spring security oauth2 自动刷新续签token (refresh token)
1.引言
- 前提:了解spring security oauth2的大致流程(对过滤器的内容有一定的了解)
- 主要思路:
- 首先用过期token访问受拦截资源
- 认证失败返回401的时候调用异常处理器
- 通过异常处理器结合refresh_token进行token的刷新
- 刷新成功则通过请求转发(request.getRequestDispatcher)的方式再次访问受拦截资源
2.源码分析核心过滤器OAuth2AuthenticationProcessingFilter
- 此过滤器与我们的token的各种操作息息相关,不清楚的可以参考别人的博客进行了解https://blog.csdn.net/u013815546/article/details/77046453
- 下面是此过滤器的过滤方法,从中可以知道当授权失败抛出异常的时候将会被catch,并且通过authenticationEntryPoint.commence()调用端点异常处理器,这个被调用的异常处理器就是我们要重写的类
-
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
-
ServletException {
-
-
final boolean debug = logger.isDebugEnabled();
-
final HttpServletRequest request = (HttpServletRequest) req;
-
final HttpServletResponse response = (HttpServletResponse) res;
-
-
try {
-
-
Authentication authentication = tokenExtractor.extract(request);
-
-
...
-
-
catch (OAuth2Exception failed) {
-
SecurityContextHolder.clearContext();
-
-
if (debug) {
-
logger.debug("Authentication request failed: " + failed);
-
}
-
eventPublisher.publishAuthenticationFailure(new BadCredentialsException(failed.getMessage(), failed),
-
new PreAuthenticatedAuthenticationToken("access-token", "N/A"));
-
-
authenticationEntryPoint.commence(request, response,
-
new InsufficientAuthenticationException(failed.getMessage(), failed));
-
-
return;
-
}
-
-
chain.doFilter(request, response);
-
}
3.分析默认端点异常处理器
- 从过滤器源码中我们可以看到此异常处理器是有默认实现类的
-
public class OAuth2AuthenticationProcessingFilter implements Filter, InitializingBean {
-
-
private final static Log logger = LogFactory.getLog(OAuth2AuthenticationProcessingFilter.class);
-
-
private AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
-
-
...
-
-
}
- 通过查看此默认处理器,我们可以发现里面主要调用了doHandle的方法
-
public class OAuth2AuthenticationEntryPoint extends AbstractOAuth2SecurityExceptionHandler implements
-
AuthenticationEntryPoint {
-
-
...
-
-
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
-
throws IOException, ServletException {
-
doHandle(request, response, authException);
-
}
-
-
...
-
-
}
- 我们再次查看doHandle的具体内容可以得出此过滤器的主要功能有3个:
- 解析异常类型
- 扩展respone的一些属性和内容
- respone 刷新缓存直接返回
-
protected final void doHandle(HttpServletRequest request, HttpServletResponse response, Exception authException)
-
throws IOException, ServletException {
-
try {
-
ResponseEntity<?> result = exceptionTranslator.translate(authException);
-
result = enhanceResponse(result, authException);
-
exceptionRenderer.handleHttpEntityResponse(result, new ServletWebRequest(request, response));
-
response.flushBuffer();
-
}
-
-
...
-
}
4.重写异常处理器
- 对默认异常处理器的分析,我们可以得出如果是我们需要的异常(401异常)则用我们自定义的方法进行处理,如果是其他异常则让原来的异常处理器处理即可,大致思路如下:
- 通过exceptionTranslator.translate(authException)解析异常,判断异常类型(status)
- 如果不是401异常,则直接调用默认异常处理器的处理方法即可
- 如果是401异常则向授权服务器发起token刷新的请求
- 如果token刷新成功,则通过request.getRequestDispatcher(request.getRequestURI()).forward(request,response);再次请求资源
- 如果token刷新失败,要么跳转到登陆页面(web的话也可以通过response.sendirect跳转到登陆页面),要么返回错误信息(json)
-
public class LLGAuthenticationEntryPoint extends OAuth2AuthenticationEntryPoint {
-
-
@Autowired
-
private OAuth2ClientProperties oAuth2ClientProperties;
-
@Autowired
-
private BaseOAuth2ProtectedResourceDetails baseOAuth2ProtectedResourceDetails;
-
private WebResponseExceptionTranslator<?> exceptionTranslator = new DefaultWebResponseExceptionTranslator();
-
@Autowired
-
RestTemplate restTemplate;
-
-
@Override
-
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
-
try {
-
//解析异常,如果是401则处理
-
ResponseEntity<?> result = exceptionTranslator.translate(authException);
-
if (result.getStatusCode() == HttpStatus.UNAUTHORIZED) {
-
MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
-
formData.add("client_id", oAuth2ClientProperties.getClientId());
-
formData.add("client_secret", oAuth2ClientProperties.getClientSecret());
-
formData.add("grant_type", "refresh_token");
