基於之前的文章springboot和springsecurity整合OAuth2
略有修改
1. 授權模塊修改OauthServerConfig配置文件
@Configuration
@EnableAuthorizationServer
public class OauthServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private PasswordEncoder passwordEncoder;
private String SIGNING_KEY = "salt";
//從數據庫中查詢出客戶端信息
@Bean
public JdbcClientDetailsService clientDetailsService() {
JdbcClientDetailsService jdbcClientDetailsService = new JdbcClientDetailsService(dataSource);
jdbcClientDetailsService.setPasswordEncoder(passwordEncoder);
return jdbcClientDetailsService;
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SIGNING_KEY); //對稱秘鑰,資源服務器使用該秘鑰來驗證
return converter;
}
//授權信息保存策略
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
//授權碼模式專用對象
@Bean
public AuthorizationCodeServices authorizationCodeServices() {
return new JdbcAuthorizationCodeServices(dataSource);
}
//指定客戶端登錄信息來源
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//從數據庫取數據
clients.withClientDetails(clientDetailsService());
}
//檢測token的策略
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.allowFormAuthenticationForClients() //允許form表單客戶端認證,允許客戶端使用client_id和client_secret獲取token
.checkTokenAccess("permitAll()") //對校驗token接口設置權限控制
.tokenKeyAccess("permitAll()") // 獲取token請求不進行攔截
.passwordEncoder(passwordEncoder);
}
//OAuth2的主配置信息
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.approvalStore(approvalStore())
.authenticationManager(authenticationManager)
.authorizationCodeServices(authorizationCodeServices())
.tokenStore(tokenStore())
.userDetailsService(userDetailsService)
.tokenServices(tokenService())
.allowedTokenEndpointRequestMethods(HttpMethod.POST);
}
@Bean
public AuthorizationServerTokenServices tokenService() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setClientDetailsService(clientDetailsService());
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(tokenStore());
tokenServices.setAccessTokenValiditySeconds(10800); // 令牌默認有效期2小時
tokenServices.setRefreshTokenValiditySeconds(86400); // 刷新令牌默認有效期3天
//新增對jwt配置
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(accessTokenConverter()));
tokenServices.setTokenEnhancer(tokenEnhancerChain);
return tokenServices;
}
}
2. 修改資源模塊OauthResourceConfig配置文件
@Configuration
@EnableResourceServer
public class OauthResourceConfig extends ResourceServerConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
private TokenStore tokenStore;
private String SIGNING_KEY = "salt";
/**
* 指定token的持久化策略
* 其下有 RedisTokenStore保存到redis中,
* JdbcTokenStore保存到數據庫中,
* InMemoryTokenStore保存到內存中等實現類,
* 這里我們選擇保存在數據庫中
*
* @return
*/
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SIGNING_KEY); //對稱秘鑰,資源服務器使用該秘鑰來驗證
return converter;
}
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("product_api")//指定當前資源的id,非常重要!必須寫!
.tokenStore(tokenStore) //指定保存token的方式
.stateless(true);
}
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
//指定不同請求方式訪問資源所需要的權限,一般查詢是read,其余是write。
.antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
.and()
.headers().addHeaderWriter((request, response) -> {
response.addHeader("Access-Control-Allow-Origin", "*");//允許跨域
if (request.getMethod().equals("OPTIONS")) {//如果是跨域的預檢請求,則原封不動向下傳達請求頭信息
response.setHeader("Access-Control-Allow-Methods", request.getHeader("Access-Control-Request-Method"));
response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
}
});
}
//資源服務令牌解析服務
// @Bean
// public ResourceServerTokenServices tokenService() {
// //使用遠程服務請求授權服務器校驗token,必須指定校驗token 的url、client_id,client_secret
// RemoteTokenServices service = new RemoteTokenServices();
// service.setCheckTokenEndpointUrl("http://localhost:9001/oauth/check_token");
// service.setClientId("baidu");
// service.setClientSecret("12345");
// return service;
// }
}
主要講原先的數據庫認證改為jwt認證
3. 測試
1. 生成令牌
2. 校驗令牌
3. 測試資源訪問
