一、开篇
本篇是《Spring OAuth2 开发指南》系列文章的第二篇,通过代码实例具体介绍 OAuth2 明码模式的开发细节。网络上对于 OAuth2 开发的代码示范非常多而且芜杂,基本上都是官网手册的摘录搬运,或者过多地受制于框架自身如 Spring Security,束缚太多,不足系统性,容易造成同学们云里雾里,以至于生吞活剥。
自己主张在开发落地过程中,既不能齐全本人造轮子,也不应齐全依赖轮子,应该从实质登程,在理清技术原理和细节的条件下,抉择适宜的办法。从这个准则登程,本文将依据“明码模式的典型架构档次和次要流程”(见《Spring OAuth2 开发指南(一)》)中形容的流程节点,展现其代码实现。另外,文章的要点在于后半局部,提出了资源服务器端鉴权 / 权限管制,和受权服务器端鉴权 / 权限管制两种实现办法。
须要留神的是 password 模式因为 OAuth2.1 不举荐应用所以只提供旧的组件代码版本,具体请参见 https://datatracker.ietf.org/…
二、演示案例
咱们持续用相册预览零碎(PAPS,Photo Album Preview System)作为演示案例。
PAPS 是一个社交平台的子系统,与 IBCS 相似,采纳 RESTful API 对外交互,次要性能是容许用户预览本人的相册,以下是 PAPS 演示我的项目的必要服务:
服务名 | 类别 | 形容 | 技术选型
-
photo-service 外部服务 资源服务器角色,相册预览服务 Spring Boot 开发的 RESTful 服务 idp 外部服务 受权服务器角色,具体指负责认证、受权和鉴权 Spring Boot 开发 demo-h5 内部利用 demo 利用的前端 应用 Postman 代替
为此,咱们将搭建两个工程项目:photo-service 和 idp,客户端用 Postman 代替。
三、工程构造
接下来演示两个工程项目的框架代码,这部分代码蕴含工程的框架结构、Spring Security 和 OAuth2 的根底配置,尽量采纳最精简的形式书写。其余我的项目能够 copy 这部分代码作为根底模板应用。
photo-service 相册服务
- 根底工程构造
src/main
java
com.example.demophoto
config
oauth2
CheckTokenAuthentication.java
CheckTokenFilter.java
CustomPermissionEvaluator.java
CustomRemoteTokenServices.java
ResourceServerConfigurer.java
service
PermisionEvaluatingService.java
web
PhotoController.java
DemoPhotoApplication.java
resources
applicaton.yaml
- pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.4.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>oauth2-demo-1a-photo-service</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>oauth2-demo-1a-photo-service</name>
<description>oauth2-demo-1a-photo-service</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure -->
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.1.2.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
- applicaton.yaml
server:
port: 8010
security:
oauth2:
client:
clientId: client2
clientSecret: client2p
resource:
tokenInfoUri: http://127.0.0.1:8000/oauth/check_token
- ResourceServerConfigurer.java
package com.example.demophoto.config.oauth2;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
/**
* spring-security-oauth2 组件一般性配置
*
* @param resources
*/
@Override
public void configure(ResourceServerSecurityConfigurer resources) {resources.resourceId("demo-1");
}
/**
* spring-security-oauth2 组件一般性配置
*
* @param http
* @throws Exception
*/
@Override
public void configure(HttpSecurity http) throws Exception {http.authorizeRequests()
.anyRequest().authenticated();
}
}
idp 受权服务
- 根底工程构造
src/main
java
com.example.demoidp
config
oauth2
AuthorizationServerConfigurer.java
CheckTokenInterceptor.java
WebSecurityConfig.java
service
业务逻辑,如鉴权逻辑
DemoIdpApplication.java
resources
applicaton.yaml
- pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.4.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>oauth2-demo-1a-idp</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>oauth2-demo-1a-idp</name>
<description>oauth2-demo-1a-idp</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2 -->
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.8.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
- applicaton.yaml
server:
port: 8000
- AuthorizationServerConfigurer.java
package com.example.demoidp.config.oauth2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
private AuthenticationManager authenticationManager;
/**
* spring-security-oauth2 组件一般性配置
*
* @param authenticationManager
*/
@Autowired
public AuthorizationServerConfigurer(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}
/**
* 配置明码加密办法
*/
@Bean
