配置web.xml

添加spring-cloud-starter-security和spring-security-oauth2-autoconfigure兩個(gè)依賴。

</dependency> <!-- Spring cloud starter: Security --> <!-- Include: web, actuator, security, zuul, etc. --> <dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-security</artifactId> </dependency> <!-- Spring Security OAuth2 Autoconfigure (optional in spring-cloud-security after 2.1) --> <dependency><groupId>org.springframework.security.oauth.boot</groupId><artifactId>spring-security-oauth2-autoconfigure</artifactId> </dependency>

此外，它還是一個(gè)Eureka Client和Config Client，如何配置Eureka Client和Config Client請(qǐng)看前面章節(jié)。

?

配置WebSecurity

package com.mytools.config;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.password.PasswordEncoder;/*** Spring Security Configuration.*/ @Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {@Autowiredprivate UserDetailsService userDetailsService;/*** password encodeer*/@Beanpublic PasswordEncoder passwordEncoder() {return PasswordEncoderFactories.createDelegatingPasswordEncoder();}@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}/* (non-Javadoc)* @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)*/@Overrideprotected void configure(HttpSecurity http) throws Exception {//@formatter:offhttp.authorizeRequests() // configure authorize request rule.antMatchers("/index").permitAll()// .antMatchers("/url/**").hasRole("ADMIN") // some urls have access ADMIN// .anyRequest().authenticated() // any other request need to authenticate .and().formLogin() // login as form.loginPage("/login") // login url (default is login page with framework)// .defaultSuccessUrl("/index") // login success url (default is index).failureUrl("/login-error") // login fail url .and()// .logout() // logout config// .logoutUrl("/logout") // logout url (default is logout)// .logoutSuccessUrl("/index") // logout success url (default is login).rememberMe() // Remember me.key("uniqueAndSecret") // generate the contents of the token.tokenValiditySeconds(60 * 60 * 24 * 30) // 30 days.userDetailsService(userDetailsService) // register UserDetailsService for remember me functionality// .and()//.httpBasic() // use HTTP Basic authentication(in header) for an application ;//@formatter:on } }

說明：

（1）UserDetailsService的配置：有兩種方式，一種是實(shí)現(xiàn)UserDetails/UserDetailsService接口，從DB中獲取User和Role。另一種是使用InMemoryUserDetailsManagerConfigurer在內(nèi)存中創(chuàng)建user和Role。這里使用了第一種，這一部分是Spring Security的范疇，是這里不再貼代碼。如果對(duì)這部分不熟悉，可以參考：

Spring Security(1)：認(rèn)證和授權(quán)的核心組件介紹及源碼分析

Spring Security Reference

（2）PasswordEncoder的配置：使用PasswordEncoderFactories可以通過不同前綴來識(shí)別和創(chuàng)建各種不同的PasswordEncoder。在當(dāng)前的Spring Security版本中，password必須加密，不加密會(huì)報(bào)錯(cuò)。

（3）AuthenticationManager的配置：AuthenticationManager雖然在Spring Security自動(dòng)配置中已經(jīng)創(chuàng)建，但是并沒有暴露為一個(gè)Spring Bean（exposed as a Bean）。我們?cè)谶@里覆蓋它并聲明它為一個(gè)Bean，目的是在配置Authorization Server時(shí)配置AuthorizationServerEndpoints時(shí)使用（for the password grant）。

（4）HttpSecurity的配置：這一部分是Spring Security的范疇，這里不再贅述。這里主要自定義了User&Role&Path的mapping關(guān)系，及l(fā)ogin, index, logout,remember-me等邏輯和頁(yè)面等。

?

