devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

搭建spring-security-oauth2授权服务(服务)和资源服务(模块)(一)—— 搭建授权服务_the class with org.springframework.security.oauth2

作者:小蓝xlanll | 2024-02-15 09:55:53

the class with org.springframework.security.oauth2.provider.oauth2authentica

之前用的是springsecurity+jwt作为安全验证,现在oauth2版本也可以实现,而且还有对外的token获取方式,所以替换成oauth2版本的springsecurity。

同样是使用jwt管理token,但是会加上redis,因为jwt生成的token是无状态的,所以生成新toekn后,旧token依旧能用,所以使用redis作为中间件来避免旧token还能使用的情况,实现单点登陆。

项目接口,红框里的是没用的,不用管

首先创建一个springboot项目,由于我用的是微服务,授权服务只是其中一个服务,所以可能会存在依赖缺少的情况,如果缺少依赖,评论留言。

然后是pom,pom中添加了项目中的其他模块,后面我会把源码上传至git

  1.  <dependencies>
  2.         <dependency>
  3.             <groupId>org.springframework.boot</groupId>
  4.             <artifactId>spring-boot-starter-web</artifactId>
  5.         </dependency>
  6.         <dependency>
  7.             <groupId>org.springframework.boot</groupId>
  8.             <artifactId>spring-boot-starter-security</artifactId>
  9.         </dependency>
  10.         <dependency>
  11.             <groupId>org.springframework.security.oauth.boot</groupId>
  12.             <artifactId>spring-security-oauth2-autoconfigure</artifactId>
  13.             <version>2.1.0.RELEASE</version>
  14.         </dependency>
  15.         <dependency>
  16.             <groupId>org.springframework.boot</groupId>
  17.             <artifactId>spring-boot-starter-test</artifactId>
  18.             <scope>test</scope>
  19.         </dependency>
  20.  
  21.         <dependency>
  22.             <groupId>org.springframework.boot</groupId>
  23.             <artifactId>spring-boot-starter-thymeleaf</artifactId>
  24.         </dependency>
  25.         <!--自定义组件-->
  26.         <dependency>
  27.             <groupId>com.rmt</groupId>
  28.             <artifactId>rmt-db-jpa</artifactId>
  29.             <version>0.0.1-SNAPSHOT</version>
  30.         </dependency>
  31.         <dependency>
  32.             <groupId>com.rmt</groupId>
  33.             <artifactId>rmt-domain-authority</artifactId>
  34.             <version>0.0.1-SNAPSHOT</version>
  35.         </dependency>
  36.         <dependency>
  37.             <groupId>com.rmt</groupId>
  38.             <artifactId>rmt-redis</artifactId>
  39.             <version>0.0.1-SNAPSHOT</version>
  40.         </dependency>
  41.         <dependency>
  42.             <groupId>com.rmt</groupId>
  43.             <artifactId>rmt-common-region</artifactId>
  44.             <version>0.0.1-SNAPSHOT</version>
  45.         </dependency>
  46.     </dependencies>

