Spring Cloud Gateway(四)

已于 2022-09-20 09:17:03 修改
阅读量300 收藏
点赞数
分类专栏: Spring Cloud Oauth2 文章标签: java spring cloud spring boot
于 2022-09-15 11:41:51 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/endswell/article/details/126843272
版权

Spring Cloud Gateway(四)

什么是OAuth

在这里插入图片描述

涉及相关角色

  • Client: 客户
  • gateway-sertvice: 网关服务,转发,验证,鉴权
  • oauth2-service: 授权服务,颁发令牌
  • product-service: 资源服务

流程方案

  1. 客户向gateway-service 请求访问令牌;
  2. gateway-service 将请求转发到 授权服务 oauth2-service;
  3. 授权服务验证成功,颁发令牌;
  4. 客户携带令牌向gateway-service 请求访问的特定资源;
  5. gateway-service 验证令牌及访问权限,成功则转发到相关资源服务获取资源。

oauth-service

新增授权服务

<artifactId>oauth2-service</artifactId>

<properties>
    <maven.compiler.source>11</maven.compiler.source>
    <maven.compiler.target>11</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
      </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
    </dependency>
    <dependency>
        <groupId>pr.iceworld.fernando</groupId>
        <artifactId>common-entity</artifactId>
        <version>0.0.1</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-loadbalancer</artifactId>
    </dependency>
    <dependency>
        <groupId>com.alibaba.cloud</groupId>
        <artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
    </dependency>
    <!--
        引入 caffeine 解决 不能启用 cache功能
        caffeine, spring-context-support
        当客户的调用服务 lb://ServiceName 时 会导致 LoadBalancerCacheManager not available, returning delegate without caching.
    -->
    <dependency>
        <groupId>com.github.ben-manes.caffeine</groupId>
        <artifactId>caffeine</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-support</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-sleuth</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-zipkin</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-stream-binder-rabbit</artifactId>
    </dependency>
    <dependency>
        <groupId>cn.hutool</groupId>
        <artifactId>hutool-core</artifactId>
    </dependency>
</dependencies>

server:
  port: 9011
spring:
  application:
    name: oauth2-service
  zipkin:
    base-url: http://192.168.79.8:9411
    sender:
      type: rabbit
  sleuth:
    sampler:
      # 全部采样
      probability: 1.0
  rabbitmq:
    host: 192.168.79.8
    port: 5672
    username: admin
    password: admin
  cloud:
    nacos:
      discovery:
        server-addr: 192.168.79.8:9999
        service: ${spring.application.name}
        group: provider-consumer
  jackson:
    date-format: yyyy-MM-dd HH:mm:ss
  redis:
    port: 6379
    host: 192.168.79.8

management:
  endpoints:
    web:
      exposure:
        include: "*"


$ keytool -genkey -keystore jwt_test.keystore -keypass tester -storepass tester -alias jwt_test -keyalg RSA -validity 365 -dname "CN=fernando, OU=iceworld, O=iceworld, L=GZ, ST=GD, C=CN"

Keytool 是一个Java 数据证书的管理工具 ,Keytool 将密钥(key)和证书(certificates)存在一个称为keystore的文件中。
在keystore里,包含两种数据:

  • 密钥实体(Key entity)——密钥(secret key)又或者是私钥和配对公钥(采用非对称加密)
  • 可信任的证书实体(trusted certificate entries)——只包含公钥

keytool -genkey -keystore jwt_test.keystore -keypass tester -storepass tester -alias jwt_test -keyalg RSA -validity 365 "CN=(名字与姓氏), OU=(组织单位名称), O=(组织名称), L=(城市或区域名称), ST=(州或省份名称), C=(单位的两字母国家代码)"

