【oauth2 客户端模式】Spring Authorization Server + Resource + Client 资源服务间的相互访问
1、概述
上一节中介绍了项目的搭建,并实现了授权码模式的访问。在上一节的基础上,再来实现客户端模式。【图文详解】搭建 Spring Authorization Server + Resource + Client 完整Demo
- 用户通过客户端访问资源是 授权码模式
- 微服务(资源)间的访问是 客户端模式;客户端模式下,只需要提供注册客户端的ID和密钥,就可以向授权服务器申请令牌,授权服务器核实ID和密钥后,会直接发放令牌,无须再认证/授权,特别适合项目内部模块间的调用。
2、授权服务器中注册新客户端
为了让请求资源的主体更加清晰,再注册一个客户端
micro_service,专门供资源服务器之间的相互调用。也可以用原来客户端my_client,不过要在授权模式GrantType中添加CLIENT_CREDENTIALS
- 客户端模式直接返回token;不需要回调地址
- 在授权服务器的授权服务配置类
AuthorizationServerConfiguration.java中添加
/**
* 定义客户端(令牌申请方式:客户端模式)
*
* @param clientId 客户端ID
* @return
*/
private RegisteredClient createRegisteredClient(final String clientId) {
// JWT(Json Web Token)的配置项:TTL、是否复用refrechToken等等
TokenSettings tokenSettings = TokenSettings.builder()
// 令牌存活时间:1年
.accessTokenTimeToLive(Duration.ofDays(365))
// 令牌不可以刷新
//.reuseRefreshTokens(false)
.build();
// 客户端相关配置
ClientSettings clientSettings = ClientSettings.builder()
// 是否需要用户授权确认
.requireAuthorizationConsent(false)
.build();
return RegisteredClient
// 客户端ID和密码
.withId(UUID.randomUUID().toString())
//.withId(id)
.clientId(clientId)
//.clientSecret("{noop}123456")
.clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("123456"))
// 客户端名称:可省略
.clientName("micro_service")
// 授权方法
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
// 授权模式
// ---- 【客户端模式】
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
// 客户端模式直接返回token;不需要回调地址
//.redirectUri("...")
// 授权范围(当前客户端的角色)
.scope("all")
// JWT(Json Web Token)配置项
.tokenSettings(tokenSettings)
// 客户端配置项
.clientSettings(clientSettings)
.build();
}- 修改注册方法:该方法仅注重功能,结构不够优雅,可以自行修改
/**
* 注册客户端
*
* @param jdbcTemplate 操作数据库
* @return 客户端仓库
*/
@Bean
public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
// ---------- 1、检查当前客户端是否已注册
// 操作数据库对象
JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
/*
客户端在数据库中记录的区别
------------------------------------------
id:仅表示客户端在数据库中的这个记录
client_id:唯一标示客户端;请求token时,以此作为客户端的账号
client_name:客户端的名称,可以省略
client_secret:密码
*/
String clientId_1 = "my_client";
String clientId_2 = "micro_service";
// 查询客户端是否存在
RegisteredClient registeredClient_1 = registeredClientRepository.findByClientId(clientId_1);
RegisteredClient registeredClient_2 = registeredClientRepository.findByClientId(clientId_2);
// ---------- 2、添加客户端
// 数据库中没有
if (registeredClient_1 == null) {
registeredClient_1 = this.createRegisteredClientAuthorizationCode(clientId_1);
registeredClientRepository.save(registeredClient_1);
}
// 数据库中没有
if (registeredClient_2 == null) {
registeredClient_2 = this.createRegisteredClient(clientId_2);
registeredClientRepository.save(registeredClient_2);
}
// ---------- 3、返回客户端仓库
return registeredClientRepository;
}3、资源服务器之间访问
3.1、案例说明
用 资源服务器B 调用 资源服务器A 中的资源;
具体:服务B/res1 --> 服务A/res2;
服务A/res2 接口在前面用 my_client 是无法访问的;
当前 资源服务器B 无安全策略,可以直接访问
3.2、令牌申请与使用 处理逻辑
3.3、改造资源服务器B
- 配置RestTemplat
@Configuration(proxyBeanMethods = false)
public class RestTemplateConfiguration {
@Bean
public RestTemplate oauth2ClientRestTemplate(RestTemplateBuilder restTemplateBuilder) {
return restTemplateBuilder.build();
}
}- 修改API接口类
@RestController
public class ResourceController {
@Autowired
RestTemplate restTemplate;
@GetMapping("/res1")
public String getRes1(HttpServletRequest request) {
