I recently moved the site's user authentication to Spring Boot OAuth2 and, combined with JWT, achieved a basically complete separation of back end and front end. Implementing single sign-on (SSO) still ran into quite a few pitfalls, so I am recording them here for reference.
Implementing the single sign-on authorization server
This part is documented in many places, so I will not go into detail here. If anything is unclear, I recommend the tutorial series by 江南一點雨, which is very well written:
https://mp.weixin.qq.com/s/AELXf1nmpWbYE3NINpLDRg
Implementing the single sign-on client
1. First, add the oauth2 dependency to pom.xml. Once this dependency is present there is no need to add the security starter separately.
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
2. Add a SecurityConfig class; the essential part is the @EnableOAuth2Sso annotation. The code is as follows:
    package com.fitit100.geodata.config;

    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @EnableOAuth2Sso   // turns this application into an OAuth2 SSO client of the authorization server
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Every request must be authenticated; unauthenticated users are redirected to the auth server
            http.authorizeRequests().anyRequest().authenticated().and().cors().disable();
        }

        /**
         * Static resources that should be ignored by the security filter chain
         * @param web
         * @throws Exception
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/js/**",
                    "/images/**",
                    "/css/**",
                    "/pages/**",
                    "/plugins/**",
                    "/scss/**",
                    "/geodata/**");
        }
    }
3. Modify the configuration file.
    szzgj:
      auth-server: http://auth.xxx.com # address of the authorization server
    security:
      oauth2:
        client:
          client-id: clientId
          client-secret: clientSecret
          user-authorization-uri: ${szzgj.auth-server}/oauth/authorize
          access-token-uri: ${szzgj.auth-server}/oauth/token
        resource:
          jwt:
            key-uri: ${szzgj.auth-server}/oauth/token_key
            key-value: szzgj-auth # this MUST be set and must equal the JWT secret on the authorization server, otherwise the user information cannot be parsed; many tutorials omit it
    server:
      servlet:
        session:
          cookie:
            name: OAUTH2SESSION-GEODATA # this MUST also be set
      # If Apache or Nginx is used as a reverse proxy, this MUST also be set, otherwise the redirect path at login will be wrong
      tomcat:
        remoteip:
          remote-ip-header: "X-Forwarded-For"   # header carrying the client address (the original post put this value under host-header, which expects X-Forwarded-Host)
          host-header: "X-Forwarded-Host"
          protocol-header: "X-Forwarded-Proto"
          protocol-header-https-value: "https"
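The key-value setting above is where most SSO setups break: the client checks the JWT's HMAC signature with that value, so if it differs from the secret the authorization server signs with, every token is rejected and no user information can be extracted. The following is an added example, not code from the original post or from Spring Security; it is a small Python model of both sides (a mint function standing in for the authorization server and a verify function standing in for the client's key-value check) so the failure mode can be seen directly. The secret "szzgj-auth" is the value from the configuration above; the claims are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for illustration: the secret the authorization server signs with.
# The client's key-value must be exactly this string.
AUTH_SERVER_JWT_SECRET = "szzgj-auth"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, signing_key: str) -> str:
    """Model of the authorization server: HS256-sign the claims with its JWT secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(signing_key.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, key_value: str, now: Optional[int] = None) -> Optional[dict]:
    """Model of the client side (the role of security.oauth2.resource.jwt.key-value).

    Returns the claims only if the signature verifies under key_value, the algorithm
    is the one we expect, and the token has not expired; otherwise returns None.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not be allowed to choose "none" or another family.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key_value.encode("utf-8"),
                            f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and int(claims["exp"]) <= now:
        return None
    return claims


if __name__ == "__main__":
    token = mint_jwt({"user_name": "alice", "authorities": ["ROLE_USER"], "exp": 4102444800},
                     AUTH_SERVER_JWT_SECRET)
    print("matching key-value:", verify_jwt(token, "szzgj-auth"))
    print("wrong key-value:   ", verify_jwt(token, "some-other-secret"))
```

With a matching key-value the claims (user name, authorities) come back and the client can build the user's Authentication from them; with any other value verification fails and the request is treated as unauthenticated, which is exactly the "cannot parse user information" symptom. Spring Security's JwtAccessTokenConverter performs the same signature check, so the configured key-value has to be the server's signing secret and not just any string.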
If Apache is used as the proxy, it needs the following configuration. Here I use two Tomcat instances behind a load balancer; if you are not load balancing, a plain reverse-proxy pass-through is sufficient:
    <VirtualHost *:80>
        ServerName client.xxx.com
        ServerAdmin [email protected]
        DirectoryIndex index.html index.jsp index.htm index.php
        #RequestHeader set X-Forwarded-Proto https
        #RequestHeader set X-Forwarded-Port 443
        ProxyPreserveHost On
        # stickysession must name the application's session cookie; with more than one active
        # member it has to match server.servlet.session.cookie.name (OAUTH2SESSION-GEODATA above)
        ProxyPass / balancer://ClientDemo/ stickysession=jsessionid nofailover=On
        ProxyPassReverse / balancer://ClientDemo/
        ProxyRequests Off
        <Proxy balancer://ClientDemo/>
            BalancerMember http://192.168.70.69:8095 loadfactor=1 route=tomcat1
            #BalancerMember http://192.168.70.149:8095 loadfactor=1 route=tomcat2
        </Proxy>
    </VirtualHost>
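The server.tomcat.remoteip settings and the Apache configuration work together: the OAuth2 client builds its redirect_uri from the scheme and host it believes the request arrived on, so behind a proxy it must read them from the X-Forwarded-* headers, but it must only do so when those headers come from the proxy itself, since any external client can send the same headers. The following is an added example, not code from the original post or from Tomcat; it is a Python model of what a RemoteIp-style valve does with these headers. TRUSTED_PROXIES (the role of internal-proxies), the 192.168.70.0/24 range and all addresses are constructed values.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed: the proxy addresses whose X-Forwarded-* headers may be trusted
# (the role of server.tomcat.remoteip.internal-proxies; 192.168.70.0/24 matches the
# BalancerMember network in the Apache config, 127.0.0.0/8 covers a local proxy).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.70.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_request(remote_addr: str, headers: Dict[str, str], default_host: str) -> Tuple[str, str, str]:
    """Return (scheme, host, client_ip) as a RemoteIp-style valve would compute them."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"                      # what Tomcat sees on its plain-HTTP connector
    host = h.get("host", default_host)   # ProxyPreserveHost On keeps the original Host
    client_ip = remote_addr
    if not is_trusted_proxy(remote_addr):
        # Forwarded headers from an untrusted peer are attacker-controlled: ignore them.
        return scheme, host, client_ip
    if h.get("x-forwarded-proto", "").strip().lower() == "https":
        scheme = "https"                 # protocol-header / protocol-header-https-value
    if "x-forwarded-host" in h:
        host = h["x-forwarded-host"].split(",")[0].strip()   # host-header
    if "x-forwarded-for" in h:
        # Walk right-to-left past trusted proxies; the first other address is the client.
        for hop in reversed([x.strip() for x in h["x-forwarded-for"].split(",")]):
            if not is_trusted_proxy(hop):
                client_ip = hop
                break
    return scheme, host, client_ip


def login_redirect_uri(remote_addr: str, headers: Dict[str, str], path: str = "/login") -> str:
    """The redirect_uri the SSO client would send to /oauth/authorize for this request."""
    scheme, host, _ = resolve_request(remote_addr, headers, default_host="localhost:8095")
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    from_proxy = {"Host": "client.xxx.com", "X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.5"}
    print(login_redirect_uri("192.168.70.1", from_proxy))                         # https://client.xxx.com/login
    print(login_redirect_uri("192.168.70.1", {"Host": "client.xxx.com"}))         # http://... : the wrong-redirect symptom
    print(login_redirect_uri("203.0.113.9", {"Host": "client.xxx.com", "X-Forwarded-Proto": "https",
                                             "X-Forwarded-Host": "spoofed.example"}))  # headers ignored
```

The second call shows the symptom the post warns about: without the forwarded protocol the client registers an http:// redirect_uri even though the browser is on https://, and the authorization server either rejects it or the browser ends up on the wrong scheme. The third call shows why the trusted-proxy check matters: Spring Boot's RemoteIpValve only honours these headers for requests arriving from internal-proxies (by default the private address ranges), so a proxy on a public address needs that list adjusted rather than the check removed.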