Spring-Security-Oauth2 基于JDBC存储令牌和RBAC权限认证

相关配置来自李哥博客:  https://funtl.com/zh/spring-security-oauth2/   (本文仅记录自己学习记录,说的不详细,可以观看李哥博客)

认证服务器和资源服务器pom.xml配置  (李哥博客用的是tk.mybatis 我用的是spring  jpa)

<dependencies>
    <dependency>
        <groupId>com.zaxxer</groupId>
        <artifactId>HikariCP</artifactId>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
        <exclusions>
            <exclusion>
                <groupId>org.junit.vintage</groupId>
                <artifactId>junit-vintage-engine</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>

认证服务器: 

apllication.yml:

server:
  port: 9999
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: (自己的数据库)
    username: (账号)
    password: (密码)
    hikari:
      minimum-idle: 5
      idle-timeout: 600000
      maximum-pool-size: 10
      auto-commit: true
      pool-name: MyHikariCP
      max-lifetime: 1800000
      connection-timeout: 30000
      connection-test-query: SELECT 1

认证服务器配置:

认证客服端:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
    @Bean
    @Primary
    @ConfigurationProperties(prefix = "spring.datasource")
    public DataSource dataSource() {
        // 配置数据源(使用的是 HikariCP 连接池),以上注解是指定数据源,否则会有冲突
        return DataSourceBuilder.create().build();
    }
    @Bean
    public TokenStore tokenStore() {
        // 基于 JDBC 实现,令牌保存到数据
        return new JdbcTokenStore(dataSource());
    }

    @Bean
    public ClientDetailsService jdbcClientDetails() {
        // 基于 JDBC 实现,需要事先在数据库配置客户端信息
        return new JdbcClientDetailsService(dataSource());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // 设置令牌
        endpoints.tokenStore(tokenStore());
    }
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // 读取客户端配置
        clients.withClientDetails(jdbcClientDetails());
    }
}

用户授权:

@Configurationpublic class UserDetailsServiceConfiguration implements UserDetailsService {    @Autowired    private TbUserService  tbUserService;    @Autowired    private TbPermissionService tbPermissionService;    @Override    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {        TbUser tbUser  = tbUserService.findByUsername(username);        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();        if (tbUser != null) {            // 获取用户授权            List<TbPermission> tbPermissions = tbPermissionService.selectByUserId(tbUser.getId());            // 声明用户授权            tbPermissions.forEach(tbPermission -> {                if (tbPermission != null && tbPermission.getEnname() != null) {                    GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(tbPermission.getEnname());                    grantedAuthorities.add(grantedAuthority);                }            });        }

        return new User(tbUser.getUsername(), tbUser.getPassword(), grantedAuthorities);

    }}

安全配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsServiceConfiguration userDetailsServiceConfiguration;
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        // 设置默认的加密方式
        return new BCryptPasswordEncoder();
    }
    @Bean
    @Override
    public UserDetailsService userDetailsService(){
        return userDetailsServiceConfiguration;
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 使用自定义认证与授权
        auth.userDetailsService(userDetailsService());
    }
    @Override
    public void configure(WebSecurity web)  {
        // 将 check_token 暴露出去,否则资源服务器访问时报 403 错误
        web.ignoring().antMatchers("/oauth/check_token");
    }
}

 获取用户信息和权限信息目录和代码:

@Repository
public  interface TbPermissionRepository extends JpaRepository<TbPermission,Long> {
    @Query(value = "SELECT\n" +
            "  p.*\n" +
            "FROM\n" +
            "  tb_user AS u\n" +
            "  LEFT JOIN tb_user_role AS ur\n" +
            "    ON u.id = ur.user_id\n" +
            "  LEFT JOIN tb_role AS r\n" +
            "    ON r.id = ur.role_id\n" +
            "  LEFT JOIN tb_role_permission AS rp\n" +
            "    ON r.id = rp.role_id\n" +
            "  LEFT JOIN tb_permission AS p\n" +
            "    ON p.id = rp.permission_id\n" +
            "WHERE u.id = ?1",nativeQuery = true)
    public List<TbPermission> selectByUserId(Long id);
}
@Repository
public interface TbUserRepository extends JpaRepository<TbUser,Long> {
    @Query(value = "select * from tb_user where username = ?1",nativeQuery = true)
    public TbUser findByUsername(String username);
}

@Service
public class TbPermissionService{
    @Autowired
    private TbPermissionRepository tbPermissionRepository;
    public List<TbPermission> selectByUserId(Long id){
        List<TbPermission> tbPermissions = tbPermissionRepository.selectByUserId(id);
        return tbPermissions;
    }
}

