1.概述

1.1.SpringSecurity-Oauth2介绍#

SpingSecurity Oauth2实现了Oatuh2,SpingSecurity Oauth2分为两个大块,一者为认证授权(Authorization Server)服务和资源服务(Resource server),认证授权服务一般负责执行认证逻辑(登录)和加载用户的权限(给用户授权),以及认证成功后的令牌颁发 ,而资源服务器一般指的是我们系统中的微服务(被访问的微服务),在资源服务器需要对用户的令牌(认证成功与否),以及授权(是不是有访问权限)做检查 。

1.2.微服务Oauth2认证解决方案#

这里我们需要准备四个服务,1.授权服务 2.资源服务,3.网关,4注册中心,一共4个服务。授权服务和资源服务的流程图:

 

请求流程是:

  • 浏览器向认证服务提交认证获取Token
  • 浏览器存储Token并向资源服务器发起请求
  • 资源服务器校验Token并对资源进行授权

2.微服务环境准备

注意:没有SpringCloud基础的同学先去学SpringCloud,搭建基本项目结构如下

security-parent  //父工程
	security-auth-server  //统一认证微服务
	security-eureka-server  //注册中心
	security-resource-server  //资源微服务
	security-zuul-server  //网关

2.1.搭建父工程#

管理SpringBoot和SpringCloud相关依赖,管理公共依赖,以及依赖版本统一管理

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
</parent>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Finchley.SR1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

2.2搭建EurekaServer注册中心#

1、 导入依赖;

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>

2、 启动类;

@SpringBootApplication
@EnableEurekaServer
public class EurekaServerApplication {
   
     

    public static void main(String[] args) {
   
     
        SpringApplication.run(EurekaServerApplication.class);
    }
}

3、 yml配置;

server:
  port: 1000
eureka:
  instance:
    hostname: localhost
  client:
    registerWithEureka: false禁用注册中心向自己注册
    fetchRegistry: false 不让注册中心获取服务的注册列表
    serviceUrl:
      defaultZone: http://localhost:1000/eureka/
     注册中心的注册地址 ,其他微服务需要向这个地址注册

2.3.搭建ZuulServer网关微服务#

微服务统一访问入口,后面实现统一鉴权操作。
1、 导入依赖;

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
</dependencies>

2、 启动类;

@SpringBootApplication
@EnableZuulProxy
public class EurekaServerApplication {
   
     

    public static void main(String[] args) {
   
     
        SpringApplication.run(EurekaServerApplication.class);
    }
}

3、 yml配置;

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:1000/eureka/注册中心地址
  instance:
    prefer-ip-address: true使用ip地址注册
    instance-id: zuul-server:2000 指定服务的id
server:
  port: 2000
zuul:
  ignored-services: "*"  禁止使用服务名字进行访问
  prefix: "/servers" 统一的前缀
  routes:配置路由,指定服务的访问路径
    resource1-server: "/resources/**"
spring:
  application:
    name: zuul-server

2.4.搭建AuthServer认证授权微服务#

认证微服务,实现认证逻辑,用户授权,令牌颁发等
1、 导入依赖;

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>

2、 启动类;

@SpringBootApplication
public class AuthServerApplication {
   
     
    public static void main(String[] args) {
   
     
        SpringApplication.run(AuthServerApplication.class) ;
    }
}

3、 yml配置;

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:1000/eureka/注册中心地址
  instance:
    prefer-ip-address: true使用ip地址注册
    instance-id: auth-server:3000 指定服务的id
server:
  port: 3000
spring:
  application:
    name: auth-server

2.5.搭建Resource1Server资源微服务#

资源服务,负责校验Token和资源授权
1、 导入依赖;

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>

2、 启动类;

@SpringBootApplication
public class Resource1ServerApplication {
   
     
    public static void main(String[] args) {
   
     
        SpringApplication.run(Resource1ServerApplication.class) ;
    }
}

3、 yml配置;

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:1000/eureka/注册中心地址
  instance:
    prefer-ip-address: true使用ip地址注册
    instance-id: resource1-server:4000 指定服务的id
server:
  port: 4000
spring:
  application:
    name: resource1-server

启动测试http://localhost:1000/

 

3.认证服务配置

3.1.创建相关组件#

修改security-auth-server服务,完成User,Role,Permission实体类的创建,以及mapper映射器,Mapper.xml等相关组件的创建 , 以及相关表的创建和关系维护,这里省略…

3.2.集成MyBatis#

1、 security-auth-server增加依赖,"spring-cloud-starter-oauth2"包含了Oauth2和Security的内容;

