1.OAuth2協議簡介:
OAuth是一種用來規范令牌(Token)發放的授權機制,目前最新版本為2.0,不兼容1.0,主要有四種授權模式:授權碼模式、簡化模式、密碼模式和客戶端模式,我這邊的前端系統是通過用戶名和密碼來登錄系統的,所以這里只介紹密碼模式
2.密碼模式簡介:
在密碼模式中,用戶向客戶端提供用戶名和密碼,客戶端通過用戶名和密碼到認證服務器獲取令牌,流程如下:
如上圖所示,密碼模式包含了三個步驟:
(A)用戶訪問客戶端,提供URI連接包含用戶名和密碼資訊給授權服務器
(B)授權服務器對客戶端進行身份驗證
(C)授權通過,回傳access_token給客戶端
3.搭建服務
3.1 pom.xml檔案(SpringBoot+SpringSecurity+OAuth2+Redis)
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>demo</groupId>
<artifactId>security</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>security</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
<spring-cloud.version>Greenwich.SR1</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
3.2 組態檔(你們需要換成自己的redis配置,用來存放認證資訊)
spring:
redis:
host: 127.0.0.1
port: 6379
password: KCl9HfqbVnhQ5c3n
database: 0
3.3 我們需要定義一個WebSecurity型別的安全配置類
package com.example.demo.security.config;
import com.example.demo.security.service.UserDetailService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@EnableWebSecurity
@Order(2)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailService userDetailService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/oauth/**")
.and()
.authorizeRequests()
.antMatchers("/oauth/**").authenticated()
.and()
.csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailService).passwordEncoder(passwordEncoder());
}
}
該類繼承了WebSecurityConfigurerAdapter配接器,重寫了幾個方法,并且使用@EnableWebSecurity注解標注,開啟了和Web相關的安全配置,
上面代碼中,我們首先注入了UserDetailService,這個類下面會介紹到,這里先略過,
然后我們定義了一個PasswordEncoder型別的Bean,該類是一個介面,定義了幾個和密碼加密校驗相關的方法,這里我們使用的是Spring Security內部實作好的BCryptPasswordEncoder,BCryptPasswordEncoder的特點就是,對于一個相同的密碼,每次加密出來的加密串都不同:
public static void main(String[] args) {
String password = "123456";
PasswordEncoder encoder = new BCryptPasswordEncoder();
System.out.println(encoder.encode(password));
System.out.println(encoder.encode(password));
}
$2a$10$TgKIGaJrL8LBFT8bEj8gH.3ctyo1PpSTw4fs4o6RuMOE4R665HdpS
$2a$10$ZEcCOMVVIV5SfoXPXih92uGJfVeaugMr/PydhYnLvsCroS9xWjOIq
我們也可以自己實作PasswordEncoder介面,這里為了方便就直接使用BCryptPasswordEncoder了
接著我們注冊了一個authenticationManagerBean,因為密碼模式需要使用到這個Bean,
在SecurityConfig 類中,我們還重寫了WebSecurityConfigurerAdapter類的configure(HttpSecurity http)方法,其中requestMatchers().antMatchers("/oauth/**")的含義是:SecurityConfig 安全配置類只對/oauth/開頭的請求有效,
最后我們重寫了configure(AuthenticationManagerBuilder auth)方法,指定了userDetailsService和passwordEncoder
3.4 定義一個資源服務器的配置類
package com.example.demo.security.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.requestMatchers().antMatchers("/**")
.and()
.authorizeRequests()
.antMatchers("/**").authenticated();
}
}
ResourceServerConfig 繼承了ResourceServerConfigurerAdapter,并重寫了configure(HttpSecurity http)方法,通過requestMatchers().antMatchers("/")的配置表明該安全配置對所有請求都生效,**類上的@EnableResourceServer用于開啟資源服務器相關配置,
3.5 SecurityConfig和ResourceServerConfig的區別
上面兩個Config配置都是用來攔截請求的,一個只攔截以"/oauth/**"開頭的請求,一個攔截所有請求,這兩者功能類似,那請求到底先走誰,我們看代碼
@Order(100)
public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> {
......
}
@Configuration
public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter implements Ordered {
private int order = 3;
......
