Spring?Security?自定義授權(quán)服務(wù)器實(shí)踐記錄
前言
在之前我們已經(jīng)對(duì)接過(guò)了GitHub、Gitee客戶端,使用OAuth2 Client能夠快速便捷的集成第三方登錄,集成第三方登錄一方面降低了企業(yè)的獲客成本,同時(shí)為用戶提供更為便捷的登錄體驗(yàn)。
但是隨著企業(yè)的發(fā)展壯大,越來(lái)越有必要搭建自己的OAuth2服務(wù)器。
OAuth2不僅包括前面的OAuth客戶端,還包括了授權(quán)服務(wù)器,在這里我們要通過(guò)最小化配置搭建自己的授權(quán)服務(wù)器。
授權(quán)服務(wù)器主要提供OAuth Client注冊(cè)、用戶認(rèn)證、token分發(fā)、token驗(yàn)證、token刷新等功能。實(shí)際應(yīng)用中授權(quán)服務(wù)器與資源服務(wù)器可以在同一個(gè)應(yīng)用中實(shí)現(xiàn),也可以拆分成兩個(gè)獨(dú)立應(yīng)用,在這里為了方便理解,我們拆分成兩個(gè)應(yīng)用。
授權(quán)服務(wù)器變遷
授權(quán)服務(wù)器(Authorization Server)目前并沒(méi)有集成在Spring Security項(xiàng)目中,而是作為獨(dú)立項(xiàng)目存在于Spring生態(tài)中,圖1為Spring Authorization Server 在Spring 項(xiàng)目列表中的位置。
圖1
Spring Authorization Server 為什么沒(méi)被集成在Spring Security中呢?
起因是因?yàn)镾pring 中的Spring Security OAuth、Spring Cloud Security都對(duì)OAuth有自己的實(shí)現(xiàn),Spring團(tuán)隊(duì)開(kāi)始是想把OAuth獨(dú)立出來(lái)放到Spring Security中,但是后面Spring團(tuán)隊(duì)意識(shí)到OAuth授權(quán)服務(wù)并不適合包含在Spring Security框架中,于是在2019年11月Spring宣布不在Spring Security中支持授權(quán)服務(wù)器。原文如下:
原文:
Since the Spring Security OAuth project was created, the number of authorization server choices has grown significantly. Additionally, we did not feel like creating an authorization server was a common scenario. Nor did we feel like it was appropriate to provide authorization support within a framework with no library support. After careful consideration, the Spring Security team decided that we would not formally support creating authorization servers.
但是對(duì)于Spring Security不再支持授權(quán)服務(wù)器,社區(qū)反應(yīng)強(qiáng)烈。于是在2020年4月,Spring推出了Spring Authorization Server項(xiàng)目。
目前項(xiàng)目最新GA版本為0.3 GA,預(yù)覽版本1.0.0-M1。
最小化配置
安裝授權(quán)服務(wù)器
1、新創(chuàng)建一個(gè)Spring Boot項(xiàng)目,命名為spring-security-authorization-server
2、引入pom依賴
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-authorization-server</artifactId> <version>0.3.1</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency>
配置授權(quán)服務(wù)器
import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.RSAKey; import com.nimbusds.jose.jwk.source.ImmutableJWKSet; import com.nimbusds.jose.jwk.source.JWKSource; import com.nimbusds.jose.proc.SecurityContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.oidc.OidcScopes; import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.config.ClientSettings; import org.springframework.security.oauth2.server.authorization.config.ProviderSettings; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.util.matcher.RequestMatcher; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.util.UUID; @Configuration(proxyBeanMethods = false) public class AuthorizationServerConfig { //授權(quán)端點(diǎn)過(guò)濾器鏈 @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer<>(); RequestMatcher endpointsMatcher = authorizationServerConfigurer .getEndpointsMatcher(); http //沒(méi)有認(rèn)證會(huì)自動(dòng)跳轉(zhuǎn)到/login頁(yè)面 .exceptionHandling((exceptions) -> exceptions .authenticationEntryPoint( new LoginUrlAuthenticationEntryPoint("/login")) ) .requestMatcher(endpointsMatcher) .