Official site
https://docs.spring.io/spring-authorization-server
1. Concept overview
https://zhuanlan.zhihu.com/p/496695229?utm_id=0
2. Latest practical usage
https://mp.weixin.qq.com/s?__biz=Mzg3Njc1NjAxMw==&mid=2247484868&idx=1&sn=6ea61f66cf57badc4b2434dfa84aa745&chksm=cf2c2886f85ba190808469a0c7f2b526808553c917922ca680a0f0bcf9ed2787893b18124c20&cur_album_id=2823815577264685059&scene=189#wechat_redirect
In Spring Security OAuth2, the complete flow for obtaining a token is tokenEndpoint --> tokenGranter --> AuthenticationManager --> ProviderManager --> TokenService --> AccessTokenConverter --> token.
1.1 tokenEndpoint comparison
Token conversion: accessTokenRequestConverter
Authentication provider: AuthenticationProvider
Request matcher: RequestMatcher
tokenEndpoint
Token endpoint: /oauth2/token
Token introspection endpoint: /oauth2/introspect
1.2 tokenEndpoint: token endpoint configuration
Of course, if you want to change these endpoints, just customize them. For example, to change the token endpoint to /oauth2/token/test:

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;

// Only the token endpoint path is overridden here; every other endpoint keeps its default path
@Bean
public AuthorizationServerSettings authorizationServerSettings() {
    return AuthorizationServerSettings.builder()
            .tokenEndpoint("/oauth2/token/test")
            .build();
}
1.3.1 Resource server configuration
Only the SecurityFilterChain filter chain needs to be configured:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
// PigDaoAuthenticationProvider, FormAuthenticationFailureHandler and SsoLogoutSuccessHandler
// are this project's own classes (not part of Spring Security)

@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http
            // Open the custom login endpoints to anonymous access; everything else needs authentication
            .authorizeRequests(authorizeRequests -> authorizeRequests
                    .antMatchers("/token/*").permitAll()
                    .anyRequest().authenticated())
            .headers()
            .frameOptions()
            .sameOrigin() // allow same-origin iframes so that login inside an iframe works
            .and()
            // Custom form login
            .apply(new FormIdentityLoginConfigurer());
    // Handles UsernamePasswordAuthenticationToken (username/password login)
    http.authenticationProvider(new PigDaoAuthenticationProvider());
    return http.build();
}

public final class FormIdentityLoginConfigurer
        extends AbstractHttpConfigurer<FormIdentityLoginConfigurer, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
        http.formLogin(formLogin -> {
                    formLogin.loginPage("/token/login");
                    formLogin.loginProcessingUrl("/token/form");
                    formLogin.failureHandler(new FormAuthenticationFailureHandler());
                })
                .logout() // SSO logout success handling
                .logoutSuccessHandler(new SsoLogoutSuccessHandler())
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .and()
                .csrf().disable();
    }
}
1.3.2 Authorization server configuration
Only the SecurityFilterChain filter chain needs to be configured:

import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;
// The Pig* handlers, SecurityConstants, accessTokenRequestConverter() and
// addCustomOAuth2GrantAuthenticationProvider() are this project's own code;
// authorizationService is the project's OAuth2AuthorizationService bean (Redis-backed)

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();
    // Customize the token endpoint
    http.apply(authorizationServerConfigurer.tokenEndpoint((tokenEndpoint) -> {
                // Plug in the custom grant AuthenticationConverter
                tokenEndpoint.accessTokenRequestConverter(accessTokenRequestConverter())
                        // Success handler (token response)
                        .accessTokenResponseHandler(new PigAuthenticationSuccessEventHandler())
                        // Failure handler (error response)
                        .errorResponseHandler(new PigAuthenticationFailureEventHandler());
            })
            // Customize client authentication
            .clientAuthentication(oAuth2ClientAuthenticationConfigurer ->
                    // Handle client authentication errors
                    oAuth2ClientAuthenticationConfigurer.errorResponseHandler(new PigAuthenticationFailureEventHandler()))
            // Custom consent page for the authorization-code endpoint
            .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint
                    .consentPage(SecurityConstants.CUSTOM_CONSENT_PAGE_URI)));

    RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();
    DefaultSecurityFilterChain securityFilterChain = http.requestMatcher(endpointsMatcher)
            .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
            // Redis-backed token store implementation
            .apply(authorizationServerConfigurer.authorizationService(authorizationService)
                    // Token endpoint settings (issuer)
                    .authorizationServerSettings(AuthorizationServerSettings.builder()
                            .issuer(SecurityConstants.PROJECT_LICENSE).build()))
            // Custom login page for authorization-code login
            .and().apply(new FormIdentityLoginConfigurer()).and().build();
    // Register the custom grant-type implementations
    addCustomOAuth2GrantAuthenticationProvider(http);
    return securityFilterChain;
}
1.4 Grant type comparison
1.4.1 The password grant is not supported by default
https://docs.spring.io/spring-authorization-server/docs/current/reference/html/overview.html
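A check worth keeping next to this configuration, as an added MockMvc test that is not part of the page or the pig project: it verifies that moving the token endpoint (section 1.2) does not quietly enable the password grant (section 1.4.1), and that the introspection endpoint still demands client authentication even though /token/* is open anonymously in 1.3.1. It assumes the AuthorizationServerSettings bean from 1.2 is active, no custom grant provider has been registered, and a registered client with the hypothetical credentials test-client / test-secret uses client_secret_basic.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not from the page or the pig project. Assumes the token endpoint
// was moved to /oauth2/token/test (section 1.2) and that "test-client" / "test-secret"
// (hypothetical values) is a registered client using client_secret_basic.
@SpringBootTest
@AutoConfigureMockMvc
class AuthorizationServerEndpointTest {

    @Autowired
    MockMvc mockMvc;

    // The moved token endpoint is served, but grant_type=password is refused
    // unless a custom grant provider has been registered (section 1.4.1):
    // no built-in AuthenticationConverter accepts it, so the filter answers
    // 400 {"error":"unsupported_grant_type"} after client authentication.
    @Test
    void passwordGrantIsRejectedOnCustomTokenEndpoint() throws Exception {
        mockMvc.perform(post("/oauth2/token/test")
                        .with(httpBasic("test-client", "test-secret"))
                        .param("grant_type", "password")
                        .param("username", "user")
                        .param("password", "user-password"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.error").value("unsupported_grant_type"));
    }

    // /oauth2/introspect is matched by the authorization-server chain
    // (anyRequest().authenticated()), so a request without client credentials
    // must get 401 rather than leaking token metadata.
    @Test
    void introspectionRequiresClientAuthentication() throws Exception {
        mockMvc.perform(post("/oauth2/introspect")
                        .param("token", "opaque-token-value")) // constructed sample value
                .andExpect(status().isUnauthorized());
    }
}
```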