;
/**
* 資源服務器配置
*
* @author zhangxing
*/
@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {
private final AuthorizationManager authorizationManager;
private final CustomServerAccessDeniedHandler customServerAccessDeniedHandler;
private final CustomServerAuthenticationEntryPoint customServerAuthenticationEntryPoint;
private final IgnoreWhiteProperties ignoreWhiteProperties;
private final BlackListFilter blackListFilter;
public ResourceServerConfig(AuthorizationManager authorizationManager, CustomServerAccessDeniedHandler customServerAccessDeniedHandler, CustomServerAuthenticationEntryPoint customServerAuthenticationEntryPoint, IgnoreWhiteProperties ignoreWhiteProperties, BlackListFilter blackListFilter) {
this.authorizationManager = authorizationManager;
this.customServerAccessDeniedHandler = customServerAccessDeniedHandler;
this.customServerAuthenticationEntryPoint = customServerAuthenticationEntryPoint;
this.ignoreWhiteProperties = ignoreWhiteProperties;
this.blackListFilter = blackListFilter;
}
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http.oauth2ResourceServer().jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter());
// 自定義處理JWT請求頭過期或簽名錯誤的結果
http.oauth2ResourceServer().authenticationEntryPoint(customServerAuthenticationEntryPoint);
// 在鑒權之前,添加一個黑名單過濾器,即認證服務中說到的用戶退出或修改密碼后,應該將Token加入黑名單,如果Token已經在黑名單中了,則由該Token發起的請求也無需再做鑒權判斷了,所以黑名單過濾器必須在鑒權之前,所以放在了認證過濾器的前面
http.addFilterBefore(blackListFilter, SecurityWebFiltersOrder.AUTHENTICATION);
http.authorizeExchange()
// 在網關上放行的請求,該白名單為List<String>,可自行配置,必須包含如下兩個請求
// /oauth/login,/getPublicKey
.pathMatchers(ArrayUtil.toArray(ignoreWhiteProperties.getWhites(), String.class)).permitAll()
// 認證通過后即可發起退出登錄請求
.pathMatchers("/auth/oauth/logout").authenticated()
// 鑒權管理器,剩下的請求通過鑒權管理器判定
.anyExchange().access(authorizationManager)
.and()
// 添加例外處理的回應
.exceptionHandling()
// 處理未授權
.accessDeniedHandler(customServerAccessDeniedHandler)
// 處理未認證
.authenticationEntryPoint(customServerAuthenticationEntryPoint)
// csrf自行百度
.and().csrf().disable();
return http.build();
}
/**
* ServerHttpSecurity沒有將jwt中authorities的負載部分當做Authentication
* 需要把jwt的Claim中的authorities加入
* 方案:重新定義ReactiveAuthenticationManager權限管理器,默認轉換器JwtGrantedAuthoritiesConverter
*/
@Bean
public Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
// 將認證服務中回傳的用戶物件資訊保存在JWT中,即自主實作的UserDetailsService回傳的物件權限加載到JWT中
// UserDetailsService回傳物件中的權限添加到jwt中,并加上前綴
jwtGrantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
// 通過authorities欄位從jwt中獲取UserDetailsService回傳的物件中的權限
jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("authorities");
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
}
}
3. 黑名單過濾器
package top.sclf.gateway.filter;
import cn.hutool.core.util.StrUtil;
import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;
import com.nimbusds.jose.JWSObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
import top.sclf.common.core.constant.AuthConstants;
import top.sclf.common.core.exception.CustomException;
import top.sclf.common.core.http.ResultEntity;
import top.sclf.common.core.http.ResultEnum;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
/**
* @author zhangxing
* @date 2021/4/7
*/
@Component
public class BlackListFilter implements WebFilter {
@Autowired
private RedisTemplate<String, Object> redisTemplate;
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
String token = exchange.getRequest().getHeaders().getFirst(AuthConstants.HEADER);
if (StrUtil.isEmpty(token)) {
return chain.filter(exchange);
}
String realToken = token.replace("Bearer ", "");
JWSObject jwsObject;
try {
// 從token中決議用戶資訊并設定到Header中去
jwsObject = JWSObject.parse(realToken);