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated() ) .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher)) .apply(authorizationServerConfigurer); return http.build(); } //用于身份驗(yàn)證的過(guò)濾器鏈 @Bean @Order(2) public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .anyRequest().authenticated() ) .formLogin(Customizer.withDefaults()); return http.build(); } //配置主體用戶 @Bean public UserDetailsService userDetailsService() { UserDetails userDetails = User.withDefaultPasswordEncoder() .username("user") .password("user") .roles("USER") .build(); return new InMemoryUserDetailsManager(userDetails); } //注冊(cè)客戶端 @Bean public RegisteredClientRepository registeredClientRepository() { RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString()) //客戶端id .clientId("testClientId") //客戶端秘鑰,授權(quán)服務(wù)器需要加密存儲(chǔ) .clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("testClientSecret")) //授權(quán)方法 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) //支持的授權(quán)類(lèi)型 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN) .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) //回調(diào)地址,支持多個(gè),本地測(cè)試不能使用localhost .redirectUri("http://127.0.0.1:8080/login/oauth2/code/customize") .scope(OidcScopes.OPENID) //授權(quán)scope .scope("message.read") .scope("userinfo") .scope("message.write") //是否需要授權(quán)頁(yè)面,開(kāi)啟跳轉(zhuǎn)到授權(quán)頁(yè)面,需要手動(dòng)確認(rèn) .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()) .build(); return new InMemoryRegisteredClientRepository(registeredClient); } //token加密 @Bean public JWKSource<SecurityContext> jwkSource() { KeyPair keyPair = generateRsaKey(); RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); RSAKey rsaKey = new RSAKey.Builder(publicKey) .privateKey(privateKey) .keyID(UUID.randomUUID().toString()) .build(); JWKSet jwkSet = new JWKSet(rsaKey); return new ImmutableJWKSet<>(jwkSet); } private static KeyPair generateRsaKey() { KeyPair keyPair; try { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048); keyPair = keyPairGenerator.generateKeyPair(); } catch (Exception ex) { throw new IllegalStateException(ex); } return keyPair; } //配置協(xié)議端點(diǎn),比如/oauth2/authorize、/oauth2/token等 @Bean public ProviderSettings providerSettings() { return ProviderSettings.builder().build(); } }
如上是最小化授權(quán)服務(wù)器的配置,這里我們將授權(quán)主體和客戶端都存儲(chǔ)在內(nèi)存中,當(dāng)然也可以持久化到數(shù)據(jù)庫(kù)中,分別使用JdbcUserDetailsManager
、JdbcRegisteredClientRepository
。ProviderSettings.builder().build()
使用了默認(rèn)的配置,這幾個(gè)地址我們后面就會(huì)用到:
public static Builder builder() { return new Builder() .authorizationEndpoint("/oauth2/authorize") .tokenEndpoint("/oauth2/token") .jwkSetEndpoint("/oauth2/jwks") .tokenRevocationEndpoint("/oauth2/revoke") .tokenIntrospectionEndpoint("/oauth2/introspect") .oidcClientRegistrationEndpoint("/connect/register") .oidcUserInfoEndpoint("/userinfo"); }
