Spring gateway + Oauth2实现单点登录及详细配置

场景:

按职能,鉴权系统需要划分 网关(spring gateway) + 鉴权(auth-server)。本文通过实践搭建鉴权系统。

spring gateway

首先引入pom依赖

1、resilience 熔断器
2、gateway 网关
3、eureka client 服务注册中心
4、lombok插件
5、actuator状态监控

<dependencies>
 <!--        熔断器-->
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-feign</artifactId>
            <version>1.1.0</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <!-- Gateway -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>

        <!-- 注册中心 -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
            <version>2.2.2.RELEASE</version>
        </dependency>

		<dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
</dependencies>

application.yml配置

1、gateway信息
2、actuator状态信息
3、配置eureka server地址及注册信息
4、日志配置
5、获取oauth2的jwt key

server:
  port: 18890
spring:
  application:
    name: open-api-gateway
  profiles:
    active: local
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
          lower-case-service-id: true
      globalcors:
        corsConfigurations:
          '[/**]':
            allowedOrigins: "*"
            allowedMethods: "*"
      default-filters:
        - AddRequestParameter=gateway_type, member
        - AddRequestHeader=gateway_type, member
management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    health:
      show-details: always

eureka:
  instance:
    prefer-ip-address: true
    instance-id: ${spring.cloud.client.ip-address}:${server.port}
  client:
    service-url:
      defaultZone: http://127.0.0.1:22001/eureka
logging:
  level:
    com.dq.edu: debug
    com:
      netflix:
        discovery: error
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://127.0.0.1:18889/auth-server/private/jwk_public_key

gateway 项目目录

核心内容:security配置、PermissionFilter鉴权过滤器

1、security配置

package com.digquant.openapigateway.config;

import com.digquant.openapigateway.entity.Response;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferFactory;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.nio.charset.Charset;

@Slf4j
@Configuration
@AllArgsConstructor
@EnableWebFluxSecurity
public class SecurityConfig {

    private final ReactiveJwtDecoder jwtDecoder;

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.cors().disable().csrf().disable();
        http
                .authorizeExchange()
                .pathMatchers("/**").permitAll()
                .pathMatchers("/**/public/**").permitAll()
                .pathMatchers("/**/static/**").permitAll()
                .pathMatchers("/*/oauth/**").permitAll()
                .pathMatchers("/actuator/**").permitAll()
                .pathMatchers(HttpMethod.OPTIONS).permitAll()
                .anyExchange().authenticated()
                .and()
                .exceptionHandling()
                .accessDeniedHandler(serverAccessDeniedHandler())
                .authenticationEntryPoint(serverAuthenticationEntryPoint())
                .and()
                .oauth2ResourceServer()
                .jwt()
                .jwtDecoder(jwtDecoder)
                .and()
                .bearerTokenConverter(new ServerBearerTokenAuthenticationConverter());
        return http.build();
    }

    @Bean
    public ServerAccessDeniedHandler serverAccessDeniedHandler() {
        return (exchange, denied) -> {
            log.debug("没有权限");
            String errMsg = StringUtils.hasText(denied.getMessage()) ? denied.getMessage() : "没有权限";
            Response result = new Response(1, errMsg);
            return create(exchange, result);
        };
    }

    @Bean
    public ServerAuthenticationEntryPoint serverAuthenticationEntryPoint() {
        return (exchange, e) -> {
            log.debug("认证失败");
            String errMsg = StringUtils.hasText(e.getMessage()) ? e.getMessage() : "认证失败";
            Response result = new Response(1, errMsg);
            return create(exchange, result);
        };
    }

    private Mono<Void> create(ServerWebExchange exchange, Response result) {
        return Mono.defer(() -> Mono.just(exchange.getResponse()))
                .flatMap(response -> {
                    response.getHeaders().setContentType(MediaType.APPLICATION_JSON_UTF8);
                    DataBufferFactory dataBufferFactory = response.bufferFactory();
                    DataBuffer buffer = dataBufferFactory.wrap(createErrorMsg(result));
                    return response.writeWith(Mono.just(buffer))
                            .doOnError(error -> DataBufferUtils.release(buffer));
                });
    }

    private byte[] createErrorMsg(Response result) {
        return result.getErrMsg().getBytes(Charset.defaultCharset());
    }
}