@Service
public class TbUserService {
    @Autowired
    private TbUserRepository tbUserRepository;
    public TbUser findByUsername(String username){
        TbUser byUsername = tbUserRepository.findByUsername(username);
        return byUsername;
    }
}

客服端表:oauth_client_details

获取code请求地址(GET请求):  http://{you ip}:{you port}/oauth/authorize?client_id=client&response_type=code (client_id为上图中的client_id,成功之后会回调url 为上面的web_server_redicrct_uri)

获取token请求地址(POST请求:) :http://client:[email protected]{you ip}:{you port}/oauth/token   携带参数为: grant_type (为上图中的authorization_grant_type)  code (上面返回的code)

资源服务器:

application.yml:

server:
  port: 10000
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: (自己的数据库)
    username: (账号)
    password: (密码)
    hikari:
      minimum-idle: 5
      idle-timeout: 600000
      maximum-pool-size: 10
      auto-commit: true
      pool-name: MyHikariCP
      max-lifetime: 1800000
      connection-timeout: 30000
      connection-test-query: SELECT 1
security:
  oauth2:
    client:
      client-id: client
      client-secret: secret
      access-token-uri: http://localhost:9999/oauth/token
      user-authorization-uri: http://localhost:9999/oauth/authorize
    resource:
      token-info-uri: http://localhost:9999/oauth/check_token

资源服务器就是普通的CRUD和对接Oauth2认证授权服务端

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .exceptionHandling()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // 以下为配置所需保护的资源路径及权限,需要与认证服务器配置的授权部分对应
                .antMatchers("/").hasAuthority("System")
                .antMatchers("/view/**").hasAuthority("SystemContentView")
                .antMatchers("/insert/**").hasAuthority("SystemContentInsert")
                .antMatchers("/update/**").hasAuthority("SystemContentUpdate")
                .antMatchers("/delete/**").hasAuthority("SystemContentDelete");
    }
}

  

数据库相关sql语句:

jdbc存储令牌:

CREATE TABLE `clientdetails` (
  `appId` varchar(128) NOT NULL,
  `resourceIds` varchar(256) DEFAULT NULL,
  `appSecret` varchar(256) DEFAULT NULL,
  `scope` varchar(256) DEFAULT NULL,
  `grantTypes` varchar(256) DEFAULT NULL,
  `redirectUrl` varchar(256) DEFAULT NULL,
  `authorities` varchar(256) DEFAULT NULL,
  `access_token_validity` int(11) DEFAULT NULL,
  `refresh_token_validity` int(11) DEFAULT NULL,
  `additionalInformation` varchar(4096) DEFAULT NULL,
  `autoApproveScopes` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`appId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_access_token` (
  `token_id` varchar(256) DEFAULT NULL,
  `token` blob,
  `authentication_id` varchar(128) NOT NULL,
  `user_name` varchar(256) DEFAULT NULL,
  `client_id` varchar(256) DEFAULT NULL,
  `authentication` blob,
  `refresh_token` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`authentication_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_approvals` (
  `userId` varchar(256) DEFAULT NULL,
  `clientId` varchar(256) DEFAULT NULL,
  `scope` varchar(256) DEFAULT NULL,
  `status` varchar(10) DEFAULT NULL,
  `expiresAt` timestamp NULL DEFAULT NULL,
  `lastModifiedAt` timestamp NULL DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_client_details` (
  `client_id` varchar(128) NOT NULL,
  `resource_ids` varchar(256) DEFAULT NULL,
  `client_secret` varchar(256) DEFAULT NULL,
  `scope` varchar(256) DEFAULT NULL,
  `authorized_grant_types` varchar(256) DEFAULT NULL,
  `web_server_redirect_uri` varchar(256) DEFAULT NULL,
  `authorities` varchar(256) DEFAULT NULL,
  `access_token_validity` int(11) DEFAULT NULL,
  `refresh_token_validity` int(11) DEFAULT NULL,
  `additional_information` varchar(4096) DEFAULT NULL,
  `autoapprove` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`client_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_client_token` (
  `token_id` varchar(256) DEFAULT NULL,
  `token` blob,
  `authentication_id` varchar(128) NOT NULL,
  `user_name` varchar(256) DEFAULT NULL,
  `client_id` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`authentication_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_code` (
  `code` varchar(256) DEFAULT NULL,
  `authentication` blob
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `oauth_refresh_token` (
  `token_id` varchar(256) DEFAULT NULL,
  `token` blob,
  `authentication` blob
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

