使用OAuth2的SSO分析

參考:https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/oauth2-vanilla/README.adoc

1.瀏覽器向UI服務器點擊觸發要求安全認證
2.跳轉到授權服務器獲取授權許可碼
3.從授權服務器帶授權許可碼跳回來
4.UI服務器向授權服務器獲取AccessToken
5.返回AccessToken到UI服務器
6.發出/resource請求到UI服務器
7.UI服務器將/resource請求轉發到Resource服務器
8.Resource服務器要求安全驗證,於是直接從授權服務器獲取認證授權信息進行判斷後(最後會響應給UI服務器,UI服務器再響應給瀏覽中器）

一.先創建OAuth2授權服務器
1.使用Spring Initializrt生成初始項目,選使用spring boot 1.3.3生成maven項目,根據需要填寫group,artifact,依賴選Web和Security兩塊,點生成按鈕即可.
2.加入OAuth2依賴到pom.xml

<dependency>
   <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>

修改主類(這裏同時也作爲資源服務器).

@SpringBootApplication
@RestController
@EnableAuthorizationServer
@EnableResourceServer
public class AuthserverApplication {

    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    public static void main(String[] args) {
        SpringApplication.run(AuthserverApplication.class, args);
    }

}

同時修改servlet容器的port,contextPath,註冊一個測試用戶與客戶端,加入配置:application.properties

server.port: 9999
server.contextPath: /uaa
security.user.password: password
security.sessions: if-required
security.oauth2.client.clientId: acme
security.oauth2.client.clientSecret: acmesecret
security.oauth2.client.authorized-grant-types: authorization_code,refresh_token,password
security.oauth2.client.scope: openid

基於spring boot的security的session創建策略默認是STATELESS,至於幾個選項意義,可看org.springframework.security.config.http.SessionCreationPolicy
啓動授權服務器後,可測試了:
a.打開瀏覽器輸入地址http://localhost:9999/uaa/oauth/authorize?response_type=code&client_id=acme&redirect_uri=http://example.com發出請求,然後根據以上配置,輸入用戶名/密碼,點同意,獲取返回的授權許可碼
b.在linux的bash或mac的terminal輸入
[root@dev ~]#curl acme:[email protected]:9999/uaa/oauth/token \
-d grant_type=authorization_code -d client_id=acme \
-d redirect_uri=http://example.com -d code=fjRdsL
回車獲取access token,其中fjRdsL替換上步獲取的授權許可碼.返回結果類似如下:
{"access_token":"8eded27d-b849-4473-8b2d-49ae49e17943","token_type":"bearer","refresh_token":"5e9af75c-c442-433f-81ba-996eb2c00f53","expires_in":43199,"scope":"openid"}
從返回結果複製access_token,繼續:
[root@dev ~]# TOKEN=8eded27d-b849-4473-8b2d-49ae49e17943
[root@dev ~]# curl -H “Authorization: Bearer $TOKEN” 192.168.1.115:9999/uaa/user
其中上面的8eded27d-b849-4473-8b2d-49ae49e17943是access_token,根據實際情況替換,第二個命令返回結果類似如下:
{"details":{"remoteAddress":"192.168.1.194","sessionId":null,"tokenValue":"8eded27d-b849-4473-8b2d-49ae49e17943","tokenType":"Bearer","decodedDetails":null},"authorities":[{"authority":"ROLE_USER"}],"authenticated":true,"userAuthentication":{"details":{"remoteAddress":"0:0:0:0:0:0:0:1","sessionId":"3943F6861E0FE31C29568542730342F6"},"authorities":[{"authority":"ROLE_USER"}],"authenticated":true,"principal":{"password":null,"username":"user","authorities":[{"authority":"ROLE_USER"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true},"credentials":null,"name":"user"},"oauth2Request":{"clientId":"acme","scope":["openid"],"requestParameters":{"response_type":"code","redirect_uri":"http://example.com","code":"QzbdLe","grant_type":"authorization_code","client_id":"acme"},"resourceIds":[],"authorities":[{"authority":"ROLE_USER"}],"approved":true,"refresh":false,"redirectUri":"http://example.com","responseTypes":["code"],"extensions":{},"grantType":"authorization_code","refreshTokenRequest":null},"credentials":"","principal":{"password":null,"username":"user","authorities":[{"authority":"ROLE_USER"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true},"clientOnly":false,"name":"user"}
從結果來看,使用access token訪問資源一切正常,說明授權服務器沒問題.

二.再看分離的資源服務器(改動也不少)
不再使用SpringSession從redis抽取認證授權信息,而是使用ResourceServerTokenServices向授權服務器發送請求獲取認證授權信息.因些沒用到SpringSession時可移除,同時application.properties配置security.oauth2.resource.userInfoUri或security.oauth2.resource.tokenInfoUri中的一個,主類修改如下:

@SpringBootApplication
@RestController
@EnableResourceServer
public class ResourceApplication {
    @RequestMapping("/")
    public Message home() {
        return new Message("Hello World");
    }
    public static void main(String[] args) {
        SpringApplication.run(ResourceApplication.class, args);
    }
}