总结:

gateway是基于 WebFlux的响应式编程框架,所以在使用securityConfig时采用的注解是@EnableWebFluxSecurity

2、PermissionFilter

package com.digquant.openapigateway.filter;

import com.digquant.openapigateway.utils.IStrings;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

import java.util.Objects;

@Slf4j
@Order
@Component
@AllArgsConstructor
public class PermissionFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return ReactiveSecurityContextHolder.getContext()
                //排除没有Token的
                .filter(Objects::nonNull)
//                //检查该路径是否需要权限
//                .filter(var -> permissionStore.usingPermission(exchange.getRequest().getPath().value()))
                .map(SecurityContext::getAuthentication)
                .map(authentication -> (JwtAuthenticationToken) authentication)
                .doOnNext(jwtAuthenticationToken -> {
                    String path = exchange.getRequest().getPath().value();
                    log.info("请求 uri {}", path);
                })
                .map(AbstractOAuth2TokenAuthenticationToken::getPrincipal)
                .map(var -> (Jwt) var)
                .map(jwt -> {
                    String tokenValue = jwt.getTokenValue();
                    ServerHttpRequest.Builder builder = exchange.getRequest().mutate();
                    builder.header(HttpHeaders.AUTHORIZATION, IStrings.splice("Bearer ", tokenValue));
                    ServerHttpRequest request = builder.build();
                    return exchange.mutate().request(request).build();
                })
                .defaultIfEmpty(exchange)
                .flatMap(chain::filter);
    }
}

总结
1、使用permissionStore来记录uri的权限要求
2、获取到jwtToken时,处理token所携带的权限,用于匹配是否能请求对应资源

OAuth2 项目目录

pom依赖

1、eureka client
2、spring boot mvc
3、redis 用于存储jwt
4、mysql用于记录用户资源权限
5、oauth2组件
6、httpclient fregn用于用户登陆鉴权

 <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
            <version>2.2.2.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-redis</artifactId>
        </dependency>

        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.1</version>
        </dependency>
       <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.21</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.18</version>
        </dependency>

     <!--        oauth2-->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
            <version>2.2.0.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-security</artifactId>
            <version>2.2.0.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
            <version>5.2.2.RELEASE</version>
        </dependency>
 <!-- HttpClient -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
            <version>2.2.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>io.github.openfeign</groupId>
            <artifactId>feign-okhttp</artifactId>
            <version>10.9</version>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

    </dependencies>

应用配置

server:
  port: 37766
spring:
  application:
    name: auth-server
  mvc:
    throw-exception-if-no-handler-found: true
  profiles:
    active: dev

mybatis:
  mapper-locations: classpath:mapper/*.xml
  type-aliases-package: com.digquant.enity.po

logging:
  level:
    com:
      digquant:
        dao: info
  file:
    path: /dq/log/new/auth-server

digquant:
  authorization:
    auth-jwt-jks: hq-jwt.jks
    auth-jwt-key: hq-jwt
    auth-jwt-password: hq940313
    access-token-validity-seconds: 14400
    refresh-token-validity-seconds: 86400

1、AuthorizationServerConfig配置

package com.digquant.config;

import com.digquant.dao.CustomRedisTokenStore;
import com.digquant.enity.JWTProperties;
import com.digquant.enity.Response;
import com.digquant.service.OAuthUserService;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import java.io.IOException;

@Slf4j
@Configuration
@AllArgsConstructor
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final JWTProperties jwtProperties;

    /**
     * 注入权限验证控制器 支持 password grant type
     */
    private final AuthenticationManager authenticationManager;

    /**
     * 数据源
     */
    private final DataSource dataSource;

    /**
     * 开启refresh_token
     */
    private final OAuthUserService userService;

