Spring Boot OAuth2 Single Sign-On in Practice

I recently switched the site's user authentication to Spring Boot OAuth2 and, combined with JWT, achieved an essentially complete separation of back end and front end. Implementing single sign-on still ran into plenty of pitfalls, though, so I am recording them here for reference.

Single sign-on: authorization server implementation

This part is documented in many places, so I will not go into detail here. If anything is unclear, I recommend the tutorial series by 江南一點雨, which is very well written!

https://mp.weixin.qq.com/s/AELXf1nmpWbYE3NINpLDRg

Single sign-on: client implementation

1. First, add the OAuth2 dependency to pom.xml. Once this dependency is in place there is no need to add the security starter separately.

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>

2. Add a SecurityConfig class; the essential part is the @EnableOAuth2Sso annotation. The code is as follows:

package com.fitit100.geodata.config;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().cors().disable();
    }

    /**
     * Static resources that the security filter chain should ignore
     * @param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**",
                "/images/**",
                "/css/**",
                "/pages/**",
                "/plugins/**",
                "/scss/**",
                "/geodata/**");
    }
}

3. Modify the configuration file.

szzgj:
  auth-server: http://auth.xxx.com # address of the authorization server
security:
  oauth2:
    client:
      client-id: clientId
      client-secret: clientSecret
      user-authorization-uri: ${szzgj.auth-server}/oauth/authorize
      access-token-uri: ${szzgj.auth-server}/oauth/token
    resource:
      jwt:
        key-uri: ${szzgj.auth-server}/oauth/token_key
        key-value: szzgj-auth # this must be set, and it must equal the JWT secret on the authorization server, otherwise the user info cannot be parsed; many tutorials leave it out
server:
  servlet:
    session:
      cookie:
        name: OAUTH2SESSION-GEODATA # this must also be set
  # if Apache or Nginx is used as a proxy, this must also be set (under server:), otherwise the redirect path during login will be wrong
  tomcat:
    remoteip:
      remote-ip-header: "X-Forwarded-For" # header carrying the original client IP
      protocol-header: "X-Forwarded-Proto"
      protocol-header-https-value: "https"
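To make the key-value requirement concrete, here is an added example (not code from this post or from Spring Security, and written in Python rather than Java so it runs on its own) that mimics what the client does with the shared secret: the authorization server HS256-signs the token with the key, and the client only extracts the user from a token whose MAC verifies under the same key. The key szzgj-auth comes from the configuration above; the claims are constructed sample data in the user_name/authorities shape the Spring OAuth2 JWTs use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared secret from key-value; the auth server signs with exactly the same string.
SHARED_KEY = "szzgj-auth"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: str) -> str:
    """Auth-server side: HS256-sign header.payload with the shared key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def read_user(token: str, key: str, now: Optional[int] = None) -> Optional[dict]:
    """Client side: verify the MAC under key-value, only then trust the claims.
    Returns the user info, or None when the key does not match, the token is
    malformed, the algorithm is not HS256, or exp is missing or in the past."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # key mismatch: this is the "cannot parse user info" failure
    if int(claims.get("exp", 0)) <= (now if now is not None else int(time.time())):
        return None
    return {"user_name": claims.get("user_name"), "authorities": claims.get("authorities", [])}

if __name__ == "__main__":
    # Constructed sample claims; exp is far in the future so the demo keeps working.
    token = mint_token({"user_name": "alice", "authorities": ["ROLE_USER"], "exp": 2000000000}, SHARED_KEY)
    print(read_user(token, SHARED_KEY))        # user info
    print(read_user(token, "other-secret"))    # None: key-value differs from the auth server's key
```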

If Apache is used as the proxy, it needs to be configured as follows. Here I use two Tomcats for load balancing; if you are not load balancing, plain forwarding is enough:

<VirtualHost *:80>
    ServerName client.xxx.com
    ServerAdmin [email protected]
    DirectoryIndex index.html index.jsp index.htm index.php
    #RequestHeader set X-Forwarded-Proto https
    #RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
    # the sticky-session cookie name must match server.servlet.session.cookie.name on the client
    ProxyPass / balancer://ClientDemo/ stickysession=OAUTH2SESSION-GEODATA nofailover=On
    ProxyPassReverse / balancer://ClientDemo/
    ProxyRequests Off
    <Proxy balancer://ClientDemo/>
        BalancerMember http://192.168.70.69:8095 loadfactor=1 route=tomcat1
        #BalancerMember http://192.168.70.149:8095 loadfactor=1 route=tomcat2
    </Proxy>
</VirtualHost>
