当前位置：首页>編程日記>正文

使用SpringSecurity 实现 OAuth2 资源服务器认证服务器分离（注册码模式）

編程日記08-29

使用SpringSecurity 实现 OAuth2 资源服务器认证服务器分离（注册码模式）

前言

要解决的问题：不暴露客户密码的情况下授权三方服务访问客户资源

角色：资源拥有者，客户端应用（三方服务），授权服务器，资源服务器

模式：授权码模式：需要客户授权得到授权码后再次通过三方服务的密码取得token，双重校验，最安全，最复杂

简易模式：无需授权码对用户暴露返回的Token，不安全

密码模式：客户端应用需要资源拥有者密码。全链路可信情况下使用

客户端模式：无需资源拥有者密码，只需要客户端应用密码进行校验，服务器对服务器使用

本试验主要演示注册码模式，分为授权服务器和资源服务器俩个应用，后续会持续扩展为单个授权服务器和多个资源服务器。

试验步骤

按照以下截图创建授权服务器，授权服务器包结构如下

1 使用pom文件导入相应依赖，主要导入了以下依赖包

1）SpringBoot的security和web，

2）SpringSecurity的OAuth2

pom文件如下

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>io.spring2go</groupId><artifactId>authcode-server</artifactId><version>0.0.1-SNAPSHOT</version><packaging>jar</packaging><name>authcode-server</name><description>Demo project for Spring Boot</description><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.5.10.RELEASE</version><relativePath /> <!-- lookup parent from repository -->
    </parent><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version></properties><dependencies> <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><!-- for OAuth 2.0 --><dependency><groupId>org.springframework.security.oauth</groupId><artifactId>spring-security-oauth2</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>

2 修改application.properties设置用户登录密码

# Spring Security Setting
security.user.name=bobo
security.user.password=xyz

3 制作SpringBoot的启动文件

package com.test.authcodeserver;import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;@SpringBootApplication
public class AuthCodeServerApplication {public static void main(String[] args) {SpringApplication.run(AuthCodeServerApplication.class, args);}
}

4 设置授权服务代码

package com.test.authcodeserver.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;@Configuration
@EnableAuthorizationServer
public class AuthCodeServerConfig extends AuthorizationServerConfigurerAdapter {


    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");}@Override
    public void configure(ClientDetailsServiceConfigurer clients)throws Exception {//JdbcClientDetailsService可以动态管理数据库中客户端数据
        //http://localhost:8080/oauth/authorize?client_id=testclientid&redirect_uri=http://localhost:9001/authCodeCallback&response_type=code&scope=read_userinfo
        clients.inMemory().withClient("testclientid")//clientId：（必须的）用来标识客户的Id。
                .secret("1234")//secret：（需要值得信任的客户端）客户端安全码，如果有的话。
                .redirectUris("http://localhost:9001/authCodeCallback")//客户端应用负责获取授权码的endpoint
                .authorizedGrantTypes("authorization_code")// 授权码模式
                .scopes("read_userinfo", "read_contacts");//scope：用来限制客户端的访问范围，如果为空（默认）的话，那么客户端拥有全部的访问范围。
    }}

5 启动SpringBoot服务

6 客户端服务访问授权服务器，铜鼓访问如下url取得授权码

http://localhost:8080/oauth/authorize?client_id=testclientid&redirect_uri=http://localhost:9001/authCodeCallback&response_type=code&scope=read_userinfo

访问完成后会redirect回客户端服务器并将授权码作为参数传回，其中localhost：9001即为客户端应用

7 客户端使用返回的授权码获取访问令牌

发送请求参数如下

url：http://localhost:8080/oauth/token

code=ifz2BV&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A9001%2FauthCodeCallback&scope=read_userinfo

得到的令牌数据

{

access_token: "554338cd-cab0-4ba0-b5bf-3ebd55db3196"

token_type: "bearer"

expires_in: 43199

scope: "read_userinfo"

}

以上授权服务器就简单完成了，下面将制作资源服务器

--------------------------------------------------------------------------------------------------

资源服务器

0 资源服务器的包结构

1 资源服务器配置，使用RemoteTokenServices调取认证服务器的认证方法来对Token进行认证

package com.test.resourceserver.config;import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.AuthenticationEntryPoint;import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;//资源服务配置
@Configuration
@EnableResourceServer
public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {@Primary
    @Bean
    public RemoteTokenServices tokenServices() {final RemoteTokenServices tokenService = new RemoteTokenServices();tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");tokenService.setClientId("testclientid");tokenService.setClientSecret("1234");return tokenService;}@Override
    public void configure(HttpSecurity http) throws Exception {//        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
//                .and()
//                .authorizeRequests()
//                .anyRequest()
//                .authenticated()
//                .and()
//                .requestMatchers()
//                .antMatchers("/api/**");
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and().authorizeRequests().anyRequest().permitAll();}
}

2 提供对外的API接口

package com.test.resourceserver.api;import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;@Controller
public class UserController {// 资源API
    @RequestMapping("/api/userinfo")public ResponseEntity<UserInfo> getUserInfo() {String  user  = (String) SecurityContextHolder.getContext().getAuthentication().getPrincipal();String email = user+ "@test.com";UserInfo userInfo = new UserInfo();userInfo.setName(user);userInfo.setEmail(email);return ResponseEntity.ok(userInfo);}}