前面已经介绍了JWT,接下来进入实战环节
1. 生成密钥证书 下边命令生成密钥证书,采用RSA 算法每个证书包含公钥和私钥
创建一个文件夹,在该文件夹下执行如下命令行:
keytool -genkeypair -alias kaikeba -keyalg RSA -keypass kaikeba -keystore kaikeba.jks -storepass kaikeba
-alias:密钥的别名
-keyalg:使用的hash算法
-keypass:密钥的访问密码
-keystore:密钥库文件名
-storepass:密钥库的访问密码
当你直接复制然后cmd执行命令的时候,可能会这样
哈哈,问题不大,这时候我们执行目录改到jre下面。
这时候已经出来了。
2. 查询证书信息
keytool -list -keystore kaikeba.jks
这样就没问题了。
3. 导出公钥
openssl是一个加解密工具包,这里使用openssl来导出公钥信息。
安装 openssl:http://slproweb.com/products/Win32OpenSSL.html
安装并且配置好环境变量之后,执行下面的命令
keytool -list -rfc --keystore kaikeba.jks | openssl x509 -inform pem -pubkey
下面段内容是公钥
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhkw5XroxnOLSSakPjNvd
3QxV6Vr/cUXq+0xYDEKA3L7oxdHQP/BZMkHr63R14GsL24B3UtLMAlv/3xua5aE7
rJ54SX9h8i6yxhUb83qRU4rMU749goMazGOr3xaGXV7oXc3qYrKrGqP/Kzpeomsw
FrYCJyVLkR4e5vwM/i6fbpQmVhxFOZSeekYOkCsL71oCtKcXMHMswGRt+xbCLgM/
414SSJoX4EUSnUUaQPm7fi7nxLea/VSLlBuPhln2UR3xr4Zi1jlhIgKp/dMYMdQy
Nm3THt+0CtDgelEkH+rVhpjFso1kTTV36+qP3UMSI0ekXAiEEVtpN3kLEmYqkvbO
yQIDAQAB
-----END PUBLIC KEY-----
将上边的公钥拷贝到文本public.key文件中,放到资源服务器中。
测试是否能够生成密钥
//生成一个jwt令牌
@Test
public void testCreateJwt() throws Exception {
//证书文件
String key_location = "kaikeba.jks";
//密钥库密码
String keystore_password = "kaikeba";
//访问证书路径
ClassPathResource resource = new ClassPathResource(key_location);
//密钥工厂
KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(resource, keystore_password.toCharArray());
//密钥的密码,此密码和别名要匹配
String keypassword = "kaikeba";
//密钥别名
String alias = "kaikeba";
//密钥对(密钥和公钥)
KeyPair keyPair = keyStoreKeyFactory.getKeyPair(alias, keypassword.toCharArray());
//私钥
RSAPrivateKey aPrivate = (RSAPrivateKey) keyPair.getPrivate();
//定义payload信息
Map<String, Object> tokenMap = new HashMap<String, Object>();
tokenMap.put("id", "123");
tokenMap.put("name", "malong");
tokenMap.put("roles", "r01,r02");
tokenMap.put("ext", "1");
//生成jwt令牌
Jwt jwt = JwtHelper.encode(new ObjectMapper().writeValueAsString(tokenMap), new RsaSigner(aPrivate));
//取出jwt令牌
String token = jwt.getEncoded();
System.out.println(token);
}
校验合法性以及解码
//资源服务使用公钥验证jwt的合法性,并对jwt解码
@Test
public void testVerify() {
//jwt令牌
String token
= "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHQiOiIxIiwicm9sZXMiOiJyMDEscjAyIiwibmFtZSI6Im1hbG9uZyIsImlkIjoiMTIzIn0.fjwhLSoiDk_zpyQMueBwYHbb5O5DMuvRghhxW9eZaH4qV6PHYtagEyrjSEjKiWnppqPrMn0hE1oTOVhMpRAYKGofUXJ2e04274b8YT6x6k9YC-s4bj9bckt74iGxqgslRHz0x9Zs7vK2EsywB23cNR-h6ZQyoEbPpsjwN6Knrwuv_YvxnUw6ZgGpg7QO0KRTUgNiytPaSABLZUETZQvU8ZTLCB_uwT5dkv4Si8J6107eZhzMYwvGawKtrmsG7M2iaMmegzSh6YRyX_FNjowW_L8fRobk3wbCR_VNgKVL5UU0B_XWurt2OoCH9xAjzSH6xZbJazQ1gpqXn05YAG05Wg";
//公钥
String publickey = "-----BEGIN PUBLIC KEY-----\n" +
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhkw5XroxnOLSSakPjNvd\n" +
"3QxV6Vr/cUXq+0xYDEKA3L7oxdHQP/BZMkHr63R14GsL24B3UtLMAlv/3xua5aE7\n" +
"rJ54SX9h8i6yxhUb83qRU4rMU749goMazGOr3xaGXV7oXc3qYrKrGqP/Kzpeomsw\n" +
"FrYCJyVLkR4e5vwM/i6fbpQmVhxFOZSeekYOkCsL71oCtKcXMHMswGRt+xbCLgM/\n" +
"414SSJoX4EUSnUUaQPm7fi7nxLea/VSLlBuPhln2UR3xr4Zi1jlhIgKp/dMYMdQy\n" +
"Nm3THt+0CtDgelEkH+rVhpjFso1kTTV36+qP3UMSI0ekXAiEEVtpN3kLEmYqkvbO\n" +
"yQIDAQAB\n" +
"-----END PUBLIC KEY-----";
//校验jwt
Jwt jwt = JwtHelper.decodeAndVerify(token, new RsaVerifier(publickey));
//获取jwt原始内容
String claims = jwt.getClaims();
System.out.println(claims);
try {
Map<String, String> map = new ObjectMapper().readValue(claims, Map.class);
System.out.println(map.get("user_name"));
} catch (IOException e) {
e.printStackTrace();
}
}
搭建授权中心工程
@SpringBootApplication
@EnableDiscoveryClient
@EnableFeignClients
@EnableCircuitBreaker
public class AuthApplication {
public static void main(String[] args) {
SpringApplication.run(AuthApplication.class, args);
}
}
OAuth2配置类
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import javax.sql.DataSource;
import java.util.concurrent.TimeUnit;
/**
* @author 11658
*/
