Reference tutorial: https://my.oschina.net/wotrd/blog/3056409
The tutorial gives the general approach, but I still ran into a few pitfalls, so I am writing them down here.
This example implements single sign-on with the minimal configuration, leaving out anything else that would get in the way.
Create the Spring Cloud project (authentication server)
1. Import the key dependency: org.springframework.cloud:spring-cloud-starter-oauth2
For the complete dependency list see: pom.xml
2. Configure the authentication server: create AuthConfig, extending AuthorizationServerConfigurerAdapter.
The redirectUris setting must match the redirect address sent by the external request exactly, otherwise the request fails.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Enable the authorization server
@Configuration
@EnableAuthorizationServer
public class AuthConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Register the single OAuth2 client in memory
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")                          // client_id
            .secret(passwordEncoder().encode("secret"))    // client secret, stored BCrypt-hashed
            .authorizedGrantTypes("authorization_code")    // grant type: authorization code
            .scopes("app")                                 // scope
            .redirectUris("https://www.hao123.com/");      // redirect URI the browser lands on after login
    }

    // Access rules for the /oauth/token_key and /oauth/check_token endpoints
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")
            .checkTokenAccess("permitAll()")       // anyone may introspect tokens; tighten this (e.g. isAuthenticated()) outside a demo
            .allowFormAuthenticationForClients();  // lets clients send client_id/secret as form parameters
    }
}
Create WebSecurityConfig, extending WebSecurityConfigurerAdapter, and define two test accounts.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // The BCryptPasswordEncoder bean declared in AuthConfig
    @Autowired
    BCryptPasswordEncoder passwordEncoder;

    // Two in-memory test accounts; passwords are stored BCrypt-hashed
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password(passwordEncoder.encode("123456")).roles("ADMIN")
            .and()
            .withUser("user").password(passwordEncoder.encode("123456")).roles("USER");
    }
}
3. Project structure
4. Testing
4.1 Login
After starting the project, open the following in the browser:
http://localhost:9000/oauth/authorize?client_id=client&response_type=code
Enter admin / 123456
Choose Approve
4.3 Obtain the authorization code (code)
4.4 Obtain the token: request the token with Postman (the code is valid only once)
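The token exchange that step 4.4 performs in Postman, written out as an added shell example (not code from the original post or the companion repo). It assumes the authentication server above on http://localhost:9000 with client "client" / "secret" and the redirect URI http://localhost:9005/index from section 6; the state parameter and its check are additions the original flow does not include.

```shell
#!/usr/bin/env bash
# Added example. Assumes the authentication server from this post on localhost:9000,
# client_id "client", secret "secret" and the registered redirect URI from section 6.
AUTH_SERVER="${AUTH_SERVER:-http://localhost:9000}"
CLIENT_ID="client"
CLIENT_SECRET="secret"
REDIRECT_URI="http://localhost:9005/index"

# URL to open in the browser (step 4.1), with a state value the client remembers
# so it can reject a redirect it did not initiate.
authorize_url() {
    printf '%s/oauth/authorize?client_id=%s&response_type=code&scope=app&state=%s\n' \
        "$AUTH_SERVER" "$CLIENT_ID" "$1"
}
# Pull the one-time code out of the redirect URL the browser lands on,
# e.g. http://localhost:9005/index?code=AbC123&state=xyz -> AbC123
extract_code() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]code=\([^&]*\).*/\1/p'
}
# True only if the state echoed back in the redirect equals the one we sent.
state_matches() {
    _got=$(printf '%s\n' "$1" | sed -n 's/.*[?&]state=\([^&]*\).*/\1/p')
    [ -n "$_got" ] && [ "$_got" = "$2" ]
}
# Exchange the code for a token (the Postman step). Client credentials go in HTTP
# Basic auth; redirect_uri must be identical to the registered one or the server
# rejects the request, and a code is accepted only once.
exchange_code() {
    curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" \
        -d grant_type=authorization_code \
        --data-urlencode "code=$1" \
        --data-urlencode "redirect_uri=$REDIRECT_URI" \
        "$AUTH_SERVER/oauth/token"
}
# Introspect a token at /oauth/check_token, the client's token-info-uri.
check_token() {
    curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" --data-urlencode "token=$1" "$AUTH_SERVER/oauth/check_token"
}

# Usage: SSO_STATE=xyz SSO_REDIRECT='http://localhost:9005/index?code=...&state=xyz' ./sso-flow.sh
if [ -n "${SSO_REDIRECT:-}" ]; then
    state_matches "$SSO_REDIRECT" "${SSO_STATE:-}" || { echo "state mismatch, aborting" >&2; exit 1; }
    RESPONSE=$(exchange_code "$(extract_code "$SSO_REDIRECT")")
    echo "$RESPONSE"
    TOKEN=$(printf '%s' "$RESPONSE" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p')
    [ -n "$TOKEN" ] && check_token "$TOKEN"
fi
```

Run `authorize_url` to get the link to open, log in as admin, then pass the URL the browser was redirected to in SSO_REDIRECT together with the state you sent.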
Create the Spring Cloud project (client)
1. Import the key dependencies: org.springframework.boot:spring-boot-starter-thymeleaf and org.springframework.cloud:spring-cloud-starter-oauth2
For the complete dependency list see: pom.xml
2. Adjust the startup class: add the @EnableOAuth2Sso annotation to the startup class to mark this project as the client.
3. Configure properties: add the following to application.properties

    # Application name
    spring.application.name=sso-client-1
    # Web port of the application
    server.port=9005
    # Login path
    security.oauth2.sso.login-path=/index
    # Resource client configuration
    security.oauth2.client.client-id=client
    security.oauth2.client.client-secret=secret
    security.oauth2.resource.id=resource
    # Token check endpoint on the authentication server
    security.oauth2.resource.token-info-uri=http://localhost:9000/oauth/check_token
    # Authorization request endpoint
    security.oauth2.client.user-authorization-uri=http://localhost:9000/oauth/authorize
    # Token endpoint
    security.oauth2.client.access-token-uri=http://localhost:9000/oauth/token
    # refresh_token validity period
    security.oauth2.client.refresh-token-validity-seconds=10
    # Give the client a session cookie name distinct from the authentication server's (both run on localhost); this is a pitfall, without it you get an error
    server.servlet.session.cookie.name=OAUTH2_SESSION

4. Configure ResourceServerConfig
ResourceServerConfig extends ResourceServerConfigurerAdapter and exempts some paths from authentication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Paths served without authentication: actuator, favicon, the login path /index
    // and static assets. Ant patterns must start with "/" to match a request path.
    private static final String[] EXCLUDED_AUTH_PAGES = {
        "/actuator", "/favicon.ico", "/index", "/**/*.html", "/**/*.css", "/**/*.js"
    };

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(EXCLUDED_AUTH_PAGES)
            .permitAll()          // the paths above are open to everyone
            .anyRequest()
            .authenticated();     // everything else requires a logged-in user
    }
}
5. Create the welcome page
Create index.html under templates:

    <!DOCTYPE html>
    <html>
    <head>
        <title>Title</title>
    </head>
    <body>
    welcome to sso client!
    </body>
    </html>
6. Adjust the authentication server
- Change the redirectUris in AuthConfig to "http://localhost:9005/index"
1. Visit the client: http://localhost:9005
You can see that it redirects to the server's login page.
Enter admin / 123456; after login you are redirected to the client's welcome page at http://localhost:9005/index.
Other test endpoints are now accessible without being intercepted either.
Companion project source code: https://gitee.com/varz/sso-parent/tree/f_01_basics
END