// 调用资源服务器A中的资源res2
return getServer("http://127.0.0.1:8001/res2", request);
//return JSON.toJSONString(new Result(200, "服务B -> 资源1"));
}
@GetMapping("/res2")
public String getRes2() {
return JSON.toJSONString(new Result(200, "服务B -> 资源2"));
}
/**
* 请求资源
*
* @param url
* @param request
* @return
*/
private String getServer(String url,
HttpServletRequest request) {
// ======== 1、从session中取token ========
HttpSession session = request.getSession();
String token = (String) session.getAttribute("micro-token");
// ======== 2、请求token ========
// 先查session中是否有token;session中没有
if (StringUtils.isEmpty(token)) {
// ===== 去认证中心申请 =====
// 对id及密钥加密
byte[] userpass = Base64.encodeBase64(("micro_service:123456").getBytes());
String str = "";
try {
str = new String(userpass, "UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
// 请求头
HttpHeaders headers1 = new HttpHeaders();
// 组装请求头
headers1.add("Authorization", "Basic " + str);
// 请求体
HttpEntity<Object> httpEntity1 = new HttpEntity<>(headers1);
// 响应体
ResponseEntity<String> responseEntity1 = null;
try {
// 发起申请令牌请求
responseEntity1 = restTemplate.exchange("http://os.com:9000/oauth2/token?grant_type=client_credentials", HttpMethod.POST, httpEntity1, String.class);
} catch (RestClientException e) {
//
System.out.println("令牌申请失败");
}
// 令牌申请成功
if (responseEntity1 != null) {
// 解析令牌
// String t = JSON.parseObject(responseEntity1.getBody(), MyAuth.class).getAccess_token();
Map<String, String> resMap = JSON.parseObject(responseEntity1.getBody(), HashMap.class);
String t = resMap.get("access_token");
// 存入session
session.setAttribute("micro-token", t);
// 赋于token变量
token = t;
}
}
// ======== 3、请求资源 ========
// 请求头
HttpHeaders headers2 = new HttpHeaders();
// 组装请求头
headers2.add("Authorization", "Bearer " + token);
// 请求体
HttpEntity<Object> httpEntity2 = new HttpEntity<>(headers2);
// 响应体
ResponseEntity<String> responseEntity2;
try {
// 发起访问资源请求
responseEntity2 = restTemplate.exchange(url, HttpMethod.GET, httpEntity2, String.class);
} catch (RestClientException e) {
// 令牌失效(认证失效401) --> 清除session
// e.getMessage() 信息格式:
// 401 : "{"msg":"认证失败","uri":"/res2"}"
String str = e.getMessage();
// 判断是否含有 401
if(StringUtils.contains(str, "401")){
// 如果有401,把session中 micro-token 的值设为空
session.setAttribute("micro-token","");
}
// 取两个括号中间的部分(包含两个括号)
return str.substring(str.indexOf("{"), str.indexOf("}") + 1);
}
// 返回
return responseEntity2.getBody();
}
}
// 用于解析申请到的令牌数据
/*@Data
class MyAuth {
private String access_token;
private String scope;
private String token_type;
private long expires_in;
}*/3.4、测试
- 启动server、resource,无须启动client
- 直接访问resource_b
3.5、资源服务器B添加安全策略
- 添加依赖
<!-- 资源服务器 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>- 再次启动测试,已经无法直接访问;需要通过客户端去访问
3.6、继续改造资源服务器B
复制 资源服务器A 中配置策略到 资源服务器B 中来
- 复制cer公钥文件
- appliction.yml中添加jtw配置
# 自定义 jwt 配置(校验jwt)
jwt:
cert-info:
# 公钥证书存放位置
public-key-location: myjks.cer
claims:
# 令牌的鉴发方:即授权服务器的地址
issuer: http://os.com:9000- 复制 oauth2 配置包;如下图
3.7、客户端client访问测试
- 用 maven 的
clean清理项目 - 启动 server、resource (a和b)、client
- 登录客户端
- 访问资源服务A
- 访问资源服务B
如果需要 资源服务器A 调用 B 中资源;可以把 B 中的实现逻辑复制过去就行。
后期会把资源服务器中的公共部分抽离出来,制成starter…
2023-4-16:用starter实现Oauth2中资源服务的统一配置
一、前言
