1. 程式人生 > >Spring Security Oauth2 示例

Spring Security Oauth2 示例

所有示例的依賴如下(均是SpringBoot專案)

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-jwt</artifactId>
    </dependency>
</dependencies>

一、ResourceServer(資源伺服器)

application.yml

server:
  port: 8082
  context-path: /resourceserver

啟動類

@SpringBootApplication
public class ResourceServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(ResourceServerApplication.class, args);
    }
}

TestController.java(暴露RESTful介面)

@RestController
public class TestController {

    @GetMapping("/product/{id}")
    public String product(@PathVariable String id) {
        return "product id : " + id;
    }

    @GetMapping("/order/{id}")
    public String order(@PathVariable String id) {
        return "order id : " + id;
    }

    @GetMapping("/pomer/{id}")
    public String pomer(@PathVariable String id) {
        return "pomer id : " + id;
    }
}

配置類 ResourceServerConfig(配置JWT形式的token)

@EnableResourceServer
@Configuration
public class ResourceServerConfig {

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("123");
        return converter;
    }
}

配置類 MyResourceServerConfigurer(配置訪問許可權)

@Configuration
public class MyResourceServerConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/product/**").permitAll()
                .antMatchers("/order/**").authenticated()
                .antMatchers("/pomer/**").access("#oauth2.hasScope('read_profile') and hasAuthority('ADMIN')");
    }
}

二、AuthorizationServer 授權伺服器(授權碼模式,authorization code)

application.yml

server:
  port: 8081
  context-path: /authorizationserver

啟動類

@SpringBootApplication
public class AuthorizationServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthorizationServerApplication.class, args);
    }
}

配置類 AuthorizationServerConfig(配置JWT形式的token)

@EnableAuthorizationServer
@Configuration
public class AuthorizationServerConfig {

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("123");
        return converter;
    }
}

配置類 MyAuthorizationServerConfigurer

@Configuration
public class MyAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private TokenStore tokenStore;
    @Autowired
    private JwtAccessTokenConverter jwtAccessTokenConverter;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .accessTokenConverter(jwtAccessTokenConverter)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")
                .secret("123456")
                .redirectUris("http://localhost:9000/callback")
                .authorizedGrantTypes("authorization_code")
                .scopes("read_profile", "read_contacts");
    }
}

配置類 MyWebSecurityConfigurerAdapter(配置使用者名稱密碼)

@Configuration
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("123456").authorities("USER").and()
                .withUser("admin").password("123456").authorities("USER", "ADMIN");
    }
}

開始測試!開啟瀏覽器訪問:

http://localhost:8081/authorizationserver/oauth/authorize?client_id=clientApp&redirect_uri=http://localhost:9000/callback&response_type=code&scope=read_profile

顯示登入頁面,輸入使用者名稱密碼,返回重定向302(授權碼位於引數部分)

http://localhost:9000/callback?code=EWfpi5

根據授權碼,請求令牌:

>  curl -X POST --user clientApp:123456 http://localhost:8081/authorizationserver/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&redirect_uri=http://localhost:9000/callback&scope=read_profile&code=EWfpi5"

# clientApp:123456 經Base64編碼得 'Y2xpZW50QXBwOjEyMzQ1Ng=='
POST /authorizationserver/oauth/token HTTP/1.1
Host: localhost:8081
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y2xpZW50QXBwOjEyMzQ1Ng==
Cache-Control: no-cache
Postman-Token: c6c182c7-5df1-46ea-9cb7-130ff250c93c

code=F4QesT&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Fcallback&scope=read_profile

得到令牌:

{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDE4NTExMTYsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJVU0VSIl0sImp0aSI6ImMyYzQ4YTc0LWI4MjUtNGNlYS05NGU3LTMyM2VlN2Q4NTk2ZCIsImNsaWVudF9pZCI6ImNsaWVudEFwcCIsInNjb3BlIjpbInJlYWRfcHJvZmlsZSJdfQ.Oc1TN7fMPgNVXX7k8dEw0QqosD7ZKQ198c-Qa2l1Gho",
"token_type":"bearer",
"expires_in":43199,
"scope":"read_profile",
"jti":"c2c48a74-b825-4cea-94e7-323ee7d8596d"
}

根據令牌請求資源

> curl http://localhost:8082/resourceserver/order/12 -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDE4NTExMTYsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJVU0VSIl0sImp0aSI6ImMyYzQ4YTc0LWI4MjUtNGNlYS05NGU3LTMyM2VlN2Q4NTk2ZCIsImNsaWVudF9pZCI6ImNsaWVudEFwcCIsInNjb3BlIjpbInJlYWRfcHJvZmlsZSJdfQ.Oc1TN7fMPgNVXX7k8dEw0QqosD7ZKQ198c-Qa2l1Gho"

