Spring Cloud+OAuth2+Spring Security+Redis 实现微服务统一认证授权,附源码

因为目前做了一个基于Spring Cloud的微服务项目,所以了解到了OAuth2,打算整合一下OAuth2来实现统一授权。关于OAuth是一个关于授权的开放网络标准,目前的版本是2.0,这里我就不多做介绍了。下面贴一下我学习过程中参考的资料。

开发环境:Windows10,  Intellij Idea2018.2,   jdk1.8,  redis3.2.9, Spring Boot 2.0.2 Release, Spring Cloud Finchley.RC2 Spring 5.0.6

项目目录

eshop —— 父级工程,管理jar包版本

eshop-server —— Eureka服务注册中心

eshop-gateway —— Zuul网关

eshop-auth —— 授权服务

eshop-member —— 会员服务

eshop-email —— 邮件服务(暂未使用)

eshop-common —— 通用类

关于如何构建一个基本的Spring Cloud 微服务这里就不赘述了,不会的可以看一下我的关于Spring Cloud系列的博客。这里给个入口地址:https://blog.csdn.net/wya1993/article/category/7701476

授权服务

首先构建eshop-auth服务,引入相关依赖

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<artifactId>eshop-auth</artifactId>

<packaging>war</packaging>

<description>授权模块</description>

<dependencies>

<dependency>

<groupId>com.curise.eshop</groupId>

<artifactId>eshop-common</artifactId>

<version>1.0-SNAPSHOT</version>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-data-redis</artifactId>

</dependency>

<dependency>

<groupId>org.mybatis.spring.boot</groupId>

<artifactId>mybatis-spring-boot-starter</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-actuator</artifactId>

</dependency>

<dependency>

<groupId>mysql</groupId>

<artifactId>mysql-connector-java</artifactId>

</dependency>

<dependency>

<groupId>com.alibaba</groupId>

<artifactId>druid</artifactId>

</dependency>

<dependency>

<groupId>log4j</groupId>

<artifactId>log4j</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

接下来,配置Mybatis、redis、eureka,贴一下配置文件

server:

port:1203

spring:

application:

name:eshop-auth

redis:

database:0

host:192.168.0.117

port:6379

password:

jedis:

pool:

max-active:8

max-idle:8

min-idle:0

datasource:

driver-class-name:com.mysql.jdbc.Driver

url:jdbc:mysql://localhost:3306/eshop_member?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowMultiQueries=true

username:root

password:root

druid:

initialSize:5#初始化连接大小

minIdle:5#最小连接池数量

maxActive:20#最大连接池数量

maxWait:60000#获取连接时最大等待时间,单位毫秒

timeBetweenEvictionRunsMillis:60000#配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒

minEvictableIdleTimeMillis:300000#配置一个连接在池中最小生存的时间,单位是毫秒

validationQuery:SELECT1from DUAL  #测试连接

testWhileIdle:true#申请连接的时候检测,建议配置为true,不影响性能,并且保证安全性

testOnBorrow:false#获取连接时执行检测,建议关闭,影响性能

testOnReturn:false#归还连接时执行检测,建议关闭,影响性能

poolPreparedStatements:false#是否开启PSCache,PSCache对支持游标的数据库性能提升巨大,oracle建议开启,mysql下建议关闭

maxPoolPreparedStatementPerConnectionSize:20#开启poolPreparedStatements后生效

filters:stat,wall,log4j #配置扩展插件,常用的插件有=>stat:监控统计  log4j:日志  wall:防御sql注入

connectionProperties:'druid.stat.mergeSql=true;druid.stat.slowSqlMillis=5000'#通过connectProperties属性来打开mergeSql功能;慢SQL记录

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

mybatis:

type-aliases-package:com.curise.eshop.common.entity

configuration:

map-underscore-to-camel-case:true#开启驼峰命名,l_name->lName

jdbc-type-for-null:NULL

lazy-loading-enabled:true

aggressive-lazy-loading:true

cache-enabled:true#开启二级缓存

call-setters-on-nulls:true#map空列不显示问题

mapper-locations:

-classpath:mybatis/*.xml

AuthApplication添加@EnableDiscoveryClient和@MapperScan注解。

接下来配置认证服务器AuthorizationServerConfig ,并添加@Configuration和@EnableAuthorizationServer注解,其中ClientDetailsServiceConfigurer配置在内存中,当然也可以从数据库读取,以后慢慢完善。