RBAC:

CREATE TABLE `tb_permission` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `parent_id` bigint(20) DEFAULT NULL COMMENT ‘父权限‘,
  `name` varchar(64) NOT NULL COMMENT ‘权限名称‘,
  `enname` varchar(64) NOT NULL COMMENT ‘权限英文名称‘,
  `url` varchar(255) NOT NULL COMMENT ‘授权路径‘,
  `description` varchar(200) DEFAULT NULL COMMENT ‘备注‘,
  `created` datetime NOT NULL,
  `updated` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=44 DEFAULT CHARSET=utf8 COMMENT=‘权限表‘;
insert  into `tb_permission`(`id`,`parent_id`,`name`,`enname`,`url`,`description`,`created`,`updated`) values
(37,0,‘系统管理‘,‘System‘,‘/‘,NULL,‘2019-04-04 23:22:54‘,‘2019-04-04 23:22:56‘),
(38,37,‘用户管理‘,‘SystemUser‘,‘/users/‘,NULL,‘2019-04-04 23:25:31‘,‘2019-04-04 23:25:33‘),
(39,38,‘查看用户‘,‘SystemUserView‘,‘‘,NULL,‘2019-04-04 15:30:30‘,‘2019-04-04 15:30:43‘),
(40,38,‘新增用户‘,‘SystemUserInsert‘,‘‘,NULL,‘2019-04-04 15:30:31‘,‘2019-04-04 15:30:44‘),
(41,38,‘编辑用户‘,‘SystemUserUpdate‘,‘‘,NULL,‘2019-04-04 15:30:32‘,‘2019-04-04 15:30:45‘),
(42,38,‘删除用户‘,‘SystemUserDelete‘,‘‘,NULL,‘2019-04-04 15:30:48‘,‘2019-04-04 15:30:45‘);

CREATE TABLE `tb_role` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `parent_id` bigint(20) DEFAULT NULL COMMENT ‘父角色‘,
  `name` varchar(64) NOT NULL COMMENT ‘角色名称‘,
  `enname` varchar(64) NOT NULL COMMENT ‘角色英文名称‘,
  `description` varchar(200) DEFAULT NULL COMMENT ‘备注‘,
  `created` datetime NOT NULL,
  `updated` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=38 DEFAULT CHARSET=utf8 COMMENT=‘角色表‘;
insert  into `tb_role`(`id`,`parent_id`,`name`,`enname`,`description`,`created`,`updated`) values
(37,0,‘超级管理员‘,‘admin‘,NULL,‘2019-04-04 23:22:03‘,‘2019-04-04 23:22:05‘);

CREATE TABLE `tb_role_permission` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `role_id` bigint(20) NOT NULL COMMENT ‘角色 ID‘,
  `permission_id` bigint(20) NOT NULL COMMENT ‘权限 ID‘,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=43 DEFAULT CHARSET=utf8 COMMENT=‘角色权限表‘;
insert  into `tb_role_permission`(`id`,`role_id`,`permission_id`) values
(37,37,37),
(38,37,38),
(39,37,39),
(40,37,40),
(41,37,41),
(42,37,42);

CREATE TABLE `tb_user` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL COMMENT ‘用户名‘,
  `password` varchar(64) NOT NULL COMMENT ‘密码,加密存储‘,
  `phone` varchar(20) DEFAULT NULL COMMENT ‘注册手机号‘,
  `email` varchar(50) DEFAULT NULL COMMENT ‘注册邮箱‘,
  `created` datetime NOT NULL,
  `updated` datetime NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`) USING BTREE,
  UNIQUE KEY `phone` (`phone`) USING BTREE,
  UNIQUE KEY `email` (`email`) USING BTREE
) ENGINE=InnoDB AUTO_INCREMENT=38 DEFAULT CHARSET=utf8 COMMENT=‘用户表‘;
insert  into `tb_user`(`id`,`username`,`password`,`phone`,`email`,`created`,`updated`) values
(37,‘admin‘,‘$2a$10$9ZhDOBp.sRKat4l14ygu/.LscxrMUcDAfeVOEPiYwbcRkoB09gCmi‘,‘15888888888‘,‘[email protected]‘,‘2019-04-04 23:21:27‘,‘2019-04-04 23:21:29‘);

CREATE TABLE `tb_user_role` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `user_id` bigint(20) NOT NULL COMMENT ‘用户 ID‘,
  `role_id` bigint(20) NOT NULL COMMENT ‘角色 ID‘,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=38 DEFAULT CHARSET=utf8 COMMENT=‘用户角色表‘;
insert  into `tb_user_role`(`id`,`user_id`,`role_id`) values
(37,37,37);

