啟動(dòng)sca-resource-ui服務(wù)后，進(jìn)入登陸頁(yè)面，輸入用戶名jack,密碼123456進(jìn)行登陸測(cè)試 。
頒發(fā)登陸成功令牌構(gòu)建令牌配置對(duì)象本次我們借助JWT(Json Web Token-是一種json格式）方式將用戶相關(guān)信息進(jìn)行組織和加密,并作為響應(yīng)令牌(Token),從服務(wù)端響應(yīng)到客戶端,客戶端接收到這個(gè)JWT令牌之后,將其保存在客戶端(例如localStorage),然后攜帶令牌訪問(wèn)資源服務(wù)器,資源服務(wù)器獲取并解析令牌的合法性,基于解析結(jié)果判定是否允許用戶訪問(wèn)資源.
package com.jt.auth.config;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.security.oauth2.provider.token.TokenStore;import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;@Configurationpublic class TokenConfig {//定義簽名key,在執(zhí)行令牌簽名需要這個(gè)key,可以自己指定.private String SIGNING_KEY = "auth";//定義令牌生成策略.@Beanpublic TokenStore tokenStore() {return new JwtTokenStore(jwtAccessTokenConverter());}//定義Jwt轉(zhuǎn)換器,負(fù)責(zé)生成jwt令牌,解析令牌內(nèi)容@Beanpublic JwtAccessTokenConverter jwtAccessTokenConverter(){JwtAccessTokenConverter converter=new JwtAccessTokenConverter();//設(shè)置加密/解密口令converter.setSigningKey(SIGNING_KEY);return converter;}}定義認(rèn)證授權(quán)核心配置第一步：在SecurityConfig中添加如下方法（創(chuàng)建認(rèn)證管理器對(duì)象，后面授權(quán)服務(wù)器會(huì)用到）：
@Beanpublic AuthenticationManager authenticationManagerBean()throws Exception {return super.authenticationManagerBean();}第二步：所有零件準(zhǔn)備好了開(kāi)始拼裝最后的主體部分，這個(gè)主體部分就是授權(quán)服務(wù)器的核心配置
package com.jt.auth.config;import lombok.AllArgsConstructor;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.http.HttpMethod;import org.springframework.security.authentication.AuthenticationManager;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.crypto.password.PasswordEncoder;import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;import org.springframework.security.oauth2.provider.token.DefaultTokenServices;import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;import org.springframework.security.oauth2.provider.token.TokenStore;import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;import java.util.Arrays;/** * 完成所有配置的組裝,在這個(gè)配置類(lèi)中完成認(rèn)證授權(quán),JWT令牌簽發(fā)等配置操作 * 1)SpringSecurity (安全認(rèn)證和授權(quán)) * 2)TokenConfig * 3)Oauth2(暫時(shí)不說(shuō)) */@AllArgsConstructor@Configuration@EnableAuthorizationServer //開(kāi)啟認(rèn)證和授權(quán)服務(wù)public class Oauth2Config extends AuthorizationServerConfigurerAdapter {//此對(duì)象負(fù)責(zé)完成認(rèn)證管理private AuthenticationManager authenticationManager;//TokenStore負(fù)責(zé)完成令牌創(chuàng)建,信息讀取private TokenStore tokenStore;//JWT令牌轉(zhuǎn)換器(基于用戶信息構(gòu)建令牌,解析令牌)private JwtAccessTokenConverter jwtAccessTokenConverter;//密碼加密匹配器對(duì)象private PasswordEncoder passwordEncoder;//負(fù)責(zé)獲取用戶信息信息private UserDetailsService userDetailsService;//設(shè)置認(rèn)證端點(diǎn)的配置(/oauth/token),客戶端通過(guò)這個(gè)路徑獲取JWT令牌@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints//配置認(rèn)證管理器.authenticationManager(authenticationManager)//驗(yàn)證用戶的方法獲得用戶詳情.userDetailsService(userDetailsService)//要求提交認(rèn)證使用post請(qǐng)求方式,提高安全性.allowedTokenEndpointRequestMethods(HttpMethod.POST,HttpMethod.GET)//要配置令牌的生成,由于令牌生成比較復(fù)雜,下面有方法實(shí)現(xiàn).tokenServices(tokenService());//這個(gè)不配置,默認(rèn)令牌為UUID.randomUUID().toString()}//定義令牌生成策略@Beanpublic AuthorizationServerTokenServices tokenService(){//這個(gè)方法的目標(biāo)就是獲得一個(gè)令牌生成器DefaultTokenServices services=new DefaultTokenServices();//支持令牌刷新策略(令牌有過(guò)期時(shí)間)services.setSupportRefreshToken(true);//設(shè)置令牌生成策略(tokenStore在TokenConfig配置了,本次我們應(yīng)用JWT-定義了一種令牌格式)services.setTokenStore(tokenStore);//設(shè)置令牌增強(qiáng)(允許設(shè)置令牌生成策略,默認(rèn)是非jwt方式,現(xiàn)在設(shè)置為jwt方式,并在令牌Payload部分允許添加擴(kuò)展數(shù)據(jù),例如用戶權(quán)限信息)TokenEnhancerChain chain=new TokenEnhancerChain();chain.setTokenEnhancers(Arrays.asList(jwtAccessTokenConverter));services.setTokenEnhancer(chain);//設(shè)置令牌有效期services.setAccessTokenValiditySeconds(3600);//1小時(shí)//刷新令牌應(yīng)用場(chǎng)景：一般在用戶登錄系統(tǒng)后，令牌快過(guò)期時(shí)，系統(tǒng)自動(dòng)幫助用戶刷新令牌，提高用戶的體驗(yàn)感services.setRefreshTokenValiditySeconds(3600*72);//3天return services;}//設(shè)置客戶端詳情類(lèi)似于用戶詳情@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.inMemory()//客戶端id (客戶端訪問(wèn)時(shí)需要這個(gè)id).withClient("gateway-client")//客戶端秘鑰(客戶端訪問(wèn)時(shí)需要攜帶這個(gè)密鑰).secret(passwordEncoder.encode("123456"))//設(shè)置權(quán)限.scopes("all")//all只是個(gè)名字而已和寫(xiě)abc效果相同//允許客戶端進(jìn)行的操作這里的認(rèn)證方式表示密碼方式,里面的字符串千萬(wàn)不能寫(xiě)錯(cuò).authorizedGrantTypes("password","refresh_token");}// 認(rèn)證成功后的安全約束配置,對(duì)指定資源的訪問(wèn)放行,我們登錄時(shí)需要訪問(wèn)/oauth/token,需要對(duì)這樣的url進(jìn)行放行@Overridepublic void configure(AuthorizationServerSecurityConfigurer security) throws Exception {//認(rèn)證通過(guò)后,允許客戶端進(jìn)行哪些操作security//公開(kāi)oauth/token_key端點(diǎn).tokenKeyAccess("permitAll()")//公開(kāi)oauth/check_token端點(diǎn).checkTokenAccess("permitAll()")//允許提交請(qǐng)求進(jìn)行認(rèn)證(申請(qǐng)令牌).allowFormAuthenticationForClients();}}