配置Authorization Server

package com.mytools.config;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer; import org.springframework.security.oauth2.provider.ClientDetailsService;/*** OAuth2 Authorization Server Configuration.*/ @Configuration public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {@Autowiredprivate AuthenticationManager authenticationManager;@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate ClientDetailsService clientDetailsService;/*** 用來配置令牌端點(diǎn)(Token Endpoint)的安全約束<br>* * @see org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter#configure(org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer)*/@Overridepublic void configure(AuthorizationServerSecurityConfigurer security) throws Exception {// 如果配置這個(gè)的話，且url中有client_id和client_secret的會(huì)走ClientCredentialsTokenEndpointFilter來保護(hù)// 如果沒有配置這個(gè)，或者配置了這個(gè)但是url中沒有client_id和client_secret的，走basic認(rèn)證保護(hù)// [IMPORTANT] 這里如果不設(shè)置，client app里的clientAuthenticationScheme應(yīng)該設(shè)置為header，反之設(shè)置為form// security.allowFormAuthenticationForClients(); }/*** 用來配置客戶端詳情服務(wù)（ClientDetailsService），客戶端詳情信息在這里進(jìn)行初始化<br>* * @see org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter#configure(org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer)*/@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.withClientDetails(clientDetailsService);}/* 定義授權(quán)和令牌端點(diǎn)以及令牌服務(wù)<br>* @see org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter#configure(org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer)*/@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints.authenticationManager(authenticationManager) // 使用Spring提供的AuthenticationManager開啟密碼授權(quán).userDetailsService(userDetailsService) // 注入一個(gè) UserDetailsService，那么刷新令牌授權(quán)將包含對(duì)用戶詳細(xì)信息的檢查，以確保該帳戶仍然是活動(dòng)的.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST); // 默認(rèn)只支持POST } }

說明：

（1）注入AuthenticationManager及UserDetailsService：在配置AuthorizationServerEndpointsConfigurer時(shí)使用。

（2）ClientDetailsService配置：與UserDetailsService的配置類似，同樣有兩種方式，一種是實(shí)現(xiàn)ClientDetails/ClientDetailsService接口，從DB中獲取Client。另一種是使用InMemoryClientDetailsServiceBuilder在內(nèi)存中創(chuàng)建Client。這里使用了第一種，也不再貼代碼。

（3）AuthorizationServerSecurityConfigurer配置：用來配置Authorization Server令牌端點(diǎn)(Token Endpoint)的安全約束，一般不用配置。

（4）ClientDetailsServiceConfigurer配置：配置ClientDetails。

（5）AuthorizationServerEndpointsConfigurer配置：配置authenticationManager和userDetailsService是告訴Authorization Server使用Spring Security提供的驗(yàn)證管理器及用戶詳細(xì)信息服務(wù)。

?

配置ResourceServer

package com.mytools.config;import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;/*** OAuth2 Resource Server Configuration.*/ @Configuration public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {/*** ResourceId: We can give each of the ResourceServer instance to a resourceId.<br>* Here is the resourceId validation on OAuth2AuthenticationManager#authenticate:<br>* * <pre>* Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();* if (resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {* throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");* }* </pre>* * @throws Exception*/@Overridepublic void configure(ResourceServerSecurityConfigurer resources) throws Exception {resources.resourceId("server-auth-resource");super.configure(resources);}@Overridepublic void configure(HttpSecurity http) throws Exception {// [IMPORTANT] 為什么要提前加antMatcher? 可以看一下antMatcher()的注釋:// Allows configuring the HttpSecurity to only be invoked when matching the provided ant pattern.http.antMatcher("/user").authorizeRequests()// .antMatchers("xxx", "xxx").permitAll() .anyRequest().authenticated();} }

主要定義了resource-id及受保護(hù)的資源的path及Role&Path的mapping關(guān)系

?

配置ServerAuthApplication

package com.mytools;import java.util.HashMap; import java.util.Map;import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController;@SpringBootApplication @RestController @EnableAuthorizationServer @EnableResourceServer public class ServerAuthApplication2 {public static void main(String[] args) {SpringApplication.run(ServerAuthApplication2.class, args);}/*** 映射到/user, Resource Server會(huì)調(diào)用該端點(diǎn)<br>* Resource Server中的@EnableResourceServer會(huì)強(qiáng)制執(zhí)行一個(gè)過濾器，<br>* 該攔截器會(huì)用傳入的token回調(diào)[security.oauth2.resource.userInfoUri]中定義的URI來查看令牌是否有效。<br>* 此外，該URI還會(huì)從Authorization Server傳回一個(gè)Map，包含Principal and GrantedAuthority信息。<br>* 這個(gè)信息是必須的。詳細(xì)請(qǐng)看：UserInfoTokenServices.loadAuthentication<br>* * @param user* @return*/@RequestMapping(value = "/user", produces = "application/json")public Map<String, Object> user(OAuth2Authentication user, @RequestParam(required = false) String client) {Map<String, Object> userInfo = new HashMap<>();userInfo.put("user", user.getUserAuthentication().getName());userInfo.put("authorities", AuthorityUtils.authorityListToSet(user.getUserAuthentication().getAuthorities()));return userInfo;} }

