9.4 zuul+jwt+oauth2
The authentication service and the resource service are reused from the previous section (with one small modification, explained later), and the Eureka registry service comes from an earlier section. For the full code see GitHub: https://github.com/liucc0413/SpringCloudEureka/tree/jwt-oauthu2-zuul-security.
9.4.1 zuul
9.4.1.1 pom file
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <!-- spring security oauth2 -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <!-- spring cloud config client -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-config</artifactId>
    </dependency>
</dependencies>
9.4.1.2 bootstrap.yml
spring:
  application:
    name: zuul
  profiles:
    active: oauth
9.4.1.3 application-oauth.yml
server:
  port: 8085
eureka:
  instance:
    prefer-ip-address: false
  client:
    service-url:
      defaultZone: http://localhost:8086/eureka
spring:
  application:
    name: zuul
management:
  endpoints:
    web:
      exposure:
        include: routes
security:
  oauth2:
    client:
      access-token-uri: http://127.0.0.1:9092/oauth/token
      user-authorization-uri: http://127.0.0.1:9092/oauth/authorize
      client-id: client_1       # as configured on the authorization server
      client-secret: 123456     # as configured on the authorization server
    resource:
      jwt:
        key-value: 2344         # must be identical to the authorization service's signing key
zuul:
  sensitive-headers: [Cookie, Set-Cookie]   # must be written exactly like this; explained below
9.4.1.4 Startup class
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

@EnableZuulProxy
@SpringBootApplication
@EnableDiscoveryClient
public class ZuulApplication {
    public static void main(String[] args) {
        SpringApplication.run(ZuulApplication.class, args);
    }
}
9.4.1.5 WebSecurityConfigurerAdapter subclass annotated with @EnableOAuth2Sso
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableOAuth2Sso
@Configuration
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the SSO login endpoint and actuator endpoints stay open; everything else needs a session
                .antMatchers("/login", "/actuator/**")
                .permitAll()
                .anyRequest()
                .authenticated()
            .and()
            .csrf()
                .disable()
            .httpBasic();
    }
}
Notes:
1. zuul.sensitive-headers is a blacklist; its default is [Cookie, Set-Cookie, Authorization], meaning these headers are treated as sensitive and are not forwarded to downstream services. If the setting is not overridden, the access token obtained during authentication is never passed on to the downstream resource server. This setting is global.
2. It can also be configured per route, overriding the global value:
zuul:
  routes:
    auth:
      path: /auth/**
      sensitiveHeaders: Cookie,Set-Cookie
3. The value of resource.jwt.key-value must be identical to the one used by the authentication service (this is the premise of using a shared symmetric key).
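To make note 3 concrete, here is an added example that is not part of the original tutorial or its GitHub repository. It uses spring-security-jwt (the library that JwtAccessTokenConverter, configured by key-value, builds on) to sign a token with the page's key "2344" the way the authentication service does, then verifies it at the gateway with the same key and with a constructed mismatching key "wrong-key". The claim JSON is a constructed sample, not something the tutorial prints.

```java
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;

public class JwtKeyMismatchDemo {

    /** Sign a JSON payload with an HMAC key (HS256 via MacSigner), as the auth service does. */
    static String issueToken(String payloadJson, String signingKey) {
        Jwt jwt = JwtHelper.encode(payloadJson, new MacSigner(signingKey));
        return jwt.getEncoded();
    }

    /** Verify at the gateway with its configured key-value; returns the claims, or null if the signature fails. */
    static String verifyToken(String token, String gatewayKey) {
        try {
            return JwtHelper.decodeAndVerify(token, new MacSigner(gatewayKey)).getClaims();
        } catch (InvalidSignatureException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample claims, reusing the tutorial's client id, scope and user name
        String claims = "{\"client_id\":\"client_1\",\"scope\":[\"webclient\"],\"user_name\":\"user\"}";
        String token = issueToken(claims, "2344");   // key-value from application-oauth.yml

        System.out.println("same key  -> " + (verifyToken(token, "2344") != null ? "accepted" : "rejected"));
        System.out.println("other key -> " + (verifyToken(token, "wrong-key") != null ? "accepted" : "rejected"));
        // JwtHelper.decode(token) would parse the claims without checking the signature;
        // the gateway must always use the verifying call above.
    }
}
```

The second line prints "rejected": a gateway whose key-value differs from the authorization service's signing key cannot validate any token and every proxied request fails. Note also that with a shared symmetric key every service that can verify tokens can equally sign them, so the key should be distributed only to the services that truly need it.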
9.4.2 Modify the JWTOAuth2Config class of the resource service
// encoder is the PasswordEncoder bean already injected in this class in the previous section
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory().withClient("client_1").secret(encoder.encode("123456"))
        .redirectUris("http://localhost:8085/login")
        .autoApprove(true)
        .authorizedGrantTypes("client_credentials", "refresh_token", "password", "authorization_code", "implicit")
        .scopes("webclient");
}
Notes:
1. If redirectUris is not set, you get the error "error="invalid_grant", error_description="Invalid redirect: http://localhost:8085/login does not match one of the registered values."" or "Invalid_request", error_description="At least one redirect_uri must be registered with the client.""
2. "A redirect_uri can only be used by implicit or authorization_code grant types." means that authorizedGrantTypes does not include "authorization_code" and "implicit".
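The two notes above can be reproduced without starting the servers. The following added example (not code from the tutorial or its repository) calls Spring Security OAuth2's DefaultRedirectResolver directly, which is the class the /oauth/authorize endpoint uses to validate a client's redirect_uri, and feeds it four constructed client registrations: two that trigger the errors quoted in the notes, one with a registered URI that does not match, and the tutorial's working one. The hostname variant http://127.0.0.1:8085/login is a constructed mismatch.

```java
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;

public class RedirectUriCheckDemo {

    private static final DefaultRedirectResolver RESOLVER = new DefaultRedirectResolver();

    /** Returns the resolved redirect, or the OAuth2 error code and message the server would send back. */
    static String tryResolve(String requestedRedirect, ClientDetails client) {
        try {
            return "OK: " + RESOLVER.resolveRedirect(requestedRedirect, client);
        } catch (OAuth2Exception e) {
            return e.getOAuth2ErrorCode() + ": " + e.getMessage();
        }
    }

    /** Builds an in-memory client like the tutorial's client_1; grant types and redirect URIs are comma-separated. */
    static BaseClientDetails client(String grantTypes, String redirectUris) {
        return new BaseClientDetails("client_1", null, "webclient", grantTypes, null, redirectUris);
    }

    public static void main(String[] args) {
        String login = "http://localhost:8085/login";   // Zuul's SSO callback from the tutorial

        // 1. grant types without authorization_code/implicit -> "A redirect_uri can only be used by ..."
        System.out.println(tryResolve(login, client("client_credentials,password", login)));
        // 2. no redirect URI registered -> "At least one redirect_uri must be registered with the client."
        System.out.println(tryResolve(login, client("authorization_code", null)));
        // 3. registered URI differs from the requested one -> "Invalid redirect: ... does not match ..."
        System.out.println(tryResolve(login, client("authorization_code", "http://127.0.0.1:8085/login")));
        // 4. the tutorial's working registration
        System.out.println(tryResolve(login, client("authorization_code,implicit,refresh_token", login)));
    }
}
```

Only the last call prints "OK: http://localhost:8085/login". The strict comparison in case 3 is deliberate: the registered redirect URI is what stops an authorization code from being delivered to a callback the client never registered, so register the exact gateway login URL rather than loosening the match.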
9.4.3 Start and verify
1. Visit localhost:8085/auth/c1/test1 and enter the username and password (user/123456).