1. 设置token有效期
在使用InMemoryTokenStore(token存储在内存)token生成策略时,系统默认的token的有效时间是12小时。
从oauth源码的默认token生成方法中,可以看出
public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
ConsumerTokenServices, InitializingBean {
private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // default 30 days.
private int accessTokenValiditySeconds = 60 * 60 * 12; // default 12 hours.
.............................
private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
if (validitySeconds > 0) {
token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
}
token.setRefreshToken(refreshToken);
token.setScope(authentication.getOAuth2Request().getScope());
return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
}
/**
* The access token validity period in seconds
* @param clientAuth the current authorization request
* @return the access token validity period in seconds
*/
protected int getAccessTokenValiditySeconds(OAuth2Request clientAuth) {
if (clientDetailsService != null) {
ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
Integer validity = client.getAccessTokenValiditySeconds();
if (validity != null) {
return validity;
}
}
return accessTokenValiditySeconds;
}
......................
}
从上面官方源码我们可以了解到2个事情
1. 在token对象里面包含了token的过期时间
2. ClientDetails 中的AccessTokenValiditySeconds字段可以指定token的有效期
目前我已经有一个自定义的客户端验证服务类。那么可以在验证客户端对象时,直接调用AccessTokenValiditySeconds的set方法,设置token有效期,这个时间的单位是秒
我的代码:
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import bap.core.config.util.spring.SpringContextHolder;
import bap.core.dao.BaseDao;
import bap.pp.core.config.item.domain.ConfigItem;
import bap.pp.strongbox.client.domain.ClientDetail;
/**
* 客户端身份验证
* @author Amanda.Z
*
*/
public class ClientDetailConfig implements ClientDetailsService{
private BaseDao baseDao;
public ClientDetailConfig() {
baseDao=SpringContextHolder.getBean(BaseDao.class);
}
/*
* 根据客户端clientid检查客户端有效性,如果有效,则封装为oauth2客户端对象
* @see org.springframework.security.oauth2.provider.ClientDetailsService#loadClientByClientId(java.lang.String)
*/
@Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
BaseClientDetails details=new BaseClientDetails();
ClientDetail client=(ClientDetail) this.baseDao.getUniqueResultByHql("from ClientDetail where clientName=? and deleted=0",clientId);
if(client!=null){
//设置客户端id
details.setClientId(client.getClientName());
//客户端私钥
details.setClientSecret(client.getClientSecret());
//受保护资源id
List<String> resourceList=new ArrayList<>();
resourceList.add(client.getResource().getResourceKey());
details.setResourceIds(resourceList);
//oauth2保护模式,本项目默认全部是客户端认证模式
List<String> authorizedGrantTypes=new ArrayList<>();
authorizedGrantTypes.add("client_credentials");
details.setAuthorizedGrantTypes(authorizedGrantTypes);
//客户端传入的参数
List<String> scopList=new ArrayList<>();
scopList.add("view");
scopList.add(client.getScope());
details.setScope(scopList);
//设置此客户端持有的用户组
Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
if(bap.util.StringUtil.isNotEmpty(client.getAuthoritites())){
String [] authArray=client.getAuthoritites().split(",");
for (String auth : authArray) {
auths.add(new SimpleGrantedAuthority(auth));
}
}
details.setAuthorities(auths);
//设置token有效时间,单位是秒,(如果不设置,框架内部默认是12小时,本平台设置默认2小时)
details.setAccessTokenValiditySeconds(Integer.parseInt(ConfigItem.TokenValiditySeconds.getVal()));
}
return details;
}
}
注意:这里通过ClientDail设置进去的token有效时间,只要有效时间没有过,不管这个时候,客户端是否被删除,都不会影响这个token的访问。