将生成的密钥证书文件放入oauth2-service/src/main/resources/jwt_test.keystore

@EnableWebSecurity
// 开启授权服务
@EnableAuthorizationServer
@EnableDiscoveryClient
@SpringBootApplication
public class Oauth2MainApplication {
	// ...
}

redis 配置

@Configuration
public class RedisConfig {

    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory connectionFactory) {
        RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
        redisTemplate.setConnectionFactory(connectionFactory);
        StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
        redisTemplate.setKeySerializer(stringRedisSerializer);
        redisTemplate.setHashKeySerializer(stringRedisSerializer);
        Jackson2JsonRedisSerializer<?> jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer<>(Object.class);
        redisTemplate.setValueSerializer(jackson2JsonRedisSerializer);
        redisTemplate.setHashValueSerializer(jackson2JsonRedisSerializer);
        redisTemplate.afterPropertiesSet();
        return redisTemplate;
    }
}

@Component
@AllArgsConstructor
@Slf4j
public class RedisUtils {
    private final RedisTemplate<String, Object> redisTemplate;
    
    public Object get(String key) {
        return key == null ? null : redisTemplate.opsForValue().get(key);
    }

    public boolean set(String key, Object value) {
        try {
            redisTemplate.opsForValue().set(key, value);
            return true;
        } catch (Exception e) {
            log.error("{}", e);
            return false;
        }
    }
}

/**
 * jwt 内容增强器
 */
@Component
public class JwtTokenEnhancer implements TokenEnhancer {
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        UserPrincipal userPrincipal = (UserPrincipal) authentication.getPrincipal();
        Map<String, Object> additionalInformation = new HashMap();
        additionalInformation.put("id", userPrincipal.getId());
        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInformation);
        return accessToken;
    }
}

Jwt 配置
JWT 令牌值和 OAuth 身份验证信息(双向)之间转换的助手。授予令牌时还充当TokenEnhancer

@Configuration
public class JwtConfig {
    @Bean
    public JwtAccessTokenConverter accessTokenConverter(@Qualifier("keyPair") KeyPair keyPair) {
        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setKeyPair(keyPair);
        return jwtAccessTokenConverter;
    }

    @Bean
    public KeyPair keyPair() {
        // 从classpath下的证书中获取秘钥对
        KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("jwt_test.keystore"), "tester".toCharArray());
        return keyStoreKeyFactory.getKeyPair("jwt_test", "tester".toCharArray());
    }
}

使用单个密钥创建新的 JSON Web Key (JWK) 集合,暴露给外部服务器

@RestController
public class KeyPairController {

    @Resource
    private KeyPair keyPair;

    @GetMapping("/rsa/publicKey")
    public Map<String, Object> getKey() {
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAKey key = new RSAKey.Builder(publicKey).build();
        return new JWKSet(key).toJSONObject();
    }
}

/**
 * 允许获取公钥接口的访问
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
                .antMatchers("/rsa/publicKey").permitAll()
                .anyRequest().authenticated()
                .and().formLogin().permitAll();
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

@Data
@EqualsAndHashCode(callSuper = false)
@AllArgsConstructor
@NoArgsConstructor
@Builder(toBuilder = true)
public class UserDto {
    private Long id;
    private String username;
    private String password;
    private Integer status;
    private List<String> roles;
}

重要用户数据,适配 Spring security UserDetailsService

@Data
public class UserPrincipal implements UserDetails {
    /**
     * ID
     */
    private Long id;
    /**
     * 用户名
     */
    private String username;
    /**
     * 用户密码
     */
    private String password;
    /**
     * 用户状态
     */
    private Boolean enabled;
    /**
     * 权限数据
     */
    private Collection<SimpleGrantedAuthority> authorities;

    public UserPrincipal(UserDto userDto) {
        this.setId(userDto.getId());
        this.setUsername(userDto.getUsername());
        this.setPassword(userDto.getPassword());
        this.setEnabled(userDto.getStatus() == 1);
        if (userDto.getRoles() != null) {
            authorities = new ArrayList<>();
            userDto.getRoles().forEach(item -> authorities.add(new SimpleGrantedAuthority(item)));
        }
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return this.enabled;
    }
}

通过用户名获取数据,实现 UserDetailsService

@Service
public class UserService implements UserDetailsService {

    private List<UserDto> userList;
    @Resource
    private PasswordEncoder passwordEncoder;

