Spring Security OAuth 2.0

Spring Security OAuth 项目已经被弃用了，停止维护...
在 2020/04/15 这天，Spring 团队又宣布新起《Spring Authorization Server》项目，以继续提供对 Spring 授权服务器的支持...

1、OAuth 2.0 中的提供者角色实际上分为授权服务和资源服务，虽然它们有时驻留在同一个应用程序中，但使用 Spring Security OAuth，您可以选择将它们拆分为两个应用程序，也可以让多个资源服务共享授权服务。

2、OAuth四种模式
● 授权码模式（authorization code）
● 简化模式（implicit)
● 密码模式（resource owner password credentials）
● 客户端模式（client credentials）

3、UAA核心三个配置【AuthorizationServerConfigurerAdapter】
@EnableAuthorizationServer注解被用来配置授权服务器
ClientDetailServiceConfigurerr：配置客户端详情服务（ClientDetailsService）
AuthorizationServerEndpointsConfigurer：配置令牌端点的安全约束
AuthorizationServerSecurityConfigurer：配置令牌（token）的访问短点和令牌服务（tokenService）

4、令牌请求由 Spring MVC 控制器端点处理，对受保护资源的访问由标准 Spring Security 请求过滤器处理。为了实现 OAuth 2.0 授权服务器，Spring Security 过滤器链中需要以下端点：

AuthorizationEndpoint用于服务授权请求。默认网址：http://localhost:8080/oauth/authorize
TokenEndpoint用于服务访问令牌的请求。默认网址：http://localhost:8080/oauth/token

5、客户端模式 client_credentials
客户端向授权服务器发送自己的身份信息，请求令牌access_token
http://localhost:8080/oauth/token?client_id=client&client_secret=secret&grant_type=client_credentials
Postman 请求


6、密码模式
http://localhost:8080/oauth/token?client_id=client&client_secret=secret&grant_type=password&username=admin&password=123456
*
7、简化模式
1、http://localhost:8080/login 输入账号密码
2、再次输入如下地址，获取token
http://localhost:8080/oauth/authorize?response_type=token&client_id=client&redirect_uri=http://example.com&scope=write 
地址栏重定向如下
http://example.com/#access_token=2820363f-2e2f-4485-8892-64683895675e&token_type=bearer&expires_in=3512
*
8、授权码模式
1、http://localhost:8080/login 输入账号密码
2、再次输入如下地址，获取code
http://localhost:8080/oauth/authorize?response_type=code&client_id=client&redirect_uri=http://example.com&scope=write
地址栏重定向如下
http://example.com/?code=n9WlYp 
3、http://localhost:8080/oauth/token?grant_type=authorization_code&client_id=client_id_1&client_secret=123456&redirect_uri=http://example.com&code=n9WlYp

9、pom.xml 添加依赖

<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.1.11.RELEASE</version>
</dependency>
<!--引入security对oauth2的支持-->
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.3.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>

10、OAuth2AuthorizationServer.java 授权服务配置类
ClientDetailsServiceConfigurer：配置客户端详情服务（ClientDetailsService）
AuthorizationServerSecurityConfigurer：配置令牌（token）的访问短点和令牌服务（tokenService）
AuthorizationServerEndpointsConfigurer：配置令牌端点的安全约束

package com.example.demosecurity0218.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@Configuration
@EnableAuthorizationServer
public class MyAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthorizationCodeServices authorizationCodeServices;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private JwtAccessTokenConverter accessTokenConverter;

    // 1. 配置客户端
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                // 添加一个client配置,指定其client_id
                .withClient("client_1")
                // 指定客户端的密码/安全码
                .secret(new BCryptPasswordEncoder().encode("secret"))
                // 指定客户端所能访问资源id清单，此处的资源id是需要在具体的资源服务器上也配置一样
                .resourceIds("salary")
                .authorizedGrantTypes("authorization_code", "password", "implicit","client_credentials","refresh_token")
                // 客户端的权限范围，此处配置为all全部即可
                .scopes("all")
                // 跳转到授权页面
                .autoApprove(false)
                // 回调地址
                .redirectUris("http://www.baidu.com");
    }

    // 2. 配置令牌访问端点
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
                // 指定认证管理器，随后注入一个到当前类使用即可
                .authenticationManager(authenticationManager)
                // 密码模式用户信息管理
                .userDetailsService(userDetailsService)
                // 授权码服务
                .authorizationCodeServices(authorizationCodeServices)
                .authorizationCodeServices(new InMemoryAuthorizationCodeServices())
                // token服务的一个描述，可以认为是token生成细节的描述，比如有效时间多少等
                .tokenServices(tokenServices())
                // 指定token的存储方法
                .tokenStore(tokenStore)
                .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }

    // 3. 配置令牌端点的安全策略
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
                // 开启端口/oauth/token_key的访问权限（允许）
                .tokenKeyAccess("permitAll()")
                // 开启端口/oauth/check_token的访问权限（允许）
                .checkTokenAccess("permitAll()")
                // 允许客户端表单认证,申请令牌
                .allowFormAuthenticationForClients();
    }

    /**
     * 该方法用户获取一个token服务对象（该对象描述了token有效期等信息）
     */
    public AuthorizationServerTokenServices tokenServices() {
        // 使用默认实现
        DefaultTokenServices services = new DefaultTokenServices();
        services.setClientDetailsService(clientDetailsService);
        // 开启令牌自动刷新
        services.setSupportRefreshToken(true);
        // 令牌存储策略-内存
        //services.setTokenStore(tokenStore());
        services.setTokenStore(tokenStore);
        // 使用 JWT令牌
        services.setTokenEnhancer(accessTokenConverter);
        // 设置令牌有效时间（一般设置为2个小时），当前设置5秒钟
        services.setAccessTokenValiditySeconds(300);
        // 设置刷新令牌的有效时间 3天
        services.setRefreshTokenValiditySeconds(259200);

        return services;
    }
}

*
11、SecurityConfig.java

package com.example.demosecurity0218.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@Configuration
@EnableWebSecurity
//@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
//@Order(-1)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String SIGN_KEY = "UAA";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("admin").password(passwordEncoder().encode("123")).roles("ADMIN")
                .and()
                .withUser("user").password(passwordEncoder().encode("123")).roles("USER")
                .and()
                .withUser("king").password(passwordEncoder().encode("123")).roles("USER", "ADMIN");;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    // 从父类加载认证管理器
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Bean
    public AuthorizationCodeServices authorizationCodeServices(){
        return new InMemoryAuthorizationCodeServices();
    }

    @Bean
    public UserDetailsService userDetailsService(){
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                return null;
            }
        };
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter(){
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SIGN_KEY);
        return converter;
    }
}

postman获取token：
http://localhost:8080/oauth/token


检查token
http://localhost:8080/oauth/check_token

*
*
*