Spring Security implements authorization code mode: custom login page, automatic authorization, custom password encoding, redirecting the login page from http to https

Series article directory

- SpringSecurity implements OAuth2
- JWT and OAuth2 under SpringBoot



Summary

In order to safely expose the interfaces of an old project to third parties, I used the OAuth 2.0 authorization code grant to authenticate the interfaces. This article covers the authorization code mode of Spring Security and how to customize several pieces of the OAuthServer program. In the project, a custom login page replaces the default login page so that the UI matches the style of our own system; automatic authorization is enabled so that the user does not have to click "approve" for a second confirmation after a successful login; custom password verification is used so that the old system's account data and its password encoding stay compatible, and the client_secret is stored with the same encoding; and the login page redirect is changed from http to https so that the login link matches the server's https environment.


Custom login page

The custom login page must be placed in the back-end project and in the same domain as the authorization interface.
Suppose this is your login page, resources/static/login.html:

<form action="./login.html" method="post">
  <div class="input">
    <label for="username">用户名</label>
    <input type="text" name="username" id="username">
    <span class="spin"></span>
  </div>
  <div class="input">
    <label for="password">密码</label>
    <input type="password" name="password" id="password">
    <span class="spin"></span>
  </div>
  <div class="button login">
    <button type="submit">
      <span>登录</span>
      <i class="fa fa-check"></i>
    </button>
  </div>
</form>

The corresponding configuration is done in the configure(HttpSecurity) method of the WebSecurityConfigurerAdapter:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // keep the defaults (every request authenticated, form login, http basic)
        super.configure(http);
        http
                // serve our own page instead of the generated one; it must be reachable anonymously
                .formLogin().loginPage("/login.html")
                .permitAll()
                .and()
                .csrf().disable()
        ;
    }

With this configuration, Spring Security maps the default login processing URL to /login.html as well, which is why the form action on the login page is written as form action="./login.html".

Automatic authorization

Automatic authorization is configured through the autoapprove column of the oauth_client_details table. Once it is set, a successful account/password check on the login page redirects straight to redirect_uri?code=xxxx without showing the approval page.

Custom password verification

First implement the PasswordEncoder interface.
After implementing and using your own PasswordEncoder, client_secret must also be written to the database using this encoding method.

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CustomPasswordEncoder implements PasswordEncoder {

    private static final Logger log = LoggerFactory.getLogger(CustomPasswordEncoder.class);

    // EncryptUtil is the old system's own password hashing utility
    @Override
    public String encode(CharSequence rawPassword) {
        return EncryptUtil.encodePassword(rawPassword.toString());
    }

    /**
     * rawPassword comes from the form input;
     * encodedPassword comes from UserDetailsService#loadUserByUsername.
     */
    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (encodedPassword == null || encodedPassword.length() == 0) {
            log.warn("Empty encoded password");
            return false;
        }
        // constant-time comparison so the match does not leak timing information
        return MessageDigest.isEqual(
                encode(rawPassword).getBytes(StandardCharsets.UTF_8),
                encodedPassword.getBytes(StandardCharsets.UTF_8));
    }
}

Define the encoder as a bean in the WebSecurityConfigurerAdapter so that Spring Security picks it up:

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new CustomPasswordEncoder();
    }

Remember to modify the UserDetailsService#loadUserByUsername method accordingly, since the password it returns is what matches() compares against.
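The two points above (autoapprove in oauth_client_details, and client_secret stored with the custom encoder) can be tied together in one place. The following is an added example, not code from the original post; it assumes the CustomPasswordEncoder above, a DataSource bean, and the standard oauth_client_details table that JdbcClientDetailsService reads. The class name ClientRegistration is hypothetical.

```java
import java.util.Arrays;
import javax.sql.DataSource;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;

// Hypothetical helper (not part of the original post) that registers an OAuth2 client
// so that its client_secret is written with the custom encoder and autoapprove is set.
public class ClientRegistration {

    private final JdbcClientDetailsService clientDetailsService;
    private final PasswordEncoder passwordEncoder;

    public ClientRegistration(DataSource dataSource, PasswordEncoder passwordEncoder) {
        this.clientDetailsService = new JdbcClientDetailsService(dataSource);
        // Must be the same PasswordEncoder bean the authorization server uses to check
        // the secret on /oauth/token; otherwise the stored value never matches.
        this.clientDetailsService.setPasswordEncoder(passwordEncoder);
        this.passwordEncoder = passwordEncoder;
    }

    /** Inserts or updates the client and returns what is now stored in oauth_client_details. */
    public ClientDetails register(String clientId, String rawSecret, String redirectUri) {
        BaseClientDetails client = new BaseClientDetails(
                clientId, "", "read", "authorization_code,refresh_token", "ROLE_CLIENT", redirectUri);
        client.setClientSecret(rawSecret);                 // encoded by JdbcClientDetailsService on insert
        client.setAutoApproveScopes(Arrays.asList("true")); // autoapprove=true: skip the approval page
        boolean exists = clientDetailsService.listClientDetails().stream()
                .anyMatch(c -> c.getClientId().equals(clientId));
        if (exists) {
            clientDetailsService.updateClientDetails(client);          // does not touch the secret
            clientDetailsService.updateClientSecret(clientId, rawSecret); // re-encodes the secret
        } else {
            clientDetailsService.addClientDetails(client);
        }
        return clientDetailsService.loadClientByClientId(clientId);
    }

    /** Sanity check after migration: the stored secret must verify under the custom encoder. */
    public boolean secretMatches(String clientId, String rawSecret) {
        ClientDetails stored = clientDetailsService.loadClientByClientId(clientId);
        return passwordEncoder.matches(rawSecret, stored.getClientSecret());
    }
}
```

If secretMatches returns false for a client that worked before the switch, its client_secret row was written with the old encoding and needs to be re-saved through this path.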

Redirecting the login page from http to https

Here we take the embedded Tomcat of Spring Boot as an example. The redirect to the login page is built from the request's scheme, so Tomcat has to learn from the reverse proxy's forwarded headers that the original request was https:

server:
  tomcat:
    redirect-context-root: true
    # trust these headers only when Tomcat sits behind your own reverse proxy
    remote-ip-header: x-forwarded-for
    protocol-header-https-value: https
    protocol-header: x-forwarded-proto

Enabling the refresh token grant

Configure this in the subclass of AuthorizationServerConfigurerAdapter:

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // token settings
        endpoints.tokenStore(tokenStore())
                // this setting is what makes the refresh_token grant available
                .userDetailsService(userDetailsService);
    }


Origin blog.csdn.net/wangxudongx/article/details/130948188