SpringCloud Gateway + Jwt + Oauth2 实现网关的鉴权操作

南方葵籽 03-12 1417

前言：

眼前各位老铁们对“springboot oauth2 短信登录”大概比较注重，我们都需要了解一些“springboot oauth2 短信登录”的相关资讯。那么小编也在网络上搜集了一些关于“springboot oauth2 短信登录””的相关文章，希望咱们能喜欢，我们一起来了解一下吧！

一、背景

随着我们的微服务越来越多，如果每个微服务都要自己去实现一套鉴权操作，那么这么操作比较冗余，因此我们可以把鉴权操作统一放到网关去做，如果微服务自己有额外的鉴权处理，可以在自己的微服务中处理。

基于 Spring Boot + MyBatis Plus + Vue & Element 实现的后台管理系统 + 用户小程序，支持 RBAC 动态权限、多租户、数据权限、工作流、三方登录、支付、短信、商城等功能

项目地址：

视频教程：

二、需求

1、在网关层完成url层面的鉴权操作。

所有的OPTION请求都放行。所有不存在请求，直接都拒绝访问。user-provider服务的findAllUsers需要 user.userInfo权限才可以访问。

2、将解析后的jwt token当做请求头传递到下游服务中。3、整合Spring Security Oauth2 Resource Server

基于 Spring Cloud Alibaba + Gateway + Nacos + RocketMQ + Vue & Element 实现的后台管理系统 + 用户小程序，支持 RBAC 动态权限、多租户、数据权限、工作流、三方登录、支付、短信、商城等功能

项目地址：

视频教程：

三、前置条件

1、搭建一个可用的认证服务器

2、知道Spring Security Oauth2 Resource Server资源服务器如何使用

四、项目结构

项目结构

五、网关层代码的编写1、引入jar包

<dependency>    <groupId>com.alibaba.cloud</groupId>    <artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId></dependency><dependency>    <groupId>org.springframework.cloud</groupId>    <artifactId>spring-cloud-starter-gateway</artifactId></dependency><dependency>    <groupId>org.springframework.boot</groupId>    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId></dependency><dependency>    <groupId>org.springframework.boot</groupId>    <artifactId>spring-boot-starter-security</artifactId></dependency><dependency>    <groupId>org.springframework.cloud</groupId>    <artifactId>spring-cloud-starter-loadbalancer</artifactId></dependency>

2、自定义授权管理器

自定义授权管理器，判断用户是否有权限访问

此处我们简单判断

放行所有的 OPTION 请求。判断某个请求(url)用户是否有权限访问。所有不存在的请求(url)直接无权限访问。

package com.huan.study.gateway.config;import com.google.common.collect.Maps;import lombok.extern.slf4j.Slf4j;import org.springframework.http.HttpMethod;import org.springframework.http.server.reactive.ServerHttpRequest;import org.springframework.security.authentication.AbstractAuthenticationToken;import org.springframework.security.authorization.AuthorizationDecision;import org.springframework.security.authorization.ReactiveAuthorizationManager;import org.springframework.security.core.Authentication;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;import org.springframework.security.web.server.authorization.AuthorizationContext;import org.springframework.stereotype.Component;import org.springframework.util.AntPathMatcher;import org.springframework.util.PathMatcher;import org.springframework.util.StringUtils;import org.springframework.web.server.ServerWebExchange;import reactor.core.publisher.Mono;import javax.annotation.PostConstruct;import java.util.Map;import java.util.Objects;/** * 自定义授权管理器，判断用户是否有权限访问 */@Component@Slf4jpublic class CustomReactiveAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {    /**     * 此处保存的是资源对应的权限，可以从数据库中获取     */    private static final Map<String, String> AUTH_MAP = Maps.newConcurrentMap();    @PostConstruct    public void initAuthMap() {        AUTH_MAP.put("/user/findAllUsers", "user.userInfo");        AUTH_MAP.put("/user/addUser", "ROLE_ADMIN");    }    @Override    public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext authorizationContext) {        ServerWebExchange exchange = authorizationContext.getExchange();        ServerHttpRequest request = exchange.getRequest();        String path = request.getURI().getPath();        // 带通配符的可以使用这个进行匹配        PathMatcher pathMatcher = new AntPathMatcher();        String authorities = AUTH_MAP.get(path);        log.info("访问路径:[{}],所需要的权限是:[{}]", path, authorities);        // option 请求，全部放行        if (request.getMethod() == HttpMethod.OPTIONS) {            return Mono.just(new AuthorizationDecision(true));        }        // 不在权限范围内的url，全部拒绝        if (!StringUtils.hasText(authorities)) {            return Mono.just(new AuthorizationDecision(false));        }        return authentication                .filter(Authentication::isAuthenticated)                .filter(a -> a instanceof JwtAuthenticationToken)                .cast(JwtAuthenticationToken.class)                .doOnNext(token -> {                    System.out.println(token.getToken().getHeaders());                    System.out.println(token.getTokenAttributes());                })                .flatMapIterable(AbstractAuthenticationToken::getAuthorities)                .map(GrantedAuthority::getAuthority)                .any(authority -> Objects.equals(authority, authorities))                .map(AuthorizationDecision::new)                .defaultIfEmpty(new AuthorizationDecision(false));    }}