@Configuration

@EnableAuthorizationServer

publicclassAuthorizationServerConfigextendsAuthorizationServerConfigurerAdapter{

@Autowired

privateAuthenticationManager authenticationManager;

@Autowired

privateDataSource dataSource;

@Autowired

privateRedisConnectionFactory redisConnectionFactory;

@Autowired

privateMyUserDetailService userDetailService;

@Bean

publicTokenStoretokenStore(){

returnnewRedisTokenStore(redisConnectionFactory);

}

@Override

publicvoidconfigure(AuthorizationServerSecurityConfigurer security)throwsException{

security

.allowFormAuthenticationForClients()

.tokenKeyAccess("permitAll()")

.checkTokenAccess("isAuthenticated()");

}

@Override

publicvoidconfigure(ClientDetailsServiceConfigurer clients)throwsException{

// clients.withClientDetails(clientDetails());

clients.inMemory()

.withClient("android")

.scopes("read")

.secret("android")

.authorizedGrantTypes("password","authorization_code","refresh_token")

.and()

.withClient("webapp")

.scopes("read")

.authorizedGrantTypes("implicit")

.and()

.withClient("browser")

.authorizedGrantTypes("refresh_token","password")

.scopes("read");

}

@Bean

publicClientDetailsServiceclientDetails(){

returnnewJdbcClientDetailsService(dataSource);

}

@Bean

publicWebResponseExceptionTranslatorwebResponseExceptionTranslator(){

returnnewMssWebResponseExceptionTranslator();

}

@Override

publicvoidconfigure(AuthorizationServerEndpointsConfigurer endpoints)throwsException{

endpoints.tokenStore(tokenStore())

.userDetailsService(userDetailService)

.authenticationManager(authenticationManager);

endpoints.tokenServices(defaultTokenServices());

//认证异常翻译

// endpoints.exceptionTranslator(webResponseExceptionTranslator());

}

/**

*

注意,自定义TokenServices的时候,需要设置@Primary,否则报错,

* @return

*/

@Primary

@Bean

publicDefaultTokenServicesdefaultTokenServices(){

DefaultTokenServices tokenServices=newDefaultTokenServices();

tokenServices.setTokenStore(tokenStore());

tokenServices.setSupportRefreshToken(true);

//tokenServices.setClientDetailsService(clientDetails());

// token有效期自定义设置,默认12小时

tokenServices.setAccessTokenValiditySeconds(60*60*12);

// refresh_token默认30天

tokenServices.setRefreshTokenValiditySeconds(60*60*24*7);

returntokenServices;

}

}

在上述配置中,认证的token是存到redis里的,如果你这里使用了Spring5.0以上的版本的话,使用默认的RedisTokenStore认证时会报如下异常:

nested exception is java.lang.NoSuchMethodError:org.springframework.data.redis.connection.RedisConnection.set([B[B)V

原因是spring-data-redis 2.0版本中set(String,String)被弃用了,要使用RedisConnection.stringCommands().set(…),所有我自定义一个RedisTokenStore,代码和RedisTokenStore一样,只是把所有conn.set(…)都换成conn..stringCommands().set(…),测试后方法可行。

publicclassRedisTokenStoreimplementsTokenStore{

privatestaticfinalString ACCESS="access:";

privatestaticfinalString AUTH_TO_ACCESS="auth_to_access:";

privatestaticfinalString AUTH="auth:";

privatestaticfinalString REFRESH_AUTH="refresh_auth:";

privatestaticfinalString ACCESS_TO_REFRESH="access_to_refresh:";

privatestaticfinalString REFRESH="refresh:";

privatestaticfinalString REFRESH_TO_ACCESS="refresh_to_access:";

privatestaticfinalString CLIENT_ID_TO_ACCESS="client_id_to_access:";

privatestaticfinalString UNAME_TO_ACCESS="uname_to_access:";

privatefinalRedisConnectionFactory connectionFactory;

privateAuthenticationKeyGenerator authenticationKeyGenerator=newDefaultAuthenticationKeyGenerator();

privateRedisTokenStoreSerializationStrategy serializationStrategy=newJdkSerializationStrategy();

privateString prefix="";

publicRedisTokenStore(RedisConnectionFactory connectionFactory){

this.connectionFactory=connectionFactory;