这个时候 ,产生了一个明显的问题,认证端管理员创建了某个客户端账户,并分配了权限,这个客户端获取了一个token,如果这个时候管理员希望把这个客户端删除,理论上应该连带这个客户端产生的token也删除。
接下来,介绍如何解决上面的问题,在自己的服务类中,删除某个客户端账户产生的token数据
首先还是先看源码,我使用的是InMemoryTokenStore,其中已经具备了删除token的方法:
public class InMemoryTokenStore implements TokenStore {
private static final int DEFAULT_FLUSH_INTERVAL = 1000;
private final ConcurrentHashMap<String, OAuth2AccessToken> accessTokenStore = new ConcurrentHashMap<String, OAuth2AccessToken>();
private final ConcurrentHashMap<String, OAuth2AccessToken> authenticationToAccessTokenStore = new ConcurrentHashMap<String, OAuth2AccessToken>();
private final ConcurrentHashMap<String, Collection<OAuth2AccessToken>> userNameToAccessTokenStore = new ConcurrentHashMap<String, Collection<OAuth2AccessToken>>();
private final ConcurrentHashMap<String, Collection<OAuth2AccessToken>> clientIdToAccessTokenStore = new ConcurrentHashMap<String, Collection<OAuth2AccessToken>>();
private final ConcurrentHashMap<String, OAuth2RefreshToken> refreshTokenStore = new ConcurrentHashMap<String, OAuth2RefreshToken>();
private final ConcurrentHashMap<String, String> accessTokenToRefreshTokenStore = new ConcurrentHashMap<String, String>();
private final ConcurrentHashMap<String, OAuth2Authentication> authenticationStore = new ConcurrentHashMap<String, OAuth2Authentication>();
private final ConcurrentHashMap<String, OAuth2Authentication> refreshTokenAuthenticationStore = new ConcurrentHashMap<String, OAuth2Authentication>();
private final ConcurrentHashMap<String, String> refreshTokenToAccessTokenStore = new ConcurrentHashMap<String, String>();
private final DelayQueue<TokenExpiry> expiryQueue = new DelayQueue<TokenExpiry>();
private final ConcurrentHashMap<String, TokenExpiry> expiryMap = new ConcurrentHashMap<String, TokenExpiry>();
private int flushInterval = DEFAULT_FLUSH_INTERVAL;
private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();
private AtomicInteger flushCounter = new AtomicInteger(0);
.............................
//从内存中清除token记录
public void removeAccessToken(OAuth2AccessToken accessToken) {
removeAccessToken(accessToken.getValue());
}
//根据clientid获取其所有token
public Collection<OAuth2AccessToken> findTokensByClientId(String clientId) {
Collection<OAuth2AccessToken> result = clientIdToAccessTokenStore.get(clientId);
return result != null ? Collections.<OAuth2AccessToken> unmodifiableCollection(result) : Collections
.<OAuth2AccessToken> emptySet();
}
//根据token值,在内存中移除这条token的记录
public void removeAccessToken(String tokenValue) {
OAuth2AccessToken removed = this.accessTokenStore.remove(tokenValue);
this.accessTokenToRefreshTokenStore.remove(tokenValue);
// Don't remove the refresh token - it's up to the caller to do that
OAuth2Authentication authentication = this.authenticationStore.remove(tokenValue);
if (authentication != null) {
this.authenticationToAccessTokenStore.remove(authenticationKeyGenerator.extractKey(authentication));
Collection<OAuth2AccessToken> tokens;
String clientId = authentication.getOAuth2Request().getClientId();
tokens = this.userNameToAccessTokenStore.get(getApprovalKey(clientId, authentication.getName()));
if (tokens != null) {
tokens.remove(removed);
}
tokens = this.clientIdToAccessTokenStore.get(clientId);
if (tokens != null) {
tokens.remove(removed);
}
this.authenticationToAccessTokenStore.remove(authenticationKeyGenerator.extractKey(authentication));
}
}
...............
