spring cloud security oauth2單點登陸

1. maven 依賴關係

pom.xml 中添加

     

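<!-- authentication server -->
<!-- No <version> elements are given here, so versions are expected to come from
     dependency management (parent POM / BOM) that is not shown in this snippet. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>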

2. 客戶端應用程序的安全配置

/**
 * Spring Boot entry point for the admin web client.
 *
 * <p>The class doubles as the web security configuration: it is an OAuth2 SSO client
 * ({@code @EnableOAuth2Sso}) whose application security is customised in the two
 * {@code configure} overrides below.
 */
@EnableFeignClients
// service registration and discovery
// requires eureka.client.serviceUrl.defaultZone to be set
@EnableDiscoveryClient
// circuit breaker
// enables hystrix support; this annotation is required for it
@EnableCircuitBreaker
@EnableOAuth2Sso
@SpringBootApplication
public class AdminWebApplication extends WebSecurityConfigurerAdapter {

    /**
     * Boots the application.
     *
     * @param args command-line arguments handed to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(AdminWebApplication.class, args);
    }

    /**
     * Application security: logout lands on {@code /}, every request must be
     * authenticated, and the CSRF token is kept in a cookie.
     *
     * @param http the security builder to customise
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.logout().logoutSuccessUrl("/");
        http.authorizeRequests().anyRequest().authenticated();
        // withHttpOnlyFalse(): the CSRF cookie is readable by browser-side script,
        // which is what allows front-end code to send the token back in a header.
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    /**
     * Paths excluded from the security filter chain altogether.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // NOTE(review): ignored paths receive no security processing at all (no
        // authentication, no CSRF); confirm /userInfo.xhtml exposes nothing sensitive.
        web.ignoring().antMatchers("/userInfo.xhtml");
    }
}

3. application.yml

server:
  port: ${service.server.port:9091}
  session:
    cookie:
      # session cookie is scoped to this domain
      domain: ifa.com
spring:
  application:
    name: admin-web
  devtools:
    restart:
      enabled: true
  aop:
    proxy-target-class: true

security:
  oauth2:
    sso:
      login-path: /login.xhtml
    client:
      client-id: channel
      # NOTE(review): the client secret is stored in plain text in this file; in a real
      # deployment supply it from an environment variable or secret store instead of
      # committing it, and rotate any secret that has been published.
      client-secret: b8a9cb1c-cc63-4999-8702-983d246c2d66
      # NOTE(review): all three endpoints below use plain http://. Unless TLS is
      # terminated in front of them, the client secret and the access token travel
      # unencrypted - confirm the deployment.
      access-token-uri: http://passport.auth.com/oauth/token  # URI for obtaining the access token
      user-authorization-uri: http://passport.auth.com/oauth/authorize   # authorization URI the user is redirected to
      client-authentication-scheme: form  
      scope: app
    resource:
      user-info-uri: http://passport.auth.com/userInfo     # user endpoint URI used to fetch the current user's details

4. oauth 配置

/**
 * Spring Boot entry point for the SSO (authorization server) web application.
 */
package com.ifa.cloud.channel;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.cloud.netflix.feign.EnableFeignClients;

@EnableFeignClients
// service registration and discovery
// requires eureka.client.serviceUrl.defaultZone to be set
@EnableDiscoveryClient
// circuit breaker
// enables hystrix support; this annotation is required for it
@EnableCircuitBreaker
@SpringBootApplication
public class SSOWebApplication {

    /**
     * Boots the application.
     *
     * @param args command-line arguments handed to Spring Boot
     */
    public static void main(String[] args) {
        final Class<?> primarySource = SSOWebApplication.class;
        SpringApplication.run(primarySource, args);
    }
}

 

5. 配置授權服務器

package com.ifa.cloud.channel.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.authserver.AuthorizationServerProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

import com.ifa.cloud.channel.config.oauth2.ClientDetailsServiceImpl;

import lombok.extern.slf4j.Slf4j;

/**
 * OAuth2 authorization server configuration.
 *
 * <p>Client details come from {@link ClientDetailsServiceImpl}, issued tokens are kept in
 * Redis ({@link RedisTokenStore}), and the token endpoints delegate user authentication to
 * the injected {@link AuthenticationManager}. The class also enables a resource server
 * whose single protected path is {@code /userInfo}.
 */
@Slf4j
@Configuration
@EnableResourceServer
@EnableAuthorizationServer
@EnableConfigurationProperties(AuthorizationServerProperties.class)
public class Oauth2ServerConfig extends AuthorizationServerConfigurerAdapter {

    /** Connection factory backing the Redis token store. */
    // NOTE(review): public field injection; a private final field set through the
    // constructor would be the conventional form.
    @Autowired
    public RedisConnectionFactory redisConnectionFactory;

    private final AuthenticationManager authenticationManager;
    private final AuthorizationServerProperties properties;

    /**
     * Creates the configuration.
     *
     * @param authenticationManager authenticates resource owners at the token endpoints
     * @param properties            Spring Boot authorization-server properties
     *                              (check-token / token-key access rules, realm)
     */
    public Oauth2ServerConfig(AuthenticationManager authenticationManager,
                              AuthorizationServerProperties properties) {
        this.authenticationManager = authenticationManager;
        this.properties = properties;
    }

    /**
     * Resource-server security for the {@code /userInfo} endpoint: the chain matches only
     * that path and requires an authenticated (token-bearing) request.
     *
     * @return the resource server configurer bean
     */
    @Bean
    public ResourceServerConfigurer resourceServerConfigurer() {
        return new ResourceServerConfigurer() {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                log.debug("loadding resource server configurer http ...");
                http.antMatcher("/userInfo").authorizeRequests().anyRequest().authenticated();
            }

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                // Intentionally empty: resource-server defaults are kept as-is.
            }
        };
    }

    /**
     * Token store backed by Redis.
     *
     * @return the token store bean
     */
    @Bean
    public TokenStore tokenStore() {
        log.debug("loadding redis token store ...");
        return new RedisTokenStore(redisConnectionFactory);
    }

    /**
     * Client registry used by the authorization server.
     *
     * @return the client details service bean
     */
    @Bean
    public ClientDetailsService clientDetailsService() {
        return new ClientDetailsServiceImpl();
    }

    /**
     * Registers {@link #clientDetailsService()} as the source of client details.
     *
     * @param clients the client details configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService());
    }

    /**
     * Wires the Redis token store and the authentication manager into the endpoints.
     *
     * @param endpoints the endpoints configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore())
            .authenticationManager(this.authenticationManager);
    }

    /**
     * Applies the access rules from {@link AuthorizationServerProperties} when they are
     * set, and lets clients authenticate with form parameters.
     *
     * @param security the security configurer for the authorization server endpoints
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        final String checkTokenAccess = this.properties.getCheckTokenAccess();
        if (checkTokenAccess != null) {
            security.checkTokenAccess(checkTokenAccess);
        }
        final String tokenKeyAccess = this.properties.getTokenKeyAccess();
        if (tokenKeyAccess != null) {
            security.tokenKeyAccess(tokenKeyAccess);
        }
        final String realm = this.properties.getRealm();
        if (realm != null) {
            security.realm(realm);
        }
        // Clients may send client_id/client_secret as form parameters instead of HTTP Basic;
        // this pairs with the client's `client-authentication-scheme: form` setting.
        security.allowFormAuthenticationForClients();
    }
}

 

6. 安全配置

/**
 * 
 */
package com.ifa.cloud.channel.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

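/**
 * Form-login security chain for the authorization server's own pages.
 *
 * <p>This chain is ordered ahead of the default chains and is scoped (via
 * {@code requestMatchers()}) to the login page and the OAuth2 authorize / confirm_access
 * endpoints; everything it matches must be authenticated. Requests for other paths fall
 * through to the next filter chain, which is defined elsewhere.
 */
@Configuration
@Order(-20)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    /**
     * Form login on {@code /login.html}, a chain limited to the three listed paths, and
     * an authenticated-only rule for anything this chain matches.
     *
     * @param http the security builder to customise
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .formLogin()
                .loginPage("/login.html")
                .failureUrl("/login.html?error")
                .defaultSuccessUrl("/")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
        .and()
            // restrict this chain to the login page and the OAuth2 user-facing endpoints
            .requestMatchers().antMatchers("/login.html", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            // every path this chain matches requires authentication
            .authorizeRequests().anyRequest().authenticated();
        // @formatter:on
    }

    /**
     * Registers the application's {@link AuthenticationProvider} and chains to the
     * injected parent {@link AuthenticationManager}.
     *
     * @param auth the authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider)
            .parentAuthenticationManager(authenticationManager);
    }

    /**
     * Static resources bypass the security filter chain entirely.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/style/**", "/script/**", "/font-awesome/**", "/fonts/**", "/webjars/**");
    }
}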

7. 用戶終端

/**
 * 
 */
package com.ifa.cloud.channel.web.controller;

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

import lombok.extern.slf4j.Slf4j;

/**
 * Login page and user-info endpoint of the authorization server.
 */
@Slf4j
@RestController
public class UserLoginController {

    /**
     * Renders the {@code login} view.
     *
     * @param request  the current request (not read)
     * @param response the current response (not read)
     * @return a {@link ModelAndView} for the {@code login} template
     */
    @RequestMapping("/login.html")
    public ModelAndView login(HttpServletRequest request, HttpServletResponse response) {
        final ModelAndView loginView = new ModelAndView("login");
        return loginView;
    }

    /**
     * User-info endpoint consumed by SSO clients: returns the caller's principal, which is
     * serialised to JSON.
     *
     * @param principal the authenticated caller, or {@code null} when unauthenticated
     * @return the principal object as received
     */
    @RequestMapping("/userInfo")
    public Object userinfo(Principal principal) {
        // NOTE(review): the whole principal object is serialised, not a curated view.
        // Depending on the concrete Authentication implementation this can expose more
        // than the user name (authorities, details); confirm which fields reach clients.
        return principal;
    }
}

返回以 JSON 表示的用戶數據。
