SpringBoot actual electricity supplier item mall (20k + star) Address: github.com/macrozheng/...
Summary
Spring Cloud Security is SpringBoot build secure applications provide a range of solutions, combined with Oauth2 can achieve single sign-on, this article will use to log detailed description of its single point.
Single Sign Profile
Single sign-on (Single Sign On) means that when there are multiple systems need to log in, users only need to log in to a system, you can access other systems need to log in without having to log on.
Creating oauth2-client module
Here we create a oauth2-client service as clients need to sign a service, use oauth2-jwt-server service in the previous section as an authentication service, when we log in on oauth2-jwt-server service, you can directly access oauth2 -client need to log interface, to demonstrate single sign-on feature.
- Add its dependencies in pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.0</version>
</dependency>
复制代码- Configured in application.yml in:
server:
port: 9501
servlet:
session:
cookie:
name: OAUTH2-CLIENT-SESSIONID #防止Cookie冲突,冲突会导致登录验证不通过
oauth2-server-url: http://localhost:9401
spring:
application:
name: oauth2-client
security:
oauth2: #与oauth2-server对应的配置
client:
client-id: admin
client-secret: admin123456
user-authorization-uri: ${oauth2-server-url}/oauth/authorize
access-token-uri: ${oauth2-server-url}/oauth/token
resource:
jwt:
key-uri: ${oauth2-server-url}/oauth/token_key
复制代码- Add @ EnableOAuth2Sso notes on startup classes to enable single sign-on:
@EnableOAuth2Sso
@SpringBootApplication
public class Oauth2ClientApplication {
public static void main(String[] args) {
SpringApplication.run(Oauth2ClientApplication.class, args);
}
}
复制代码- Add interface is used to obtain the currently logged on user information:
/**
* Created by macro on 2019/9/30.
*/
@RestController
@RequestMapping("/user")
public class UserController {
@GetMapping("/getCurrentUser")
public Object getCurrentUser(Authentication authentication) {
return authentication;
}
}
复制代码Change the authentication server configuration
Modify AuthorizationServerConfig class oauth2-jwt-server module, the path is bound to jump HTTP: // localhost: 9501 / the Login , and add obtain identity authentication secret key.
/**
* 认证服务器配置
* Created by macro on 2019/9/30.
*/
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
//以上省略一堆代码...
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("admin")
.secret(passwordEncoder.encode("admin123456"))
.accessTokenValiditySeconds(3600)
.refreshTokenValiditySeconds(864000)
// .redirectUris("http://www.baidu.com")
.redirectUris("http://localhost:9501/login") //单点登录时配置
.scopes("all")
.authorizedGrantTypes("authorization_code","password","refresh_token");
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
security.tokenKeyAccess("isAuthenticated()"); // 获取密钥需要身份认证,使用单点登录时必须配置
}
}
复制代码Web single sign-on demo
-
Start oauth2-client services and oauth2-jwt-server services;
-
Access client requires authorization interface http: // localhost: 9501 / user / getCurrentUser will jump to the login interface authorization services;
- After login operation jumps to the authorization page;
- Will jump to the original post-authorization required permissions interface address, show the user login information;
- If you need to skip the authorization operations may be added automatically authorize
autoApprove(true)configuration:
/**
* 认证服务器配置
* Created by macro on 2019/9/30.
*/
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
//以上省略一堆代码...
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("admin")
.secret(passwordEncoder.encode("admin123456"))
.accessTokenValiditySeconds(3600)
.refreshTokenValiditySeconds(864000)
// .redirectUris("http://www.baidu.com")
.redirectUris("http://localhost:9501/login") //单点登录时配置
.autoApprove(true) //自动授权配置
.scopes("all")
.authorizedGrantTypes("authorization_code","password","refresh_token");
}
}
复制代码Call Interface single sign-on demo
Here we use Postman to demonstrate how to use the right way at the client interface call to register.
-
Access client need to sign an interface: HTTP: // localhost: 9501 / the User / getCurrentUser
-
Use Oauth2 gain access authentication token:
- Enter the token to gain access relevant information, click on the request token:
- At this time, it will jump to the authentication server for login operation:
- After a successful login using the acquired token:
- Finally, request interface can obtain the following information:
{
"authorities": [
{
"authority": "admin"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "63BB793E35383B2FFC608333B3BF4988",
"tokenValue": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYWNybyIsInNjb3BlIjpbImFsbCJdLCJleHAiOjE1NzI2OTAxNzUsImF1dGhvcml0aWVzIjpbImFkbWluIl0sImp0aSI6IjIwN2U5MTQzLTVjNTUtNDhkMS1iZmU3LTgwMzUyZTQ3Y2QyZCIsImNsaWVudF9pZCI6ImFkbWluIiwiZW5oYW5jZSI6ImVuaGFuY2UgaW5mbyJ9.xf3cBu9yCm0sME0j3UcP53FwF4tJVJC5aJbEj_Y2XcU",
"tokenType": "bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "admin"
}
],
"details": null,
"authenticated": true,
"principal": "macro",
"credentials": "N/A",
"name": "macro"
},
"clientOnly": false,
"oauth2Request": {
"clientId": "admin",
"scope": [
"all"
],
"requestParameters": {
"client_id": "admin"
},
"resourceIds": [],
"authorities": [],
"approved": true,
"refresh": false,
"redirectUri": null,
"responseTypes": [],
"extensions": {},
"grantType": null,
"refreshTokenRequest": null
},
"principal": "macro",
"credentials": "",
"name": "macro"
}
复制代码Add oauth2-client privilege check
- Adding Configuration-based open method of checking the permissions:
/**
* 在接口上配置权限时使用
* Created by macro on 2019/10/11.
*/
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(101)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}
复制代码- Add the required permissions admin interface in UserController in:
/**
* Created by macro on 2019/9/30.
*/
@RestController
@RequestMapping("/user")
public class UserController {
@PreAuthorize("hasAuthority('admin')")
@GetMapping("/auth/admin")
public Object adminAuth() {
return "Has admin auth!";
}
}
复制代码- Access requires admin privileges Interface: HTTP: // localhost: 9501 / the User / auth / admin
- Use no
adminauthority account, such asandy:123456access to the interfaces after obtaining a token, you will find no access.
To use the module
springcloud-learning
├── oauth2-jwt-server -- 使用jwt的oauth2认证测试服务
└── oauth2-client -- 单点登录的oauth2客户端服务
复制代码Project Source Address
No public
mall project a full tutorial serialized in public concern number the first time to obtain.