    /**
     * 采用redis 存储token
     */
    private final RedisConnectionFactory redisConnectionFactory;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients()
                .checkTokenAccess("permitAll()")
                .tokenKeyAccess("permitAll()")
                .authenticationEntryPoint(authenticationEntryPoint())
                .accessDeniedHandler(accessDeniedHandler());
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return (request, response, accessDeniedException) -> {
            Response result = new Response(1, accessDeniedException.getMessage());
            writerResponse(response, result, HttpStatus.FORBIDDEN.value());
        };
    }

    @Bean
    public AuthenticationEntryPoint authenticationEntryPoint() {
        return (request, response, authException) -> {
            Response result = new Response(1, authException.getMessage());
            writerResponse(response, result, HttpStatus.UNAUTHORIZED.value());
        };
    }

    private void writerResponse(HttpServletResponse response, Response result, int status) throws IOException {
        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        response.setCharacterEncoding("UTF-8");
        response.getWriter().print(result.getErrMsg());
        response.getWriter().flush();
    }

    @Bean("redisTokenStore")
    public TokenStore redisTokenStore() {
        return new CustomRedisTokenStore(redisConnectionFactory);
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setKeyPair(keyStoreKeyFactory().getKeyPair(jwtProperties.getAuthJwtKey()));
        return jwtAccessTokenConverter;
    }

    @Bean
    public KeyStoreKeyFactory keyStoreKeyFactory() {
        return new KeyStoreKeyFactory(new ClassPathResource(jwtProperties.getAuthJwtJks()), jwtProperties.getAuthJwtPassword().toCharArray());
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(redisTokenStore());
        defaultTokenServices.setTokenEnhancer(jwtAccessTokenConverter());
        defaultTokenServices.setSupportRefreshToken(true);
        defaultTokenServices.setReuseRefreshToken(false);
        defaultTokenServices.setAccessTokenValiditySeconds(jwtProperties.getAccessTokenValiditySeconds());
        defaultTokenServices.setRefreshTokenValiditySeconds(jwtProperties.getRefreshTokenValiditySeconds());
        return defaultTokenServices;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        //开启密码授权类型
        endpoints
                .authenticationManager(authenticationManager)
                //配置token存储方式
                .tokenStore(redisTokenStore())
                //需要额外配置,用于refres_token
                .userDetailsService(userService)
                //
                .tokenServices(tokenServices())
                .accessTokenConverter(jwtAccessTokenConverter())
                .exceptionTranslator(exceptionTranslator());
    }

    @Bean
    public WebResponseExceptionTranslator exceptionTranslator() {
        return exception -> {
            return ResponseEntity.status(HttpStatus.OK).body(new OAuth2Exception(exception.getMessage()));
        };
    }

    @Bean
    public ClientDetailsService clientDetails() {
        return new JdbcClientDetailsService(dataSource);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
//        clients.withClientDetails(clientDetails());
        clients.inMemory()
                .withClient("open_api")
                .authorizedGrantTypes("password","refresh_token")
                .authorities("USER")
                .scopes("read", "write")
                .resourceIds("auth-server")
                .secret(new BCryptPasswordEncoder().encode("digquant"));

    }
}

2、ResourceServerConfig 资源服务配置

package com.digquant.config;

import lombok.AllArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

@Order(6)
@Configuration
@AllArgsConstructor
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    private final AccessDeniedHandler accessDeniedHandler;

    private final AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
                .and().authorizeRequests()
                .antMatchers("/swagger-ui.html","/webjars/**").permitAll()
                .antMatchers("/oauth/**").permitAll()
                .antMatchers("/actuator/**").permitAll()
                .antMatchers("/").permitAll()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                .anyRequest().permitAll();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.authenticationEntryPoint(authenticationEntryPoint)
                .accessDeniedHandler(accessDeniedHandler)
                .resourceId("auth-server");
    }
}