PasswordEncoder passwordEncoder() {return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
/**
* spring-security-oauth2 组件一般性配置
*
* @param endpoints
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {endpoints.authenticationManager(authenticationManager);
}
/**
* spring-security-oauth2 组件一般性配置
*
* @param security
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
security
// /oauth/check_token 申请放行
.checkTokenAccess("permitAll()")
.passwordEncoder(passwordEncoder());
}
}
- WebSecurityConfig.java
package com.example.demoidp.config.oauth2;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* spring-security-oauth2 组件一般性配置
*
* @return AuthenticationManager
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();
}
}
四、代码实现
如图所示,是明码模式的最精简架构档次和次要流程。上面咱们逐渐实现该流程:
一)第一阶段:认证受权阶段
1)用户代理(demo-h5)将用户输出的用户名和明码,发送给客户端(demo-service)
此步骤咱们应用 Postman 执行,这里不开展介绍。
2)客户端(demo-service)将用户输出的用户名和明码,连同 client_id + client_secret (由 idp 调配)一起发送到 idp 以申请令牌,如果 idp 约定了 scope 则还须要带上 scope 参数
此步骤咱们应用 Postman 执行,这里不开展介绍。须要留神的是,Postman 在这里依然是一个 client 角色,client_id 代表的是它本人。申请的 URL 为:
POST http://127.0.0.1:8000/oauth/token
3)idp 首先验证 client_id + client_secret 的合法性,再查看 scope 是否无误,最初验证用户名和明码是否正确,正确则生成 token。这一步也叫“认证”
为了实现这个步骤,咱们在 idp 工程的 AuthorizationServerConfigurer 类中退出以下代码:
- 首先是 client_id + client_secret + scope 的校验
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
...
/**
* 3. [明码模式的典型架构档次和次要流程] 中的第 3 步:* idp 首先验证 client_id + client_secret 的合法性,再查看 scope 是否无误
*
* PS: 这里为演示不便,就地创立了账号,生产环境应自行替换成数据库查问等形式
*/
private class MockJDBCClientDetailsService implements ClientDetailsService {
@Override
public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
/**
* GrantedAuthority 与 hasAuthority() 关联
*/
Set<GrantedAuthority> authorities = new HashSet<>();
authorities.add(new SimpleGrantedAuthority("READ"));
authorities.add(new SimpleGrantedAuthority("WRITE"));
BaseClientDetails details1 = new BaseClientDetails();
details1.setClientId("client1");
details1.setClientSecret(passwordEncoder().encode("client1p"));
details1.setAuthorizedGrantTypes(Arrays.asList("password"));
details1.setScope(Arrays.asList("resource:write", "resource:read"));
details1.setResourceIds(Arrays.asList("demo-1"));
details1.setAuthorities(authorities);
BaseClientDetails details2 = new BaseClientDetails();
details2.setClientId("client2");
details2.setClientSecret(passwordEncoder().encode("client2p"));
details2.setAuthorizedGrantTypes(Arrays.asList("client_credentials"));
details2.setScope(Arrays.asList("resource:write", "resource:read"));
details2.setResourceIds(Arrays.asList("demo-1"));
details2.setAuthorities(authorities);
BaseClientDetails details3 = new BaseClientDetails();
details3.setClientId("client3");
details3.setClientSecret(passwordEncoder().encode("client3p"));
details3.setAuthorizedGrantTypes(Arrays.asList("password"));
details3.setScope(Arrays.asList("resource:write", "resource:read"));
details3.setResourceIds(Arrays.asList("demo-1"));
details3.setAuthorities(authorities);
Map<String, ClientDetails> clients = new HashMap<>();
clients.put("client1", details1);
clients.put("client2", details2);
clients.put("client3", details3);
if (!clients.containsKey(clientId)) {throw new ClientRegistrationException("Client not found");
}
return clients.get(clientId);
}
}
/**
* spring-security-oauth2 组件一般性配置
* 配置自定义 ClientDetails
*
* @param clients
* @throws Exception
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.withClientDetails(new MockJDBCClientDetailsService());
}
...