创建数据库security_oauth2

  1. /*
  2.  Navicat Premium Data Transfer
  4.  Source Server         : localhost
  5.  Source Server Type    : MySQL
  6.  Source Server Version : 50717
  7.  Source Host           : localhost:3306
  8.  Source Schema         : security_oauth2
  10.  Target Server Type    : MySQL
  11.  Target Server Version : 50717
  12.  File Encoding         : 65001
  14.  Date: 05/03/2021 10:48:56
  15. */
  16.  
  17. SET NAMES utf8mb4;
  18. SET FOREIGN_KEY_CHECKS = 0;
  19.  
  20. -- ----------------------------
  21. -- Table structure for menu
  22. -- ----------------------------
  23. DROP TABLE IF EXISTS `menu`;
  24. CREATE TABLE `menu`  (
  25.   `id` int(11) NOT NULL AUTO_INCREMENT,
  26.   `menu_code` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜单编号',
  27.   `menu_name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜单名称',
  28.   `router` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '路由',
  29.   `imgsrc` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '图标地址',
  30.   `index_num` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '序号',
  31.   `type` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜单类型(目录,菜单,按钮)',
  32.   `perms` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '权限标识',
  33.   `status` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜单状态(正常 ,停用)',
  34.   PRIMARY KEY (`id`) USING BTREE,
  35.   UNIQUE INDEX `MENU_UNIQUE`(`menu_code`) USING BTREE COMMENT 'menu唯一',
  36.   UNIQUE INDEX `PERMS_UNIQUE`(`perms`) USING BTREE COMMENT 'perms唯一'
  37. ) ENGINE = InnoDB AUTO_INCREMENT = 171 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  38.  
  39. -- ----------------------------
  40. -- Records of menu
  41. -- ----------------------------
  42. INSERT INTO `menu` VALUES (1, '1000', '总菜单', NULL, NULL, '1', '菜单', NULL, '正常');
  43. INSERT INTO `menu` VALUES (9, '10000001', '系统管理', '', 'el-icon-user-solid', '0', '目录', 'system', '正常');
  44. INSERT INTO `menu` VALUES (11, '100000010002', '用户管理', '/UserIndex', '', '1', '菜单', 'system:user', '正常');
  45. INSERT INTO `menu` VALUES (12, '100000010003', '角色权限', '/RoleIndex', '', '2', '菜单', 'system:role', '正常');
  46. INSERT INTO `menu` VALUES (18, '100000010005', '菜单管理', '/MenuIndex', '', '3', '菜单', 'system:menu', '正常');
  47. INSERT INTO `menu` VALUES (40, '100000010006', '所属单位管理', '/OrganizationIndex', '', '4', '菜单', 'system:company', '正常');
  48. INSERT INTO `menu` VALUES (44, '100000010007', '日志管理', '/LogIndex', NULL, '5', '菜单', 'system:logs', '正常');
  49. INSERT INTO `menu` VALUES (75, '1000000100020001', '添加用户', '', '', '0', '按钮', 'system:user:add', '正常');
  50. INSERT INTO `menu` VALUES (76, '1000000100050001', '添加菜单', '', '', '0', '按钮', 'system:menu:add', '正常');
  51. INSERT INTO `menu` VALUES (77, '1000000100050002', '菜单列表', '', '', '0', '按钮', 'system:menu:list', '正常');
  52. INSERT INTO `menu` VALUES (78, '1000000100050003', '菜单修改', '', '', '0', '按钮', 'system:menu:update', '正常');
  53. INSERT INTO `menu` VALUES (79, '1000000100050004', '菜单删除', '', '', '0', '按钮', 'system:menu:delete', '正常');
  54. INSERT INTO `menu` VALUES (80, '1000000100020002', '用户修改', '', '', '0', '按钮', 'system:user:update', '正常');
  55. INSERT INTO `menu` VALUES (88, '1000000100020003', '用户删除', '', '', '0', '按钮', 'system:user:delete', '正常');
  56. INSERT INTO `menu` VALUES (89, '1000000100020004', '用户查询', '', '', '0', '按钮', 'system:user:select', '正常');
  57. INSERT INTO `menu` VALUES (90, '1000000100030001', '添加角色', '', '', '0', '按钮', 'system:role:add', '正常');
  58. INSERT INTO `menu` VALUES (91, '1000000100030002', '角色修改', '', '', '0', '按钮', 'system:role:update', '正常');
  59. INSERT INTO `menu` VALUES (92, '1000000100030003', '角色删除', '', '', '0', '按钮', 'system:role:delete', '正常');
  60. INSERT INTO `menu` VALUES (93, '1000000100030004', '菜单配置', '', '', '0', '按钮', 'system:role:config', '正常');
  61. INSERT INTO `menu` VALUES (94, '1000000100060001', '添加单位', '', '', '0', '按钮', 'system:company:add', '正常');
  62. INSERT INTO `menu` VALUES (95, '1000000100060002', '单位修改', '', '', '0', '按钮', 'system:company:update', '正常');
  63. INSERT INTO `menu` VALUES (96, '1000000100060003', '单位删除', '', '', '0', '按钮', 'system:company:delete', '正常');
  64. INSERT INTO `menu` VALUES (101, '1000000100070001', '日志查询', '', '', '0', '按钮', 'system:logs:select', '正常');
