spring-security-oauth2-authorization-server(四)Redis存储token实现

已于 2024-07-09 22:20:04 修改
阅读量504 收藏 10
点赞数 3
分类专栏: Spring SpringSecurity Spring Authorization Server 文章标签: spring redis java
于 2024-07-04 23:31:57 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_42229668/article/details/140137800
版权

文章目录

写在前面的话

因为SpringBoot3.x是目前最新的版本,整合spring-security-oauth2-authorization-server的资料很少,所以产生了这篇文章,主要为想尝试SpringBoot高版本,想整合最新的spring-security-oauth2-authorization-server的初学者,旨在为大家提供一个简单上手的参考,如果哪里写得不对或可以优化的还请大家踊跃评论指正。

前面几篇文章主要结合官网的描述实现了基于JDBC获取用户信息登录并存储token在数据库中。但是我们实际中使用较多的是将token存储在Redis,官方只提供了InMemory和JDBC两种模式,所以本篇文章主要想实现一个自定义的RedisService来存储和获取token。此中会遇到很多问题,会一一列出。
整个项目的配置还是复用的上一篇。

一、自定义RedisOAuth2AuthorizationService

1. 整合Redis

在pom中添加如下坐标,如果开启lettuce连接池需要引入common-pools否则会报错

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>

<!--  开启lettuce pool需要此依赖 -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-pool2</artifactId>
</dependency>

spring:
  data:
    redis:
      lettuce:
        pool:
          max-active: 8
          max-idle: 8
          min-idle: 1
          max-wait: 30000
          # 开启连接池,需要引入common-pools
          enabled: true
      database: 15
      host: 192.168.0.51
      port: 6379
      password: lx90150..

2. 创建RedisOAuth2AuthorizationService

我们上一篇实现了基于JDBC的JdbcOAuth2AuthorizationService,点进去会看到是实现了OAuth2AuthorizationService接口,那我们也实现此接口。里面有用到RedisUtils工具类,比较简单就不贴了。

public class RedisOAuth2AuthorizationService implements OAuth2AuthorizationService {

    @Override
    public void save(OAuth2Authorization authorization) {

    }

    @Override
    public void remove(OAuth2Authorization authorization) {

    }

    @Override
    public OAuth2Authorization findById(String id) {
        return null;
    }

    @Override
    public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
        return null;
    }
}

然后我们一一去重写它。

2.1 save(OAuth2Authorization authorization)

之前我们认证服务器配置中,有配置RegisteredClientRepository Bean,里面我们设置了tokenSettings,里面包含token的一些信息,如:授权码过期时间,accessToken过期时间等,默认是5分钟,支持自定义。所以我们将RegisteredClientRepository引入进来供查询客户端信息。

    private final RegisteredClientRepository clientRepository;

    @Setter
    private ObjectMapper objectMapper = new ObjectMapper();

    public RedisOAuth2AuthorizationService(RegisteredClientRepository clientRepository) {
        this.clientRepository = clientRepository;
    }
	
	@Override
    public void save(OAuth2Authorization authorization) {
        // 获取客户端信息
        final String clientId = authorization.getRegisteredClientId();
        RegisteredClient registeredClient = clientRepository.findById(clientId);
        Assert.notNull(registeredClient, "客户端信息不可为空");
        Assert.notNull(registeredClient.getTokenSettings(), "token配置信息不可为空");

        // 获取授权码、AccessToken、RefreshToken过期时间,默认5分钟
        Duration codeLiveTime = registeredClient.getTokenSettings().getAuthorizationCodeTimeToLive();
        Duration accessTokenLiveTime = registeredClient.getTokenSettings().getAccessTokenTimeToLive();
        Duration refreshTokenLiveTime = registeredClient.getTokenSettings().getRefreshTokenTimeToLive();

        // 获取authorizationId
        final String authorizationId = authorization.getId();
        final String idToAuthorizationKey = SecurityConstant.getIdToAuthorizationKey(authorizationId);
        
        // write()是用objectMapper序列化,想以原样存储原样获取方便查看
        RedisUtils.setEx(idToAuthorizationKey, write(authorization), accessTokenLiveTime.getSeconds(), TimeUnit.SECONDS);