GET /resourceserver/order/12 HTTP/1.1
Host: localhost:8082
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDE4NTExMTYsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJVU0VSIl0sImp0aSI6ImMyYzQ4YTc0LWI4MjUtNGNlYS05NGU3LTMyM2VlN2Q4NTk2ZCIsImNsaWVudF9pZCI6ImNsaWVudEFwcCIsInNjb3BlIjpbInJlYWRfcHJvZmlsZSJdfQ.Oc1TN7fMPgNVXX7k8dEw0QqosD7ZKQ198c-Qa2l1Gho
Cache-Control: no-cache
Postman-Token: 913a8844-1308-47d8-afa3-a9f288323c20

返回資源

order id : 12

附:/product/* 允許任何人訪問,/order/* 需要使用者認證,而 /pomer/* 只允許擁有ADMIN許可權的admin使用者訪問,測試有效

三、AuthorizationServer 授權伺服器(簡化模式,implicit)

只修改配置類 MyAuthorizationServerConfigurer,其餘程式碼不變

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")
                .secret("123456")
                .redirectUris("http://localhost:9000/callback")
                .authorizedGrantTypes("implicit")
                .scopes("read_profile","read_contacts");
    }

開始測試!開啟瀏覽器訪問:

http://localhost:8081/authorizationserver/oauth/authorize?client_id=clientApp&redirect_uri=http://localhost:9000/callback&response_type=token&scope=read_profile&state=xyz

顯示登入頁面,輸入使用者名稱密碼,返回重定向302(令牌位於hash部分):

http://localhost:9000/callback#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDE4NjMxNjMsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJVU0VSIl0sImp0aSI6ImQ2MzYxYzZjLTIyZWYtNDU2ZC1iOGJhLWY4ZTE5MzMwMTBmOSIsImNsaWVudF9pZCI6ImNsaWVudEFwcCIsInNjb3BlIjpbInJlYWRfcHJvZmlsZSJdfQ.BRwtzF2rFc6w8WECqYETZbkCSDdoOzKdF4Zm_SAZuao&token_type=bearer&state=xyz&expires_in=119&jti=d6361c6c-22ef-456d-b8ba-f8e1933010f9

得到令牌,後續請求資源相同,不再重複敘述

四、AuthorizationServer 授權伺服器(密碼模式,resource owner password credentials)

修改配置類 MyAuthorizationServerConfigurer

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")
                .secret("123456")
                .authorizedGrantTypes("password")
                .scopes("read_profile", "read_contacts");
    }

在預設情況下 AuthorizationServerEndpointsConfigurer 配置沒有開啟密碼模式,只有配置了 authenticationManager 才會開啟密碼模式,如下

在 MyWebSecurityConfigurerAdapter.java 新增一段程式碼(配置 authenticationManager Bean)

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

在 MyAuthorizationServerConfigurer.java 新增一段程式碼(令 AuthorizationServerEndpointsConfigurer 設定 authenticationManager)

    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private TokenStore tokenStore;
    @Autowired
    private JwtAccessTokenConverter jwtAccessTokenConverter;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore)
                .accessTokenConverter(jwtAccessTokenConverter)
                .authenticationManager(authenticationManager);
    }

開始測試!請求令牌

>  curl -X POST --user clientApp:123456 http://localhost:8081/authorizationserver/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&scope=read_profile&username=user&password=123456"

得到令牌:

{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDE5MDk4MTcsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJVU0VSIl0sImp0aSI6ImJhZDk1OTI0LTdkYTgtNDUyMy05YzZkLTBkNzY3NTlmYjQ1NiIsImNsaWVudF9pZCI6ImNsaWVudEFwcCIsInNjb3BlIjpbInJlYWRfcHJvZmlsZSJdfQ.gO5_kl8_OBRnj2Dt5glflXAIJrbyioYXezV-ZQ8BxL4",
"token_type":"bearer",
"expires_in":43199,
"scope":"read_profile",
"jti":"bad95924-7da8-4523-9c6d-0d76759fb456"
}

得到令牌,後續請求資源相同,不再重複敘述

五、AuthorizationServer 授權伺服器(客戶端模式,client credentials)

只修改配置類 MyAuthorizationServerConfigurer,其餘程式碼不變

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("clientApp")
                .secret("123456")
                .authorizedGrantTypes("client_credentials")
                .scopes("read_profile", "read_contacts");
    }

開始測試!請求令牌

>  curl -X POST --user clientApp:123456 http://localhost:8081/authorizationserver/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&scope=read_profile"

得到令牌:

{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJyZWFkX3Byb2ZpbGUiXSwiZXhwIjoxNTQxOTEwOTEzLCJqdGkiOiI5MDVjNzc2OS1lNGQ2LTQxYTItYjcyMC1jYzliZWZjYzE5MDQiLCJjbGllbnRfaWQiOiJjbGllbnRBcHAifQ.c6UiHxbCdioCklkCqkLsCG6C8KHwwzajlPka6ut5MJs",
"token_type":"bearer",
"expires_in":43199,
"scope":"read_profile",
"jti":"905c7769-e4d6-41a2-b720-cc9befcc1904"
}

得到令牌,後續請求資源相同,不再重複敘述