Preparation
Environment: Spring Boot 2.0+
Add the following to pom.xml:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.1.0.RELEASE</version>
    </dependency>
Endpoints in Spring Security OAuth2 (a look at authentication on the various Spring Security OAuth2 endpoints)
/oauth/authorize (authorization endpoint, used by the authorization code grant)
/oauth/token (token endpoint, obtains the token)
/oauth/check_token (used by the resource server to validate a token)
/oauth/confirm_access (the user submits consent to the authorization)
/oauth/error (authentication failure)
/oauth/token_key (when JWT is used, the public key for verifying the token signature can be obtained here)
Analysis
Authorization server
Add the @EnableAuthorizationServer annotation:
    @Target(ElementType.TYPE)
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    @Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})
    public @interface EnableAuthorizationServer {
    }
AuthorizationServerSecurityConfiguration: the filter-chain configuration of the OAuth authorization server. It extends WebSecurityConfigurerAdapter and loads every class that implements AuthorizationServerConfigurer (the main OAuth configuration classes).
In Spring Boot's auto-configuration class OAuth2AutoConfiguration:
    @Configuration
    @ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurer.class })
    @Import({ OAuth2AuthorizationServerConfiguration.class, // 2
            OAuth2MethodSecurityConfiguration.class, OAuth2ResourceServerConfiguration.class,
            OAuth2RestOperationsConfiguration.class })
    @AutoConfigureBefore(WebMvcAutoConfiguration.class)
    @EnableConfigurationProperties(OAuth2ClientProperties.class)
    public class OAuth2AutoConfiguration { // 1
    }
OAuth2AuthorizationServerConfiguration implements AuthorizationServerConfigurer and is therefore loaded by step 1; it mainly configures the ClientDetailsServiceConfigurer, AuthorizationServerSecurityConfigurer and AuthorizationServerEndpointsConfigurer.
(If you define your own AuthorizationServerConfigurerAdapter, the OAuth2AuthorizationServerConfiguration configuration is not loaded; your custom one is loaded instead.)
- ClientDetailsServiceConfigurer: configures the client details service (ClientDetailsService). Client details are initialised here; they can be hard-coded or stored in and fetched from a database.
- AuthorizationServerSecurityConfigurer: configures the security constraints on the token endpoint.
- AuthorizationServerEndpointsConfigurer: configures the authorization and token endpoints and the token services.
ClientDetailsServiceConfigurer
ClientDetailsServiceConfigurer (a callback configurer of AuthorizationServerConfigurer) can back the client details service (ClientDetailsService) with memory or with JDBC. The Spring Security OAuth2 way to configure it is to write a @Configuration class that extends AuthorizationServerConfigurerAdapter and override the void configure(ClientDetailsServiceConfigurer clients) method, for example:
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // use JdbcClientDetailsService, which reads client details from the oauth_client_details table
        clients.withClientDetails(new JdbcClientDetailsService(dataSource));
    }
JDBC is used here for the client details service; the data source dataSource is not covered, and the framework's default tables are used (schema link).
AuthorizationServerEndpointsConfigurer
Configuring token management (jwtAccessTokenConverter)
JwtAccessTokenConverter is the converter that produces the token. Tokens are signed by default, and the resource server must verify that signature. Signing and verification can be done in two ways:
symmetric keys, or asymmetric keys (public/private key pair)
With a symmetric key the authorization server and the resource server must hold the same key value; with asymmetric keys the private key signs and the public key is exposed to the resource server for verification. This article uses the symmetric approach, configured in the AuthorizationServerConfigurerAdapter as follows:
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter();
        // symmetric signing key; the resource server must be configured with this same value
        accessTokenConverter.setSigningKey("gggg");
        return accessTokenConverter;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.accessTokenConverter(jwtAccessTokenConverter());
    }
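To make concrete what "the authorization server and the resource server must hold the same key" means, here is an added example (not code from the article) that uses the JwtHelper and MacSigner classes from spring-security-jwt, the library JwtAccessTokenConverter is built on, so it is already on the classpath when the configuration above works. The key value, the claims payload and the class name SymmetricJwtCheck are constructed for illustration. It signs a claims payload the way the authorization server does, verifies it with the same key the way the resource server does, and shows that a resource server holding a different key rejects the token.

```java
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;

public class SymmetricJwtCheck {

    // Constructed sample key for illustration only. In a deployment the value comes from
    // configuration and the identical value is given to the resource server.
    static final String SHARED_KEY = "replace-with-a-long-random-secret";

    /** What the authorization server does: HMAC-sign the claims with the shared key. */
    static String sign(String claimsJson, String key) {
        return JwtHelper.encode(claimsJson, new MacSigner(key)).getEncoded();
    }

    /** What the resource server does: verify the signature first, then read the claims. */
    static String verify(String token, String key) {
        Jwt jwt = JwtHelper.decodeAndVerify(token, new MacSigner(key));
        return jwt.getClaims();
    }

    public static void main(String[] args) {
        // Constructed claims payload; a real token also carries jti, client_id, aud, etc.
        String claims = "{\"user_name\":\"alice\",\"scope\":[\"read\"],\"exp\":4102444800}";
        String token = sign(claims, SHARED_KEY);
        System.out.println("token: " + token);

        // Same key on both sides: verification succeeds and the claims are returned.
        System.out.println("claims: " + verify(token, SHARED_KEY));

        // Different key on the resource server: the signature check fails and the
        // token is rejected before any claim is trusted.
        try {
            verify(token, "some-other-key");
        } catch (InvalidSignatureException e) {
            System.out.println("rejected with wrong key: " + e.getMessage());
        }
    }
}
```

This is why /oauth/token_key is restricted with tokenKeyAccess("isAuthenticated()") further down: with a symmetric key, whatever that endpoint returns is the signing key itself, and anyone holding it can mint tokens that verify.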
AuthorizationServerSecurityConfigurer:
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // /oauth/token_key may only be called by an authenticated client
        security.tokenKeyAccess("isAuthenticated()");
    }
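The three configure methods above are pieces of one AuthorizationServerConfigurerAdapter. The following is an added, complete version of that adapter written for this page, not the article's code: it registers a client, wires the JwtAccessTokenConverter into a JwtTokenStore, and locks down the token endpoints. The property name oauth.jwt.signing-key, the client id web-app, its secret, redirect URI and resource id orders-api are constructed examples. It keeps the article's in-memory/JDBC choice open (the JDBC line is shown as a comment) and adds the PasswordEncoder that Spring Security 5, as used by Spring Boot 2, requires for client secrets.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Hypothetical property name: the key is read from configuration instead of being
    // hard-coded, so the same value can be supplied to the resource server.
    @Value("${oauth.jwt.signing-key}")
    private String signingKey;

    // Spring Security 5 refuses unencoded client secrets; the same encoder is handed
    // to the token endpoint's security configurer below.
    @Bean
    public PasswordEncoder clientSecretEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey); // symmetric HMAC key shared with the resource server
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore stores nothing server-side; tokens are self-contained and checked by signature.
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed sample client. Each attribute narrows what a leaked secret or
        // authorization code is good for: one grant, an exact redirect URI, one scope,
        // one audience, short-lived tokens, explicit user consent.
        clients.inMemory()
            .withClient("web-app")
            .secret(clientSecretEncoder().encode("change-me-client-secret"))
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")
            .redirectUris("https://app.example.com/login/oauth2/code/web-app")
            .resourceIds("orders-api")
            .autoApprove(false)
            .accessTokenValiditySeconds(600)
            .refreshTokenValiditySeconds(86400);
        // JDBC alternative, as in the article: the same attributes live in oauth_client_details.
        // clients.withClientDetails(new JdbcClientDetailsService(dataSource));
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
            .accessTokenConverter(jwtAccessTokenConverter())
            .allowedTokenEndpointRequestMethods(HttpMethod.POST) // no credentials in a GET query string
            .reuseRefreshTokens(false);                         // every refresh rotates the refresh token
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(clientSecretEncoder())
            // with a symmetric key, /oauth/token_key would hand out the signing key itself
            .tokenKeyAccess("isAuthenticated()")
            .checkTokenAccess("isAuthenticated()");
    }
}
```

A client that only needs the authorization code grant does not need an AuthenticationManager on the endpoints; that is only required when the password grant is enabled, which this example deliberately leaves out.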
Flow
The initial request goes to the URL /oauth/authorize (see the AuthorizationEndpoint class)
Exchanging the authorization code for a token uses the URL /oauth/token (see the TokenEndpoint class)
Resource server
Add the @EnableResourceServer annotation:
    @Target(ElementType.TYPE)
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    @Import(ResourceServerConfiguration.class)
    public @interface EnableResourceServer {
    }
In Spring Boot's auto-configuration class OAuth2AutoConfiguration (the same class shown above), the @Import also brings in OAuth2ResourceServerConfiguration:
    @Configuration
    @ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurer.class })
    @Import({ OAuth2AuthorizationServerConfiguration.class, // 2
            OAuth2MethodSecurityConfiguration.class, OAuth2ResourceServerConfiguration.class,
            OAuth2RestOperationsConfiguration.class })
    @AutoConfigureBefore(WebMvcAutoConfiguration.class)
    @EnableConfigurationProperties(OAuth2ClientProperties.class)
    public class OAuth2AutoConfiguration { // 1
    }
The related resource server classes are loaded in OAuth2ResourceServerConfiguration.
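The article does not show the resource server side of the symmetric setup, so here is an added example (not the article's code) of a ResourceServerConfigurerAdapter that verifies the JWTs locally with the same key. The property name oauth.jwt.signing-key, the resource id orders-api and the /api/** paths are constructed for illustration and must match what the authorization server issues.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Hypothetical property name; it must hold exactly the key the authorization server signs with.
    @Value("${oauth.jwt.signing-key}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // Signature is checked locally; no round trip to /oauth/check_token is needed.
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            // a token whose aud claim is present but does not include this id is rejected;
            // the authorization server sets aud from the client's resourceIds
            .resourceId("orders-api")
            .tokenStore(tokenStore())
            .stateless(true); // only the bearer token counts, never a session
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                // #oauth2.hasScope is provided by the OAuth2WebSecurityExpressionHandler that
                // ResourceServerSecurityConfigurer installs
                .antMatchers("/api/**").access("#oauth2.hasScope('read')")
                .anyRequest().denyAll();
    }
}
```

If the resource server's key does not match, every request to /api/** fails with an invalid_token error; that is the symmetric-key constraint from the token management section enforced at the filter chain.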
Extension: Security auto-configuration and how Security generates its filter chains
As you can see, when OAuth is auto-configured a WebSecurityConfigurerAdapter implementation already exists, so SpringBootWebSecurityConfiguration does not load and does not generate its own filter chain. See the difference between the filter chains generated by Spring Boot 1.5+ and Spring Boot 2.0+ below.
    @Configuration
    @ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
    @EnableConfigurationProperties(SecurityProperties.class)
    @Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
            SecurityDataConfiguration.class })
    public class SecurityAutoConfiguration {
    }

    @Configuration
    @ConditionalOnClass(WebSecurityConfigurerAdapter.class)
    @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
    @ConditionalOnWebApplication(type = Type.SERVLET)
    public class SpringBootWebSecurityConfiguration {

        @Configuration
        @Order(SecurityProperties.BASIC_AUTH_ORDER)
        static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
        }
    }
Differences between the filter chains generated by Spring Boot 1.5+ and Spring Boot 2.0+
Spring Boot 2.0+
[
[
OrRequestMatcher[
requestMatchers=[
Ant[
pattern='/oauth/token'
],
Ant[
pattern='/oauth/token_key'
],
Ant[
pattern='/oauth/check_token'
]
]
],
[
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7f0b93b4,
org.springframework.security.web.context.SecurityContextPersistenceFilter@7f4596d0,
org.springframework.security.web.header.HeaderWriterFilter@5d878b25,
org.springframework.security.web.authentication.logout.LogoutFilter@18b6d3c1,
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1859ffda,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@588545ac,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@f238e4f,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1376883,
org.springframework.security.web.session.SessionManagementFilter@390037e7,
org.springframework.security.web.access.ExceptionTranslationFilter@18d11527,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@69cd7630
]
]
]
--------------------------------------------------------------------------------------------------------------
Spring Boot 1.5+
[
[
OrRequestMatcher[
requestMatchers=[
Ant[
pattern='/css/**'
],
Ant[
pattern='/js/**'
],
Ant[
pattern='/images/**'
],
Ant[
pattern='/webjars/**'
],
Ant[
pattern='/**/favicon.ico'
],
Ant[
pattern='/error'
]
]
],
[
]
],
[
OrRequestMatcher[
requestMatchers=[
Ant[
pattern='/oauth/token'
],
Ant[
pattern='/oauth/token_key'
],
Ant[
pattern='/oauth/check_token'
]
]
],
[
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@56e9a474,
org.springframework.security.web.context.SecurityContextPersistenceFilter@3a90c13c,
org.springframework.security.web.header.HeaderWriterFilter@6aa7b67f,
org.springframework.security.web.authentication.logout.LogoutFilter@365cdacf,
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@3ba348ca,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@188598ad,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3a1706e1,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@45b15381,
org.springframework.security.web.session.SessionManagementFilter@590f0c50,
org.springframework.security.web.access.ExceptionTranslationFilter@2721044,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3d0cac1f
]
],
[
OrRequestMatcher[
requestMatchers=[
Ant[
pattern='/**'
]
]
],
[
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7316523a,
org.springframework.security.web.context.SecurityContextPersistenceFilter@4b960b5b,
org.springframework.security.web.header.HeaderWriterFilter@7ed3df3b,
org.springframework.security.web.authentication.logout.LogoutFilter@64dae3b7,
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1fedf0a4,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1b13467c,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7bd96822,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@33a55bd8,
org.springframework.security.web.session.SessionManagementFilter@465b38e6,
org.springframework.security.web.access.ExceptionTranslationFilter@d5bb1c4,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@784223e9
]
]
]
Spring Security internals: using the OAuth authorization server (part 2)
References:
Spring Security OAuth 2.0
Spring Cloud OAuth2 (1): Building the authorization service