蚂蚁课堂 (Mayikt Classroom)
1. How to make sure API interfaces are called in a controlled and secure way
2. Designing an OAuth2.0 authorization and authentication platform
3. The four grant modes of the OAuth2.0 protocol
4. Calling interfaces with OAuth2.0:
OAuth2.0 grant modes
1. Authorization code mode
2. Implicit (simplified) mode
3. Password mode
4. Client credentials mode

Authorization code mode
Maven dependencies
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.1.RELEASE</version>
    </parent>
    <dependencies>
        <!-- Spring Boot web components -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <!-- Spring Boot with FreeMarker -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-freemarker</artifactId>
        </dependency>
        <!-- Spring Boot with Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- Spring Security OAuth2 -->
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.2.1.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.6.0</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.62</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
        </dependency>
    </dependencies>
Related configuration classes (authorization server)
// SecurityConfig.java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // demo resource owner kept in memory; the password is stored as a BCrypt hash
        auth.inMemoryAuthentication()
            .withUser("mayikt")
            .password(passwordEncoder().encode("123456"))
            .authorities("/*");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest().authenticated() // every request must be authenticated
            .and()
            .httpBasic()                  // HTTP Basic login
            .and()
            .csrf().disable();            // CSRF protection switched off for this demo
    }
}
// AuthorizationConfig.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // allow client credentials to be submitted as form parameters (not only via HTTP Basic)
        security.allowFormAuthenticationForClients()
            // open /oauth/check_token; the default is denyAll(), which would block
            // the resource server's token introspection calls
            .checkTokenAccess("permitAll()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // appid (client_id)
            .withClient("mayikt")
            // appsecret (client_secret), stored as a hash
            .secret(passwordEncoder.encode("mayikt_secret"))
            // grant type: authorization code
            .authorizedGrantTypes("authorization_code")
            // scope
            .scopes("all")
            // resource id; must match resourceId() configured on the resource server
            .resourceIds("mayikt_resource")
            // registered callback address; redirect_uri in requests must match it
            .redirectUris("http://www.mayikt.com/callback");
    }
}
Visit the authorization endpoint to obtain an authorization code
http://localhost:8080/oauth/authorize?client_id=mayikt&response_type=code
Exchange the authorization code for an access_token
Endpoint: http://localhost:8080/oauth/token
code: the authorization code
grant_type: authorization_code
redirect_uri: the callback address
scope: the scope
http://localhost:8080/oauth/token?code=IDXeHy&grant_type=authorization_code&redirect_uri=http://www.mayikt.com/callback&scope=all
Calling /oauth/token returns 401 (not authenticated)
Solution:
The token endpoint requires HTTP Basic authentication: pass client_id and client_secret as the Basic credentials.
access_token=dc9bce8a-7657-44bb-b6b6-1e4baecdfd7b
Resource server side
Related configuration classes (resource server)
// ResourceConfig.java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/**
 * Resource server configuration
 */
@Configuration
@EnableResourceServer
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    // client id and secret registered on the authorization server (mayikt / mayikt_secret),
    // read from the application configuration
    @Value("${mayikt.appid}")
    private String mayiktAppId;
    @Value("${mayikt.appsecret}")
    private String mayiktAppSecret;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Primary
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        final RemoteTokenServices tokenServices = new RemoteTokenServices();
        // full URL of the authorization server's check_token endpoint
        tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        // client id and secret; note: the client_secret must be the raw value, NOT passwordEncoder-encoded!
        tokenServices.setClientId(mayiktAppId);
        tokenServices.setClientSecret(mayiktAppSecret);
        return tokenServices;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // session creation policy
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
        // every request must be authorized
        http.authorizeRequests()
            .anyRequest().authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // only tokens issued for this resource id are accepted; no session state is kept
        resources.resourceId("mayikt_resource").stateless(true);
    }
}
// MemberService.java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MemberService {

    // protected resource; reachable only with a valid access token
    @GetMapping("/getMember")
    public String getMember() {
        return "我是会员服务接口";
    }
}
Accessing the interface with the token
Call 127.0.0.1:8081/getMember with the access token,
or pass it directly in the request header:
Authorization: Bearer a9011867-236b-4751-a508-48ceed63bffc
Designing the combined OAuth API endpoints
1. Obtain an access_token (/oauth/token)
2. Check whether a token is valid (/oauth/check_token)
http://localhost:8080/oauth/check_token?token=ea2c1b1e-5541-4018-8728-07f1ac87e9e8
3. Refresh the token
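The checks below, as an added example that is not part of the original course material, show what the resource server's side of the flow amounts to: taking the bearer token out of the request, building the HTTP Basic credentials that /oauth/token and /oauth/check_token require, and rejecting a token whose introspection result is inactive, expired, issued for a different resource id, or missing the scope. The sample check_token response is constructed; its field layout (active, exp, scope, aud, client_id) is assumed to match what Spring Security OAuth2's check_token endpoint returns.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed sample /oauth/check_token response for a token issued to client
# "mayikt" with scope "all" and resource id "mayikt_resource". The field layout
# is assumed to follow Spring Security OAuth2's check_token endpoint.
SAMPLE_CHECK_TOKEN_RESPONSE = json.dumps({
    "active": True,
    "exp": 1700000000,
    "user_name": "mayikt",
    "authorities": ["/*"],
    "client_id": "mayikt",
    "scope": ["all"],
    "aud": ["mayikt_resource"],
})

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for /oauth/token and /oauth/check_token.
    The raw client_secret goes here, never its BCrypt hash: the authorization
    server hashes the presented secret and compares it with the stored hash."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def extract_bearer_token(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Take the access token from 'Authorization: Bearer <token>' or, as the
    page also allows, from the access_token request parameter. Header wins."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return query.get("access_token") or None

def validate_check_token_response(body: str, resource_id: str, required_scope: str,
                                  now: Optional[int] = None) -> List[str]:
    """Return the reasons the resource server must reject the token; an empty
    list means the request may proceed (mirrors the resourceId() and scope checks)."""
    now = int(time.time()) if now is None else now
    data = json.loads(body)
    problems = []
    if data.get("active") is not True:
        problems.append("token not active")
    if int(data.get("exp", 0)) <= now:
        problems.append("token expired")
    if resource_id not in data.get("aud", []):
        problems.append(f"token not issued for resource {resource_id}")
    if required_scope not in data.get("scope", []):
        problems.append(f"missing scope {required_scope}")
    return problems
```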