3、token认证失败、或超时的处理

package com.huan.study.gateway.config;import org.springframework.core.io.buffer.DataBuffer;import org.springframework.core.io.buffer.DataBufferUtils;import org.springframework.http.HttpStatus;import org.springframework.security.core.AuthenticationException;import org.springframework.security.web.server.ServerAuthenticationEntryPoint;import org.springframework.web.server.ServerWebExchange;import reactor.core.publisher.Mono;import java.nio.charset.StandardCharsets;/** * 认证失败异常处理 */public class CustomServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {    @Override    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {        return Mono.defer(() -> Mono.just(exchange.getResponse()))                .flatMap(response -> {                    response.setStatusCode(HttpStatus.UNAUTHORIZED);                    String body = "{\"code\":401,\"msg\":\"token不合法或过期\"}";                    DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));                    return response.writeWith(Mono.just(buffer))                            .doOnError(error -> DataBufferUtils.release(buffer));                });    }}

4、用户没有权限的处理

package com.huan.study.gateway.config;import lombok.extern.slf4j.Slf4j;import org.springframework.context.annotation.Bean;import org.springframework.core.io.buffer.DataBuffer;import org.springframework.core.io.buffer.DataBufferUtils;import org.springframework.http.HttpStatus;import org.springframework.http.server.reactive.ServerHttpRequest;import org.springframework.http.server.reactive.ServerHttpResponse;import org.springframework.security.access.AccessDeniedException;import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;import org.springframework.web.server.ServerWebExchange;import reactor.core.publisher.Mono;import java.nio.charset.StandardCharsets;/** * 无权限访问异常 */@Slf4jpublic class CustomServerAccessDeniedHandler implements ServerAccessDeniedHandler {    @Override    public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {        ServerHttpRequest request = exchange.getRequest();        return exchange.getPrincipal()                .doOnNext(principal -> log.info("用户:[{}]没有访问:[{}]的权限.", principal.getName(), request.getURI()))                .flatMap(principal -> {                    ServerHttpResponse response = exchange.getResponse();                    response.setStatusCode(HttpStatus.FORBIDDEN);                    String body = "{\"code\":403,\"msg\":\"您无权限访问\"}";                    DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));                    return response.writeWith(Mono.just(buffer))                            .doOnError(error -> DataBufferUtils.release(buffer));                });    }}

5、将token信息传递到下游服务器中

package com.huan.study.gateway.config;import com.fasterxml.jackson.core.JsonProcessingException;import com.fasterxml.jackson.databind.ObjectMapper;import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;import org.springframework.http.server.reactive.ServerHttpRequest;import org.springframework.security.core.context.ReactiveSecurityContextHolder;import org.springframework.security.core.context.SecurityContext;import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;import org.springframework.web.server.ServerWebExchange;import org.springframework.web.server.WebFilter;import org.springframework.web.server.WebFilterChain;import reactor.core.publisher.Mono;/** * 将token信息传递到下游服务中 * * @author huan.fu 2021/8/25 - 下午2:49 */public class TokenTransferFilter implements WebFilter {    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();    static {        OBJECT_MAPPER.registerModule(new Jdk8Module());        OBJECT_MAPPER.registerModule(new JavaTimeModule());    }    @Override    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {        return ReactiveSecurityContextHolder.getContext()                .map(SecurityContext::getAuthentication)                .cast(JwtAuthenticationToken.class)                .flatMap(authentication -> {                    ServerHttpRequest request = exchange.getRequest();                    request = request.mutate()                            .header("tokenInfo", toJson(authentication.getPrincipal()))                            .build();                    ServerWebExchange newExchange = exchange.mutate().request(request).build();                    return chain.filter(newExchange);                });    }    public String toJson(Object obj) {        try {            return OBJECT_MAPPER.writeValueAsString(obj);        } catch (JsonProcessingException e) {            return null;        }    }}

