快捷導(dǎo)航

Spring?Security?自定義授權(quán)服務(wù)器實(shí)踐記錄

更新時(shí)間：2022年08月19日 09:51:37 作者：阿提說(shuō)說(shuō)

授權(quán)服務(wù)器（Authorization Server）目前并沒(méi)有集成在Spring Security項(xiàng)目中，而是作為獨(dú)立項(xiàng)目存在于Spring生態(tài)中，這篇文章主要介紹了Spring?Security?自定義授權(quán)服務(wù)器實(shí)踐,需要的朋友可以參考下

前言

在之前我們已經(jīng)對(duì)接過(guò)了GitHub、Gitee客戶端，使用OAuth2 Client能夠快速便捷的集成第三方登錄，集成第三方登錄一方面降低了企業(yè)的獲客成本，同時(shí)為用戶提供更為便捷的登錄體驗(yàn)。
但是隨著企業(yè)的發(fā)展壯大，越來(lái)越有必要搭建自己的OAuth2服務(wù)器。
OAuth2不僅包括前面的OAuth客戶端，還包括了授權(quán)服務(wù)器，在這里我們要通過(guò)最小化配置搭建自己的授權(quán)服務(wù)器。
授權(quán)服務(wù)器主要提供OAuth Client注冊(cè)、用戶認(rèn)證、token分發(fā)、token驗(yàn)證、token刷新等功能。實(shí)際應(yīng)用中授權(quán)服務(wù)器與資源服務(wù)器可以在同一個(gè)應(yīng)用中實(shí)現(xiàn)，也可以拆分成兩個(gè)獨(dú)立應(yīng)用，在這里為了方便理解，我們拆分成兩個(gè)應(yīng)用。

授權(quán)服務(wù)器變遷

授權(quán)服務(wù)器（Authorization Server）目前并沒(méi)有集成在Spring Security項(xiàng)目中，而是作為獨(dú)立項(xiàng)目存在于Spring生態(tài)中，圖1為Spring Authorization Server 在Spring 項(xiàng)目列表中的位置。

圖1

Spring Authorization Server 為什么沒(méi)被集成在Spring Security中呢？

起因是因?yàn)镾pring 中的Spring Security OAuth、Spring Cloud Security都對(duì)OAuth有自己的實(shí)現(xiàn)，Spring團(tuán)隊(duì)開(kāi)始是想把OAuth獨(dú)立出來(lái)放到Spring Security中，但是后面Spring團(tuán)隊(duì)意識(shí)到OAuth授權(quán)服務(wù)并不適合包含在Spring Security框架中，于是在2019年11月Spring宣布不在Spring Security中支持授權(quán)服務(wù)器。原文如下：

原文：
Since the Spring Security OAuth project was created, the number of authorization server choices has grown significantly. Additionally, we did not feel like creating an authorization server was a common scenario. Nor did we feel like it was appropriate to provide authorization support within a framework with no library support. After careful consideration, the Spring Security team decided that we would not formally support creating authorization servers.

但是對(duì)于Spring Security不再支持授權(quán)服務(wù)器，社區(qū)反應(yīng)強(qiáng)烈。于是在2020年4月，Spring推出了Spring Authorization Server項(xiàng)目。
目前項(xiàng)目最新GA版本為0.3 GA，預(yù)覽版本1.0.0-M1。

最小化配置

安裝授權(quán)服務(wù)器

1、新創(chuàng)建一個(gè)Spring Boot項(xiàng)目，命名為spring-security-authorization-server
2、引入pom依賴

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.1</version>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

