看這篇之前,相信你對SpringBoot,Spring Security,OAuth2都有個大概的瞭解,什麼?不瞭解?篇幅太長,本人太懶,木有關係,已經替你找好博客了,springBoot介紹,Oauth2 .0介紹,彈簧安全介紹
如果你是第一次接觸,估計看完上面介紹還有有點懵,建議還是多瞭解一下,其實OAuth2.0的就是一個協議,瞭解下它的運行原理,按照協議寫代碼就好了,OK,瞭解之後,開工
Spring Security OAuth2
1.導入jar包
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
2.建立數據表,主要存儲認證信息以及令牌
說明表文檔http://andaily.com/spring-oauth-server/db_table_description.html
create table oauth_client_details (
client_id VARCHAR(256) PRIMARY KEY,
resource_ids VARCHAR(256),
client_secret VARCHAR(256),
scope VARCHAR(256),
authorized_grant_types VARCHAR(256),
web_server_redirect_uri VARCHAR(256),
authorities VARCHAR(256),
access_token_validity INTEGER,
refresh_token_validity INTEGER,
additional_information VARCHAR(4096),
autoapprove VARCHAR(256)
);
create table oauth_client_token (
token_id VARCHAR(256),
token blob,
authentication_id VARCHAR(256) PRIMARY KEY,
user_name VARCHAR(256),
client_id VARCHAR(256)
);
create table oauth_access_token (
token_id VARCHAR(256),
token blob,
authentication_id VARCHAR(256) PRIMARY KEY,
user_name VARCHAR(256),
client_id VARCHAR(256),
authentication blob,
refresh_token VARCHAR(256)
);
create table oauth_refresh_token (
token_id VARCHAR(256),
token blob,
authentication blob
);
create table oauth_code (
code VARCHAR(256), authentication blob
);
create table oauth_approvals (
userId VARCHAR(256),
clientId VARCHAR(256),
scope VARCHAR(256),
status VARCHAR(10),
expiresAt TIMESTAMP,
lastModifiedAt TIMESTAMP
);
也許你會問,表爲什麼這麼建,不要着急,下面會慢慢講到
3.認證服務器及資源服務器
@Configuration
public class OAuth2ServerConfig {
private static final String DEMO_RESOURCE_ID = "test";
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(DEMO_RESOURCE_ID).stateless(true);
}
}
@Configuration
@EnableAuthorizationServer
@Slf4j
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
AuthenticationManager authenticationManager;
@Autowired
RedisConnectionFactory redisConnectionFactory;
@Autowired
UserDetailsService userDetailsService;
// @Autowired
// @Qualifier("myMemoryTokenStore")
// TokenStore myTokenStore;
@Autowired
private DataSource dataSource;
@Bean // 聲明TokenStore實現
public TokenStore tokenStore() {
return new JdbcTokenStores(dataSource);
}
@Bean
public ClientDetailsService clientDetails() {
return new JdbcClientDetailsService(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//配置兩個客戶端,一個用於password認證一個用於client認證
// clients.inMemory().withClient("client_1")
//// .resourceIds(DEMO_RESOURCE_ID)
// .authorizedGrantTypes("client_credentials")
// .scopes("select")
// .authorities("ROLE_ADMIN","ROLE_USER")
// .secret("123456")
// .and().withClient("client_2")
//// a .resourceIds(DEMO_RESOURCE_ID)
// .authorizedGrantTypes("password", "refresh_token")
// .scopes("select")
// .accessTokenValiditySeconds(1800)
// .refreshTokenValiditySeconds(3600)
// .authorities("ROLE_ADMIN","ROLE_USER")
// .secret("123456");
//默認值InMemoryTokenStore對於單個服務器是完全正常的(即,在發生故障的情況下,低流量和熱備份備份服務器)。大多數項目可以從這裏開始,也可以在開發模式下運行,以便輕鬆啓動沒有依賴關係的服務器。
//這JdbcTokenStore是同一件事的JDBC版本,它將令牌數據存儲在關係數據庫中。如果您可以在服務器之間共享數據庫,則可以使用JDBC版本,如果只有一個,則擴展同一服務器的實例,或者如果有多個組件,則授權和資源服務器。要使用JdbcTokenStore你需要“spring-jdbc”的類路徑。
//這個地方指的是從jdbc查出數據來存儲
clients.withClientDetails(clientDetails());
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(tokenStore())
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService)
// 2018-4-3 增加配置,允許 GET、POST 請求獲取 token,即訪問端點:oauth/token
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
// 配置TokenServices參數
DefaultTokenServices tokenServices = (DefaultTokenServices) endpoints.getDefaultAuthorizationServerTokenServices();
tokenServices.setTokenStore(endpoints.getTokenStore());
tokenServices.setSupportRefreshToken(true);
// 複用refresh token
tokenServices.setReuseRefreshToken(true);