  65. INSERT INTO `menu` VALUES (112, '1000000100060004', '单位查询', '', '', '0', '按钮', 'system:company:select', '正常');
  66. INSERT INTO `menu` VALUES (135, '1000000100020005', '用户列表', '', '', '0', '按钮', 'system:user:list', '正常');
  67. INSERT INTO `menu` VALUES (137, '1000000100030005', '角色列表', '', '', '0', '按钮', 'system:role:list', '正常');
  68. INSERT INTO `menu` VALUES (143, '1000000100060005', '所属单位管理列表', '', '', '0', '按钮', 'system:company:list', '正常');
  69. INSERT INTO `menu` VALUES (146, '1000000100070002', '日志管理列表', '', '', '0', '按钮', 'system:logs:list', '正常');
  70. -- ----------------------------
  71. -- Table structure for oauth_client_details
  72. -- ----------------------------
  73. DROP TABLE IF EXISTS `oauth_client_details`;
  74. CREATE TABLE `oauth_client_details`  (
  75.   `client_id` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '客户端的id(用于唯一标识每一个客户端(client);注册时必须填写(也可以服务端自动生成),这个字段是必须的,实际应用也有叫app_key)',
  76.   `resource_ids` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '资源服务器的id,多个用,(逗号)隔开{客户端能访问的资源id集合,注册客户端时,根据实际需要可选择资源id,也可以根据不同的额注册流程,赋予对应的额资源id}',
  77.   `client_secret` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '客户端的秘钥{注册填写或者服务端自动生成,实际应用也有叫app_secret, 必须要有前缀代表加密方式}',
  78.   `scope` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '指定客户端申请的权限范围,可选值包括read,write,trust;若有多个权限范围用逗号(,)分隔,如: \"read,write\".@EnableGlobalMethodSecurity(prePostEnabled = true)启用方法级权限控制然后在方法上注解标识@PreAuthorize(\"#oauth2.hasScope(\'read\')\")',
  79.   `authorized_grant_types` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '认证的方式{可选值 授权码模式:authorization_code,密码模式:password,刷新token: refresh_token, 隐式模式: implicit: 客户端模式: client_credentials。支持多个用逗号分隔}',
  80.   `web_server_redirect_uri` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '授权码模式认证成功跳转的地址{客户端重定向uri,authorization_code和implicit需要该值进行校验,注册时填写,}',
  81.   `authorities` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '指定用户的权限范围,如果授权的过程需要用户登陆,该字段不生效,implicit和client_credentials需要',
  82.   `access_token_validity` int(11) NULL DEFAULT NULL COMMENT 'token的过期时间{设置access_token的有效时间(秒),默认(60 * 60 * 12,12小时)}',
  83.   `refresh_token_validity` int(11) NULL DEFAULT NULL COMMENT '刷新token的过期时间{设置refresh_token有效期(秒),默认(60 *60 * 24 * 30, 30天)}',
  84.   `additional_information` varchar(4096) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '值必须是json格式',
  85.   `autoapprove` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '默认false,适用于authorization_code模式,设置用户是否自动approval操作,设置true跳过用户确认授权操作页面,直接跳到redirect_uri',
  86.   PRIMARY KEY (`client_id`) USING BTREE
  87. ) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
  88.  
  89. -- ----------------------------
  90. -- Records of oauth_client_details
  91. -- ----------------------------
  92. INSERT INTO `oauth_client_details` VALUES ('demo-client', NULL, '$2a$10$tj/PXVj9MBRdyuBKq99zeOw6oGkPVe7HNOxjmBWh.hsRmaU4IT2Ba', 'all', 'authorization_code,refresh_token,password', 'http://localhost:17772/home', NULL, 3600, 36000, NULL, '1');
  93.  
  94. -- ----------------------------
  95. -- Table structure for organization
  96. -- ----------------------------
  97. DROP TABLE IF EXISTS `organization`;
  98. CREATE TABLE `organization`  (
  99.   `id` bigint(11) NOT NULL AUTO_INCREMENT,
  100.   `organization_code` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '组织机构编号',
  101.   `organization_name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '组织机构名称',
  102.   `savetime` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '时间',
  103.   `description` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '描述',
  104.   PRIMARY KEY (`id`) USING BTREE,
  105.   UNIQUE INDEX `uk_ code`(`organization_code`) USING BTREE
  106. ) ENGINE = InnoDB AUTO_INCREMENT = 65 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  107.  
  108. -- ----------------------------
  109. -- Records of organization
  110. -- ----------------------------
  111. INSERT INTO `organization` VALUES (1, '1000', '总组织', '1607496672156', '父集团');
  112.  
  113. -- ----------------------------
  114. -- Table structure for role
  115. -- ----------------------------
  116. DROP TABLE IF EXISTS `role`;
  117. CREATE TABLE `role`  (
  118.   `id` bigint(20) NOT NULL AUTO_INCREMENT,
