在將Keycloak集成到SpringBoot之前,需要先了解一下SpringSecurity代兵。
SpringSecurity 是 Spring 項目組中用來提供安全認證服務(wù)的框架,它對Web安全性的支持大量地依賴于Servlet過濾器尝哆,也就是Spring的DispatcherServlet帕棉,這些過濾器攔截請求空盼,并且在應(yīng)用程序處理該請求之前進行某些安全處理亩歹。
啟用SpringSecurity
在SpringBoot項目中匙监,啟用僅需加入依賴即可:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
先寫一個HelloWorld的Controller:
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello() {
return "hello";
}
}
啟動應(yīng)用,當(dāng)沒有配置SpringSecurity的依賴時捆憎,通過瀏覽器訪問http://localhost:8080/hello會直接顯示hello這個字符串舅柜,而在加入SpringSecurity的依賴后,頁面會自動跳轉(zhuǎn)到http://localhost:8080/login躲惰,頁面如下圖所示:
login.png
此時,我們并沒有配置任何用戶信息变抽,SpringSecurity為該項目添加了一個默認的用戶础拨,用戶名為:
user,而密碼可以在啟動的控制臺內(nèi)看到:
...
2019-12-29 21:41:08.214 INFO 74643 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2019-12-29 21:41:08.214 INFO 74643 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 940 ms
2019-12-29 21:41:08.349 INFO 74643 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2019-12-29 21:41:08.508 INFO 74643 --- [ main] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: c8c72970-1213-41da-bd41-cca672655681
2019-12-29 21:41:08.589 INFO 74643 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@11a7ba62, org.springframework.security.web.context.SecurityContextPersistenceFilter@50825a02, org.springframework.security.web.header.HeaderWriterFilter@4d33940d, org.springframework.security.web.csrf.CsrfFilter@7e8a46b7, org.springframework.security.web.authentication.logout.LogoutFilter@30135202, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@304a3655, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@ff6077, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@340b7ef6, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7923f5b3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@703feacd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@64f555e7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@30404dba, org.springframework.security.web.session.SessionManagementFilter@37c5fc56, org.springframework.security.web.access.ExceptionTranslationFilter@1ddd3478, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6ff37443]
2019-12-29 21:41:08.642 INFO 74643 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2019-12-29 21:41:08.645 INFO 74643 --- [ main] c.e.s.SecurityIntegrationApplication : Started SecurityIntegrationApplication in 1.729 seconds (JVM running for 2.182)
2019-12-29 21:41:19.460 INFO 74643 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2019-12-29 21:41:19.460 INFO 74643 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
...
在輸入完用戶名密碼后绍载,頁面會跳轉(zhuǎn)至http://localhost:8080/hello诡宗,并顯示hello這個字符串。若打開Chrome的調(diào)試工具击儡,可以看到如下:
chrome.png
在/hello這個請求中帶著這樣一段Cookie塔沃,這段Cookie就是在login成功后被設(shè)置的。
添加用戶
接下來阳谍,我們?yōu)檫@個應(yīng)用添加一些默認的用戶蛀柴,添加用戶的方式共有三種:
- 基于memory db的用戶
- 在application.properties中配置
- 從db中讀取
鑒于現(xiàn)在對SpringSecurity的了解是為了之后集成Keycloak,因此此處使用了第一種方式矫夯,也是較為簡單的方式鸽疾。為了添加用戶,我們需要對SpringSecurity進行配置训貌,需要編譯一個繼承自WebSecurityConfigurerAdapter的配置類制肮,并為該類添加@Configuration注解:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").roles("user")
.password(passwordEncoder().encode("123"))
.and()
.withUser("admin").roles("admin")
.password(passwordEncoder().encode("123"));
}
}
實現(xiàn)void configure(AuthenticationManagerBuilder auth)方法冒窍,在其中進行配置用戶信息,在此配置了兩個用戶分別為user和admin豺鼻。而上方的那個@Bean是用來給密碼加密/加鹽的综液。
在添加了這個配置類后,重啟應(yīng)用儒飒,此時在控制臺中就不再有默認的密碼信息了谬莹,再次訪問/hello,就可以通過剛剛配置的兩個用戶進行登錄了约素。
忽略某些endpoint
在我們沒有進行任何配置的情況下届良,SpringSecurity將保護所有的endpoint,通常情況下圣猎,我們是需要暴露某些endpoint的士葫,此時就需要實現(xiàn)配置類的另一個方法:
...