}

publicvoidsetAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator){

this.authenticationKeyGenerator=authenticationKeyGenerator;

}

publicvoidsetSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy){

this.serializationStrategy=serializationStrategy;

}

publicvoidsetPrefix(String prefix){

this.prefix=prefix;

}

privateRedisConnectiongetConnection(){

returnthis.connectionFactory.getConnection();

}

privatebyte[]serialize(Object object){

returnthis.serializationStrategy.serialize(object);

}

privatebyte[]serializeKey(String object){

returnthis.serialize(this.prefix+object);

}

privateOAuth2AccessTokendeserializeAccessToken(byte[]bytes){

return(OAuth2AccessToken)this.serializationStrategy.deserialize(bytes,OAuth2AccessToken.class);

}

privateOAuth2AuthenticationdeserializeAuthentication(byte[]bytes){

return(OAuth2Authentication)this.serializationStrategy.deserialize(bytes,OAuth2Authentication.class);

}

privateOAuth2RefreshTokendeserializeRefreshToken(byte[]bytes){

return(OAuth2RefreshToken)this.serializationStrategy.deserialize(bytes,OAuth2RefreshToken.class);

}

privatebyte[]serialize(String string){

returnthis.serializationStrategy.serialize(string);

}

privateStringdeserializeString(byte[]bytes){

returnthis.serializationStrategy.deserializeString(bytes);

}

@Override

publicOAuth2AccessTokengetAccessToken(OAuth2Authentication authentication){

String key=this.authenticationKeyGenerator.extractKey(authentication);

byte[]serializedKey=this.serializeKey(AUTH_TO_ACCESS+key);

byte[]bytes=null;

RedisConnection conn=this.getConnection();

try{

bytes=conn.get(serializedKey);

}finally{

conn.close();

}

OAuth2AccessToken accessToken=this.deserializeAccessToken(bytes);

if(accessToken!=null){

OAuth2Authentication storedAuthentication=this.readAuthentication(accessToken.getValue());

if(storedAuthentication==null||!key.equals(this.authenticationKeyGenerator.extractKey(storedAuthentication))){

this.storeAccessToken(accessToken,authentication);

}

}

returnaccessToken;

}

@Override

publicOAuth2AuthenticationreadAuthentication(OAuth2AccessToken token){

returnthis.readAuthentication(token.getValue());

}

@Override

publicOAuth2AuthenticationreadAuthentication(String token){

byte[]bytes=null;

RedisConnection conn=this.getConnection();

try{

bytes=conn.get(this.serializeKey("auth:"+token));

}finally{

conn.close();

}

OAuth2Authentication auth=this.deserializeAuthentication(bytes);

returnauth;

}

@Override

publicOAuth2AuthenticationreadAuthenticationForRefreshToken(OAuth2RefreshToken token){

returnthis.readAuthenticationForRefreshToken(token.getValue());

}

publicOAuth2AuthenticationreadAuthenticationForRefreshToken(String token){

RedisConnection conn=getConnection();

try{

byte[]bytes=conn.get(serializeKey(REFRESH_AUTH+token));

OAuth2Authentication auth=deserializeAuthentication(bytes);

returnauth;

}finally{

conn.close();

}

}

@Override

publicvoidstoreAccessToken(OAuth2AccessToken token,OAuth2Authentication authentication){

byte[]serializedAccessToken=serialize(token);

byte[]serializedAuth=serialize(authentication);

byte[]accessKey=serializeKey(ACCESS+token.getValue());

byte[]authKey=serializeKey(AUTH+token.getValue());

byte[]authToAccessKey=serializeKey(AUTH_TO_ACCESS+authenticationKeyGenerator.extractKey(authentication));

byte[]approvalKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(authentication));

byte[]clientId=serializeKey(CLIENT_ID_TO_ACCESS+authentication.getOAuth2Request().getClientId());

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.stringCommands().set(accessKey,serializedAccessToken);

conn.stringCommands().set(authKey,serializedAuth);

conn.stringCommands().set(authToAccessKey,serializedAccessToken);

if(!authentication.isClientOnly()){

conn.rPush(approvalKey,serializedAccessToken);

}

conn.rPush(clientId,serializedAccessToken);

if(token.getExpiration()!=null){

intseconds=token.getExpiresIn();

conn.expire(accessKey,seconds);

conn.expire(authKey,seconds);

conn.expire(authToAccessKey,seconds);

conn.expire(clientId,seconds);

conn.expire(approvalKey,seconds);