  119.   `name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  120.   `description` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '描述',
  121.   PRIMARY KEY (`id`) USING BTREE,
  122.   UNIQUE INDEX `nameunique`(`name`) USING BTREE COMMENT 'role name唯一'
  123. ) ENGINE = InnoDB AUTO_INCREMENT = 7 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  124.  
  125. -- ----------------------------
  126. -- Records of role
  127. -- ----------------------------
  128. INSERT INTO `role` VALUES (1, 'ROLE_ADMIN', '超级管理员');
  129. INSERT INTO `role` VALUES (2, 'ROLE_TEST', '测试用户');
  130. INSERT INTO `role` VALUES (6, 'ROLE_OR', '普通用户');
  131.  
  132. -- ----------------------------
  133. -- Table structure for role_menu
  134. -- ----------------------------
  135. DROP TABLE IF EXISTS `role_menu`;
  136. CREATE TABLE `role_menu`  (
  137.   `id` int(11) NOT NULL AUTO_INCREMENT,
  138.   `r_id` int(11) NULL DEFAULT NULL,
  139.   `m_id` int(11) NULL DEFAULT NULL,
  140.   PRIMARY KEY (`id`) USING BTREE
  141. ) ENGINE = InnoDB AUTO_INCREMENT = 6857 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  142.  
  143. -- ----------------------------
  144. -- Records of role_menu
  145. -- ----------------------------
  146. INSERT INTO `role_menu` VALUES (6709, 1, 11);
  147. INSERT INTO `role_menu` VALUES (6710, 1, 75);
  148. INSERT INTO `role_menu` VALUES (6711, 1, 80);
  149. INSERT INTO `role_menu` VALUES (6712, 1, 88);
  150. INSERT INTO `role_menu` VALUES (6713, 1, 89);
  151. INSERT INTO `role_menu` VALUES (6714, 1, 135);
  152.  
  153. -- ----------------------------
  154. -- Table structure for user
  155. -- ----------------------------
  156. DROP TABLE IF EXISTS `user`;
  157. CREATE TABLE `user`  (
  158.   `id` bigint(20) NOT NULL AUTO_INCREMENT,
  159.   `iphone` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  160.   `organization_name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  161.   `organization_num` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  162.   `password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  163.   `savetime` varchar(50) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  164.   `sex` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  165.   `username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  166.   `real_name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '真实姓名',
  167.   `user_type` enum('巡查员','管理员') CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT '巡查员' COMMENT '用户类型',
  168.   PRIMARY KEY (`id`) USING BTREE
  169. ) ENGINE = InnoDB AUTO_INCREMENT = 72 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  170.  
  171. -- ----------------------------
  172. -- Records of user
  173. -- ----------------------------
  174. INSERT INTO `user` VALUES (1, '15227686967', '总组织', '1000', '$2a$10$7oxG1a5hefbal86RlTJnVOc5TXR6gcDCxWSP69H/mgAVL63wJ3F6S', '2020-05-28 13:42:15.000000', '2', 'admin', 'xiayanhui', '巡查员');
  175.  
  176. -- ----------------------------
  177. -- Table structure for user_role
  178. -- ----------------------------
  179. DROP TABLE IF EXISTS `user_role`;
  180. CREATE TABLE `user_role`  (
  181.   `id` int(11) NOT NULL AUTO_INCREMENT,
  182.   `u_id` int(11) NULL DEFAULT NULL,
  183.   `r_id` int(11) NULL DEFAULT NULL,
  184.   PRIMARY KEY (`id`) USING BTREE
  185. ) ENGINE = InnoDB AUTO_INCREMENT = 42 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
  186.  
  187. -- ----------------------------
  188. -- Records of user_role
  189. -- ----------------------------
  190. INSERT INTO `user_role` VALUES (1, 1, 1);
  191. INSERT INTO `user_role` VALUES (6, 13, 1);
  192. INSERT INTO `user_role` VALUES (19, 49, 8);
  193. INSERT INTO `user_role` VALUES (32, 62, 1);
  194. INSERT INTO `user_role` VALUES (33, 63, 6);
  195. INSERT INTO `user_role` VALUES (34, 64, 6);
  196. INSERT INTO `user_role` VALUES (35, 65, 1);
  197. INSERT INTO `user_role` VALUES (36, 66, 1);
  198. INSERT INTO `user_role` VALUES (37, 67, 1);
  199. INSERT INTO `user_role` VALUES (38, 68, 1);
  200. INSERT INTO `user_role` VALUES (39, 69, 1);
  201. INSERT INTO `user_role` VALUES (40, 70, 1);
  202. INSERT INTO `user_role` VALUES (41, 71, 1);
  203.  
  204. SET FOREIGN_KEY_CHECKS = 1;

