(⼋)springcloudOauth2授权-四种授权类型client_credentials
1、创建应⽤资源
@SpringBootApplication
public class ClientOAuth2Application {
public static void main(String[] args) {
SpringApplication.run(ClientOAuth2Application.class, args);
}
improve是什么意思@RestController
@RequestMapping("/api")
class DemoController {
// 可以匿名访问
@GetMapping("/public/{id}")
public String publicResource(@PathVariable long id) {
return "this is public "+id;
}
// 必须经过认证
@GetMapping("/protect/{id}")
public String protectResource(@PathVariable long id) {
return "this is protect "+id;
}
}
}
2、配置认证服务器
//提供/oauth/authorize,/oauth/token,/oauth/check_token,/oauth/confirm_access,/oauth/error
@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
ateDelegatingPasswordEncoder();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer
.tokenKeyAccess("permitAll()")
//allow check token
.checkTokenAccess("isAuthenticated()")
.allowFormAuthenticationForClients();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("demoApp")
.cret(passwordEncoder().encode("demoAppSecret"))
.
authorizedGrantTypes("client_credentials", "password", "refresh_token")
.scopes("all")
.resourceIds("oauth2-resource")
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(50000);
}
}
3、配置资源访问控制
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
/
**
* 配置资源访问控制
*/
@Override
public void configure(HttpSecurity http) throws Exception {
http
.ssionManagement().ssionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
dressy
.and()
.requestMatchers().anyRequest()
.and()
.anonymous()
.
and()
.authorizeRequests()
.antMatchers("/api/public/**").permitAll()
.antMatchers("/api/protect/**").access("#oauth2.hasScope('all')")
.anyRequest().authenticated();
}
}
4、验证
1、启动应⽤,访问资源:
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/api/public/1
HTTP/1.1 200
makio
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;chart=UTF-8
Content-Length: 16
Date: Sun, 05 May 2019 05:40:52 GMT
this is public 1
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/api/protect/1
HTTP/1.1 401
Set-Cookie: JSESSIONID=3F3B351204A64E7788A2D988F6F9C53D; Path=/; HttpOnly
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Bearer realm="oauth2-resource", error="unauthorized", error_description="Full authentication is required to access this resource" X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Sun, 05 May 2019 05:41:29 GMT
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
2、获取token
zuizuideMacBook-Pro:~ zuizui$ curl -i demoApp:demoAppSecret@localhost:8080/oauth/token -d grant_type=client_credentials
HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Sun, 05 May 2019 05:43:40 GMT
{"access_token":"2c24ea79-5e80-43a8-844f-458193ce3173","token_type":"bearer","expires_in":1199,"scope":"all"}
3、携带token访问资源
zuizuideMacBook-Pro:~ zuizui$ curl -i -H "Authorization:Bearer 2c24ea79-5e80-43a8-844f-458193ce3173" localhost:8080/api/protect/1
HTTP/1.1 200
rating是什么意思Set-Cookie: JSESSIONID=F3208F6C579CF2F0456F52D070C34B59; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;chart=UTF-8
Content-Length: 17沪江小词典
Date: Sun, 05 May 2019 05:45:32 GMT
this is protect 1
resource owner password credentials
密码模式需要配置UrDetailsService和AuthenticationManager
最新韩国男士发型<dependency>
<groupId>org.springframework.curity.oauth</groupId>
<artifactId>spring-curity-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-curity</artifactId>
</dependency>
1、准备资源
@SpringBootApplication
public class OAuth2PasswordCredentialsApplication {
public static void main(String[] args) {
SpringApplication.run(OAuth2PasswordCredentialsApplication.class, args);
}
@RestController
@RequestMapping("/api")
class DemoController {
@GetMapping("/public/{id}")
public String publicResource(@PathVariable long id) {
return "this is public "+id;
}
@GetMapping("/protect/{id}")
public String protectResource(@PathVariable long id) {
return "this is protect "+id;
}
}
}
2、认证服务器配置
@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()")
.allowFormAuthenticationForClients();
}
/**
* 注⼊authenticationManager
* 来⽀持 password grant type
*/
@Resource
新概念英语视频private AuthenticationManager authenticationManager;
@Resource
private PasswordEncoder passwordEncoder;
@Bean
public InMemoryTokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore());
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.
withClient("demoApp")
.de("demoAppSecret"))
.authorizedGrantTypes("client_credentials", "password", "refresh_token")
.scopes("all")
.resourceIds("oauth2-resource")
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(50000);
}
}
3、资源服务器配置
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
/**
* 要正常运⾏,需要反注释掉这段,具体原因见下⾯分析
* 这⾥设置需要token验证的url
* 这些需要在WebSecurityConfigurerAdapter中排查掉
* 否则优先进⼊WebSecurityConfigurerAdapter,进⾏的是basic auth或表单认证,⽽不是token认证 */
@Override
英语自我介绍(带翻译)
public void configure(HttpSecurity http) throws Exception {
.and()
.