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/yo");
}
...
看方法名即可看出,將忽略掉/yo這個endpoint送悔。
根據(jù)role來匹配可以訪問的endpoint
在void configure(AuthenticationManagerBuilder auth)配置中慢显,我們配置了兩個用戶,并且分別給與了兩個不同的身份欠啤,若想根據(jù)身份的不同來限制訪問荚藻,就需要實現(xiàn)另一個方法了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin").hasRole("admin")
.antMatchers("/hello").hasRole("user")
.anyRequest().authenticated()
.and()
.formLogin();
}
我們逐一來解釋一下:
.authorizeRequests(): 表示開始配置訪問權(quán)限;
.antMatchers("/admin").hasRole("admin"): admin這個endpoint洁段,只有admin身份的用戶可以訪問应狱,若使用user身份的用戶登錄時,是無法訪問admin這個endpoint的祠丝;
.anyRequest().authenticated(): 通常和上述身份配置共同使用疾呻,它表示其余的endpoint都需要登錄后才能訪問,任何一個身份登錄后都可以訪問写半。若沒有這一配置則其余的endpoint都是public的岸蜗;
.formLogin(): 表示登錄的方式為表單登錄,也就是開篇時那個SpringSecurity為我們預(yù)制的登錄頁面叠蝇,也可以使用其他的表單形式如:.httpBasic()璃岳;
使用Postman進行登錄
以上我們看到的都是在web中的使用方式,那么如何使用Postman進行登錄呢悔捶?需要對上述配置進行修改:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin").hasRole("admin")
.antMatchers("/hello").hasRole("user")
.anyRequest().authenticated()
.and()
.formLogin() //if loginPage(String) is not specified a default login page will be generated.
.loginPage("/login")
.successHandler((request, response, authentication) -> {
RespBean ok = RespBean.ok("登錄成功铃慷!",authentication.getPrincipal());
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
out.write(new ObjectMapper().writeValueAsString(ok));
out.flush();
out.close();
})
.failureHandler((request, response, exception) -> {
RespBean error = RespBean.error("登錄失敗炎功!", null);
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
out.write(new ObjectMapper().writeValueAsString(error));
out.flush();
})
.permitAll()
.and()
.csrf().disable();
}
在這個方法中配置了一些handler已經(jīng)登錄需要用到的endpoint:/login枚冗,對于loginPage這樣也進行了聲明,并在HelloController中進行了重新的定義蛇损,目的是用于覆蓋SpringBoot自帶的登錄頁面:
@GetMapping("/login")
public RespBean login() {
return RespBean.error("尚未登錄赁温,請登錄", null);
}
并且通過successHandler以及failureHandler重寫了登錄成功和失敗的處理邏輯坛怪。.permitAll()用于打開login這個endpoint的訪問權(quán)限,任何人都可訪問它股囊。.csrf().disable()用于關(guān)閉CSRF袜匿。此時,便可以在Postman中使用Post請求進行登錄稚疹,此處的編碼方式選擇為form-data
postman.png
在Postman中便可在同一個session中訪問
/hello了居灯。
使用JSON的方式進行登錄
上面的例子我們發(fā)送login請求時,使用的是form-data的編碼方式内狗,若想使用JSON格式登錄怪嫌,則需要進行進一步的改寫。如果我們打個斷點在登錄的handler上柳沙,可以發(fā)現(xiàn)驗證用戶名密碼的功能是由一個UsernamePasswordAuthenticationFilter來處理的岩灭,也是由這個Filter來提取form-data中的數(shù)據(jù)的,若想使用JSON來登錄赂鲤,需要自定義一個Filter:
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)) {
ObjectMapper mapper = new ObjectMapper();
UsernamePasswordAuthenticationToken authRequest = null;
try (InputStream is = request.getInputStream()) {
Map<String, String> authenticationBean = mapper.readValue(is, Map.class);
String username = authenticationBean.get("username");
String password = authenticationBean.get("password");
authRequest = new UsernamePasswordAuthenticationToken(username, password);
} catch (IOException e) {
e.printStackTrace();
authRequest = new UsernamePasswordAuthenticationToken("", "");
} finally {
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
} else {
return super.attemptAuthentication(request, response);
}
}
}
在配置類中需要些一個Bean:
@Bean
CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
filter.setAuthenticationSuccessHandler((request, response, authentication) -> {
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
RespBean respBean = RespBean.ok("登錄成功!", authentication.getPrincipal());
out.write(new ObjectMapper().writeValueAsString(respBean));
out.flush();
out.close();
});
filter.setAuthenticationFailureHandler((request, response, exception) -> {
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
RespBean respBean = RespBean.error("登錄失敗!", null);
out.write(new ObjectMapper().writeValueAsString(respBean));
out.flush();
out.close();
});
filter.setAuthenticationManager(authenticationManagerBean()); // ?
