（第二篇）微服务架构下无状态权限认证系统设计（Spring Security + Oauth2 + JWT）-- 实现

一、参数配置

1）配置参数：application.yml
springcloud:
  security:
    oauth2:
      clients[0]:
        clientId: zuul-server
        clientSecret: '12345678'
        accessTokenValiditySeconds: 7200  //通行token有效时间（秒）
        refreshTokenValiditySeconds: 604800  //刷新token有效时间（秒）
      clients[1]:
        clientId: user-server
        clientSecret: '123456'
        accessTokenValiditySeconds: 7200
        refreshTokenValiditySeconds: 604800


2）单个客户端配置封装类：OAuth2ClientProperties.java
@Getter @Setter public class OAuth2ClientProperties { 
    private String clientId; //客户端id
    private String clientSecret; //客户端秘钥
    private Integer accessTokenValiditySeconds;  //通行token有效时长
    private Integer refreshTokenValiditySeconds; //刷新token有效时长
}

3）从配置文件获取配置封装到配置集合中：OAuth2Properties.java
@ConfigurationProperties(prefix = "springcloud.security.oauth2") //匹配前缀为springcloud.security.oauth2的参数
public class OAuth2Properties
{
    private OAuth2ClientProperties[] clients = {};//把参数放到数组中，此处也可以从数据库获取，本例子直接配置获取
    public OAuth2ClientProperties[] getClients() {
        return clients;
    }

    //OAuth2ClientProperties 单个配置实体封装
    public void setClients(OAuth2ClientProperties[] clients) {
        this.clients = clients;
    }
}

4）核心配置--扫描、注册自定义配置参数

@Configuration
@EnableConfigurationProperties(OAuth2Properties.class)
public class OAuth2CoreConfig
{
}

二、业务配置
1）认证授权参数配置
@Configuration
@EnableResourceServer
@EnableAuthorizationServer  //开启授权服务
public class OAuth2Config1 extends AuthorizationServerConfigurerAdapter
{
    private JsonParser objectMapper = JsonParserFactory.create();
    
    @Autowired
    private AuthenticationManager authenticationManager;
    
    @Autowired
    private OAuth2Properties oauth2Properties;//注入配置类
    
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        //这句不知道是干啥的，大概是开启一个身份验证表单的功能吧，就是弹出一个输入账户、密码的框
        oauthServer.allowFormAuthenticationForClients();
    }
    
    /*配置客户端基本信息，循环配置数组，加载到配置服务运行内存，用于授权判断*/
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // 客户端配置化
        InMemoryClientDetailsServiceBuilder build = clients.inMemory();
        if (ArrayUtils.isNotEmpty(oauth2Properties.getClients())) {
            // 验证模式：刷新token,密码、验证码模式，也可根据客户端自定义配置
            for (OAuth2ClientProperties config : oauth2Properties.getClients()) {
                build.withClient(config.getClientId()).secret(config.getClientSecret())
                    .accessTokenValiditySeconds(config.getAccessTokenValiditySeconds())   //通行token
                    .refreshTokenValiditySeconds(config.getRefreshTokenValiditySeconds()) // 刷新token
                    .authorizedGrantTypes("refresh_token", "password", "authorization_code")//验证模式
                    .scopes("platform");//作用域，可以在配置中按实际业务自定义各个客户端的作用域，写死并不可取
            }
        }
    }
    
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        //JWT方式
        endpoints.tokenStore(tokenStore())//设置token存储方式，见方法实现
        .tokenEnhancer(jwtTokenEnhancer()) //设置token的加密方式，见方法实现
        .authenticationManager(authenticationManager);//开启密码类型验证的bean
    }
    
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtTokenEnhancer());
    }
    
    /*JWT token生成规则，此处对原来的转换器 JwtAccessTokenConverter 下的方法 enhance() 进行重写，
      来补充生成token中自定义的业务字段，如组织架构id、用户id等字段*/
    @Bean
    public JwtAccessTokenConverter jwtTokenEnhancer() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter() {

            /*重写token生成方法，补充组织架构、用户id内容*/
            @Override
            public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
                DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
                Map info = new LinkedHashMap(accessToken.getAdditionalInformation());//附加信息map
                String tokenId = result.getValue();
                if (!info.containsKey(TOKEN_ID)) {
                    info.put(TOKEN_ID, tokenId);
                }
                else {
                    tokenId = (String) info.get(TOKEN_ID);
                }

