1、@EnableOAuth2Client:客戶端,提供OAuth2RestTemplate,用于客戶端訪問資源服務。?
簡要步驟:客戶端訪問資源->客戶端發現沒有資源訪問token->客戶端根據授權類型生成跳轉url->瀏覽器 302 到認證授權服務進行認證、授權。
2、@EnableOAuth2Sso:應用系統,使用遠端認證授權服務,替換應用自身的用戶登錄鑒權security邏輯,實現單點登錄功能。?
簡要步驟:訪問應用系統資源-> 應用系統發現未登錄-> 302 跳轉到登錄頁面(登錄頁面地址已經與獲取token邏輯自動關聯)-> 應用系統發現符合獲取token條件,根據授權類型拼裝url->302 跳轉到認證授權地址(認證授權服務提供)進行認證、授權。
3、@EnableAuthorizationServer:認證授權服務,提供用于獲取token,解析token相關功能,實現認證、授權功能。
具體見 Spring Security 文章目錄中的 Spring Cloud OAuth2 五種授權方式介紹。
4、@EnableResourceServer:資源服務,提供基于token的資源訪問功能。
<--認證服務器配置--> <dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-security</artifactId> </dependency><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-oauth2</artifactId> </dependency>
@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {@Autowiredprivate DataSource dataSource;@Autowiredprivate AuthenticationManager authenticationManager;@Autowiredprivate PasswordEncoder passwordEncoder;@Autowiredprivate RedisConnectionFactory redisConnectionFactory;@Autowiredprivate CodeStoreService codeStoreService;@Overridepublic void configure(AuthorizationServerSecurityConfigurer security) throws Exception {security.allowFormAuthenticationForClients().tokenKeyAccess("isAuthenticated()").checkTokenAccess("isAuthenticated()");}@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.jdbc(dataSource).passwordEncoder(passwordEncoder);}@Beanpublic JwtTokenStore jwtTokenStore() {return new JwtTokenStore(jwtAccessTokenConverter());}@Beanpublic RedisTokenStore redisTokenStore() {return new RedisTokenStore(redisConnectionFactory);}@Beanpublic AuthorizationServerTokenServices authorizationServerTokenServices() {DefaultTokenServices defaultTokenServices = new DefaultTokenServices();defaultTokenServices.setTokenStore(redisTokenStore());defaultTokenServices.setSupportRefreshToken(true);defaultTokenServices.setRefreshTokenValiditySeconds(30 * 60 * 1000);defaultTokenServices.setAccessTokenValiditySeconds(30 * 69 * 1000);return defaultTokenServices;}@Beanpublic JwtAccessTokenConverter jwtAccessTokenConverter() {ClassPathResource resource = new ClassPathResource("user.jks");KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(resource, "123456".toCharArray());JwtAccessTokenConverter jwtTokenConverter = new JwtAccessTokenConverter();jwtTokenConverter.setKeyPair(keyStoreKeyFactory.getKeyPair("xm"));return jwtTokenConverter;}@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints.allowedTokenEndpointRequestMethods(HttpMethod.POST);endpoints.authenticationManager(authenticationManager);//endpoints.accessTokenConverter(jwtAccessTokenConverter());endpoints.tokenServices(authorizationServerTokenServices());endpoints.authorizationCodeServices(codeStoreService);}
}
spring security 的配置文件
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate PasswordEncoder passwordEncoder;@Autowiredprivate CustomUserDetailsService userDetailsService;@Autowiredprivate SuccessAuthentication successAuthentication;@Autowiredprivate FailureAuthentication failureAuthentication;@Autowiredprivate UnauthorizedEntryPoint unauthorizedEntryPoint;@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);}@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}@Overridepublic void configure(WebSecurity web) {web.ignoring().mvcMatchers("/assets/**", "/css/**", "/images/**");}@Overrideprotected void configure(HttpSecurity http) throws Exception {/*http.csrf().disable();http.authorizeRequests().antMatchers( "/oauth/token", "/check/token").permitAll();http.authorizeRequests().antMatchers("/success").hasRole("USER").antMatchers("/success").hasRole("ADMIN").antMatchers("/user/r1").hasRole("USER").antMatchers("/user/r2").hasRole("ADMIN").antMatchers("/user/p1").hasAuthority("p1").antMatchers("/user/p2").hasAuthority("p2").anyRequest().authenticated().and().formLogin().loginPage("/login").successForwardUrl("/success").and().exceptionHandling().accessDeniedHandler(new CustomAccessDecisionHandler()).and().httpBasic();*/http.csrf().disable();http.formLogin().loginPage("/login")//.successHandler(successAuthentication)//.failureHandler(failureAuthentication).and().authorizeRequests().antMatchers("/login").permitAll().anyRequest().authenticated().and()/*.exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint).and()*/.rememberMe(remember ->remember.rememberMeParameter("remember-me").rememberMeCookieName("remember-me").tokenValiditySeconds(30 * 1000).userDetailsService(userDetailsService));}
}
資源服務器使用spring-boot-starter-oauth2-client
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.security.oauth.boot</groupId><artifactId>spring-security-oauth2-autoconfigure</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-oauth2-client</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-oauth2-resource-server</artifactId></dependency><dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-springsecurity5</artifactId><version>3.0.4.RELEASE</version> </dependency>
spring.security.oauth2.client.registration.user.provider=user spring.security.oauth2.client.registration.user.client-id=user-service spring.security.oauth2.client.registration.user.client-secret=root spring.security.oauth2.client.registration.user.authorization-grant-type=authorization_code spring.security.oauth2.client.registration.user.redirect-uri=http://localhost:9091/login spring.security.oauth2.client.registration.user.scope=all spring.security.oauth2.client.provider.user.authorization-uri=http://localhost:9091/oauth/authorize spring.security.oauth2.client.provider.user.token-uri=http://localhost:9091/oauth/token spring.security.oauth2.client.provider.user.user-info-uri=http://localhost:9091/oauth2/userinfo spring.security.oauth2.client.provider.user.user-name-attribute=sub spring.security.oauth2.client.provider.user.jwk-set-uri=http://localhost:9091/oauth/token_key spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9091/oauth/token_key
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().anyRequest().authenticated();http.oauth2ResourceServer(oauth2->oauth2.jwt());// 改成oauth2Login 就是oauth 登錄}
}
參考資料
https://www.cnblogs.com/atwood-pan/p/17787904.html
OAuth2 - @EnableResourceServer vs @EnableOAuth2Sso | Baeldung
Spring-Security-OAuth2-Client | zyc的博客
spring oauth2實現單點登錄,Vue+spring boot+oauth2前后端分離 - 簡書
(二)、Spring Security OAuth2 四個常用注解說明_oauth2clientcontext是什么-CSDN博客
https://www.cnblogs.com/atwood-pan/p/17787904.html
springsecurity oauth2實現前后端分離項目的SSO技術點總結_spring outh2 前后端分離-CSDN博客
【Spring Security OAuth2 Client】基本介紹以及定制開發_spring-boot-starter-oauth2-client-CSDN博客
springboot整合Oauth2_spring-boot-starter-oauth2-client-CSDN博客
https://www.cnblogs.com/simpleito/p/15786122.html
自定義grant_type 以及第三方登錄。
總之,這個東西比較復雜,暫且放過
?
和with是干嘛的)
(十))