}
- 而后是用户名和明码的校验
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 3. [明码模式的典型架构档次和次要流程] 中的第 3 步:* 验证用户名和明码是否正确,正确则生成 token
*
* PS: 这里为演示不便,就地创立了账号,生产环境应自行替换成数据库查问等形式
*/
private class MockJDBCUserDeatilsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {Map<String, String> users = new HashMap<>();
users.put("user1", "pwd1");
users.put("user2", "pwd2");
if (!users.containsKey(username)) {throw new UsernameNotFoundException("User not found");
}
return User.withDefaultPasswordEncoder()
.username(username)
.password(users.get(username))
.roles("USER")
.build();}
}
@Bean
@Override
public UserDetailsService userDetailsService() {return new MockJDBCUserDeatilsService();
}
}
当 client_id + client_secret + scope,以及用户名和明码都校验通过后,spring-security-oauth2 会调用适合的 tokenServices 生成 token。有趣味的同学能够自行查阅源代码追踪整个过程,这里介绍源码追踪的入口办法:
咱们晓得 demo-h5 客户端(Postman)首先向 http://127.0.0.1:8000/oauth/t… 发动申请,因而咱们找到 spring-security-oauth2 组件源码中的 /oauth/token 端点,具体门路为:
org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken()
4)idp 返回认证后果给客户端,认证通过返回 token,认证失败返回 401。如果认证胜利则此步骤也叫“受权”
这一步 spring-security-oauth2 曾经为咱们解决好了,不须要额定解决。想要追踪源码过程的同学,可参考上一步骤介绍的入口办法。
5)客户端收到 token 后进行暂存,并创立对应的 session
这个步骤通过 Postman 演示(间接复制返回的 token 字符串即可),这里不开展介绍。
6)客户端颁发 cookie 给用户代理 / 浏览器
这个步骤通过 Postman 演示,这里不开展介绍。
二)第二阶段:受权后申请资源阶段
7)用户通过用户代理(demo-h5)拜访“我的相册”页面,用户代理携带 cookie 向客户端(demo—service)发动申请
此步骤应用 Postman 执行,不开展叙述。
8)客户端通过 session 找到对应的 token,携带此 token 向资源服务器(photo-service)发动申请
此步骤应用 Postman 执行,咱们将第 5) 步获取的 token 作为 Bearer Token,向 photo-service 发动申请,申请的 URL 为:
GET http://127.0.0.1:8010/api/photo
该申请只须要携带 token 即可,不须要其余参数
9)资源服务器(photo-service)向 idp 申请验证 token 有效性
在介绍如何解决申请前,咱们先在 photo-service 工程中新增相干代码:
- PhotoController.java
package com.example.demophoto.web;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/api/")
public class PhotoController {@GetMapping("/photo")
public String fetchPhoto() {return "GET photo";}
}
此外,还有几个要害配置:
- ResourceServerConfigurerAdapter.configure(HttpSecurity http) 办法配置了 http.authorizeRequests().anyRequest().authenticated() 使得所有申请都要先鉴权;
- application.yaml 中配置了 client_id、client_secret 和 resource.tokenInfoUri,当资源服务承受到申请时,会携带 token 向 tokenInfoUri 指定的地址发动鉴权申请。
默认状况下,当 demo-h5 向 photo-service 发动资源拜访的申请时,photo-service 会将获取的 token 发到 idp 进行校验,在这个过程中 spring-security-oauth2 不会对 scope 做任何解决。咱们晓得 scope 是用来束缚 client 的权限范畴的,因而 scope 权限查看(也视为鉴权的工作之一)这个工作须要本人编码实现。
通常来说,scope 权限查看的业务逻辑能够灵便设定,甚至能够疏忽它。本文介绍两种 scope 查看的实现办法:
- 资源服务器端查看;
- 受权服务器端查看。
接下来的第 10) 步将拆分成两种形式,别离对此进行介绍。
10)【形式一:资源服务器端 scope 查看】idp 校验 token 有效性,资源服务器校验 scope
idp 校验 token 有效性,通过则返回 client 相干信息(蕴含 scope)给 photo-service,photo-service 再依据 scope 判断客户端(demo-h5)是否有权限调用此 API,如通过查看则持续下一步骤,否则返回 403 谬误给 demo-h5。这一步也叫“鉴权”
咱们在 photo-service 工程中增加以下代码:
- ResourceServerConfigurer.java
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
...
@Override
public void configure(HttpSecurity http) throws Exception {http.authorizeRequests()
.antMatchers("/api/photo/**").access("#oauth2.hasScope('resource:read')")
.antMatchers("/api/photo2/**").access("#oauth2.hasScope('resource:read')")
.antMatchers("/api/photo3/**").access("#oauth2.hasScope('resource:write')")
.anyRequest().authenticated();
}
...