} catch (ParseException e) {
throw new CustomException(ResultEnum.SERVER_ERROR, "token決議錯誤");
}
String payloadStr = jwsObject.getPayload().toString();
JSONObject payload = JSONUtil.parseObj(payloadStr);
// 校驗該token是否存在于黑名單中(登出、修改密碼)
// JWT唯一標識
String jti = payload.getStr("jti");
Boolean isBlack = redisTemplate.hasKey(AuthConstants.TOKEN_BLACKLIST_PREFIX + jti);
if (Boolean.TRUE.equals(isBlack)) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
response.getHeaders().set("Access-Control-Allow-Origin", "*");
response.getHeaders().set("Cache-Control", "no-cache");
String body = JSONUtil.toJsonStr(ResultEntity.fail(ResultEnum.TOKEN_EXPIRED, ResultEnum.TOKEN_EXPIRED.getMessage()));
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
return response.writeWith(Mono.just(buffer));
}
return chain.filter(exchange);
}
}
4. 例外處理
package top.sclf.gateway.handler;
import cn.hutool.json.JSONUtil;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import top.sclf.common.core.http.ResultEntity;
import top.sclf.common.core.http.ResultEnum;
import java.nio.charset.StandardCharsets;
/**
* 無權訪問自定義回應
*/
@Component
public class CustomServerAccessDeniedHandler implements ServerAccessDeniedHandler {
@Override
public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException e) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
response.getHeaders().set("Access-Control-Allow-Origin", "*");
response.getHeaders().set("Cache-Control", "no-cache");
String body = JSONUtil.toJsonStr(ResultEntity.fail(ResultEnum.NOT_PERMISSION.getCode(), ResultEnum.NOT_PERMISSION.getMessage()));
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
return response.writeWith(Mono.just(buffer));
}
}
package top.sclf.gateway.handler;
import cn.hutool.json.JSONUtil;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import top.sclf.common.core.http.ResultEntity;
import top.sclf.common.core.http.ResultEnum;
import top.sclf.common.core.util.StringUtils;
import java.nio.charset.StandardCharsets;
/**
* 無效token/token過期 自定義回應
*
* @author zhangxing
*/
@Component
public class CustomServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
@Override
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.OK);
response.getHeaders().set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
response.getHeaders().set("Access-Control-Allow-Origin", "*");
response.getHeaders().set("Cache-Control", "no-cache");
ResultEntity<String> fail = ResultEntity.fail(ResultEnum.TOKEN_INVALID.getCode().intValue(), "未登陸或登錄已過期");
// 文章下面會詳細描述為什么此處需要判斷是否是jwt過期的情況
String message = e.getMessage();
if (message != null && StringUtils.containsIgnoreCase(message, "Jwt expired")) {
fail.setCode(ResultEnum.TOKEN_EXPIRED.getCode());
}
String body = JSONUtil.toJsonStr(fail);
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
return response.writeWith(Mono.just(buffer));
}
}
5. JWT重繪方案
權限校驗失敗的自定義回應中,我們判斷了是否是應為jwt過期導致的鑒權失敗
當請求進來時,如果jwt過期,我們定制一個和前端約定好的錯誤編碼來表示jwt過期,當前端請求訪問失敗,并且發現回應編碼是因為jwt過期導致的請求失敗,則前端使用refresh_token使用重繪token的請求方式來重新獲取一次新的授權JWT,回傳新JWT后重新設定到請求頭上再次發起剛才鑒權失敗的請求即可
6. 配置網關模塊呼叫認證模塊獲取jwt加密公鑰地址
在網關模塊的組態檔中加入
spring:
security:
oauth2:
resourceserver:
jwt:
# 網上找了一圈沒有找到此處配置負載均衡的方式,似乎不支持
# 所以此處配置的獲取公鑰的地址直接訪問的網關的地址,曲線救國的方式實作負載均衡
jwk-set-uri: http://localhost:8088/auth/getPublicKey # /auth是我的認證模塊的context-path
三. 配置完畢,開始測驗
1. 獲取Token
登錄獲取Token端點: POST /oauth/token,/auth是我的認證模塊context-path
回傳值:
- access_token用于訪問資源
- refresh_token用于重繪token,以獲取新的access_token
2. 重繪Token
重繪Token端點: POST /oauth/token,/auth是我的認證模塊context-path
3. 攜帶Token訪問資源
4. 退出登錄
5. 退出登錄后再次訪問資源
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/274165.html
標籤:其他
下一篇:基于量子密鑰的經典身份認證系統