? 官方指出@Import(OAuth2AuthorizationServerConfiguration.class)也可以用來(lái)最小化配置,但我親測(cè)這種方式?jīng)]多大用處,并且還有問(wèn)題。
配置客戶端
這里我們要使用自己的搭建授權(quán)服務(wù)器,需要自定義一個(gè)客戶端,還是使用前面集成GitHub的示例,只要在配置文件中擴(kuò)展就可以。
完整配置如下:
spring: security: oauth2: client: registration: gitee: client-id: gitee_clientId client-secret: gitee_secret authorization-grant-type: authorization_code redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}' client-name: Gitee github: client-id: github_clientId client-secret: github_secret # 自定義 customize: client-id: testClientId client-secret: testClientSecret authorization-grant-type: authorization_code redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}' client-name: Customize scope: - userinfo provider: gitee: authorization-uri: https://gitee.com/oauth/authorize token-uri: https://gitee.com/oauth/token user-info-uri: https://gitee.com/api/v5/user user-name-attribute: name # 自定義 customize: authorization-uri: http://localhost:9000/oauth2/authorize token-uri: http://localhost:9000/oauth2/token user-info-uri: http://localhost:9000/userinfo user-name-attribute: username
? 在配置授權(quán)服務(wù)器uri的時(shí)候,請(qǐng)勿依舊使用127.0.0.1,由于是在本地測(cè)試,授權(quán)服務(wù)器的session和客戶端的session會(huì)互相覆蓋,導(dǎo)致莫名其妙的問(wèn)題。
請(qǐng)區(qū)分回調(diào)地址,和授權(quán)服務(wù)器端點(diǎn)uri的地址。
客戶端的session
授權(quán)服務(wù)器的session
體驗(yàn)
另外為了能夠更好的調(diào)式,可以在兩個(gè)應(yīng)用增加@EnableWebSecurity(debug = true)
和 log日志,日志如下,打開(kāi)TRACE
級(jí)別日志:
logging: level: root: INFO org.springframework.web: INFO org.springframework.security: TRACE org.springframework.security.oauth2: TRACE
現(xiàn)在啟動(dòng)兩個(gè)應(yīng)用,訪問(wèn)http://127.0.0.1:8080/hello
,自動(dòng)跳轉(zhuǎn)到登錄頁(yè)面。
點(diǎn)擊Customize
,將跳轉(zhuǎn)至授權(quán)服務(wù)器,注意看地址欄地址為localhost:9000/login,輸入用戶名/密碼登錄,user/user
。
登錄后,將跳轉(zhuǎn)至授權(quán)頁(yè)面,由于我們沒(méi)有定制,使用的是默認(rèn)頁(yè)面,可以看到該頁(yè)面的地址為http://localhost:9000/oauth2/authorize?response_type=code&client_id=testClientId&scope=userinfo&state=yV1ElAN2855yq3bY5kgj_rmilnCclyvZHkxVB7a1d84%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/customize
。
我們勾選userinfo,提交后即跳轉(zhuǎn)回客戶端。
我們看下客戶收到的日志,授權(quán)服務(wù)器帶著code回調(diào)了我們填寫(xiě)的回調(diào)地址。Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D'
************************************************************ Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D': org.apache.catalina.connector.RequestFacade@1a8761d0 servletPath:/login/oauth2/code/customize pathInfo:null headers: host: 127.0.0.1:8080 connection: keep-alive upgrade-insecure-requests: 1 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site: cross-site sec-fetch-mode: navigate sec-fetch-user: ?1 sec-fetch-dest: document sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" referer: http://127.0.0.1:8080/ accept-encoding: gzip, deflate, br