03 springsecurity通过oauth2完成单点登录
springsecurity对oauth2有着很好的支持,这一节我们将整合它们完成单点登录。
1、前提约束
- idea2018.1
- maven3.6.1
2、操作步骤
2.1 创建auth-server
auth-server当中包括资源服务器,授权服务器,认证服务器,其他客户端的请求都会到这里通过认证获取资源。
- 创建springboot项目,依赖如下:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.2.1.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.1.9.RELEASE</version>
</dependency>
- 配置application.yml
server:
port: 8003
servlet:
context-path: '/auth'
- 设置主启动类
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
@SpringBootApplication
@EnableResourceServer//资源服务器
public class AuthServerApplication {
public static void main(String[] args) {
SpringApplication.run(AuthServerApplication.class, args);
}
}
- 在主启动类同级目录下,创建AuthServerConfig.java以完成授权服务器:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import javax.annotation.Resource;
/**
* 授权服务器配置
*/
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
@Resource
private BCryptPasswordEncoder passwordEncoder;
@Override
public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll")
.checkTokenAccess("isAuthenticated()");
}
@Override
/**
* ClientDetailsServiceConfigurer 能够使用内存或 JDBC 方式实现获取已注册的客户端详情,有几个重要的属性:
*
* clientId:客户端标识 ID(账号)
* secret:客户端安全码(密码)
* scope:客户端访问范围,默认为空则拥有全部范围
* authorizedGrantTypes:客户端使用的授权类型,默认为空
* authorities:客户端可使用的权限
*/
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("SampleClientId")
.secret(passwordEncoder.encode("secret"))
.authorizedGrantTypes("authorization_code")
.scopes("user_info")
.autoApprove(true)
.redirectUris("http://localhost:8001/login", "http://localhost:8002/login");
}
}
- 在主启动类同级目录下创建SecurityConfig.java以完成安全设置:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/login", "/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll()
.and().csrf().disable();
}
@Override
//登录密码应该从数据库中获取,这个例子中固定是为了方便
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("ali")
.password(passwordEncoder().encode("123456"))
.roles("USER");
}
@Bean
//密码加密
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
- 在主启动类同级目录下创建UserController.java,提供获取用户信息的api
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.security.Principal;
@RestController
public class UserController {
@GetMapping(value = "/user")
public Principal me(Principal principal) {
System.out.println("调用me接口获取用户信息:" + principal);
return principal;
}
}
- 启动,测试,访问http://localhost:8003/auth/login,进入以下页面:
![中心服务器登录页面]()
2.2 创建客户端client1
client1就是访问中心服务器的客户端。
- 创建springboot项目client1,依赖如下:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- 引入thymeleaf和thymeleaf security的依赖 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>2.0.0.RELEASE</version>
<scope>compile</scope>
</dependency>
- 修改application.yml
server:
port: 8001 #client2要改为8002
servlet:
session:
cookie:
name: CLIENT1_SESSION #client2要改为CLIENT2_SESSION
security:
oauth2:
client:
client-id: SampleClientId
client-secret: secret
access-token-uri: http://localhost:8003/auth/oauth/token # 获取tokenurl
user-authorization-uri: http://localhost:8003/auth/oauth/authorize #授权url
resource:
user-info-uri: http://localhost:8003/auth/user # 从授权服务器获取当前登录用户信息的地址
spring:
thymeleaf:
cache: false
main:
allow-bean-definition-overriding: true
- 在项目/src/main/resources/templates文件夹下创建index.html和welcome.html
index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SSO</title>
</head>
<body>
<!--注意,client2要改为客户端2-->
<h1>SSO 客户端1</h1>
<a class="btn btn-primary" href="welcome">Login</a>
</div>
</body>
</html>
welcome.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>SSO</title>
</head>
<body>
<!--注意,client2要改为客户端2-->
<h1>客户端1</h1>
你好, <span th:text="${#authentication.name}"></span>
</div>
</body>
</html>
- 在主启动类同级目录下创建MySecurityConfig.java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableOAuth2Sso
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/", "/login")
.permitAll()
.anyRequest()
.authenticated();
}
}
- 在主启动类同级目录下创建PageController.java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class PageController {
@GetMapping(value = "")
public String index() {
return "index.html";
}
@GetMapping(value = "welcome")
public String home() {
return "welcome.html";
}
}
2.3 以同样的方式创建client2,注意要修改的地方上面已经标出。
2.4 测试
- 启动auth-server,client1, client2
- 先访问http://localhost:8001,得到以下界面:
![客户端1登录界面]()
- 点击Login,进入auth-server的登录界面
![中心服务器的登录界面]()
- 输入ali/123456,点击Sign In,回调到client1的欢迎界面
![client1的欢迎界面]()
- 访问http://localhost:8002,得到以下界面:
![客户端2登录界面]()
- 点击Login,不用再次登录,直接进入client2的欢迎界面
![客户端2欢迎界面]()
以上就是我们使用springsecurity和oauth2完成的单点登录。
浙公网安备 33010602011771号