        //因为授权码、AccessToken、RefreshToken都是通过此service存储和获取,所以都需要存储
        Optional.ofNullable(authorization.getToken(OAuth2AuthorizationCode.class)).ifPresent(token -> {
            final String codeToAuthorizationKey = SecurityConstant.getCodeToAuthorization(token.getToken().getTokenValue());
            RedisUtils.setEx(codeToAuthorizationKey, authorizationId, codeLiveTime.getSeconds(), TimeUnit.SECONDS);
        });
        Optional.ofNullable(authorization.getAccessToken()).ifPresent(token -> {
            final String accessToAuthorization = SecurityConstant.getAccessToAuthorization(token.getToken().getTokenValue());
            RedisUtils.setEx(accessToAuthorization, authorizationId, accessTokenLiveTime.getSeconds(), TimeUnit.SECONDS);
        });
        Optional.ofNullable(authorization.getRefreshToken()).ifPresent(token -> {
            final String refreshToAuthorization = SecurityConstant.getRefreshToAuthorization(token.getToken().getTokenValue());
            RedisUtils.setEx(refreshToAuthorization, authorizationId, refreshTokenLiveTime.getSeconds(), TimeUnit.SECONDS);
        });
    }
  

    /**
     * 将OAuth2Authorization对象序列化成字符串
     *
     * @param data  OAuth2Authorization对象
     * @return OAuth2Authorization字符串
     */
    private String write(Object data) {
        try {
            return this.objectMapper.writeValueAsString(data);
        } catch (Exception ex) {
            throw new IllegalArgumentException(ex.getMessage(), ex);
        }
    }

附上SecurityConstant定义的常量

public class SecurityConstant {

    /**
     * redisToken前缀
     */
    public final static String CACHE_TOKEN_PREFIX = "ADP-SSO:";


    /**
     * authorization_id key
     */
    public static final String ID_TO_AUTHORIZATION = CACHE_TOKEN_PREFIX + "id_to_authorization:";
    
    /**
     * authorization_code key
     */
    public static final String CODE_TO_AUTHORIZATION = CACHE_TOKEN_PREFIX + "code_to_authorization:";

    /**
     * access_token key
     */
    public static final String ACCESS_TO_AUTHORIZATION = CACHE_TOKEN_PREFIX + "access_to_authorization:";

    /**
     * refresh_token key
     */
    public static final String REFRESH_TO_AUTHORIZATION = CACHE_TOKEN_PREFIX + "refresh_to_authorization:";

    private static final MessageDigest DIGEST;

    static {
        try {
            DIGEST = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    protected static String generateKey(String rawKey) {
        byte[] bytes = DIGEST.digest(rawKey.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, bytes));
    }

    public static String getIdToAuthorizationKey(String authorizationId) {
        return SecurityConstant.ID_TO_AUTHORIZATION + authorizationId;
    }

    public static String getCodeToAuthorization(String code) {
        return SecurityConstant.CODE_TO_AUTHORIZATION + generateKey(code);
    }

    public static String getAccessToAuthorization(String accessToken) {
        return SecurityConstant.ACCESS_TO_AUTHORIZATION + generateKey(accessToken);
    }

    public static String getRefreshToAuthorization(String refreshToken) {
        return SecurityConstant.REFRESH_TO_AUTHORIZATION + generateKey(refreshToken);
    }
}

2.2 OAuth2Authorization findById(String id)

提供根据authorizationId查询OAuth2Authorization

    @Override
    public OAuth2Authorization findById(String id) {
        return Optional.ofNullable(RedisUtils.get(SecurityConstant.getIdToAuthorizationKey(id))).map(this::parse).orElse(null);
    }

	/**
     * 将redis里的OAuth2Authorization反序列化成OAuth2Authorization对象
     * 
     * @param data  OAuth2Authorization序列化串
     * @return OAuth2Authorization
     */
    private OAuth2Authorization parse(String data) {
        try {
            return this.objectMapper.readValue(data, new TypeReference<>() {
            });
        } catch (Exception ex) {
            throw new IllegalArgumentException(ex.getMessage(), ex);
        }
    }

