我是用spring security,oauth2 ,zuul,springcloud做路由,同時進行api接口授權管理。
先貼出pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>zuulCenter</artifactId>
<version>0.1</version>
<packaging>jar</packaging>
<name>zuulCenter</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>com.neusoft</groupId>
<artifactId>center</artifactId>
<version>0.0.1-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>com.neusoft</groupId>
<artifactId>center_common</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- 路由 -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-zuul</artifactId>
<version>2.0.1.RELEASE</version>
</dependency>
<!-- 安全驗證 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.0.6.RELEASE</version>
</dependency>
</project>
啓動類
package com;
import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
/** 服務網管
* @author wf
* @Time 2019年1月17日 15:19
* @version 1.0
*/
@SpringBootApplication
@EnableEurekaClient
@EnableZuulProxy
@MapperScan("com.neusoft.dao")
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
oauth2的資源代碼
package com.neusoft.config;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.cors.CorsConfiguration;
/**
* @Description: 配置資源服務器(oauth2)
* @author: wf
* @Date: 2018-11-26
* @Time: 15:08
*/
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ResourceServiceConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http .csrf().disable()
.authorizeRequests()
.antMatchers("/**")
.authenticated()
.antMatchers("actuator/*").permitAll()//定義這兩個鏈接不需要登錄可訪問
.and()
.exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
/* .permitAll()*/
//跨域配置
.and().cors().configurationSource(request -> {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedHeader("*");
corsConfiguration.addAllowedOrigin(request.getHeader("Origin"));
corsConfiguration.addAllowedMethod("*");
corsConfiguration.setAllowCredentials(true);
corsConfiguration.setMaxAge(3600L);
return corsConfiguration;
});
//自定義過濾器
//把springsecurity決策管理那套東西通過過濾器加進來
/* http.addFilterAt(myFilterSecurityInterceptor, FilterSecurityInterceptor.class); */
}
@Override
public void configure(ResourceServerSecurityConfigurer resources)
throws Exception {
super.configure(resources);
}
}
配置apppliction.yml
spring:
profiles:
#包含的配置項
include:
- single-datasource
# - quartz
#啓用配置項級別
active: prod
---
spring:
application:
name: service-zuul
redis:
host: localhost
port: 6379
server:
port: 8082
eureka:
client:
serviceUrl:
defaultZone: http://localhost:8080/eureka/
mybatis:
mapper-locations: classpath*:**/mappers/*.xml
type-aliases-package: com.neusoft.entity
configuration:
map-underscore-to-camel-case: true
use-generated-keys: true
use-column-label: true
cache-enabled: true
call-setters-on-nulls: true
logging:
level:
root: error
org:
springframework: info
security:
oauth2:
authorization:
check-token-access: http://127.0.0.1:8081/oauth/check_token
resource:
user-info-uri: http://127.0.0.1:8081/user/me
id: oa
###路由
zuul:
routes:
api-a: #id
path: /api-a/** #路徑
serviceId: EURKA-CLIENT1 #子服務id
api-b:
path: /api-b/**
serviceId: EURKA-CLIENT131/
最後就是加入springsecurity 決策器的三大件,決策器,資源管理,用戶管理(因爲認證是通過認證服務器來,固此出去去掉),攔截器
決策器:
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;
/**決策器
* @author 王峯
* @Time:2019年1月18日 下午4:37:30
* @version 1.0
*/
@Service
public class MyAccessDecisionManager implements AccessDecisionManager {
// decide 方法是判定是否擁有權限的決策方法,
//authentication 是釋CustomUserService中循環添加到 GrantedAuthority 對象中的權限信息集合.