6、网关层面的配置

package com.huan.study.gateway.config;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.core.convert.converter.Converter;import org.springframework.core.io.FileSystemResource;import org.springframework.core.io.Resource;import org.springframework.security.authentication.AbstractAuthenticationToken;import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;import org.springframework.security.config.web.server.SecurityWebFiltersOrder;import org.springframework.security.config.web.server.ServerHttpSecurity;import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;import org.springframework.security.oauth2.jwt.Jwt;import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;import org.springframework.security.web.server.SecurityWebFilterChain;import reactor.core.publisher.Mono;import java.io.IOException;import java.nio.file.Files;import java.security.KeyFactory;import java.security.NoSuchAlgorithmException;import java.security.interfaces.RSAPublicKey;import java.security.spec.InvalidKeySpecException;import java.security.spec.X509EncodedKeySpec;import java.util.Base64;/** * 资源服务器配置 */@Configuration@EnableWebFluxSecuritypublic class ResourceServerConfig {    @Autowired    private CustomReactiveAuthorizationManager customReactiveAuthorizationManager;    @Bean    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) throws NoSuchAlgorithmException, IOException, InvalidKeySpecException {        http.oauth2ResourceServer()                .jwt()                    .jwtAuthenticationConverter(jwtAuthenticationConverter())                    .jwtDecoder(jwtDecoder())                    .and()                // 认证成功后没有权限操作                .accessDeniedHandler(new CustomServerAccessDeniedHandler())                // 还没有认证时发生认证异常，比如token过期，token不合法                .authenticationEntryPoint(new CustomServerAuthenticationEntryPoint())                // 将一个字符串token转换成一个认证对象                .bearerTokenConverter(new ServerBearerTokenAuthenticationConverter())                    .and()        .authorizeExchange()                // 所有以 /auth/** 开头的请求全部放行                .pathMatchers("/auth/**", "/favicon.ico").permitAll()                // 所有的请求都交由此处进行权限判断处理                .anyExchange()                    .access(customReactiveAuthorizationManager)                    .and()                .exceptionHandling()                    .accessDeniedHandler(new CustomServerAccessDeniedHandler())                    .authenticationEntryPoint(new CustomServerAuthenticationEntryPoint())                    .and()                .csrf()                    .disable()        .addFilterAfter(new TokenTransferFilter(), SecurityWebFiltersOrder.AUTHENTICATION);        return http.build();    }    /**     * 从jwt令牌中获取认证对象     */    public Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter() {        // 从jwt 中获取该令牌可以访问的权限        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();        // 取消权限的前缀，默认会加上SCOPE_        authoritiesConverter.setAuthorityPrefix("");        // 从那个字段中获取权限        authoritiesConverter.setAuthoritiesClaimName("scope");        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();        // 获取 principal name        jwtAuthenticationConverter.setPrincipalClaimName("sub");        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);        return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);    }    /**     * 解码jwt     */    public ReactiveJwtDecoder jwtDecoder() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {        Resource resource = new FileSystemResource("/Users/huan/code/study/idea/spring-cloud-alibaba-parent/gateway-oauth2/new-authoriza-server-public-key.pem");        String publicKeyStr = String.join("", Files.readAllLines(resource.getFile().toPath()));        byte[] publicKeyBytes = Base64.getDecoder().decode(publicKeyStr);        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);        KeyFactory keyFactory = KeyFactory.getInstance("RSA");        RSAPublicKey rsaPublicKey = (RSAPublicKey) keyFactory.generatePublic(keySpec);        return NimbusReactiveJwtDecoder.withPublicKey(rsaPublicKey)                .signatureAlgorithm(SignatureAlgorithm.RS256)                .build();    }}

7、网关yaml配置文件

spring:  application:    name: gateway-auth  cloud:    nacos:      discovery:        server-addr: localhost:8847    gateway:      routes:        - id: user-provider          uri: lb://user-provider          predicates:            - Path=/user/**          filters:            - RewritePath=/user(?<segment>/?.*), $\{segment}    compatibility-verifier:      # 取消SpringCloud SpringCloudAlibaba SpringBoot 等的版本检查      enabled: falseserver:  port: 9203debug: true

六、演示

1、客户端 gateway 在认证服务器拥有的权限为 user.userInfo

客户端gateway拥有的权限

2、user-provider服务提供了一个api findAllUsers，它会返回系统中存在的用户(假的数据) 和解码后的token信息。

3、在网关层面，findAllUsers 需要的权限为 user.userInfo，正好 gateway这个客户端有这个权限，所以可以访问。

七、代码路径

原文链接：

本文地址：http://www.longkongtuishu.com/caf33BANsA1cEClQ.html

标签： #springboot oauth2 短信登录