Oauth2中的资源服务Resource需要验证令牌,就要配置令牌的解码器JwtDecoder,认证服务器的公钥等等。如果有多个资源服务Resource,就要重复配置,比较繁锁。把公共的配置信息抽取出来,制成starter,可以极大地简化操作。
- 未使用starter的原来配置
二、制作starter
详细步骤参考:自定义启动器 Starter【保姆级教程】
1、完整结构图
2、外部引用模块
名称:
tuwer-oauth2-config-spring-boot-starter普通的 maven 项目
资源服务中引入该模块的依赖即可
模块中只有一个pom.xml文件,其余的都可删除
- pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.tuwer</groupId> <artifactId>tuwer-oauth2-config-spring-boot-starter</artifactId> <version>1.0-SNAPSHOT</version> <description>oauth2-config启动器</description> <properties> <maven.compiler.source>8</maven.compiler.source> <maven.compiler.target>8</maven.compiler.target> <!-- 编译编码 --> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> </properties> <dependencies> <!-- 自动配置模块 --> <dependency> <groupId>com.tuwer</groupId> <artifactId>tuwer-oauth2-config-spring-boot-starter-autoconfigure</artifactId> <version>1.0-SNAPSHOT</version> </dependency> </dependencies> </project>3、自动配置模块
核心模块
名称:
tuwer-oauth2-config-spring-boot-starter-autoconfigurespring boot 项目
- pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.6.7</version> </parent> <modelVersion>4.0.0</modelVersion> <groupId>com.tuwer</groupId> <artifactId>tuwer-oauth2-config-spring-boot-starter-autoconfigure</artifactId> <version>1.0-SNAPSHOT</version> <description>oauth2-config启动器自动配置模块</description> <properties> <maven.compiler.source>8</maven.compiler.source> <maven.compiler.target>8</maven.compiler.target> <!-- 编译编码 --> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> </properties> <dependencies> <!-- 基础启动器 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <!-- 资源服务器 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-oauth2-resource-server</artifactId> </dependency> <!-- web --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- lombok --> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <version>1.18.22</version> </dependency> </dependencies> </project>
- handler(拒绝访问、认证失败)处理类
package com.tuwer.config.handler; import com.fasterxml.jackson.databind.ObjectMapper; import lombok.SneakyThrows; import org.springframework.http.MediaType; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.util.HashMap; /** * <p>拒绝访问处理器</p> * * @author 土味儿 * Date 2022/5/11 * @version 1.0 */ public class SimpleAccessDeniedHandler implements AccessDeniedHandler { @SneakyThrows @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException ) throws IOException, ServletException { //todo your business HashMap<String, String> map = new HashMap<>(2); map.put("uri", request.getRequestURI()); map.put("msg", "拒绝访问"); response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setCharacterEncoding("utf-8"); response.setContentType(MediaType.APPLICATION_JSON_VALUE); ObjectMapper objectMapper = new ObjectMapper(); String resBody = objectMapper.writeValueAsString(map); PrintWriter printWriter = response.getWriter(); printWriter.print(resBody); printWriter.flush(); printWriter.close(); } }package com.tuwer.config.handler; import com.fasterxml.jackson.databind.ObjectMapper; import lombok.SneakyThrows; import org.springframework.http.MediaType; import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException; import org.springframework.security.web.AuthenticationEntryPoint; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.util.HashMap; /** * <p>认证失败处理器</p> * * @author 