OAUTH协议为用户资源的授权提供了一个安全的、开放而又简易的标准。与以往的授权方式不同之处是OAUTH的授权不会使第三方触及到用户的帐号信息(如用户名与密码),即第三方无需使用用户的用户名与密码就可以申请获得该用户资源的授权,因此OAUTH是安全的。
OAUTH有1.0和2.0两个版本,2.0版本在1.0版本的基础上做了很多调整和改进,但目前尚不完善。
Spring Secrutiy的大名相信大家都应该有所了解,新的Spring Security版本对oAuth1.0有了完美的支持,支持oAuth2.0的版本目前正在开发过程中。
Spring Security官网上给出的sparklr和tonr的样例对于象笔者这样的初学者可能还是有点难以理解,所以我把学习过程中自己设计的一个Hello World的例子整理了一下与大家分享。
Server端的web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/security</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/oauth/*</url-pattern>
</servlet-mapping>
下面是spring mvc配置(/WEB-INF/spring-servlet.xml):
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<bean name="/security" class="com.coolfancy.oauth.server.SecurityController" />
<bean name="/confirm_access" class="com.coolfancy.oauth.server.ConfirmationController">
<property name="tokenServices" ref="tokenServices" />
<property name="consumerDetailsService" ref="consumerDetails" />
</bean>
下面是spring security的配置(/WEB-INF/spring-security.xml):
<http auto-config='true' access-denied-page="/public/index">
<intercept-url pattern="/security" access="ROLE_USER" />
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/request_token_authorized.jsp" access="ROLE_USER" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
<authentication-provider>
<user-service>
<user name="a" password="a" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
<oauth:provider
consumer-details-service-ref="consumerDetails"
token-services-ref="tokenServices"
request-token-url="/oauth/request_token"
authenticate-token-url="/oauth/authorize"
authentication-failed-url="/oauth/confirm_access"
access-granted-url="/request_token_authorized.jsp"
access-token-url="/oauth/access_token"
require10a="false" />
<oauth:consumer-details-service id="consumerDetails">
<oauth:consumer name="Fancy"
key="fancy-consumer-key"
secret="SHHHHH!!!!!!!!!!"
resourceName="Your Secrect"
resourceDescription="Your Secrect Response!" />
</oauth:consumer-details-service>
<oauth:token-services id="tokenServices" />
ConfirmationController:
package com.coolfancy.oauth.server;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.oauth.provider.ConsumerDetails;
import org.springframework.security.oauth.provider.ConsumerDetailsService;
import org.springframework.security.oauth.provider.token.OAuthProviderToken;
import org.springframework.security.oauth.provider.token.OAuthProviderTokenServices;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;
public class ConfirmationController extends AbstractController {
private OAuthProviderTokenServices tokenServices;
private ConsumerDetailsService consumerDetailsService;
@Override
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
String token = request.getParameter("oauth_token");
if (token == null) {
throw new IllegalArgumentException("A request token to authorize must be provided.");
}
OAuthProviderToken providerToken = getTokenServices().getToken(token);
ConsumerDetails consumer = getConsumerDetailsService().loadConsumerByConsumerKey(providerToken.getConsumerKey());
String callback = request.getParameter("oauth_callback");
TreeMap<String, Object> model = new TreeMap<String, Object>();
model.put("oauth_token", token);
if (callback != null) {
model.put("oauth_callback", callback);
}
model.put("consumer", consumer);
return new ModelAndView("access_confirmation", model);
}
public OAuthProviderTokenServices getTokenServices() {
return tokenServices;
}
public void setTokenServices(OAuthProviderTokenServices tokenServices) {
this.tokenServices = tokenServices;
}
public ConsumerDetailsService getConsumerDetailsService() {
return consumerDetailsService;
}
public void setConsumerDetailsService(ConsumerDetailsService consumerDetailsService) {
this.consumerDetailsService = consumerDetailsService;
}
}
SecurityController:
package com.coolfancy.oauth.server;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;
public class SecurityController extends AbstractController {
@Override
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
response.setContentType("html/plain");
final PrintWriter out = response.getWriter();
out.println("Hello World!");
out.close();
return null;
}
}
下面是客户端,首先是web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/security/*</url-pattern>
</servlet-mapping>
Spring MVC配置(/WEB-INF/spring-servlet.xml):
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<bean name="/test" class="com.coolfancy.oauth.client.SecurityController">
<property name="security_url" value="http://localhost:8080/server/security" />
