前提: shiro与spring security 都可以实现单体服务器的认证,鉴权.
微服务,分布式项目中解决方案: SSO(单点登录),分布式session.但是权限服务器流量大,还需要考虑存储同步的问题.
Zuul: 网关相当于流量的前门.可以集成zuul+oauth3.0(授权协议)+jwt(json web token)实现代替认证鉴权.原理举例:1.请求微信服务器授权,输入账号密码,确认授权.2.申请微信服务器的令牌.拿到令牌. 3.使用令牌找资源服务器.返回资源.
Jwt的组成: header头部使用jwt的签名算法,Payload载荷:包含自定义或者非自定义的认证信息.Sinature签名:将头部算法与载荷使用点(.)连接,使用头部的签名算法生成签名信息拼接到末尾.
oauth原理:
创新互联服务电话:18980820575,为您提供成都网站建设网页设计及定制高端网站建设服务,创新互联网页制作领域十载,包括成都自上料搅拌车等多个领域拥有多年的网站设计经验,选择创新互联,为网站保驾护航。
根据分析需要按照该步骤实现开发: 1.eureka-server 2.zuul-server 3.auth-server 4.eureka-client.
1.微服务客户端定义:
1.1:pom.xml:
1.2:application.xml:
server.port=8089
spring.application.name=demo-client1
eureka.client.service-url.defaultZone=http://localhost:8080/eureka/
1.3:容器与服务定义:
容器:
@SpringBootApplication
br/>
1.2:application.xml:
server.port=8089
spring.application.name=demo-client1
eureka.client.service-url.defaultZone=http://localhost:8080/eureka/
1.3:容器与服务定义:
容器:
@SpringBootApplication
br/>@EnableResourceServer
public class EurekaClient1Application extends ResourceServerConfigurerAdapter {@Override
br/>@Override
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/test/test1")
.hasAuthority("WRIGTH_WRITE")
.antMatchers("/**").authenticated();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources
.resourceId("WRIGTH")
.tokenStore(jwtTokenStore());
}
@Bean
protected JwtAccessTokenConverter jwtTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("springcloud123");
return converter;
}
@Bean
public TokenStore jwtTokenStore() {
return new JwtTokenStore(jwtTokenConverter());
}
}服务:
@Controller
br/>服务:
@Controller
@RequestMapping(value = "/test/test1" , method = RequestMethod.GET)
@ResponseBody
public String test1(Integer a , Integer b,HttpServletRequest request){
System.out.println("----------------header----------------");
Enumeration headerNames = request.getHeaderNames();
while (headerNames.hasMoreElements()) {
String key = (String) headerNames.nextElement();
System.out.println(key + ": " + request.getHeader(key));
}
System.out.println("----------------header----------------");
System.out.println("请求成功...."+a+" ------------- "+ b);
return "test1..........ok!!!";
}
@GetMapping("/add")
@ResponseBody
public Integer add(Integer a, Integer b){
return a + b;
}
}
2.zuul-server网关服务器:
2.1:pom.xml:
2.2:bootstrap.yml 认证服务器与路由配置:
spring:
application:
name: c-client6
server:
port: 9000
eureka:
client:
serviceUrl:
defaultZone: http://${eureka.host:127.0.0.1}:${eureka.port:8080}/eureka/
instance:
prefer-ip-address: true
zuul:
routes:
demo-client1:
path: /**
serviceId: demo-client1
security:
oauth3:
client:
access-token-uri: http://localhost:7777/uaa/oauth/token #令牌端点
user-authorization-uri: http://localhost:7777/uaa/oauth/authorize #授权端点
client-id: c-client6-id #OAuth3客户端ID
client-secret: secret #OAuth3客户端密钥
resource:
jwt:
key-value: springcloud123 #使用对称加密方式,默认算法为HS256,如果需要更安全,可使用非对称加密.生成私钥与公钥放这.2.3:容器中的认证规则:
@SpringBootApplication
br/>2.3:容器中的认证规则:
@SpringBootApplication
br/>@EnableDiscoveryClient
public class CClient6Application extends WebSecurityConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(CClient6Application.class, args);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
//这些功能支持免验证:
.antMatchers("/login")
.permitAll()
//其他任意请求都需要验证.
.anyRequest()
.authenticated()
.and()
//关闭csrf认证,容易引起***.
.csrf()
.disable();
}
}
3.auth-server认证服务器:
3.1:pom.xml:
3.2:bootstrap.yml:
spring:
application:
name: auth-server
server:
port: 7777
servlet:
contextPath: /uaa #web基路径
eureka:
client:
serviceUrl:
defaultZone: http://${eureka.host:127.0.0.1}:${eureka.port:8080}/eureka/
instance:
prefer-ip-address: true3.3:认证的实现与token的存储:
@SpringBootApplication
br/>3.3:认证的实现与token的存储:
@SpringBootApplication
public class DClient7Application extends WebSecurityConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(DClient7Application.class, args);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("guest").password("guest").authorities("WRIGTH_READ")
.and()
.withUser("admin").password("admin").authorities("WRIGTH_WRITE");
}
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}
}//------------------------------自定义配置生成token实现存储:
@Configuration
br/>//------------------------------自定义配置生成token实现存储:
@Configuration
public class OAuthConfiguration extends AuthorizationServerConfigurerAdapter {
@Resource
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("c-client6-id")
.secret("secret")
.scopes("WRIGTH", "read").autoApprove(true)
.authorities("WRIGTH_READ", "WRIGTH_WRITE")
.authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.tokenStore(jwtTokenStore())
.tokenEnhancer(jwtTokenConverter())
.authenticationManager(authenticationManager);
}
@Bean
public TokenStore jwtTokenStore() {
return new JwtTokenStore(jwtTokenConverter());
}
@Bean
protected JwtAccessTokenConverter jwtTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("springcloud123");
return converter;
}
}
4.测试:
前提: 启动服务:eureka-server-->zuul-server-->eureka-client-->auth-server.
4.1: 测试访问eureka-client 是否无权直接访问.
4.2:测试访问zuul-server网关:
http://localhost:8090/test/test1?a=10&b=20 : 登录且需要权限.
http://localhost:8090/add?a=10&b=20 : 登录无需权限.