2.3 OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType)

根据token查询OAuth2Authorization

	@Override
    public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
        Assert.notBlank(token, "token不能为空");
        if (tokenType == null) {
            return Optional.ofNullable(RedisUtils.get(SecurityConstant.getCodeToAuthorization(token)))
                    .or(() -> Optional.ofNullable(RedisUtils.get(SecurityConstant.getAccessToAuthorization(token))))
                    .or(() -> Optional.ofNullable(RedisUtils.get(SecurityConstant.getRefreshToAuthorization(token))))
                    .map(this::findById).orElse(null);
        } else if (OAuth2ParameterNames.CODE.equals(tokenType.getValue())) {
            return Optional.ofNullable(RedisUtils.get(SecurityConstant.getCodeToAuthorization(token))).map(this::findById).orElse(null);
        } else if (OAuth2TokenType.ACCESS_TOKEN.equals(tokenType)) {
            return Optional.ofNullable(RedisUtils.get(SecurityConstant.getAccessToAuthorization(token))).map(this::findById).orElse(null);
        } else if (OAuth2TokenType.REFRESH_TOKEN.equals(tokenType)) {
            return Optional.ofNullable(RedisUtils.get(SecurityConstant.getRefreshToAuthorization(token))).map(this::findById).orElse(null);
        }
        return null;
    }

2.4 remove(OAuth2Authorization authorization)

    @Override
    public void remove(OAuth2Authorization authorization) {
        List<String> keysToRemove = new ArrayList<>();
        keysToRemove.add(SecurityConstant.getIdToAuthorizationKey(authorization.getId()));
        RedisUtils.delete(keysToRemove);
    }

2.5 测试并处理一系列问题

2.5.1 反序列化时间错误

访问http://192.168.0.10:8080/oauth2/authorize?response_type=code&scope=user&client_id=oauth2-client&state=ok&redirect_uri=https://www.baidu.com登录后报错:

Caused by: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Java 8 date/time type `java.time.LocalDateTime` not supported by default: add Module "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" to enable handling (through reference chain: org.springframework.security.oauth2.server.authorization.OAuth2Authorization["attributes"]->java.util.Collections$UnmodifiableMap["java.security.Principal"]->org.springframework.security.authentication.UsernamePasswordAuthenticationToken["principal"]->com.roshine.authorization.domain.AccAccountDO["gmtCreate"])

看着像是无法反序列化attributes下principal的gmtCreate时间字段,那我们把JavaTimeModule配好再试试。

public class ObjectMapperUtils {

	public static ObjectMapper objectMapper() {
		ObjectMapper objectMapper = new ObjectMapper();
		objectMapper.setTimeZone(TimeZone.getTimeZone("GMT+8"));
		objectMapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
		objectMapper.disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);

		JavaTimeModule javaTimeModule = new JavaTimeModule();
		// 添加序列化
		javaTimeModule.addSerializer(LocalDateTime.class, new LocalDateTimeSerializer(DateTimeFormatter.ofPattern(DatePattern.NORM_DATETIME_PATTERN)));
		javaTimeModule.addSerializer(LocalDate.class, new LocalDateSerializer(DateTimeFormatter.ofPattern(DatePattern.NORM_DATE_PATTERN)));
		javaTimeModule.addSerializer(LocalTime.class, new LocalTimeSerializer(DateTimeFormatter.ofPattern(DatePattern.NORM_TIME_PATTERN)));
		// 添加反序列化
		javaTimeModule.addDeserializer(LocalDateTime.class, new LocalDateTimeDeserializer(DateTimeFormatter.ofPattern(DatePattern.NORM_DATETIME_PATTERN)));
		javaTimeModule.addDeserializer(LocalDate.class, new LocalDateDeserializer(DateTimeFormatter.ofPattern(DatePattern.NORM_DATE_PATTERN)));
		javaTimeModule.addDeserializer(LocalTime.class, new LocalTimeDeserializer(DateTimeFormatter.ofPattern(DatePattern.NORM_TIME_PATTERN)));
		objectMapper.registerModules(javaTimeModule);
		return objectMapper;
	}
}

然后把RedisOAuth2AuthorizationService中的ObjectMapper改成ObjectMapperUtils.objectMapper()再测试试试

    @Setter
    private ObjectMapper objectMapper = ObjectMapperUtils.objectMapper();
2.5.2 点击授权按钮重定向到/oauth2/authorize 400

成功来到授权页,继续下面的操作,发现又报错:
在这里插入图片描述
不知道什么原因,大概率是我们刚写的RedisOAuth2AuthorizationService有问题,debug看下情况,发现:点击授权按钮后来到了findByToken方法,找tokenType == state的信息,我们没有定义返回了null。
在这里插入图片描述
那就把它补上再试试。常量类SecurityConstant补充:

