扫二维码与项目经理沟通
我们在微信上24小时期待你的声音
解答本文疑问/技术咨询/运营咨询/技术建议/互联网交流
这篇文章给大家介绍如何进行spring cloud gateway oauth整合,内容非常详细,感兴趣的小伙伴们可以参考借鉴,希望对大家能有所帮助。
鄂伦春ssl适用于网站、小程序/APP、API接口等需要进行数据传输应用场景,ssl证书未来市场广阔!成为创新互联的ssl证书销售渠道,可以享受市场价格4-6折优惠!如果有意向欢迎电话联系或者加微信:13518219792(备注:SSL证书合作)期待与您的合作!
pom依赖
org.springframework.boot spring-boot-starter-security org.springframework.security spring-security-oauth3-resource-server org.springframework.security.oauth spring-security-oauth3 org.springframework.boot spring-boot-starter-webflux org.springframework.cloud spring-cloud-starter-gateway
简易校验
/** * * 程序名 : AccessFilter 建立日期: 2018-09-09 作者 : someday 模块 : 网关 描述 : oauth校验 备注 : * version20180909001 ** 修改历史 序号 日期 修改人 修改原因 */ @Component public class AccessFilter implements GlobalFilter, Ordered { // url匹配器 private AntPathMatcher pathMatcher = new AntPathMatcher(); @Resource private redisTemplate
redisTemplate; @Resource private AuthIgnored authIgnored; @Override public int getOrder() { // TODO Auto-generated method stub return -500; } @Override public Mono filter(ServerWebExchange exchange, GatewayFilterChain chain) { // TODO Auto-generated method stub String accessToken = TokenUtil.extractToken(exchange.getRequest()); // 默认 boolean flag = false; for (String ignored : authIgnored.getIgnored()) { if (pathMatcher.match(ignored, exchange.getRequest().getPath().value())) { flag = true; // 白名单 } } if (flag) { return chain.filter(exchange); } else { Map params = (Map ) redisTemplate.opsForValue().get(UaaConstant.TOKEN+":" + accessToken); if (params != null) { return chain.filter(exchange); } else { exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED); ServerHttpResponse response = exchange.getResponse(); JSONObject message = new JSONObject(); message.put("resp_code", 401); message.put("resp_msg", "未认证通过!"); byte[] bits = message.toJSONString().getBytes(StandardCharsets.UTF_8); DataBuffer buffer = response.bufferFactory().wrap(bits); response.setStatusCode(HttpStatus.UNAUTHORIZED); // 指定编码,否则在浏览器中会中文乱码 response.getHeaders().add("Content-Type", "application/json;charset=UTF-8"); return response.writeWith(Mono.just(buffer)); } } } }
配置资源服务器
package com.open.capacity.client.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.web.server.SecurityWebFiltersOrder; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.oauth3.common.OAuth3AccessToken; import org.springframework.security.oauth3.provider.token.TokenStore; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.authentication.AuthenticationWebFilter; import org.springframework.web.server.WebFilter; import com.open.capacity.client.handler.ResAccessDeniedHandler; import com.open.capacity.client.handler.ResAuthenticationEntryPoint; import com.open.capacity.client.handler.ResAuthenticationFailureHandler; import com.open.capacity.client.handler.ResAuthenticationSuccessHandler; import com.open.capacity.client.token.AuthorizeConfigManager; import com.open.capacity.client.token.TokenAuthenticationConverter; import com.open.capacity.client.token.TokenAuthenticationManager; import com.open.capacity.common.auth.props.PermitUrlProperties; /** * 资源服务器UAAClientAutoConfig */ @Configuration @EnableConfigurationProperties(PermitUrlProperties.class) public class UAAClientAutoConfig { @Autowired private PermitUrlProperties permitUrlProperties; @Autowired private TokenStore tokenStore; @Autowired private AuthorizeConfigManager authorizeConfigManager ; // @Resource(name="delegatingAuthorizationManager") // private DelegatingReactiveAuthorizationManager delegatingAuthorizationManager; @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { //认证处理器 ReactiveAuthenticationManager tokenAuthenticationManager = new TokenAuthenticationManager(tokenStore); ResAuthenticationEntryPoint resAuthenticationEntryPoint = new ResAuthenticationEntryPoint(); ResAccessDeniedHandler resAccessDeniedHandler = new ResAccessDeniedHandler() ; //构建Bearer Token //请求参数强制加上 Authorization BEARER token http.addFilterAt((WebFilter) (exchange, chain) -> { ServerHttpRequest request = exchange.getRequest(); if(request.getQueryParams().getFirst("access_token")!=null) { exchange.getRequest().mutate().headers(httpHeaders -> httpHeaders.add( "Authorization", OAuth3AccessToken.BEARER_TYPE+" "+request.getQueryParams().getFirst("access_token")) ); } return chain.filter(exchange); }, SecurityWebFiltersOrder.FIRST); //身份认证 AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(tokenAuthenticationManager); authenticationWebFilter.setAuthenticationFailureHandler(new ResAuthenticationFailureHandler()); //登陆验证失败 authenticationWebFilter.setAuthenticationSuccessHandler(new ResAuthenticationSuccessHandler()); //认证成功 //token转换器 TokenAuthenticationConverter tokenAuthenticationConverter = new TokenAuthenticationConverter(); tokenAuthenticationConverter.setAllowUriQueryParameter(true); authenticationWebFilter.setServerAuthenticationConverter(tokenAuthenticationConverter); http.addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION); //访问授权 // AuthorizationWebFilter authorizationWebFilter=new AuthorizationWebFilter(delegatingAuthorizationManager); // http.addFilterAt(authorizationWebFilter, SecurityWebFiltersOrder.FORM_LOGIN); ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = http.authorizeExchange(); authorizeExchange.matchers(EndpointRequest.toAnyEndpoint()).permitAll(); //无需进行权限过滤的请求路径 authorizeExchange.pathMatchers(permitUrlProperties.getIgnored()).permitAll() ;//无需进行权限过滤的请求路径 authorizeExchange .pathMatchers(HttpMethod.OPTIONS).permitAll() //option 请求默认放行 // .anyExchange().access(authorizeConfigManager) // 应用api权限控制 .anyExchange().authenticated() //token 有效性控制 .and() .exceptionHandling() .accessDeniedHandler(resAccessDeniedHandler) .authenticationEntryPoint(resAuthenticationEntryPoint) .and() .headers() .frameOptions() .disable() .and() .httpBasic().disable() .csrf().disable(); return http.build(); } }