}
在Spring中,數字越小,優先級越高,也就是說ResourceServerConfig的優先級要高于SecurityConfig,這也就意味著所有請求都會被ResourceServerConfig過濾器鏈處理,包括/oauth/開頭的請求,這顯然不是我們要的效果,我們原本是希望以/oauth/開頭的請求由SecurityConfig過濾器鏈處理,剩下的其他請求由ResourceServerConfig過濾器鏈處理,
所以我們需要提高SecurityConfig的優先級(增加@Order(2))
@Order(2)
@EnableWebSecurity
public class SecurityConfigextends WebSecurityConfigurerAdapter {
......
}
3.6 定義一個和認證服務器相關的安全配置類
package com.example.demo.security.config;
import com.example.demo.security.service.UserDetailService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private RedisConnectionFactory redisConnectionFactory;
@Autowired
private UserDetailService userDetailService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("auth")
.secret(passwordEncoder.encode("123456"))
.authorizedGrantTypes("password", "refresh_token")
.scopes("all");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore())
.userDetailsService(userDetailService)
.authenticationManager(authenticationManager)
.tokenServices(defaultTokenServices());
}
/**
* 認證服務器生成的令牌將被存盤到Redis中
* @return
*/
@Bean
public TokenStore tokenStore() {
return new RedisTokenStore(redisConnectionFactory);
}
@Primary
@Bean
public DefaultTokenServices defaultTokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore());
// 開啟重繪令牌的支持
tokenServices.setSupportRefreshToken(true);
// 令牌有效時間為60 * 60 * 24
tokenServices.setAccessTokenValiditySeconds(60 * 60 * 24);
// 重繪令牌有效時間為60 * 60 * 24 * 7秒
tokenServices.setRefreshTokenValiditySeconds(60 * 60 * 24 * 7);
return tokenServices;
}
}
AuthorizationServerConfig繼承AuthorizationServerConfigurerAdapter配接器,使用@EnableAuthorizationServer注解標注,開啟認證服務器相關配置
AuthorizationServerConfig配置類中重點需要介紹的是configure(ClientDetailsServiceConfigurer clients)方法,該方法主要配置了:
客戶端從認證服務器獲取令牌的時候,必須使用client_id為auth,client_secret為123456的標識來獲取;
該client_id支持password模式獲取令牌,并且可以通過refresh_token來獲取新的令牌;
在獲取client_id為auth的令牌的時候,scope只能指定為all,否則將獲取失敗;
3.7 在定義好這三個配置類后,我們還需要定義一個用于校驗用戶名密碼的類,也就是上面提到的UserDetailService,
package com.example.demo.security.service;
import com.example.demo.security.entity.AuthUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
@Service
public class UserDetailService implements UserDetailsService {
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
AuthUser user = new AuthUser();
user.setUsername(username);
user.setPassword(this.passwordEncoder.encode("123456"));
return new User(username, user.getPassword(), user.isEnabled(),
user.isAccountNonExpired(), user.isCredentialsNonExpired(),
user.isAccountNonLocked(), AuthorityUtils.commaSeparatedStringToAuthorityList("user:add"));
}
}
該類主要就是重寫loadUserByUsername()方法,去資料庫查詢有沒有當前用戶,并且回傳一個UserDetails物件,該物件也是一個介面,包含一些用于描述用戶資訊的方法,原始碼如下:
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package org.springframework.security.core.userdetails;
import java.io.Serializable;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
public interface UserDetails extends Serializable {
// 獲取用戶包含的權限,回傳權限集合,權限是一個繼承了GrantedAuthority的物件
Collection<? extends GrantedAuthority> getAuthorities();
String getPassword();
String getUsername();
// 判斷賬戶是否未過期,未過期回傳true反之回傳false
boolean isAccountNonExpired();
// 判斷賬戶是否未鎖定
boolean isAccountNonLocked();
// 判斷用戶憑證是否沒過期,即密碼是否未過期
boolean isCredentialsNonExpired();
// 判斷用戶是否可用
boolean isEnabled();
}
3.8 實際開發中,我們會直接用系統的用戶物件,我這邊自定義一個物件AuthUser(也可以直接使用Spring Security提供的UserDetails介面實作類)
package com.example.demo.security.entity;
import java.io.Serializable;
public class AuthUser implements Serializable {
private static final long serialVersionUID = -1748289340320186418L;
private String username;
private String password;
private boolean accountNonExpired = true;
private boolean accountNonLocked= true;