    /**
     * state key
     */
    public static final String STATE_TO_AUTHORIZATION = CACHE_TOKEN_PREFIX + "state_to_authorization:";

    public static String getStateToAuthorization(String state) {
        return SecurityConstant.STATE_TO_AUTHORIZATION + generateKey(state);
    }

save(OAuth2Authorization authorization)下追加state存储

        // 点击授权按钮,会根据state查询authorization,所以state也要存起来
        Optional.ofNullable(authorization.getAttribute(OAuth2ParameterNames.STATE)).ifPresent(token -> {
            final String stateToAuthorizationKey = SecurityConstant.getStateToAuthorization((String) token);
            RedisUtils.setEx(stateToAuthorizationKey, authorizationId, stateLiveTime.getSeconds(), TimeUnit.SECONDS);
        });

OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType)下追加state查询OAuth2Authorization的方法

else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
            return Optional.ofNullable(RedisUtils.get(SecurityConstant.getStateToAuthorization(token))).map(this::findById).orElse(null);
        }
2.5.3 反序列问题 (重要)

再测试成功通过授权,页面报错500了,有错误信息就接着往下看。错误信息是反序列化问题,这个很重要也很麻烦

Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `org.springframework.security.oauth2.core.AuthorizationGrantType` (although at least one Creator exists): cannot deserialize from Object value (no delegate- or property-based Creator)
 at [Source: (String)"{"id":"70362044-b300-4845-a6ce-dc9a90e724d7","registeredClientId":"oauth2-client","principalName":"admin","authorizationGrantType":{"value":"authorization_code"},"authorizedScopes":[],"attributes":{"java.security.Principal":{"authorities":[{"authority":"user"}],"details":{"remoteAddress":"192.168.0.10","sessionId":"40EA09B3FBC4DB6BCC6A5D9EFC8ED54E"},"authenticated":true,"principal":{"id":1,"createBy":1,"createByName":"roshine","gmtCreate":"2022-08-20 17:42:08","modifyBy":1,"modifyByName":"roshin"[truncated 1088 chars]; line: 1, column: 133] (through reference chain: org.springframework.security.oauth2.server.authorization.OAuth2Authorization["authorizationGrantType"])

Jackson反序列化时需要对象的无参构造器,但是org.springframework.security.oauth2.core.AuthorizationGrantType又没有为我们提供,那就只能自定义反序列化器。

网上有这样一篇文章,介绍了两种方式自定义反序列器值得一看《Jackson 解决没有无参构造函数的反序列化问题》,官方也给我们定义了几个Module可以看看。
在这里插入图片描述

public class AuthorizationGrantTypeDeserializer extends StdDeserializer<AuthorizationGrantType> {

	@Serial
	private static final long serialVersionUID = 2884780317780523184L;
	public final ObjectMapper objectMapper = new ObjectMapper();

	public AuthorizationGrantTypeDeserializer() {
		super(AuthorizationGrantType.class);
	}

	@Override
	public AuthorizationGrantType deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
		Map<String, String> map = objectMapper.readValue(p, new TypeReference<>() {});
		return new AuthorizationGrantType(map.values().stream().findFirst().orElse(null));
	}

}
2.5.4 AuthorizationGrantTypeMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
public abstract class AuthorizationGrantTypeMixin {

    @JsonCreator
    AuthorizationGrantTypeMixin(@JsonProperty("value") String value) {
    }
}
2.5.5 OAuth2AccessTokenMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
public abstract class OAuth2AccessTokenMixin {

    @JsonCreator
    OAuth2AccessTokenMixin(@JsonProperty("tokenType") OAuth2AccessToken.TokenType tokenType,
                           @JsonProperty("tokenValue") String tokenValue,
                           @JsonProperty("issuedAt") Instant issuedAt,
                           @JsonProperty("expiresAt") Instant expiresAt,
                           @JsonProperty("scopes") Set<String> scopes) {
    }
}
2.5.6 OAuth2AuthorizationCodeMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
public abstract class OAuth2AuthorizationCodeMixin {

    @JsonCreator
    OAuth2AuthorizationCodeMixin(@JsonProperty("tokenValue") String tokenValue,
                                 @JsonProperty("issuedAt") Instant issuedAt,
                                 @JsonProperty("expiresAt") Instant expiresAt) {
    }
}
2.5.7 OAuth2RefreshTokenMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
public abstract class OAuth2RefreshTokenMixin {