然后修改配置文件,bootstrap.yml

从配置文件应该可以看出,我使用的是nacos,所以nacos上也会存在一些配置文件。

  1. server:
  2.   port: 17772
  3. ip-address: localhost
  4. namespace-id: 2120ba90-bbee-464c-bcff-62b039803d97
  5. spring:
  6.   aop:
  7.     auto: true
  8.   application:
  9.     name: oauth2-server
  10.   cloud:
  11.     nacos:
  12.       discovery:
  13.         #server-addr: 192.168.0.10:8848
  14.         server-addr: ${ip-address}:8848
  15.         #此处的namespace是discovery服务对应的命名空间,与config不同
  16.         namespace: ${namespace-id}
  17.       config:
  18.         server-addr: ${ip-address}:8848
  19.         file-extension: yaml
  20.         #此处只是对应config的命名空间
  21.         namespace: ${namespace-id}
  22.         #共享配置文件
  23.         shared-configs:
  24.           - data-id: shared.yaml
  25.             group: dev
  26.             refresh: true
  27.           - data-id: kafka-producer.yaml
  28.             group: dev
  29.             refresh: true
  30.           - data-id: redis-config.yaml
  31.             group: dev
  32.             refresh: true
  33.   #数据源
  34.   datasource:
  35.     name: db-base
  36.     url: jdbc:mysql://${ip-address}:3306/security_oauth2?serverTimezone=GMT%2B8
  37.     username: root
  38.     password: root
  39.     driver-class-name: com.mysql.cj.jdbc.Driver
  40.   thymeleaf:
  41.     prefix: classpath:/views/
  42.     suffix: .html
  43.     cache: false
  44.   mvc:
  45.     throw-exception-if-no-handler-found: true

然后开始配置授权服务

创建AuthServerConfig 里面注解很全

  1. package com.zz.zzoauth2.config;
  2.  
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.beans.factory.annotation.Qualifier;
  5. import org.springframework.context.annotation.Configuration;
  6. import org.springframework.security.authentication.AuthenticationManager;
  7. import org.springframework.security.core.userdetails.UserDetailsService;
  8. import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
  9. import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
  10. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
  11. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
  12. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
  13. import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  14. import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
  15. import org.springframework.security.oauth2.provider.token.TokenStore;
  16. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  17.  
  18. import javax.sql.DataSource;
  19. import java.util.ArrayList;
  20. import java.util.List;
  21.  
  22. /**
  23.  * OAuth2的授权服务:主要作用是OAuth2的客户端进行认证与授权
  24.  *
  25.  * @author wqy
  26.  * @date 2020-09-04
  27.  */
  28. @Configuration
  29. @EnableAuthorizationServer
  30. public class AuthServerConfig extends AuthorizationServerConfigurerAdapter{
  31.  
  32. 	/**
  33. 	 * 从数据库中查询账号密码
  34. 	 */
  35. 	@Autowired
  36. 	@Qualifier("cusUserDetailsService")
  37. 	public UserDetailsService userDetailsService;
  38.  
  39. 	/**
  40. 	 * 从spring中获取数据源
  41. 	 */
  42. 	@Autowired
  43. 	private DataSource dataSource;
  44.  
  45. 	/**
  46. 	 * 认证管理器
  47. 	 */
  48. 	@Autowired
  49. 	private AuthenticationManager authenticationManager;
  50.  
  51. 	/**
  52. 	 * 它就是用来保存token
  53. 	 */
  54. 	@Autowired
  55. 	private TokenStore jwtTokenStore;
  56.  
  57. 	/**
  58. 	 * TokenEnhancer的子类,帮助程序在JWT编码的令牌值和OAuth身份验证信息之间进行转换(在两个方向上),
  59. 	 * 同时充当TokenEnhancer授予令牌的时间。
  60. 	 * 自定义的JwtAccessTokenConverter(把自己设置的jwt签名加入accessTokenConverter中)
  61. 	 */
  62. 	@Autowired
  63. 	private JwtAccessTokenConverter jwtAccessTokenConverter;
  64.  
  65. 	/**
  66. 	 * 在AuthorizationServerTokenServices 实现存储访问令牌之前增强访问令牌的策略。
  67. 	 */
  68. 	@Autowired
  69. 	private TokenEnhancer jwtTokenEnhancer;
  70.  
  71. 	/**
  72. 	 * 配置OAuth2的客户端信息:clientId、client_secret、authorization_type、redirect_url等。
  73. 	 * 实际保存在数据库中,建表语句在resource下data中
  74. 	 *
  75. 	 * 注:主要是与数据库互相同步
  76. 	 * @param clients
  77. 	 * @throws Exception
  78. 	 */
  79. 	@Override
  80.     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
  81. 		clients.jdbc(dataSource);
  82.     }
  83.  
  84. 	/**
  85. 	 * 1.增加jwt 增强模式
  86. 	 * 2.调用userDetailsService实现UserDetailsService接口,对客户端信息进行认证与授权
  87. 	 * @param endpoints
  88. 	 * @throws Exception
  89. 	 */
  90. 	@Override
  91.     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
  92. 		/**
  93. 		 * jwt 增强模式
  94. 		 * 对令牌的增强操作就在enhance方法中
  95. 		 * 下面在配置类中,将TokenEnhancer和JwtAccessConverter加到一个enhancerChain中
  96. 		 *
  97. 		 * 通俗点讲它做了两件事:
  98. 		 * 给JWT令牌中设置附加信息和jti:jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击
  99. 		 * 判断请求中是否有refreshToken,如果有,就重新设置refreshToken并加入附加信息
  100. 		 */
  101. 		TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
  102. 		List<TokenEnhancer> enhancerList = new ArrayList<TokenEnhancer>();
  103. 		enhancerList.add(jwtTokenEnhancer);
  104. 		enhancerList.add(jwtAccessTokenConverter);
  105. 		//将自定义Enhancer加入EnhancerChain的delegates数组中
  106. 		enhancerChain.setTokenEnhancers(enhancerList);
  107. 		endpoints.tokenStore(jwtTokenStore)
  108. 				.userDetailsService(userDetailsService)
  109. 				/**
  110. 				 * 支持 password 模式
  111. 				 */
  112. 				.authenticationManager(authenticationManager)
  113. 				.tokenEnhancer(enhancerChain)
  114. 				.accessTokenConverter(jwtAccessTokenConverter);
  115. 		// 最后一个参数为替换之后授权页面的url
  116. 		endpoints.pathMapping("/oauth/confirm_access","/custom/confirm_access");
  117.     }
  118. 	
  119. 	@Override
  120.     public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
  121.         security
  122.         	.tokenKeyAccess("permitAll()")
  123.         	.checkTokenAccess("isAuthenticated()")
  124. 			.allowFormAuthenticationForClients();
  125.     }
  126. 	
  127. }
  128.

