Springboot Security5 Oauth2 集成Gi

2018-09-24  本文已影响0人  苏小小北

前言

最近有个项目是关于基于springboot oauth 整合Facebook、Twitter登陆,鉴于国内资料较少,将自己查阅的资料整理下,方便供大家参考

综述

1.Springboot
Springboot就是简化配置的spring,这里就不做详细描述了。
2.Spring Security5
Spring Security提供了基于Java EE的企业应用软件全面的安全服务。Springboot引入这个框架非常方便,我们在使用的时候,只要考虑三个地方就可以了:WebSecurityConfigureerAdapter 类的两个方法:
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
protected void configure(HttpSecurity http) throws Exception
还有UserDetailsService接口的方法:
public UserDetails loadUserByUsername(String username)
下来介绍这三个方法的作用。

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
configureGlobal.png

这个方法的主要作用是用来如何验证用户账户密码,图中我们是用内存的user和password来验证的。(security5和security4的最大区别在于,验证需要传入new BCryptPassword()进行密码加密(支持自定义)在实际生产中,应该用数据库信息来验证,改为下图所示即可。


修改后的configureGlobal.png
protected void configure(HttpSecurity http) throws Exception

这个方法主要根据登陆的用户进行权限设置,进行验证请求。


configure.png

1.http.authorizeRequests()方法有多个子节点,每个macher按照他们的声明顺序执行(使用ant风格url匹配模式,?代表匹配任一个字符,* 代表匹配0个或者多个任意的字符,**代表匹配0个或者任意多个目录)。
2.我们指定任何用户都可以访问的多个URL模式。任何用户都可以访问URL以 "/resources/",开头的URL ,以及"/signup", "/about".
3.以"/admin/" 开头的URL只能由拥有 "ROLEADMIN"角色的用户访问. 请注意我们使用HasRole方法,没有使用ROLE前缀。
4.任何以/db/开头的URL需要用户同时具有"ROLEADMIN" 和 "ROLE_DBA". 和上面一样我们的hasRole方法也没有使用ROLE前缀。
5.尚未匹配的任何URL要求用户进行身份认证。
其他细节可以查看security中文文档
https://vincentmi.gitbooks.io/spring-security-reference-zh/content/3.4_authorize_requests.html

public UserDetails loadUserByUsername(String username)

这个方法源自接口package org.springframework.security.core.userdetails;需要自定义验证用户账户密码的时候就需要实现这个方法。
传入用户username,根据username到自己的数据库查询到用户的username,password和roles,生成一个新的UserDetails对象,将这个对象返回,security会将这个对象和登陆时填入的账号密码进行匹配,一致就会完成用户认证。


image.png

3.Oauth2.0
OAuth是一个关于授权的开放网络标准,在全世界得到的广泛的应用,目前是2.0的版本。OAuth2在“客户端”与“服务提供商”之间,设置了一个授权层(authorization layer)。“客户端”不能直接登录“服务提供商”,只能登录授权层,以此将用户与客户端分离。“客户端”登录需要OAuth提供的令牌,否则将提示认证失败而导致客户端无法访问服务。
OAuth2为我们提供了四种授权方式:

1、授权码模式(authorization code)
2、简化模式(implicit)
3、密码模式(resource owner password credentials)
4、客户端模式(client credentials)
这里facebook、Twitter、github、google均支持第一种模式,也是最安全的模式。
这里只要配置客户端,@EnableOAuth2Client就可以支持所有的社交平台,关键有一点,如果用户时第一次登陆,需要将用户信息注册到我们自己的数据库中,与数据库中的用户一一映射,就可以判断当前登陆的用户是对应我们数据库自己的平台身份。并且,Oauth2登陆时,我们将自定义的用户身份(也就是社交平台对应自己数据库的User)返回给security,进行登陆。这样就进行了用户绑定。这里主要实现了自定义的PrincipalExtractor接口,并非使用默认实现FixedPrincipalExtractor。参考FixedPrincipalExtractor的实现

FixedPrincipalExtractor.png

构建项目

这里从Idea的maven开始创建项目
maven依赖

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>cn.hinson</groupId>
  <artifactId>springboot_security5_oauth2</artifactId>
  <version>1.0-SNAPSHOT</version>

  <name>springboot_security5_oauth2</name>
  <!-- FIXME change it to the project's website -->
  <url>http://www.example.com</url>