}
我们看到这些remove方法,入参要求传入token的,显然我并不知道这个客户端的token的值,我只有这个客户端的对象本身,那么,再看另外的方法findTokensByClientId通过这个方法,可以由clientid获取到这个客户端所有token值,也就是说,接下来,只需要调用这个方法,遍历结果集,逐个调用remove方法移除即可。
事实上,真正坑爹的是,你得不到InMemoryTokensStrore这个类的实例对象,从Spring容器中,竟然获取不了,我试着用@autowride获取它,直接异常。这是,求助官网文档,但是连个P都没说。所以继续扣源码!!
public final class AuthorizationServerEndpointsConfigurer {
private AuthorizationServerTokenServices tokenServices;
private ConsumerTokenServices consumerTokenServices;
private AuthorizationCodeServices authorizationCodeServices;
private ResourceServerTokenServices resourceTokenServices;
private TokenStore tokenStore;
private TokenEnhancer tokenEnhancer;
private AccessTokenConverter accessTokenConverter;
private ApprovalStore approvalStore;
private TokenGranter tokenGranter;
private OAuth2RequestFactory requestFactory;
private OAuth2RequestValidator requestValidator;
private UserApprovalHandler userApprovalHandler;
private AuthenticationManager authenticationManager;
private ClientDetailsService clientDetailsService;
private String prefix;
private Map<String, String> patternMap = new HashMap<String, String>();
private Set<HttpMethod> allowedTokenEndpointRequestMethods = new HashSet<HttpMethod>();
private FrameworkEndpointHandlerMapping frameworkEndpointHandlerMapping;
private boolean approvalStoreDisabled;
private List<Object> interceptors = new ArrayList<Object>();
private DefaultTokenServices defaultTokenServices;
private UserDetailsService userDetailsService;
private boolean tokenServicesOverride = false;
private boolean userDetailsServiceOverride = false;
private boolean reuseRefreshToken = true;
private WebResponseExceptionTranslator exceptionTranslator;
......................
//记住这里先
public boolean isUserDetailsServiceOverride() {
return userDetailsServiceOverride;
}
.............
public AuthorizationServerEndpointsConfigurer userDetailsService(UserDetailsService userDetailsService) {
if (userDetailsService != null) {
this.userDetailsService = userDetailsService;
this.userDetailsServiceOverride = true;
}
return this;
}
.................
//tokenStore是InMemoryTokenStore的父类,这里是关键,我们亲爱的get方法
public TokenStore getTokenStore() {
return tokenStore();
}
那么如何获取AuthorizationServerEndpointsConfigurer,我尝试用@autowride注入我的服务类,然并卵。那么继续挖,在oauth2验证端的原始配置类中,找到了如下语句:
@Configuration
@Order(0)
@Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })
public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private List<AuthorizationServerConfigurer> configurers = Collections.emptyList();
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private AuthorizationServerEndpointsConfiguration endpoints;
@Autowired
public void configure(ClientDetailsServiceConfigurer clientDetails) throws Exception {
for (AuthorizationServerConfigurer configurer : configurers) {
configurer.configure(clientDetails);
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();
FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();
http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);
configure(configurer);
http.apply(configurer);
String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");
String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");
String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");
if (!endpoints.getEndpointsConfigurer().isUserDetailsServiceOverride()) {
UserDetailsService userDetailsService = http.getSharedObject(UserDetailsService.class);
//注意看这行代码
endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);
}
endpoints.getEndpointsConfigurer().userDetailsService(userDetailsService);看到这一行,你会明白,用这个endpoints.getEndpointsConfigurer(),你可以获取到AuthorizationServerEndpointsConfigurrer对象。那么这个endpoints这货,是怎么拿到的,是@autowride来的,他在spring容器!妥了这回!
我的客户端全部都是自定义的,有自己的服务类,所以,现在我可以在我自己的服务类中的删除客户端方法中这样写:
@Autowired
private AuthorizationServerEndpointsConfiguration endpoints;
@Transactional
public boolean delete(String[] ck_ids) {
//执行逻辑删除操作
for (String id : ck_ids) {
ClientDetail detail=this.baseDao.get(ClientDetail.class, id);
//移除这个客户端创建的所有token
InMemoryTokenStore tokenStore=(InMemoryTokenStore) endpoints.getEndpointsConfigurer().getTokenStore();
Collection<OAuth2AccessToken> tokens=tokenStore.findTokensByClientId(detail.getClientName());
if(tokens!=null&&tokens.size()>0){
for(OAuth2AccessToken accessToken:tokens){
tokenStore.removeAccessToken(accessToken);
}
}
//对客户端进行逻辑删除
detail.setDeleted(1);
this.baseDao.update(detail);
}
return true;
}
打完收工