                //自定义信息设置到token负载中
                SysUser user = (SysUser)authentication.getPrincipal();//SysUser：系统的登录用户实体，根据实际业务设计
                info.put("orgId", user.getOrgId());//操作用户所在的组织架构id
                info.put("userId", user.getId());//操作用户的id
                try {
                    //用户名，因为是中文，为避免乱码，在设置时进行了编码转换，此处先解码
                    info.put("uname", URLEncoder.encode(user.getName(), "GBK"));
                } catch (UnsupportedEncodingException e1) {
                    e1.printStackTrace();
                }
                info.put("loginName",  user.getLoginName());//当前登录名
                info.put("dataAccess", user.getDataAccess());//当前用户的数据权限（数组）
                
                result.setAdditionalInformation(info);//把解析好的附加信息设置到结果集中
                result.setValue(encode(result, authentication));//对设置好的结果集编码
                OAuth2RefreshToken refreshToken = result.getRefreshToken();//获取结果中的刷新token
                if (refreshToken != null) {
               //下面这一段，我也看不大懂，不知道从哪拼凑来的，勉强能用吧[捂脸]，大概意思就是，生成token，与附加信息合并返回
                    DefaultOAuth2AccessToken encodedRefreshToken = new DefaultOAuth2AccessToken(accessToken);
                    encodedRefreshToken.setValue(refreshToken.getValue());
                    encodedRefreshToken.setExpiration(null);
                    try {
                        Map claims = objectMapper.parseMap(JwtHelper.decode(refreshToken.getValue()).getClaims());
                        if (claims.containsKey(TOKEN_ID)) {
                            encodedRefreshToken.setValue(claims.get(TOKEN_ID).toString());
                        }
                    }
                    catch (IllegalArgumentException e) {
                    }
                    Map refreshTokenInfo = new LinkedHashMap(
                            accessToken.getAdditionalInformation());
                    refreshTokenInfo.put(TOKEN_ID, encodedRefreshToken.getValue());
                    refreshTokenInfo.put(ACCESS_TOKEN_ID, tokenId);
                    encodedRefreshToken.setAdditionalInformation(refreshTokenInfo);//
                    DefaultOAuth2RefreshToken token = new DefaultOAuth2RefreshToken(
                            encode(encodedRefreshToken, authentication));
                    if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
                        Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
                        encodedRefreshToken.setExpiration(expiration);
                        token = new DefaultExpiringOAuth2RefreshToken(encode(encodedRefreshToken, authentication), expiration);
                    }
                    result.setRefreshToken(token);
                }
                return result;
            }
        };
        
        //根据私钥加锁，客户端需要拿匹配的公钥进行解锁，保证安全性，私钥使用Java Keytool 工具生成
        KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("fzp-jwt.jks"),
            "123456789".toCharArray());
        converter.setKeyPair(keyStoreKeyFactory.getKeyPair("fzp-jwt"));
        return converter;
    }
}

2）基于web的security基本配置

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled=true)//方法级别的安全支持
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    UserService userService;
    
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    
    /**
     * 代码解析：
     * 1.在内存中创建一个认证用户信息
     * 2.该认证名为forezp，密码为123456，有USER的角色
     * 防护工作：
     * 1.应用的每一个请求都需要验证
     * 2.自动生成一个登录表单
     * 3.可以用username和password来进行验证
     * 4.可以注销
     * 5.阻止CSRF攻击
     * 6.Session Fixation保护
     * 7.安全Header集成......
     * 8.Servlet API方法集成：
     * HttpServletRequest#getRemoteUser()
     * HttpServletRequest.html#getUserPrincipal()
     * HttpServletRequest.html#getUserInRole(String)
     * HttpServletRequest.html#login(String,String)
     * HttpServletRequest.html#logout()
     */
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //集成JWT
       http.csrf().disable().exceptionHandling().accessDeniedPage("/401")
            .and()
            .authorizeRequests().anyRequest().fullyAuthenticated()
            .and()
            .httpBasic()
            .and().rememberMe().and()
            .formLogin().loginPage("/login").failureUrl("/login?error").permitAll() //登录页面用户任意访问
            .and()
            .logout().permitAll(); //注销行为任意访问
    }
    
    /**
     * 用户信息服务userService，具体实现见实体
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //验证使用自定义的userService
        auth.userDetailsService(userService);//.passwordEncoder(new BCryptPasswordEncoder());
    }
}

3）userService用户服务类实现

@Service
public class UserService implements UserDetailsService {
    private static final Logger log = LoggerFactory.getLogger(UserService.class);

    @Autowired
    UserDao userDao;//用户dao

    @Autowired
    RoleDao roleDao;//角色dao

    @Autowired
    PermissionDao permissionDao;//权限dao

    /**
     * 根据登录名获取用户实体信息
     */
    @Override    
    public SysUser loadUserByUsername(String loginName) throws UsernameNotFoundException {
    try {
        SysUser user = new SysUser();
        List grantedAuthorities = new ArrayList();
        SysUser query = new SysUser();
        query.setLoginName(loginName);
        user = (SysUser) this.userDao.templateOne(query);
        if (user != null) {
            Map paramMap = new HashMap();
            paramMap.put("userId", user.getId());
            List permissions = permissionDao.findByAdminUserId(paramMap);//接口调用权限
            List> dataAccess = permissionDao.findDataAccessByAdminUserId(paramMap);//数据权限
            List