Spring Security OAuth2 SSO

Stella981
• 阅读 745

通常公司肯定不止一个系统,每个系统都需要进行认证和权限控制,不可能每个每个系统都自己去写,这个时候需要把登录单独提出来

  1. 登录和授权是统一的
  2. 业务系统该怎么写还怎么写

Spring Security OAuth2 SSO

最近学习了一下Spring Security,今天用Spring Security OAuth2简单写一个单点登录的示例

在此之前,需要对OAuth2有一点了解

这里有几篇文章可能会对你有帮助

Spring Boot Security

OAuth 2.0

OAuth 2.0 授权码请求

Spring Security OAuth 2.0

Spring Boot OAuth 2.0 客户端

1. 服务器端配置

1.1. Maven依赖

Spring Security OAuth2 SSO

4.0.0

<groupId>com.cjs.example</groupId>
<artifactId>cjs-oauth2-sso-auth-server</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>

<name>cjs-oauth2-sso-auth-server</name>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.3.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.46</version>
    </dependency>

    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

Spring Security OAuth2 SSO

1.2. 配置授权服务器

Spring Security OAuth2 SSO

package com.cjs.example.config;

import org.springframework.context.annotation.Configuration; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

import javax.annotation.Resource; import javax.sql.DataSource;

@Configuration @EnableAuthorizationServer public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

@Resource
private DataSource dataSource;

/\*\*
 \* 配置授权服务器的安全,意味着实际上是/oauth/token端点。
 \* /oauth/authorize端点也应该是安全的
 \* 默认的设置覆盖到了绝大多数需求,所以一般情况下你不需要做任何事情。
 \*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
    super.configure(security);
}

/\*\*
 \* 配置ClientDetailsService
 \* 注意,除非你在下面的configure(AuthorizationServerEndpointsConfigurer)中指定了一个AuthenticationManager,否则密码授权方式不可用。
 \* 至少配置一个client,否则服务器将不会启动。
 \*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.jdbc(dataSource);
}

/\*\*
 \* 该方法是用来配置Authorization Server endpoints的一些非安全特性的,比如token存储、token自定义、授权类型等等的
 \* 默认情况下,你不需要做任何事情,除非你需要密码授权,那么在这种情况下你需要提供一个AuthenticationManager
 \*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    super.configure(endpoints);
}

}

Spring Security OAuth2 SSO

说明:这里授权服务器我主要是配置了注册客户端,客户端可以从内存中或者数据库中加载,这里我从数据库中加载,因为这样感觉更真实一点儿。

Spring Security OAuth2 SSO

查看JdbcClientDetailsService源码我们不难看出其表结构。(PS:也可以自定义,就像UserDetailsService那样)

这里,我准备的SQL脚本如下:

Spring Security OAuth2 SSO

CREATE TABLE oauth_client_details ( client_id VARCHAR(256) PRIMARY KEY, resource_ids VARCHAR(256), client_secret VARCHAR(256), scope VARCHAR(256), authorized_grant_types VARCHAR(256), web_server_redirect_uri VARCHAR(256), authorities VARCHAR(256), access_token_validity INTEGER, refresh_token_validity INTEGER, additional_information VARCHAR(4096), autoapprove VARCHAR(256) ); INSERT INTO oauth_client_details (client_id, client_secret, scope, authorized_grant_types, web_server_redirect_uri, autoapprove) VALUES ('MemberSystem', '$2a$10$dYRcFip80f0jIKGzRGulFelK12036xWQKgajanfxT65QB4htsEXNK', 'user_info', 'authorization_code', 'http://localhost:8081/login', 'user_info'); INSERT INTO oauth_client_details (client_id, client_secret, scope, authorized_grant_types, web_server_redirect_uri, autoapprove) VALUES ('CouponSystem', '$2a$10$dYRcFip80f0jIKGzRGulFelK12036xWQKgajanfxT65QB4htsEXNK', 'user_info', 'authorization_code', 'http://localhost:8082/login', 'user_info');

Spring Security OAuth2 SSO

这里注册了两个客户端,分别是MemberSystem和CouponSystem。

1.3. 配置WebSecurity

Spring Security OAuth2 SSO

package com.cjs.example.config;

import com.cjs.example.support.MyUserDetailsService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private MyUserDetailsService myUserDetailsService;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/oauth/\*\*","/login/\*\*", "/logout").permitAll()
            .anyRequest().authenticated()   // 其他地址的访问均需验证权限
            .and()
            .formLogin()
            .loginPage("/login")
            .and()
            .logout().logoutSuccessUrl("/");
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/assets/\*\*");
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
}

@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
    return super.authenticationManager();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

