-
Spring Security 自定义授权服务器实践
相关文章:
前言
在之前我们已经对接过了GitHub、Gitee客户端,使用OAuth2 Client能够快速便捷的集成第三方登录,集成第三方登录一方面降低了企业的获客成本,同时为用户提供更为便捷的登录体验。
但是随着企业的发展壮大,越来越有必要搭建自己的OAuth2服务器。
OAuth2不仅包括前面的OAuth客户端,还包括了授权服务器,在这里我们要通过最小化配置搭建自己的授权服务器。
授权服务器主要提供OAuth Client注册、用户认证、token分发、token验证、token刷新等功能。实际应用中授权服务器与资源服务器可以在同一个应用中实现,也可以拆分成两个独立应用,在这里为了方便理解,我们拆分成两个应用。授权服务器变迁
授权服务器(Authorization Server)目前并没有集成在Spring Security项目中,而是作为独立项目存在于Spring生态中,图1为Spring Authorization Server 在Spring 项目列表中的位置。
图1 Spring Authorization Server 为什么没被集成在Spring Security中呢?
起因是因为Spring 中的Spring Security OAuth、Spring Cloud Security都对OAuth有自己的实现,Spring团队开始是想把OAuth独立出来放到Spring Security中,但是后面Spring团队意识到OAuth授权服务并不适合包含在Spring Security框架中,于是在2019年11月Spring宣布不在Spring Security中支持授权服务器。原文如下:
原文:
Since the Spring Security OAuth project was created, the number of authorization server choices has grown significantly. Additionally, we did not feel like creating an authorization server was a common scenario. Nor did we feel like it was appropriate to provide authorization support within a framework with no library support. After careful consideration, the Spring Security team decided that we would not formally support creating authorization servers.但是对于Spring Security不再支持授权服务器,社区反应强烈。于是在2020年4月,Spring推出了Spring Authorization Server项目。
目前项目最新GA版本为0.3 GA,预览版本1.0.0-M1。最小化配置
安装授权服务器
1、新创建一个Spring Boot项目,命名为
spring-security-authorization-server
2、引入pom依赖<dependency> <groupId>org.springframework.bootgroupId> <artifactId>spring-boot-starter-securityartifactId> dependency> <dependency> <groupId>org.springframework.securitygroupId> <artifactId>spring-security-oauth2-authorization-serverartifactId> <version>0.3.1version> dependency> <dependency> <groupId>org.springframework.bootgroupId> <artifactId>spring-boot-starter-webartifactId> dependency>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
配置授权服务器
import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.RSAKey; import com.nimbusds.jose.jwk.source.ImmutableJWKSet; import com.nimbusds.jose.jwk.source.JWKSource; import com.nimbusds.jose.proc.SecurityContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.oidc.OidcScopes; import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.config.ClientSettings; import org.springframework.security.oauth2.server.authorization.config.ProviderSettings; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; import org.springframework.security.web.util.matcher.RequestMatcher; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.util.UUID; @Configuration(proxyBeanMethods = false) public class AuthorizationServerConfig { //授权端点过滤器链 @Bean @Order(Ordered.HIGHEST_PRECEDENCE) public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer<>(); RequestMatcher endpointsMatcher = authorizationServerConfigurer .getEndpointsMatcher(); http //没有认证会自动跳转到/login页面 .exceptionHandling((exceptions) -> exceptions .authenticationEntryPoint( new LoginUrlAuthenticationEntryPoint("/login")) ) .requestMatcher(endpointsMatcher) .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated() ) .