公司项目是基于dubbo和zookeeper在门户项目端提供接口统一鉴权的，一直没有接触过spring security。出于好奇一直想了解下spring security怎么使用以及oauth2和jwt的鉴权过程，这次学习过程中将spring security搭上oauth2和jwt做一个示例程序。

OAuth 2.0

OAuth 2.0是一套关于授权的开放标准，主要针对第三方应用认证授权场景，详细信息可参考RFC 6749。
OAuth 2.0定义了四个角色：

• resource owner：资源所有者，即用户本身
• resource server：资源服务器，服务提供商存放用户应用资源的服务器
• client：客户端，即第三方应用
• authorization server：授权服务器，服务提供商专门处理认证授权的服务器

打个比方，我打开简书发现没有账号但又懒得注册，点击使用QQ账号登录，那么这里的我就是resource owner，简书是client，QQ保存账号信息比如头像的服务器就是resource server，QQ用来处理登录授权的服务器就是authorization server，如果以上操作按照OAuth 2.0的标准，它的流程大致如下：

OAuth 2.0授权流程

其中关键就是授权码token的获取，对于token的获取OAuth 2.0定义了四种方式：

• Authorization Code：授权码模式，例如微信上给第三方小程序授权
• Implicit：简化模式，授权码模式的简化版本，嫌授权码模式麻烦时用
• Resource Owner Password Credentials：资源所有者密码凭证模式，一般高信任的内部应用间使用
• Client Credentials：客户端凭证模式，一般用于开放API调用

JWT

即JSON Web Token的缩写，json格式的token，包含三部分：

• Header：头部，包含类型和签名算法名称
• Payload：载荷，主要内容，包含需要传递的信息
• Signature：签名，对头部和载荷哈希后的内容

使用JWT主要是服务器端不需要存储token，资源服务器也不需要访问授权服务器验证token，每次访问只需对应资源服务器验证token有效性，减少服务器开销。

Spring security

Spring security框架基于OAuth 2.0做了相关实现，我们只需要做相应的配置就能实现一个基于OAuth 2.0和JWT的授权服务。

引入相关依赖

这里是使用gradle做依赖管理

dependencies {
    compile group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.1.3.RELEASE'
    compile group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.1.3.RELEASE'
    compile group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa', version: '2.1.3.RELEASE'
    compile group: 'org.springframework.cloud', name: 'spring-cloud-starter-security', version: '2.1.1.RELEASE'
    compile group: 'org.springframework.cloud', name: 'spring-cloud-starter-oauth2', version: '2.1.1.RELEASE'
    compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.8.1'
    compile group: 'com.google.code.gson', name: 'gson', version: '2.8.5'
    compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.9.8'

    runtime group: 'com.alibaba', name: 'druid', version: '1.1.13'
    runtime group: 'mysql', name: 'mysql-connector-java', version: '5.1.47'
}

配置spring security

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService authUserDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(authUserDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/oauth/**").permitAll();
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

配置授权服务器

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private TokenStore jwtTokenStore;

    @Autowired
    private JwtAccessTokenConverter jwtAccessTokenConverter;

    @Autowired
    @Qualifier("jwtTokenEnhancer")
    private TokenEnhancer jwtTokenEnhancer;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        //允许表单认证
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("client_admin")
                .resourceIds("resource")
                .authorizedGrantTypes("password", "client_credentials", "refresh_token")
                .scopes("read")
                .authorities("admin")
                .secret(passwordEncoder.encode("123456"))
                .accessTokenValiditySeconds(3 * 60 * 60)
                .refreshTokenValiditySeconds(6 * 60 * 60);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
        List<TokenEnhancer> enhancerList = new ArrayList<>();
        enhancerList.add(jwtTokenEnhancer);
        enhancerList.add(jwtAccessTokenConverter);
        enhancerChain.setTokenEnhancers(enhancerList);

        endpoints.authenticationManager(authenticationManager)
                .tokenStore(jwtTokenStore)
                .accessTokenConverter(jwtAccessTokenConverter)
                .tokenEnhancer(enhancerChain)
                .exceptionTranslator(loggingExceptionTranslator());
    }

