Spring Cloud + Zuul + OAuth2: implementing a unified authentication service

First configuration: Zuul is only responsible for forwarding, flow control, etc. (it is not responsible for authentication)

1 Introduction

(1) Eureka discovery service; the configuration of each service is not shown here, only the authentication part is covered;

2 Configure the authentication server

(1) Add the dependency (the OAuth2 starter already includes Spring Security)

<dependency>
   <groupId>org.springframework.cloud</groupId>
   <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>

  

(2) Authentication Configuration

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.stereotype.Component;

import java.util.HashMap;

@Configuration
public class MyConfig {

    // user information lookup; for testing, any user name is accepted and the password is always "123"
    @Component
    public static class MyUserDetailsService implements UserDetailsService {
        @Autowired
        private PasswordEncoder passwordEncoder;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            return new User(username, passwordEncoder.encode("123"),
                    AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
        }
    }

    // authorization server
    @EnableAuthorizationServer
    @Configuration
    public static class Authorization extends AuthorizationServerConfigurerAdapter {

        @Autowired
        AuthenticationManager authenticationManager;
        @Autowired
        BCryptPasswordEncoder bCryptPasswordEncoder;
        @Autowired
        MyUserDetailsService myUserDetailsService;

        // for testing, the client is stored in memory (in production clients should be stored in a database, using the standard OAuth schema)
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                    .withClient("client") // client_id
                    .secret(bCryptPasswordEncoder.encode("123")) // client_secret
                    .authorizedGrantTypes("authorization_code", "password") // grant types allowed for this client
                    .scopes("app"); // allowed scopes
        }

        // authenticationManager is required for the password grant; in production the tokenStore can be Redis
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager)
                    .tokenStore(new InMemoryTokenStore())
                    .userDetailsService(myUserDetailsService);
        }

        // access rules for the token key and token check endpoints
        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            security.tokenKeyAccess("permitAll()");
            security.checkTokenAccess("isAuthenticated()");
        }
    }

    // using the authorization server requires a Security configuration
    @Configuration
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        // only checks whether a token is present; on failure the authenticationEntryPoint writes the response
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .httpBasic().and()
                    .csrf().disable()
                    .exceptionHandling()
                    .authenticationEntryPoint((req, resp, exception) -> {
                        resp.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
                        resp.getWriter().write(new ObjectMapper().writeValueAsString(new HashMap<String, Object>() {{
                            put("status", 0);
                            put("error", "no authority");
                        }}));
                    }).and()
                    .authorizeRequests().anyRequest().authenticated();
        }
    }

    // resource server configuration, so that other clients can read the logged-in user's information
    @Configuration
    @EnableResourceServer
    public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().exceptionHandling().authenticationEntryPoint((req, resp, exception) -> {
                resp.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
                resp.getWriter().write(new ObjectMapper().writeValueAsString(new HashMap<String, Object>() {{
                    put("status", 0);
                    put("error", "没有权限");
                }}));
            }).and().authorizeRequests().anyRequest().authenticated();
        }
    }
}
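The comments above say that in production the client store should be a database (the standard OAuth schema) and the token store can be Redis. As an added example that is not from the original post, here is a stand-alone replacement for the nested authorization server class with both changes applied. It assumes a JDBC DataSource and a RedisConnectionFactory are configured (spring-boot-starter-data-redis on the classpath), that the oauth_client_details table stores client_secret as a BCrypt hash, and that a UserDetailsService bean exists; the class name is hypothetical.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

// Hypothetical production variant of the nested Authorization class (added example).
@Configuration
@EnableAuthorizationServer
public class JdbcRedisAuthorization extends AuthorizationServerConfigurerAdapter {

    @Autowired AuthenticationManager authenticationManager;
    @Autowired BCryptPasswordEncoder bCryptPasswordEncoder;
    @Autowired UserDetailsService userDetailsService;
    @Autowired DataSource dataSource;                         // assumed: configured JDBC DataSource
    @Autowired RedisConnectionFactory redisConnectionFactory; // assumed: spring-boot-starter-data-redis

    // Tokens live in Redis, so every auth server instance sees the same tokens and a
    // restart does not silently invalidate them (InMemoryTokenStore does both).
    @Bean
    public TokenStore tokenStore() {
        return new RedisTokenStore(redisConnectionFactory);
    }

    // Clients come from the standard oauth_client_details table; the stored client_secret
    // is a BCrypt hash, so the same encoder as the in-memory version is used to compare it.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource).passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
                .tokenStore(tokenStore())
                .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }
}
```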

  

(3) Provide user information

import java.security.Principal;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ResourceWeb {

    @GetMapping("/member")
    public Principal user(Principal member) {
        // return the current user's information
        return member;
    }
}

(4) Flow

  The password grant is used here; in general a service calls its own resources locally.

  (client, secret) represents the client's account and password. In this test the client is the local service itself; if the client were a third party, that party would apply for its own client account and password and could then call the resources once the user had authorized it.

  (username, password) is the end user of this service. Every client's access to resources requires the local user to log in first; only after a successful login is authorization granted, using the Security login strategy.

 

3. Configure the resource server (local resources)

(1) Add the same OAuth2 dependency

(2) configure remote authentication service:

security:
  oauth2:
    resource:
      user-info-uri: http://localhost:8082/member
      prefer-token-info: false

  

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

import java.util.HashMap;

@Configuration
public class MyConfig {

    // configure the resource server
    @Configuration
    @EnableResourceServer
    public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().httpBasic().disable().exceptionHandling().authenticationEntryPoint((req, resp, exception) -> {
                resp.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
                resp.getWriter().write(new ObjectMapper().writeValueAsString(new HashMap<String, Object>() {{
                    put("status", 0);
                    put("error", "没有权限");
                }}));
            })
            .and().authorizeRequests()
            .antMatchers("/noauth").permitAll() // open endpoint, no token required
            .anyRequest().authenticated();      // everything else needs a valid token
        }
    }
}

4. Configure Zuul

zuul:
  #routes:
  #  mechant:
  #    service-id: mechant
  #    path: /mechant/**
  strip-prefix: true # when false, a request for /api/mechant/ping is forwarded to mechant as http://localhost:8081/api/mechant/ping and returns 404
  prefix: /api # request prefix
  sensitive-headers: # left empty so that headers such as Authorization are forwarded; if X-ABC were listed here, an X-ABC header sent by the client would not be passed to downstream services
  #ignoredHeaders: X-ABC # an X-ABC header sent by the client is still passed to downstream services, but it is filtered out if a downstream service forwards the request further

  

5. Test

(1) Request a token (accessed through Zuul)

(2) Use the token (accessed through Zuul)
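The two test steps above, and the flow described in section 2 (4), carried out from a Java client, as an added example that is not part of the original post. It assumes Zuul listens on port 8080 with the /api prefix from section 4, that the authorization server is registered in Eureka under the service id "auth" and the resource server under "mechant" with a protected /ping endpoint, and that Spring 5.1 or newer is on the classpath (for setBasicAuth and setBearerAuth).

```java
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

public class ZuulTokenFlow {

    // Assumed addresses: Zuul on 8080 with prefix /api; service ids "auth" and "mechant".
    static final String ZUUL = "http://localhost:8080/api";

    public static void main(String[] args) {
        RestTemplate rest = new RestTemplate();

        // (1) Password grant through Zuul: the client identifies itself with HTTP Basic
        //     (client_id "client", client_secret "123" from the in-memory client above); the
        //     user's name and password are sent once as form fields and only the token is kept.
        HttpHeaders tokenHeaders = new HttpHeaders();
        tokenHeaders.setBasicAuth("client", "123");
        tokenHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("username", "alice"); // the test UserDetailsService accepts any name with password 123
        form.add("password", "123");
        form.add("scope", "app");
        Map<?, ?> token = rest.postForObject(ZUUL + "/auth/oauth/token",
                new HttpEntity<>(form, tokenHeaders), Map.class);
        String accessToken = (String) token.get("access_token");

        // (2) Use the token through Zuul: the Authorization header reaches the resource service
        //     only because sensitive-headers was left empty in the Zuul configuration.
        HttpHeaders bearer = new HttpHeaders();
        bearer.setBearerAuth(accessToken);
        ResponseEntity<String> ok = rest.exchange(ZUUL + "/mechant/ping",
                HttpMethod.GET, new HttpEntity<>(bearer), String.class);
        System.out.println("with token: " + ok.getStatusCode() + " " + ok.getBody());

        // (3) Negative check: the same request without a token must be rejected with the JSON
        //     body written by the resource server's authenticationEntryPoint.
        try {
            rest.getForEntity(ZUUL + "/mechant/ping", String.class);
        } catch (HttpClientErrorException e) {
            System.out.println("without token: " + e.getStatusCode() + " " + e.getResponseBodyAsString());
        }
    }
}
```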

 


Origin www.cnblogs.com/liboware/p/12528755.html