accept-language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 cookie: JSESSIONID=2527F412F53FA27A30BFBC39161ABB63 Security filter chain: [ DisableEncodeUrlFilter WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter HeaderWriterFilter CsrfFilter LogoutFilter OAuth2AuthorizationRequestRedirectFilter OAuth2AuthorizationRequestRedirectFilter OAuth2LoginAuthenticationFilter DefaultLoginPageGeneratingFilter DefaultLogoutPageGeneratingFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter OAuth2AuthorizationCodeGrantFilter SessionManagementFilter ExceptionTranslationFilter FilterSecurityInterceptor ] ************************************************************
總結(jié)
Spring Security 的最小化授權(quán)服務(wù)器的配置,到這里結(jié)束了,該demo雖然代碼量非常少,但涉及的知識(shí)非常多,并且坑也多。
Spring Security文檔中的代碼說(shuō)明更新不及時(shí),比如@Import(OAuth2AuthorizationServerConfiguration.class)
文檔中說(shuō)明是最小化配置,但文檔的快速開(kāi)始又提供了另外一種的最小化配置方式。
另外授權(quán)服務(wù)器如果發(fā)生異常,是不會(huì)打印堆棧的,而是把錯(cuò)誤信息放入到response中,是打算要在頁(yè)面上顯示,然而demo的默認(rèn)錯(cuò)誤頁(yè)并不會(huì)顯示錯(cuò)誤詳情,只有錯(cuò)誤編號(hào)400,如圖。
Spring Authorization Server 還需要多多完善,Spring Security也不例外,不久前我還提了一個(gè)PR,把一個(gè)持續(xù)數(shù)個(gè)版本的bug給修復(fù)了??(過(guò)了,只是文檔中的錯(cuò)誤罷了,被標(biāo)記為文檔中的bug??),看多了外國(guó)人的產(chǎn)品,其實(shí)也沒(méi)有太比國(guó)內(nèi)的開(kāi)源項(xiàng)目好,坑也很多,而我們某些大廠的開(kāi)源項(xiàng)目其實(shí)很好,卻被網(wǎng)友門(mén)各種噴。
到此這篇關(guān)于SpringSecurity自定義授權(quán)服務(wù)器實(shí)踐的文章就介紹到這了,更多相關(guān)SpringSecurity自定義授權(quán)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
- springSecurity實(shí)現(xiàn)簡(jiǎn)單的登錄功能
- SpringSecurity注銷(xiāo)設(shè)置的方法
- SpringSecurity自定義登錄成功處理
- SpringSecurity自定義登錄界面
- SpringSecurity微服務(wù)實(shí)戰(zhàn)之公共模塊詳解
- Spring Security 自定義資源服務(wù)器實(shí)踐過(guò)程
- SpringSecurity添加圖形驗(yàn)證碼認(rèn)證實(shí)現(xiàn)
- SpringBoot淺析安全管理之Spring Security配置
- Spring Security十分鐘入門(mén)教程
相關(guān)文章
簡(jiǎn)要分析Java的Hibernate框架中的自定義類(lèi)型
這篇文章主要介紹了Java的Hibernate框架中的自定義類(lèi)型,Hibernate是Java的SSH三大web開(kāi)發(fā)框架之一,需要的朋友可以參考下2016-01-01Java微信公眾平臺(tái)開(kāi)發(fā)(14) 微信web開(kāi)發(fā)者工具使用
這篇文章主要為大家詳細(xì)介紹了Java微信公眾平臺(tái)開(kāi)發(fā)第十四步,微信web開(kāi)發(fā)者工具的使用方法,具有一定的參考價(jià)值,感興趣的小伙伴們可以參考一下2017-04-04淺談一下RabbitMQ、Kafka和RocketMQ消息中間件對(duì)比
這篇文章主要介紹了淺談一下RabbitMQ、Kafka和RocketMQ消息中間件對(duì)比,消息中間件屬于分布式系統(tǒng)中一個(gè)字系統(tǒng),關(guān)注于數(shù)據(jù)的發(fā)送和接收,利用高效可靠的異步信息傳遞機(jī)制對(duì)分布式系統(tǒng)中的其余各個(gè)子系統(tǒng)進(jìn)行集成,需要的朋友可以參考下2023-05-05SpringMVC請(qǐng)求的路徑變量里面寫(xiě)正則表達(dá)式的方法
這篇文章主要介紹了SpringMVC請(qǐng)求的路徑變量里面寫(xiě)正則表達(dá)式的相關(guān)知識(shí),本文給大家介紹的非常詳細(xì),具有一定的參考借鑒價(jià)值,需要的朋友可以參考下2019-09-09Spring Cloud Gateway 服務(wù)網(wǎng)關(guān)快速實(shí)現(xiàn)解析
這篇文章主要介紹了Spring Cloud Gateway 服務(wù)網(wǎng)關(guān)快速實(shí)現(xiàn)解析,文中通過(guò)示例代碼介紹的非常詳細(xì),對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友可以參考下2019-08-08@MapperScan和@ComponentScan一塊使用導(dǎo)致沖突的解決
這篇文章主要介紹了@MapperScan和@ComponentScan一塊使用導(dǎo)致沖突的解決,具有很好的參考價(jià)值,希望對(duì)大家有所幫助。如有錯(cuò)誤或未考慮完全的地方,望不吝賜教2021-11-11