然后创建JwtTokenConfig,此处主要是对JWT进行的配置,设置密钥,在资源服务器要使用相同的密钥

  1. package com.zz.zzoauth2.config;
  2.  
  3. import com.zz.constant.Oauth2Constant;
  4. import org.springframework.context.annotation.Bean;
  5. import org.springframework.context.annotation.Configuration;
  6. import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  7. import org.springframework.security.oauth2.provider.token.TokenStore;
  8. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  9. import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
  10.  
  11. import java.util.HashMap;
  12.  
  13. /**
  14.  * JwtTokenConfig配置类
  15.  * 使用TokenStroe将进入JwtTokenStore
  16.  * 注:Spring-Sceurity使用TokenEnhancer和JwtAccessConverter增强jwt令牌
  17.  * @author wqy
  18.  * @version 1.0
  19.  * @date 2021/3/3 14:15
  20.  */
  21. @Configuration
  22. public class JwtTokenConfig {
  23.  
  24.     @Bean
  25.     public TokenStore jwtTokenStore(){
  26.         return new JwtTokenStore(jwtAccessTokenConverter());
  27.     }
  28.  
  29.     /**
  30.      * JwtAccessTokenConverter:TokenEnhancer的子类,帮助程序在JWT编码的令牌值和OAuth身份验证信息之间进行转换(在两个方向上),同时充当TokenEnhancer授予令牌的时间。
  31.      * 自定义的JwtAccessTokenConverter:把自己设置的jwt签名加入accessTokenConverter中(这里设置'demo',项目可将此在配置文件设置)
  32.      * @return
  33.      */
  34.     @Bean
  35.     public JwtAccessTokenConverter jwtAccessTokenConverter() {
  36.         JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter();
  37.         accessTokenConverter.setSigningKey(Oauth2Constant.JWT_SIGNING_KEY);
  38.         return accessTokenConverter;
  39.     }
  40.  
  41.     /**
  42.      * 引入自定义JWTokenEnhancer:
  43.      * 自定义JWTokenEnhancer实现TokenEnhancer并重写enhance方法,将附加信息加入oAuth2AccessToken中
  44.      * @return
  45.      */
  46.     @Bean
  47.     public TokenEnhancer jwtTokenEnhancer(){
  48.         return new JwtTokenEnhancer();
  49.     }
  50.  
  51. }

