3 基于 SpringBoot 实现认证/授权
3.1 授权服务器(Authorization Server)
(1) pom.xml
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth2</artifactId> </dependency>
(2) application.properties
server.port=8110 ## 监听端口
(3) AuthorizationServerApplication.java
@EnableResourceServer // 启用资源服务器 public class AuthorizationServerApplication { // ... }
(4) 配置授权服务的参数
@Configuration @EnableAuthorizationServer public class Oauth2AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter { @Override public void configure(final ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("webapp").secret("secret") //客户端 id/secret .authorizedGrantTypes("authorization code") //授权妈模式 .scopes("user_info") .autoApprove(true) //自动审批 .accessTokenValiditySeconds(3600); //有效期1hour } } @Configuration public class Oauth2WebSecurityConfigurer extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requestMatchers() .antMatchers("/login", "/oauth/authorize/oauth/logout") .and().authorizeRequests().anyRequest().authenticated() .and().formLogin().permitAll(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("admin").password("admin123").roles("ADMIN"); } }
3.2 客户端(Client, 业务网站)
(1) pom.xml
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth2</artifactId> </dependency>
(2) application.properties
server port=8080 security.oauth2.client.client-id=webapp security.oauth2.client.client-secret=secret security.oauth2.client.access-token-uri=http://localhost:8110/oauth/token security.oauth2.client.user-authorization-uri=http://localhost:8110/oauth/authorize security.oauth2.resource.user-info-uri=http://localhost:8110/oauth/user
(3) 配置 WEB 安全
@Configuration @EnableOAuth2Sso public class Oauth2WebsecurityConfigurer extends WebSecurityConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.antMatcher("/**").authorizeRequests() .antMatchers("/", "/login").permitAll() .anyRequest().authenticated(); } } @RestController public class Oauth2ClientController { @GetMapping("/") public ModelAndView index() { return new ModelAndView("index"); } @GetMapping("/welcome") public ModelAndView welcome() { return new ModelAndView("welcome"); } }
3.3 用户权限控制(基于角色)
- 授权服务器中,定义各用户拥有的角色: user=USER, admin=ADMIN/USER, root=ROOT/ADMIN/USER
- 业务网站中(client),注解标明哪些角色可
@RestController public class Oauth2ClientController { @GetMapping("/welcome") public ModelAndView welcome() { return new ModelAndView("welcome"); } @GetMapping("/api/user") @PreAuthorize("hasAuthority('USER')") public Map<String, Object> apiUser() { } @GetMapping("/api/admin") @PreAuthorize("hasAuthority('ADMIN')") public Map<String, Object> apiAdmin() { } @GetMapping("/api/root") @PreAuthorize("hasAuthority('ROOT')") public Map<String, Object> apiRoot() { } }
4 综合运用
4.1 权限控制方案
下图是基本的认证/授权控制方案,主要设计了认证授权服务器上相关数据表的基本定义。可对照本文“2.1 生活实例”一节来理解。
4.2 在微服务架构中的应用
与常规服务架构不同,在微服务架构中,Authorization Server/Resource Server 是作为微服务存在的,用户的登录可以通过API网关一次性完成,无需与无法跳转至内网的 Authorization Server 来完成。