authorizeRequests()
.antMatchers("/api/**").authenticated();
}
public static void main(String[] args) {
String encode = Encoder().encodeToString("demoApp:demoAppSecret".getBytes()); System.out.println(encode);
}
}
4、WebSecurity配置
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
.and()
.authorizeRequests()
.antMatchers("/oauth/**").authenticated();
}
//配置内存模式的⽤户
@Bean
@Override
protected UrDetailsService urDetailsService() {
InMemoryUrDetailsManager manager = new InMemoryUrDetailsManager();
.encode("123456")).authorities("USER").build());
.encode("123456")).authorities("USER").build());
return manager;
}
/**
* ⼀定要将 urDetailsService 设置到 AuthenticationManagerBuilder 中
* 不然后⾯校验ClientDetailsService时会找不到UrnamePasswordToken的Provider
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.urDetailsService(urDetailsService());
}
/**
* 需要配置这个⽀持password模式
* support password grant type
*/
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
ateDelegatingPasswordEncoder();
}韦伯词典
}
校验资源
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/api/public/1
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;chart=UTF-8
Content-Length: 16
Date: Sun, 05 May 2019 06:15:16 GMT
this is public 1
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/api/protect/1
HTTP/1.1 401
Set-Cookie: JSESSIONID=EB613FD5D191BAE6AAF2F20FCC1358B6; Path=/; HttpOnly
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Bearer realm="oauth2-resource", error="unauthorized", error_description="Full authentication is required to access this resource"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Sun, 05 May 2019 06:15:53 GMT
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
获取token
zuizuideMacBook-Pro:~ zuizui$ curl -H "Authorization:Basic ZGVtb0FwcDpkZW1vQXBwU2VjcmV0" -i -d "grant_type=password&scope=all&urname=demoUr1&password=123456" localhost:8080/oauth/token
HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Mon, 06 May 2019 01:35:06 GMT
{"access_token":"db51190d-eaa1-44f8-b61f-dbd97b5f401d","token_type":"bearer","refresh_token":"aef12b97-a2d6-48cd-afba-d88c5e0ad51f","expires_in":1088,"scope":"all"}
通过token访问资源
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/api/protect/111 -H "Authorization: Bearer db51190d-eaa1-44f8-b61f-dbd97b5f401d"
HTTP/1.1 200
Set-Cookie: JSESSIONID=B793E39D6562AD2DDA09E04CF849E1DA; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;chart=UTF-8
Content-Length: 19
Date: Mon, 06 May 2019 01:36:08 GMT
this is protect 111
刷新token
zuizuideMacBook-Pro:~ zuizui$ curl -i localhost:8080/oauth/token -d "grant_type=refresh_token&refresh_token=ebf6584f-45d7-4e14-b224-9bdb3a30d684&client_id=demoApp&client_cret=demoAppSecret"
HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Mon, 06 May 2019 02:04:45 GMT
{"access_token":"a13eb573-1946-4bf5-a885-f05039aaf981","token_type":"bearer","refresh_token":"49bb3cd9-6cd2-4d49-91d0-da76de72c36a","expires_in":1199,"scope":"all"}
WebSecurityConfigurerAdapter和ResourceServerConfigurerAdapter
WebSecurityConfigurerAdapter⽤于保护oauth相关的endpoints,同时主要作⽤于⽤户的登录(form login,Basic auth)
ResourceServerConfigurerAdapter⽤于保护oauth要开放的资源,同时主要作⽤于client端以及token的认证(Bearer auth)
因此⼆者是分⼯协作的
在WebSecurityConfigurerAdapter不拦截oauth要开放的资源
在ResourceServerConfigurerAdapter配置需要token验证的资源
authorization_code
在之前的基础上增加授权类型的配置
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("demoApp")
.de("demoAppSecret"))
.authorizedGrantTypes("client_credentials", "password", "refresh_token", "authorization_code")
.scopes("all")
.resourceIds("oauth2-resource")
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(50000);
}
1、请求授权码
GET localhost:8080/oauth/authorize?respon_type=code&client_id=demoApp&redirect_uri=
2、在页⾯进⾏授权,跳转到redirect_uri,并带上了授权码。
3、通过授权码获取token
zuizuideMacBook-Pro:~ zuizui$ curl -i -d "grant_type=authorization_code&code=Fxa2B9&client_id=demoApp&client_cret=demoAppSecret&redirect_uri=&scope=all" -X POST localhost:8080/oauth/token HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: application/json;chart=UTF-8
Transfer-Encoding: chunked
Date: Mon, 06 May 2019 08:44:52 GMT
{"access_token":"af929ab8-333c-4e5d-845a-2fe6a347c3ff","token_type":"bearer","refresh_token":"f186692e-8b39-444a-9554-54777bbf74fa","expires_in":1120,"scope":"all"} 4、使⽤token访问资源
zuizuideMacBook-Pro:~ zuizui$ curl -i -H "Authorization: bearer 833a13f0-f665-4528-8536-6d79c06a1f74" localhost:8080/api/protect/11111
HTTP/1.1 200
Set-Cookie: JSESSIONID=AEEBE7A26AB987143CB6E9486B1B31AB; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;chart=UTF-8
Content-Length: 21
Date: Mon, 06 May 2019 09:04:24 GMT
this is protect 11111stuff