    @PostConstruct
    public void initData() {
        String password = passwordEncoder.encode("123456");
        userList = new ArrayList<>();
        userList.add(new UserDto(1L,"admin", password,1, Arrays.asList("ADMIN")));
        userList.add(new UserDto(2L,"fernando", password,1, Arrays.asList("NORMAL")));
        userList.add(new UserDto(3L,"normal", password,1, Arrays.asList("NORMAL")));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<UserDto> findUserList = userList.stream().filter(item -> item.getUsername().equals(username)).collect(Collectors.toList());
        if (CollectionUtils.isEmpty(findUserList)) {
            throw new UsernameNotFoundException(MessageConst.USERNAME_PASSWORD_ERROR);
        }
        UserPrincipal securityUser = new UserPrincipal(findUserList.get(0));
        if (!securityUser.isEnabled()) {
            throw new DisabledException(MessageConst.ACCOUNT_DISABLED);
        } else if (!securityUser.isAccountNonLocked()) {
            throw new LockedException(MessageConst.ACCOUNT_LOCKED);
        } else if (!securityUser.isAccountNonExpired()) {
            throw new AccountExpiredException(MessageConst.ACCOUNT_EXPIRED);
        } else if (!securityUser.isCredentialsNonExpired()) {
            throw new CredentialsExpiredException(MessageConst.CREDENTIALS_EXPIRED);
        }
        return securityUser;
    }
}

/**
 * 认证服务器配置
 * 加载用户信息的服务UserService及RSA的钥匙对KeyPair
 */
@Configuration
@AllArgsConstructor
public class Oauth2ServerConfig extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder;
    private final UserService userDetailsService;
    private final AuthenticationManager authenticationManager;
    private final JwtTokenEnhancer jwtTokenEnhancer;
    private final JwtAccessTokenConverter jwtAccessTokenConverter;

    /**
     * 客户端服务配置
     * @param clients the client details configurer
     * @throws Exception
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("397b0b6e-4e20-4fa4-99b7-513d7618290c")
                .secret(passwordEncoder.encode("123456"))
                .scopes("all")
                .authorizedGrantTypes("password", "refresh_token")
                .accessTokenValiditySeconds(7200)
                .refreshTokenValiditySeconds(86400);
    }

    /**
     * 授权服务端配置
     * @param endpoints the endpoints configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
        List<TokenEnhancer> delegates = new ArrayList();
        delegates.add(jwtTokenEnhancer);
        delegates.add(jwtAccessTokenConverter);
        // 配置JWT的内容增强器
        enhancerChain.setTokenEnhancers(delegates);
        endpoints.authenticationManager(authenticationManager)
                // 配置加载用户信息的服务
                .userDetailsService(userDetailsService)
                .accessTokenConverter(jwtAccessTokenConverter)
                .tokenEnhancer(enhancerChain);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.allowFormAuthenticationForClients();
    }

授权可访问的服务

@Service
public class ResourceService {
    private Map<String, List<String>> resourceRoles;
    @Resource
    private RedisUtils redisUtils;

    @PostConstruct
    public void initData() {
        resourceRoles = new TreeMap<>();
        resourceRoles.put("/api/productServ/products", Arrays.asList("ADMIN"));
        resourceRoles.put("/api/productServ/products/*", Arrays.asList("ADMIN"));
        resourceRoles.put("/api/productServ/productCategories", Arrays.asList("ADMIN", "NORMAL"));
        resourceRoles.put("/api/productServ/productCategories/*", Arrays.asList("ADMIN", "NORMAL"));

        redisUtils.set(RedisConst.RESOURCE_ROLES, resourceRoles);
    }
}

gateway-service

引入 jwt, oauth 等依赖包

<dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
   </dependency>
   <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-config</artifactId>
   </dependency>
   <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-oauth2-resource-server</artifactId>
   </dependency>
   <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-oauth2-client</artifactId>
   </dependency>
   <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-oauth2-jose</artifactId>
   </dependency>
   <dependency>
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
   </dependency>
   <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-data-redis</artifactId>
   </dependency>
   <dependency>
       <groupId>pr.iceworld.fernando</groupId>
       <artifactId>common-entity</artifactId>
       <version>0.0.1</version>
   </dependency>
   <dependency>
       <groupId>com.alibaba</groupId>
       <artifactId>fastjson</artifactId>
   </dependency>

