这篇文章主要介绍了spring Security如何实现分布式系统授权,具有一定借鉴价值,感兴趣的朋友可以参考下,希望大家阅读完这篇文章之后大有收获,下面让小编带着大家一起了解一下。1 需求分析回顾技术方案如下:UAA认证服务负责
这篇文章主要介绍了spring Security如何实现分布式系统授权,具有一定借鉴价值,感兴趣的朋友可以参考下,希望大家阅读完这篇文章之后大有收获,下面让小编带着大家一起了解一下。
回顾技术方案如下:
UAA认证服务负责认证授权。
所有请求经过 网关到达微服务
网关负责鉴权客户端以及请求转发
网关将token解析后传给微服务,微服务进行授权。
所有微服务的请求都经过网关,网关从注册中心读取微服务的地址,将请求转发至微服务。
本节完成注册中心的搭建,注册中心采用Eureka。
创建Maven工程
pom.xml依赖如下
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="Http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>distributed-security</artifactId> <groupId>com.lw.security</groupId> <version>1.0-SNAPSHOT</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>distributed-security-discovery</artifactId> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> </dependencies></project>配置文件
在resources中配置application.yml
spring: application: name: distributed-discoveryserver: port: 53000 #启动端口eureka: server: enable-self-preservation: false #关闭服务器自我保护,客户端心跳检测15分钟内错误达到80%服务会保护,导致别人还认为是好用的服务 eviction-interval-timer-in-ms: 10000 #清理间隔(单位毫秒,默认是60*1000)5秒将客户端剔除的服务在服务注册列表中剔除# shouldUseReadOnlyResponseCache: true #eureka是CAP理论种基于AP策略,为了保证强一致性关闭此切换CP默认不关闭 false关闭 client: reGISter-with-eureka: false #false:不作为一个客户端注册到注册中心 fetch-registry: false #为true时,可以启动,但报异常:Cannot execute request on any known server instance-info-replication-interval-seconds: 10 serviceUrl: defaultZone: http://localhost:${server.port}/eureka/ instance: hostname: ${spring.cloud.client.ip-address} prefer-ip-address: true instance-id: ${spring.application.name}:${spring.cloud.client.ip-address}:${spring.application.instance_id:${server.port}}启动类:
@SpringBootApplication@EnableEurekaServerpublic class DiscoveryServer { public static void main(String[] args) { SpringApplication.run(DiscoveryServer.class, args); }}网关整合 OAuth3.0 有两种思路,一种是认证服务器生成Jwt令牌, 所有请求统一在网关层验证,判断权限等操作;另一种是由各资源服务处理,网关只做请求转发。
我们选用第一种。我们把api网关作为OAuth3.0的资源服务器角色,实现接入客户端权限拦截、令牌解析并转发当前登录用户信息(JSONToken)给微服务,这样下游微服务就不需要关心令牌格式解析以及OAuth3.0相关机制了。
API网关在认证授权体系里主要负责两件事:
(1)作为OAuth3.0的资源服务器角色,实现接入方权限拦截。
(2)令牌解析并转发当前登录用户信息(明文token)给微服务
微服务拿到明文token(明文token中包含登录用户的身份和权限信息)后也需要做两件事:
(1)用户授权拦截(看当前用户是否有权访问该资源)
(2)将用户信息存储进当前线程上下文(有利于后续业务逻辑随时获取当前用户信息)
pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <parent> <artifactId>distributed-security</artifactId> <groupId>com.lw.security</groupId> <version>1.0-SNAPSHOT</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>distributed-security-gateway</artifactId> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-hystrix</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-ribbon</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-openfeign</artifactId> </dependency> <dependency> <groupId>com.netflix.hystrix</groupId> <artifactId>hystrix-javanica</artifactId> </dependency> <dependency> <groupId>org.springframework.retry</groupId> <artifactId>spring-retry</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-WEB</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-zuul</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth3</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-jwt</artifactId> </dependency> <dependency> <groupId>javax.interceptor</groupId> <artifactId>javax.interceptor-api</artifactId> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> </dependency> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> </dependency> </dependencies></project>配置文件
配置application.properties
spring.application.name=gateway-serverserver.port=53010spring.main.allow-bean-definition-overriding = truelogging.level.root = infologging.level.org.springframework = infozuul.retryable = truezuul.ignoredServices = *zuul.add-host-header = truezuul.sensitiveHeaders = *zuul.routes.uaa-service.stripPrefix = falsezuul.routes.uaa-service.path = /uaa @Configuration @EnableResourceServer public class UAAServerConfig extends ResourceServerConfigurerAdapter { @Autowired private TokenStore tokenStore; @Override public void configure(ResourceServerSecurityConfigurer resources){ resources.tokenStore(tokenStore).resourceId(RESOURCE_ID) .stateless(true); } @Override public void configure(httpsecurity http) throws Exception { http.authorizeRequests() .antMatchers("/uaa@Configuration @EnableResourceServer public class OrderServerConfig extends ResourceServerConfigurerAdapter { @Autowired private TokenStore tokenStore; @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.tokenStore(tokenStore).resourceId(RESOURCE_ID) .stateless(true); } @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/orderpublic class AuthFilter extends ZuulFilter { @Override public boolean shouldFilter() { return true; } @Override public String filterType() { return "pre"; } @Override public int filterOrder() { return 0; } @Override public Object run() { RequestContext ctx = RequestContext.getCurrentContext(); Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if(!