}
通过 access(“#oauth2.hasScope(‘resource:write’)”) 办法能够实现资源服务器端的 scope 查看。其次要流程为:
- photo-service 收到客户端申请后,将获取到的 token 发往 idp 校验;
- idp 校验通过后,将 clientDetails 信息返回给 photo-service,其中就包含 scope 参数;
- photo-service 拿到 scope 后,依据 access(“#oauth2.hasScope(‘resource:write’)”) 判断该申请是否在 scope 范畴内。
10)【形式二:idp 端 scope 查看】idp 校验 token + scope 有效性
idp 校验 token 有效性,再依据 scope 判断客户端(demo-h5)是否有权限调用此 API,最初返回校验后果给资源服务器。因为 spring-security-oauth2 自身没有解决 scope 查看,且默认状况下,photo-service 向 idp 申请 token 鉴权时,并未携带任何其余申请信息,因而 idp 无奈晓得本次申请的细节,因而无奈执行 socpe 查看。
所以重点有两个:一是 photo-service 向 idp 申请 token 鉴权的同时如何携带申请的细节(比方拜访的是什么资源?申请的是哪个 API?);二是如何拦挡 token 鉴权过程使得 scope 校验失败是返回 403 谬误?
当然实现这个目标,有很多办法,本文采纳了比拟直观的办法:利用 Filter。
咱们在 photo-service 工程中增加以下代码:
- ResourceServerConfigurer.java
package com.example.demophoto.config.oauth2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
private final ResourceServerProperties resource;
@Autowired
protected ResourceServerConfigurer(ResourceServerProperties resource) {this.resource = resource;}
/**
* 自定义 RemoteTokenServices 以取代资源服务器默认应用的
* RemoteTokenServices 向 IDP 发动 /oauth/check_token 鉴权申请
*
* @return
*/
public CustomRemoteTokenServices customRemoteTokenServices() {CustomRemoteTokenServices services = new CustomRemoteTokenServices();
services.setCheckTokenEndpointUrl(this.resource.getTokenInfoUri());
services.setClientId(this.resource.getClientId());
services.setClientSecret(this.resource.getClientSecret());
return services;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) {resources.resourceId("demo-1")
.tokenServices(customRemoteTokenServices());
}
@Override
public void configure(HttpSecurity http) throws Exception {http.addFilterBefore(new CheckTokenFilter(), AbstractPreAuthenticatedProcessingFilter.class);
http.authorizeRequests()
.antMatchers("/api/photo/**").access("#oauth2.hasScope('resource:read')")
.antMatchers("/api/photo2/**").access("#oauth2.hasScope('resource:read')")
.antMatchers("/api/photo3/**").access("#oauth2.hasScope('resource:write')")
.anyRequest().authenticated();
}
}
- CheckTokenFilter.java
package com.example.demophoto.config.oauth2;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
/**
* 在向 IDP 发动 /oauth/check_token 申请前,将申请细节存储到 SecurityContext 中,* 以便 CustomRemoteTokenServices.loadAuthentication() 能够获取到该申请细节
*/
public class CheckTokenFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
ServletException {HttpServletRequest request = (HttpServletRequest) req;
String uri = request.getRequestURI();
String method = request.getMethod();
/**
* 仅解决 /api/**
*/
if (!uri.startsWith("/api/")) {chain.doFilter(req, res);
return;
}
SecurityContext sc = SecurityContextHolder.getContext();
CheckTokenAuthentication authentication = (CheckTokenAuthentication) sc.getAuthentication();
if (authentication == null) {authentication = new CheckTokenAuthentication(null);
}
/**
* 将用户代理或其余服务申请拜访本资源服务器的细节(此处为 HTTP-Method + URI)* 存储到 SecurityContext 的 authentication 对象中
*/
Map<String, Object> details = new HashMap<>();
details.put("uri", uri);
details.put("method", method);
authentication.setDetails(details);
sc.setAuthentication(authentication);
chain.doFilter(req, res);
}
}
- CustomRemoteTokenServices.java
package com.example.demophoto.config.oauth2;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.*;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Map;
/**
* 以 RemoteTokenServices 为模板
* 基本思路是在向 IDP 发动 /oauth/check_token 的申请中,* 增加用户代理或其余服务申请拜访本资源服务器的 API 的细节,* 以便 IDP 能够判断该用户代理或其余服务(即 client)是否能够调用此 API
* <p>
*(PS:也能够由 IDP 返回 ClientDetails 给资源服务,由资源服务解决放行逻辑)*/
public class CustomRemoteTokenServices implements ResourceServerTokenServices {protected final Log logger = LogFactory.getLog(getClass());
private RestOperations restTemplate;
private String checkTokenEndpointUrl;
private String clientId;
private String clientSecret;
private String tokenName = "token";
/**
* 与 IDP 约定的存储 API 申请细节的参数
*/
private String reqPayload = "payload";
private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
public CustomRemoteTokenServices() {restTemplate = new RestTemplate();
((RestTemplate) restTemplate).setErrorHandler(new DefaultResponseErrorHandler() {