然后创建JwtTokenEnhancer作为token增强,因为oauth2生成的token非常的短,而且不能存储信息,所以旧使用增强器,来存储更多的信息,同样生成的token也会更长。

TODO可以看一下,使用redis作为中间件,来实现旧token的伪失效

  1. package com.zz.zzoauth2.config;
  2.  
  3. import com.zz.zzoauth2.bean.ContextBeans;
  4. import com.zz.zzoauth2.domain.AuthUser;
  5. import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
  6. import org.springframework.security.oauth2.common.OAuth2AccessToken;
  7. import org.springframework.security.oauth2.provider.OAuth2Authentication;
  8. import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  9.  
  10. import java.util.HashMap;
  11. import java.util.Map;
  12. import java.util.concurrent.TimeUnit;
  13.  
  14. /**
  15.  * TokenEnhancer:在AuthorizationServerTokenServices 实现存储访问令牌之前增强访问令牌的策略。
  16.  * 自定义TokenEnhancer的代码:把附加信息加入oAuth2AccessToken中
  17.  *
  18.  * @author Tom
  19.  * @date 2020-09-04
  20.  */
  21. public class JwtTokenEnhancer implements TokenEnhancer {
  22.  
  23.  
  24.     /**
  25.      * 重写enhance方法,将附加信息加入oAuth2AccessToken中
  26.      * @param oAuth2AccessToken
  27.      * @param oAuth2Authentication
  28.      * @return
  29.      */
  30.     @Override
  31.     public OAuth2AccessToken enhance(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
  32.         //TODO:token过期可以在此处想办法,结合redis,username可以做redis的key,value为jtl,
  33.         // 在这生成一条以username为key的redis记录,
  34.         // 资源服务根据解析出来的token,在redis中查找是否有相同的数据,有的话验证token中的jtl是否一致,
  35.         // 不一致则提示token异常并删除redis中的该username,此处一定要保证redis中用户对应username的唯一性,
  36.         // 避免大量并发击穿redis。
  37.         // 单点登陆核心就是保证token的唯一性,现在保证jtl的唯一性就是保证token的唯一性
  38.         // 步骤:
  39.         // 1.获取jtl和到期时间
  40.         // 2.以username为key并设置ttl(过期时间)
  41.         // 3.由于系统里用户名是唯一的,所以存redis前要判断是否有重复的,有重复则删掉
  42.         // 4.存入reids并设置ttl
  43.         try {
  44.             Map<String, Object> map = new HashMap<String, Object>();
  45.             AuthUser authUser = (AuthUser) oAuth2Authentication.getPrincipal();
  46.             authUser.getUser().setPassword(null);
  47.             authUser.setPassword(null);
  48.             map.put("authUser",authUser);
  49.             ((DefaultOAuth2AccessToken) oAuth2AccessToken).setAdditionalInformation(map);
  50.             //是否启用redis
  51.             if(ContextBeans.systemParam.getIsOpenOauth2Redis()){
  52.                 ContextBeans.redisTemplateUtils.set(authUser.getUsername(),oAuth2AccessToken.getValue(),oAuth2AccessToken.getExpiresIn(),TimeUnit.SECONDS);
  53.             }
  54.         }catch (Exception e){
  55.             e.printStackTrace();
  56.         }
  57.         return oAuth2AccessToken;
  58.  
  59.     }
  60. }
  61.