土味儿 * Date 2022/5/11 * @version 1.0 */ public class SimpleAuthenticationEntryPoint implements AuthenticationEntryPoint { @SneakyThrows @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException ) throws IOException, ServletException { HashMap<String, String> map = new HashMap<>(2); if (authException instanceof InvalidBearerTokenException) { // 令牌失效 System.out.println("token失效"); //todo token处理逻辑 } map.put("uri", request.getRequestURI()); map.put("msg", "认证失败"); if (response.isCommitted()) { return; } response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_ACCEPTED); response.setCharacterEncoding("utf-8"); response.setContentType(MediaType.APPLICATION_JSON_VALUE); ObjectMapper objectMapper = new ObjectMapper(); String resBody = objectMapper.writeValueAsString(map); PrintWriter printWriter = response.getWriter(); printWriter.print(resBody); printWriter.flush(); printWriter.close(); } }
property(权限、令牌)属性类
权限属性类:
AuthProperty,通过application.yml来配置权限,避免在自动配置类中以硬编码的形式写入权限package com.tuwer.config.property; import lombok.Data; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.util.CollectionUtils; import java.util.Set; /** * <p>权限属性类</p> * * @author 土味儿 * Date 2022/9/2 * @version 1.0 */ @Data @ConfigurationProperties(prefix = "resource-auth") public final class AuthProperty { private Authority authority; /** * 权限 */ @Data public static class Authority { private Set<String> roles; private Set<String> scopes; private Set<String> auths; } /** * 组装权限字符串 * 目的:给 hasAnyAuthority() 方法生成参数 * @return */ public String getAllAuth() { StringBuilder res = new StringBuilder(); // 角色 Set<String> roles = this.authority.roles; // 角色非空时 if (!CollectionUtils.isEmpty(roles)) { for (String role : roles) { res.append(role).append("','"); } // 循环结果后,生成类似:x ',' y ',' z ',' } // 范围 Set<String> scopes = this.authority.scopes; // 非空时 if (!CollectionUtils.isEmpty(scopes)) { for (String scope : scopes) { res.append("SCOPE_" + scope).append("','"); } // 循环结果后,生成类似:x ',' y ',' z ',' SCOPE_a ',' SCOPE_b ',' SCOPE_c ',' } // 细粒度权限 Set<String> auths = this.authority.auths; // 非空时 if (!CollectionUtils.isEmpty(auths)) { for (String auth : auths) { res.append(auth).append("','"); } // 循环结果后,生成类似:x ',' y ',' z ',' SCOPE_a ',' SCOPE_b ',' SCOPE_c ',' l ',' m ',' n ',' } // 如果res不为空,去掉最后多出的三个字符 ',' int len = res.length(); if (len > 3) { res.delete(len - 3, len); } return res.toString(); } }
package com.tuwer.config.property; import lombok.Data; import org.springframework.boot.context.properties.ConfigurationProperties; /** * <p>属性配置类</p> * * @author 土味儿 * Date 2022/5/11 * @version 1.0 */ @Data @ConfigurationProperties(prefix = "jwt") public class JwtProperty { /* ======= 配置示例 ====== # 自定义 jwt 配置 jwt: cert-info: # 证书存放位置 public-key-location: myKey.cer claims: # 令牌的鉴发方:即授权服务器的地址 issuer: http://os:9000 */ /** * 证书信息(内部静态类) * 证书存放位置... */ private CertInfo certInfo; /** * 证书声明(内部静态类) * 发证方... */ private Claims claims; @Data public static class Claims { /** * 发证方 */ private String issuer; /** * 有效期 */ //private Integer expiresAt; } @Data public static class CertInfo { /** * 证书存放位置 */ private String publicKeyLocation; } }
- 解码器自动配置类