    @Bean
    public WebResponseExceptionTranslator loggingExceptionTranslator() {
        return new DefaultWebResponseExceptionTranslator() {
            private Log log = LogFactory.getLog(getClass());

            @Override
            public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
                //异常堆栈信息输出
                log.error("异常堆栈信息", e);
                return super.translate(e);
            }
        };
    }
}

配置资源服务器

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private ResourceServerTokenServices resourceJwtTokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        //resource资源只允许基于令牌的身份验证
        resources.resourceId("resource").stateless(true);
        resources.tokenServices(resourceJwtTokenServices);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                // 由于我们希望在用户界面中访问受保护的资源，因此我们需要允许创建会话
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
                .requestMatchers().anyRequest()
                .and()
                //启用匿名登录，不可访问受保护资源
                .anonymous()
                .and()
                .authorizeRequests()
                //配置protected访问控制，必须认证过后才可以访问
                .antMatchers("/protected/**").authenticated();
    }
}

JWT配置

@Configuration
public class JwtTokenConfig {

    private static KeyPair KEY_PAIR;

    //此处只有在授权服务器和资源服务器在一起的时候才能这样搞，实际使用RSA还是需要用JDK和openssl去生成证书
    static {
        try {
            KEY_PAIR = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }


    @Autowired
    private SystemAccountDao systemAccountDao;

    @Bean
    public TokenStore jwtTokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter();
        accessTokenConverter.setKeyPair(KEY_PAIR);
        return accessTokenConverter;
    }

    @Bean
    public ResourceServerTokenServices resourceJwtTokenServices() {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        // 使用自定义的Token转换器
        defaultTokenServices.setTokenEnhancer(jwtAccessTokenConverter());
        // 使用自定义的tokenStore
        defaultTokenServices.setTokenStore(jwtTokenStore());
        return defaultTokenServices;
    }

    /**
     * token信息扩展
     */
    @Bean
    public TokenEnhancer jwtTokenEnhancer() {
        return new TokenEnhancer() {
            @Override
            public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
                Authentication userAuthentication = authentication.getUserAuthentication();
                if (userAuthentication != null) {
                    String userName = userAuthentication.getName();
                    List<SystemAccount> list = systemAccountDao.findByAccount(userName);
                    if (list != null && !list.isEmpty()) {
                        SystemAccount account = list.get(0);
                        Map<String, Object> additionalInformation = new HashMap<>();
                        Map<String, String> map = new HashMap<>();
                        map.put("account", account.getAccount());
                        map.put("createTime", account.getCreateTime().toString());
                        map.put("state", String.valueOf(account.getState()));
                        additionalInformation.put("user", GsonUtil.toJson(map));
                        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInformation);
                    }
                }
                return accessToken;
            }
        };
    }
}

配置UserService

@Component
public class AuthUserDetailsService implements UserDetailsService {

    @Autowired
    private SystemAccountDao systemAccountDao;

    @Autowired
    private SystemAccountRoleDao systemAccountRoleDao;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<SystemAccount> list = systemAccountDao.findByAccount(username);
        if (list != null && !list.isEmpty()) {
            SystemAccount account = list.get(0);
            List<SystemAccountRole> roleList = systemAccountRoleDao.findByAccountId(account.getId());
            Collection<SimpleGrantedAuthority> authorities = new HashSet<>();
            if (roleList != null && !roleList.isEmpty()) {
                for (SystemAccountRole accountRole : roleList) {
                    authorities.add(new SimpleGrantedAuthority(String.valueOf(accountRole.getRoleId())));
                }
            }
            return new User(username, account.getPassword(),
                    account.getState() == 1, true, true, true,
                    authorities);
        }
        return null;
    }
}

password模式访问示例

password模式访问

客户端模式访问示例

客户端模式访问

携带token访问受保护资源

携带token访问受保护资源

项目地址

示例项目代码可到我的Github上下载：https://github.com/DexterQY/authentication