From fc42c73f5561f8a97cba644973d4632feeafdcf8 Mon Sep 17 00:00:00 2001 From: PaulShiyc Date: Sun, 10 Sep 2023 00:36:29 +0800 Subject: [PATCH] =?UTF-8?q?FIX-=E8=A1=A5=E5=85=85=E6=B3=A8=E9=87=8A,?= =?UTF-8?q?=E6=B8=85=E6=A5=9A=E6=97=A0=E6=95=88=E5=BC=95=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/cn/paul/auth/AuthApplication.java | 9 ++++- .../AuthorizationServerConfiguration.java | 39 +++++++++++-------- .../auth/config/WebSecurityConfiguration.java | 29 +++++++++++--- .../java/cn/paul/auth/entity/SysUser.java | 8 ++-- .../cn/paul/auth/service/UserService.java | 20 ++++++++-- .../java/cn/paul/order/OrderApplication.java | 10 ++++- .../order/config/ResourceServerConfig.java | 31 ++++++++++----- .../config/WebSecurityConfiguration.java | 8 ++-- .../paul/order/controller/TestController.java | 10 +++-- 9 files changed, 114 insertions(+), 50 deletions(-) diff --git a/demo-auth/src/main/java/cn/paul/auth/AuthApplication.java b/demo-auth/src/main/java/cn/paul/auth/AuthApplication.java index 5d2bffe..5ee81f6 100644 --- a/demo-auth/src/main/java/cn/paul/auth/AuthApplication.java +++ b/demo-auth/src/main/java/cn/paul/auth/AuthApplication.java @@ -7,11 +7,18 @@ import org.springframework.boot.autoconfigure.SpringBootApplication; * @author shichaochao * ClassName:AuthApplication.java * date:2023-09-09 18:53 - * Description: + * Description: 启动类 */ @SpringBootApplication public class AuthApplication { + + /** + * 程序主入口 + * + * @param args 启动参数 + */ public static void main(String[] args) { + //应用启动 SpringApplication.run(AuthApplication.class, args); } } diff --git a/demo-auth/src/main/java/cn/paul/auth/config/AuthorizationServerConfiguration.java b/demo-auth/src/main/java/cn/paul/auth/config/AuthorizationServerConfiguration.java index 67d9559..c36f74a 100644 --- a/demo-auth/src/main/java/cn/paul/auth/config/AuthorizationServerConfiguration.java 
+++ b/demo-auth/src/main/java/cn/paul/auth/config/AuthorizationServerConfiguration.java @@ -1,13 +1,11 @@ package cn.paul.auth.config; import cn.paul.auth.service.UserService; -import jdk.internal.org.objectweb.asm.tree.FieldInsnNode; import lombok.RequiredArgsConstructor; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.core.userdetails.User; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; 
@@ -27,17 +25,17 @@ import org.springframework.security.oauth2.provider.token.store.InMemoryTokenSto * ClassName:AuthorizationServerConfiguration.java * date:2023-09-09 18:58 * Description: - * ### 授权码模式 最安全 - * 获取授权码 /oauth/authorize?client_id=app&response_type=code&scope=all&redirect_uri=https://www.baidu.com - * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=authorization_code&scope=all&code=TF2Yv1&redirect_uri=https://www.baidu.com - * ### 简化模式 单页面 相对不安全 - * 授权页 /oauth/authorize?client_id=app&response_type=token&scope=all&redirect_uri=https://www.baidu.com - * 授权后直接跳转重定向页 token将附带在url上 适用于第三方没有服务端只有页面 用于页面接收token - * https://www.baidu.com/#access_token=b62c9b99-bd30-4d44-a0ac-efc522064596&token_type=bearer&expires_in=6617 - * ### 密码模式 相对安全 信任的客户端 - * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=password&scope=all&redirect_uri=https://www.baidu.com&username=admin&password=123 - * ### 客户端 最方便 但不安全 完全信任的客户端 没有刷新token - * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=client_credentials + * ### 授权码模式 最安全 + * 获取授权码 /oauth/authorize?client_id=app&response_type=code&scope=all&redirect_uri=https://www.baidu.com + * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=authorization_code&scope=all&code=TF2Yv1&redirect_uri=https://www.baidu.com + * ### 简化模式 单页面 相对不安全 + * 授权页 /oauth/authorize?client_id=app&response_type=token&scope=all&redirect_uri=https://www.baidu.com + * 授权后直接跳转重定向页 token将附带在url上 适用于第三方没有服务端只有页面 用于页面接收token + * https://www.baidu.com/#access_token=b62c9b99-bd30-4d44-a0ac-efc522064596&token_type=bearer&expires_in=6617 + * ### 密码模式 相对安全 信任的客户端 + * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=password&scope=all&redirect_uri=https://www.baidu.com&username=admin&password=123 + * ### 客户端 最方便 但不安全 完全信任的客户端 没有刷新token + * 获取token /oauth/token?client_id=app&client_secret=app_pwd&grant_type=client_credentials */ @Configuration @RequiredArgsConstructor 
@@ -54,6 +52,9 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu */ private final AuthenticationManager authenticationManager; + /** + * 用户服务 + */ private final UserService userService; /** @@ -73,6 +74,7 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu */ @Bean public AuthorizationServerTokenServices tokenService() { + //默认token服务 DefaultTokenServices tokenServices = new DefaultTokenServices(); //客户端服务 tokenServices.setClientDetailsService(clientDetailsService); @@ -87,9 +89,13 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu return tokenServices; } - + /** + * 注册授权码服务 + * + * @return 授权码服务 + */ @Bean - public AuthorizationCodeServices authorizationCodeServices(){ + public AuthorizationCodeServices authorizationCodeServices() { return new InMemoryAuthorizationCodeServices(); } @@ -101,7 +107,6 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu */ @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { - security //放行公钥端点 .tokenKeyAccess("permitAll()") @@ -119,6 +124,7 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu */ @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { + //基于内存 clients.inMemory() //客户端id .withClient("app") @@ -149,6 +155,7 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu endpoints //密码模式需要配置 认证管理器 .authenticationManager(authenticationManager) + //用户服务 .userDetailsService(userService) //授权码模式需要配置授权码服务 .authorizationCodeServices(authorizationCodeServices()) diff --git a/demo-auth/src/main/java/cn/paul/auth/config/WebSecurityConfiguration.java b/demo-auth/src/main/java/cn/paul/auth/config/WebSecurityConfiguration.java index 4153d63..bec5fca 100644 --- a/demo-auth/src/main/java/cn/paul/auth/config/WebSecurityConfiguration.java 
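Review bot: The in-memory client registered by `.withClient("app")` in this hunk appears to be the same client whose id and secret the order service's RemoteTokenServices uses for check_token introspection, so the user-facing OAuth client and the resource server share one credential and one set of grant types. Consider registering a second client for the resource server, e.g. `.and().withClient("order-resource").secret(new BCryptPasswordEncoder().encode("<from config>")).authorizedGrantTypes("client_credentials")`, so a leak of the browser-side client secret does not also confer the right to introspect everyone's tokens. The `.secret(...)` line of the app client is outside the hunk; if the secret is stored there as plaintext, it should go through the BCryptPasswordEncoder this file already imports. The method continues outside the hunk.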
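Review bot: `.authenticationManager(authenticationManager)` in this hunk keeps the resource-owner password grant wired up, and the class Javadoc documents calling `/oauth/token` with `client_secret`, `username` and `password` in the query string, which puts credentials into access logs, proxies and browser history. The password grant is removed in OAuth 2.1; if it must stay for the demo, restrict it to the one trusted client and document that the credentials belong in the POST body, never the URL. The `HttpMethod` import kept in this file suggests `allowedTokenEndpointRequestMethods(HttpMethod.GET, ...)` is set further down this chain, outside the hunk; if so, drop GET so the token endpoint only accepts POST. The `endpoints` chain continues outside the hunk.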
+++ b/demo-auth/src/main/java/cn/paul/auth/config/WebSecurityConfiguration.java @@ -3,10 +3,8 @@ package cn.paul.auth.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @@ -15,10 +13,10 @@ import org.springframework.security.crypto.password.PasswordEncoder; * @author shichaochao * ClassName:WebSecurityConfiguration.java * date:2023-09-09 19:54 - * Description: + * Description: 安全配置 */ @Configuration -@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true) +@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { /** 
@@ -32,24 +30,43 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { } + /** + * 注册验证管理器 + * + * @return 验证管理器 + * @throws Exception 异常信息 + */ @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } + /** + * 安全配置 + * + * @param http 安全策略 + * @throws Exception 异常信息 + */ @Override protected void configure(HttpSecurity http) throws Exception { + //允许表单提交 http.formLogin() + //放行 .permitAll() .and() + //认证请求 .authorizeRequests() + //ant匹配白名单 .antMatchers("/oauth/**", "/login/**", "/logout/**") + //放行 .permitAll() + //所有请求 .anyRequest() + //均需认证 .authenticated() .and() - .csrf() - .disable(); + //关闭跨域验证 + .csrf().disable(); } } diff --git a/demo-auth/src/main/java/cn/paul/auth/entity/SysUser.java b/demo-auth/src/main/java/cn/paul/auth/entity/SysUser.java index fd88a59..8e93d97 100644 --- a/demo-auth/src/main/java/cn/paul/auth/entity/SysUser.java +++ b/demo-auth/src/main/java/cn/paul/auth/entity/SysUser.java @@ -9,10 +9,10 @@ import org.springframework.security.core.userdetails.UserDetails; import java.util.List; /** - * @ClassName: SysUser - * @Description: TODO - * @Author: Paul Shi - * @Date: 2022/10/27 1:46 + * @author shichaochao + * ClassName:SysUser.java + * date:2023-09-09 23:46 + * Description: 用户实体 */ @Getter @NoArgsConstructor diff --git a/demo-auth/src/main/java/cn/paul/auth/service/UserService.java b/demo-auth/src/main/java/cn/paul/auth/service/UserService.java index 8318db7..f8626df 100644 --- a/demo-auth/src/main/java/cn/paul/auth/service/UserService.java +++ b/demo-auth/src/main/java/cn/paul/auth/service/UserService.java 
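Review bot: `.csrf().disable()` at the end of this chain turns off forgery protection for the authorization server's cookie-session flows, so the login form and the `/oauth/authorize` consent POST can be submitted from an attacker's page on behalf of a logged-in user, and the new comment `//关闭跨域验证` mislabels it as a cross-origin (CORS) setting. The token, check_token and token_key endpoints are served by the separate chain that @EnableAuthorizationServer installs (inferred, not visible here), so this adapter can keep CSRF on; replace the last two lines with `.csrf().ignoringAntMatchers("/oauth/token", "/oauth/check_token", "/oauth/token_key");` or drop the `.and()` / `.csrf().disable()` tail entirely. `"/oauth/**"` being permitAll also exposes `/oauth/authorize` to anonymous requests; that only works because the endpoint itself rejects an unauthenticated principal and the exception filter redirects to login, which deserves a comment such as `// /oauth/authorize still requires a login: the endpoint rejects anonymous principals`.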
@@ -10,20 +10,32 @@ import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Service; /** - * @ClassName: UserService - * @Description: TODO - * @Author: Paul Shi - * @Date: 2022/10/27 1:46 + * @author shichaochao + * ClassName:SysUser.java + * date:2023-09-09 23:54 + * Description: 用户实体 */ @Service @AllArgsConstructor public class UserService implements UserDetailsService { + /** + * 密码编码器 + */ private final PasswordEncoder passwordEncoder; + /** + * 根据用户名查询用户信息 + * + * @param username 用户名 + * @return 用户信息 + * @throws UsernameNotFoundException 用户名无效 + */ @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { + //临时密码 方便演示 String password = passwordEncoder.encode("123"); + //基于内存创建用户 方便演示 return new SysUser("admin", password, AuthorityUtils.commaSeparatedStringToAuthorityList("admin")); } } diff --git a/demo-order/src/main/java/cn/paul/order/OrderApplication.java b/demo-order/src/main/java/cn/paul/order/OrderApplication.java index caf1fa6..12e0e2a 100644 --- a/demo-order/src/main/java/cn/paul/order/OrderApplication.java +++ b/demo-order/src/main/java/cn/paul/order/OrderApplication.java @@ -7,12 +7,18 @@ import org.springframework.boot.autoconfigure.SpringBootApplication; * @author shichaochao * ClassName:OrderApplication.java * date:2023-09-09 22:58 - * Description: + * Description: 启动类 */ @SpringBootApplication public class OrderApplication { + /** + * 程序主入口 + * + * @param args 启动参数 + */ public static void main(String[] args) { - SpringApplication.run(OrderApplication.class,args); + //应用启动 + SpringApplication.run(OrderApplication.class, args); } } diff --git a/demo-order/src/main/java/cn/paul/order/config/ResourceServerConfig.java b/demo-order/src/main/java/cn/paul/order/config/ResourceServerConfig.java index 6130fc5..7497da4 100644 --- a/demo-order/src/main/java/cn/paul/order/config/ResourceServerConfig.java 
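Review bot: `loadUserByUsername` ignores its `username` parameter and returns the admin principal for every name, so any username paired with the demo password `123` authenticates as admin; even for a demo, guard with `if (!"admin".equals(username)) { throw new UsernameNotFoundException(username); }` before building the `SysUser`. `passwordEncoder.encode("123")` also runs a full BCrypt hash on every lookup, which is wasted work on each authentication attempt — compute the demo hash once (e.g. in a constructor that receives the encoder) and reuse it. The new class Javadoc is copied from SysUser (`ClassName:SysUser.java`, `Description: 用户实体`); it should name `UserService.java` and describe the class as the UserDetailsService the authorization server resolves users through, with `@throws UsernameNotFoundException` then matching the guard above.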
+++ b/demo-order/src/main/java/cn/paul/order/config/ResourceServerConfig.java @@ -14,14 +14,33 @@ import org.springframework.security.oauth2.provider.token.ResourceServerTokenSer * @author shichaochao * ClassName:ResourceServerConfig.java * date:2023-09-09 23:02 - * Description: + * Description: 资源服务器配置 */ @Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { + /** + * 注册token服务 + * + * @return token服务 + */ + @Bean + public ResourceServerTokenServices tokenServices() { + //远程token服务 + RemoteTokenServices services = new RemoteTokenServices(); + //验证token地址 + services.setCheckTokenEndpointUrl("http://localhost:8000/oauth/check_token"); + //客户端id + services.setClientId("app"); + //客户端秘钥 + services.setClientSecret("app_pwd"); + return services; + } + /** * 资源服务器配置 + * * @param resources 资源服务配置 * @throws Exception 异常信息 */ @@ -36,6 +55,7 @@ public class ResourceServerConfig extends ResourceServerConfigurerAdapter { /** * 安全策略配置 + * * @param http 安全策略 * @throws Exception 异常信息 */ @@ -52,13 +72,4 @@ public class ResourceServerConfig extends ResourceServerConfigurerAdapter { //禁用session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } - - @Bean - public ResourceServerTokenServices tokenServices(){ - RemoteTokenServices services = new RemoteTokenServices(); - services.setCheckTokenEndpointUrl("http://localhost:8000/oauth/check_token"); - services.setClientId("app"); - services.setClientSecret("app_pwd"); - return services; - } } diff --git a/demo-order/src/main/java/cn/paul/order/config/WebSecurityConfiguration.java b/demo-order/src/main/java/cn/paul/order/config/WebSecurityConfiguration.java index e2e6462..baae13d 100644 --- a/demo-order/src/main/java/cn/paul/order/config/WebSecurityConfiguration.java +++ b/demo-order/src/main/java/cn/paul/order/config/WebSecurityConfiguration.java 
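Review bot: The relocated `tokenServices()` bean hard-codes the introspection URL `http://localhost:8000/oauth/check_token` and the client secret `app_pwd` in source, and that credential is the same one the authorization server hands to the end-user client, so the secret is both committed to the repository and shared across a trust boundary. Move the three values into configuration properties injected with `@Value` (adds an `org.springframework.beans.factory.annotation.Value` import) and give the resource server its own client on the auth server; note also that over plain `http://` the bearer token and the client secret travel in clear on every check_token call, which is acceptable only on localhost. The `configure(ResourceServerSecurityConfigurer)` method that follows the Javadoc is cut off at the end of the hunk.
```java
    /**
     * Token introspection against the authorization server's check_token endpoint.
     * URL and client credentials come from configuration so no secret lives in source.
     */
    @Bean
    public ResourceServerTokenServices tokenServices(
            @Value("${security.oauth2.resource.token-info-uri}") String checkTokenUrl,
            @Value("${security.oauth2.client.client-id}") String clientId,
            @Value("${security.oauth2.client.client-secret}") String clientSecret) {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(checkTokenUrl);
        services.setClientId(clientId);
        services.setClientSecret(clientSecret);
        return services;
    }
    // … unchanged: configure(ResourceServerSecurityConfigurer) Javadoc …
```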
@@ -1,29 +1,29 @@ package cn.paul.order.config; import org.springframework.context.annotation.Configuration; -import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /** * @author shichaochao * ClassName:WebSecurityConfiguration.java * date:2023-09-09 23:51 - * Description: + * Description: 安全策略配置 */ @Configuration -@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true) +@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { /** * 安全拦截策略 不加此配置时 不会验证权限 + * * @param http 安全策略 * @throws Exception 异常信息 */ @Override protected void configure(HttpSecurity http) throws Exception { + //禁用跨域监测 http.csrf().disable() //认证请求 .authorizeRequests() diff --git a/demo-order/src/main/java/cn/paul/order/controller/TestController.java b/demo-order/src/main/java/cn/paul/order/controller/TestController.java index d3dfd86..143d071 100644 --- a/demo-order/src/main/java/cn/paul/order/controller/TestController.java +++ b/demo-order/src/main/java/cn/paul/order/controller/TestController.java @@ -8,15 +8,19 @@ import org.springframework.web.bind.annotation.RestController; * @author shichaochao * ClassName:TestController.java * date:2023-09-09 22:59 - * Description: + * Description: 测试控制器 */ @RestController public class TestController { - + /** + * 测试函数 用于测试用户资源服务器访问权限 + * + * @return 成功信息 + */ @PreAuthorize("hasAnyAuthority('admin')") @RequestMapping("/test") - public String test(){ + public String test() { return "{'code':200}"; } } -- Gitee
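Review bot: The new comment `//禁用跨域监测` on `http.csrf().disable()` describes the line as a cross-origin check, but CSRF and CORS are different controls; disabling CSRF is justified here only because the resource server is stateless and bearer-token based, and the comment should say so, e.g. `// CSRF off: stateless bearer-token API, no session cookie an attacker could ride`. Because the ResourceServerConfigurerAdapter in this module also sets STATELESS sessions and by default matches every request, this adapter's HttpSecurity chain may never be reached and the effective authorization may come only from `@EnableGlobalMethodSecurity` on the class (inferred from the two configs, not verified here); confirm which chain handles requests, otherwise the Javadoc claim that permissions go unchecked without this configuration is misleading. The method body continues outside the hunk.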
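Review bot: `test()` returns `"{'code':200}"`, which is not valid JSON (single-quoted key), so any client that parses the body strictly will fail; return `"{\"code\":200}"` or a `Map.of("code", 200)` that Spring serializes. `@RequestMapping("/test")` also binds every HTTP method to the endpoint; `@GetMapping("/test")` limits it to what the test needs. The `@PreAuthorize("hasAnyAuthority('admin')")` check depends on `prePostEnabled = true` on the module's security config, which this commit keeps, so that part is consistent.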