3、SecurityConfig配置

package com.digquant.config;

import com.digquant.service.CustomAuthenticationProvider;
import com.digquant.service.OAuthUserService;
import lombok.AllArgsConstructor;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Order(7)
@Configuration
@EnableWebSecurity
@AllArgsConstructor
@AutoConfigureAfter(ResourceServerConfig.class)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final OAuthUserService userService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable();
        http.authorizeRequests()
                .antMatchers("/oauth/**").permitAll()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/actuator/**").permitAll()
                .antMatchers("/private/**").permitAll()
                .antMatchers("/").permitAll()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                .anyRequest().permitAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/favor.ico");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationProvider authenticationProvider() {
        CustomAuthenticationProvider provider = new CustomAuthenticationProvider()
                .setUserDetailsService(userService)
                .setPasswordEncoder(passwordEncoder());
        provider.setHideUserNotFoundExceptions(false);
        return provider;
    }

}

4、JwkController 用于gateway 请求jwt私钥

package com.digquant.controller;

import com.digquant.enity.JWTProperties;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import lombok.AllArgsConstructor;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.web.bind.annotation.*;

import java.security.interfaces.RSAPublicKey;
import java.util.Map;

@Api(tags = "jwk")
@RestController
@RequestMapping("/private")
@AllArgsConstructor
public class JwkController {
    private final KeyStoreKeyFactory keyStoreKeyFactory;

    private final JWTProperties jwtProperties;

    @ApiOperation("获取jwk")
    @PostMapping("/jwk_public_key")
    public Map<String, Object> getKey() {
        RSAPublicKey publicKey = (RSAPublicKey) keyStoreKeyFactory.getKeyPair(jwtProperties.getAuthJwtKey()).getPublic();
        RSAKey key = new RSAKey.Builder(publicKey).build();
        return new JWKSet(key).toJSONObject();
    }

}

注意私钥放到项目的resources目录下

5、用户鉴权服务,获取用户信息

package com.digquant.service;

import com.digquant.enity.to.AuthenticationTO;
import com.digquant.enums.LoginType;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;

import java.util.List;
import java.util.Map;

@Slf4j
@Component
public class OAuthUserService implements UserDetailsService {

    @Autowired(required = false)
    private List<OAuthUserProcessor> oAuthUserProcessors;

    public UserDetails loadUser(String username, UsernamePasswordAuthenticationToken authentication) {
        AuthenticationTO authenticationTO = new AuthenticationTO();
        authenticationTO.setUsername(username);
        authenticationTO.setPassword((String) authentication.getCredentials());

        Map map = (Map) authentication.getDetails();
        String scope = (String) map.get("scope");
        String grantType = (String) map.get("grant_type");
        String clientId = (String) map.get("client_id");

        authenticationTO.setScope(scope);
        authenticationTO.setGrantType(grantType);
        authenticationTO.setLoginType(LoginType.PASSWORD);
        authenticationTO.setClientId(clientId);

        if (log.isDebugEnabled()) {
            log.debug("请求认证参数:{}", authenticationTO);
        }
        if (!CollectionUtils.isEmpty(oAuthUserProcessors)) {
            //目前只支持客户端密码登录方式
            for (OAuthUserProcessor oAuthUserProcessor : oAuthUserProcessors) {
                if (oAuthUserProcessor.support(authenticationTO)) {
                    UserDetails userDetails = oAuthUserProcessor.findUser(authenticationTO);
                    //TODO 需要加载OpenApi用户的权限
                    loadAuthorities(userDetails, authenticationTO);
                    return userDetails;
                }
            }
        }
        throw new UsernameNotFoundException("用户不存在");
    }

    private void loadAuthorities(UserDetails userDetails, AuthenticationTO authenticationTO) {

    }

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        return null;
    }
}

获取token

refresh_token

到此这篇关于Spring gateway + Oauth2实现单点登录的文章就介绍到这了,更多相关Spring gateway Oauth2单点登录内容请搜索我们以前的文章或继续浏览下面的相关文章希望大家以后多多支持我们!