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher)) .apply(authorizationServerConfigurer); return http.build(); } //用于身份验证的过滤器链 @Bean @Order(2) public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .anyRequest().authenticated() ) .formLogin(Customizer.withDefaults()); return http.build(); } //配置主体用户 @Bean public UserDetailsService userDetailsService() { UserDetails userDetails = User.withDefaultPasswordEncoder() .username("user") .password("user") .roles("USER") .build(); return new InMemoryUserDetailsManager(userDetails); } //注册客户端 @Bean public RegisteredClientRepository registeredClientRepository() { RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString()) //客户端id .clientId("testClientId") //客户端秘钥,授权服务器需要加密存储 .clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("testClientSecret")) //授权方法 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) //支持的授权类型 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN) .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) //回调地址,支持多个,本地测试不能使用localhost .redirectUri("http://127.0.0.1:8080/login/oauth2/code/customize") .scope(OidcScopes.OPENID) //授权scope .scope("message.read") .scope("userinfo") .scope("message.write") //是否需要授权页面,开启跳转到授权页面,需要手动确认 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()) .build(); return new InMemoryRegisteredClientRepository(registeredClient); } //token加密 @Bean public JWKSource<SecurityContext> jwkSource() { KeyPair keyPair = generateRsaKey(); RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); RSAKey rsaKey = new RSAKey.Builder(publicKey) .privateKey(privateKey) .keyID(UUID.randomUUID().toString()) .build(); JWKSet jwkSet = new JWKSet(rsaKey); return new ImmutableJWKSet<>(jwkSet); } private static KeyPair generateRsaKey() { KeyPair keyPair; try { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048); keyPair = keyPairGenerator.generateKeyPair(); } catch (Exception ex) { throw new IllegalStateException(ex); } return keyPair; } //配置协议端点,比如/oauth2/authorize、/oauth2/token等 @Bean public ProviderSettings providerSettings() { return ProviderSettings.builder().build(); } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
如上是最小化授权服务器的配置,这里我们将授权主体和客户端都存储在内存中,当然也可以持久化到数据库中,分别使用
JdbcUserDetailsManager、JdbcRegisteredClientRepository。
ProviderSettings.builder().build()使用了默认的配置,这几个地址我们后面就会用到:public static Builder builder() { return new Builder() .authorizationEndpoint("/oauth2/authorize") .tokenEndpoint("/oauth2/token") .jwkSetEndpoint("/oauth2/jwks") .tokenRevocationEndpoint("/oauth2/revoke") .tokenIntrospectionEndpoint("/oauth2/introspect") .oidcClientRegistrationEndpoint("/connect/register") .oidcUserInfoEndpoint("/userinfo"); }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
❗ 官方指出@Import(OAuth2AuthorizationServerConfiguration.class)也可以用来最小化配置,但我亲测这种方式没多大用处,并且还有问题。
配置客户端
这里我们要使用自己的搭建授权服务器,需要自定义一个客户端,还是使用前面集成GitHub的示例,只要在配置文件中扩展就可以。
完整配置如下:spring: security: oauth2: client: registration: gitee: client-id: gitee_clientId client-secret: gitee_secret authorization-grant-type: authorization_code redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}' client-name: Gitee github: client-id: github_clientId client-secret: github_secret # 自定义 customize: client-id: testClientId client-secret: testClientSecret authorization-grant-type: authorization_code redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}' client-name: Customize scope: - userinfo provider: gitee: authorization-uri: https://gitee.com/oauth/authorize token-uri: https://gitee.com/oauth/token user-info-uri: https://gitee.com/api/v5/user user-name-attribute: name # 自定义 customize: authorization-uri: http://localhost:9000/oauth2/authorize token-uri: http://localhost:9000/oauth2/token user-info-uri: http://localhost:9000/userinfo user-name-attribute: username- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