說明：

（1）使用@EnableAuthorizationServer聲明為一個(gè)OAuth2 Authorization Server。

（2）使用@EnableResourceServer聲明為一個(gè)OAuth2 Resource Server。這里聲明其為一個(gè)Resource Server只是為了保護(hù)/user這一個(gè)端點(diǎn)。下面/user端點(diǎn)的定義會(huì)具體說明原因。

（3）/user Endpoint：Resource Server中的@EnableResourceServer會(huì)強(qiáng)制執(zhí)行一個(gè)攔截器，該攔截器會(huì)用傳入的token回調(diào)Resource Server配置文件中定義的security.oauth2.resource.userInfoUri來查看令牌是否有效。這個(gè)userInfoUri就映射到了Authorization Server中/user Endpoint。在/user Endpoint中返回了一個(gè)含有包含Principal和GrantedAuthority信息的Map。最終Resource Server拿到這個(gè)Map，進(jìn)而判斷這個(gè)User有沒有這個(gè)權(quán)限來訪問Resource Server中的某個(gè)path。相關(guān)源碼可以看UserInfoTokenServices的loadAuthentication方法。

?

驗(yàn)證

準(zhǔn)備數(shù)據(jù)

-- Create user INSERT INTO user (username, password, email, enabled, create_user, create_date_time, update_user, update_date_time) VALUES ('admin', '{bcrypt}$2a$10$bmixgIna/bd5gU5ORrWng.xUs2sGBh3BRqj927ChKkAvJA8CVGZmm', 'admin@email.com', true, 'admin', '2019-01-01 10:00:00.000', 'admin', '2019-01-01 10:00:00.000');-- Create client INSERT INTO client (client_id, client_secret, authorized_grant_types_str, registered_redirect_uris_str, enabled, create_user, create_date_time, update_user, update_date_time) VALUES ('dummy-client', '{bcrypt}$2a$10$nbLJ9DdK/HLlKc.Gm/5S4utfxht9D3mj5M7cm9peFDbBGgTLPEh0u', 'authorization_code,password', 'https://www.google.com', true, 'admin', '2019-01-01 10:00:00.000', 'admin', '2019-01-01 10:00:00.000');-- Create role INSERT INTO role (rolename, role_level, enabled, create_user, create_date_time, update_user, update_date_time) VALUES ('ADMIN', 1, true, 'admin', '2019-01-01 10:00:00.000', 'admin', '2019-01-01 10:00:00.000');-- Create user_role_map INSERT INTO user_role_map (username, rolename) VALUES ('admin', 'ADMIN');

Authorization Code（授權(quán)碼模式）

（1）調(diào)用 http://localhost:10030/server-auth/oauth/authorize?response_type=code&client_id=dummy-client&state=test-state&redirect_uri=https://www.google.com&scope=all

如果使用了Zuul，則可以調(diào)用 http://localhost:10020/server-zuul/s3/server-auth/oauth/authorize?response_type=code&client_id=dummy-client&state=test-state&redirect_uri=https://www.google.com&scope=all

如果需要登錄，則需要填寫登錄賬號(hào)admin 密碼admin。

（2）選擇scope: all

（3）Get?Authorization Code?from redirect url:?https://www.google.com/?code=ST77hh&state=test-state

（4）Call url with?Authorization Code:?http://localhost:10030/server-auth/oauth/token?client_id=dummy-client&grant_type=authorization_code&code=ST77hh&redirect_uri=https://www.google.com&scope=all

如果使用了Zuul，則可以調(diào)用?http://localhost:10030/server-auth/oauth/token?client_id=dummy-client&grant_type=authorization_code&code=ST77hh&redirect_uri=https://www.google.com&scope=all