}

Spring Security OAuth2 SSO

说明:

  1. 这里,主要配置了UserDetailsService

Spring Security OAuth2 SSO

package com.cjs.example.support;

import com.cjs.example.domain.SysPermission; import com.cjs.example.domain.SysRole; import com.cjs.example.domain.SysUser; import com.cjs.example.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service;

import java.util.ArrayList; import java.util.List;

@Service public class MyUserDetailsService implements UserDetailsService {

@Autowired
private UserService userService;

/\*\*
 \* 授权的时候是对角色授权,而认证的时候应该基于资源,而不是角色,因为资源是不变的,而用户的角色是会变的
 \*/

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    SysUser sysUser = userService.getUserByName(username);
    if (null == sysUser) {
        throw new UsernameNotFoundException(username);
    }
    List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    for (SysRole role : sysUser.getRoleList()) {
        for (SysPermission permission : role.getPermissionList()) {
            authorities.add(new SimpleGrantedAuthority(permission.getCode()));
        }
    }

    return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
}

}

Spring Security OAuth2 SSO

1.4. 新建登录页面

Spring Security OAuth2 SSO

package com.cjs.example.controller;

import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping;

@Controller public class LoginController {

@RequestMapping("/login")
public String login() {
    return "login";
}

@GetMapping("/index")
public String index() {
    return "index";
}

}

Spring Security OAuth2 SSO

1.5. application.yml

Spring Security OAuth2 SSO

server: port: 8080 spring: datasource: url: jdbc:mysql://10.123.52.189:3306/oh_coupon username: devdb password: d^V$0Fu!/6-<s driver-class-name: com.mysql.jdbc.Driver logging: level: root: debug

Spring Security OAuth2 SSO

2. 客户端配置

2.1. Maven依赖

Spring Security OAuth2 SSO

4.0.0

<groupId>com.example</groupId>
<artifactId>cjs-oauth2-sso-ui</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>

<name>cjs-oauth2-sso-ui</name>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.3.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.0.1.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

Spring Security OAuth2 SSO

2.2. WebSecurity配置

Spring Security OAuth2 SSO

package com.cjs.example.config;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableOAuth2Sso @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class UiSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/\*\*")
            .authorizeRequests()
            .antMatchers("/", "/login\*\*").permitAll()
            .anyRequest()
            .authenticated();
}

}

Spring Security OAuth2 SSO

说明:

  这里最重要的是应用了**@EnableOAuth2Sso**注解

  Spring Boot 1.x 版本和 2.x 版本在OAuth2这一块的差异还是比较大的,在Spring Boot 2.x 中没有@EnableOAuth2Sso这个注解,所以我引用了spring-security-oauth2-autoconfigure

Spring Security OAuth2 SSO

2.3. 定义一个简单的控制器

Spring Security OAuth2 SSO

package com.cjs.example.controller;

import com.cjs.example.domain.Member; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.servlet.ModelAndView;

import java.util.ArrayList; import java.util.List;

@Controller @RequestMapping("/member") public class MemberController {

/\*\*
 \* 会员列表页面
 \*/
@RequestMapping("/list")
public ModelAndView list() {
    ModelAndView modelAndView = new ModelAndView("member/list");
    return modelAndView;
}

/\*\*
 \* 导出
 \*/
@PreAuthorize("hasAuthority('memberExport')")
@ResponseBody
@RequestMapping("/export")
public List<Member> export() {
    Member member = new Member();
    member.setName("苏九儿");
    member.setCode("1000");
    member.setMobile("13112345678");
    member.setGender(1);
    Member member1 = new Member();
    member1.setName("郭双");
    member1.setCode("1001");
    member1.setMobile("15812346723");
    member1.setGender(1);
    List<Member> list = new ArrayList<>();
    list.add(member);
    list.add(member1);
    return list;
}

/\*\*
 \* 详情
 \*/
@PreAuthorize("hasAuthority('memberDetail')")
@RequestMapping("/detail")
public ModelAndView detail() {
    return new ModelAndView(" member/detail");
}

}

Spring Security OAuth2 SSO

2.4. application.yml

Spring Security OAuth2 SSO

server: port: 8081 servlet: session: cookie: name: UISESSIONMEMBER

security: oauth2: client: client-id: MemberSystem client-secret: 12345 access-token-uri: http://localhost:8080/oauth/token user-authorization-uri: http://localhost:8080/oauth/authorize resource: user-info-uri: http://localhost:8080/user/me logging: level: root: debug spring: thymeleaf: cache: false

Spring Security OAuth2 SSO

说明:

