Spring Security OAuth2使用Redis作为token存储
授权application.yml 服务器保存token到Redis
server: port: 8080 spring: redis: host: 127.0.0.1 port: 6379 password: 123 database: 0 #也可以在代码中指定
Maven依赖
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.62</version>
</dependency>
在spring security oauth2中,授权服务使用redis存储token的时候,报错:
java.lang.NoSuchMethodError: org.springframework.data.redis.connection.RedisConnection.set([B[B)V
这说明版本有问题,解决方案是,将oauth2的版本升级到2.3.3,即在pom文件中,加入:
<!-- oauth2 start -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<!-- 指明版本,解决redis存储出现的问题:java.lang.NoSuchMethodError: org.springframework.data.redis.connection.RedisConnection.set([B[B)V问题 -->
<version>2.3.3.RELEASE</version>
</dependency>
<!-- oauth2 end -->
代码分为认证端和客户端两个服务
认证端,也就是我的security服务
有两个文件,一个配置问津,一个
1.AuthResourcesConfig
package com.adao.security.config;
import com.adao.security.common.AuthResourcesConfig;
import com.adao.security.service.SSOUserDetailsService;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
/** * @author * @version 1.0 * @date 2021/8/12 * @Description: 资源服务信息公共配置类 */ public class AuthResourcesConfig { /** * token过期时间,单位为秒 */ public static final int TOKEN_SECONDS_ACCESS = 10 * 60; /** * 刷新token时间,单位为秒 */ public static final int TOKEN_SECONDS_REFRESH = 10 * 60; /** * 资源服务客户端ID信息 */ //rtp public static final String CLIENT_RTP = "RTP"; //manage public static final String CLIENT_RTP_MANAGE = "adao-rtp-manage"; /** * 资源节点对应的密钥,目前统一为 adao */ public static final String CLIENT_RTP_SECRET = "adao"; }
2.AuthorizationServerConfig
package com.adao.security.config; import com.adao.security.common.AuthResourcesConfig; import com.adao.security.service.SSOUserDetailsService; import lombok.extern.log4j.Log4j2; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.data.redis.connection.RedisConnectionFactory; import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory; import org.springframework.data.redis.core.StringRedisTemplate; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer; import org.springframework.security.oauth2.provider.token.DefaultTokenServices; import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore; /** * @author adao * @version 1.0 * @Description: 认证服务器配置 * @date 2021/8/11 */ @Configuration @EnableAuthorizationServer @Log4j2 public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { /** * 鉴权模式 */ public static final String GRANT_TYPE[] = {"password", "refresh_token"}; @Autowired private AuthenticationManager authenticationManager; /** * 用户服务 */ @Autowired public SSOUserDetailsService userDetailsService; @Autowired private RedisConnectionFactory redisConnectionFactory; @Autowired private StringRedisTemplate redisTemplate; /** * Redis数据库存 */ public static final int REDIS_CONNECTION_DATABASE = 14; /** * 客户端信息配置,可配置多个客户端,可以使用配置文件进行代替 * * @param clients 客户端设置 * @throws Exception 异常 */ @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { // 定义客户端应用的通行证 clients.inMemory() // rtp-manage .withClient(AuthResourcesConfig.CLIENT_RTP_MANAGE) .secret(new BCryptPasswordEncoder().encode(AuthResourcesConfig.CLIENT_RTP_SECRET)) .authorizedGrantTypes(GRANT_TYPE[0], GRANT_TYPE[1]) .scopes("all") .autoApprove(true) // rtp .and() .withClient(AuthResourcesConfig.CLIENT_RTP) .secret(new BCryptPasswordEncoder().encode(AuthResourcesConfig.CLIENT_RTP_SECRET)) .authorizedGrantTypes(GRANT_TYPE[0], GRANT_TYPE[1]) .scopes("all") .autoApprove(true); } /** * 配置端点 * * @param endpoints 端点 * @throws Exception 异常 */ @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { //配置认证管理器 endpoints.authenticationManager(authenticationManager) //配置用户服务 .userDetailsService(userDetailsService) //配置token存储的服务与位置 .tokenServices(tokenService()) .tokenStore(redisTokenStore()); } @Override public void configure(AuthorizationServerSecurityConfigurer security) { //允许用户访问OAuth2 授权接口 security.allowFormAuthenticationForClients(); //允许已授权用户访问 checkToken 接口和获取 token 接口 security.tokenKeyAccess("permitAll()"); //允许已授权用户获取 token 接口 security.checkTokenAccess("permitAll()"); } /** * 设置token存储,资源服务器配置与此处相一致 */ @Bean public RedisTokenStore redisTokenStore() { // 指定redis数据库存储token,与业务库区分。 LettuceConnectionFactory lettuceConnectionFactory = (LettuceConnectionFactory) redisTemplate.getConnectionFactory(); lettuceConnectionFactory.setDatabase(REDIS_CONNECTION_DATABASE); RedisTokenStore redisTokenStore = new RedisTokenStore(lettuceConnectionFactory);
// 也可以用在何种方式,这样用哪个数据库是在配置文件中指定
//RedisTokenStore redisTokenStore = new RedisTokenStore(redisConnectionFactory);
log.info("Oauth2 redis database : [{}]", lettuceConnectionFactory.getDatabase()); //设置redis token存储中的前缀 redisTokenStore.setPrefix("auth-token:"); return redisTokenStore; } @Bean public DefaultTokenServices tokenService() { DefaultTokenServices tokenServices = new DefaultTokenServices(); //配置token存储 tokenServices.setTokenStore(redisTokenStore()); //开启支持refresh_token tokenServices.setSupportRefreshToken(true); //复用refresh_token tokenServices.setReuseRefreshToken(true); //token有效期 tokenServices.setAccessTokenValiditySeconds(AuthResourcesConfig.TOKEN_SECONDS_ACCESS); //refresh_token有效期 tokenServices.setRefreshTokenValiditySeconds(AuthResourcesConfig.TOKEN_SECONDS_REFRESH); return tokenServices; } }
