Zuul网关 + oauth授权+json web token令牌实现网关中认证与鉴权集成步骤详解.
前提: shiro与spring security 都可以实现单体服务器的认证,鉴权.
微服务,分布式项目中解决方案: SSO(单点登录),分布式session.但是权限服务器流量大,还需要考虑存储同步的问题.
Zuul: 网关相当于流量的前门.可以集成zuul+oauth3.0(授权协议)+jwt(json web token)实现代替认证鉴权.原理举例:1.请求微信服务器授权,输入账号密码,确认授权.2.申请微信服务器的令牌.拿到令牌. 3.使用令牌找资源服务器.返回资源.
Jwt的组成: header头部使用jwt的签名算法,Payload载荷:包含自定义或者非自定义的认证信息.Sinature签名:将头部算法与载荷使用点(.)连接,使用头部的签名算法生成签名信息拼接到末尾.
oauth原理:
根据分析需要按照该步骤实现开发: 1.eureka-server 2.zuul-server 3.auth-server 4.eureka-client.
1.微服务客户端定义:
1.1:pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth3</artifactId>
</dependency>
<!-- 引入依赖 : eureka-client. --><dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
1.2:application.xml:
server.port=8089
spring.application.name=demo-client1
eureka.client.service-url.defaultZone=http://localhost:8080/eureka/
1.3:容器与服务定义:
容器:
@SpringBootApplication
br/><dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
1.2:application.xml:
server.port=8089
spring.application.name=demo-client1
eureka.client.service-url.defaultZone=http://localhost:8080/eureka/
1.3:容器与服务定义:
容器:
@SpringBootApplication
br/>@EnableResourceServer
public class EurekaClient1Application extends ResourceServerConfigurerAdapter {@Override
br/>@Override
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/test/test1")
.hasAuthority("WRIGTH_WRITE")
.antMatchers("/**").authenticated();
}
@Overridepublic void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources .resourceId("WRIGTH") .tokenStore(jwtTokenStore());}@Beanprotected JwtAccessTokenConverter jwtTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); converter.setSigningKey("springcloud123"); return converter;}@Beanpublic TokenStore jwtTokenStore() { return new JwtTokenStore(jwtTokenConverter());}
}服务:
@Controller
br/>服务:
@Controller
@RequestMapping(value = "/test/test1" , method = RequestMethod.GET)@ResponseBodypublic String test1(Integer a , Integer b,HttpServletRequest request){ System.out.println("----------------header----------------"); Enumeration headerNames = request.getHeaderNames(); while (headerNames.hasMoreElements()) { String key = (String) headerNames.nextElement(); System.out.println(key + ": " + request.getHeader(key)); } System.out.println("----------------header----------------"); System.out.println("请求成功...."+a+" ------------- "+ b); return "test1..........ok!!!";}@GetMapping("/add")@ResponseBodypublic Integer add(Integer a, Integer b){ return a + b;}
}
2.zuul-server网关服务器:
2.1:pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-zuul</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth3</artifactId>
</dependency>
2.2:bootstrap.yml 认证服务器与路由配置:
spring:
application:
name: c-client6
server:
port: 9000
eureka:
client:
serviceUrl:
defaultZone: http://${eureka.host:127.0.0.1}:${eureka.port:8080}/eureka/
instance:
prefer-ip-address: true
zuul:
routes:
demo-client1:
path: /**
serviceId: demo-client1
security:
oauth3:
client:
access-token-uri: http://localhost:7777/uaa/oauth/token #令牌端点
user-authorization-uri: http://localhost:7777/uaa/oauth/authorize #授权端点
client-id: c-client6-id #OAuth3客户端ID
client-secret: secret #OAuth3客户端密钥
resource:
jwt:
key-value: springcloud123 #使用对称加密方式,默认算法为HS256,如果需要更安全,可使用非对称加密.生成私钥与公钥放这.2.3:容器中的认证规则:
@SpringBootApplication
br/>2.3:容器中的认证规则:
@SpringBootApplication
br/>@EnableDiscoveryClient
public class CClient6Application extends WebSecurityConfigurerAdapter {
public static void main(String[] args) { SpringApplication.run(CClient6Application.class, args);}@Overrideprotected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() //这些功能支持免验证: .antMatchers("/login") .permitAll() //其他任意请求都需要验证. .anyRequest() .authenticated() .and() //关闭csrf认证,容易引起***. .csrf() .disable();}
}
3.auth-server认证服务器:
3.1:pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth3</artifactId>
</dependency>
3.2:bootstrap.yml:
spring:
application:
name: auth-server
server:
port: 7777
servlet:
contextPath: /uaa #web基路径
eureka:
client:
serviceUrl:
defaultZone: http://${eureka.host:127.0.0.1}:${eureka.port:8080}/eureka/
instance:
prefer-ip-address: true3.3:认证的实现与token的存储:
@SpringBootApplication
br/>3.3:认证的实现与token的存储:
@SpringBootApplication
public class DClient7Application extends WebSecurityConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(DClient7Application.class, args);
}
@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("guest").password("guest").authorities("WRIGTH_READ") .and() .withUser("admin").password("admin").authorities("WRIGTH_WRITE");}@Bean(name = BeanIds.AUTHENTICATION_MANAGER)@Overridepublic AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean();}@Beanpublic static NoOpPasswordEncoder passwordEncoder() { return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();}
}//------------------------------自定义配置生成token实现存储:
@Configuration
br/>//------------------------------自定义配置生成token实现存储:
@Configuration
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {
@Resourceprivate AuthenticationManager authenticationManager;@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients .inMemory() .withClient("c-client6-id") .secret("secret") .scopes("WRIGTH", "read").autoApprove(true) .authorities("WRIGTH_READ", "WRIGTH_WRITE") .authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code");}@Overridepublic void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .tokenStore(jwtTokenStore()) .tokenEnhancer(jwtTokenConverter()) .authenticationManager(authenticationManager);}@Beanpublic TokenStore jwtTokenStore() { return new JwtTokenStore(jwtTokenConverter());}@Beanprotected JwtAccessTokenConverter jwtTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); converter.setSigningKey("springcloud123"); return converter;}
}
4.测试:
前提: 启动服务:eureka-server-->zuul-server-->eureka-client-->auth-server.
4.1: 测试访问eureka-client 是否无权直接访问.
4.2:测试访问zuul-server网关:
http://localhost:8090/test/test1?a=10&b=20 : 登录且需要权限.
http://localhost:8090/add?a=10&b=20 : 登录无需权限.
声明:本站所有文章资源内容,如无特殊说明或标注,均为采集网络资源。如若本站内容侵犯了原著者的合法权益,可联系本站删除。