(0)

相关推荐

  • Spring Cloud Gateway 获取请求体(Request Body)的多种方法

    一.直接在全局拦截器中获取,伪代码如下 private String resolveBodyFromRequest(ServerHttpRequest serverHttpRequest){ Flux<DataBuffer> body = serverHttpRequest.getBody(); AtomicReference<String> bodyRef = new AtomicReference<>(); body.subscribe(buffer -> {

  • spring cloud gateway使用 uri: lb://方式配置时,服务名的特殊要求

    在gateway中配置uri配置有三种方式,包括 第一种:ws(websocket)方式: uri: ws://localhost:9000 第二种:http方式: uri: http://localhost:8130/ 第三种:lb(注册中心中服务名字)方式: uri: lb://brilliance-consumer 其中ws和http方式不容易出错,因为http格式比较固定,但是lb方式比较灵活自由.不考虑网关,只考虑服务时,服务名命名时比较自由,都能启动被访问,被注册到注册中心,但是如果

  • Springcloud GateWay网关配置过程图解

    一般为了不暴露自己的端口信息等,会选择架构一个网关在前面进行阻挡,起到保护的作用.附上一张工作示列图. 1.配置网关9527 gateway作为网关需要和其他的应用一样需要注册进eureka中进行管理,先创建应用gateway9527 pom文件,关键是gateway依赖 <dependencies> <dependency> <groupId>com.bai</groupId> <artifactId>cloud-api-common</

  • 解决spring cloud gateway 获取body内容并修改的问题

    之前写过一篇文章,如何获取body的内容. Spring Cloud Gateway获取body内容,不影响GET请求 确实能够获取所有body的内容了,不过今天终端同学调试接口的时候和我说,遇到了400的问题,报错是这样的HTTP method names must be tokens,搜了一下,都是说https引起的.可我的项目还没用https,排除了. 想到是不是因为修改了body内容导致的问题,试着不修改body的内容,直接传给微服务,果然没有报错了. 问题找到,那就好办了,肯定是我新构

  • Spring Cloud Gateway 使用JWT工具类做用户登录校验功能

    1. JWT测试 /** * @Auther: csp1999 * @Date: 2021/01/24/19:29 * @Description: JWT测试 */ public class JwtTest { /** * 创建Jwt令牌: * * JWT = 头部Header + 载荷playload + 签名signature */ @Test public void testCreateJwt() { // 构建jwt令牌 // 1.头部Header: 描述关于该JWT的最基本的信息,例如

  • Spring gateway + Oauth2实现单点登录及详细配置

    场景: 按职能,鉴权系统需要划分 网关(spring gateway) + 鉴权(auth-server).本文通过实践搭建鉴权系统. spring gateway 首先引入pom依赖 1.resilience 熔断器 2.gateway 网关 3.eureka client 服务注册中心 4.lombok插件 5.actuator状态监控 <dependencies> <!-- 熔断器--> <dependency> <groupId>io.github.

  • 使用Spring Security OAuth2实现单点登录

    1.概述 在本教程中,我们将讨论如何使用Spring Security OAuth和Spring Boot实现SSO - 单点登录. 我们将使用三个单独的应用程序: •授权服务器 - 这是中央身份验证机制 •两个客户端应用程序:使用SSO的应用程序 非常简单地说,当用户试图访问客户端应用程序中的安全页面时,他们将被重定向到首先通过身份验证服务器进行身份验证. 我们将使用OAuth2中的授权代码授权类型来驱动身份验证委派. 2.客户端应用程序 让我们从客户端应用程序开始;当然,我们将使用Sprin

  • 基于Security实现OIDC单点登录的详细流程

    目录 一.说明 二.OIDC核心概念 三.什么是IDToken 3.1.与JWT的AccessToken区别 3.2.与UserInfo端点的区别 四.OIDC单点登录流程 五.SpringSecurity实现 六.完整的demo下载地址 一.说明 本文主要是给大家介绍 OIDC 的核心概念以及如何通过对 Spring Security 的授权码模式进行扩展来实现 OIDC 的单点登录. OIDC 是 OpenID Connect 的简称,OIDC=(Identity, Authenticati