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
  
        <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid</artifactId>
        <version>1.1.20</version>
    </dependency>
    <!-- mysql 数据库驱动. -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
    </dependency>
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>1.1.1</version>
    </dependency>
</dependencies>

2、 开启Mapper扫描"MapperScan";

@SpringBootApplication
@MapperScan("cn.itsource.mapper")
public class AuthServerApplication {
   
     

    public static void main(String[] args) {
   
     
        SpringApplication.run(AuthServerApplication.class) ;
    }
}

3、 yml增加DataSource和MyBatis配置;

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:1000/eureka/注册中心地址
  instance:
    prefer-ip-address: true使用ip地址注册
    instance-id: auth-server:3000 指定服务的id
server:
  port: 3000
mybatis:
  mapper-locations: classpath:cn/itsource/mapper/*Mapper.xml
spring:
  datasource:
    type: com.alibaba.druid.pool.DruidDataSource
    username: root
    password: admin
    url: jdbc:mysql:///auth-rbac
    driver-class-name: com.mysql.jdbc.Driver
  application:
    name: auth-server

3.3.配置UserDetailsService#

定义一个类,实现UserDetailsService接口,复写loadUserByUsername,根据用户名从数据库中获取认证的用户对象,并且加载用户的权限信息,把用户的认证信息和权限信息封装成UserDetaials返回。
在前面的章节已经学习过UserDetailsService的配置这里不在赘述配置如下

package cn.itsource.userdetails;

import cn.itsource.domain.Permission;
import cn.itsource.domain.User;
import cn.itsource.mapper.PermissionMapper;
import cn.itsource.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.stereotype.Component;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

@Component
public class UserDetailServiceImpl implements UserDetailsService {
   
     

    @Autowired
    private UserMapper userMapper;

    @Autowired
    private PermissionMapper permissionMapper;

    /**
     * 加载数据库中的认证的用户的信息:用户名,密码,用户的权限列表
     * @param username: 该方法把username传入进来,
        我们通过username查询用户的信息(密码,权限列表等)
        然后封装成 UserDetails进行返回 ,交给security 。
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
   
     
        //User是security内部的对象,UserDetails的实现类 ,
        //用来封装用户的基本信息(用户名,密码,权限列表)
        //public User(String username, String password, Collection<? extends GrantedAuthority> authorities)

        
		User userFromDB = userMapper.selectByUsername(username);
        if(null == userFromDB){
   
     
            throw new RuntimeException("无效的用户");
        }

        //模拟存储在数据库的用户的密码:123
        //String password = passwordEncoder.encode("123");
        String password = userFromDB.getPassword();

        //查询用户的权限
        List<Permission> permission = permissionMapper.selectPermissionsByUserId(userFromDB.getId());

        //用户的权限列表,暂时为空
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        permission.forEach(e->{
   
     
            System.out.println("用户:"+userFromDB.getUsername()+" 加载权限:"+e.getExpression());
            authorities.add(new SimpleGrantedAuthority(e.getExpression()));
        });
		//注意:这里的User是Security的User不是我们自己的User
        org.springframework.security.core.userdetails.User  user = new org.springframework.security.core.userdetails.User (username,password, authorities);

        return user;
    }
}

认证服务在处理认证逻辑的时候会通过该userDetailService加载用户在数据库中的认证信息实现身份认证,同时在整个方法中也加载了用户的权限列表,后续当用户发起对资源服务的访问时,是否能够授权成功就跟用户的权限列表息息相关了。

3.4.配置Security#

在前面的章节已经学习过WebSecurity的配置这里不在赘述,配置如下

//Security配置
@Configuration
@EnableWebSecurity(debug = false)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   
     

    //密码 编码器
    @Bean
    public PasswordEncoder passwordEncoder(){
   
     
        return new BCryptPasswordEncoder();
    }

    //授权规则配置
    @Override
    protected void configure(HttpSecurity http) throws Exception {
   
     

        http.csrf().disable()   //屏蔽跨域防护
                .authorizeRequests()          //对请求做授权处理
                .antMatchers("/login").permitAll()  //登录路径放行
                .anyRequest().authenticated() //其他路径都要拦截
                .and().formLogin()  //允许表单登录, 设置登陆页
                .and().logout().permitAll();    //登出
    }

    //配置认证管理器,授权模式为“poassword”时会用到
  
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
   
     
        return super.authenticationManager();
    }

}

这里多配置了一个AuthenticationManager 认证管理器,配置它的目录是后续Oauth2支持password模式需要做认证时会用到认证管理器

配置到这里已经完成了一个简单的认证流程了,测试访问:http://localhost:3000/login 应该可以完成一个简单的认证流程