配置授權(quán)服務(wù)器

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestMatcher;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;
@Configuration(proxyBeanMethods = false)
public class AuthorizationServerConfig {
    //授權(quán)端點(diǎn)過(guò)濾器鏈
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer<>();
        RequestMatcher endpointsMatcher = authorizationServerConfigurer
                .getEndpointsMatcher();
        http
                //沒(méi)有認(rèn)證會(huì)自動(dòng)跳轉(zhuǎn)到/login頁(yè)面
                .exceptionHandling((exceptions) -> exceptions
                        .authenticationEntryPoint(
                                new LoginUrlAuthenticationEntryPoint("/login"))
                )
                .requestMatcher(endpointsMatcher)
                .authorizeRequests(authorizeRequests ->
                        authorizeRequests.anyRequest().authenticated()
                )
                .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
                .apply(authorizationServerConfigurer);
        return http.build();
    }
    //用于身份驗(yàn)證的過(guò)濾器鏈
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        http
                .authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                .formLogin(Customizer.withDefaults());
        return http.build();
    }
    //配置主體用戶
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails userDetails = User.withDefaultPasswordEncoder()
                .username("user")
                .password("user")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(userDetails);
    }
    //注冊(cè)客戶端
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                //客戶端id
                .clientId("testClientId")
                //客戶端秘鑰，授權(quán)服務(wù)器需要加密存儲(chǔ)
                .clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("testClientSecret"))
                //授權(quán)方法
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                //支持的授權(quán)類(lèi)型
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                //回調(diào)地址，支持多個(gè)，本地測(cè)試不能使用localhost
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/customize")
                .scope(OidcScopes.OPENID)
                //授權(quán)scope
                .scope("message.read")
                .scope("userinfo")
                .scope("message.write")
                //是否需要授權(quán)頁(yè)面，開(kāi)啟跳轉(zhuǎn)到授權(quán)頁(yè)面，需要手動(dòng)確認(rèn)
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();
        return new InMemoryRegisteredClientRepository(registeredClient);
    }
    //token加密
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        KeyPair keyPair = generateRsaKey();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAKey rsaKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return new ImmutableJWKSet<>(jwkSet);
    }
    private static KeyPair generateRsaKey() {
        KeyPair keyPair;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            keyPair = keyPairGenerator.generateKeyPair();
        }
        catch (Exception ex) {
            throw new IllegalStateException(ex);
        }
        return keyPair;
    }
    //配置協(xié)議端點(diǎn)，比如/oauth2/authorize、/oauth2/token等
    @Bean
    public ProviderSettings providerSettings() {
        return ProviderSettings.builder().build();
    }
}

如上是最小化授權(quán)服務(wù)器的配置，這里我們將授權(quán)主體和客戶端都存儲(chǔ)在內(nèi)存中，當(dāng)然也可以持久化到數(shù)據(jù)庫(kù)中，分別使用JdbcUserDetailsManager、JdbcRegisteredClientRepository。
ProviderSettings.builder().build()使用了默認(rèn)的配置，這幾個(gè)地址我們后面就會(huì)用到：

public static Builder builder() {
    return new Builder()
            .authorizationEndpoint("/oauth2/authorize")
            .tokenEndpoint("/oauth2/token")
            .jwkSetEndpoint("/oauth2/jwks")
            .tokenRevocationEndpoint("/oauth2/revoke")
            .tokenIntrospectionEndpoint("/oauth2/introspect")
            .oidcClientRegistrationEndpoint("/connect/register")
            .oidcUserInfoEndpoint("/userinfo");
}

? 官方指出@Import(OAuth2AuthorizationServerConfiguration.class)也可以用來(lái)最小化配置，但我親測(cè)這種方式?jīng)]多大用處，并且還有問(wèn)題。

配置客戶端

這里我們要使用自己的搭建授權(quán)服務(wù)器，需要自定義一個(gè)客戶端，還是使用前面集成GitHub的示例，只要在配置文件中擴(kuò)展就可以。
完整配置如下：

spring:
  security:
    oauth2:
      client:
        registration:
          gitee:
            client-id: gitee_clientId
            client-secret: gitee_secret
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            client-name: Gitee
          github:
            client-id: github_clientId
            client-secret: github_secret
          # 自定義
          customize:
            client-id: testClientId
            client-secret: testClientSecret
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            client-name: Customize
            scope:
              - userinfo
        provider:
          gitee:
            authorization-uri: https://gitee.com/oauth/authorize
            token-uri: https://gitee.com/oauth/token
            user-info-uri: https://gitee.com/api/v5/user
            user-name-attribute: name
          # 自定義
          customize:
            authorization-uri: http://localhost:9000/oauth2/authorize
            token-uri: http://localhost:9000/oauth2/token
            user-info-uri: http://localhost:9000/userinfo
            user-name-attribute: username