  • springboot oauth2实现单点登录实例

    我们见过的很多网站,容许使用第三方账号登录,他不需要关注用户信息,只需要用户拿到授权码就可以访问. oauth2是用来做三方登录的,他的授权方式有好几种,授权码模式.密码模式.隐式模式.客户端模式. oauth2认证的过程如下:一般我们请求一个需要登录的网站A,会提示我们使用第三方网站C的用户登录,我们登录,这时候需要我们授权,就是authorize,授权之后,会得到一个token,我们拿到这个token就可以访问这个网站A了.A网站不关心C网站的用户信息. springsecurity结合oa

  • Spring session实现共享单点登录案例过程解析

    一.项目构建 1.案例说明 本文主要演示单点登录功能,会贴出主要配置和代码以及必要解释,全部代码请参考git地址.session共享一个基本原则是将session存储在某个地方,所有的应用都可以访问,这里使用redis存储session.当应用需要认证时,先从redis读取用户信息. 2.基本配置 1)pom.xml <dependency> <groupId>org.springframework.session</groupId> <artifactId>

  • SpringSecurity OAuth2单点登录和登出的实现

    目录 1. 单点登录 1.1 使用内存保存客户端和用户信息 1.2 使用数据库保存客户端和用户信息 1.3 单点登录流程 1.3 JWT Token 2. 单点登出 3. 总结 参考: Spring Security OAuth 最新官方已经不再维护,以下内容只用于学习记录. GitHub:shpunishment/spring-security-oauth2-demo 1. 单点登录 单点登录即有多个子系统,有一个认证中心.当访问其中任意一个子系统时,如果发现未登录,就跳到认证中心进行登录,登

  • SpringBoot如何实现同域SSO(单点登录)

    单点登录,其实看起来不是很复杂,只是细节上的处理,单点区分有三种 同域SSO 同父域SSO 跨域的SSO 如何实现同域SSO? 个人理解:当用户登录访问demo1.lzmvlog.top时,同时具有访问demo2.lzmvlog.top的能力,即认证完成一次,可以访问所有系统. 实现方式:可以采用Cookie实现,即用户在访问一个系统时,携带认证颁发的信息,系统响应是否具有访问资格,否则跳转认证,也可以采用Session,即Session共享,校验访问用户是否具有有效的信息,提供访问资格 代码实

  • SpringSecurity OAtu2+JWT实现微服务版本的单点登录的示例

    目录 何为单点登录 认证中心 maven配置 用户登录逻辑 OAtuh2配置 配置服务中心 配置规则中心 请求模块 真实请求 一些小问题 何为单点登录 单点登录通俗的话来讲在微服务当中,在一个服务登录后就能免去另一个服务的登录操作,所谓单点登录. 就好像你在微博总网站里登录后,然后在微博里面的某一个模块点进去后,就发现这个模块竟然不用登录了,不是因为这个模块与主网站是一体的用一个SpringSecurity就可以搞定了,这里面的水深着呢!感兴趣更深这个SpringSecurity建议去看看图灵课

  • Spring Cloud OAuth2 实现用户认证及单点登录的示例代码

    OAuth 2 有四种授权模式,分别是授权码模式(authorization code).简化模式(implicit).密码模式(resource owner password credentials).客户端模式(client credentials),具体 OAuth2 是什么,可以参考这篇文章.(http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html) 本文我们将使用授权码模式和密码模式两种方式来实现用户认证和授权管理. OAuth2 其

  • 一个注解搞定Spring Security基于Oauth2的SSO单点登录功能

    目录 一.说明 二.原理说明 2.1. 同域单点登录 2.2. 跨域单点登录 2.3. 基于Oauth2的跨域单点登录流程 三.Spring Security实现 四.demo下载地址 一.说明 单点登录顾名思义就是在多个应用系统中,只需要登录一次,就可以访问其他相互信任的应用系统,免除多次登录的烦恼.本文主要介绍 同域 和 跨域 两种不同场景单点登录的实现原理,并使用 Spring Security 来实现一个最简单的跨域 SSO客户端 . 二.原理说明 单点登录主流都是基于共享 cookie

随机推荐