（5）Http Basic?Authorization: username is?dummy-client, password is?dummy-client

（6）Get json with token:?{"access_token":"8b867ab3-d900-4f1c-947a-b33dc20a91c1","token_type":"bearer","expires_in":43085,"scope":"all"}

Resource Owner Password（密碼模式）

（1）調(diào)用?http://localhost:10030/server-auth/oauth/token?client_id=dummy-client&grant_type=password&username=admin&password=admin&scope=all

如果使用了Zuul，則可以調(diào)用?http://localhost:10020/server-zuul/s3/server-auth/oauth/token?client_id=dummy-client&grant_type=password&username=admin&password=admin&scope=all

（2）Http Basic?Authorization: username is?dummy-client, password is?dummy-client

（3）Get json with token:?{"access_token":"8b867ab3-d900-4f1c-947a-b33dc20a91c1","token_type":"bearer","expires_in":43085,"scope":"all"}

[注1] 如果使用Zuul調(diào)用，則需要配置以下內(nèi)容：

（1）server-auth中的application.yml

## Eureka info eureka:# 如果設(shè)置了true并且也設(shè)置了eureka.instance.ip-address那么就將此ip地址注冊(cè)到Eureka中，那么調(diào)用的時(shí)候，發(fā)送的請(qǐng)求目的地就是此Ip地址instance:preferIpAddress: trueipAddress: localhost

（2）server-zuul中的application.yml

## Zuul info zuul:# Zuul不會(huì)將敏感HTTP首部（如Cookie,Set-Cookie,Authorization）轉(zhuǎn)發(fā)到下游服務(wù)。它是一個(gè)黑名單。這里排除了Cookie,Set-Cookie,Authorization為后面的OAuth2服務(wù)sensitiveHeaders:

?

其他參數(shù)說明

[scope]

如果請(qǐng)求中含有scope

?- Client沒有配置scopes，可以認(rèn)為是All Scopes，則可以使用（approve）請(qǐng)求的scope

?- Client配置了一組scopes，如果包含請(qǐng)求的scope，則可以使用（approve）請(qǐng)求的scope；如果不包含，則報(bào)錯(cuò)（scope didn't match）

如果請(qǐng)求中沒有scope

?- Client沒有配置scopes，且請(qǐng)求中也沒有，報(bào)錯(cuò)（empty scope is not allowed）

?- Client配置了一組scopes，則可以使用（approve）Client的所有scopes

[注] 注意上面有一個(gè)"approve"關(guān)鍵字。如果Client為scopes配置了AutoApprove=true，則會(huì)跳過approve這一步。

[client_id]

如果在Authorization Server中配置的一個(gè)ClientDetails中沒有配置resourceId，則這個(gè)Client有訪問所有resource的權(quán)限。

如果在Resource Server沒有配置resourceId，則這個(gè)resource可以被所有Client有訪問。

如果兩端都配置了，且Client的resourceIds包含Resource Server的resourceId，這個(gè)resource才可以被這個(gè)Client訪問。

[注] 代碼來源：OAuth2AuthenticationManager#authenticate

[client_secret]

在OAuth2標(biāo)準(zhǔn)中，client_secret并不是required field。但是，在Spring Security中，client_id/client_secret被當(dāng)作了UserDetails，同樣會(huì)調(diào)用AuthenticationProvider.authenticate()方法，最終調(diào)用DaoAuthenticationProvider.additionalAuthenticationChecks()，再調(diào)用PasswordEncoder的match()方法。PasswordEncoder的實(shí)現(xiàn)類（比如DelegatingPasswordEncoder，BCryptPasswordEncoder）在驗(yàn)證空password時(shí)都不會(huì)通過。

解決方法：可以重寫PasswordEncoder實(shí)現(xiàn)類的match()方法，也可以設(shè)置client_secret為required field。這里使用后一種。

轉(zhuǎn)載于:https://www.cnblogs.com/storml/p/11244514.html

總結(jié)

以上是生活随笔為你收集整理的Spring Cloud(6.1)：搭建OAuth2 Authorization Server的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。