<property name="support" ref="oauthConsumerSupport" />
</bean>
Spring Security配置(/WEB-INF/applicationContext.xml):
<http auto-config="true">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
<authentication-provider>
<user-service>
<user name="a" password="a" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
<oauth:consumer resource-details-service-ref="resourceDetails">
<oauth:url pattern="/security/**" resources="security_content" />
</oauth:consumer>
<oauth:resource-details-service id="resourceDetails">
<oauth:resource id="security_content" key="fancy-consumer-key" secret="SHHHHH!!!!!!!!!!" request-token-url="http://localhost:8080/server/oauth/request_token"
user-authorization-url="http://localhost:8080/server/oauth/confirm_access" access-token-url="http://localhost:8080/server/oauth/access_token" />
</oauth:resource-details-service>
最后是SecurityController:
package com.coolfancy.oauth.client;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.oauth.consumer.CoreOAuthConsumerSupport;
import org.springframework.security.oauth.consumer.OAuthConsumerProcessingFilter;
import org.springframework.security.oauth.consumer.token.OAuthConsumerToken;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;
public class SecurityController extends AbstractController {
private String security_url;
private CoreOAuthConsumerSupport support;
@SuppressWarnings("unchecked")
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
OAuthConsumerToken token = null;
final List<OAuthConsumerToken> tokens = (List<OAuthConsumerToken>) request.getAttribute(OAuthConsumerProcessingFilter.ACCESS_TOKENS_DEFAULT_ATTRIBUTE);
if (tokens != null) {
for (OAuthConsumerToken consumerToken : tokens) {
if (consumerToken.getResourceId().equals("security_content")) {
token = consumerToken;
break;
}
}
}
if (token == null) {
throw new IllegalArgumentException("Access token not found.");
}
final InputStream stream = support.readProtectedResource(new URL(security_url), token, "GET");
final BufferedReader reader = new BufferedReader(new InputStreamReader(stream, "UTF-8"));
final String content = reader.readLine();
reader.close();
return new ModelAndView("security", "content", content);
}
public CoreOAuthConsumerSupport getSupport() {
return support;
}
public void setSupport(CoreOAuthConsumerSupport support) {
this.support = support;
}
public String getSecurity_url() {
return security_url;
}
public void setSecurity_url(String security_url) {
this.security_url = security_url;
}
}
运行效果如下。
访问客户程序首页,点击连接后客户程序请求访问第三方资源:
第三方进行用户认证:
认证后完成后,第三方要求用户确认被授权访问的资源:
授权访问完成,客户程序显示被授权访问的资源内容:
完整的样例工程下载:
spring_security_oauth_helloworld.zip
- 大小: 50 KB
- 大小: 67.8 KB
- 大小: 91 KB
- 大小: 68.6 KB
分享到:
相关推荐
Spring Security OAuth2.0学习笔记 什么是认证、授权、会话。 Java Servlet为支持http会话做了哪些事儿。 基于session认证机制的运作流程。 基于token认证机制的运作流程。 理解Spring Security的工作原理,Spring ...
主要介绍了Spring Security OAuth2集成短信验证码登录以及第三方登录,小编觉得挺不错的,现在分享给大家,也给大家做个参考。一起跟随小编过来看看吧
Spring boot+Spring Security Oauth2.0,Sprint cloud+Spring Security Oauth2集成。四种认证方式。附带有代码,和案例,案例,还有视频链接。我保证看完就回,如果视频链接失效,评论回复我,我单独再给你一份。
从官网下载的oauth2实例sparklr2与tonr2
赠送jar包:spring-security-oauth2-2.3.5.RELEASE.jar; 赠送原API文档:spring-security-oauth2-2.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-2.3.5.RELEASE-sources.jar; 赠送Maven依赖信息...
主要介绍了Spring Security OAuth2认证授权示例详解,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧
spring security oauth2.0 需要的基础 sql 文件
spring security 基于oauth 2.0 实现 sso 单点登录Demo 使用 spring security 基于oauth 2.0 实现 sso 单点登录Demo spring boot + spring security + spring security oauth
spring security oauth2的源码,方便研究,备份一下。
Spring Security OAuth2.0 MySQL ##修改数据库配置 修改defender-oauth2-authorization\src\main\resources\application.properties中MySQL的主机配置 修改defender-oauth2-resource\src\main\...
视频配套笔记_Spring Security OAuth2.0认证授权_v1.1 完整详细 pdf无障碍阅读,代码完整可复制
spring security 整合oauth2,进行权限授权管理,例子简单好用。
项目中使用到的技术包含SpringBoot、SpringSecurity&oauth2(安全资源和授权中心模式、包括登录接口自定义返回字段、自定义手机号+密码登录、自定义免密登录)、Queue队列、线程池、xss攻击配置、SpringCache、Mybatis...
spring-boot spring-security-oauth2 完整demo,可以使用微信的方式来获取token和查看资源,注意看代码中的备注
该资源是springsecurity+oauth2+jwt实现的单点登录demo,模式为授权码模式,实现自定义登录页面和自定义授权页面。应用数据存在内存中或者存在数据库中(附带数据库表结构),token存储分为数据库或者Redis。demo...
教程视频:spring提供的安全权限框架,Spring Security、Spring Social 、Spring Security OAuth
该资源实现了一个sso单点登陆的功能,类似于在淘宝网登陆之后可以不需要登陆天猫即可访问天猫网;使用了spring security oauth2以及jwt。
Springboot整合Spring security+Oauth2+JWT搭建认证服务器,网关,微服务之间权限认证及授权
本教程是全网最细致地讲解Spring Security、Spring Social 、Spring Security OAuth三种技术开发安全的REST服务,彻底掌握一线互联网公司主流的身份认证和授权方式。 Spring Security是一个能够为基于Spring的企业...