SpringBoot 整合 oauth2實現 token 認證

參考地址：https://www.jianshu.com/p/19059060036b

session和token的區別：

• session是空間換時間，而token是時間換空間。session占用空間，但是可以管理過期時間，token管理部了過期時間，但是不占用空間.
• sessionId失效問題和token內包含。
• session基於cookie，app請求並沒有cookie 。
• token更加安全(每次請求都需要帶上)

Oauth2 密碼授權流程

在oauth2協議里，每一個應用都有自己的一個clientId和clientSecret（需要去認證方申請），所以一旦想通過認證，必須要有認證方下發的clientId和secret。

1. pom

       <!--security-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>

2. UserDetail實現認證第一步

MyUserDetailsService.java

    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * 根據進行登錄
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        log.info("登錄用戶名:"+username);
        String password = passwordEncoder.encode("123456");
        //User三個參數   (用戶名+密碼+權限)
        //根據查找到的用戶信息判斷用戶是否被凍結
        log.info("數據庫密碼:"+password);
        return new User(username,password, AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }

3. 獲取token的控制器

@RestController
public class OauthController {

    @Autowired
    private ClientDetailsService clientDetailsService;
    @Autowired
    private AuthorizationServerTokenServices authorizationServerTokenServices;
    @Autowired
    private AuthenticationManager authenticationManager;

    @PostMapping("/oauth/getToken")
    public Object getToken(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
        Map<String,Object>map = new HashMap<>(8);
        //進行驗證
        String header = request.getHeader("Authorization");
        if (header == null && !header.startsWith("Basic")) {
            map.put("code",500);
            map.put("message","請求投中無client信息");
            return map;
        }
        String[] tokens = this.extractAndDecodeHeader(header, request);
        assert tokens.length == 2;
        //獲取clientId 和 clientSecret
        String clientId = tokens[0];
        String clientSecret = tokens[1];
        //獲取 ClientDetails
        ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
        if (clientDetails == null){
            map.put("code",500);
            map.put("message","clientId 不存在"+clientId);
            return map;
            //判斷  方言  是否一致
        }else if (!StringUtils.equals(clientDetails.getClientSecret(),clientSecret)){
            map.put("code",500);
            map.put("message","clientSecret 不匹配"+clientId);
            return map;
        }
        //使用username、密碼進行登錄
        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(username, password);
        //調用指定的UserDetailsService，進行用戶名密碼驗證
        Authentication authenticate = authenticationManager.authenticate(authentication);
        HrUtils.setCurrentUser(authenticate);
        //放到session中
        //密碼授權 模式, 組建 authentication
        TokenRequest tokenRequest = new TokenRequest(new HashMap<>(),clientId,clientDetails.getScope(),"password");

        OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails);
        OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oAuth2Request,authentication);

        OAuth2AccessToken token = authorizationServerTokenServices.createAccessToken(oAuth2Authentication);
        map.put("code",200);
        map.put("token",token.getValue());
        map.put("refreshToken",token.getRefreshToken());
        return map;
    }

    /**
     * 解碼請求頭
     */
    private String[] extractAndDecodeHeader(String header, HttpServletRequest request) throws IOException {
        byte[] base64Token = header.substring(6).getBytes("UTF-8");

        byte[] decoded;
        try {
            decoded = Base64.decode(base64Token);
        } catch (IllegalArgumentException var7) {
            throw new BadCredentialsException("Failed to decode basic authentication token");
        }

        String token = new String(decoded, "UTF-8");
        int delim = token.indexOf(":");
        if (delim == -1) {
            throw new BadCredentialsException("Invalid basic authentication token");
        } else {
            return new String[]{token.substring(0, delim), token.substring(delim + 1)};
        }
    }
}

4. 核心配置

（1）、Security 配置類 說明登錄方式、登錄頁面、哪個url需要認證、注入登錄失敗/成功過濾器

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * 注入 自定義的  登錄成功處理類
     */
    @Autowired
    private MyAuthenticationSuccessHandler mySuccessHandler;
    /**
     * 注入 自定義的  登錄失敗處理類
     */
    @Autowired
    private MyAuthenticationFailHandler myFailHandler;

    @Autowired
    private ValidateCodeFilter validateCodeFilter;

    /**
     * 重寫PasswordEncoder  接口中的方法，實例化加密策略
     * @return 返回 BCrypt 加密策略
     */
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //在UsernamePasswordAuthenticationFilter 過濾器前 加一個過濾器 來搞驗證碼
        http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
                //表單登錄 方式
                .formLogin()
                .loginPage("/authentication/require")
                //登錄需要經過的url請求
                .loginProcessingUrl("/authentication/form")
                .passwordParameter("pwd")
                .usernameParameter("user")
                .successHandler(mySuccessHandler)
                .failureHandler(myFailHandler)
                .and()
                //請求授權
                .authorizeRequests()
                //不需要權限認證的url
                .antMatchers("/oauth/*","/authentication/*","/code/image").permitAll()
                //任何請求
                .anyRequest()
                //需要身份認證
                .authenticated()
                .and()
                //關閉跨站請求防護
                .csrf().disable();
        //默認注銷地址：/logout
        http.logout().
                //注銷之后 跳轉的頁面
                logoutSuccessUrl("/authentication/require");
    }

    /**
     * 認證管理
     *
     * @return 認證管理對象
     * @throws Exception 認證異常信息
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

（2）、認證服務器

@Configuration
@EnableAuthorizationServer
public class MyAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private MyUserDetailsService userDetailsService;




    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        super.configure(security);
    }

    /**
     * 客戶端配置（給誰發令牌）
     * @param clients
     * @throws Exception
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("internet_plus")
                .secret("internet_plus")
                //有效時間 2小時
                .accessTokenValiditySeconds(72000)
                //密碼授權模式和刷新令牌
                .authorizedGrantTypes("refresh_token","password")
                .scopes( "all");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}

@EnableResourceServer這個注解就決定了這是個資源服務器。它決定了哪些資源需要什么樣的權限。

5、測試