  <!-- 继承父包 -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.1.RELEASE</version>
    <relativePath></relativePath>
  </parent>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
    <mybatis.version>3.2.7</mybatis.version>
    <mybatis-spring.version>1.2.2</mybatis-spring.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.oauth.boot</groupId>
      <artifactId>spring-security-oauth2-autoconfigure</artifactId>
      <version>2.0.0.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>js-cookie</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>jquery</artifactId>
      <version>2.1.1</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>bootstrap</artifactId>
      <version>3.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.webjars</groupId>
      <artifactId>webjars-locator-core</artifactId>
    </dependency>

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-configuration-processor</artifactId>
      <optional>true</optional>
    </dependency>

    <!--db-->
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.32</version>
    </dependency>

    <!--mybatis-->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jdbc</artifactId>
    </dependency>
    <dependency>
      <groupId>org.mybatis</groupId>
      <artifactId>mybatis</artifactId>
      <version>${mybatis.version}</version>
    </dependency>
    <dependency>
      <groupId>org.mybatis</groupId>
      <artifactId>mybatis-spring</artifactId>
      <version>${mybatis-spring.version}</version>
    </dependency>
    <!-- mysql数据库连接池 pool -->
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>druid</artifactId>
      <version>1.0.15</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>

导入maven依赖,建立项目包结构

包结构.png
下面展示核心的几个类实现代码:

SecurityConfig
Security5 和 Oauth2主要配置

package cn.hinson.security;

import cn.hinson.dao.UserDao;
import cn.hinson.security.oauth2.ClientResources;
import cn.hinson.security.service.MyUserDetailsService;
import cn.hinson.security.service.MyUserInfoTokenServices;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.filter.CompositeFilter;

import javax.servlet.Filter;
import java.util.ArrayList;
import java.util.List;


@Configuration
@EnableOAuth2Client
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    OAuth2ClientContext oauth2ClientContext;

    @Bean
    UserDetailsService detailsService(){
        return new MyUserDetailsService();
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        Log logger = LogFactory.getLog(SecurityConfig.class);
        logger.info("HttpSecurity http");
        http.antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**", "/webjars/**", "/test").permitAll()
                .anyRequest().authenticated().and().exceptionHandling()
                .and()
                    .logout().
                    logoutUrl("/logout").
                    logoutSuccessUrl("/")
                .and()
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class)
                .formLogin();
        // @formatter:on
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

//        auth.inMemoryAuthentication()
//                .passwordEncoder(new BCryptPasswordEncoder())
//                .withUser("user1")
//                .password(new BCryptPasswordEncoder().encode("123456"))
//                .roles("USER");

        auth.userDetailsService(detailsService()).passwordEncoder(new BCryptPasswordEncoder());
    }


    @Bean
    public FilterRegistrationBean<OAuth2ClientContextFilter> oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean<OAuth2ClientContextFilter> registration = new FilterRegistrationBean<OAuth2ClientContextFilter>();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    @Bean
    @ConfigurationProperties("github")
    public ClientResources github() {
        return new ClientResources("github");
    }

    @Bean
    @ConfigurationProperties("facebook")
    public ClientResources facebook() {
        return new ClientResources("facebook");
    }

    @Autowired
    GithubPrincipalExtractor githubPrincipalExtractor;

    @Autowired
    FacebookPrincipalExtractor facebookPrincipalExtractor;

    private Filter ssoFilter() {
        CompositeFilter filter = new CompositeFilter();
        List<Filter> filters = new ArrayList<>();
        filters.add(ssoFilter(facebook(), "/login/facebook", facebookPrincipalExtractor));
        filters.add(ssoFilter(github(), "/login/github", githubPrincipalExtractor));
        filter.setFilters(filters);
        return filter;
    }



    private Filter ssoFilter(ClientResources client, String path, AbstractPrincipalExtractor principalExtractor) {
        OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter(
                path);
        OAuth2RestTemplate template = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        filter.setRestTemplate(template);
        UserInfoTokenServices tokenServices = new MyUserInfoTokenServices(client.getResource().getUserInfoUri(), client.getClient().getClientId(), principalExtractor);
        tokenServices.setRestTemplate(template);
        filter.setTokenServices(tokenServices);
        return filter;
    }
}

MyUserDetailsService
security 自定义认证,从数据库认证

package cn.hinson.security.service;

import cn.hinson.dao.UserDao;
import cn.hinson.domain.SysRole;
import cn.hinson.domain.SysUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.web.context.WebApplicationContext;

import java.util.ArrayList;
import java.util.List;

@Service
public class MyUserDetailsService implements UserDetailsService { //自定义UserDetailsService 接口