@Override
// Ignore 400
public void handleError(ClientHttpResponse response) throws IOException {Integer statusCode = response.getRawStatusCode();
if (statusCode != 400) {if (statusCode == 401 || statusCode == 403) {HttpStatus status = HttpStatus.resolve(statusCode);
throw new AccessDeniedException(status.toString());
}
super.handleError(response);
}
}
});
}
public void setRestTemplate(RestOperations restTemplate) {this.restTemplate = restTemplate;}
public void setCheckTokenEndpointUrl(String checkTokenEndpointUrl) {this.checkTokenEndpointUrl = checkTokenEndpointUrl;}
public void setClientId(String clientId) {this.clientId = clientId;}
public void setClientSecret(String clientSecret) {this.clientSecret = clientSecret;}
public void setAccessTokenConverter(AccessTokenConverter accessTokenConverter) {this.tokenConverter = accessTokenConverter;}
public void setTokenName(String tokenName) {this.tokenName = tokenName;}
/**
* 当应用自定义的 tokenServices 替换默认的 tokenServices 后,* 原来流程中的第 9 步就变成由该办法执行。*
* 9. [明码模式的典型架构档次和次要流程] 中的第 9 步:* 资源服务器(photo-service)向 idp 申请验证 token 有效性
*
* @param accessToken
* @return
* @throws AuthenticationException
* @throws InvalidTokenException
*/
@Override
public OAuth2Authentication loadAuthentication(String accessToken) throws AuthenticationException, InvalidTokenException {Map<String, Object> authDetails = new HashMap<>();
/**
* 获得在 CheckTokenFilter 过滤器中置入的 API 申请细节
*/
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {authDetails = (Map<String, Object>) authentication.getDetails();}
MultiValueMap<String, String> formData = new LinkedMultiValueMap<>();
formData.add(tokenName, accessToken);
if (!authDetails.isEmpty()) {formData.add(reqPayload, authDetails.get("method") + "" + authDetails.get("uri"));
}
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", getAuthorizationHeader(clientId, clientSecret));
Map<String, Object> map = postForMap(checkTokenEndpointUrl, formData, headers);
/**
* 11. [明码模式的典型架构档次和次要流程] 中的第 11 步:* 如果 token 校验失败则返回 401 给客户端,如果 scope 查看不通过则返回 403
*/
if (map.containsKey("error")) {if (logger.isDebugEnabled()) {logger.debug("check_token returned error:" + map.get("error"));
}
if (map.containsKey("status")) {if ("403".equals(map.get("status").toString())) {throw new OAuth2AccessDeniedException(map.get("error").toString());
}
}
throw new InvalidTokenException(accessToken);
}
// gh-838
if (map.containsKey("active") && !"true".equals(String.valueOf(map.get("active")))) {logger.debug("check_token returned active attribute:" + map.get("active"));
throw new InvalidTokenException(accessToken);
}
return tokenConverter.extractAuthentication(map);
}
@Override
public OAuth2AccessToken readAccessToken(String accessToken) {throw new UnsupportedOperationException("Not supported: read access token");
}
private String getAuthorizationHeader(String clientId, String clientSecret) {if (clientId == null || clientSecret == null) {logger.warn("Null Client ID or Client Secret detected. Endpoint that requires authentication will reject request with 401 error.");
}
String creds = String.format("%s:%s", clientId, clientSecret);
try {return "Basic" + new String(Base64.encode(creds.getBytes("UTF-8")));
} catch (UnsupportedEncodingException e) {throw new IllegalStateException("Could not convert String");
}
}
private Map<String, Object> postForMap(String path, MultiValueMap<String, String> formData, HttpHeaders headers) {if (headers.getContentType() == null) {headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
}
@SuppressWarnings("rawtypes")
Map<String, Object> result = new HashMap<>();
try {
Map map = restTemplate.exchange(path, HttpMethod.POST,
new HttpEntity<MultiValueMap<String, String>>(formData, headers), Map.class).getBody();
result = map;
}
catch (Exception e) {logger.error(e.getMessage());
}
return result;
}
}
- CheckTokenAuthentication.java
package com.example.demophoto.config.oauth2;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
public class CheckTokenAuthentication extends AbstractAuthenticationToken {
/**
* Creates a token with the supplied array of authorities.