spring:
  application:
    name: gateway-service
  zipkin:
    base-url: http://192.168.79.8:9411
    sender:
      type: rabbit
  sleuth:
    sampler:
      # 全部采样
      probability: 1.0
  rabbitmq:
    host: 192.168.79.8
    port: 5672
    username: admin
    password: admin
  cloud:
    nacos:
      discovery:
        server-addr: 192.168.79.8:9999
        service: ${spring.application.name}
        group: provider-consumer
    gateway:
      routes:
        - id: user-route
          uri: lb://user-service
          predicates:
            - Path=/api/userServ/**
          filters:
            - StripPrefix=2
        - id: product-route
          uri: lb://product-service
          predicates:
            - Path=/api/productServ/**
          filters:
            - StripPrefix=2
        - id: order-route
          uri: lb://order-service
          predicates:
            - Path=/api/orderServ/**
          filters:
            - StripPrefix=2
        - id: oauth2-route
          uri: lb://oauth2-service
          predicates:
            - Path=/api/authServ/**
          filters:
            - StripPrefix=2
    sentinel:
      eager: true
      transport:
        port: 8719
        dashboard: 127.0.0.1:18182
        client-ip: localhost
      enabled: true
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:9011/rsa/publicKey
  redis:
    host: 192.168.79.8
    port: 6379

ignore:
  urls:
    - "/actuator/**"
    - "/api/authServ/oauth/token"
    - "/api/orderServ/**"
    - "/zipkin/**"
    - "/nacos/**"

management:
  endpoints:
    gateway:
      enabled: true
    web:
      exposure:
        include: "*"

配置白名单

@Data
@EqualsAndHashCode(callSuper = false)
@Component
@ConfigurationProperties(prefix="ignore")
public class IgnoreUrlsConfig {
    private List<String> urls;
}

Redis 设置

@Configuration
@EnableRedisRepositories
public class RedisRepositoryConfig {

    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory connectionFactory) {
        RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
        redisTemplate.setConnectionFactory(connectionFactory);
        StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
        redisTemplate.setKeySerializer(stringRedisSerializer);
        redisTemplate.setHashKeySerializer(stringRedisSerializer);
        Jackson2JsonRedisSerializer<?> jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer<>(Object.class);
        redisTemplate.setValueSerializer(jackson2JsonRedisSerializer);
        redisTemplate.setHashValueSerializer(jackson2JsonRedisSerializer);
        redisTemplate.afterPropertiesSet();
        return redisTemplate;
    }
}

/**
 * 令牌过期,失效异常处理
 */
@Component
public class RestAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
    @Override
    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
        String body= JSONObject.toJSONString(ResultData.unauthorized(e.getMessage()));
        DataBuffer buffer =  response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
        return response.writeWith(Mono.just(buffer));
    }
}

/**
 * 无权访问异常处理
 */
@Component
public class RestfulAccessDeniedHandler implements ServerAccessDeniedHandler {

    @Override
    public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
        String body= JSONObject.toJSONString(ResultData.forbidden(denied.getMessage()));
        DataBuffer buffer =  response.bufferFactory().wrap(body.getBytes(Charset.forName("UTF-8")));
        return response.writeWith(Mono.just(buffer));
    }
}

/**
 * 鉴权管理器,用于判断是否有资源的访问权限
 */
@Component
public class AuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
     @Resource
    private RedisUtils redisUtils;

    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
        //从Redis中获取当前路径可访问角色列表
        URI uri = authorizationContext.getExchange().getRequest().getURI();
        Object obj = redisUtils.get(RedisConst.RESOURCE_ROLES);
        Map<String, List<String>> values = (Map<String, List<String>>) obj;
        PathMatcher pathMatcher = new AntPathMatcher();
        List<String> authorities = null;
        for (Map.Entry<String, List<String>> me: values.entrySet()) {
            if (pathMatcher.match(me.getKey(), uri.getPath())) {
                authorities = me.getValue();
            }
        }

        authorities = authorities.stream().map(e -> AuthConst.AUTHORITY_PREFIX + e).collect(Collectors.toList());
        // 认证通过且角色匹配的用户可访问当前路径
        return mono
                .filter(Authentication::isAuthenticated)
                // 获取认证后的全部权限
                .flatMapIterable(Authentication::getAuthorities)
                .map(GrantedAuthority::getAuthority)
                .any(authorities::contains)
                .map(AuthorizationDecision::new)
                .defaultIfEmpty(new AuthorizationDecision(false));
    }
}