}

OAuth2RefreshToken refreshToken=token.getRefreshToken();

if(refreshToken!=null&&refreshToken.getValue()!=null){

byte[]refresh=serialize(token.getRefreshToken().getValue());

byte[]auth=serialize(token.getValue());

byte[]refreshToAccessKey=serializeKey(REFRESH_TO_ACCESS+token.getRefreshToken().getValue());

conn.stringCommands().set(refreshToAccessKey,auth);

byte[]accessToRefreshKey=serializeKey(ACCESS_TO_REFRESH+token.getValue());

conn.stringCommands().set(accessToRefreshKey,refresh);

if(refreshTokeninstanceofExpiringOAuth2RefreshToken){

ExpiringOAuth2RefreshToken expiringRefreshToken=(ExpiringOAuth2RefreshToken)refreshToken;

Date expiration=expiringRefreshToken.getExpiration();

if(expiration!=null){

intseconds=Long.valueOf((expiration.getTime()-System.currentTimeMillis())/1000L)

.intValue();

conn.expire(refreshToAccessKey,seconds);

conn.expire(accessToRefreshKey,seconds);

}

}

}

conn.closePipeline();

}finally{

conn.close();

}

}

privatestaticStringgetApprovalKey(OAuth2Authentication authentication){

String userName=authentication.getUserAuthentication()==null?"":authentication.getUserAuthentication().getName();

returngetApprovalKey(authentication.getOAuth2Request().getClientId(),userName);

}

privatestaticStringgetApprovalKey(String clientId,String userName){

returnclientId+(userName==null?"":":"+userName);

}

@Override

publicvoidremoveAccessToken(OAuth2AccessToken accessToken){

this.removeAccessToken(accessToken.getValue());

}

@Override

publicOAuth2AccessTokenreadAccessToken(String tokenValue){

byte[]key=serializeKey(ACCESS+tokenValue);

byte[]bytes=null;

RedisConnection conn=getConnection();

try{

bytes=conn.get(key);

}finally{

conn.close();

}

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

returnaccessToken;

}

publicvoidremoveAccessToken(String tokenValue){

byte[]accessKey=serializeKey(ACCESS+tokenValue);

byte[]authKey=serializeKey(AUTH+tokenValue);

byte[]accessToRefreshKey=serializeKey(ACCESS_TO_REFRESH+tokenValue);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.get(accessKey);

conn.get(authKey);

conn.del(accessKey);

conn.del(accessToRefreshKey);

// Don't remove the refresh token - it's up to the caller to do that

conn.del(authKey);

List<Object>results=conn.closePipeline();

byte[]access=(byte[])results.get(0);

byte[]auth=(byte[])results.get(1);

OAuth2Authentication authentication=deserializeAuthentication(auth);

if(authentication!=null){

String key=authenticationKeyGenerator.extractKey(authentication);

byte[]authToAccessKey=serializeKey(AUTH_TO_ACCESS+key);

byte[]unameKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(authentication));

byte[]clientId=serializeKey(CLIENT_ID_TO_ACCESS+authentication.getOAuth2Request().getClientId());

conn.openPipeline();

conn.del(authToAccessKey);

conn.lRem(unameKey,1,access);

conn.lRem(clientId,1,access);

conn.del(serialize(ACCESS+key));

conn.closePipeline();

}

}finally{

conn.close();

}

}

@Override

publicvoidstoreRefreshToken(OAuth2RefreshToken refreshToken,OAuth2Authentication authentication){

byte[]refreshKey=serializeKey(REFRESH+refreshToken.getValue());

byte[]refreshAuthKey=serializeKey(REFRESH_AUTH+refreshToken.getValue());

byte[]serializedRefreshToken=serialize(refreshToken);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.stringCommands().set(refreshKey,serializedRefreshToken);

conn.stringCommands().set(refreshAuthKey,serialize(authentication));

if(refreshTokeninstanceofExpiringOAuth2RefreshToken){

ExpiringOAuth2RefreshToken expiringRefreshToken=(ExpiringOAuth2RefreshToken)refreshToken;

Date expiration=expiringRefreshToken.getExpiration();

if(expiration!=null){

intseconds=Long.valueOf((expiration.getTime()-System.currentTimeMillis())/1000L)

