學習Spring Security OAuth認證(一)-受權碼模式

時間 2019-11-12

標籤學習 spring security oauth 認證受權模式欄目 Spring 简体版

原文原文鏈接

一.環境

spring boot+spring security+idea+maven+mybatishtml

主要是spring security前端

二.依賴

    <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

不須要版本號,spring boot的pom中已經聲明瞭合適的版本號java

三.springsecurity登陸配置

package com.haitian.security;

import com.haitian.service.security.CustomUserService;
import com.haitian.utils.PathUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.BasePasswordEncoder;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.Locale;

/**
 * User:zhangweixiao
 * Description:
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private AuthenticationFailureHandler authenticationFailureHandler;
    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;

    @Autowired
    private  UserDetailsService userDetailsService;

    @Bean
    public BasePasswordEncoder getPasswordEncoder()
    {
        return new Md5PasswordEncoder();
    }

   @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setPasswordEncoder(getPasswordEncoder());
        authProvider.setUserDetailsService(userDetailsService);
        return authProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        ValidateCodeFilter validateCodeFilter=new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(authenticationFailureHandler);

        http
                .authorizeRequests()
                .antMatchers("/**").permitAll()
                .and()
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
                .formLogin().loginPage("/login").loginProcessingUrl("/zshop_login")
                .failureHandler(authenticationFailureHandler)
                .successHandler(authenticationSuccessHandler)
                .and()
                .csrf().disable();
    }

}

/**
 * 前臺登陸的數據庫橋樑
 */
@Service
public class CustomUserService implements UserDetailsService{

    @Autowired
    private UserService userService;

    /**
     * @param username
     * @return
     * @throws UsernameNotFoundException
     * @throws DataAccessException
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {

        User user = this.userService.getUserByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("用戶名不存在");
        }
        Set authorities = new HashSet();
        for (Role role : user.getRoles()) {
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role.getRoleCode());
            authorities.add(grantedAuthority);
        }
        user.setAuthorities(authorities);
        return user;
    }

}

數據庫中User表對應的User類繼承了UserDetails,這裏就不發了.web

加密算法最好用bcrypt,由於數據庫存的是md5的,因此先用md5了.算法

瞭解加密:http://www.cnblogs.com/ptqueen/p/8448396.htmlspring

配置完成以後要保證能登陸成功.數據庫

四.配置認證服務器

1.配置註解提供認證服務器

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig {
}

2配置client-id和secret.

security:
  oauth2:
    client:
      client-id: zshop
      client-secret: zshop_secret

client-id就是第三方申請認證的id,先後端分離中前端也就至關於第三方.json

你的認證服務器就比如QQ的認證服務器,你的前端就比如須要QQ第三方登陸的網站.後端

3啓動當前模塊

能夠看到控制檯中oath2包的爲咱們作的mapping服務器

 Mapped "{[/oauth/authorize]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java. 
 
 Mapped "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}" onto public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)

4.用rest client插件測試

關於插件簡單介紹請看:

http://www.cnblogs.com/ptqueen/p/8449046.html

關於oath2文檔

https://tools.ietf.org/html/rfc6749#page-24

上面是oath2文檔中須要認證的參數信息

先這樣測試,http://localhost:8082/oauth/authorize?response_type=code&client_id=zshop&redirect_uri=https://cnblogs.com&scope=all

五.獲取受權碼code

關於受權碼模式的流程請看:

http://www.cnblogs.com/ptqueen/p/8449150.html

成功的話會跳轉到登陸頁面,這個登陸頁面至關於從某個論壇QQ登陸跳轉出來的登錄窗口

登陸成功後出現這樣一個

OAuth Approval

Do you authorize 'zshop' to access your protected resources?

scope.all: Approve Deny

若是是本身的前端登陸成功以後應該會直接拿到全部權限,不顯示此頁面,而後繼續換取令牌,

第三方QQ登陸的 approval是和登陸頁面一塊兒的.後面看看怎麼配置.

贊成受權以後會跳轉到https://cnblogs.com,同時會攜帶一個code,這個code就是受權碼.下一步須要經過受權碼來換取令牌.

https://www.cnblogs.com/?code=D120US

六.發送受權碼到認證服務器換取令牌

參照oauth2文檔

https://tools.ietf.org/html/rfc6749#page-29

post的參數有

grant_tpye,值必須爲authorization_code

code,第一篇中得到的受權碼

redirect_uri,必須和第一篇相同

client_id,配置文件中定義的client_id

scope,獲取受權碼時定義的scope

請求的header中須要包含client-id和client-secret.

七.得到令牌

成功以後便可獲取,令牌是有有效期的,必須在有效期以前進行刷新

pretty

{

"access_token": "f035137f-def1-4bae-9adc-718a26e6c141",

"token_type": "bearer",

"refresh_token": "e7f65ace-6c5d-44a6-94fb-e7ca65ff12fd",

"expires_in": 43199,

"scope": "all"

}

lines nums