? 在配置授權(quán)服務(wù)器uri的時(shí)候，請(qǐng)勿依舊使用127.0.0.1，由于是在本地測(cè)試，授權(quán)服務(wù)器的session和客戶端的session會(huì)互相覆蓋，導(dǎo)致莫名其妙的問(wèn)題。
請(qǐng)區(qū)分回調(diào)地址，和授權(quán)服務(wù)器端點(diǎn)uri的地址。

客戶端的session

授權(quán)服務(wù)器的session

體驗(yàn)

另外為了能夠更好的調(diào)式，可以在兩個(gè)應(yīng)用增加@EnableWebSecurity(debug = true)和 log日志，日志如下,打開(kāi)TRACE級(jí)別日志：

logging:
  level:
    root: INFO
    org.springframework.web: INFO
    org.springframework.security: TRACE
    org.springframework.security.oauth2: TRACE

現(xiàn)在啟動(dòng)兩個(gè)應(yīng)用，訪問(wèn)http://127.0.0.1:8080/hello，自動(dòng)跳轉(zhuǎn)到登錄頁(yè)面。

點(diǎn)擊Customize，將跳轉(zhuǎn)至授權(quán)服務(wù)器，注意看地址欄地址為localhost:9000/login，輸入用戶名/密碼登錄，user/user。

登錄后，將跳轉(zhuǎn)至授權(quán)頁(yè)面，由于我們沒(méi)有定制，使用的是默認(rèn)頁(yè)面，可以看到該頁(yè)面的地址為
http://localhost:9000/oauth2/authorize?response_type=code&client_id=testClientId&scope=userinfo&state=yV1ElAN2855yq3bY5kgj_rmilnCclyvZHkxVB7a1d84%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/customize。

我們勾選userinfo，提交后即跳轉(zhuǎn)回客戶端。
我們看下客戶收到的日志，授權(quán)服務(wù)器帶著code回調(diào)了我們填寫(xiě)的回調(diào)地址。
Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D'

************************************************************
Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D':
org.apache.catalina.connector.RequestFacade@1a8761d0
servletPath:/login/oauth2/code/customize
pathInfo:null
headers: 
host: 127.0.0.1:8080
connection: keep-alive
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
referer: http://127.0.0.1:8080/
accept-encoding: gzip, deflate, br
accept-language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
cookie: JSESSIONID=2527F412F53FA27A30BFBC39161ABB63
Security filter chain: [
  DisableEncodeUrlFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  OAuth2AuthorizationRequestRedirectFilter
  OAuth2AuthorizationRequestRedirectFilter
  OAuth2LoginAuthenticationFilter
  DefaultLoginPageGeneratingFilter
  DefaultLogoutPageGeneratingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  OAuth2AuthorizationCodeGrantFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]
************************************************************

總結(jié)

Spring Security 的最小化授權(quán)服務(wù)器的配置，到這里結(jié)束了，該demo雖然代碼量非常少，但涉及的知識(shí)非常多，并且坑也多。

Spring Security文檔中的代碼說(shuō)明更新不及時(shí)，比如@Import(OAuth2AuthorizationServerConfiguration.class)文檔中說(shuō)明是最小化配置，但文檔的快速開(kāi)始又提供了另外一種的最小化配置方式。

另外授權(quán)服務(wù)器如果發(fā)生異常，是不會(huì)打印堆棧的，而是把錯(cuò)誤信息放入到response中，是打算要在頁(yè)面上顯示，然而demo的默認(rèn)錯(cuò)誤頁(yè)并不會(huì)顯示錯(cuò)誤詳情，只有錯(cuò)誤編號(hào)400，如圖。

Spring Authorization Server 還需要多多完善，Spring Security也不例外，不久前我還提了一個(gè)PR，把一個(gè)持續(xù)數(shù)個(gè)版本的bug給修復(fù)了??（過(guò)了，只是文檔中的錯(cuò)誤罷了，被標(biāo)記為文檔中的bug??），看多了外國(guó)人的產(chǎn)品，其實(shí)也沒(méi)有太比國(guó)內(nèi)的開(kāi)源項(xiàng)目好，坑也很多，而我們某些大廠的開(kāi)源項(xiàng)目其實(shí)很好，卻被網(wǎng)友門(mén)各種噴。

到此這篇關(guān)于SpringSecurity自定義授權(quán)服務(wù)器實(shí)踐的文章就介紹到這了,更多相關(guān)SpringSecurity自定義授權(quán)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: