新闻资讯

新闻资讯 通知公告

Spring Security自定义生成JWT令牌API

编辑:016     时间:2020-02-15


某些对于小程序我们已经在微信认证过了,只需要到Spring Security直接生成token就可以了。

针对这类需求,虽然通过上一篇文章自定义登录方式也可以实现,但是我们希望把这件事做的简单点,只有傻子才把简单的事情复杂化。因此,我们在Spring Security实现了一个简单粗暴的API,即直接通过API获取JWT Tokn

上码

代码很简单

@RequestMapping(value = "token", method = RequestMethod.POST)
    public ResponseEntity<OAuth2AccessToken> getUserToken(Principal principal, @RequestBody Map<String, String> parameters) {
        // 调用端需要被提供client_credentials if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
        }

        // 保存请求参数
        String clientId = this.getClientId(principal);
        ClientDetails authenticatedClient = this.clientDetailsService.loadClientByClientId(clientId);
        TokenRequest tokenRequest = this.oAuth2RequestFactory.createTokenRequest(parameters, authenticatedClient);
        CustomAuthenticationToken authentication = customAuthenticationTokeService.createAuthenticationToken(clientId, parameters);
        
        // 生成token
        CustomTokenGranter tokenGranter = new CustomTokenGranter(
                tokenServiceFactory.customJwtTokenService(), clientDetailsService, authentication);

        OAuth2AccessToken token = tokenGranter.grant(tokenRequest.getGrantType(), tokenRequest); if (token == null) {
            throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
        } else { return this.getResponse(token);
        }
    } 复制代码
  1. 首先检查principal是否存在,调用端需要提供client_credentials,否则不可以调用
  2. 生成CustomAuthenticationTokenCustomAuthenticationToken为我们自定义的数据类,用于保存请求参数
  3. 重点是通过CustomTokenGranter生成token

CustomAuthenticationToken可以自行定义,只要能保存请求参数即可。CustomAuthenticationToken

public class CustomAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    private String authType;

    private Map<String,String[]> authParams;

    private Object principal;

    private Object credentials;
} 复制代码

不过我们在createAuthenticationToken中会做一些参数检查,如要求必须有principal和auth_type参数且要求auth_type = auth_finished“。如果有需要的话,还可以加上一些自定义的内容到CustomAuthenticationToken中。

@Service
public class CustomAuthenticationTokenServiceImpl implements CustomAuthenticationTokeService {

    @Override
    public CustomAuthenticationToken createAuthenticationToken(String clientId, Map<String, String> params) { if (!params.containsKey("principal") || !params.containsKey("auth_type")) { return null;
        } if (params.get("auth_type").equals("auth_finished")) {

            List<GrantedAuthority> authorities = new ArrayList<>();
            authorities.add(new SimpleGrantedAuthority("user"));
            Map<String, Object> detail = new HashMap<>(1);
            detail.put("principal", params.get("principal"));

            CustomAuthenticationToken token = new CustomAuthenticationToken(
                    params.get("auth_type"), params.get("username"), null, null, authorities);
            token.setDetails(detail); return token;
        } return null;
    }
} 复制代码

CustomTokenGranter用来生成令牌,最重要的不是grant方法,或者构造函数我们传递的用于生成令牌的AuthorizationServerTokenServices

public class CustomTokenGranter extends AbstractTokenGranter {
    private static final String GRANT_TYPE = "mini_app";
    private boolean allowRefresh;
    private Authentication authentication;

    public CustomTokenGranter(
            AuthorizationServerTokenServices tokenServices,
            ClientDetailsService clientDetailsService,
            Authentication authentication) {
        super(tokenServices, clientDetailsService, new DefaultOAuth2RequestFactory(clientDetailsService), GRANT_TYPE);
        this.authentication = authentication;
    }

    @Override
    public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
        OAuth2AccessToken token = super.grant(grantType, tokenRequest); if (token != null) {
            DefaultOAuth2AccessToken noRefresh = new DefaultOAuth2AccessToken(token); if (!this.allowRefresh) {
                noRefresh.setRefreshToken((null));
            }
            token = noRefresh;
        } return token;
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        OAuth2Request storedOAuth2Request = this.getRequestFactory().createOAuth2Request(client, tokenRequest); return new OAuth2Authentication(storedOAuth2Request, authentication);
    }

    public void setAuthentication(Authentication authentication) {
        this.authentication = authentication;
    }

    public void setAllowRefresh(boolean allowRefresh) {
        this.allowRefresh = allowRefresh;
    }
} 复制代码

AuthorizationServerTokenServices我们在上一篇文章有介绍过,不过在讲一遍加深印象。

  1. 首先要配置
  2. 定义你需要定义的内容加入你的配置中

配置令牌

token核心的生成逻辑defaultTokenService还是有Spring Security提供,但是我们其中其中的一部分加入了CustomTokenEnhancer用于令牌的内容中加入我们需要的内容,accessTokenConverter设置了我们令牌的密钥和公钥(密钥生成参考:www.jianshu.com/ p / c9d5a2aa8…