/**
 * 资源服务器配置
 */
@AllArgsConstructor
@Configuration
public class ResourceServerConfig {
    private final AuthorizationManager authorizationManager;
    private final IgnoreUrlsConfig ignoreUrlsConfig;
    private final RestfulAccessDeniedHandler restfulAccessDeniedHandler;
    private final RestAuthenticationEntryPoint restAuthenticationEntryPoint;
    private final AuthorizationWhiteList2RemoveJwtFilter authorizationWhiteList2RemoveJwtFilter;
    
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(
            ServerHttpSecurity http,
            @Qualifier("jwtAuthenticationConverter") Converter jwtAuthenticationConverter) {
        http.oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter);
        // 对白名单路径,直接移除JWT请求头
        http.addFilterBefore(authorizationWhiteList2RemoveJwtFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                .authorizeExchange()
                // url白名单
                .pathMatchers(ignoreUrlsConfig.getUrls().toArray(new String[0])).permitAll()
                .anyExchange()
                // 鉴权管理
                .access(authorizationManager)
                .and()
                .exceptionHandling()
                // 未被授权
                .accessDeniedHandler(restfulAccessDeniedHandler)
                // 配置应用程序请求身份验证时要执行的操作
                .authenticationEntryPoint(restAuthenticationEntryPoint)
                .and()
                // 禁用 CSRF
                .csrf().disable();
        return http.build();
    }

    @Bean
    public Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthorityPrefix(AuthConst.AUTHORITY_PREFIX);
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(AuthConst.AUTHORITY_CLAIM_NAME);
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
        return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
    }
 }

设置全局过滤器,方便后续服务可以定位到当前是哪个用户

@Component
@Slf4j
public class AuthGlobalFilter implements GlobalFilter, Ordered {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String token = exchange.getRequest().getHeaders().getFirst("Authorization");
        if (StringUtils.isEmpty(token)) {
            return chain.filter(exchange);
        }
        try {
            //从token中解析用户信息并设置到Header中去
            String realToken = token.replace("Bearer ", "");
            JWSObject jwsObject = JWSObject.parse(realToken);
            String userStr = jwsObject.getPayload().toString();
            log.info("AuthGlobalFilter#filter() user:{}", userStr);
            ServerHttpRequest request = exchange.getRequest().mutate().header("user", userStr).build();
            exchange = exchange.mutate().request(request).build();
        } catch (ParseException e) {
            log.error(e.getMessage());
        }
        return chain.filter(exchange);
    }

    @Override
    public int getOrder() {
        return 0;
    }
}

@Component
public class AuthorizationWhiteList2RemoveJwtFilter implements WebFilter {
    @Resource
    private IgnoreUrlsConfig ignoreUrlsConfig;
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        URI uri = request.getURI();
        PathMatcher pathMatcher = new AntPathMatcher();
        //白名单路径移除JWT请求头
        List<String> ignoreUrls = ignoreUrlsConfig.getUrls();
        for (String ignoreUrl : ignoreUrls) {
            if (pathMatcher.match(ignoreUrl, uri.getPath())) {
                request = exchange.getRequest().mutate().header("Authorization", "").build();
                exchange = exchange.mutate().request(request).build();
                return chain.filter(exchange);
            }
        }
        return chain.filter(exchange);
    }
}

验证,获取access_token

POST /api/authServ/oauth/token HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

grant_type=password&client_id=397b0b6e-4e20-4fa4-99b7-513d7618290c&client_secret=123456&username=admin&password=123456

返回

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hb...",
    "expires_in": 59,
    "scope": "all",
    "id": 1,
    "jti": "10396d06-f30f-437b-903c-716486e5f9ec"
}

access_token 失效后,使用 refresh_token 获取新的token

POST /api/authServ/oauth/token HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 789

grant_type=refresh_token&client_id=397b0b6e-4e20-4fa4-99b7-513d7618290c&client_secret=123456&refresh_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...

