配置AuthorizationServerConfigurer

  1. import cn.hutool.core.map.MapUtil;
  2. import com.backend.oauth.common.model.JwtTokenConstant;
  3. import com.backend.oauth.common.model.SystemUser;
  4. import com.backend.oauth.service.oauth.JwtTokenUserDetailService;
  5. import org.springframework.beans.factory.annotation.Autowired;
  6. import org.springframework.context.annotation.Bean;
  7. import org.springframework.context.annotation.Configuration;
  8. import org.springframework.core.io.ClassPathResource;
  9. import org.springframework.http.HttpMethod;
  10. import org.springframework.security.authentication.AuthenticationManager;
  11. import org.springframework.security.crypto.password.PasswordEncoder;
  12. import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
  13. import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
  14. import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
  15. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
  16. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
  17. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
  18. import org.springframework.security.oauth2.provider.ClientDetailsService;
  19. import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
  20. import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
  21. import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  22. import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
  23. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  24. import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
  25. import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
  27. import javax.sql.DataSource;
  28. import java.security.KeyPair;
  29. import java.util.ArrayList;
  30. import java.util.List;
  31. import java.util.Map;
  33. @Configuration
  34. @EnableAuthorizationServer
  35. public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
  36.     /**
  37.     * Security的认证管理器,密码模式需要用到
  38.     */
  39.     @Autowired
  40.     private AuthenticationManager authenticationManager;
  41.     @Autowired
  42.     private JwtTokenUserDetailService jwtTokenUserDetailService;
  43.     @Autowired
  44.     private DataSource dataSource;
  45.     @Autowired
  46.     private PasswordEncoder passwordEncoder;
  47.     /**
  48.     * 客户端存储策略,这里使用内存方式,后续可以存储在数据库
  49.     */
  50.     @Autowired
  51.     private ClientDetailsService clientDetailsService;
  53.     /**
  54.     * 允许表单认证
  55.     */
  56.     @Override
  57.     public void configure(AuthorizationServerSecurityConfigurer security) {
  58.         security
  59.             .passwordEncoder(passwordEncoder)
  60.             .allowFormAuthenticationForClients();
  61.     }
  63.     /**
  64.     * oauth三方客户端信息配置
  65.     * 从oauth_client_details表中获取被允许接入的客户端详情
  66.     */
  67.     @Override
  68.     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
  69.         JdbcClientDetailsService detailsService = new JdbcClientDetailsService(dataSource);
  70.         clients.withClientDetails(detailsService);
  71.     }
  73.     /**
  74.     * 配置授权(authorization)以及令牌(token)的访问端点和令牌服务(token services)
  75.     */
  76.     @Override
  77.     public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
  78.         //访问端点配置
  79.         endpoints
  80.             //密码模式所需要的authenticationManager
  81.             .authenticationManager(authenticationManager)
  82.             //oauth token和JWT token转换器
  83.             .accessTokenConverter(jwtAccessTokenConverter())
  84.             //自定义的用户查询服务
  85.             .userDetailsService(jwtTokenUserDetailService)
  86.             //令牌管理服务,无论哪种模式都需要
  87.             .tokenServices(tokenServices())
  88.             //只允许POST提交访问令牌,uri:/oauth/token
  89.             .allowedTokenEndpointRequestMethods(HttpMethod.POST);
  90.     }
  92.     /**
  93.     * 令牌管理服务的配置
  94.     */
  95.     @Bean
  96.     public DefaultTokenServices tokenServices() {
  97.         DefaultTokenServices services = new DefaultTokenServices();
  98.         //JWT token自定义内容增强
  99.         TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
  100.         List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
  101.         tokenEnhancers.add(tokenEnhancer());
  102.         tokenEnhancers.add(jwtAccessTokenConverter());
  103.         tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
  104.         //添加到增强链
  105.         services.setTokenEnhancer(tokenEnhancerChain);
  106.         //客户端端配置策略
  107.         services.setClientDetailsService(clientDetailsService);
  108.         //支持令牌的刷新
  109.         services.setSupportRefreshToken(true);
  110.         //令牌服务
  111.         services.setTokenStore(new JwtTokenStore(jwtAccessTokenConverter()));
  112.         //access_token的过期时间
  113.         services.setAccessTokenValiditySeconds(60 * 60 * 24);
  114.         //refresh_token的过期时间
  115.         services.setRefreshTokenValiditySeconds(60 * 60 * 24 * 30);
  117.         return services;
  118.     }
  120.     /**
  121.     * 使用非对称加密算法对token签名
  122.     * 作用:JWT token和oauth token信息转换
  123.     */
  124.     @Bean
  125.     public JwtAccessTokenConverter jwtAccessTokenConverter() {
  126.         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
  127.         converter.setKeyPair(keyPair());
  128.         return converter;
  129.     }
  131.     /**
  132.     * 从classpath下的密钥库中获取密钥对(公钥+私钥)
  133.     */
  134.     @Bean
  135.     public KeyPair keyPair() {
  136.         KeyStoreKeyFactory factory = new KeyStoreKeyFactory(
  137.             new ClassPathResource("scaffold.jks"), "123456".toCharArray());
  138.         return factory.getKeyPair(
  139.             "scaffold", "123456".toCharArray());
  140.     }
  142.     /**
  143.     * JWT内容增强
  144.     * 在JWT token放入一些业务自定义的内容
  145.     */
  146.     @Bean
  147.     public TokenEnhancer tokenEnhancer() {
  148.         return (accessToken, authentication) -> {
  149.             Map<String, Object> additionalInfo = MapUtil.newHashMap();
  150.             Object principal = authentication.getUserAuthentication().getPrincipal();
  151.             if(principal instanceof SystemUser){
  152.                 SystemUser user = (SystemUser) principal;
  153.                 additionalInfo.put(JwtTokenConstant.USER_ID, user.getUserId());
  154.                 additionalInfo.put(JwtTokenConstant.USER_NAME, user.getUsername());
  155.             }
  156.             ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
  157.             return accessToken;
  158.         };
  159.     }
  160. }

配置securityConfig

import com.backend.oauth.service.oauth.JwtTokenUserDetailService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * web路径安全控制
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtTokenUserDetailService jwtTokenUserDetailService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
//                .formLogin().permitAll()
//                .and().httpBasic().and()
                .authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
                .and()
                .authorizeRequests().antMatchers("/oauth/**","/getPublicKey").permitAll()
                // 其余所有请求全部需要鉴权认证
                .anyRequest().authenticated()
                //关闭跨域保护
                .and().csrf().disable();
    }


    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        String encode = encoder.encode("123");
        System.out.println(encode);
        boolean matches = encoder.matches("123", "$2a$10$q.tlmZjrZHYDNbna.SQ7ye6AhSR2/w2aCkzK5eMCxL5Q1HgumNOvK");
        System.out.println(matches);
    }
    /**
     * 密码加密算法
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //从数据库中查询用户信息
        auth.userDetailsService(jwtTokenUserDetailService);
    }


    /**
     * AuthenticationManager对象在OAuth2认证服务中要使用,提前放入IOC容器中
     * Oauth的密码模式需要
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
  1. 提供JWT token对象
  2. 提供filter过滤器,作用
    1. 黑白名单
    2. 特定url放行
    3. 其他特殊需求,限流,匿名用户。。。
  3. 提供认证用的provider,作用
    1. 根据认证模式判定用户是否能颁发令牌
  4. 登录成功处理器
  5. 登录失败处理器

image.png