螞蟻課堂 (Mayikt Classroom)
1. How to make sure API endpoints are called correctly and securely
2. Designing an OAuth2.0 authorization server
3. The four grant types of the OAuth2.0 protocol
4. Calling an API with OAuth2.0
OAuth2.0 grant types
Authorization code grant
Implicit grant
Resource owner password credentials grant
Client credentials grant
(The implicit and password grants are discouraged by the OAuth 2.0 Security Best Current Practice; the authorization code grant used below is the recommended choice for most applications.)
Authorization code grant
Maven dependencies
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.1.RELEASE</version>
</parent>
<dependencies>
    <!-- Spring Boot web starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <!-- Spring Boot FreeMarker starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-freemarker</artifactId>
    </dependency>
    <!-- Spring Boot Security starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <!-- Spring Security OAuth2 (the legacy Spring Security OAuth project, now end-of-life; the course code targets it) -->
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.2.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.6.0</version>
    </dependency>
    <!-- Not used by the code on this page; fastjson releases before 1.2.83 have known deserialization CVEs, so upgrade or drop it -->
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.62</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
    </dependency>
</dependencies>
Configuration classes (authorization server, port 8080)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt for the user password and (in AuthorizationConfig) the client secret: stored values are hashes, never plaintext
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // The resource owner who logs in at /oauth/authorize (in-memory user, demo only)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("mayikt")
            .password(passwordEncoder().encode("123456"))
            .authorities("/*"); // authority names are arbitrary strings; "/*" is not a path pattern
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated() // every request must be authenticated
            .and()
                .httpBasic()                  // HTTP Basic login
            .and()
                .csrf().disable();            // disables CSRF protection (not CORS); acceptable for this demo, not for a real login/consent UI
    }
}
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            // Let clients send client_id/client_secret as form parameters instead of HTTP Basic
            .allowFormAuthenticationForClients()
            // Demo setting: anyone may call /oauth/check_token. Use "isAuthenticated()" so that only
            // authenticated clients (the resource server) can introspect tokens
            .checkTokenAccess("permitAll()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // client_id (appid)
            .withClient("mayikt")
            // client_secret (appsecret), stored as a BCrypt hash
            .secret(passwordEncoder.encode("mayikt_secret"))
            // only the authorization code grant is allowed for this client
            .authorizedGrantTypes("authorization_code")
            // scopes this client may request
            .scopes("all")
            // resource id: the resource server must declare the same id, otherwise its tokens are rejected
            .resourceIds("mayikt_resource")
            // registered callback; the redirect_uri in requests must match it exactly (use https outside a demo)
            .redirectUris("http://www.mayikt.com/callback");
    }
}
Open the authorization link to obtain an authorization code (log in as the in-memory user mayikt/123456 over HTTP Basic and approve the scope; the server then redirects to the registered callback with ?code=...):
http://localhost:8080/oauth/authorize?client_id=mayikt&response_type=code
redirect_uri may be omitted here only because a single callback is registered for the client. A real client should also send a random state parameter and check that the callback echoes it, so that a code injected by an attacker cannot be bound to the user's session.
Exchange the authorization code for an access token
Endpoint: http://localhost:8080/oauth/token (POST; by default Spring Security OAuth rejects GET on this endpoint with 405 unless allowedTokenEndpointRequestMethods explicitly enables it)
code: the authorization code
grant_type: authorization_code
redirect_uri: the callback address, identical to the one used in the authorize step
scope: the requested scope
http://localhost:8080/oauth/token?code=IDXeHy&grant_type=authorization_code&redirect_uri=http://www.mayikt.com/callback&scope=all (the same parameters go in the POST form body)
Calling /oauth/token like this returns 401 Unauthorized.
Fix:
The token endpoint requires client authentication: send client_id and client_secret (mayikt / mayikt_secret) as the HTTP Basic username and password. These are the client's credentials, not the user's; a code can only be redeemed by the client it was issued to. With allowFormAuthenticationForClients() they may alternatively be sent as the form fields client_id and client_secret.
Example response: access_token=dc9bce8a-7657-44bb-b6b6-1e4baecdfd7b (a bearer token; the JSON response also carries token_type, expires_in and scope)
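The two steps above, played end to end as an added example (a language-neutral model of the exchange, not the course's Spring code). It reuses the course's client mayikt / mayikt_secret, user mayikt and callback URL, and adds the checks a real authorization server must make that the walkthrough skips: exact redirect_uri matching, HTTP Basic client authentication on /oauth/token (the source of the 401 above), single-use codes whose replay revokes the issued token, and a state value the client verifies. The salted SHA-256 stands in for BCrypt, and code and token values are generated at random; nothing here contacts a server.

```python
# Added example: an offline model of the authorization code exchange (RFC 6749 sec. 4.1),
# not the course's Spring code. Client, user and callback are the course's; the hashing
# stand-in, the state parameter and the generated code/token values are assumptions.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK = "http://www.mayikt.com/callback"


class OAuthError(Exception):
    """Carries the RFC 6749 error code (invalid_client, invalid_grant, ...)."""


def _hash_secret(secret):
    # Stand-in for BCryptPasswordEncoder: the server stores a hash, never the raw secret.
    return hashlib.sha256(("demo-salt:" + secret).encode()).hexdigest()


class AuthorizationServer:
    def __init__(self):
        # Same registration as clients.inMemory().withClient("mayikt") above.
        self.clients = {"mayikt": {"secret_hash": _hash_secret("mayikt_secret"),
                                   "redirect_uris": {CALLBACK}, "scopes": {"all"},
                                   "resource_ids": ["mayikt_resource"]}}
        self.codes = {}    # code -> issuance record
        self.tokens = {}   # access_token -> check_token response

    def authorize(self, client_id, redirect_uri, state, user, scope="all"):
        """GET /oauth/authorize after the user logged in and approved; returns the redirect Location."""
        client = self.clients.get(client_id)
        if client is None:
            raise OAuthError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:
            # Exact match only: prefix or substring matching lets an attacker receive the code.
            raise OAuthError("invalid_request: redirect_uri mismatch")
        if scope not in client["scopes"]:
            raise OAuthError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "scope": scope, "used": False, "token": None}
        # state is echoed back untouched so the client can tie the response to its own request.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, authorization_header, form):
        """POST /oauth/token; the 401 seen above is this client-authentication check failing."""
        client_id, client = self._authenticate_client(authorization_header)
        if form.get("grant_type") != "authorization_code":
            raise OAuthError("unsupported_grant_type")
        record = self.codes.get(form.get("code", ""))
        if record is None or record["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        if record["used"]:
            # Code replay: RFC 6749 sec. 4.1.2 says revoke whatever was issued for it.
            self.tokens.pop(record["token"], None)
            raise OAuthError("invalid_grant: code already used")
        if form.get("redirect_uri") != record["redirect_uri"]:
            raise OAuthError("invalid_grant: redirect_uri mismatch")
        token = secrets.token_hex(16)
        record["used"], record["token"] = True, token
        self.tokens[token] = {"active": True, "client_id": client_id, "user_name": record["user"],
                              "scope": [record["scope"]], "aud": client["resource_ids"]}
        return {"access_token": token, "token_type": "bearer", "scope": record["scope"]}

    def check_token(self, token):
        """/oauth/check_token: what RemoteTokenServices on the resource server asks for."""
        return self.tokens.get(token, {"active": False})

    def _authenticate_client(self, authorization_header):
        if not authorization_header or not authorization_header.startswith("Basic "):
            raise OAuthError("invalid_client: HTTP Basic client credentials required")
        try:
            client_id, secret = base64.b64decode(authorization_header[6:]).decode().split(":", 1)
        except Exception:
            raise OAuthError("invalid_client")
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret_hash"], _hash_secret(secret)):
            raise OAuthError("invalid_client")
        return client_id, client


def basic_auth(client_id, secret):
    """The Authorization header a client sends to /oauth/token."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def parse_redirect(location):
    """Client side: code and state from the redirect the browser followed."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


def run_code_flow(server, state):
    """Plays the client end to end; returns the token response once state has been verified."""
    params = parse_redirect(server.authorize("mayikt", CALLBACK, state, user="mayikt"))
    if params.get("state") != state:
        raise OAuthError("state mismatch: response does not belong to this request")
    form = {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": CALLBACK, "scope": "all"}
    return server.token(basic_auth("mayikt", "mayikt_secret"), form)
```

run_code_flow(AuthorizationServer(), "some-random-state") returns the token response; calling server.token a second time with the same code raises invalid_grant and deactivates the token that was issued, which is the behaviour to look for when testing a real server.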
Resource server
Configuration classes (resource server, port 8081)
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/**
 * Resource server (the authorization server runs separately on port 8080)
 */
@Configuration
@EnableResourceServer
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    // Credentials of the client registered on the authorization server. The properties file is not shown on
    // this page; it is assumed to contain mayikt.appid=mayikt and mayikt.appsecret=mayikt_secret
    @Value("${mayikt.appid}")
    private String mayiktAppId;
    @Value("${mayikt.appsecret}")
    private String mayiktAppSecret;

    // Not used by RemoteTokenServices; kept from the course code
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Primary
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        final RemoteTokenServices tokenServices = new RemoteTokenServices();
        // Full URL of the authorization server's check_token endpoint; every incoming token is introspected there
        tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        // Client id and secret, sent as HTTP Basic on each check_token call. The raw secret is needed here,
        // not its BCrypt hash; outside a demo the endpoint must be https, since the secret travels with every call
        tokenServices.setClientId(mayiktAppId);
        tokenServices.setClientSecret(mayiktAppSecret);
        return tokenServices;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Session creation policy
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
        //@formatter:off
        // Every request must carry a valid token
        http.authorizeRequests()
            .anyRequest().authenticated();
        //@formatter:on
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Must match the resourceIds registered for the client; tokens whose aud lacks it are rejected.
        // stateless(true): authenticate from the bearer token on every request, never from a session
        resources.resourceId("mayikt_resource").stateless(true);
    }
}
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Protected endpoint: reachable only with a valid bearer token
@RestController
public class MemberService {
    @GetMapping("/getMember")
    public String getMember() {
        return "I am the member service endpoint";
    }
}
Calling the endpoint with the token
127.0.0.1:8081/getMember, with the token passed either as the access_token query parameter
or directly in the request header:
Authorization: Bearer a9011867-236b-4751-a508-48ceed63bffc
Prefer the header: a token in the query string ends up in access logs, proxies and browser history.
The authorization server's OAuth API endpoints
1. Obtain an access token (/oauth/token)
2. Check whether a token is valid (/oauth/check_token); this is the introspection call the resource server makes for every incoming request
http://localhost:8080/oauth/check_token?token=ea2c1b1e-5541-4018-8728-07f1ac87e9e8
3. Refresh the token (/oauth/token with grant_type=refresh_token; the client must also list refresh_token in authorizedGrantTypes)
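What the resource server does with the bearer token from the request above and the check_token call under point 2, as an added example (a Python model, not the course's Spring code). It mirrors ResourceConfig plus RemoteTokenServices: take the token from the Authorization header or the access_token query parameter, introspect it, and accept it only if it is active and its aud contains this server's resource id. The check_token replies are constructed inline in place of a live authorization server; the wrong-audience and expired tokens are made up for the example.

```python
# Added example (not the course's Spring code): per-request token validation on the resource server.
# The introspection table stands in for http://localhost:8080/oauth/check_token; the token values other
# than the one quoted on the page are constructed.
from urllib.parse import parse_qs

RESOURCE_ID = "mayikt_resource"   # resources.resourceId("mayikt_resource") above

# Constructed /oauth/check_token responses keyed by token value
FAKE_CHECK_TOKEN = {
    "a9011867-236b-4751-a508-48ceed63bffc": {"active": True, "client_id": "mayikt", "user_name": "mayikt",
                                             "scope": ["all"], "aud": ["mayikt_resource"]},
    "wrong-audience-token": {"active": True, "client_id": "other", "user_name": "bob",
                             "scope": ["all"], "aud": ["billing_resource"]},
    "expired-token": {"active": False, "error": "invalid_token"},
}


def introspect(token, check_token=FAKE_CHECK_TOKEN.get):
    """check_token stands in for the HTTP call RemoteTokenServices makes; unknown tokens are inactive."""
    return check_token(token) or {"active": False}


def extract_bearer(headers, query_string=""):
    """Like Spring's BearerTokenExtractor: Authorization header first, then the access_token parameter."""
    auth = headers.get("Authorization", "")
    if auth[:7].lower() == "bearer " and auth[7:].strip():
        return auth[7:].strip(), "header"
    params = parse_qs(query_string)
    if params.get("access_token"):
        # Accepted, but the token then lands in access logs, proxies and browser history: prefer the header
        return params["access_token"][0], "query"
    return None, None


def authenticate_request(headers, query_string="", check_token=FAKE_CHECK_TOKEN.get):
    """Returns (status, body): 401 for a missing or invalid token, 403 for a token minted for another API."""
    token, source = extract_bearer(headers, query_string)
    if token is None:
        return 401, {"error": "unauthorized", "error_description": "Full authentication is required"}
    info = introspect(token, check_token)
    if not info.get("active"):
        return 401, {"error": "invalid_token"}
    if RESOURCE_ID not in info.get("aud", []):
        # Same rule the resource id check enforces: a token issued for billing_resource is useless here
        return 403, {"error": "access_denied",
                     "error_description": "token does not contain resource id " + RESOURCE_ID}
    return 200, {"user": info["user_name"], "scope": info["scope"], "token_source": source}


def get_member(headers, query_string=""):
    """The /getMember endpoint behind the token filter."""
    status, body = authenticate_request(headers, query_string)
    if status != 200:
        return status, body
    return 200, {"message": "I am the member service endpoint", "user": body["user"]}
```

get_member({"Authorization": "Bearer a9011867-236b-4751-a508-48ceed63bffc"}) succeeds, the same token in the query string succeeds but is reported as token_source "query", and a token whose aud names another resource is refused even though it is active, which is why the client's resourceIds and the resource server's resourceId must agree.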