1. pom文件 依赖引入
<?xml version="1.0" encoding="UTF-8"?>
<!-- Build for the OAuth2 demo: Spring Boot 2.3.9 parent, Spring Cloud Hoxton.SR10 BOM
     (spring-cloud-starter-oauth2), JDBC + MySQL for the client/token tables, Lombok,
     and the Boot test starter (JUnit 4 vintage engine excluded). -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.9.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.tegic</groupId>
<artifactId>oauth2demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>oauth2demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
<!-- NOTE(review): Spring Boot 2.3.x and the Hoxton release train are no longer maintained
     lines; plan an upgrade before using this beyond a demo so security fixes are still received. -->
<spring-cloud.version>Hoxton.SR10</spring-cloud.version>
</properties>
<dependencies>
<!-- JDBC support: the DataSource injected into AuthServerConfig / ResourceServerConfig comes from here. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<!-- MySQL driver; version managed by the Boot parent. -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Brings in Spring Security OAuth (spring-security-oauth2), which supplies the
     AuthorizationServerConfigurerAdapter / ResourceServerConfigurerAdapter used below.
     NOTE(review): that project has reached end of life; new work should target
     Spring Authorization Server and Spring Security's built-in resource-server support. -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
</dependencies>
<!-- Spring Cloud BOM: pins the version of every org.springframework.cloud artifact above. -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<!-- Explicit plugin version is redundant with the Boot parent but harmless; keep it in sync with <parent>. -->
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>2.3.9.RELEASE</version>
</plugin>
</plugins>
</build>
</project>
2. 授权服务器配置文件
package org.tegic.oauth2demo.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import javax.sql.DataSource;
/**
* @author JiangTeJie
* @since 2021/3/25 15:25
*/
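@Configuration
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    // NOTE(review): this adapter is only picked up when @EnableAuthorizationServer is present
    // somewhere in the context (e.g. on the application class, which is not shown here) - confirm.

    /** Shared DataSource: both the client registry and the token store read from it. */
    @Autowired
    private DataSource dataSource;

    /** Must be the same encoder that was used to write client_secret into oauth_client_details. */
    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Backs the token endpoints with a JDBC token store (oauth_access_token, and
     * oauth_refresh_token when refresh tokens are issued).
     *
     * NOTE(review): no AuthenticationManager is set on the endpoints, so the "password" grant
     * cannot be served by this configuration as written; only client-authenticated grants
     * (authorization_code, client_credentials, refresh_token) will work - confirm that is intended.
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(new JdbcTokenStore(dataSource));
    }

    /** Clients are loaded from oauth_client_details; secrets are compared with passwordEncoder. */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
    }

    /**
     * Access rules for the token-related endpoints.
     *
     * check_token was previously permitAll(), which let any unauthenticated caller introspect
     * a token (user name, scopes, client). It now requires the caller to authenticate as a client.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            // /oauth/token_key serves a JWT signing key; no JwtAccessTokenConverter is configured
            // here (tokens are opaque, stored in the DB), so this setting is presumably inert.
            .tokenKeyAccess("permitAll()")
            // /oauth/check_token: only authenticated clients may introspect tokens.
            .checkTokenAccess("isAuthenticated()")
            // Accept client_id/client_secret as form parameters in addition to HTTP Basic.
            // The secret then travels in the request body - only acceptable over TLS.
            .allowFormAuthenticationForClients();
    }
}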
3. 资源服务器
package org.tegic.oauth2demo.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import javax.sql.DataSource;
/**
* @author JiangTeJie
* @since 2021/3/26 9:01
*/
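@Configuration
// NOTE(review): @Order on a ResourceServerConfigurerAdapter does not reorder the security filter
// chains - the resource-server chain is registered with its own order by the framework. Verify
// the effective chain order rather than relying on this annotation.
@Order(1)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    // NOTE(review): this adapter only takes effect when @EnableResourceServer is present in the
    // context (e.g. on the application class, not shown here) - confirm.

    /** Must point at the same database the authorization server writes tokens into. */
    @Autowired
    private DataSource dataSource;

    /**
     * Token validation settings for the API chain.
     *
     * stateless was previously false, which also lets a pre-existing (session) authentication
     * satisfy this chain instead of requiring a bearer token. It is now true (the framework
     * default): only bearer tokens authenticate requests here.
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // A token is only accepted if the issuing client's resource_ids contains "test"
        // (or is empty).
        resources.resourceId("test");
        // Same JDBC store (oauth_access_token) the authorization server writes to.
        resources.tokenStore(new JdbcTokenStore(dataSource));
        // Bearer tokens only; discard any authentication that did not come from a token.
        resources.stateless(true);
    }

    /**
     * Scopes this chain to /api/** so the form-login chain in WebSecurityConfig still handles
     * everything else, and requires the 'read' scope on every API request.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .authorizeRequests()
                // The token must carry the 'read' scope; client authorities alone are not enough.
                .antMatchers("/**").access("#oauth2.hasScope('read')")
            .and()
            .cors().disable()
            // No HTTP session for API calls; each request authenticates via its bearer token.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}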
4. springSecurity配置搭建
package org.tegic.oauth2demo.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.tegic.oauth2demo.service.CustomUserDetailService;
/**
* @author JiangTeJie
* @since 2021/3/25 15:32
*/
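@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Encoder used to verify user passwords loaded by customUserDetailService. */
    @Autowired
    private PasswordEncoder passwordEncoder;

    /** Application-specific user lookup (defined elsewhere in the project). */
    @Autowired
    private CustomUserDetailService customUserDetailService;

    /**
     * Builds the username/password provider used by form login.
     *
     * hideUserNotFoundExceptions was previously false, which makes the login response
     * distinguish "unknown user" from "wrong password" and lets an attacker enumerate valid
     * usernames. It is now true (Spring's default): both cases surface as BadCredentialsException.
     */
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setHideUserNotFoundExceptions(true);
        provider.setUserDetailsService(customUserDetailService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }

    /**
     * Registers the provider above.
     *
     * NOTE(review): nothing here exposes an AuthenticationManager bean; if the authorization
     * server is meant to support the "password" grant it will need one (override
     * authenticationManagerBean() with @Bean and pass it to the endpoints configurer) - confirm.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    /**
     * Default chain for everything not claimed by the /api/** resource-server chain:
     * form login, with only /login and /logout reachable anonymously.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The CORS filter is disabled; CSRF protection is left at its default (enabled),
        // which covers the login and logout forms.
        http.cors().disable();
        http.formLogin();
        http
            .authorizeRequests()
                .antMatchers("/login", "/logout").permitAll()
                .anyRequest().authenticated();
    }
}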
5. 把 OAuth2 的 client 信息、token 信息整合到数据库，只需建表，框架（JdbcClientDetailsService / JdbcTokenStore）已经封装好了相关 SQL 语句。注意两点：如果 authorized_grant_types 中包含 refresh_token，还需要按同样方式建 oauth_refresh_token 表，否则 JdbcTokenStore 写入刷新令牌时会报错；client_secret 一列必须存放经 PasswordEncoder 编码后的值（与 AuthServerConfig 中配置的 passwordEncoder 一致），不能存明文。
客户端信息存在 oauth_client_details 表
-- Client registry read by JdbcClientDetailsService (AuthServerConfig.configure(clients)).
CREATE TABLE `oauth_client_details` (
`client_id` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL COMMENT '必填,Oauth2 client_id',
-- Must contain "test" (or be left empty) for tokens to be accepted by ResourceServerConfig,
-- which sets resourceId("test").
`resource_ids` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '可选,资源id集合,多个资源用英文逗号隔开',
-- Store the secret already encoded by the same PasswordEncoder the authorization server is
-- configured with (clients.jdbc(dataSource).passwordEncoder(...)); never the raw secret.
`client_secret` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '必填,Oauth2 client_secret',
-- ResourceServerConfig requires the 'read' scope on every /api/** request.
`scope` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '必填,Oauth2 权限范围,比如 read,write等可自定义',
-- NOTE(review): the "password" grant additionally needs an AuthenticationManager on the
-- authorization-server endpoints, which the configuration on this page does not set.
`authorized_grant_types` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '必填,Oauth2 授权类型,支持类型:authorization_code,password,refresh_token,implicit,client_credentials,多个用英文逗号隔开',
-- Register exact redirect URIs only; a loosely registered URI lets an attacker redirect codes elsewhere.
`web_server_redirect_uri` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '可选,客户端的重定向URI,当grant_type为authorization_code或implicit时,此字段是需要的',
`authorities` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '可选,指定客户端所拥有的Spring Security的权限值',
`access_token_validity` int DEFAULT NULL COMMENT '可选,access_token的有效时间值(单位:秒),不填写框架(类refreshTokenValiditySeconds)默认12小时',
`refresh_token_validity` int DEFAULT NULL COMMENT '可选,refresh_token的有效时间值(单位:秒),不填写框架(类refreshTokenValiditySeconds)默认30天',
`additional_information` varchar(4096) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '预留字段,格式必须是json',
-- Auto-approving scopes skips the consent screen; leave unset for third-party clients.
`autoapprove` varchar(256) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL COMMENT '该字段适用于grant_type="authorization_code"的情况下,用户是否自动approve操作',
PRIMARY KEY (`client_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;
token 信息存在 oauth_access_token 表（如使用 refresh_token 授权类型，还需要结构类似的 oauth_refresh_token 表）
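-- Access-token store used by JdbcTokenStore in both AuthServerConfig and ResourceServerConfig.
-- token_id / refresh_token hold a hex MD5 digest of the token value (a hash, not encryption);
-- the raw token value only appears inside the serialized `token` blob.
-- NOTE(review): `token` and `authentication` are Java-serialized objects that the framework
-- deserializes when a token is looked up; anyone who can write this table can plant arbitrary
-- serialized data. Grant the application's DB account only what JdbcTokenStore needs and keep
-- the table off-limits to other tenants/services.
CREATE TABLE `oauth_access_token` (
`token_id` varchar(256) COLLATE utf8mb4_bin DEFAULT NULL COMMENT 'MD5加密后存储的access_token',
`token` blob COMMENT 'access_token序列化的二进制数据格式',
`authentication_id` varchar(256) COLLATE utf8mb4_bin NOT NULL COMMENT '主键,其值是根据当前的username(如果有),client_id与scope通过MD5加密生成的,具体实现参见DefaultAuthenticationKeyGenerator',
`user_name` varchar(256) COLLATE utf8mb4_bin DEFAULT NULL,
`client_id` varchar(256) COLLATE utf8mb4_bin DEFAULT NULL,
`authentication` blob COMMENT '将OAuth2Authentication对象序列化后的二进制数据',
`refresh_token` varchar(256) COLLATE utf8mb4_bin DEFAULT NULL COMMENT 'refresh_token的MD5加密后的数据',
PRIMARY KEY (`authentication_id`),
-- Every bearer-token check on the resource server looks a row up by token_id, and refresh-token
-- revocation looks up by refresh_token; without these indexes each lookup is a full table scan.
KEY `idx_oauth_access_token_token_id` (`token_id`),
KEY `idx_oauth_access_token_refresh_token` (`refresh_token`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;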
配置类基本完成。
踩坑经历:
-
Spring Security（WebSecurityConfig）的过滤器链会被 ResourceServerConfig 的过滤器链「覆盖」，原因是两条链的顺序和匹配范围没有协调好：Spring Security 对每个请求只会选用第一条匹配的过滤器链。因此必须明确两条链的先后顺序，并且先执行的链不能匹配所有请求（本文用 antMatcher("/api/**") 把资源服务器链限定在 API 路径下），否则后面的链永远匹配不到请求，相当于没有配置。
-
在 Spring Cloud 多模块项目中，OAuth2 整合数据库后，oauth_access_token 表里的 token、authentication 列存放的是 Java 序列化后的对象；如果各模块引入的 Spring Security 版本不一致，反序列化会失败（例如 UserDetails 信息）。应让各模块的 Spring Security / OAuth2 相关依赖都从父模块继承，保持版本一致。
-
如果授权服务器和资源服务器分开部署，那么 client 和 token 整合数据库时，两边注入的 DataSource 必须连接同一个数据库：资源服务器的 JdbcTokenStore 要能读到授权服务器写入的令牌，否则所有令牌校验都会失败。