*
* @param authorities the collection of <tt>GrantedAuthority</tt>s for the principal
* represented by this authentication object.
*/
public CheckTokenAuthentication(Collection<? extends GrantedAuthority> authorities) {super(authorities);
}
@Override
public Object getCredentials() {return null;}
@Override
public Object getPrincipal() {return null;}
}
接着在 idp 工程中增加以下代码:
- AuthorizationServerConfigurer.java
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
...
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {endpoints.authenticationManager(authenticationManager)
// 通过插入 interceptor 来实现自定义的鉴权办法
.addInterceptor(new CheckTokenInterceptor(endpoints.getTokenStore()));
}
...
}
- CheckTokenInterceptor.java
package com.example.demoidp.config.oauth2;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;
/**
* /oauth/check_token 校验 token 申请拦截器
*/
public class CheckTokenInterceptor implements HandlerInterceptor {
private String TOKEN_NAME = "token";
private final String TOKEN_INFO_URI = "/oauth/check_token";
private TokenStore tokenStore;
public CheckTokenInterceptor(TokenStore tokenStore) {this.tokenStore = tokenStore;}
// for test only
private final Map<String, String> clientScopes = new HashMap<String, String>() {
{put("client1[resource:read]", "GET /api/photo");
put("client1[resource:write]", "POST /api/photo");
put("client2[resource:read]", "GET /api/photo2");
put("client2[resource:write]", "POST /api/photo2");
put("client3[resource:read]", "GET /api/photo3");
put("client3[resource:write]", "POST /api/photo3");
}
};
/**
* 10. [明码模式的典型架构档次和次要流程] 中的第 10 步:* idp 校验 token 有效性和 scope 权限
* <p>
* 即 IDP 依据 scope 判断客户端(demo-service)* 是否有权限调用此 API,最初返回校验后果给资源服务器
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {String uri = request.getRequestURI();
/**
* 仅拦挡 /oauth/check_token
*/
if (!TOKEN_INFO_URI.equals(uri)) {return true;}
/**
* payload 是 IDP 和资源服务器角色约定的传参格局
* 即 client 申请拜访资源服务器的 API 的细节
* 可要求必须携带 payload
*
* 此局部可依据业务逻辑自行处理
*/
String paylad = request.getParameter("payload");
if (StringUtils.isEmpty(paylad)) {throw new AccessDeniedException("insufficient_payload");
}
if ("GET /error".equals(paylad)) {return true;}
/**
* 10. [明码模式的典型架构档次和次要流程] 中的第 10 步:*【形式二:idp 端 scope 查看】idp 校验 token + scope 有效性
*
* 依据 token 查得 clientId,再依据 scope 查看该 client 是否有权限调用此 API
* 此局部可依据业务逻辑自行处理,比方从数据库中查问 client、API 和 scope 的关系
*/
String token = request.getParameter(TOKEN_NAME);
OAuth2Authentication oAuth2Authentication = tokenStore.readAuthentication(token);
OAuth2Request oAuth2Request = oAuth2Authentication.getOAuth2Request();
String scopeKey = oAuth2Request.getClientId() + oAuth2Request.getScope();
if (clientScopes.containsKey(scopeKey)) {if (!clientScopes.get(scopeKey).equals(paylad)) {throw new AccessDeniedException("insufficient_scope");
}
}
return true;
}
}
idp 端的 scope 查看实现起来略微麻烦点,其次要思路是:
- 在 photo-service 向 idp 发动 /oauth/check_oauth 鉴权申请前,增加过滤器,将客户端的申请细节保留到某个全局对象中;
- 替换 photo-service 默认的 tokenServices,在向 idp 发动 /oauth/check_oauth 鉴权申请的过程中,将申请细节附加到申请中;
- idp 在 AuthorizationServerEndpointsConfigurer 中增加自定义 Interceptor,在每次 check token 前先执行 自定义 Interceptor;
- idp 在自定义 Interceptor 中取出申请细节,依据申请细节和 clientDetails 信息(scope),执行 scope 查看。
以上办法,尽管实现麻烦,然而定制性和灵活性很强,不受框架束缚,能够适应各种简单的业务逻辑。
11)资源服务器依据 idp 测验后果(true/false 或其余等效伎俩)决定是否返回用户相册数据给客户端。如果 token 校验失败则返回 401 给客户端,如果 scope 查看不通过则返回 403。这一步也叫“权限管制”
与鉴权工作中的 scope 范畴查看相似,实现权限管制的办法也有两种:
- 受权服务器端的权限管制,属于集中式权限管制;
- 资源服务器端的权限管制,属于分散型权限管制。
其中,受权服务器端的权限管制比较简单,在 idp 工程的 CheckTokenInterceptor.preHandle() 办法中增加权限管制的业务代码即可:
- CheckTokenInterceptor.java
public class CheckTokenInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
...