❗ 在配置授权服务器uri的时候,请勿依旧使用127.0.0.1,由于是在本地测试,授权服务器的session和客户端的session会互相覆盖,导致莫名其妙的问题。
请区分回调地址,和授权服务器端点uri的地址。
客户端的session 
授权服务器的session 体验
另外为了能够更好的调式,可以在两个应用增加
@EnableWebSecurity(debug = true)和 log日志,日志如下,打开TRACE级别日志:logging: level: root: INFO org.springframework.web: INFO org.springframework.security: TRACE org.springframework.security.oauth2: TRACE- 1
- 2
- 3
- 4
- 5
- 6
现在启动两个应用,访问
http://127.0.0.1:8080/hello,自动跳转到登录页面。
点击Customize,将跳转至授权服务器,注意看地址栏地址为localhost:9000/login,输入用户名/密码登录,user/user。
登录后,将跳转至授权页面,由于我们没有定制,使用的是默认页面,可以看到该页面的地址为
http://localhost:9000/oauth2/authorize?response_type=code&client_id=testClientId&scope=userinfo&state=yV1ElAN2855yq3bY5kgj_rmilnCclyvZHkxVB7a1d84%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/customize。
我们勾选userinfo,提交后即跳转回客户端。
我们看下客户收到的日志,授权服务器带着code回调了我们填写的回调地址。
Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D'************************************************************ Request received for GET '/login/oauth2/code/customize?code=DPAlx5uyrUpfrZIlBKrpIy_mmcgiyC2qCxPFtUeLA0fBrZd238XM2vN8M1jv9XAgl0KA-D54P_KzVH7RbUw7ApBUc2pbnuSVRZUyHazozmNM4YgQ06CZryfr20qLRhW4&state=_Sgak7GLILLKbwr9JVuwA2xVp95CWPgUMByQcvePkgM%3D': org.apache.catalina.connector.RequestFacade@1a8761d0 servletPath:/login/oauth2/code/customize pathInfo:null headers: host: 127.0.0.1:8080 connection: keep-alive upgrade-insecure-requests: 1 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site: cross-site sec-fetch-mode: navigate sec-fetch-user: ?1 sec-fetch-dest: document sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" referer: http://127.0.0.1:8080/ accept-encoding: gzip, deflate, br accept-language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 cookie: JSESSIONID=2527F412F53FA27A30BFBC39161ABB63 Security filter chain: [ DisableEncodeUrlFilter WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter HeaderWriterFilter CsrfFilter LogoutFilter OAuth2AuthorizationRequestRedirectFilter OAuth2AuthorizationRequestRedirectFilter OAuth2LoginAuthenticationFilter DefaultLoginPageGeneratingFilter DefaultLogoutPageGeneratingFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter OAuth2AuthorizationCodeGrantFilter SessionManagementFilter ExceptionTranslationFilter FilterSecurityInterceptor ] ************************************************************- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
总结
Spring Security 的最小化授权服务器的配置,到这里结束了,该demo虽然代码量非常少,但涉及的知识非常多,并且坑也多。
Spring Security文档中的代码说明更新不及时,比如
@Import(OAuth2AuthorizationServerConfiguration.class)文档中说明是最小化配置,但文档的快速开始又提供了另外一种的最小化配置方式。另外授权服务器如果发生异常,是不会打印堆栈的,而是把错误信息放入到response中,是打算要在页面上显示,然而demo的默认错误页并不会显示错误详情,只有错误编号400,如图。
Spring Authorization Server 还需要多多完善,Spring Security也不例外,不久前我还提了一个PR,把一个持续数个版本的bug给修复了🤣(过了,只是文档中的错误罢了,被标记为文档中的bug😅),看多了外国人的产品,其实也没有太比国内的开源项目好,坑也很多,而我们某些大厂的开源项目其实很好,却被网友门各种喷。
-
相关阅读:
【kerberos】使用 curl 访问受 Kerberos HTTP SPNEGO 保护的 URL
C++ Reference: Standard C++ Library reference: C Library: cmath: atan2
gerrit代码review使用基本方法
jar包加入本地maven仓库
C++用hiredis访问redis
STM32串口printf通过DMA打印(含实测代码)
MQ基础介绍
[含毕业设计论文+PPT+源码等]ssm装潢应用系统小程序+Java后台管理系统|前后分离VUE
车载音频系统中的数据通信
Python2也不错
- 原文地址:https://blog.csdn.net/weixin_40972073/article/details/126397563