-
Cookie[] cookie=request.getCookies();
-
for(Cookie coo:cookie){
-
if(coo.getName().equals("refresh_token")){
-
formData.add("refresh_token", coo.getValue());
-
}
-
}
-
HttpHeaders headers = new HttpHeaders();
-
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
-
Map map = restTemplate.exchange(baseOAuth2ProtectedResourceDetails.getAccessTokenUri(), HttpMethod.POST,
-
new HttpEntity<MultiValueMap<String, String>>(formData, headers), Map.class).getBody();
-
//如果刷新异常,则坐进一步处理
-
if(map.get("error")!=null){
-
// 返回指定格式的错误信息
-
response.setStatus(401);
-
response.setHeader("Content-Type", "application/json;charset=utf-8");
-
response.getWriter().print("{\"code\":1,\"message\":\""+map.get("error_description")+"\"}");
-
response.getWriter().flush();
-
//如果是网页,跳转到登陆页面
-
//response.sendRedirect("login");
-
}else{
-
//如果刷新成功则存储cookie并且跳转到原来需要访问的页面
-
for(Object key:map.keySet()){
-
response.addCookie(new Cookie(key.toString(),map.get(key).toString()));
-
}
-
request.getRequestDispatcher(request.getRequestURI()).forward(request,response);
-
}
-
}else{
-
//如果不是401异常,则以默认的方法继续处理其他异常
-
super.commence(request,response,authException);
-
}
-
} catch (Exception e) {
-
e.printStackTrace();
-
}
-
-
}
-
-
}
5.将处理器设置到过滤器上
- 由于spring security遵循适配器的设计模式,所以我们可以直接从配置类上配置此处理器
-
-
(prePostEnabled = true, securedEnabled = true)
-
public abstract class ResServerConfig extends ResourceServerConfigurerAdapter {
-
-
...
-
-
-
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
-
super.configure(resources);
-
-
resources.authenticationEntryPoint(new LLGAuthenticationEntryPoint());
-
-
}
6.实战
6.1向授权服务器获取token
- 首先编写登陆控制器,通过restTemplate向授权服务器获取token并且存入cookie
-
PostMapping(value = "/login")
-
public ResponseEntity<OAuth2AccessToken> login(@RequestBody @Valid LoginDTO loginDTO, BindingResult bindingResult, HttpServletResponse response) throws Exception {
-
if (bindingResult.hasErrors()) {
-
throw new Exception("登录信息格式错误");
-
} else {
-
//Http Basic 验证
-
String clientAndSecret = oAuth2ClientProperties.getClientId() + ":" + oAuth2ClientProperties.getClientSecret();
-
//这里需要注意为 Basic 而非 Bearer
-
clientAndSecret = "Basic " + Base64.getEncoder().encodeToString(clientAndSecret.getBytes());
-
HttpHeaders httpHeaders = new HttpHeaders();
-
httpHeaders.set("Authorization", clientAndSecret);
-
//授权请求信息
-
MultiValueMap<String, String> map = new LinkedMultiValueMap<>();
-
map.put("username", Collections.singletonList(loginDTO.getUsername()));
-
map.put("password", Collections.singletonList(loginDTO.getPassword()));
-
map.put("grant_type", Collections.singletonList(oAuth2ProtectedResourceDetails.getGrantType()));
-
map.put("scope", oAuth2ProtectedResourceDetails.getScope());
-
//HttpEntity
-
HttpEntity httpEntity = new HttpEntity(map, httpHeaders);
-
//获取 Token
-
ResponseEntity<OAuth2AccessToken> body = restTemplate.exchange(oAuth2ProtectedResourceDetails.getAccessTokenUri(), HttpMethod.POST, httpEntity, OAuth2AccessToken.class);
-
OAuth2AccessToken oAuth2AccessToken = body.getBody();
-
response.addCookie(new Cookie("access_token", oAuth2AccessToken.getValue()));
-
response.addCookie(new Cookie("refresh_token", oAuth2AccessToken.getRefreshToken().getValue()));
-
return body;
-
}
-
}
- 之后我在这里通过idea的 HTTP Client 工具模拟请求获取token
- 获取access_token请求(/oauth/token)
请求所需参数:client_id、client_secret、grant_type、username、password
6.2模拟失效token访问资源服务器
- 使用失效的token访问资源的时候,可以发现断点直接到达异常处理器,由此看出token确实是失效的并且进入了异常处理器进行处理,最终通过refresh_token获取到最新的token再次成功访问获取资源
- 刷新token请求(/oauth/token)
请求所需参数:grant_type、refresh_token、client_id、client_secret
其中grant_type为固定值:grant_type=refresh_token
7.总结
本次由于对spring security oauth2了解不深入,导致在寻找异常抛出解决方法的时候折腾了一下,整体的思路并不复杂,只是用到了最普通的请求转发,但是需要对过滤器链有一定了解,打断点慢慢看是不错的选择。
如果令牌不是存放在cookie而是licalstorage中该如何把令牌返回给前段呢?毕竟我们服务器内部进行了重定向,前端完全不知道令牌被刷新了。
摘抄自网络,便于检索查找。