返回

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXV...",
    "expires_in": 59,
    "scope": "all",
    "id": 1,
    "jti": "7c3af89c-9fdb-42b2-b50b-3bbba2bcc10c"
}
endswel
关注
专栏目录
springboot之本地缓存(guava与caffeine
软件老王
10-11 1564
1. 场景描述 因项目要使用本地缓存,具体为啥不用redis等,就不讨论,记录下过程,希望能帮到需要的朋友。 2.解决方案 2.1 使用google的guava作为本地缓存 初步的想法是使用google的guava,因为本身项目中就有guava的denpency。 2.1.1 pom文件 需要3个dependency,如下: <!--软件老王 1--> <dependen...
springcloud gateway 全局过滤器统一签名判定.doc
12-01
Spring Cloud Gateway中,全局过滤器(Global Filter)是一种强大的机制,用于在请求路由到具体的服务之前或之后执行通用的处理逻辑。在这个场景中,我们关注的是如何利用全局过滤器来实现统一的签名验证,这在...
本地缓存之王,Caffeine 保姆级教程
芋艿V
12-02 163
???? 这是一个或许对你有用的社群???? 一对一交流/面试小册/简历优化/求职解惑,欢迎加入「芋道快速开发平台」知识星球。下面是星球提供的部分资料:《项目实战(视频)》:从书中学,往事上“练”《互联网高频面试题》:面朝简历学习,春暖花开《架构 x 系统设计》:摧枯拉朽,掌控面试高频场景题《精进 Java 学习指南》:系统学习,互联网主流技术栈《必读 Java 源码专栏》:知其然,知其所以然????这是一个或许...
SpringCloudGateway
wyy的博客
04-07 882
文章目录SpringCloudGateway起步消费端整合SpringCloudGateway静态路由配置 SpringCloudGateway起步 SpringCloudGateway是一个微服务的组件,所以如果要想去使用它就必须自己手工创建微服务的项目,同时肯定要有专属的微服务的依赖库,那么下面就直接开整。 1、【microcloud项目】创建一个新的子模块,模块的名称定义为“gateway-9501" 2、【microcloud项目】修改build.gradle配置文件,为gateway-9501
学习:使用 SpringCloud 配置 nacos,feign,gateway
RanSelf的博客
07-10 619
使用 SpringCloud 配置 nacos,feign,gateway
SpringCloud--Gateway解析
最新发布
qq_33807380的博客
02-06 2272
GatewaySpring Cloud官方推出的第二代微服务网关,它旨在提供统一的路由方式以及为微服务应用提供强大的负载均衡能力。与第一代Spring Cloud Netflix Zuul相比,Spring Cloud Gateway在性能、可扩展性、易用性等方面都有了显著的提升。基于Spring BootSpring Cloud 开发,支持RESTful和WebSocket;支持通过Feign或RestTemplate进行服务调用;支持负载均衡、熔断、限流等操作;
spring cloud gateway整合sentinel实现网关限流
08-25
Spring Cloud Gateway 是一款基于 Spring Framework 5 和 Spring Boot 2 设计的云应用入口网关。它提供了诸如路由、过滤器、动态路由等高级功能,是微服务架构中常见的组件。Sentinel 是阿里巴巴开源的一款流量控制...
Spring Cloud Gateway重试机制的实现
08-26
Spring Cloud Gateway重试机制的实现 Spring Cloud Gateway重试机制是指在调用Http接口时,遇到失败的情况下,通过重试的方式重新请求接口,以提高系统的可靠性和稳定性。重试机制在生活中也有很多类似的事例,例如...
Spring cloud gateway工作流程原理解析
08-19
Spring Cloud Gateway 工作流程原理解析 Spring Cloud Gateway 是一种基于 Spring BootSpring WebFlux 构建的 API 网关,提供了访问控制、路由、安全性、监控和其他功能。Gateway 工作流程是指从客户端请求到...
springcloud下通过gateway转发websocket
07-14
