美文网首页
搭建Spring Security OAuth2认证授权服务器

搭建Spring Security OAuth2认证授权服务器

作者: 南湘嘉荣 | 来源:发表于2023-10-18 17:25 被阅读0次

1.创建一几个独立的Spring Boot服务,并引入依赖

        <dependency>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <!-- nacos服务注册与发现依赖 -->
        <dependency>
            <groupId>com.alibaba.cloud</groupId>
            <artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
        </dependency>

        <!-- nacos服务注册与发现依赖 -->
        <dependency>
            <groupId>com.alibaba.cloud</groupId>
            <artifactId>spring-cloud-starter-alibaba-nacos-config</artifactId>
        </dependency>

        <!--spring security的依赖-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <!--OAuth2的依赖-->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
        </dependency>

主要是要引入spring-boot-starter-security和spring-cloud-starter-oauth2的依赖。

2.将服务注册到nacos

spring:
  application:
    name: sensible-oauth2

  cloud:
    nacos:
      server-addr: localhost:8848
      discovery:
        namespace: seata
        group: seata
      config:
        namespace: seata
        group: seata

3.配置认证服务器

配置认证服务器需要继承 AuthorizationServerConfigurerAdapter,主要是三个方面的配置:安全配置、端点配置、客户端配置。

安全配置主要针对授权服务器端点的访问策略、认证策略、加密方式等进行配置。

端点配置主要配置授权服务器的token存储方式、token转换、端点增强、端点自定义、token授权、token生成等进行配置。

客户端配置主要配置接入的客户端相关信息,如授权类型、授权范围、秘钥等内容。

package com.sensible.config;

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

/**
 * AuthorizationServerConfiguration 类
 * 认证授权中心配置类
 *
 * @author liuyc
 * @date 2023/10/18 11:58 上午
 */
@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private AuthenticationManager authenticationManager;

    private UserDetailsService userDetailsService;

    private PasswordEncoder passwordEncoder;

    /**
     * 安全配置
     *
     * @param security
     * @throws Exception
     */    
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients()
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("permitAll()");
    }

    /**
     * 端点配置
     *
     * @param endpoints
     * @throws Exception
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(new InMemoryTokenStore())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService)
                .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }

    /**
     * 客户端配置
     *
     * @param clients
     * @throws Exception
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        String client_secret = passwordEncoder.encode("123456");
        
        clients.inMemory()
                // admin,授权码认证、密码认证、客户端认证、简单认证、刷新token
                .withClient("admin")
                .secret(client_secret)
                .resourceIds("sensible-oauth2")
                .scopes("server", "select")
                .authorizedGrantTypes("authorization_code", "password", "refresh_token", "client_credentials", "implicit")
                .redirectUris("http://www.baidu.com")

                .and()
                // client_1,密码认证、刷新token
                .withClient("client_1")
                .secret(client_secret)
                .resourceIds("sensible-oauth2")
                .scopes("server", "select")
                .authorizedGrantTypes("password", "refresh_token")

                .and()
                // client_2,客户端认证、刷新token
                .withClient("client_2")
                .secret(client_secret)
                .resourceIds("sensible-oauth2")
                .scopes("server", "select")
                .authorizedGrantTypes("client_credentials", "refresh_token");
    }
}

@EnableAuthorizationServer注解的作用是启用所在的服务作为授权服务器。可以放在配置类上,或者放在SpringBoot的启动类上。

4.配置资源服务器

配置资源服务器需要继承ResourceServerConfigurerAdapter,主要负责针对资源服务器的安全访问策略进行相关配置。这里我们把认证授权服务器也当作资源服务器,在实际的企业项目中,资源服务器一般是网关服务担当。

package com.sensible.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * ResourceServerConfig 类
 *
 * @author liuyc
 * @date 2023/10/18 11:58 上午
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        //设置资源服务器的ID
        resources.resourceId("sensible-oauth2")
                //将资源服务器设置为无状态(stateless)模式
                .stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                //只有匹配"/oauth/login"路径的请求会被处理。
                .antMatchers("/oauth/login")
                .and()
                //所有的请求,需要经过身份认证后才能访问
                .authorizeRequests().anyRequest().authenticated();
    }
}

@EnableResourceServer注解的作用是启用所在的服务作为资源服务器。可以放在配置类上,或者放在SpringBoot的启动类上。

5.配置Spring Security

为何还需要单独针对SpringSecurity再进行配置呢?
答案之一就在于授权模式中的授权码模式,后续会出相关文章,详细说明这个问题。此外,还需配置UserDetailsService、PasswordEncoder等内容。

package com.sensible.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import java.util.ArrayList;
import java.util.List;

/**
 * WebSecurityConfig 类
 *
 * @author liuyc
 * @date 2023/10/18 11:58 上午
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }


    /**
     * AuthenticationManager在OAuth2认证服务中要使用,提前放入Spring IOC容器
     *
     * @return
     * @throws Exception
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean(name = "userDetailsService")
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return createUserDetailsService();
    }

    @Override
    protected UserDetailsService userDetailsService() {
        return createUserDetailsService();
    }

    private UserDetailsService createUserDetailsService() {
        String password = passwordEncoder().encode("123456");
        List<UserDetails> users = new ArrayList<>();

        UserDetails user_admin = User.withUsername("admin").password(password).authorities("ADMIN", "USER").build();
        UserDetails user_1 = User.withUsername("user_1").password(password).authorities("ADMIN", "USER").build();
        UserDetails user_2 = User.withUsername("user_2").password(password).authorities("USER").build();
        users.add(user_admin);
        users.add(user_1);
        users.add(user_2);

        return new InMemoryUserDetailsManager(users);
    }

    /**
     * 配置安全拦截策略
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().anyRequest().and().formLogin().and().csrf().disable();
    }
}

6.创建资源

既然是资源服务器,那就需要资源。

package com.sensible.controller;

import com.sensible.result.R;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.security.Principal;

/**
 * LoginController 类
 *
 * @author liuyc
 * @date 2023/10/18 12:31 下午
 */
@RestController
@RequestMapping("/oauth")
public class LoginController {

    @GetMapping("/login")
    public R<Principal> login(Principal user) {
        return R.success(user);
    }
}

7.测试

首先,请求授权。


image.png

接下来就可以用access_token去访问资源了。


image.png

相关文章

网友评论

      本文标题:搭建Spring Security OAuth2认证授权服务器

      本文链接:https://www.haomeiwen.com/subject/yercidtx.html