客服端表可以自定义添加记录以及RBAC相关表也可自定义记录;

原文地址:https://www.cnblogs.com/zsifan/p/11745712.html

时间: 2024-08-29 06:47:12

Spring-Security-Oauth2 基于JDBC存储令牌和RBAC权限认证的相关文章

Spring Security OAuth2 Demo -- good

1. 添加依赖授权服务是基于Spring Security的,因此需要在项目中引入两个依赖: <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-security</artifactId> </dependency> <dependency> <groupId>org.springf

springboot+spring security +oauth2.0 demo搭建(password模式)(认证授权端与资源服务端分离的形式)

项目security_simple(认证授权项目) 1.新建springboot项目 这儿选择springboot版本我选择的是2.0.6 点击finish后完成项目的创建 2.引入maven依赖  下面是我引入的依赖 1 <?xml version="1.0" encoding="UTF-8"?> 2 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi=&q

Spring Security OAuth2

Spring Security OAuth2 标签(空格分隔): Spring 1. oAuth(Open Authorization) OAuth协议为用户资源的授权(增删改查)提供了一个安全, 开放而又简易的标准. 和以往授权方式不同之处是oAuth的授权不会使第三方触及到用户的账号信息. 即第三方无需使用用户的用户名和密码就可以申请获得该用户的资源授权. 因此oAuth本身第安全是无害的. 2. Spring Security Spring Security是一个安全框架, 可以为Spri

spring security oauth2 jwt 认证和资源分离的配置文件(java类配置版)

最近再学习spring security oauth2.下载了官方的例子sparklr2和tonr2进行学习.但是例子里包含的东西太多,不知道最简单最主要的配置有哪些.所以决定自己尝试搭建简单版本的例子.学习的过程中搭建了认证和资源在一个工程的例子,将token存储在数据库的例子等等 .最后做了这个认证和资源分离的jwt tokens版本.网上找了一些可用的代码然后做了一个整理, 同时测试了哪些代码是必须的.可能仍有一些不必要的代码在,欢迎大家赐教. 一.创建三个spring boot 工程,分

【OAuth2.0】Spring Security OAuth2.0篇之初识

不吐不快 因为项目需求开始接触OAuth2.0授权协议.断断续续接触了有两周左右的时间.不得不吐槽的,依然是自己的学习习惯问题,总是着急想了解一切,习惯性地钻牛角尖去理解小的细节,而不是从宏观上去掌握,或者说先用起来(少年,一辈子辣么长,你这么着急合适吗?).好在前人们已经做好了很好的demo,我自己照着抄一抄也就理解了大概如何用,依旧手残党,依旧敲不出好代码.忏悔- WHAT? 项目之中实际使用OAuth2.0实现是用的Spring Security OAuth2.0,一套基于Spring S

spring security oauth2.0 实现

oauth应该属于security的一部分.关于oauth的的相关知识可以查看阮一峰的文章:http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html 一.目标 现在很多系统都支持第三方账号密码等登陆我们自己的系统,例如:我们经常会看到,一些系统使用微信账号,微博账号.QQ账号等登陆自己的系统,我们现在就是要模拟这种登陆的方式,很多大的公司已经实现了这种授权登陆的方式,并提供了相应的API,供我们开发人员调用.他们实际上用的也规范是oauth2.0

spring security oauth2.0 实现 解决url-pattern .do .action

参考以下两个文章: http://www.cnblogs.com/0201zcr/p/5328847.html http://wwwcomy.iteye.com/blog/2230265 web.xml 注意这里的<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>   <url-pattern>/*</url-pattern>  而<serv

Spring Security OAuth2 Provider 之 自定义开发

Spring OAuth2默认提供的功能难免无法满足需求,需要特殊定制,这里列举常见的几个需要特殊开发的地方. 相关文章: Spring Security OAuth2 Provider 之 最小实现 Spring Security OAuth2 Provider 之 数据库存储 Spring Security OAuth2 Provider 之 第三方登录简单演示 Spring Security OAuth2 Provider 之 自定义开发 Spring Security OAuth2 Pr

Spring security oauth2最简单入门环境搭建

关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+spring mvc+spring security+Oauth2基本姿势,如果前面都没看过请及时关闭本网页. 我有信心我的这个blog应该是迄今为止使用spring security oauth2最简单的hello world app介绍了,如果你下下来附件源码还看不懂,请留言.. 其他能搜到的如h