OAuth2 is a secure authorization framework, and there are plenty of articles online explaining its principles. From a practical standpoint, however, good articles are scarce. The Spring Security framework itself supports OAuth2, so below I build a demo with Spring Security to experience OAuth2 at the code level.
As before, start by creating a Spring Boot project and then add the corresponding dependencies (as you can see, Spring Cloud already has good support for OAuth2):
```xml
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <spring-security-oauth2-autoconfigure.version>2.1.0.RELEASE</spring-security-oauth2-autoconfigure.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>${spring-security-oauth2-autoconfigure.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
</dependencies>
```
Add the startup class:
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@SpringBootApplication
@EnableAuthorizationServer // this annotation is also added following the Spring Cloud convention
public class AuthorizationApp {

    public static void main(String[] args) {
        SpringApplication.run(AuthorizationApp.class, args);
    }
}
```
Nothing has been configured in application.yml yet. After starting the AuthorizationApp instance, a web service is listening on the default port 8080; by my understanding of the OAuth protocol, this should have brought up an OAuth2 authorization server.
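With an empty application.yml the framework falls back to whatever client registration it generates itself, so a practitioner would normally register the demo's clients explicitly. The class below is an added example, not code from the original post or from Spring; it plugs into the same @EnableAuthorizationServer setup via the AuthorizationServerConfigurerAdapter hook. The package name, the client id "demo-client", the secret "demo-secret", the scope and the redirect URI are made-up values for illustration.

```java
// Added example: explicit client registration for the authorization server
// started by AuthorizationApp above. @EnableAuthorizationServer already sits on
// AuthorizationApp, so this class only needs @Configuration.
package demo; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Spring Security 5 refuses clear-text secrets; the delegating encoder stores
    // them with an algorithm prefix ("{bcrypt}...") so the hash can be rotated later.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("demo-client")                                   // constructed client id
            .secret(passwordEncoder().encode("demo-secret"))             // constructed secret, stored hashed
            .authorizedGrantTypes("authorization_code", "refresh_token") // only the flows this client needs
            .scopes("read")                                              // constructed scope
            .redirectUris("http://localhost:9000/callback")              // exact-match redirect URI, assumed
            .accessTokenValiditySeconds(600)
            .refreshTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .tokenKeyAccess("permitAll()")          // /oauth/token_key may be read by anyone
            .checkTokenAccess("isAuthenticated()")  // /oauth/check_token only for authenticated clients
            .passwordEncoder(passwordEncoder());    // compare presented secrets against the stored hash
    }
}
```

With this in place, /oauth/authorize and /oauth/token serve only the registered client, with the grant types, scope and redirect URI pinned down rather than left to defaults; the user login behind /oauth/authorize still comes from whatever UserDetailsService Spring Security has configured (Spring Boot's generated default user, if nothing else is declared).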
Let's first analyze which configuration gets loaded:
1. Configuration introduced by the @EnableAuthorizationServer annotation
Looking at the source of the @EnableAuthorizationServer annotation:
```java
// from package org.springframework.security.oauth2.config.annotation.web.configuration
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})
public @interface EnableAuthorizationServer {
}
```
As you can see, it imports two configuration classes: AuthorizationServerEndpointsConfiguration and AuthorizationServerSecurityConfiguration.
According to the Javadoc of @EnableAuthorizationServer, this authorization server exposes two HTTP endpoints for us to call: /oauth/authorize (implemented by AuthorizationEndpoint) and /oauth/token (implemented by TokenEndpoint).
2. The auto-configuration class OAuth2AutoConfiguration
This is brought in by the spring-security-oauth2-autoconfigure dependency. The source of OAuth2AutoConfiguration:
```java
// from package org.springframework.boot.autoconfigure.security.oauth2
@Configuration
@ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurer.class })
@Import({ OAuth2AuthorizationServerConfiguration.class,
        OAuth2MethodSecurityConfiguration.class,
        OAuth2ResourceServerConfiguration.class,
        OAuth2RestOperationsConfiguration.class })
@AutoConfigureBefore(WebMvcAutoConfiguration.class)
@EnableConfigurationProperties(OAuth2ClientProperties.class)
public class OAuth2AutoConfiguration {

    private final OAuth2ClientProperties credentials;

    public OAuth2AutoConfiguration(OAuth2ClientProperties credentials) {
        this.credentials = credentials;
    }

    @Bean
    public ResourceServerProperties resourceServerProperties() {
        return new ResourceServerProperties(this.credentials.getClientId(),
                this.credentials.getClientSecret());
    }
}
```
From the source we can see that it in turn introduces several more configuration classes:
OAuth2AuthorizationServerConfiguration, OAuth2MethodSecurityConfiguration,
OAuth2ResourceServerConfiguration, OAuth2RestOperationsConfiguration
From the analysis so far, it looks as though two sets of configuration take part in the OAuth2 setup. Which one is actually in effect, or do the two cooperate? See the follow-up analysis.
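One way to check this question empirically rather than only by reading source is to ask the running context which @Configuration class declared each OAuth2-related bean. The runner below is an added diagnostic, not code from the original post or from Spring; it can be dropped into the demo project as-is. The package name and the substrings it filters on ("oauth", "authorizationserver") are my own choices.

```java
// Added diagnostic: after startup, print every bean whose name or declaring
// class mentions OAuth2 or the authorization server, together with the
// configuration that declared it, so both configuration sets can be compared.
package demo; // assumed package name

import java.util.Locale;

import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.stereotype.Component;

@Component
public class OAuth2BeanReport implements ApplicationRunner {

    private final ConfigurableApplicationContext context;

    public OAuth2BeanReport(ConfigurableApplicationContext context) {
        this.context = context;
    }

    @Override
    public void run(ApplicationArguments args) {
        ConfigurableListableBeanFactory factory = context.getBeanFactory();
        for (String name : factory.getBeanDefinitionNames()) {
            BeanDefinition def = factory.getBeanDefinition(name);
            // For a @Bean method, getFactoryBeanName() is the name of the
            // @Configuration bean that declares the method. For an imported or
            // scanned @Configuration class itself it is null, and the class name
            // is carried by getBeanClassName() instead.
            String declaredBy = def.getFactoryBeanName() != null
                    ? def.getFactoryBeanName()
                    : String.valueOf(def.getBeanClassName());
            String haystack = (name + " " + declaredBy).toLowerCase(Locale.ROOT);
            if (haystack.contains("oauth") || haystack.contains("authorizationserver")) {
                System.out.printf("%-70s <- %s%n", name, declaredBy);
            }
        }
    }
}
```

Each printed line shows a bean on the left and the configuration class that contributed it on the right, so you can see directly whether the beans behind /oauth/authorize and /oauth/token come from the classes imported by @EnableAuthorizationServer, from the ones imported by OAuth2AutoConfiguration, or from both. Starting the application with the --debug flag complements this: Spring Boot's conditions evaluation report then lists which auto-configuration classes matched and why.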