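Spring Boot already integrates a security framework for the standard OAuth2 protocol. Combined with spring-security and JWT, it can be used to implement stateless access control.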
1. Add the dependency:
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
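2. Define a custom WebSecurityConfigurerAdapter
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(2)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // URL-level authorization rules, login and CSRF settings go here
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // user store (UserDetailsService) and password encoder go here
    }

    // Exposes the AuthenticationManager as a bean so AuthorizationServerConfig can inject it
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    public void configure(WebSecurity web) {
        // requests to exclude from the security filter chain go here
    }
}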
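3. Define a custom AuthorizationServerConfigurerAdapter
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // registered OAuth2 clients (id, secret, grant types, scopes) go here
    }
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // token endpoint wiring (authenticationManager, token store) goes here
    }
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // access rules for /oauth/token_key and /oauth/check_token go here
    }
}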
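4. Define a custom ResourceServerConfigurerAdapter
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Order(6)
@Configuration
@EnableResourceServer
public class ResourcesServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // resource id and token services / token store go here
    }
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // access rules for the protected API paths go here
    }
}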
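5. Define a custom GlobalSecurityConfig
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class GlobalSecurityConfig extends GlobalMethodSecurityConfiguration {
    // Enables OAuth2 expressions such as #oauth2.hasScope('read') in @PreAuthorize
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}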
6. Configuration file
security:
  oauth2:
    resource:
      filter-order: 3
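At this point the basic environment is set up. You can customize the configuration to suit your own business needs, for example by adding more grant types or integrating JWT.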
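One way to fill in the authorization server skeleton for the JWT integration mentioned above, as an added example that is not code from the original post. The class name, the client id `demo-client` and the `demo.*` property names are hypothetical, a `PasswordEncoder` bean is assumed to be defined elsewhere, and the class is meant to replace the empty skeleton rather than sit beside it.

```java
import org.springframework.beans.factory.annotation.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.config.annotation.web.configurers.*;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.*;

@Configuration
@EnableAuthorizationServer
public class JwtAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager;
    @Autowired private PasswordEncoder passwordEncoder;           // assumed: bean defined elsewhere
    @Value("${demo.jwt.signing-key}") private String signingKey;  // hypothetical property
    @Value("${demo.client.secret}") private String clientSecret;  // hypothetical property

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey); // HMAC key read from configuration, not hard-coded
        return converter;
    }
    @Bean // JwtTokenStore keeps no server-side state: the signed token carries the claims
    public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
               .withClient("demo-client")                      // hypothetical client id
               .secret(passwordEncoder.encode(clientSecret))   // store only the encoded secret
               .authorizedGrantTypes("password")
               .scopes("read")
               .accessTokenValiditySeconds(900); // short lifetime: a stateless JWT cannot be revoked
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager) // needed for the password grant
                 .tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(passwordEncoder); // verify client secrets with the same encoder
    }
}
```

With a symmetric signing key, every resource server that validates these tokens must hold the same key, so an RSA key pair is the usual choice once the resource server runs as a separate service.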