Spring Authorization Server 实现授权中心
作者:Zhang
- 2022 年 5 月 11 日
本文字数:7282 字
阅读完需:约 24 分钟
源码地址
当前,Spring Security 对 OAuth 2.0 框架提供了全面的支持。Spring Authorization Server 出现的含义在于替换 Spring Security OAuth,交付 [[OAuth 2.1 授权框架|OAuth 2.1]] 框架。 Spring 官方已弃用 Spring Security OAuth。
本文涉及的组件版本如下:
spring-security-oauth2-authorization-server 项目由 Spring Security 团队领导,**社区驱动**。
复制代码
本文的目的:
搭建授权中心示例
fork 当前项目从而免去一些工作
本 demo 的结构
root
[[#auth-center|授权中心]]
[[#user-service|用户服务]]
[[#client-gateway|移动端网关]]
OAuth 2.1 支持三种许可类型,[[OAuth 2.1 授权框架 #授权码许可]]、[[OAuth 2.1 授权框架 #客户端证书许可]]、[[OAuth 2.1 授权框架 #刷新令牌许可]]。
auth-center
build.gradle
plugins { id 'org.springframework.boot' version '2.6.7' id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' } group = 'com.insight.into.life' version = '0.0.1-SNAPSHOT' sourceCompatibility = '17' configurations { compileOnly { extendsFrom annotationProcessor } } repositories { mavenCentral() } dependencies { implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'org.springframework.boot:spring-boot-starter-data-jdbc' implementation 'org.springframework.security:spring-security-oauth2-authorization-server:0.2.3' implementation 'org.springframework.boot:spring-boot-starter-actuator' compileOnly 'org.projectlombok:lombok' developmentOnly 'org.springframework.boot:spring-boot-devtools' // runtimeOnly 'mysql:mysql-connector-java' runtimeOnly "com.h2database:h2" annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor' annotationProcessor 'org.projectlombok:lombok' testImplementation 'org.springframework.boot:spring-boot-starter-test' testImplementation 'org.springframework.security:spring-security-test' } tasks.named('test') { useJUnitPlatform() }
复制代码
config
...
@EnableWebSecurity @Slf4j public class DefaultSecurityConfig { @Bean public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated()) .formLogin(withDefaults()); return http.build(); } @Bean public UserDetailsService users() { UserDetails user = User.withDefaultPasswordEncoder() .username("user1") .password("password") .roles("USER") .build(); return new InMemoryUserDetailsManager(user); } }
复制代码
...@Configuration(proxyBeanMethods = false) public class AuthorizationServerConfig { @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); return http.formLogin(withDefaults()).build(); } @Bean public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) { RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString()) .clientId("mobile-gateway-client") .clientSecret("{noop}123456") .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN) .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) .redirectUri("http://127.0.0.1:9100/login/oauth2/code/mobile-gateway-client-oidc") .redirectUri("http://127.0.0.1:9100/authorized") .scope(OidcScopes.OPENID) .scope("message.read") .scope("message.write") .build(); JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate); registeredClientRepository.save(registeredClient); return registeredClientRepository; } @Bean public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) { return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository); } @Bean public JWKSource<SecurityContext> jwkSource() { RSAKey rsaKey = Jwks.generateRsa(); JWKSet jwkSet = new JWKSet(rsaKey); return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet); } @Bean public ProviderSettings providerSettings() { return ProviderSettings.builder().issuer("http://localhost:9000").build(); } @Bean public EmbeddedDatabase embeddedDatabase() { return new EmbeddedDatabaseBuilder() .generateUniqueName(true) .setType(EmbeddedDatabaseType.H2) .setScriptEncoding("UTF-8") .addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql") .addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql") .addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql") .build(); }
复制代码
这里的两个 config 中有两个 SecurityFilterChain 类。调用顺序是 authorizationServerSecurityFilterChain、defaultSecurityFilterChain。
registeredClientRepository 用于注册 client。这里的两个 redirectUri 中地址来自于[[#mobile-gateway|移动端网关]]。
application.yml
server: port: 9000 logging: level: root: INFO org.springframework.web: INFO org.springframework.security: INFO org.springframework.security.oauth2: INFO
复制代码
启动服务
在浏览器中输入:http://localhost:9000/.well-known/openid-configuration,得到以下内容。
// 20220510135753// http://localhost:9000/.well-known/openid-configuration
{ "issuer": "http://localhost:9000", "authorization_endpoint": "http://localhost:9000/oauth2/authorize", "token_endpoint": "http://localhost:9000/oauth2/token", "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ], "jwks_uri": "http://localhost:9000/oauth2/jwks", "userinfo_endpoint": "http://localhost:9000/userinfo", "response_types_supported": [ "code" ], "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token" ], "subject_types_supported": [ "public" ], "id_token_signing_alg_values_supported": [ "RS256" ], "scopes_supported": [ "openid" ]}
复制代码
user-service
用户服务在 demo 中的角色是资源服务器。
build.gradle
