Microservices and Spring Security OAuth2


Problem description

I already have an OAuth2 authorization server running in another project. Now I would need to secure several simple spring-boot rest-servers with OAuth2. But I'm finding the Spring documentation really, really limited when it comes to separating Authorization and Resource servers.

I've also found several questions where the answer has been "Well, they can be different boxes as long as they share the same tokenStore datasource". Can this really be true? How could this ever work for microservices? It would seem like a really odd thing that every rest service would need to implement its own OAuth authorization server.

So how do I set up OAuth2.0 security for spring-boot rest-endpoints that refer to a remote OAuth authorization server (possibly not even written with Spring)?

There's this thing called RemoteTokenServices that seems promising, but it's not really documented at all.

Recommended answer

While configuring your auth server:

Create a new clientDetails in ClientDetailsServiceConfigurer for the resource server, which will be used to configure RemoteTokenServices.

Configure Spring Security OAuth2 in your resource server:

Create a class which is annotated with @EnableWebSecurity, @Configuration and extends WebSecurityConfigurerAdapter.

@Configuration
@EnableWebSecurity
protected static class ResourceConfiguration extends WebSecurityConfigurerAdapter {
  // methods
}

Create a method annotated with @Bean which will return an instance of TokenService, which will be used to create the AuthenticationManager.

In this method create an instance of RemoteTokenServices and set clientId, client_secret, checkTokenEndpointUrl and DefaultAccessTokenConverterWithClientRoles (this class is our implementation to get client_authority while authenticating the accessToken in the OAuth2 server).

@Bean
public ResourceServerTokenServices tokenService() {
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    // credentials of the clientDetails entry created on the auth server for this resource server
    tokenServices.setClientId("resource_id");
    tokenServices.setClientSecret("resource_secret");
    // the authorization server's check_token endpoint that validates incoming access tokens
    tokenServices.setCheckTokenEndpointUrl("http://<server-url>:<port>/oauth/check_token");
    // a custom AccessTokenConverter (such as DefaultAccessTokenConverterWithClientRoles above)
    // is plugged in with tokenServices.setAccessTokenConverter(...)
    return tokenServices;
}

Override the authenticationManagerBean() method, annotate it with @Bean and return an instance of OAuth2AuthenticationManager with the TokenService injected.

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
    authenticationManager.setTokenServices(tokenService());
    return authenticationManager;
}

Create a class annotated with @EnableResourceServer, @Configuration which extends ResourceServerConfigurerAdapter.

@Configuration
@EnableResourceServer
protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
  // Methods
}

Override the configure methods from the super class to configure the resource server. Different configurers are used to configure the resource server:

ResourceServerSecurityConfigurer: to configure the resource_id.

HttpSecurity: this configures the security filter so that users require authentication for the protected URLs (APIs).

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("resource_id");
}

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
     .authorizeRequests()
     .antMatchers("/**").authenticated()
     .and()
     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}

.antMatchers("/**").authenticated() – this line will secure every API URL of your resource server. .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) will not create a session.

PS: If anything is wrong, tell me.
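The exchange the answer relies on, as an added example that is not part of the answer or of Spring itself: a small Python model of what RemoteTokenServices does when it calls /oauth/check_token with the resource server's own client credentials, and of the resource_id (audience) check OAuth2AuthenticationManager applies afterwards. All tokens, credentials and the clock value are constructed; the token attribute names mirror the check_token response Spring's DefaultAccessTokenConverter reads.

```python
# Constructed model of the check_token flow (not Spring code). Illustrates why the
# resource server needs its own clientDetails entry and why resource_id matters.

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic

# Resource servers registered as clients on the auth server (the clientDetails
# entry the answer says to create for RemoteTokenServices).
RESOURCE_CLIENTS = {"resource_id": "resource_secret"}

# Access tokens the authorization server has issued (constructed sample data).
TOKENS = {
    "tok-orders":  {"user_name": "alice", "client_id": "web_app", "scope": ["read"],
                    "aud": ["resource_id"], "authorities": ["ROLE_USER"], "exp": NOW + 3600},
    "tok-billing": {"user_name": "bob", "client_id": "web_app", "scope": ["read"],
                    "aud": ["billing"], "authorities": ["ROLE_USER"], "exp": NOW + 3600},
    "tok-expired": {"user_name": "carol", "client_id": "web_app", "scope": ["read"],
                    "aud": ["resource_id"], "authorities": ["ROLE_USER"], "exp": NOW - 1},
}


def check_token(client_id, client_secret, token, now=NOW):
    """Authorization-server side of POST /oauth/check_token (model)."""
    if RESOURCE_CLIENTS.get(client_id) != client_secret:
        return {"error": "unauthorized"}        # caller is not a registered resource server
    info = TOKENS.get(token)
    if info is None or info["exp"] <= now:
        return {"error": "invalid_token"}       # unknown or expired token
    return dict(info, active=True)


def load_authentication(token, client_id, client_secret, resource_id, now=NOW):
    """Resource-server side: the checks RemoteTokenServices and
    OAuth2AuthenticationManager make before a request counts as authenticated."""
    resp = check_token(client_id, client_secret, token, now)
    if "error" in resp:                         # RemoteTokenServices -> InvalidTokenException
        raise PermissionError("invalid token: " + resp["error"])
    if resp.get("active") is not True:          # introspection-style 'active' flag
        raise PermissionError("token inactive")
    aud = resp.get("aud", [])
    # OAuth2AuthenticationManager rejects a token whose audience is non-empty and does
    # not name this resource server; a token carrying no audience at all is let through.
    if aud and resource_id not in aud:
        raise PermissionError("token not issued for resource " + resource_id)
    return {"user": resp["user_name"], "authorities": set(resp["authorities"]),
            "scope": set(resp["scope"])}
```

The audience rule in the last check is the reason each microservice should set its own resourceId: a token minted for the billing service is then refused by the orders service even though the authorization server vouches for it.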