在IT行业中,Spring Cloud Gateway作为Spring Cloud生态体系中的一个关键组件,被广泛用于构建微服务架构中的API网关。这个框架允许我们集中处理各种请求,包括路由、过滤、安全等,极大地简化了服务间的通信。而...
新一代缓存Caffeine,速度确实比Guava的Cache快
小姐姐味道
07-04 1649
不羡鸳鸯不羡仙,一行代码调半天。原创:小姐姐味道(微信公众号ID:xjjdog),欢迎分享,转载请保留出处。我想把记忆缓存起来,等再次见到你,就能够很快认出你。能够说出这么有哲理的话,得...
Spring Cloud实战 | 第六篇:Spring Cloud Gateway + Spring Security OAuth2 + JWT实现微服务统一认证授权鉴权
竹林幽深
10-07 4292
https://blog.51cto.com/u_12386660/4903483
Spring Cloud Feign--解决spring-cloud-loadbalancer的缓存警告
IT利刃出鞘的博客
05-04 1万+
本文解决spring-cloud-loadbalancer的缓存相关的警告。
spring集成caffeine缓存
weixin_39478044的博客
04-02 2475
1,官网wiki caffeine官网链接 2,api api help 3,引入pom依赖,注意caffeine版本,如果springboot版本太低引入高版本caffeine会报错 倾向于只使用caffeine提供的pom,不用springboot集成的 cache start,如下 <!--caffeine本地缓存--> <dependency> <groupId>com.github.ben-m
JWT Token、ID Token、Access Token、Refresh Token
乌龟的专栏
02-22 7749
JWT Token、ID Token、Access Token、Refresh Token
Caffeine (史上最全)
热门推荐
架构师尼恩
02-08 3万+
备注: 文章很长,建议收藏起来,慢慢读! 并且,持续更新中… 架构师 尼恩 为您推荐 高薪必备 : 《Netty Zookeeper Redis 高并发实战》 为你打造NIO、Netty 高性能底层原理知识底座 高薪必备 : 《SpringCloud、Nginx高并发核心编程》 为你打造微服务、分布式 高并发底层原理知识底座 高薪必备 :价值 1000元网盘资源大礼包,免费拿 【博客园总入口 】 Caffeine简介 在本文中,我们来看看 Caffeine — 一个高性能的 Java
SpringCloudSpringBoot2.0 整合Oauth2 () 配置文件快速配置url过滤
秦学强
02-28 2213
SpringBoot2.0 整合Oauth2 () 配置文件快速配置url过滤 文章目录SpringBoot2.0 整合Oauth2 () 配置文件快速配置url过滤1、添加url过滤配置2、添加配置类3、配置资源服务器相关链接SpringCloudSpringBoot2.0 整合Oauth2 (一) 基本配置SpringCloudSpringBoot2.0 整合Oauth2 (二) 自定...
oauth2 绕过登录认证即可调取接口
weixin_43839457的博客
03-04 5274
最近公司想开发官网,之前的项目使用oauth2,所有接口都需要登录认证。官网接口空顶无法登录后再调取,所以想开放某些接口用于首页直接使用。
微服务权限解决方案,Cloud Gateway+Oauth2实现统一认证和鉴权
一入Java深似海
07-09 2万+
最近发现了一个很好的微服务权限解决方案,可以通过认证服务进行统一认证,然后通过网关来统一校验认证和鉴权。此方案为目前最新方案,仅支持Spring Boot 2.2.0、Spring Cloud Hoxton 以上版本,本文将详细介绍该方案的实现,希望对大家有所帮助! 前置知识 我们将采用Nacos作为注册中心,Gateway作为网关,使用nimbus-jose-jwtJWT库操作JWT令牌 应用架构 我们理想的解决方案应该是这样的,认证服务负责认证,网关负责校验认证和鉴权,其他API服务负.
SpringCloud Gateway应用案例深度解析
资源摘要信息:"Spring Cloud GatewaySpring Cloud官方的下一代API网关解决方案,与Spring Cloud Zuul的性能和功能相媲美。Spring Cloud Gateway旨在提供一种简单而有效的方式来路由到API,并为它们提供横切关注点...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值