最後運行主類的main方法,開始測試(授權服務器前面啓動了,access_token也得到了),於是在使用curl命令:
[root@dev ~]# curl -H “Authorization: Bearer $TOKEN” 192.168.1.115:9000
返回結果類似如下:
{"id":"03af8be3-2fc3-4d75-acf7-c484d9cf32b1","content":"Hello World"}
可借鑑的經驗,我在windows上開發,啓動資源服務器,然後資源服務器有配置server.address: 127.0.0.1,這裏限制容器只能是本機訪問,如果使用局域網IP是不可以訪問的,比如你在別人的機器或在一臺虛擬的linux上使用curl都是不是訪問的,註釋這行配置,這限制就解除.
跟蹤下獲取認證授權的信息過程:
1.userInfoRestTemplate Bean的聲明在org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerTokenServicesConfiguration.UserInfoRestTemplateConfiguration#userInfoRestTemplate
2.使用前面配置的userInfoUri和上面的userInfoRestTemplate Bean在org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerTokenServicesConfiguration.RemoteTokenServicesConfiguration.UserInfoTokenServicesConfiguration#userInfoTokenServices創建UserInfoTokenServices Bean.
3.在org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer#configure添加了org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter
4.當使用curl -H “Authorization: Bearer $TOKEN” 192.168.1.115:9000發出請求時,直到被OAuth2AuthenticationProcessingFilter攔截器處理,
org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter#doFilter{
Authentication authentication = tokenExtractor.extract(request);//抽取Token
Authentication authResult = authenticationManager.authenticate(authentication);//還原解碼認證授權信息
}
org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager#authenticate{
OAuth2Authentication auth = tokenServices.loadAuthentication(token);//這裏的tokenServices就是上面的UserInfoTokenServices Bean,就在這裏向授權服務器發出請求.
}
三.UI服務器作爲SSO的客戶端.
1.同樣UI服務器不需要springSession,認證如我們所期望的,交給授權服務器,所以使用Spring Security OAuth2依賴替換Spring Session和Redis依賴.
2.當然UI服務器還是API網關的角色,所以不要移除@EnableZuulProxy.在UI服務器主類加上@EnableOAuth2Sso,這個註解會幫我們完成跳轉到授權服務器,當然要些配置application.yml

zuul:
  routes:
    resource:
      path: /resource/**
      url: http://localhost:9000
    user:
      path: /user/**
      url: http://localhost:9999/uaa/user

這裏將”/user”請求代理到授權服務器
3.繼續修改UI主類繼承WebSecurityConfigurerAdapter,重寫org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
目的是爲了修改@EnableOAuth2Sso引起的默認Filter鏈,默認是org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration#configure,這個類上面有@Conditional(NeedsWebSecurityCondition.class)意思應該是,沒有WebSecurityConfigurerAdapter纔會去執行這個config,因爲繼承了這個類,所以此config不再執行.
4.作爲oauth2的客戶端,application.yml下面這幾項是少不了的

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:9999/uaa/oauth/token
      userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
      clientId: acme
      clientSecret: acmesecret
    resource:
      userInfoUri: http://localhost:9999/uaa/user

最後一項,因爲也作爲資源服務器,所以也加上吧.

spring:
  aop:
    proxy-target-class: true

spring aop默認一般都是使用jdk生成代理,前提是要有接口,cglib生成代理,目標類不能是final類,這是最基本的條件.估計是那些restTemplate沒有實現接口,所以不得不在這裏使用cglib生成代理.
5.其它的前端微小改變,這裏不贅述.把授權服務器,分離的資源服務器和這個UI服務器都啓動.準備測試:http://localhost:8080/login
a.經過security的攔截鏈接中的org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.doFilter攔截,觸發了attemptAuthentication方法

    public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException {
        OAuth2AccessToken accessToken = context.getAccessToken();
        if (accessToken == null || accessToken.isExpired()) {
            try {
                accessToken = acquireAccessToken(context);
            }catch (UserRedirectRequiredException e) {
                context.setAccessToken(null); // No point hanging onto it now
                accessToken = null;
                String stateKey = e.getStateKey();
                if (stateKey != null) {
                    Object stateToPreserve = e.getStateToPreserve();
                    if (stateToPreserve == null) {
                        stateToPreserve = "NONE";
                    }
                    context.setPreservedState(stateKey, stateToPreserve);
                }
                throw e;
            }
        }
        return accessToken;
    }

acquireAccessToken(context)去獲取token的時候觸發拋異常.在org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider#getRedirectForAuthorization處理髮送的url,最後這個UserRedirectRequiredException往上拋
一直往上拋到org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter#doFilter

    catch (Exception ex) {
        // Try to extract a SpringSecurityException from the stacktrace
        Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
        UserRedirectRequiredException redirect = (UserRedirectRequiredException) throwableAnalyzer
                .getFirstThrowableOfType(
                        UserRedirectRequiredException.class, causeChain);
        if (redirect != null) {
            redirectUser(redirect, request, response);
        } else {
            if (ex instanceof ServletException) {
                throw (ServletException) ex;
            }
            if (ex instanceof RuntimeException) {
                throw (RuntimeException) ex;
            }
            throw new NestedServletException("Unhandled exception", ex);
        }
    }

終於看到redirectUser(redirect, request, response);進行跳轉到授權服務器去了.

授權服務器跳回到UI服務器原來的地址(帶回來授權許可碼),再次被OAuth2ClientAuthenticationProcessingFilter攔截髮送獲取accessToken,經org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport#retrieveToken提交POST請求,獲取到返回原來發請求處得到OAuth2AccessToken對象.
在org.springframework.security.oauth2.client.OAuth2RestTemplate#acquireAccessToken使用oauth2Context.setAccessToken(accessToken);對token進行保存.有了accessToken,就可以從授權服務器獲取用戶信息了.

最後,當用戶點logout的時候,授權服務器根本沒有退出(銷燬認證授權信息)