.intValue();

conn.expire(refreshKey,seconds);

conn.expire(refreshAuthKey,seconds);

}

}

conn.closePipeline();

}finally{

conn.close();

}

}

@Override

publicOAuth2RefreshTokenreadRefreshToken(String tokenValue){

byte[]key=serializeKey(REFRESH+tokenValue);

byte[]bytes=null;

RedisConnection conn=getConnection();

try{

bytes=conn.get(key);

}finally{

conn.close();

}

OAuth2RefreshToken refreshToken=deserializeRefreshToken(bytes);

returnrefreshToken;

}

@Override

publicvoidremoveRefreshToken(OAuth2RefreshToken refreshToken){

this.removeRefreshToken(refreshToken.getValue());

}

publicvoidremoveRefreshToken(String tokenValue){

byte[]refreshKey=serializeKey(REFRESH+tokenValue);

byte[]refreshAuthKey=serializeKey(REFRESH_AUTH+tokenValue);

byte[]refresh2AccessKey=serializeKey(REFRESH_TO_ACCESS+tokenValue);

byte[]access2RefreshKey=serializeKey(ACCESS_TO_REFRESH+tokenValue);

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.del(refreshKey);

conn.del(refreshAuthKey);

conn.del(refresh2AccessKey);

conn.del(access2RefreshKey);

conn.closePipeline();

}finally{

conn.close();

}

}

@Override

publicvoidremoveAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken){

this.removeAccessTokenUsingRefreshToken(refreshToken.getValue());

}

privatevoidremoveAccessTokenUsingRefreshToken(String refreshToken){

byte[]key=serializeKey(REFRESH_TO_ACCESS+refreshToken);

List<Object>results=null;

RedisConnection conn=getConnection();

try{

conn.openPipeline();

conn.get(key);

conn.del(key);

results=conn.closePipeline();

}finally{

conn.close();

}

if(results==null){

return;

}

byte[]bytes=(byte[])results.get(0);

String accessToken=deserializeString(bytes);

if(accessToken!=null){

removeAccessToken(accessToken);

}

}

@Override

publicCollection<OAuth2AccessToken>findTokensByClientIdAndUserName(String clientId,String userName){

byte[]approvalKey=serializeKey(UNAME_TO_ACCESS+getApprovalKey(clientId,userName));

List<byte[]>byteList=null;

RedisConnection conn=getConnection();

try{

byteList=conn.lRange(approvalKey,0,-1);

}finally{

conn.close();

}

if(byteList==null||byteList.size()==0){

returnCollections.<OAuth2AccessToken>emptySet();

}

List<OAuth2AccessToken>accessTokens=newArrayList<OAuth2AccessToken>(byteList.size());

for(byte[]bytes:byteList){

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

accessTokens.add(accessToken);

}

returnCollections.<OAuth2AccessToken>unmodifiableCollection(accessTokens);

}

@Override

publicCollection<OAuth2AccessToken>findTokensByClientId(String clientId){

byte[]key=serializeKey(CLIENT_ID_TO_ACCESS+clientId);

List<byte[]>byteList=null;

RedisConnection conn=getConnection();

try{

byteList=conn.lRange(key,0,-1);

}finally{

conn.close();

}

if(byteList==null||byteList.size()==0){

returnCollections.<OAuth2AccessToken>emptySet();

}

List<OAuth2AccessToken>accessTokens=newArrayList<OAuth2AccessToken>(byteList.size());

for(byte[]bytes:byteList){

OAuth2AccessToken accessToken=deserializeAccessToken(bytes);

accessTokens.add(accessToken);

}

returnCollections.<OAuth2AccessToken>unmodifiableCollection(accessTokens);

}

}

配置资源服务器

@Configuration

@EnableResourceServer

@Order(3)

publicclassResourceServerConfigextendsResourceServerConfigurerAdapter{

@Override

publicvoidconfigure(HttpSecurity http)throwsException{

http

.csrf().disable()

.exceptionHandling()

.authenticationEntryPoint((request,response,authException)->response.sendError(HttpServletResponse.SC_UNAUTHORIZED))

.and()

.requestMatchers().antMatchers("/api/**")

.and()

.authorizeRequests()

.antMatchers("/api/**").authenticated()

.and()

.httpBasic();

}

}

配置Spring Security

@Configuration

@EnableWebSecurity

@Order(2)

publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{

@Autowired

privateMyUserDetailService userDetailService;

