搭建Spring Security OAuth2认证授权服务器
2023-10-18 本文已影响0人
南湘嘉荣
1.创建一几个独立的Spring Boot服务,并引入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- nacos服务注册与发现依赖 -->
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
</dependency>
<!-- nacos服务注册与发现依赖 -->
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-config</artifactId>
</dependency>
<!--spring security的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!--OAuth2的依赖-->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
主要是要引入spring-boot-starter-security和spring-cloud-starter-oauth2的依赖。
2.将服务注册到nacos
spring:
application:
name: sensible-oauth2
cloud:
nacos:
server-addr: localhost:8848
discovery:
namespace: seata
group: seata
config:
namespace: seata
group: seata
3.配置认证服务器
配置认证服务器需要继承 AuthorizationServerConfigurerAdapter,主要是三个方面的配置:安全配置、端点配置、客户端配置。
安全配置主要针对授权服务器端点的访问策略、认证策略、加密方式等进行配置。
端点配置主要配置授权服务器的token存储方式、token转换、端点增强、端点自定义、token授权、token生成等进行配置。
客户端配置主要配置接入的客户端相关信息,如授权类型、授权范围、秘钥等内容。
package com.sensible.config;
import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
/**
* AuthorizationServerConfiguration 类
* 认证授权中心配置类
*
* @author liuyc
* @date 2023/10/18 11:58 上午
*/
@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
private AuthenticationManager authenticationManager;
private UserDetailsService userDetailsService;
private PasswordEncoder passwordEncoder;
/**
* 安全配置
*
* @param security
* @throws Exception
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients()
.tokenKeyAccess("permitAll()")
.checkTokenAccess("permitAll()");
}
/**
* 端点配置
*
* @param endpoints
* @throws Exception
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new InMemoryTokenStore())
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}
/**
* 客户端配置
*
* @param clients
* @throws Exception
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
String client_secret = passwordEncoder.encode("123456");
clients.inMemory()
// admin,授权码认证、密码认证、客户端认证、简单认证、刷新token
.withClient("admin")
.secret(client_secret)
.resourceIds("sensible-oauth2")
.scopes("server", "select")
.authorizedGrantTypes("authorization_code", "password", "refresh_token", "client_credentials", "implicit")
.redirectUris("http://www.baidu.com")
.and()
// client_1,密码认证、刷新token
.withClient("client_1")
.secret(client_secret)
.resourceIds("sensible-oauth2")
.scopes("server", "select")
.authorizedGrantTypes("password", "refresh_token")
.and()
// client_2,客户端认证、刷新token
.withClient("client_2")
.secret(client_secret)
.resourceIds("sensible-oauth2")
.scopes("server", "select")
.authorizedGrantTypes("client_credentials", "refresh_token");
}
}
@EnableAuthorizationServer注解的作用是启用所在的服务作为授权服务器。可以放在配置类上,或者放在SpringBoot的启动类上。
4.配置资源服务器
配置资源服务器需要继承ResourceServerConfigurerAdapter,主要负责针对资源服务器的安全访问策略进行相关配置。这里我们把认证授权服务器也当作资源服务器,在实际的企业项目中,资源服务器一般是网关服务担当。
package com.sensible.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
/**
* ResourceServerConfig 类
*
* @author liuyc
* @date 2023/10/18 11:58 上午
*/
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
//设置资源服务器的ID
resources.resourceId("sensible-oauth2")
//将资源服务器设置为无状态(stateless)模式
.stateless(true);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
//只有匹配"/oauth/login"路径的请求会被处理。
.antMatchers("/oauth/login")
.and()
//所有的请求,需要经过身份认证后才能访问
.authorizeRequests().anyRequest().authenticated();
}
}
@EnableResourceServer注解的作用是启用所在的服务作为资源服务器。可以放在配置类上,或者放在SpringBoot的启动类上。
5.配置Spring Security
为何还需要单独针对SpringSecurity再进行配置呢?
答案之一就在于授权模式中的授权码模式,后续会出相关文章,详细说明这个问题。此外,还需配置UserDetailsService、PasswordEncoder等内容。
package com.sensible.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import java.util.ArrayList;
import java.util.List;
/**
* WebSecurityConfig 类
*
* @author liuyc
* @date 2023/10/18 11:58 上午
*/
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* AuthenticationManager在OAuth2认证服务中要使用,提前放入Spring IOC容器
*
* @return
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean(name = "userDetailsService")
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return createUserDetailsService();
}
@Override
protected UserDetailsService userDetailsService() {
return createUserDetailsService();
}
private UserDetailsService createUserDetailsService() {
String password = passwordEncoder().encode("123456");
List<UserDetails> users = new ArrayList<>();
UserDetails user_admin = User.withUsername("admin").password(password).authorities("ADMIN", "USER").build();
UserDetails user_1 = User.withUsername("user_1").password(password).authorities("ADMIN", "USER").build();
UserDetails user_2 = User.withUsername("user_2").password(password).authorities("USER").build();
users.add(user_admin);
users.add(user_1);
users.add(user_2);
return new InMemoryUserDetailsManager(users);
}
/**
* 配置安全拦截策略
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers().anyRequest().and().formLogin().and().csrf().disable();
}
}
6.创建资源
既然是资源服务器,那就需要资源。
package com.sensible.controller;
import com.sensible.result.R;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.security.Principal;
/**
* LoginController 类
*
* @author liuyc
* @date 2023/10/18 12:31 下午
*/
@RestController
@RequestMapping("/oauth")
public class LoginController {
@GetMapping("/login")
public R<Principal> login(Principal user) {
return R.success(user);
}
}
7.测试
首先,请求授权。
image.png
接下来就可以用access_token去访问资源了。
image.png