@Service
public class TokenServiceFactory {

    private TokenKeyConfig tokenKeyConfig;
    private ClientDetailsService clientDetailsService;

    @Autowired
    public TokenServiceFactory(
            TokenKeyConfig tokenKeyConfig,
            ClientDetailsService clientDetailsService) {
        this.tokenKeyConfig = tokenKeyConfig;
        this.clientDetailsService = clientDetailsService;
    }

    @Bean
    public AuthorizationServerTokenServices customJwtTokenService() {
        final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(new CustomTokenEnhancer(), accessTokenConverter())); return defaultTokenService(tokenEnhancerChain);
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setAccessTokenConverter(new CustomAccessTokenConverter());

        final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(
                new ClassPathResource(tokenKeyConfig.getPath()), tokenKeyConfig.getPassword().toCharArray());
        converter.setKeyPair(keyStoreKeyFactory.getKeyPair(tokenKeyConfig.getAlias())); return converter;
    }

    @Bean
    public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public org.springframework.security.oauth2.provider.token.TokenEnhancer tokenEnhancer() { return new TokenEnhancer();
    }

    private AuthorizationServerTokenServices defaultTokenService(TokenEnhancerChain tokenEnhancerChain) {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        defaultTokenServices.setTokenEnhancer(tokenEnhancerChain);
        defaultTokenServices.setClientDetailsService(clientDetailsService); return defaultTokenServices;
    }
} 复制代码

加入自定义内容

需要我们关心的内容在于CustomTokenEnhancer,因为我们需要在令牌中加入我们自定义的内容,同时是加角色和用户信息

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        final Map<String, Object> additionalInfo = new HashMap<>();
        Set<GrantedAuthority> rolesInfo = new HashSet<>();

        Authentication userAuthentication = authentication.getUserAuthentication();

        // client credential认证,加入管理员角色 if (authentication.isClientOnly()) {
            rolesInfo.add(new SimpleGrantedAuthority("admin"));
        }

        // 自定义认证,增加detail if (CustomAuthenticationToken.class.isAssignableFrom(userAuthentication.getClass())) {
            rolesInfo.addAll(userAuthentication.getAuthorities());
            additionalInfo.put("userInfo", userAuthentication.getDetails());
        }

        // 加入角色
        additionalInfo.put("authorities", rolesInfo.stream().map(auth -> auth.getAuthority()).toArray());
        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo); return accessToken;
    }
} 复制代码

CustomAccessTokenConverter通常是把所有声明放到令牌中

@Component
public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
        OAuth2Authentication authentication = super.extractAuthentication(claims);
        authentication.setDetails(claims); return authentication;
    }
} 复制代码

看效果

  1. 首先获取client_credential令牌 

使用示例

我们有个一项服务,想帮助小程序获取token,在Spring Cloud中那么它只要使用getUserToken方法即可获取token

@FeignClient(name = "auth", configuration = AuthFeignConfigInterceptor.class)
@Service
public interface AuthClient {

    /**
     * get user token
     * @param parameters parameters
     * @return token
     */
    @RequestMapping(method = RequestMethod.POST, value = "/oauth/api/external/token")
    ResponseEntity<OAuth2AccessToken> getUserToken(@RequestBody Map<String, String> parameters);

} 复制代码

AuthFeignConfigInterceptor用户在getUserToken请求中加入client_credential的令牌

public class AuthFeignConfigInterceptor implements RequestInterceptor {

    private static String TokenHeader = "authorization";
    private static String AccessTokenPrefix = "bearer ";

    private static Logger logger = LoggerFactory.getLogger(AuthFeignConfigInterceptor.class);

    @Autowired
    private ClientCredentialsResourceDetails clientCredentialsResourceDetails;


    @Override
    public void apply(RequestTemplate requestTemplate) {

        requestTemplate.header(TokenHeader, AccessTokenPrefix + getAccessTokenValue());
    }

    private String getAccessTokenValue() {
        try {
            logger.info("auth服务中获取basic access token");
            OAuth2AccessToken accessToken = this.getAccessTokenFromAuth(); return accessToken.getValue();

        } catch (Exception e) {
            logger.error(e.getMessage(), e); return this.getAccessTokenFromAuth().getValue();
        }
    }

    private OAuth2AccessToken getAccessTokenFromAuth() {
        ClientCredentialsAccessTokenProvider provider = new ClientCredentialsAccessTokenProvider(); return provider.obtainAccessToken(clientCredentialsResourceDetails, new DefaultAccessTokenRequest());
    }
} 复制代码

application.yml中需配置

security:
  oauth2:
    client:
      clientId: app
      clientSecret: testpassword
      accessTokenUri: http://localhost:5000/oauth/oauth/token
      grant-type: client_credentials
      scope: all




郑重声明:本文版权归原作者所有,转载文章仅为传播更多信息之目的,如作者信息标记有误,请第一时间联系我们修改或删除,多谢。

回复列表