return filter;
}
有了這個Bean之后噪径,就可以在config中來替換原來的Filter了:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
http.authorizeRequests()
.antMatchers("/admin").hasRole("admin")
.antMatchers("/hello").hasRole("user")
.anyRequest().authenticated()
.and()
.csrf().disable();
}
此時便可在Postman中使用JSON登錄了:
postman.png
集成JWT
在前后端分離的情況下,用戶身份的校驗通常是基于一個token的数初,而比較成熟的方案便是JWT找爱,接下來我們看看在SpringSecurity中如何集成JWT。
- 引入依賴:
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
- 添加Filter
有了上一小節(jié)的實踐后泡孩,當(dāng)需要更改登錄方式時车摄,可以使用添加Filter的方式,集成JWT也使用了相同的套路仑鸥。
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password(passwordEncoder().encode("123")).roles("user")
.and()
.withUser("admin").password("456").roles("admin");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/hello").hasRole("user")
.antMatchers("/admin").hasRole("admin")
.antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(new JwtLoginFilter("/login",authenticationManager()), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new JwtFilter(), UsernamePasswordAuthenticationFilter.class)
.csrf().disable();
}
}
此處练般,添加了兩個Filter:
.addFilterBefore(new JwtLoginFilter("/login",authenticationManager()), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new JwtFilter(), UsernamePasswordAuthenticationFilter.class)
一個用于登錄,一個用于登錄后驗證token的有效性锈候。
public class JwtLoginFilter extends AbstractAuthenticationProcessingFilter {
protected JwtLoginFilter(String defaultFilterProcessesUrl, AuthenticationManager authenticationManager) {
super(new AntPathRequestMatcher(defaultFilterProcessesUrl));
setAuthenticationManager(authenticationManager);
}
@Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
User user = new ObjectMapper().readValue(httpServletRequest.getInputStream(), User.class);
return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword()));
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
Collection<? extends GrantedAuthority> authorities = authResult.getAuthorities();
StringBuffer as = new StringBuffer();
// 將用戶角色遍歷然后用一個 , 連接起來
for (GrantedAuthority authority : authorities) {
as.append(authority.getAuthority()).append(",");
}
String jwt = Jwts.builder()
.claim("authorities", as) // 用戶的所有角色,用 , 分割
.setSubject(authResult.getName())
.setExpiration(new Date(System.currentTimeMillis() + 10 * 60 * 1000))
.signWith(SignatureAlgorithm.HS512, "test")
.compact();
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
out.write(new ObjectMapper().writeValueAsString(jwt));
out.flush();
out.close();
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
out.write("登錄失敗!");
out.flush();
out.close();
}
}
public class JwtFilter extends GenericFilterBean {
// 將提取出來的 token 字符串轉(zhuǎn)換為一個 Claims 對象敞贡,
// 再從 Claims 對象中提取出當(dāng)前用戶名和用戶角色泵琳,
// 創(chuàng)建一個 UsernamePasswordAuthenticationToken 放到當(dāng)前的 Context 中,
// 然后執(zhí)行過濾鏈使請求繼續(xù)執(zhí)行下去誊役。
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
String jwtToken = req.getHeader("authorization");
Jws<Claims> jws = Jwts.parser()
.setSigningKey("test")
.parseClaimsJws(jwtToken.replace("Bearer", ""));
Claims claims = jws.getBody();
String username = claims.getSubject();
List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList((String) claims.get("authorities"));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, null, authorities);
SecurityContextHolder.getContext().setAuthentication(token);
filterChain.doFilter(servletRequest, servletResponse);
}
}
同時也需要一個實現(xiàn)UserDetails協(xié)議的User類:
@Data
public class User implements UserDetails {
private String username;
private String password;
private List<GrantedAuthority> authorities;
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
此時获列,便可以使用Postman發(fā)起登錄請求獲取token了:
login.png
登錄成功后,可以使用這個token進行訪問了:
access by jwt.png