//object 包含客戶端發起的請求的requset信息,可轉換爲 HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
//configAttributes 爲MyInvocationSecurityMetadataSource的getAttributes(Object object)這個方法返回的結果,此方法是爲了判定用戶請求的url 是否在權限表中,如果在權限表中,則返回給 decide 方法,用來判定用戶是否有此權限。如果不在權限表中則放行。
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
if(null== configAttributes || configAttributes.size() <=0) {
return;
}
ConfigAttribute c;
String needRole;
for(Iterator<ConfigAttribute> iter = configAttributes.iterator(); iter.hasNext(); ) {
c = iter.next();
needRole = c.getAttribute();
for(GrantedAuthority ga : authentication.getAuthorities()) {//authentication 爲在註釋1 中循環添加到 GrantedAuthority 對象中的權限信息集合
if(needRole!=null&&needRole.trim().equals(ga.getAuthority())) {
return;
}
}
}
throw new AccessDeniedException("無權訪問,請聯繫管理員");
}
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}
資源管理器
package com.neusoft.config;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServletHttpHandlerAdapter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.stereotype.Service;
import com.neusoft.center_common.utils.LogUtil;
import com.neusoft.entity.Resouces;
import com.neusoft.entity.Role;
import com.neusoft.servers.ResouceService;
import com.neusoft.servers.RoleService;
/**資源管理
* @author 王峯
* @Time:2019年1月18日 下午4:38:36
* @version 1.0
*/
@Service
public class MyInvocationSecurityMetadataSourceService implements
FilterInvocationSecurityMetadataSource {
@Autowired
private RoleService roleService;
@Autowired
private ResouceService resouceService;
private HashMap<String, Collection<ConfigAttribute>> ma =null;
/**
* 加載權限表中所有權限
*/
public void loadResourceDefine(){
try {
ma = new HashMap<String, Collection<ConfigAttribute>>();
List<Resouces>resources= resouceService.queryAll();
for (Resouces re : resources) {
Collection<ConfigAttribute> cc = new ArrayList<ConfigAttribute>();
ConfigAttribute ca = null;
List<Role> roles = roleService.queryByResource(re.getAuth_res_Id());
if (roles == null) {
} else {
for (Role r : roles) {
ca = new SecurityConfig(r.getAuth_role_id());
cc.add(ca);
}
ma.put(re.getAuth_res_url(), cc);
}
}
} catch (Exception e) {
LogUtil.doErr("資源管理中查詢全部資源", e);
}
}
//此方法是爲了判定用戶請求的url 是否在權限表中,如果在權限表中,則返回給 decide 方法,用來判定用戶是否有此權限。如果不在權限表中則放行。
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
if(ma ==null) loadResourceDefine();
//object 中包含用戶請求的request 信息
String url= ((FilterInvocation) object).getRequestUrl();
AntPathRequestMatcher matcher;
String resUrl;
for(Iterator<String> iter = ma.keySet().iterator(); iter.hasNext(); ) {
resUrl = iter.next();
if(url.contains(resUrl)) {
return ma.get(resUrl);
}
}
return null;
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}
攔截器(保證springsecurity加進來)
package com.neusoft.config;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Service;
/**有這個過濾器纔會走springSecurity
*
* @author 王峯
* @Time:2019年1月23日 下午5:33:45
* @version 1.0
*/
@Service
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
@Autowired
private FilterInvocationSecurityMetadataSource securityMetadataSource;
@Autowired
public void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) {
super.setAccessDecisionManager(myAccessDecisionManager);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
public void invoke(FilterInvocation fi) throws IOException, ServletException {
//fi裏面有一個被攔截的url
//裏面調用MyInvocationSecurityMetadataSource的getAttributes(Object object)這個方法獲取fi對應的所有權限
//再調用MyAccessDecisionManager的decide方法來校驗用戶的權限是否足夠
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
//執行下一個攔截器
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
@Override
public void destroy() {
}
@Override
public Class<?> getSecureObjectClass() {
return FilterInvocation.class;
}
@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.securityMetadataSource;
}
}
在做這塊的時候,遇到一個問題就是不知道怎麼把springsecurity和oauth2集成在一起,本來想是不是springsecurity攔截器要加入到oauth中,這樣才能啓動攔截,最早的做法是
發現加入紅框中的內容,權限攔截會執行兩次,後來把他去掉就正常了,我猜想是不是加入了安全jar包之後,springcloud自動把他配置好了。