《SpringCloud Alibaba微服务实战十四 - SpringCloud Gateway集成Oauth2.0.docx》由会员分享,可在线阅读,更多相关《SpringCloud Alibaba微服务实战十四 - SpringCloud Gateway集成Oauth2.0.docx(9页珍藏版)》请在金锄头文库上搜索。
1、SpringCloud Alibaba微服务实战十四 - SpringCloud Gateway集成Oauth2.0导读:上篇文章我们已经抽取出了单独的认证服务,本章主要内容是让SpringCloud Gateway 集成Oauth2。概念部分在网关集成Oauth2.0后,我们的流程架构如上。主要逻辑如下:1、客户端应用通过api网关请求认证服务器获取access_token http:/localhost:8090/auth-service/oauth/token2、认证服务器返回access_token access_token: f938d0c1-9633-460d-acdd-f0693
2、a6b5f4c, token_type: bearer, refresh_token: 4baea735-3c0d-4dfd-b826-91c6772a0962, expires_in: 43199, scope: web3、客户端携带access_token通过API网关访问后端服务4、API网关收到access_token后通过 AuthenticationWebFilter 对access_token认证5、API网关转发后端请求,后端服务请求Oauth2认证服务器获取当前用户在前面文章中我们搭建好了单独的Oauth2认证授权服务,基本功能框架都实现了,这次主要是来实现第四条,Sprin
3、gCloud 整合 Oauth2 后如何进行access_token过滤校验。代码示例引入组件 org.springframework.boot spring-boot-starter-security org.springframework.security spring-security-oauth2-resource-server org.springframework.cloud spring-cloud-starter-oauth2 org.springframework.boot spring-boot-starter-jdbc mysql mysql-connector-java
4、主要引入跟oauth2相关的jar包,这里还需要引入数据库相关的jar包,因为我们的token是存在数据库中,要想在网关层校验token的有效性必须先从数据库取出token。bootstrap.yml 配置修改spring: application: name: cloud-gateway datasource: type: com.zaxxer.hikari.HikariDataSource url: jdbc:mysql:/xx.0.xx.xx:3306/oauth2_config?characterEncoding=utf8&zeroDateTimeBehavior=convertToN
5、ull&useSSL=false username: xxxxx password: xxxxxxx driver-class-name: com.mysql.jdbc.Driver主要配置oauth2的数据库连接地址自定义认证接口管理类在webFlux环境下通过实现 ReactiveAuthenticationManager 接口 自定义认证接口管理,由于我们的token是存在jdbc中所以命名上就叫ReactiveJdbcAuthenticationManagerSlf4jpublic class ReactiveJdbcAuthenticationManager implements R
6、eactiveAuthenticationManager private TokenStore tokenStore; public JdbcAuthenticationManager(TokenStore tokenStore) this.tokenStore = tokenStore; Override public Mono authenticate(Authentication authentication) return Mono.justOrEmpty(authentication) .filter(a - a instanceof BearerTokenAuthenticatio
7、nToken) .cast(BearerTokenAuthenticationToken.class) .map(BearerTokenAuthenticationToken:getToken) .flatMap(accessToken - log.info(accessToken is :,accessToken); OAuth2AccessToken oAuth2AccessToken = this.tokenStore.readAccessToken(accessToken); /根据access_token从数据库获取不到OAuth2AccessToken if(oAuth2Acces
8、sToken = null) return Mono.error(new InvalidTokenException(invalid access token,please check); else if(oAuth2AccessToken.isExpired() return Mono.error(new InvalidTokenException(access token has expired,please reacquire token); OAuth2Authentication oAuth2Authentication =this.tokenStore.readAuthentica
9、tion(accessToken); if(oAuth2Authentication = null) return Mono.error(new InvalidTokenException(Access Token 无效!); else return Mono.just(oAuth2Authentication); ).cast(Authentication.class); 网关层的安全配置Configurationpublic class SecurityConfig private static final String MAX_AGE = 18000L; Autowired privat
10、e DataSource dataSource; Autowired private AccessManager accessManager; /* * 跨域配置 */ public WebFilter corsFilter() return (ServerWebExchange ctx, WebFilterChain chain) - ServerHttpRequest request = ctx.getRequest(); if (CorsUtils.isCorsRequest(request) HttpHeaders requestHeaders = request.getHeaders
11、(); ServerHttpResponse response = ctx.getResponse(); HttpMethod requestMethod = requestHeaders.getAccessControlRequestMethod(); HttpHeaders headers = response.getHeaders(); headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestHeaders.getOrigin(); headers.addAll(HttpHeaders.ACCESS_CONTROL_ALLO
12、W_HEADERS, requestHeaders.getAccessControlRequestHeaders(); if (requestMethod != null) headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, requestMethod.name(); headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, true); headers.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, *); headers.add(HttpHeaders.ACCESS_CO