(authentication instanceof OAuth3Authentication)){ // 无token访问网关内资源的情况,目前仅有uua服务直接暴露 return null; } OAuth3Authentication oauth3Authentication = (OAuth3Authentication)authentication; Authentication userAuthentication = oauth3Authentication.getUserAuthentication(); Object principal = userAuthentication.getPrincipal(); List<String> authorities = new ArrayList(); userAuthentication.getAuthorities().stream().forEach(s ->authorities.add(((GrantedAuthority) s).getAuthority())); OAuth3Request oAuth3Request = oauth3Authentication.getOAuth3Request(); Map<String, String> requestParameters = oAuth3Request.getRequestParameters(); Map<String,Object> jsonToken = new HashMap<>(requestParameters); if(userAuthentication != null){ jsonToken.put("principal",userAuthentication.getName()); jsonToken.put("authorities",authorities); } ctx.addZuulRequestHeader("json-token", EncryptUtil.encodeUTF8StringBase64(JSON.toJSONString(jsonToken))); return null; }}common包下建EncryptUtil类 UTF8互转Base64
public class EncryptUtil { private static final Logger logger = LoggerFactory.getLogger(EncryptUtil.class); public static String encodeBase64(byte[] bytes){ String encoded = Base64.getEncoder().encodeToString(bytes); return encoded; } public static byte[] decodeBase64(String str){ byte[] bytes = null; bytes = Base64.getDecoder().decode(str); return bytes; public static String encodeUTF8StringBase64(String str){ String encoded = null; try { encoded = Base64.getEncoder().encodeToString(str.getBytes("utf-8")); } catch (UnsupportedEncodingException e) { logger.warn("不支持的编码格式",e); } public static String decodeUTF8StringBase64(String str){ String decoded = null; byte[] bytes = Base64.getDecoder().decode(str); decoded = new String(bytes,"utf-8"); }catch(UnsupportedEncodingException e){ return decoded; public static String encodeURL(String url) { String encoded = null;try {encoded = URLEncoder.encode(url, "utf-8");} catch (UnsupportedEncodingException e) {logger.warn("URLEncode失败", e);}return encoded;}public static String decodeURL(String url) { String decoded = null;decoded = URLDecoder.decode(url, "utf-8");logger.warn("URLDecode失败", e);return decoded; public static void main(String [] args){ String str = "abcd{'a':'b'}"; String encoded = EncryptUtil.encodeUTF8StringBase64(str); String decoded = EncryptUtil.decodeUTF8StringBase64(encoded); System.out.println(str); System.out.println(encoded); System.out.println(decoded); String url = "== wo"; String urlEncoded = EncryptUtil.encodeURL(url); String urlDecoded = EncryptUtil.decodeURL(urlEncoded); System.out.println(url); System.out.println(urlEncoded); System.out.println(urlDecoded);}( 2)将filter纳入spring 容器:
配置AuthFilter
@Configurationpublic class ZuulConfig { @Bean public AuthFilter preFileter() { return new AuthFilter(); } @Bean public FilterRegistrationBean corsFilter() { final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); final CorsConfiguration config = new CorsConfiguration(); config.setAllowCredentials(true); config.addAllowedOrigin("*"); config.addAllowedHeader("*"); config.addAllowedMethod("*"); config.setMaxAge(18000L); source.registerCorsConfiguration("/**", config); CorsFilter corsFilter = new CorsFilter(source); FilterRegistrationBean bean = new FilterRegistrationBean(corsFilter); bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; }}当微服务收到明文token时,应该怎么鉴权拦截呢?自己实现一个filter?自己解析明文token,自己定义一套资源访问策略?能不能适配Spring Security呢,是不是突然想起了前面我们实现的Spring Security基于token认证例子。咱们还拿统一用户服务作为网关下游微服务,对它进行改造,增加微服务用户鉴权拦截功能。
(1)增加测试资源
OrderController增加以下endpoint
@PreAuthorize("hasAuthority('p1')") @GetMapping(value = "/r1") public String r1(){ UserDTO user = (UserDTO)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); return user.getUsername() + "访问资源1"; } @PreAuthorize("hasAuthority('p2')") @GetMapping(value = "/r2") public String r2(){//通过Spring Security API获取当前登录用户 UserDTO user =(UserDTO)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); return user.getUsername() + "访问资源2"; }model包下加实体类UserDto