  1. 这里需要注意的是不要忘记设置cookie-name,不然会有一些莫名其妙的问题,比如“User must be authenticated with Spring Security before authorization can be completed”

3. 运行效果

Spring Security OAuth2 SSO

在这个例子中,会员系统(localhost:8081)和营销系统(localhost:8082)是两个系统

可以看到,当我们登录会员系统以后,再进营销系统就不需要登录了。

3.1. 遗留问题

  1. 退出
  2. 记住我

3.2. 工程结构

Spring Security OAuth2 SSO

https://github.com/chengjiansheng/cjs-oauth2-example.git

3.3. 参考

https://github.com/eugenp/tutorials/tree/master/spring-security-sso

https://blog.csdn.net/sinat_24798023/article/details/80536881

https://segmentfault.com/a/1190000012384850

http://www.baeldung.com/spring-security-oauth-revoke-tokens

https://segmentfault.com/a/1190000013531863

https://spring.io/guides/tutorials/spring-boot-oauth2/

点赞
收藏
评论区
推荐文章
blmius blmius
3年前
MySQL:[Err] 1292 - Incorrect datetime value: ‘0000-00-00 00:00:00‘ for column ‘CREATE_TIME‘ at row 1
文章目录问题用navicat导入数据时,报错:原因这是因为当前的MySQL不支持datetime为0的情况。解决修改sql\mode:sql\mode:SQLMode定义了MySQL应支持的SQL语法、数据校验等,这样可以更容易地在不同的环境中使用MySQL。全局s
Karen110 Karen110
3年前
一篇文章带你了解JavaScript日期
日期对象允许您使用日期(年、月、日、小时、分钟、秒和毫秒)。一、JavaScript的日期格式一个JavaScript日期可以写为一个字符串:ThuFeb02201909:59:51GMT0800(中国标准时间)或者是一个数字:1486000791164写数字的日期,指定的毫秒数自1970年1月1日00:00:00到现在。1\.显示日期使用
皕杰报表之UUID
​在我们用皕杰报表工具设计填报报表时,如何在新增行里自动增加id呢?能新增整数排序id吗?目前可以在新增行里自动增加id,但只能用uuid函数增加UUID编码,不能新增整数排序id。uuid函数说明:获取一个UUID,可以在填报表中用来创建数据ID语法:uuid()或uuid(sep)参数说明:sep布尔值,生成的uuid中是否包含分隔符'',缺省为
待兔 待兔
5个月前
手写Java HashMap源码
HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程22
Jacquelyn38 Jacquelyn38
3年前
2020年前端实用代码段,为你的工作保驾护航
有空的时候,自己总结了几个代码段,在开发中也经常使用,谢谢。1、使用解构获取json数据let jsonData  id: 1,status: "OK",data: 'a', 'b';let  id, status, data: number   jsonData;console.log(id, status, number )
Easter79 Easter79
3年前
Twitter的分布式自增ID算法snowflake (Java版)
概述分布式系统中,有一些需要使用全局唯一ID的场景,这种时候为了防止ID冲突可以使用36位的UUID,但是UUID有一些缺点,首先他相对比较长,另外UUID一般是无序的。有些时候我们希望能使用一种简单一些的ID,并且希望ID能够按照时间有序生成。而twitter的snowflake解决了这种需求,最初Twitter把存储系统从MySQL迁移
Wesley13 Wesley13
3年前
00:Java简单了解
浅谈Java之概述Java是SUN(StanfordUniversityNetwork),斯坦福大学网络公司)1995年推出的一门高级编程语言。Java是一种面向Internet的编程语言。随着Java技术在web方面的不断成熟,已经成为Web应用程序的首选开发语言。Java是简单易学,完全面向对象,安全可靠,与平台无关的编程语言。
Stella981 Stella981
3年前
Django中Admin中的一些参数配置
设置在列表中显示的字段,id为django模型默认的主键list_display('id','name','sex','profession','email','qq','phone','status','create_time')设置在列表可编辑字段list_editable
Wesley13 Wesley13
3年前
MySQL部分从库上面因为大量的临时表tmp_table造成慢查询
背景描述Time:20190124T00:08:14.70572408:00User@Host:@Id:Schema:sentrymetaLast_errno:0Killed:0Query_time:0.315758Lock_
Python进阶者 Python进阶者
11个月前
Excel中这日期老是出来00:00:00,怎么用Pandas把这个去除
大家好,我是皮皮。一、前言前几天在Python白银交流群【上海新年人】问了一个Pandas数据筛选的问题。问题如下:这日期老是出来00:00:00,怎么把这个去除。二、实现过程后来【论草莓如何成为冻干莓】给了一个思路和代码如下:pd.toexcel之前把这