    @JsonCreator
    OAuth2RefreshTokenMixin(@JsonProperty("tokenValue") String tokenValue,
                            @JsonProperty("issuedAt") Instant issuedAt,
                            @JsonProperty("expiresAt") Instant expiresAt) {
    }
}
2.5.8 TokenMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
public abstract class TokenMixin {

    @JsonCreator
    TokenMixin(@JsonProperty("token") OAuth2Token token,
               @JsonProperty("metadata") Map<String, Object> metadata) {
    }
}
2.5.9 TokenTypeMixin
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
public abstract class TokenTypeMixin {

    @JsonCreator
    TokenTypeMixin(@JsonProperty("value") String value) {
    }
}
2.5.10 OAuth2AuthorizationMixin

这里比较重要,OAuth2Authorization内部对象很复杂,通过简单的@JsonCreator已经无法实现,所以需要自定义OAuth2AuthorizationDeserializer

@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonDeserialize(using = OAuth2AuthorizationDeserializer.class)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
        isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
public abstract class OAuth2AuthorizationMixin {

}

public class OAuth2AuthorizationDeserializer extends JsonDeserializer<OAuth2Authorization> {

    private final RegisteredClientRepository registeredClientRepository;

    private static final TypeReference<Set<String>> SET_TYPE_REFERENCE = new TypeReference<>() {
    };

    private static final TypeReference<Map<String, Object>> MAP_TYPE_REFERENCE = new TypeReference<>() {
    };

    private static final TypeReference<AuthorizationGrantType> GRANT_TYPE_TYPE_REFERENCE = new TypeReference<>() {
    };

    public OAuth2AuthorizationDeserializer(RegisteredClientRepository registeredClientRepository) {
        this.registeredClientRepository = registeredClientRepository;
    }

    @Override
    public OAuth2Authorization deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException {
        ObjectMapper mapper = (ObjectMapper) jp.getCodec();
        JsonNode jsonNode = mapper.readTree(jp);

        Set<String> authorizedScopes = mapper.convertValue(jsonNode.get("authorizedScopes"), SET_TYPE_REFERENCE);
        Map<String, Object> attributes = mapper.convertValue(jsonNode.get("attributes"), MAP_TYPE_REFERENCE);
        Map<String, Object> tokens = mapper.convertValue(jsonNode.get("tokens"), MAP_TYPE_REFERENCE);
        AuthorizationGrantType grantType = mapper.convertValue(jsonNode.get("authorizationGrantType"), GRANT_TYPE_TYPE_REFERENCE);

        String id = readJsonNode(jsonNode, "id").asText();
        String registeredClientId = readJsonNode(jsonNode, "registeredClientId").asText();
        String principalName = readJsonNode(jsonNode, "principalName").asText();

        RegisteredClient registeredClient = registeredClientRepository.findById(registeredClientId);
        Assert.notNull(registeredClient, "Registered client must not be null");

        Builder builder = withRegisteredClient(registeredClient)
            .id(id)
            .principalName(principalName)
            .authorizationGrantType(grantType)
            .authorizedScopes(authorizedScopes)
            .attributes(map -> map.putAll(attributes));

        Optional.ofNullable(tokens.get(OAuth2AuthorizationCode.class.getName())).ifPresent(
            token -> addToken((Token) token, builder));
        Optional.ofNullable(tokens.get(OAuth2AccessToken.class.getName())).ifPresent(
            token -> addToken((Token) token, builder));
        Optional.ofNullable(tokens.get(OAuth2RefreshToken.class.getName())).ifPresent(
            token -> addToken((Token) token, builder));
        Optional.ofNullable(tokens.get(OidcIdToken.class.getName())).ifPresent(
            token -> addToken((Token) token, builder));

        return builder.build();
    }

    public void addToken(Token<OAuth2Token> token, Builder builder) {
        builder.token(token.getToken(), map -> map.putAll(token.getMetadata()));
    }

    private JsonNode readJsonNode(JsonNode jsonNode, String field) {
        return jsonNode.has(field) ? jsonNode.get(field) : MissingNode.getInstance();
    }
}

然后加入到RedisOAuth2AuthorizationService构造器中。

    public RedisOAuth2AuthorizationService(RegisteredClientRepository clientRepository) {
        this.clientRepository = clientRepository;
        objectMapper.registerModule(new OAuth2AuthorizationModule());
    }
2.5.11 OAuth2AuthorizationDeserializer内部对象没有无参构造器错误
Caused by: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Class com.roshine.authorization.deserializer.OAuth2AuthorizationDeserializer has no default (no arg) constructor
 at [Source: (String)"{"@class":"org.springframework.security.oauth2.server.authorization.OAuth2Authorization","id":"56b7e0b2-0366-49a6-899f-17bc3f0fe79f","registeredClientId":"oauth2-client","principalName":"admin","authorizationGrantType":{"@class":"org.springframework.security.oauth2.core.AuthorizationGrantType","value":"authorization_code"},"authorizedScopes":["java.util.Collections$UnmodifiableSet",[]],"tokens":{"@class":"java.util.Collections$UnmodifiableMap"},"attributes":{"@class":"java.util.Collections$Unmod"[truncated 2130 chars]; line: 1, column: 1]

说我们自定义的OAuth2AuthorizationDeserializer没有无参构造器,那尝试提供一个无参构造,就变成这样

private RegisteredClientRepository registeredClientRepository;

    private static final TypeReference<Set<String>> SET_TYPE_REFERENCE = new TypeReference<>() {
    };

    private static final TypeReference<Map<String, Object>> MAP_TYPE_REFERENCE = new TypeReference<>() {
    };

    private static final TypeReference<AuthorizationGrantType> GRANT_TYPE_TYPE_REFERENCE = new TypeReference<>() {
    };

    public OAuth2AuthorizationDeserializer() {}

    public OAuth2AuthorizationDeserializer(RegisteredClientRepository registeredClientRepository) {
        this.registeredClientRepository = registeredClientRepository;
    }
2.5.12 Collections$UnmodifiableSet is not in the allowlist.

此时没有再提示:OAuth2AuthorizationDeserializer has no default (no arg) constructor错误了,有了新的错误,接着往下。

Caused by: java.lang.IllegalArgumentException: The class with java.util.Collections$UnmodifiableSet and name of java.util.Collections$UnmodifiableSet is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

我们发现就是一些简单数据类型的反序列化失败,翻看github的issue,也翻看了一些文章说试着找找类加载器里有什么module,都加进来再试试。

    public RedisOAuth2AuthorizationService(RegisteredClientRepository clientRepository) {
        this.clientRepository = clientRepository;
        objectMapper.registerModule(new OAuth2AuthorizationModule());
        ClassLoader classLoader = this.getClass().getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
    }
2.5.13 java.util.HashSet is not in the allowlist

发现可以了,没有再提示UnmodifiableSet is not in the allowlist,提示了以下错误,也是常见数据类型反序列化失败,翻看源码发现给我们提供了一个OAuth2AuthorizationServerJackson2Module,里面就包含了我们需要的类型。

Caused by: java.lang.IllegalArgumentException: The class with java.util.HashSet and name of java.util.HashSet is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

在这里插入图片描述
加进来就变成了这样

    public RedisOAuth2AuthorizationService(RegisteredClientRepository clientRepository) {
        this.clientRepository = clientRepository;
        objectMapper.registerModule(new OAuth2AuthorizationModule());
        ClassLoader classLoader = this.getClass().getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
    }

很好,没有反序列化的报错了,但是又出现了新的报错。

Caused by: java.lang.NullPointerException: Cannot invoke "org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository.findById(String)" because "this.registeredClientRepository" is null

这一看就是我们上面加的OAuth2AuthorizationDeserializer加的无参构造器引起的,实例化对象的时候默认调用了无参构造器,导致我们的registeredClientRepository为null,所以不能添加无参构造器,但是不添加又会报OAuth2AuthorizationDeserializer内部对象没有无参构造器错误。查阅一些文章得到了解决方法。
这种方式为什么能解决这个问题还不是很清楚,希望有大佬看到这里能解解惑。
先把OAuth2AuthorizationDeserializer无参构造去掉,然后RedisOAuth2AuthorizationService构造器中添加AutowireCapableBeanFactory beanFactory。

    public RedisOAuth2AuthorizationService(RegisteredClientRepository clientRepository, AutowireCapableBeanFactory beanFactory) {
        this.clientRepository = clientRepository;
        objectMapper.registerModule(new OAuth2AuthorizationModule());
        ClassLoader classLoader = this.getClass().getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
        objectMapper.setHandlerInstantiator(new SpringHandlerInstantiator(beanFactory));
    }

    @Bean
    OAuth2AuthorizationService auth2AuthorizationService(RegisteredClientRepository registeredClientRepository, AutowireCapableBeanFactory beanFactory) {
        return new RedisOAuth2AuthorizationService(registeredClientRepository, beanFactory);
    }

2.6 最终达到目的

最终成功获取到授权码,然后就可以去拿我们的token了。
https://www.baidu.com/?code=DMtKb2nwpgNJy1a8DPzq68FqXFmnnePsb56nMJGEmMYGcW1Q5Y4zKgdNVLISfbiOGdV-LpRnt1W_WB6wwEElBwFGyBRfjxD5vDIYY4JpfGfOQjk7ezg-o3YaDBetPFiW&state=ok
在这里插入图片描述
这篇文章写的很长,本次实现断断续续持续了很长时间看起来可能有点乱希望可以耐心看。但是这是整套开发的必经过程。
如果发现有哪里不对或者能优化的还望不吝赐教。

2.7 源码地址

gitee源码地址

ReoShine
关注
  • 3
    点赞
  • 10
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
oauth2 spring-authorization-server OAuth2AuthorizationService支持redis
tof
10-21 2049
oauth2 spring-authorization-server OAuth2AuthorizationService redis
SpringSecurity OAuth2 Server 核心组件之OAuth2AuthorizationService,缓存Token就靠它了,但最好把它改造成Redis内核哦!
07-02 546
另一个是基于数据库的:JdbcOAuth2AuthorizationService(对并发量有影响,另外这些数据没必要持久保存)OAuth2AuthorizationService是用于存储和管理授权对象OAuth2Authorization。在很多地方,其它的相关组件都会用到它,例如,客户端身份验证、授权授予处理、令牌内省、令牌吊销、动态客户端注册等等。授权对象很容易理解,这个和一个bean对象差不多,主要包含clientId和对应的token数据。有任何问题都可以加我QQ:3218138121。
spring-security-oauth2-authorization-server.zip
08-25
本文以最简配置搭建一个授权服务,让大家初步了解授权服务及相关表。 token 存于数据库中 例子基于Spring Boot 2.1.7.RELEASE ,使用mysql数据库
浅析spring-security-oauth2-authorization-server
小东子的博客
06-07 4342
oauth2-authorization-server已做了很多封装处理, 在使用过程中, 我们主要关注这几个部分第一, 各种Converter或者我们自定义Converter, 如果自定义Converter通常需要自定义认证对象, 自定义Converter和认证对象都可以参考框架提供的, 如我们分析的ClientSecretBasicAuthenticationConverter和对应的认证对象OAuth2ClientAuthenticationToken第二, 各种Provider。
Spring Security 源码解读:OAuth2 Authorization Server
weixin_41866717的博客
02-15 2932
Spring Authorization Server刚发展不久,还没有springboot版本,而Resource Server有,但是两个底层很多不兼容,会重复引入不同版本的jar包。这里我将AuthorizationServer和ResourceServer分开实现,但是都用的是spring-security的依赖:
Spring Authorization Server入门 (十九) 基于RedisToken、客户端信息和授权确认信息存储
云逸的博客
10-29 1998
本文对应的是文档中的How-to: Implement core services with JPA,文档中使用Jpa实现了核心的三个服务类:授权信息、客户端信息和授权确认的服务;本文会使用Spring Data Redis参考文档来添加新的实现。在这里也放一下文档中的一句话: 本指南的目的是为您自己实现这些服务提供一个起点,以便您可以根据自己的需要进行修改。
SpringSecurity最新学习,spring-security-oauth2-authorization-serverspring-security-oauth2升级】
最新发布
小道仙的后宫
07-03 808
默认获取token是在 header中,还要拼接一个前缀 Bearer, 假如想改为从 url中获取 access_token, 只需要重写BearerTokenResolver// URI 中 Token 的参数名@Override// 从 URI 参数中获取 Token= null &&!上面的流程完成了授权和鉴权,但我们拿不到有用的参数,何为有用的参数比如: 用户的 userId不管是Opaque还是Jwt都可以在里面设置一些我们自己的参数——把参数放到 【claims】Opaque。
spring-security-oauth2详细配置demo
09-30
这个详细配置的Demo旨在帮助开发者理解并实现OAuth2在Spring Security中的应用。在这个Demo中,我们将探讨OAuth2的核心概念、Spring Security OAuth2的主要组件以及如何将它们整合到实际的应用中。 OAuth2是一种...
springboot-security-oauth2:SpringBoot集成Spring Security、OAuth2实现authorization code授权码模式
05-10
springboot-security-oauth2此SpringBoot项目集成Spring Security、OAuth2实现资源访问授权认证。支持client credentials、password、authorization code认证模式。项目默认最为复杂的authorization code授权码认证...
spring-boot-oauth2-demo
05-12
【标题】"spring-boot-oauth2-demo"是一个基于Spring Boot实现OAuth2授权服务的示例项目,旨在帮助开发者理解并应用OAuth2安全框架在实际开发中的工作原理和配置。 【描述】该项目展示了如何利用Spring Boot集成...
spring-security-oauth2spring-security-web 3.1.2 源码
11-28
接下来,`spring-security-oauth2`是Spring Security的扩展,专注于OAuth2协议的实现OAuth2是一种开放标准,用于授权第三方应用安全地访问资源服务器上的资源。在`spring-security-oauth2`中,主要组件包括: 1. ...
spring-security-oauth2
12-11
**Spring Security OAuth2 实现机制** OAuth2 是一个授权框架,允许第三方应用在用户的许可下访问其受保护的资源,而无需获取用户的用户名和密码。Spring Security OAuth2 是 Spring 生态系统中的一个组件,用于...
spring-security-oauth2-authorization-server(三)自定义登录页 + JDBC模式获取用户信息
weixin_42229668的博客
06-29 776
获取数据库用户登录,自定义登录页面,解决用户对象反序列化白名单问题
Spring Security 与 OAuth2(授权服务器)
chucan4529的博客
01-26 1126
Spring Security 与 OAuth2 authrization-server(授权服务器) 授权服务配置 配置一个授权服务,需要考虑 授权类型(GrantType)、不同授权类型为客户端(Client)提供了不同的获取令牌(Token)方式,每一个客户端(Client)都能够通...
spring-security-oauth2-authorization-server(一)SpringBoot3.1.3整合
weixin_42229668的博客
09-16 6471
因为SpringBoot3.x是目前最新的版本,整合spring-security-oauth2-authorization-server的资料很少,所以产生了这篇文章,主要为想尝试SpringBoot高版本,想整合最新的spring-security-oauth2-authorization-server的初学者,旨在为大家提供一个简单上手的参考,如果哪里写得不对或可以优化的还请大家踊跃评论指正。
Spring Security OAuth2 Redis模式下认证服务器
竹林幽深
10-16 382
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。 本文链接:https://blog.csdn.net/yaomingyang/article/details/96288878 1.种授权码模式 授权码模式 密码模式 客户端模式 简化模式 2.密码模式 http://localhost:9001/oauth/token?username=u...
Spring Security 解析(五) —— Spring Security Oauth2 开发
hopelgl的博客
04-20 1124
Spring Security 解析(五) —— Spring Security Oauth2 开发 在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决定先把Spring Security 、Spring Security Oauth2 等权限、认证相关的内容、原理及设计学习并整理一遍。本系列文章就是在学习的过程中加强印象和理解所撰写的,如有侵权请告知...
Spring Authorization Server优化篇:添加redis缓存支持和统一响应类
m0_71777195的博客
07-13 501
今天为大家展示一下如何使用Spring data redis来缓存项目中数据,在项目使用人数少的情况下使用HttpSession问题不大,但是当并发多了就顶不住了,基本都会选择一些NoSQL来做缓存,本人就选择了比较常用的redis来做缓存;关于统一响应类这个东西就是为了规范项目的响应值,方便前端对接接口,其它人对接接口时更轻松。
oauth2 jwt redis
09-29
JwtTokenEnhancer是一个用于增强OAuth2访问令牌的类。它实现TokenEnhancer接口,通过添加自定义拓展字段来增强令牌。在enhance方法中,它将自定义字段添加到OAuth2AccessToken对象的additionalInformation属性中。 OAuth2是一种开放标准,用于授权访问资源的框架。JWT(JSON Web Token)是OAuth2中常用的一种令牌类型,用于表示授权信息。JWT通常被用作OAuth2的访问令牌。 Redis是一种高性能的键值存储数据库,常用于缓存和会话管理。在OAuth2中,Redis可以用来存储和管理令牌的信息,以提高系统的性能和可扩展性。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值