package com.tuwer.config; import com.nimbusds.jose.jwk.RSAKey; import com.tuwer.config.property.JwtProperty; import lombok.SneakyThrows; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Primary; import org.springframework.core.io.ClassPathResource; import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.jwt.Jwt; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtIssuerValidator; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import javax.annotation.Resource; import java.io.InputStream; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.interfaces.RSAPublicKey; import java.util.Collection; /** * <p>自定义jwt解码器</p> * * @author 土味儿 * Date 2022/5/11 * @version 1.0 */ @EnableConfigurationProperties(JwtProperty.class) @Configuration public class JwtDecoderConfiguration { /** * 注入 JwtProperties 属性配置类 */ @Resource private JwtProperty jwtProperty; /** * 校验jwt发行者 issuer 是否合法 * * @return the jwt issuer validator */ @Bean JwtIssuerValidator jwtIssuerValidator() { return new JwtIssuerValidator(this.jwtProperty.getClaims().getIssuer()); } /* * * 校验jwt是否过期 * * @return the jwt timestamp validator */ /* @Bean JwtTimestampValidator jwtTimestampValidator() { System.out.println("检测令牌是否过期!"+ LocalDateTime.now()); return new JwtTimestampValidator(Duration.ofSeconds((long) this.jwtProperties.getClaims().getExpiresAt())); }*/ /** * jwt token 委托校验器,集中校验的策略{@link OAuth2TokenValidator} * * // @Primary:自动装配时当出现多个Bean候选者时,被注解为@Primary的Bean将作为首选者,否则将抛出异常 * @param tokenValidators the token validators * @return the delegating o auth 2 token validator */ @Primary @Bean({"delegatingTokenValidator"}) public DelegatingOAuth2TokenValidator<Jwt> delegatingTokenValidator(Collection<OAuth2TokenValidator<Jwt>> tokenValidators) { return new DelegatingOAuth2TokenValidator<>(tokenValidators); } /** * 基于Nimbus的jwt解码器,并增加了一些自定义校验策略 * * // @Qualifier 当有多个相同类型的bean存在时,指定注入 * @param validator DelegatingOAuth2TokenValidator<Jwt> 委托token校验器 * @return the jwt decoder */ @SneakyThrows @Bean public JwtDecoder jwtDecoder(@Qualifier("delegatingTokenValidator") DelegatingOAuth2TokenValidator<Jwt> validator) { // 指定 X.509 类型的证书工厂 CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); // 读取cer公钥证书来配置解码器 String publicKeyLocation = this.jwtProperty.getCertInfo().getPublicKeyLocation(); // 获取证书文件输入流 ClassPathResource resource = new ClassPathResource(publicKeyLocation); InputStream inputStream = resource.getInputStream(); // 得到证书 X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream); // 解析 RSAKey rsaKey = RSAKey.parse(certificate); // 得到公钥 RSAPublicKey key = rsaKey.toRSAPublicKey(); // 构造解码器 NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder.withPublicKey(key).build(); // 注入自定义JWT校验逻辑 nimbusJwtDecoder.setJwtValidator(validator); return nimbusJwtDecoder; } }
- 主自动配置类:安全权限等
