官网
https://docs.spring.io/spring-authorization-server
1.概念理解
https://zhuanlan.zhihu.com/p/496695229?utm_id=0
2.最新实用
https://mp.weixin.qq.com/s?__biz=Mzg3Njc1NjAxMw==&mid=2247484868&idx=1&sn=6ea61f66cf57badc4b2434dfa84aa745&chksm=cf2c2886f85ba190808469a0c7f2b526808553c917922ca680a0f0bcf9ed2787893b18124c20&cur_album_id=2823815577264685059&scene=189#wechat_redirect
在Spring Security OAuth2中, 获取token的整个流程为 tokenEndpoint --> tokenGranter --> AuthenticationManager --> ProviderManager --> TokenService --> AccessTokenConverter --> token。
1.1 tokenEndpoint对比
token转换器 accessTokenRequestConverter
认证管理器AuthenticationProvider
请求匹配器RequestMatcher
tokenEndpoint
获取token的端点 /oauth2/token
token自省端点 /oauth2/introspect
1.2 tokenEndpoint token端点相关配置

当然,如果你想修改这些端点,只需自定义即可,如改成 /oauth2/token/test
/***
@Bean
public AuthorizationServerSettings authorizationServerSettings() {
    // Only the token endpoint path is overridden (default is /oauth2/token);
    // every other endpoint keeps its default path.
    AuthorizationServerSettings.Builder settings = AuthorizationServerSettings.builder();
    settings.tokenEndpoint("/oauth2/token/test");
    return settings.build();
}
*/
1.3.1 资源服务器配置
只需配置过滤器链SecurityFilterChain
/***
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    // Anonymous access is limited to the custom login endpoints under /token/*
    // (a single "*" matches one path segment only); everything else needs an authenticated session.
    http.authorizeRequests(registry -> registry
            .antMatchers("/token/*").permitAll()
            .anyRequest().authenticated());
    // X-Frame-Options: SAMEORIGIN — pages may be framed by the same origin only, which keeps
    // cross-origin clickjacking protection while letting the in-app iframe login work.
    http.headers().frameOptions().sameOrigin();
    // Form-login customisation (login page, processing URL, failure/logout handlers)
    http.apply(new FormIdentityLoginConfigurer());
    // Handles UsernamePasswordAuthenticationToken
    http.authenticationProvider(new PigDaoAuthenticationProvider());
    return http.build();
}
public final class FormIdentityLoginConfigurer
        extends AbstractHttpConfigurer<FormIdentityLoginConfigurer, HttpSecurity> {

    /**
     * Registers the project's form login and SSO logout handling on the chain this
     * configurer is applied to, and switches CSRF protection off for that chain.
     *
     * @param http the builder this configurer was applied to
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    public void init(HttpSecurity http) throws Exception {
        // Custom login page, form-submission URL and failure handler
        http.formLogin(form -> form
                .loginPage("/token/login")
                .loginProcessingUrl("/token/form")
                .failureHandler(new FormAuthenticationFailureHandler()));
        // SSO logout: project success handler, drop the session cookie, invalidate the session
        http.logout()
                .logoutSuccessHandler(new SsoLogoutSuccessHandler())
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true);
        // NOTE(review): this disables CSRF for the whole chain, not only the form endpoints,
        // so /token/form and the logout URL accept POSTs without a CSRF token (login/logout CSRF).
        // If only these endpoints need the exemption, scope it with
        // csrf().ignoringRequestMatchers(...) instead of disabling it globally.
        http.csrf().disable();
    }
}
*/
1.3.2 认证服务器配置
只需配置过滤器链SecurityFilterChain
/**
/**
 * Security filter chain for the Spring Authorization Server endpoints only.
 * The chain is scoped by the configurer's endpoints matcher, so other requests fall
 * through to the default chain; HIGHEST_PRECEDENCE makes it the first chain consulted.
 * Reads {@code authorizationService} from the enclosing class and calls the sibling
 * helpers {@code accessTokenRequestConverter()} and
 * {@code addCustomOAuth2GrantAuthenticationProvider(HttpSecurity)}.
 *
 * @param http the shared HttpSecurity builder
 * @return the built chain for the authorization server endpoints
 * @throws Exception propagated from the HttpSecurity DSL and build()
 */
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();
// Customise the token endpoint. NOTE(review): the same configurer instance is applied again
// below via .apply(...); presumably the second call only re-registers it — confirm it is intended.
http.apply(authorizationServerConfigurer.tokenEndpoint((tokenEndpoint) -> {
// Project-specific converter that turns the token request into an authentication object
tokenEndpoint.accessTokenRequestConverter(accessTokenRequestConverter())
// Token-response (success) handler
.accessTokenResponseHandler(new PigAuthenticationSuccessEventHandler())
// Error-response (failure) handler
.errorResponseHandler(new PigAuthenticationFailureEventHandler());
// Client authentication customisation
}).clientAuthentication(oAuth2ClientAuthenticationConfigurer ->
// Same failure handler for client-authentication errors
oAuth2ClientAuthenticationConfigurer.errorResponseHandler(new PigAuthenticationFailureEventHandler()))
// Custom consent page for the authorization-code flow
.authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint
.consentPage(SecurityConstants.CUSTOM_CONSENT_PAGE_URI)));
// Matches only the authorization server endpoints; restricts this chain to them
RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();
DefaultSecurityFilterChain securityFilterChain = http.requestMatcher(endpointsMatcher)
// Every matched endpoint requires an authenticated principal
.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
// Authorization service from the enclosing class (the original note says it is a Redis-backed token store)
.apply(authorizationServerConfigurer.authorizationService(authorizationService)
// Endpoint settings. NOTE(review): the issuer identifier comes from SecurityConstants.PROJECT_LICENSE;
// confirm it is a stable URL, since clients and resource servers validate tokens against it.
.authorizationServerSettings(AuthorizationServerSettings.builder()
.issuer(SecurityConstants.PROJECT_LICENSE).build()))
// Custom login page for the authorization-code flow (form login configurer)
.and().apply(new FormIdentityLoginConfigurer()).and().build();
// Register the project's custom grant-type authentication providers
addCustomOAuth2GrantAuthenticationProvider(http);
return securityFilterChain;
}
*/
1.4.许可类型对比
1.4.1 密码模式默认不支持
https://docs.spring.io/spring-authorization-server/docs/current/reference/html/overview.html