  • Gateway Security (3): Turning a Microservice into an OAuth2 Resource Server

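    1. Turning the microservice into an OAuth2 resource server

      Using the order service as the example, we convert it into an OAuth2 resource server.

    1.1 Add the spring-cloud-starter-oauth2 dependency to the pom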

        <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-dependencies</artifactId>
                    <version>2.2.0.RELEASE</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
                <dependency>
                    <groupId>org.springframework.cloud</groupId>
                    <artifactId>spring-cloud-dependencies</artifactId>
                    <version>Greenwich.SR2</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
            </dependencies>
        </dependencyManagement>
    
        <properties>
            <java.version>1.8</java.version>
            <maven.compiler.source>${java.version}</maven.compiler.source>
            <maven.compiler.target>${java.version}</maven.compiler.target>
        </properties>
    
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
    
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-starter-oauth2</artifactId>
            </dependency>
    
            <dependency>
                <groupId>org.projectlombok</groupId>
                <artifactId>lombok</artifactId>
            </dependency>
        </dependencies>

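    1.2 ResourceServerConfig: the resource server configuration class

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

    /**
     * Resource server configuration
     *
     * @author caofanqi
     * @date 2020/2/1 20:10
     */
    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            // The id of this resource server
            resources.resourceId("order-server");
        }

    }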

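    1.3 WebSecurityConfig: the web security configuration class

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
    import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
    import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

    /**
     * Web security configuration class
     *
     * @author caofanqi
     * @date 2020/2/1 20:13
     */
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         *  Use OAuth2AuthenticationManager; the user information has to be
         *  verified against the authorization server.
         */
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
            authenticationManager.setTokenServices(tokenServices());
            return authenticationManager;
        }

        /**
         *  Configuration for validating tokens remotely
         */
        @Bean
        public ResourceServerTokenServices tokenServices(){
            RemoteTokenServices tokenServices = new RemoteTokenServices();
            // Client credentials this service presents to the authorization server
            // when it checks a token. Hard-coded for the tutorial; keep real
            // secrets in external configuration.
            tokenServices.setClientId("orderService");
            tokenServices.setClientSecret("123456");
            // The authorization server's token check endpoint
            tokenServices.setCheckTokenEndpointUrl("http://127.0.0.1:9020/oauth/check_token");
            return tokenServices;
        }

    }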

    1.4 In a controller method, the username can be obtained with @AuthenticationPrincipal

        @PostMapping
        public OrderDTO create(@RequestBody OrderDTO orderDTO, @AuthenticationPrincipal String username) {
            log.info("username is :{}", username);
            PriceDTO price = restTemplate.getForObject("http://127.0.0.1:9070/prices/" + orderDTO.getProductId(), PriceDTO.class);
            log.info("price is : {}", price.getPrice());
            return orderDTO;
        }

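    1.5 Start the project and call the create-order endpoint directly. The response is 401 because no authentication was performed, which shows that the resource server configuration has taken effect.

    1.6 Add the token obtained from the authorization server in the Authorization request header. The request now succeeds, and the console prints the token owner, zhangsan.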
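
    The following is an added example, not code from the original post, the project or Spring: a simplified, JDK-only model of the checks a resource server applies to a check_token response once a token is presented as in step 1.6. The class name, the response fields (error, active, aud, user_name, client_id) and the sample responses are assumptions constructed for illustration; no network call is made.

```java
import java.util.*;

// Added illustration, not the project's or Spring's code: a simplified model of
// the checks applied to a /oauth/check_token response before a request is served.
public class CheckTokenDecisionDemo {
    static final String RESOURCE_ID = "order-server"; // value from ResourceServerConfig

    // Returns the principal name, or throws if the token must be rejected.
    static String authenticate(Map<String, Object> response) {
        if (response == null || response.containsKey("error")) {
            throw new SecurityException("invalid token");
        }
        Object active = response.get("active"); // assumed field: when present it must be true
        if (active != null && !"true".equals(String.valueOf(active))) {
            throw new SecurityException("token is not active");
        }
        Object aud = response.get("aud"); // assumed field: resource ids the token was issued for
        Collection<?> audience = Collections.emptyList();
        if (aud instanceof Collection) audience = (Collection<?>) aud;
        else if (aud != null) audience = Collections.singletonList(aud);
        // Modelling choice: an empty audience is not treated as a mismatch, so the
        // authorization server must set resource ids for this check to restrict anything.
        if (!audience.isEmpty() && !audience.contains(RESOURCE_ID)) {
            throw new SecurityException("token was not issued for " + RESOURCE_ID);
        }
        Object user = response.get("user_name"); // assumed field: becomes the principal
        return String.valueOf(user != null ? user : response.get("client_id"));
    }

    // Builds a constructed check_token response for the demo.
    static Map<String, Object> sample(String user, boolean active, String... aud) {
        Map<String, Object> m = new HashMap<>();
        m.put("user_name", user);
        m.put("client_id", "orderApp"); // constructed client id
        m.put("active", active);
        m.put("aud", Arrays.asList(aud));
        return m;
    }

    public static void main(String[] args) {
        System.out.println(authenticate(sample("zhangsan", true, "order-server")));
        // "price-server" is a constructed resource id standing in for another service.
        for (Map<String, Object> bad : Arrays.asList(
                sample("zhangsan", true, "price-server"), sample("zhangsan", false, "order-server"))) {
            try { authenticate(bad); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```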

     

    Project source: https://github.com/caofanqi/study-security/tree/dev-ResourceServer

  • Original article: https://www.cnblogs.com/caofanqi/p/12250275.html