package com.tuwer.config; import com.tuwer.config.handler.SimpleAccessDeniedHandler; import com.tuwer.config.handler.SimpleAuthenticationEntryPoint; import com.tuwer.config.property.AuthProperty; import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.oauth2.jwt.JwtClaimNames; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter; import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter; import org.springframework.security.web.SecurityFilterChain; import javax.annotation.Resource; /** * <p>资源服务器配置</p> * 当解码器JwtDecoder存在时生效 * * @author 土味儿 * Date 2022/5/11 * @version 1.0 */ @ConditionalOnBean(JwtDecoder.class) @EnableConfigurationProperties(AuthProperty.class) @Configuration public class AutoConfiguration { @Resource private AuthProperty authProperty; /** * 资源管理器配置 * * @param http the http * @return the security filter chain * @throws Exception the exception */ @Bean SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception { // 拒绝访问处理器 401 SimpleAccessDeniedHandler accessDeniedHandler = new SimpleAccessDeniedHandler(); // 认证失败处理器 403 SimpleAuthenticationEntryPoint authenticationEntryPoint = new SimpleAuthenticationEntryPoint(); return http // security的session生成策略改为security不主动创建session即STALELESS .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() // 允许【pc客户端】或【其它微服务】访问 .authorizeRequests() //.antMatchers("/**").hasAnyAuthority("SCOPE_client_pc","SCOPE_micro_service") // 从配置文件中读取权限信息 .antMatchers("/**").hasAnyAuthority(authProperty.getAllAuth()) // 其余请求都需要认证 .anyRequest().authenticated() .and() // 异常处理 .exceptionHandling(exceptionConfigurer -> exceptionConfigurer // 拒绝访问 .accessDeniedHandler(accessDeniedHandler) // 认证失败 .authenticationEntryPoint(authenticationEntryPoint) ) // 资源服务 .oauth2ResourceServer(resourceServer -> resourceServer .accessDeniedHandler(accessDeniedHandler) .authenticationEntryPoint(authenticationEntryPoint) .jwt() ) .build(); } /** * JWT个性化解析 * * @return */ @Bean JwtAuthenticationConverter jwtAuthenticationConverter() { JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter(); JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter(); // 如果不按照规范 解析权限集合Authorities 就需要自定义key // jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("scopes"); // OAuth2 默认前缀是 SCOPE_ Spring Security 是 ROLE_ // jwtGrantedAuthoritiesConverter.setAuthorityPrefix(""); jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter); // 用户名 可以放sub jwtAuthenticationConverter.setPrincipalClaimName(JwtClaimNames.SUB); return jwtAuthenticationConverter; } /** * 开放一些端点的访问控制 * 不需要认证就可以访问的端口 * @return */ @Bean WebSecurityCustomizer webSecurityCustomizer() { return web -> web.ignoring().antMatchers( "/actuator/**" ); } }
- spring.factories
指明自动配置类的地址,在
resources目录下编写一个自己的META-INF\spring.factories;有两个自动配置类,中间用逗号分开注意点:
如果同一个组中有多个starter,自动配置类名称不要相同;如果相同,将只有一个配置类生效,其余的将失效。
如:
starterA中:com.tuwer.config.AutoConfiguration
starterB中:就不要再用 com.tuwer.config.AutoConfiguration 名称,可以改为 com.tuwer.config.AutoConfigurationB
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\ com.tuwer.config.JwtDecoderConfiguration,\ com.tuwer.config.AutoConfiguration
- application.yml
令牌、权限的配置可以放在引用starter的资源服务中;如果每个资源服务的配置都一样,可以放在starter中
# 自定义 jwt 配置(校验jwt) jwt: cert-info: # 公钥证书存放位置 public-key-location: myjks.cer claims: # 令牌的鉴发方:即授权服务器的地址 issuer: http://os.com:9000 # 自定义权限配置 resource-auth: # 权限 authority: # 角色名称;不用加ROlE_,提取用户角色权限时,自动加 roles: # 授权范围;不用加SCOPE_,保持与认证中心中定义的一致即可; # 后台自动加 SCOPE_ scopes: - client_pc - micro_service # 细粒度权限 auths:
- 公钥
把认证中心的公钥文件
myjks.cer放到resources目录下4、install
把starter安装install到本地maven仓库中
三、使用starter
1、引入starter依赖
在资源服务中引入
tuwer-oauth2-config-spring-boot-starter
2、application.yml
3、删除资源服务中原文件
摘抄自网络,便于检索查找。