plugins { id 'org.springframework.boot' version '2.6.7' id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' } group = 'com.insight.into.life' version = '0.0.1-SNAPSHOT' sourceCompatibility = '17' configurations { compileOnly { extendsFrom annotationProcessor } } repositories { mavenCentral() } dependencies { implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server' implementation 'org.springframework.boot:spring-boot-starter-web' compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor' annotationProcessor 'org.projectlombok:lombok' testImplementation 'org.springframework.boot:spring-boot-starter-test' } tasks.named('test') { useJUnitPlatform() }
复制代码
config
...@EnableWebSecurity public class ResourceServerConfig { @Bean SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http.mvcMatcher("/menu/**") .authorizeRequests() .mvcMatchers("/menu/**").access("hasAuthority('SCOPE_message.read')") .and() .oauth2ResourceServer() .jwt(); return http.build(); } }
复制代码
定义 menu 路径下的访问权限。
MenuController
@RestController @RequestMapping("/menu") public class MenuController { @GetMapping("/list") public List<String> list() { return List.of("menu1", "menu2", "menu3"); } }
复制代码
application.yml
server: port: 9001 spring: application: name: user-service security: oauth2: resourceserver: jwt: issuer-uri: http://localhost:9000
复制代码
启动服务
资源服务器目前不需要做额外配置,只需要启动即可。
client-gateway
build.gradle
plugins { id 'org.springframework.boot' version '2.6.7' id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' } group = 'com.insight.into.life' version = '0.0.1-SNAPSHOT' sourceCompatibility = '17' configurations { compileOnly { extendsFrom annotationProcessor } } repositories { mavenCentral() } dependencies { implementation 'org.springframework.boot:spring-boot-starter-oauth2-client' implementation 'org.springframework.boot:spring-boot-starter-web' implementation "org.springframework:spring-webflux" implementation "io.projectreactor.netty:reactor-netty" implementation 'org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2' compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor' annotationProcessor 'org.projectlombok:lombok' } tasks.named('test') { useJUnitPlatform() }
复制代码
这里引入 org.springframework:spring-webflux 、io.projectreactor.netty:reactor-netty 的原因在于使用了 WebClient。
config
...@Component @Order(Ordered.HIGHEST_PRECEDENCE) public class LoopbackIpRedirectFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { if (request.getServerName().equals("localhost") && request.getHeader("host") != null) { UriComponents uri = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request)) .host("127.0.0.1").build(); response.sendRedirect(uri.toUriString()); return; } filterChain.doFilter(request, response); } }
复制代码
该配置用于转换地址。将 localhost 转换为 127.0.0.1。
...
@EnableWebSecurity @Slf4j public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated()) .oauth2Login(oauth2Login -> oauth2Login.loginPage("/oauth2/authorization/mobile-gateway-client-oidc")) .oauth2Client(withDefaults()); return http.build(); } }
复制代码
...@Configuration public class WebClientConfig { @Bean WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); return WebClient.builder().apply(oauth2Client.oauth2Configuration()).build(); } @Bean OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository) { OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder() .authorizationCode() .refreshToken() .build(); DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository); authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider); return authorizedClientManager; } }
复制代码
AuthController
@RestController @Slf4j @RequiredArgsConstructor public class AuthController { private final WebClient webClient; @Value("${user-service.base-uri}") private String userServiceBaseUri; @GetMapping("/menus") public String menus(@RegisteredOAuth2AuthorizedClient("client-gateway-authorization-code") OAuth2AuthorizedClient authorizedClient) { return this.webClient .get() .uri(userServiceBaseUri) .attributes(oauth2AuthorizedClient(authorizedClient)) .retrieve() .bodyToMono(String.class) .block(); } }
复制代码
application.yml
server: port: 9100 spring: application: name: client-gateway security: oauth2: client: registration: mobile-gateway-client-oidc: provider: spring client-id: mobile-gateway-client client-secret: 123456 authorization-grant-type: authorization_code redirect-uri: "http://127.0.0.1:9100/login/oauth2/code/{registrationId}" scope: openid client-gateway-authorization-code: provider: spring client-id: mobile-gateway-client client-secret: 123456 client-authentication-method: client_secret_basic authorization-grant-type: authorization_code redirect-uri: "http://127.0.0.1:9100/authorized" scope: message.read,message.write provider: spring: issuer-uri: http://localhost:9000 user-service: base-uri: http://127.0.0.1:9001/menu/list
复制代码
启动服务
在浏览器中输入:http://127.0.0.1:9100
输入账号密码:user1/password,这里的用户在 [[#auth-center#config]] 中配置。得到以下内容:
总结
spring-authorization-server 目前还没有正式发布。文档较少。
还有一些需要完善的点。比如用户持久化、client 持久化。
此 demo 还要继续更新,为了能和本文对应,所以对应的 git tag 为
primitive-man。
划线
评论
复制
发布于: 刚刚阅读数: 2
版权声明: 本文为 InfoQ 作者【Zhang】的原创文章。
原文链接:【http://xie.infoq.cn/article/40434ed6d698ece8f6528fbd7】。文章转载请联系作者。
Zhang
关注
还未添加个人签名 2020.12.27 加入
还未添加个人简介
评论