/**
* 11. [明码模式的典型架构档次和次要流程] 中的第 11 步:* 受权服务器短的权限管制,即集中式权限管制
*
* 实现更细粒度的权限管制,从某种程度上来说,这个过程也能够称作鉴权
*/
// 受权服务器端鉴权 / 权限管制业务的逻辑
return true;
}
}
最初来看资源服务器端的权限管制。咱们应用 spring-secutity 提供的规范办法来实现:
- 资源服务器端 PreAuthorize hasRole/hasAuthority
- 资源服务器端 PreAuthorize 自定义实现 hasPermission
以上说法在某种程度上也能够了解为鉴权。
首先,咱们增加或批改 photo-service 工程的相干代码:
- PhotoController.java
package com.example.demophoto.web;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* 1、权限管制的两种类型:资源服务端权限管制、受权服务器端权限管制
* 2、权限管制的三种办法:* A、资源服务器端 PreAuthorize hasRole/hasAuthority
* B、资源服务器端 HttpSecurity access 自定义实现 hasPermission
* D、受权服务器端 HandlerInterceptor
* 以上说法在某种程度上也能够了解为鉴权。*/
@RestController
@RequestMapping("/api/")
public class PhotoController {@GetMapping("/photo")
@PreAuthorize("hasRole('USER') and hasAuthority('WRITE')")
public String fetchPhoto() {return "GET photo";}
@GetMapping("/photo2")
public String fetchPhoto2() {return "GET photo 2";}
@GetMapping("/photo3")
@PreAuthorize("hasPermission('PhotoController','read')")
public String fetchPhoto3() {return "GET photo 3";}
}
- ResourceServerConfigurer.java
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
...
/**
* 旧版本的 spring-security-oauth2 还须要将执行 resources.expressionHandler(oAuth2WebSecurityExpressionHandler)
* 以注入自定义的 expressionHandler,以后及当前版本不须要了
*
* @return
*/
@Bean
public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler() {OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler = new OAuth2WebSecurityExpressionHandler();
// 在新版本的 spring-security-oauth2 中,这行代码能够不必,// 框架会主动注入 customPermissionEvaluator 替换默认的 DenyAllPermissionEvaluator
// oAuth2WebSecurityExpressionHandler.setPermissionEvaluator(customPermissionEvaluator);
return oAuth2WebSecurityExpressionHandler;
}
...
}
- CustomPermissionEvaluator.java
package com.example.demophoto.config.oauth2;
import com.example.demophoto.service.PermisionEvaluatingService;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import java.io.Serializable;
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {private PermisionEvaluatingService permisionEvaluatingService = new PermisionEvaluatingService();
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {return permisionEvaluatingService.hasPermission(authentication, targetDomainObject, permission);
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {return permisionEvaluatingService.hasPermission(authentication, targetId, targetType, permission);
}
}
- PermisionEvaluatingService.java
package com.example.demophoto.service;
import org.springframework.security.core.Authentication;
import java.io.Serializable;
public class PermisionEvaluatingService {public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
// 业务逻辑
return true;
}
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
// 业务逻辑
return true;
}
}
- DemoPhotoApplication.java
@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true) // 开启 hasRole/hasAuthority/hasPermission 反对
public class DemoPhotoApplication {...}
通过以上配置,当客户端向 photo-service 发动 GET /api/photo3 申请时,将会进入 CustomPermissionEvaluator.hasPermission() 办法进行判断,因而能够实现非常灵活的资源服务器端权限管制。