@Bean

publicPasswordEncoderpasswordEncoder(){

//return new BCryptPasswordEncoder();

returnnewNoEncryptPasswordEncoder();

}

@Override

protectedvoidconfigure(HttpSecurity http)throwsException{

http.requestMatchers().antMatchers("/oauth/**")

.and()

.authorizeRequests()

.antMatchers("/oauth/**").authenticated()

.and()

.csrf().disable();

}

@Override

protectedvoidconfigure(AuthenticationManagerBuilder auth)throwsException{

auth.userDetailsService(userDetailService).passwordEncoder(passwordEncoder());

}

/**

* 不定义没有password grant_type

*

* @return

* @throws Exception

*/

@Override

@Bean

publicAuthenticationManagerauthenticationManagerBean()throwsException{

returnsuper.authenticationManagerBean();

}

}

可以看到ResourceServerConfig 是比SecurityConfig 的优先级低的。

二者的关系:

ResourceServerConfig 用于保护oauth相关的endpoints,同时主要作用于用户的登录(form login,Basic auth)

SecurityConfig 用于保护oauth要开放的资源,同时主要作用于client端以及token的认证(Bearer auth)

所以我们让SecurityConfig优先于ResourceServerConfig,且在SecurityConfig 不拦截oauth要开放的资源,在ResourceServerConfig 中配置需要token验证的资源,也就是我们对外提供的接口。所以这里对于所有微服务的接口定义有一个要求,就是全部以/api开头。

如果这里不这样配置的话,在你拿到access_token去请求各个接口时会报invalid_token的提示。

另外,由于我们自定义认证逻辑,所以需要重写UserDetailService

@Service("userDetailService")

publicclassMyUserDetailServiceimplementsUserDetailsService{

@Autowired

privateMemberDao memberDao;

@Override

publicUserDetailsloadUserByUsername(String memberName)throwsUsernameNotFoundException{

Member member=memberDao.findByMemberName(memberName);

if(member==null){

thrownewUsernameNotFoundException(memberName);

}

Set<GrantedAuthority>grantedAuthorities=newHashSet<>();

// 可用性 :true:可用 false:不可用

booleanenabled=true;

// 过期性 :true:没过期 false:过期

booleanaccountNonExpired=true;

// 有效性 :true:凭证有效 false:凭证无效

booleancredentialsNonExpired=true;

// 锁定性 :true:未锁定 false:已锁定

booleanaccountNonLocked=true;

for(Role role:member.getRoles()){

//角色必须是ROLE_开头,可以在数据库中设置

GrantedAuthority grantedAuthority=newSimpleGrantedAuthority(role.getRoleName());

grantedAuthorities.add(grantedAuthority);

//获取权限

for(Permission permission:role.getPermissions()){

GrantedAuthority authority=newSimpleGrantedAuthority(permission.getUri());

grantedAuthorities.add(authority);

}

}

User user=newUser(member.getMemberName(),member.getPassword(),

enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,grantedAuthorities);

returnuser;

}

}

密码验证为了方便我使用了不加密的方式,重写了PasswordEncoder,实际开发还是建议使用BCryptPasswordEncoder。

publicclassNoEncryptPasswordEncoderimplementsPasswordEncoder{

@Override

publicStringencode(CharSequence charSequence){

return(String)charSequence;

}

@Override

publicbooleanmatches(CharSequence charSequence,String s){

returns.equals((String)charSequence);

}

}

另外,OAuth的密码模式需要AuthenticationManager支持

@Override

@Bean

publicAuthenticationManagerauthenticationManagerBean()throwsException{

returnsuper.authenticationManagerBean();

}

定义一个Controller,提供两个接口,/api/member用来获取当前用户信息,/api/exit用来注销当前用户

@RestController

@RequestMapping("/api")

publicclassMemberController{

@Autowired

privateMyUserDetailService userDetailService;

@Autowired

privateConsumerTokenServices consumerTokenServices;

@GetMapping("/member")

publicPrincipaluser(Principal member){

returnmember;

}

@DeleteMapping(value="/exit")

publicResultrevokeToken(String access_token){

Result result=newResult();

if(consumerTokenServices.revokeToken(access_token)){

result.setCode(ResultCode.SUCCESS.getCode());

result.setMessage("注销成功");

}else{

result.setCode(ResultCode.FAILED.getCode());

result.setMessage("注销失败");