接下来是资源端
1.ResourceServerConfig
package com.adao.manage.config; import com.adao.manage.common.AuthExceptionHandler; import lombok.extern.log4j.Log4j2; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.data.redis.connection.RedisConnectionFactory; import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory; import org.springframework.data.redis.core.StringRedisTemplate; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore; /** * @author adao * @version 1.0 * @date 2021/8/11 * @description 资源服务配置类 */ @Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true) @Log4j2 public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Autowired private RedisConnectionFactory redisConnectionFactory; @Autowired private AuthExceptionHandler authExceptionHandler; @Autowired private StringRedisTemplate redisTemplate; /** * Redis数据库存 */ public static final int REDIS_CONNECTION_DATABASE = 14; @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { //状态 resources.stateless(true) .accessDeniedHandler(authExceptionHandler) .authenticationEntryPoint(authExceptionHandler); //设置token存储 resources.tokenStore(redisTokenStore()); } /** * 设置token存储,这一点配置要与授权服务器相一致 */ @Bean public RedisTokenStore redisTokenStore() { // 指定redis数据库存储token,与业务库区分。 LettuceConnectionFactory lettuceConnectionFactory = (LettuceConnectionFactory) redisTemplate.getConnectionFactory(); lettuceConnectionFactory.setDatabase(REDIS_CONNECTION_DATABASE); RedisTokenStore redisTokenStore = new RedisTokenStore(lettuceConnectionFactory); log.info("Oauth2 redis database : [{}]",lettuceConnectionFactory.getDatabase()); //设置redis token存储中的前缀 redisTokenStore.setPrefix("auth-token:"); return redisTokenStore; } @Override public void configure(HttpSecurity http) throws Exception { //请求权限配置 http.authorizeRequests() //下边的路径放行,不需要经过认证 .antMatchers("/actuator/health").permitAll() .antMatchers("/v2/api-docs", "/swagger-resources/configuration/ui", "/swagger-resources", "/swagger-resources/configuration/security", "/swagger-ui.html", "/webjars/**").permitAll() //其余接口没有角色限制,但需要经过认证,只要携带token就可以放行 .antMatchers("/dictionary/**").permitAll() .anyRequest() .authenticated(); } }
AuthExceptionHandler 异常捕获处理类
package com.adao.manage.common; import com.alibaba.fastjson.JSON; import lombok.extern.slf4j.Slf4j; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.core.AuthenticationException; import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @author adao * @version 1.0 * @date 2021/8/11 * @Description: 权限不足返回信息处理类 */ @Component @Slf4j public class AuthExceptionHandler implements AuthenticationEntryPoint, AccessDeniedHandler { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { Throwable cause = authException.getCause(); response.setContentType("application/json;charset=UTF-8"); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // CORS "pre-flight" request response.addHeader("Access-Control-Allow-Origin", "*"); response.addHeader("Cache-Control", "no-cache"); response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); response.setHeader("Access-Control-Allow-Headers", "x-requested-with"); response.addHeader("Access-Control-Max-Age", "1800"); if (cause instanceof InvalidTokenException) { log.error("InvalidTokenException : {}", cause.getMessage()); //Token无效 response.getWriter().write(JSON.toJSONString(ApiResult.fail(ApiCode.ACCESS_TOKEN_INVALID))); } else { log.error("AuthenticationException : NoAuthentication"); //资源未授权 response.getWriter().write(JSON.toJSONString(ApiResult.fail(ApiCode.ACCESS_UNAUTHORIZED))); } } @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException { response.setContentType("application/json;charset=UTF-8"); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.addHeader("Access-Control-Allow-Origin", "*"); response.addHeader("Cache-Control", "no-cache"); response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); response.setHeader("Access-Control-Allow-Headers", "x-requested-with"); response.addHeader("Access-Control-Max-Age", "1800"); //访问资源的用户权限不足 log.error("AccessDeniedException : {}", accessDeniedException.getMessage()); response.getWriter().write(JSON.toJSONString(ApiResult.fail(ApiCode.INSUFFICIENT_PERMISSIONS))); } }
公用的范围code及 含义
package com.adao.manage.common; public enum ApiCode { SUCCESS(200, "操作成功"), /** * 表示接口调用方异常提示 */ ACCESS_TOKEN_INVALID(1001, "access_token 无效"), REFRESH_TOKEN_INVALID(1002, "refresh_token 无效"), INSUFFICIENT_PERMISSIONS(1003, "该用户权限不足以访问该资源接口"), ACCESS_UNAUTHORIZED(1004, "访问此资源需要身份验证"), }
最后开始测试
postman 设置
http://192.168.10.90:6005/oauth/token?grant_type=password&username=zq&password=123456&scope=all
直接结果可以看到,获取到了token数据,这里就结束了。