03 springsecurity通过oauth2完成单点登录

springsecurity对oauth2有着很好的支持，这一节我们将整合它们完成单点登录。

1、前提约束

• idea2018.1
• maven3.6.1

2、操作步骤

2.1 创建auth-server

auth-server当中包括资源服务器，授权服务器，认证服务器，其他客户端的请求都会到这里通过认证获取资源。

• 创建springboot项目，依赖如下：

        
            org.springframework.boot
            spring-boot-starter-web
        

        
            org.springframework.boot
            spring-boot-starter-test
            test
        

        
            org.springframework.security.oauth
            spring-security-oauth2
            2.2.1.RELEASE
            compile
        

        
            org.springframework.boot
            spring-boot-starter-security
        

        
            org.springframework.security.oauth.boot
            spring-security-oauth2-autoconfigure
            2.1.9.RELEASE
        

• 配置application.yml

server:
  port: 8003
  servlet:
    context-path: '/auth'

• 设置主启动类

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer//资源服务器
public class AuthServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthServerApplication.class, args);
    }

}

• 在主启动类同级目录下，创建AuthServerConfig.java以完成授权服务器：

import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

import javax.annotation.Resource;

/**
 * 授权服务器配置
 */
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Resource
    private BCryptPasswordEncoder passwordEncoder;

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll")
                .checkTokenAccess("isAuthenticated()");
    }

    @Override
    /**
     * ClientDetailsServiceConfigurer 能够使用内存或 JDBC 方式实现获取已注册的客户端详情，有几个重要的属性：
     *
     *     clientId：客户端标识 ID（账号）
     *     secret：客户端安全码（密码）
     *     scope：客户端访问范围，默认为空则拥有全部范围
     *     authorizedGrantTypes：客户端使用的授权类型，默认为空
     *     authorities：客户端可使用的权限
     */
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("SampleClientId")
                .secret(passwordEncoder.encode("secret"))
                .authorizedGrantTypes("authorization_code")
                .scopes("user_info")
                .autoApprove(true)
                .redirectUris("http://localhost:8001/login", "http://localhost:8002/login");
    }
}

• 在主启动类同级目录下创建SecurityConfig.java以完成安全设置：

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .antMatchers("/login", "/oauth/authorize")
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and().csrf().disable();
    }

    @Override
   //登录密码应该从数据库中获取，这个例子中固定是为了方便
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("ali")
                .password(passwordEncoder().encode("123456"))
                .roles("USER");
    }

    @Bean
   //密码加密
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

• 在主启动类同级目录下创建UserController.java，提供获取用户信息的api

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.security.Principal;

@RestController
public class UserController {

    @GetMapping(value = "/user")
    public Principal me(Principal principal) {
        System.out.println("调用me接口获取用户信息：" + principal);
        return principal;
    }
}

• 启动，测试，访问http://localhost:8003/auth/login，进入以下页面：
  
  中心服务器登录页面

2.2 创建客户端client1

client1就是访问中心服务器的客户端。

• 创建springboot项目client1，依赖如下：

        
            org.springframework.boot
            spring-boot-starter-web
        

        
            org.springframework.boot
            spring-boot-starter-test
            test
        
        
        
            org.springframework.boot
            spring-boot-starter-thymeleaf
        

        
            org.thymeleaf.extras
            thymeleaf-extras-springsecurity5
        
        
            org.springframework.security.oauth.boot
            spring-security-oauth2-autoconfigure
            2.0.0.RELEASE
            compile
        

• 修改application.yml

server:
  port: 8001 #client2要改为8002
  servlet:
    session:
      cookie:
        name: CLIENT1_SESSION #client2要改为CLIENT2_SESSION
security:
  oauth2:
    client:
      client-id: SampleClientId
      client-secret: secret
      access-token-uri: http://localhost:8003/auth/oauth/token # 获取tokenurl
      user-authorization-uri: http://localhost:8003/auth/oauth/authorize #授权url
    resource:
      user-info-uri: http://localhost:8003/auth/user # 从授权服务器获取当前登录用户信息的地址

spring:
  thymeleaf:
    cache: false
  main:
    allow-bean-definition-overriding: true

• 在项目/src/main/resources/templates文件夹下创建index.html和welcome.html
  index.html

    
    



        
        
SSO 客户端1
        Login

welcome.html

    
    




客户端1
你好, 

• 在主启动类同级目录下创建MySecurityConfig.java

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableOAuth2Sso
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/", "/login")
                .permitAll()
                .anyRequest()
                .authenticated();
    }

}

• 在主启动类同级目录下创建PageController.java

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class PageController {

    @GetMapping(value = "")
    public String index() {
        return "index.html";
    }

    @GetMapping(value = "welcome")
    public String home() {
        return "welcome.html";
    }
}

2.3 以同样的方式创建client2，注意要修改的地方上面已经标出。

2.4 测试

• 启动auth-server，client1, client2
• 先访问http://localhost:8001,得到以下界面：
  
  客户端1登录界面

• 点击Login，进入auth-server的登录界面

  
  
  中心服务器的登录界面

• 输入ali/123456，点击Sign In，回调到client1的欢迎界面

  
  
  client1的欢迎界面
• 访问http://localhost:8002,得到以下界面:
  
  客户端2登录界面

• 点击Login，不用再次登录，直接进入client2的欢迎界面

  
  
  客户端2欢迎界面
  
  

  以上就是我们使用springsecurity和oauth2完成的单点登录。