private boolean credentialsNonExpired= true;
private boolean enabled= true;
public static long getSerialVersionUID() {
return serialVersionUID;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public boolean isAccountNonExpired() {
return accountNonExpired;
}
public void setAccountNonExpired(boolean accountNonExpired) {
this.accountNonExpired = accountNonExpired;
}
public boolean isAccountNonLocked() {
return accountNonLocked;
}
public void setAccountNonLocked(boolean accountNonLocked) {
this.accountNonLocked = accountNonLocked;
}
public boolean isCredentialsNonExpired() {
return credentialsNonExpired;
}
public void setCredentialsNonExpired(boolean credentialsNonExpired) {
this.credentialsNonExpired = credentialsNonExpired;
}
public boolean isEnabled() {
return enabled;
}
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
}
3.9 最后寫一個Controller,用來驗證我們的攔截是否生效(下面三個類都需要)
package com.example.demo.security.controller;
import com.example.demo.security.entity.Response;
import com.example.demo.security.exception.AuthException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
@RestController
public class SecurityController {
@Autowired
private ConsumerTokenServices consumerTokenServices;
@GetMapping("oauth/test")
public String testOauth() {
return "oauth";
}
@GetMapping("getUserInfo")
public Principal currentUser(Principal principal) {
return principal;
}
@DeleteMapping("loginOut")
public Response loginOut(HttpServletRequest request) throws AuthException {
String authorization = request.getHeader("Authorization");
String token = StringUtils.replace(authorization, "bearer ", "");
Response response = new Response();
if (!consumerTokenServices.revokeToken(token)) {
throw new AuthException("退出登錄失敗");
}
return response.message("退出登錄成功");
}
}
Response類:
package com.example.demo.security.entity;
import java.util.HashMap;
public class Response extends HashMap<String, Object> {
private static final long serialVersionUID = -8713837118340960775L;
public Response message(String message) {
this.put("message", message);
return this;
}
public Response data(Object data) {
this.put("data", data);
return this;
}
@Override
public Response put(String key, Object value) {
super.put(key, value);
return this;
}
public String getMessage() {
return String.valueOf(get("message"));
}
public Object getData() {
return get("data");
}
}
例外類:
package com.example.demo.security.exception;
public class AuthException extends Exception{
private static final long serialVersionUID = -6916154462432027437L;
public AuthException(String message){
super(message);
}
}
4.Postman測驗
4.1 使用PostMan發送 localhost:8080/oauth/token POST請求,請求引數如下所示:
grant_type填password,表示密碼模式,然后填寫用戶名和密碼,根據我們定義的UserDetailService邏輯,這里用戶名隨便填,密碼必須為123456,
一定要在請求頭中配置Authorization資訊,否則請求將回傳401
值為Basic加空格加client_id:client_secret(就是在AuthorizationServerConfig類configure(ClientDetailsServiceConfigurer clients)方法中定義的client和secret)經過base64加密后的值
轉換base64連接地址
4.2 使用PostMan發送 localhost:8080/getUserInfo GET請求,先不帶令牌看看回傳什么:
上面回傳401例外,下面我們在請求頭中添加如下圈紅的內容,成功回傳資料
Authorization值的格式為token_type access_token
4.3 我們使用PostMan發送 localhost:8080/oauth/test GET請求,頭部攜帶Authorization
可以看到,雖然我們在請求頭中已經帶上了正確的令牌,但是并沒有成功獲取到資源,正如前面所說的那樣,/oauth/開頭的請求由SecurityConfig定義的過濾器鏈處理,它不受資源服務器配置管理,所以使用令牌并不能成功獲取到資源
4.4 測驗注銷令牌
使用PostMan發送 localhost:8080/loginOut DELETE請求,并在請求頭中攜帶令牌
注銷令牌后,原先的access_token和refresh_token都會馬上失效,并且Redis也被清空
4.5 測驗令牌重繪
因為我們上面注銷了令牌,所以在此之前再次獲取一次令牌
然后使用refresh_token去換取新的令牌,使用PostMan發送 localhost:8080/oauth/token POST請求,請求引數如下:
成功獲取到了新的令牌
本文參考文獻:https://www.kancloud.cn/mrbird/spring-cloud/1263689
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/280936.html
標籤:其他
上一篇:ForAndSix
下一篇:8253 匯編實驗