}

returnresult;

}

}

会员服务配置

引入依赖

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<artifactId>eshop-member</artifactId>

<packaging>war</packaging>

<description>会员模块</description>

<dependencies>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-test</artifactId>

<scope>test</scope>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>com.alibaba</groupId>

<artifactId>fastjson</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

配置资源服务器

@Configuration

@EnableResourceServer

publicclassResourceServerConfigextendsResourceServerConfigurerAdapter{

@Override

publicvoidconfigure(HttpSecurity http)throwsException{

http

.csrf().disable()

.exceptionHandling()

.authenticationEntryPoint((request,response,authException)->response.sendError(HttpServletResponse.SC_UNAUTHORIZED))

.and()

.requestMatchers().antMatchers("/api/**")

.and()

.authorizeRequests()

.antMatchers("/api/**").authenticated()

.and()

.httpBasic();

}

}

配置文件配置

spring:

application:

name:eshop-member

server:

port:1201

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

security:

oauth2:

resource:

id:eshop-member

user-info-uri:http://localhost:1202/auth/api/member

prefer-token-info:false

MemberApplication主类配置

@SpringBootApplication

@EnableDiscoveryClient

@EnableGlobalMethodSecurity(prePostEnabled=true)

publicclassMemberApplication{

publicstaticvoidmain(String[]args){

SpringApplication.run(MemberApplication.class,args);

}

}

提供对外接口

@RestController

@RequestMapping("/api")

publicclassMemberController{

@GetMapping("hello")

@PreAuthorize("hasAnyAuthority('hello')")

publicStringhello(){

return"hello";

}

@GetMapping("current")

publicPrincipaluser(Principal principal){

returnprincipal;

}

@GetMapping("query")

@PreAuthorize("hasAnyAuthority('query')")

publicStringquery(){

return"具有query权限";

}

}

配置网关

引入依赖

<?xml version="1.0"encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<parent>

<artifactId>eshop-parent</artifactId>

<groupId>com.curise.eshop</groupId>

<version>1.0-SNAPSHOT</version>

</parent>

<modelVersion>4.0.0</modelVersion>

<packaging>jar</packaging>

<artifactId>eshop-gateway</artifactId>

<description>网关</description>

<dependencies>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-netflix-zuul</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-oauth2</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.cloud</groupId>

<artifactId>spring-cloud-starter-security</artifactId>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-actuator</artifactId>

</dependency>

</dependencies>

<build>

<plugins>

<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

配置文件

server:

port:1202

spring:

application:

name:eshop-gateway

#--------------------eureka---------------------

eureka:

instance:

prefer-ip-address:true

instance-id:${spring.cloud.client.ip-address}:${server.port}

client:

service-url:

defaultZone:http://localhost:1111/eureka/

#--------------------Zuul-----------------------

zuul:

routes:

member:

path:/member/**

serviceId: eshop-member

sensitiveHeaders: "*"

auth:

path: /auth/**

serviceId: eshop-auth

sensitiveHeaders: "*"

retryable: false

ignored-services: "*"

ribbon:

eager-load:

enabled: true

host:

connect-timeout-millis: 3000

socket-timeout-millis: 3000

add-proxy-headers: true

#---------------------OAuth2---------------------

security:

oauth2:

client:

access-token-uri: http://localhost:${server.port}/auth/oauth/token

user-authorization-uri: http://localhost:${server.port}/auth/oauth/authorize

client-id: web

resource:

user-info-uri:  http://localhost:${server.port}/auth/api/member

prefer-token-info: false

#----------------------超时配置-------------------

ribbon:

ReadTimeout: 3000

ConnectTimeout: 3000

MaxAutoRetries: 1

MaxAutoRetriesNextServer: 2

eureka:

enabled: true

hystrix:

command:

default:

execution:

timeout:

enabled: true

isolation:

thread:

timeoutInMilliseconds: 3500

ZuulApplication主类

@SpringBootApplication

@EnableDiscoveryClient

@EnableZuulProxy

@EnableOAuth2Sso

publicclassZuulApplication{

publicstaticvoidmain(String[]args){

SpringApplication.run(ZuulApplication.class,args);

}

}

Spring Security配置

@Configuration

@EnableWebSecurity

@Order(99)

publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{

@Override

protectedvoidconfigure(HttpSecurity http)throwsException{

http.csrf().disable();

}

}

接下来分别启动eshop-server、eshop-member、eshop-auth、eshop-gateway。

先发送一个请求测试一下未认证的效果

获取认证

使用access_token请求auth服务下的用户信息接口

使用access_token请求member服务下的用户信息接口

请求member服务的query接口

请求member服务的hello接口,数据库里并没有给用户hello权限

刷新token

注销


后续还会慢慢完善,敬请期待!!