创建SecurityConfig,此配置是关于security的配置,security的过滤器级别高于oauth2,所以要注意

  1. package com.zz.zzoauth2.config;
  2.  
  3. import org.springframework.context.annotation.Bean;
  4. import org.springframework.context.annotation.Configuration;
  5. import org.springframework.security.authentication.AuthenticationManager;
  6. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  7. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  8. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  9. import org.springframework.security.crypto.password.PasswordEncoder;
  10. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
  11. import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  12.  
  13. /**
  14.  * @author wqy
  15.  * @version 1.0
  16.  * @date 2021/3/3 14:08
  17.  */
  18. @Configuration
  19. @EnableAuthorizationServer
  20. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  21.  
  22.     /**
  23.      * 引入密码加密类
  24.      * @return
  25.      */
  26.     @Bean
  27.     public PasswordEncoder passwordEncoder(){
  28.         return new BCryptPasswordEncoder();
  29.     }
  30.  
  31.     /**
  32.      * 支持密码模式配置
  33.      * @return
  34.      * @throws Exception
  35.      */
  36.     @Override
  37.     @Bean
  38.     public AuthenticationManager authenticationManagerBean() throws Exception {
  39.         return super.authenticationManagerBean();
  40.     }
  41.  
  42.     /**
  43.      * 配置URL访问授权,必须配置authorizeRequests(),否则启动报错,说是没有启用security技术。
  44.      * 注意:在这里的身份进行认证与授权没有涉及到OAuth的技术:当访问要授权的URL时,请求会被DelegatingFilterProxy拦截,
  45.      *      如果还没有授权,请求就会被重定向到登录界面。在登录成功(身份认证并授权)后,请求被重定向至之前访问的URL。
  46.      * @param http
  47.      * @throws Exception
  48.      */
  49.     @Override
  50.     protected void configure(HttpSecurity http) throws Exception {
  51.         http
  52.                 // 必须配置,不然OAuth2的http配置不生效----不明觉厉
  53.                 .requestMatchers()
  54.                 .antMatchers("/auth/login", "/auth/authorize","/oauth/authorize")
  55.                 .and()
  56.                 .authorizeRequests()
  57.                 // 自定义页面或处理url是,如果不配置全局允许,浏览器会提示服务器将页面转发多次
  58.                 .antMatchers("/auth/login", "/auth/authorize")
  59.                 .permitAll()
  60.                 .anyRequest()
  61.                 .authenticated();
  62.  
  63.         // 表单登录
  64.         http.formLogin()
  65.                 // 登录页面
  66.                 .loginPage("/auth/login")
  67.                 // 登录处理url
  68.                 .loginProcessingUrl("/auth/authorize");
  69.         http.httpBasic().disable();
  70.  
  71.     }
  72. }

然后CusUserDetailsService,连接数据库,登陆等等都是从此获取的数据

  1. package com.zz.zzoauth2.service;
  2.  
  3. import com.zz.domain.authority.Organization;
  4. import com.zz.domain.authority.User;
  5. import com.zz.zzoauth2.domain.AuthUser;
  6. import com.zz.zzoauth2.resp.OrganizationJpa;
  7. import com.zz.zzoauth2.resp.RoleJpa;
  8. import com.zz.zzoauth2.resp.UserJpa;
  9. import org.springframework.security.core.userdetails.UserDetails;
  10. import org.springframework.security.core.userdetails.UserDetailsService;
  11. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  12. import org.springframework.stereotype.Component;
  13.  
  14. /**
  15.  * Spring-Security自定义身份认证类(实现UserDetailsService并重写loadUserByUsername方法)
  16.  * 在loadUserByUsername方法内校验用户名密码是否正确并返回一个UserDetails对象
  17.  *
  18.  * @author Tom
  19.  * @date 2020-09-04
  20.  */
  21. @Component(value = "cusUserDetailsService")
  22. public class CusUserDetailsService implements UserDetailsService {
  23.  
  24.     private final UserJpa userJpa;
  25.     private final RoleJpa roleJpa;
  26.     private final OrganizationJpa organizationJpa;
  27.  
  28.     public CusUserDetailsService(UserJpa userJpa, RoleJpa roleJpa, OrganizationJpa organizationJpa) {
  29.         this.userJpa = userJpa;
  30.         this.roleJpa = roleJpa;
  31.         this.organizationJpa = organizationJpa;
  32.     }
  33.  
  34.     @Override
  35.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  36.  
  37.         User user = userJpa.findByUsername(username);
  38.  
  39.         Organization organization = organizationJpa.findNameByCode(user.getOrganizationNum());
  40.  
  41.         if (user == null) {
  42.             throw new UsernameNotFoundException("user: " + username + " is not found.");
  43.         }
  44.  
  45.         return new AuthUser(user.getUsername()
  46.                 , user.getPassword()
  47.                 , roleJpa.findByUserRole(user.getId())
  48.                 ,organization
  49.                 ,user);
  50.     }
  51.  
  52. }

上面就是一些配置代码和流程

配置实在是太多了,我就不一一配置, 看源码比较简单。

自定义授权和登陆页面我简单介绍一下,其实就是在配置AuthServerConfig 中配置授权页,因为授权是属于oauth2的,然后在SecurityConfig中配置登陆页,这两个分别对应的是Controller中的请求路由,

然后就可以跳转到对应的页面,源码中使用的是thymeleaf,页面在Resuorce下的views中。

配置security-oauth2主要还是要理解思路和过程,理解什么是授权,由于oauth2中有四种模式,源码可以使用鉴权码模式和密码模式,这两种也是最常用的。

源码中zz-security-oauth2-server下product.md中有使用介绍和简单介绍。

源码正在上传,下一章奉上

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/83406
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号