该模式改进后可用于 App 终端的认证授权，认证过程的步骤如下
B 步骤中，客户端发出 HTTP 请求，包含以下参数：
pom.xml中引入相关依赖
org.springframework.boot
spring-boot-starter-web
org.springframework.cloud
spring-cloud-starter-oauth2
org.springframework.cloud
spring-cloud-starter-security
server.port=8080
server.servlet.context-path=/auth
以 inMemory 方式配置简单的认证用户；Spring Boot 2 中需要将 AuthenticationManager 以 @Bean 方式注入到容器中。
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Encoder bean shared with the authorization server; demo passwords are stored BCrypt-hashed. */
    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    /**
     * Registers two demo accounts in an in-memory user store: "jk" (role USER) and
     * "admin" (role ADMIN).
     * <p>NOTE(review): the plaintext credentials live in source; a real deployment should
     * load users from an external store rather than keep them here.
     *
     * @param auth builder into which the in-memory authentication provider is installed
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("jk").password(hash("jkjk")).roles("USER")
            .and()
            .withUser("admin").password(hash("admin123")).roles("ADMIN");
    }

    /** BCrypt-hashes a raw password with the injected encoder. */
    private String hash(String rawPassword) {
        return passwordEncoder.encode(rawPassword);
    }

    /**
     * Exposes the {@code AuthenticationManager} built by this configuration as a bean so the
     * authorization server can inject it by the name {@code authenticationManagerBean}.
     *
     * @return the authentication manager of this security configuration
     * @throws Exception propagated from the superclass
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * HTTP rules: {@code /login} and everything under {@code /tokens/} are public, every other
     * request requires an authenticated session, and form login is enabled.
     * <p>NOTE(review): CSRF protection is switched off for the whole application, including the
     * form-login flow; if browser sessions are used in a deployment, re-enable it and exempt only
     * the token endpoints that clients call with credentials instead of cookies.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.formLogin().permitAll();
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers("/tokens/**").permitAll()
            .anyRequest().authenticated();
    }
}
注册客户端的 id 和 secret，声明该客户端允许的授权模式以及 token 的有效期。
@Configuration
@EnableAuthorizationServer
public class Oauth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /**
     * Symmetric key used to sign JWT access tokens. The resource server verifies tokens with the
     * same literal, so the two values must stay identical.
     * <p>NOTE(review): a three-character key in source is a weak secret; load a strong key (or an
     * asymmetric key pair) from configuration before deploying.
     */
    private static final String JWT_SIGNING_KEY = "123";

    /** Access-token lifetime: one hour. */
    private static final int ACCESS_TOKEN_VALIDITY_SECONDS = 3600;

    /** Refresh-token lifetime: thirty days. */
    private static final int REFRESH_TOKEN_VALIDITY_SECONDS = 2592000;

    /**
     * The manager exposed as {@code authenticationManagerBean} by the web security configuration;
     * the password grant uses it to check resource-owner credentials.
     */
    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    /**
     * Access rules for the server's own endpoints: the token-key endpoint is public, the
     * check-token endpoint requires an authenticated client.
     *
     * @param security configurer for the authorization server endpoints
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.tokenKeyAccess("permitAll()");
        security.checkTokenAccess("isAuthenticated()");
    }

    /**
     * Registers the single in-memory client "admin" with the password, authorization-code and
     * refresh-token grants, scope {@code all}, and the token lifetimes above.
     * <p>NOTE(review): the client secret is a demo value and the redirect URI is plain HTTP on
     * localhost; both should come from configuration in a deployment.
     *
     * @param clients configurer for registered clients
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("admin")
            .secret(passwordEncoder().encode("admin"))
            .scopes("all")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .redirectUris("http://localhost:8080")
            .accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS)
            .refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
    }

    /**
     * Wires the JWT token store and converter into the token endpoint and supplies the
     * authentication manager for the password grant.
     * <p>NOTE(review): allowing GET on the token endpoint means client and user credentials can
     * travel in the query string, where proxies and access logs record them; POST only is the
     * safer setting if no client depends on GET.
     *
     * @param endpoints configurer for the token endpoints
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
        endpoints.tokenStore(tokenStore());
        endpoints.accessTokenConverter(accessTokenConverter());
        endpoints.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }

    /**
     * Token store backed by the JWT converter; tokens are not persisted server-side.
     *
     * @return the JWT token store
     */
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    /**
     * JWT converter signing tokens with {@link #JWT_SIGNING_KEY}.
     *
     * @return the configured converter
     */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter jwtConverter = new JwtAccessTokenConverter();
        jwtConverter.setSigningKey(JWT_SIGNING_KEY);
        return jwtConverter;
    }

    /**
     * BCrypt encoder used for both user passwords and the client secret.
     *
     * @return a new BCrypt encoder
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
server.port=8081
#resource server 相关配置
security.oauth2.client.client-id=admin
security.oauth2.client.client-secret=admin
security.oauth2.client.user-authorization-uri=http://localhost:8080/auth/oauth/authorize
security.oauth2.client.grant-type=password
security.oauth2.client.scope=all
security.oauth2.client.access-token-uri=http://localhost:8080/auth/oauth/token
security.oauth2.authorization.check-token-access=http://localhost:8080/auth/oauth/check_token
#配置 check-token 的 URL 地址
security.oauth2.resource.token-info-uri=http://localhost:8080/auth/oauth/check_token
#配置userinfo的url地址
security.oauth2.resource.user-info-uri=http://localhost:8080/auth/me
#如果上面两个都配置了，优先使用哪一个（true 表示优先使用 token-info-uri）
security.oauth2.resource.prefer-token-info=true
@Configuration
@EnableResourceServer
public class Oauth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * Key used to verify incoming JWT access tokens; it must equal the signing key configured on
     * the authorization server, otherwise every token is rejected here.
     * <p>NOTE(review): same weak demo literal as on the authorization server; source it from
     * configuration in a deployment.
     */
    private static final String JWT_SIGNING_KEY = "123";

    /**
     * Token store that reads JWTs through the converter below.
     *
     * @return the JWT token store
     */
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    /**
     * Converter verifying tokens with {@link #JWT_SIGNING_KEY}.
     *
     * @return the configured converter
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter jwtConverter = new JwtAccessTokenConverter();
        jwtConverter.setSigningKey(JWT_SIGNING_KEY);
        return jwtConverter;
    }
}
@RestController
public class TestController {

    /** Constant body returned by the smoke-test endpoint. */
    private static final String TEST_RESPONSE = "test api json";

    /**
     * GET {@code /test}: returns a fixed string; no inputs, no side effects.
     *
     * @return the constant response body
     */
    @GetMapping("/test")
    public String test() {
        return TEST_RESPONSE;
    }
}
分别部署认证服务器和资源服务器
参考
https://www.jianshu.com/p/68f22f9a00ee