@Datapublic class UserDTO { private String id; private String username; private String mobile; private String fullname;}(2)Spring Security配置
开启方法保护,并增加Spring配置策略,除了/login方法不受保护(统一认证要调用),其他资源全部需要认证才能访问。
@Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/**").access("#oauth3.hasScope('ROLE_ADMIN')") .and().csrf().disable() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); }综合上面的配置,咱们共定义了三个资源了,拥有p1权限可以访问r1资源,拥有p2权限可以访问r2资源,只要认证通过就能访问r3资源。
(3)定义filter拦截token,并形成Spring Security的Authentication对象
@Componentpublic class TokenAuthenticationFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponsehttpServletResponse, FilterChain filterChain) throws ServletException, IOException { String token = httpServletRequest.getHeader("json-token"); if (token != null){ //1.解析token String json = EncryptUtil.decodeUTF8StringBase64(token); JSONObject userJson = JSON.parseObject(json); UserDTO user = new UserDTO(); user.setUsername(userJson.getString("principal")); JSONArray authoritiesArray = userJson.getJSONArray("authorities"); String [] authorities = authoritiesArray.toArray( newString[authoritiesArray.size()]); //2.新建并填充authentication UsernamePassWordAuthenticationToken authentication = newUsernamePasswordAuthenticationToken( user, null, AuthorityUtils.createAuthorityList(authorities)); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails( httpServletRequest)); //3.将authentication保存进安全上下文 SecurityContextHolder.getContext().setAuthentication(authentication); } filterChain.doFilter(httpServletRequest, httpServletResponse); }}经过上边的过虑 器,资源 服务中就可以方便到的获取用户的身份信息:
UserDTO user = (UserDTO) SecurityContextHolder.getContext().getAuthentication().getPrincipal();还是三个步骤:
解析token
新建并填充authentication
将authentication保存进安全上下文
剩下的事儿就交给Spring Security好了。
注意:记得uaa跟order的pom导入eurika坐标,以及application.properties配置eurika
本案例测试过程描述:
采用OAuth3.0的密码模式从UAA获取token
使用该token通过网关访问订单服务的测试资源
(1)过网关访问uaa的授权及获取令牌,获取token。注意端口是53010,网关的端口。
如授权 endpoint:
http://localhost:53010/uaa/oauth/authorize?response_type=code&client_id=c1
令牌endpoint
http://localhost:53010/uaa/oauth/token
(2)使用Token过网关访问订单服务中的r1-r2测试资源进行测试。
结果:
使用张三token访问p1,访问成功
使用张三token访问p2,访问失败
使用李四token访问p1,访问失败
使用李四token访问p2,访问成功
符合预期结果。
(3)破坏token测试
无token测试返回内容:
{ "error": "unauthorized", "error_description": "Full authentication is required to access this resource"}破坏token测试返回内容:
{ "error": "invalid_token", "error_description": "Cannot convert access token to JSON"}目前jwt令牌存储了用户的身份信息、权限信息,网关将token明文化转发给微服务使用,目前用户身份信息仅包括了用户的账号,微服务还需要用户的ID、手机号等重要信息。
所以,本案例将提供扩展用户信息的思路和方法,满足微服务使用用户信息的需求。
下边分析JWT令牌中扩展用户信息的方案:
在认证阶段DaoAuthenticationProvider会调用UserDetailService查询用户的信息,这里是可以获取到齐全的用户信息的。由于JWT令牌中用户身份信息来源于UserDetails,UserDetails中仅定义了username为用户的身份信息,这里有两个思路:第一是可以扩展UserDetails,使之包括更多的自定义属性,第二也可以扩展username的内容,比如存入json数据内容作为username的内容。相比较而言,方案二比较简单还不用破坏UserDetails的结构,我们采用方案二。
从数据库查询到user,将整体user转成json存入userDetails对象。
@Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { //登录账号 System.out.println("username="+username); //根据账号去数据库查询... UserDto user = userDao.getUserByUsername(username); if(user == null){ return null; } //查询用户权限 List<String> permissions = userDao.findPermissionsByUserId(user.getId()); String[] perarray = new String[permissions.size()]; permissions.toArray(perarray); //创建userDetails //这里将user转为json,将整体user存入userDetails String principal = JSON.toJSONString(user); UserDetails userDetails =User.withUsername(principal).password(user.getPassword()).authorities(perarray).build(); return userDetails;}资源服务中的过虑 器负责 从header中解析json-token,从中即可拿网关放入的用户身份信息,部分关键代码如下:
... if (token != null){ //1.解析token String json = EncryptUtil.decodeUTF8StringBase64(token); JSONObject userJson = JSON.parseObject(json); //取出用户身份信息 String principal = userJson.getString("principal"); //将json转成对象 UserDTO userDTO = JSON.parseObject(principal, UserDTO.class); JSONArray authoritiesArray = userJson.getJSONArray("authorities"); ...感谢你能够认真阅读完这篇文章,希望小编分享的“Spring Security如何实现分布式系统授权”这篇文章对大家有帮助,同时也希望大家多多支持编程网,关注编程网精选频道,更多相关知识等着你来学习!
--结束END--
本文标题: Spring Security如何实现分布式系统授权
本文链接: https://www.lsjlt.com/news/322128.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
下载Word文档到电脑,方便收藏和打印~
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
2024-04-28
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
官方手机版
微信公众号
商务合作
0