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
final
AuthenticationManager authenticationManager;
private final DataSource dataSource;
public AuthorizationServerConfiguration(@Qualifier("authenticationManagerBean") AuthenticationManager authenticationManager,
DataSource dataSource) {
this.authenticationManager = authenticationManager;
this.dataSource = dataSource;
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
//证书路径和密钥库密码
KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("kaikeba.jks"), "kaikeba".toCharArray());
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
//密钥别名
converter.setKeyPair(keyStoreKeyFactory.getKeyPair("kaikeba"));
return converter;
}
@Bean
public ClientDetailsService clientDetailsService() {
return new JdbcClientDetailsService(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//配置通过表oauth_client_details,读取客户端数据
clients.withClientDetails(clientDetailsService());
}
/**
* 配置token service和令牌存储方式(tokenStore
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
//tokenStore
endpoints.tokenStore(tokenStore()).tokenEnhancer(jwtAccessTokenConverter()).authenticationManager(authenticationManager);
//tokenService
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(endpoints.getTokenStore());
tokenServices.setSupportRefreshToken(false);
tokenServices.setClientDetailsService(endpoints.getClientDetailsService());
tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer());
tokenServices.setAccessTokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30));
// 30天
endpoints.tokenServices(tokenServices);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
// 允许表单认证
security.allowFormAuthenticationForClients()
//放行oauth/token_key(获得公钥)
.tokenKeyAccess("permitAll()")
.checkTokenAccess("permitAll()");
}
}
Spring Security配置类
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
/**
* 注入自定义UserDetailService,读取rbac数据
*/
private final UserDetailsService userDetailsService;
public SecurityConfiguration(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers().anyRequest()
//开放/oauth/开头的所有请求
.and().authorizeRequests().antMatchers("/oauth/**").permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//注入自定义的UserDetailsService,采用BCrypt加密
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
}
UserDetailsService
搭建资源中心
- JwtConfig
创建TokenStore配置使用公钥验证令牌
@Configuration
public class JwtConfig {
public static final String public_cert = "public.key";
@Autowired
private JwtAccessTokenConverter jwtAccessTokenConverter;
@Bean
@Qualifier("tokenStore")
public TokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter);
}
@Bean
protected JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
Resource resource = new ClassPathResource(public_cert);
String publicKey;
try {
publicKey = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
}catch (IOException e) {
throw new RuntimeException(e);
}
// 设置校验公钥
converter.setVerifierKey(publicKey);
// 设置证书签名密码,否则报错
converter.setSigningKey("kaikeba");
return converter;
}
}
- ResourceServerConfiguration
配置资源服务器
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
// .antMatchers("/**").permitAll();
.antMatchers("/user/**").permitAll()
.antMatchers("/book/**").hasRole("ADMIN") //用于测试
.antMatchers("/**").authenticated();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenStore(tokenStore);
}
}
权限控制
Spring Security中定义了四个支持权限控制的表达式注解,分别是
● @PreAuthorize
● @PostAuthorize
● @PreFilter和
● @PostFilter
其中前两者可以用来在方法调用前或者调用后进行权限检查,后两者可以用来对集合类型的参数或者返回值进行过滤。在需要控制权限的方法上,我们可以添加@PreAuthorize注解,用于方法执行前进行权限检查,校验用户当前角色是否能访问该方法。
- EnableGlobalMethodSecurity
使用上述注解控制权限需要设置
@EnableGlobalMethodSecurity(prePostEnabled = true)
** 控制权限方式**
(1)全局代码控制
(2)注解控制
(3)权限测试
使用Postman测试,分别获得管理员和刘国梁的令牌,其中管理员用户属于ADMIN角色,刘国梁不属于USER角色,这时使用刘国梁用户的令牌访问上述请求,会被拒绝
注意:此时关闭授权中心,可以看到资源中心依然可以使用JWT实现授权控制,说明使用资源中心在使用公钥验证令牌
如果希望一个方法能被多个角色访问,使用@PreAuthorize(“hasAnyAuthority(‘admin’,‘user’)”)