    @Autowired
    UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username) { //重写loadUserByUsername 方法获得 userdetails 类型用户
        System.out.println("loadUserByUserName: " + username);
        SysUser user = userDao.findByUserName(username);
        if(user == null){
            throw new UsernameNotFoundException("用户名不存在");
        }
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        //用于添加用户的权限。只要把用户权限添加到authorities。
        for(SysRole role:user.getRoles())
        {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
            System.out.println(role.getName());
        }
        UserDetails userDetails = new User(user.getUsername(), user.getPassword(), authorities);
        return userDetails;
    }
}

AbstractPrincipalExtractor
负责社交账号与自己的数据库绑定

package cn.hinson.security;

import cn.hinson.domain.SysRole;
import cn.hinson.domain.SysUser;
import cn.hinson.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public abstract class AbstractPrincipalExtractor implements PrincipalExtractor {

  @Autowired
  UserService userService;
  //用户openid
  public abstract SysUser getUserByOpenId(String id);
  //用户角色,用“FACEBOOK"代表facebook用户,”GITHUB"代表"github用户
  public abstract SysRole getUserRoleByOauth2ClientName();

  @Override
  public Object extractPrincipal(Map<String, Object> map) {
    //得到对于的社交平台的openid
    String id =  map.get("id").toString();
    // Check if we've already registered this uer
    System.out.println("id: " + id);
    SysUser user = getUserByOpenId(id);
    if (user == null) {
      // If we haven't registered this user yet, create a new one
//      Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
//      // This Details object exposes a token that allows us to interact with Facebook on this user's behalf
//      String token = ((OAuth2AuthenticationDetails) authentication.getDetails()).getTokenValue();
      user = new SysUser();
      user.setUsername(map.get("id").toString());
      user.setGithubId(id);
      // Set the default Roles for users registered via Facebook
      List<SysRole> authorities = new ArrayList<>();
      SysRole role = new SysRole();
      role.setName("USER");
      authorities.add(role);
      //Oauth2Client客戶端特有角色
      authorities.add(getUserRoleByOauth2ClientName());
      user.setRoles(authorities);
      userService.createUser(user);
    }
    return user;
  }
}

增加其他社交平台
application.yml
在在application.yml中添加yml,然后在SecurityConfig中增加新的OauthClient,最后添加继承AbstractPrincipalExtractor的实现类(例如FacebookPrincipalExtractor类)即可

facebook:
  client:
    clientId: 233668646673605
    clientSecret: 33b17e044ee6a4fa383f46ec6e28ea1d
    accessTokenUri: https://graph.facebook.com/oauth/access_token
    userAuthorizationUri: https://www.facebook.com/dialog/oauth
    tokenName: oauth_token
    authenticationScheme: query
    clientAuthenticationScheme: form
  resource:
    userInfoUri: https://graph.facebook.com/me
github:
  client:
    clientId: bd1c0a783ccdd1c9b9e4
    clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
    accessTokenUri: https://github.com/login/oauth/access_token
    userAuthorizationUri: https://github.com/login/oauth/authorize
    clientAuthenticationScheme: form
  resource:
    userInfoUri: https://api.github.com/user
package cn.hinson.security;

import cn.hinson.domain.SysRole;
import cn.hinson.domain.SysUser;
import org.springframework.stereotype.Component;

@Component
public class FacebookPrincipalExtractor extends AbstractPrincipalExtractor {

    @Override
    public SysUser getUserByOpenId(String id) {
        return super.userService.getUserByFacebookId(id);
    }

    @Override
    public SysRole getUserRoleByOauth2ClientName() {
        SysRole role = new SysRole();
        role.setName("FACEBOOK");
        return role;
    }
}

数据库

sql

CREATE TABLE sys_user (
  id            int  auto_increment PRIMARY KEY,
  username      VARCHAR (80),
  password      VARCHAR (80),
  twitterid     VARCHAR (30),
  facebookid    VARCHAR (30),
  githubid      VARCHAR (30)
);
CREATE TABLE sys_role (
  id            int auto_increment primary key,
  name varchar(80)
);
create table sys_role_user(
  id int auto_increment primary key,
  sys_user_id int,
  sys_role_id int,
  foreign key(sys_user_id) references sys_user(id),
  foreign key(sys_role_id) references sys_role(id)
);
navicator.png

访问

/localhost:8080/login
security自带的登陆界面

login.png

/localhost:8080/
未登陆时的界面

未登陆.png
登陆后的界面
登陆后.png

localhost:8080/user
登陆后的可进入

user.png

其他

本人也是在慢慢学习中,如有错误还请原谅、敬请指出,谢谢!
源代码
github:https://github.com/HinsonHsu/springboot_security5_oauth2.0

上一篇 下一篇

猜你喜欢

热点阅读