token有效期检测
package com.open.capacity.client.token; import org.springframework.http.HttpStatus; /* * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.core.Authentication; import org.springframework.security.oauth3.common.OAuth3AccessToken; import org.springframework.security.oauth3.common.exceptions.InvalidTokenException; import org.springframework.security.oauth3.core.OAuth3AuthenticationException; import org.springframework.security.oauth3.core.OAuth3Error; import org.springframework.security.oauth3.provider.OAuth3Authentication; import org.springframework.security.oauth3.provider.token.TokenStore; import org.springframework.security.oauth3.server.resource.BearerTokenAuthenticationToken; import org.springframework.security.oauth3.server.resource.BearerTokenError; import org.springframework.security.oauth3.server.resource.BearerTokenErrorCodes; import reactor.core.publisher.Mono; /** * A {@link ReactiveAuthenticationManager} for Jwt tokens. * * @author Rob Winch * @since 5.1 */ public final class TokenAuthenticationManager implements ReactiveAuthenticationManager { private TokenStore tokenStore; public TokenAuthenticationManager(TokenStore tokenStore) { this.tokenStore = tokenStore; } @Override public Monoauthenticate(Authentication authentication) { return Mono.justOrEmpty(authentication) .filter(a -> a instanceof BearerTokenAuthenticationToken) .cast(BearerTokenAuthenticationToken.class) .map(BearerTokenAuthenticationToken::getToken) .flatMap((accessTokenValue -> { OAuth3AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue); if (accessToken == null) { OAuth3Error error = new BearerTokenError( BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED, "Invalid access token: " + accessTokenValue, "https://tools.ietf.org/html/rfc6750#section-3.1"); return Mono.error(new OAuth3AuthenticationException(error,"Invalid access token: " + accessTokenValue)); } else if (accessToken.isExpired()) { tokenStore.removeAccessToken(accessToken); OAuth3Error error = new BearerTokenError( BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED, "Access token expired: " + accessTokenValue, "https://tools.ietf.org/html/rfc6750#section-3.1"); return Mono.error(new OAuth3AuthenticationException(error,"Access token expired: " + accessTokenValue)); } OAuth3Authentication result = tokenStore.readAuthentication(accessToken); if (result == null) { return Mono.error(new InvalidTokenException("Invalid access token: " + accessTokenValue)); } return Mono.just(result); })) .cast(Authentication.class); } }
应用可访问API列表控制
package com.open.capacity.client.token; import java.util.Iterator; import java.util.List; import java.util.Map; import javax.annotation.Resource; import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.ReactiveAuthorizationManager; import org.springframework.security.core.Authentication; import org.springframework.security.oauth3.provider.OAuth3Authentication; import org.springframework.security.web.server.authorization.AuthorizationContext; import org.springframework.stereotype.Component; import org.springframework.util.AntPathMatcher; import org.springframework.web.server.ServerWebExchange; import com.open.capacity.client.dao.SysClientDao; import com.open.capacity.client.dao.SysServiceDao; import reactor.core.publisher.Mono; /** * @author 作者 owen E-mail: 624191343@qq.com * @version 创建时间:2018年2月1日 下午9:47:00 类说明 */ @Component public class AuthorizeConfigManager implements ReactiveAuthorizationManager{ @Resource private SysServiceDao sysServiceDao; @Resource private SysClientDao sysClientDao; private AntPathMatcher antPathMatcher = new AntPathMatcher(); @Override public Mono check(Mono authentication, AuthorizationContext authorizationContext) { return authentication.map(auth -> { // TODO 目前都是true boolean hasPermission = false; ServerWebExchange exchange = authorizationContext.getExchange(); ServerHttpRequest request = exchange.getRequest(); if (auth instanceof OAuth3Authentication) { OAuth3Authentication athentication = (OAuth3Authentication) auth; String clientId = athentication.getOAuth3Request().getClientId(); Map map = sysClientDao.getClient(clientId); if (map == null) { return new AuthorizationDecision(false); } else { List
关于如何进行spring cloud gateway oauth整合就分享到这里了,希望以上内容可以对大家有一定的帮助,可以学到更多知识。如果觉得文章不错,可以把它分享出去让更多的人看到。
我们在微信上24小时期待你的声音
解答本文疑问/技术咨询/运营咨询/技术建议/互联网交流