tokenServices.setRefreshTokenValiditySeconds(3600);
tokenServices.setClientDetailsService(endpoints.getClientDetailsService());
tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer());
tokenServices.setAccessTokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(1)); // 1天
endpoints.tokenServices(tokenServices);
super.configure(endpoints);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
//允許表單認證
oauthServer.allowFormAuthenticationForClients();
}
}
/**
* 這裏主要測試移除token,登出使用的
*
*/
@FrameworkEndpoint
public class LogoutEndpoint {
@Qualifier("myMemoryTokenStore")
@Autowired
private TokenStore tokenStore;
@RequestMapping(value = "/oauth/logout", method= RequestMethod.POST)
@ResponseStatus(HttpStatus.OK)
public void logout(HttpServletRequest request, HttpServletResponse response){
String authHeader = request.getHeader("Authorization");
if (authHeader != null) {
String tokenValue = authHeader.replace("Bearer", "").trim();
OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
tokenStore.removeAccessToken(accessToken);
}
}
}
}
4.整合SecurityConfiguration
@Configuration
@EnableWebSecurity
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Resource(name = "userService")
private UserService userService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
/**
* 這一步的配置是必不可少的,否則SpringBoot會自動配置一個AuthenticationManager,覆蓋掉內存中的用戶
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
AuthenticationManager manager = super.authenticationManagerBean();
return manager;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.logout()
.clearAuthentication(true)
.and()
.requestMatchers().anyRequest()
.and()
.authorizeRequests()
.antMatchers("/oauth/*", "/webjars/**", "/resources/**", "index.html", "/logout"
, "/swagger","/user/loginIn","/user/resetPwd").permitAll()
.and()
.csrf()
.disable();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
5.編寫userService
@Service("userService")
@Slf4j
public class UserService implements UserDetailsService {
@Resource(name = "service.UserService")
private com.jolly.atplan.umrah.service.service.UserService userService;
@Override
public UserDetails loadUserByUsername(String loginId) throws UsernameNotFoundException {
log.info("LoginID : {}",loginId);
User user = userService.getUserByLoginId(loginId);
if(Objects.isNull(user)){
throw new UsernameNotFoundException("User " + loginId + " was not found in the database");
}
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
//返回一個SpringSecurity需要的用戶對象
return new org.springframework.security.core.userdetails.User(
user.getLoginId(),
user.getPwd(),
grantedAuthorities);
}
}
6.最後一步tokenConfig配置
@Configuration
public class TokenStoreConfig {
@Autowired
private DataSource dataSource;
@Bean(name = "myMemoryTokenStore")
public org.springframework.security.oauth2.provider.token.TokenStore myMemoryTokenStore() {
// return new InMemoryTokenStore();
return new JdbcTokenStores(dataSource);
}
}
7,別慌,還有一步,(如果你的控制檯報錯(找不到訪問令牌),令牌找不到)
新建類,重寫jdbcStore readAccessToken方法
public class JdbcTokenStores extends JdbcTokenStore {
private static final Log LOG = LogFactory.getLog(JdbcTokenStores.class);
public JdbcTokenStores(DataSource dataSource) {
super(dataSource);
}
@Override
public OAuth2AccessToken readAccessToken(String tokenValue) {
OAuth2AccessToken accessToken = null;
try {
accessToken = new DefaultOAuth2AccessToken(tokenValue);
}
catch (EmptyResultDataAccessException e) {
if (LOG.isInfoEnabled()) {
LOG.info("Failed to find access token for token "+tokenValue);
}
}
catch (IllegalArgumentException e) {
LOG.warn("Failed to deserialize access token for " +tokenValue,e);
removeAccessToken(tokenValue);
}
return accessToken;
}
}
8.測試訪問
9.查看數據庫表數據
第一張圖片是我們自己錄入的,後面的則是自動生成的,說明令牌生成成功
最後附上官網介紹:https://spring.io/guides/tutorials/spring-boot-oauth2/