关于代码和数据表sql已经上传到GitHub。地址:

https://github.com/WYA1993/springcloud_oauth2.0。

注意把数据库和redis替换成自己的地址

统一回复一下,有很多人反映获取认证时返回401,如下:

{

"timestamp":"2019-08-13T03:25:27.161+0000",

"status":401,

"error":"Unauthorized",

"message":"Unauthorized",

"path":"/oauth/token"

}

原因是在发起请求的时候没有添加Basic Auth认证,如下图:

,添加Basic Auth认证后会在headers添加一个认证消息头

添加Basic Auth认证的信息在代码中有体现:

客户端信息和token信息从MySQL数据库中获取

现在客户端信息都是存在内存中的,生产环境肯定不可以这么做,要支持客户端的动态添加或删除,所以我选择把客户端信息存到MySQL中。

首先,创建数据表,数据表的结构官方已经给出,地址在

https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql

222

其次,需要修改一下sql脚本,把主键的长度改为128,LONGVARBINARY类型改为blob,调整后的sql脚本:

create table oauth_client_details(

client_idVARCHAR(128)PRIMARY KEY,

resource_idsVARCHAR(256),

client_secretVARCHAR(256),

scopeVARCHAR(256),

authorized_grant_typesVARCHAR(256),

web_server_redirect_uriVARCHAR(256),

authoritiesVARCHAR(256),

access_token_validity INTEGER,

refresh_token_validity INTEGER,

additional_informationVARCHAR(4096),

autoapproveVARCHAR(256)

);

create table oauth_client_token(

token_idVARCHAR(256),

token BLOB,

authentication_idVARCHAR(128)PRIMARY KEY,

user_nameVARCHAR(256),

client_idVARCHAR(256)

);

create table oauth_access_token(

token_idVARCHAR(256),

token BLOB,

authentication_idVARCHAR(128)PRIMARY KEY,

user_nameVARCHAR(256),

client_idVARCHAR(256),

authentication BLOB,

refresh_tokenVARCHAR(256)

);

create table oauth_refresh_token(

token_idVARCHAR(256),

token BLOB,

authentication BLOB

);

create table oauth_code(

codeVARCHAR(256),authentication BLOB

);

create table oauth_approvals(

userIdVARCHAR(256),

clientIdVARCHAR(256),

scopeVARCHAR(256),

statusVARCHAR(10),

expiresAt TIMESTAMP,

lastModifiedAt TIMESTAMP

);

--customized oauth_client_details table

create table ClientDetails(

appIdVARCHAR(128)PRIMARY KEY,

resourceIdsVARCHAR(256),

appSecretVARCHAR(256),

scopeVARCHAR(256),

grantTypesVARCHAR(256),

redirectUrlVARCHAR(256),

authoritiesVARCHAR(256),

access_token_validity INTEGER,

refresh_token_validity INTEGER,

additionalInformationVARCHAR(4096),

autoApproveScopesVARCHAR(256)

);

调整后的sql脚步也放到了GitHub中,需要的可以自行下载

然后在eshop_member数据库创建数据表,将客户端信息添加到oauth_client_details表中

如果你的密码不是明文,记得client_secret需要加密后存储。

然后修改代码,配置从数据库读取客户端信息

接下来启动服务测试即可。

获取授权

获取用户信息

刷新token

打开数据表发现token这些信息并没有存到表中,因为tokenStore使用的是redis方式,我们可以替换为从数据库读取。修改配置

重启服务再次测试

查看数据表,发现token数据已经存到表里了。

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 206,013评论 6 481
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 88,205评论 2 382
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 152,370评论 0 342
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 55,168评论 1 278
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 64,153评论 5 371
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,954评论 1 283
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,271评论 3 399
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,916评论 0 259
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 43,382评论 1 300
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,877评论 2 323
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,989评论 1 333
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,624评论 4 322
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,209评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,199评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,418评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,401评论 2 352
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,700评论 2 345

推荐阅读更多精彩内容