Spring Boot - 使用JWT,OAuth和单独的资源和身份验证服务器

时间:2018-01-04 15:12:40

标签: spring spring-security oauth jwt spring-security-oauth2

我正在尝试构建一个使用JWT令牌和OAuth2协议的Spring应用程序。由于this tutorial,我运行了身份验证服务器。但是,我正在努力让Resource Server正常运行。从关注文章开始,感谢对prior question的回复,这是我目前的尝试:

资源服务器的安全配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${security.signing-key}")
    private String signingKey;

    @Value("${security.encoding-strength}")
    private Integer clientID;

    @Value("${security.security-realm}")
    private String securityRealm;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean ResourceServerTokenServices tokenService() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        OAuth2AuthenticationManager authManager = new OAuth2AuthenticationManager();
        authManager.setTokenServices(tokenService());
        return authManager;
    }

}

资源服务器配置:

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Autowired
    private ResourceServerTokenServices tokenServices;

@Value("${security.jwt.resource-ids}")
private String resourceIds;

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId(resourceIds).tokenServices(tokenServices);
}

@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatchers().and().authorizeRequests().antMatchers("/actuator/**", "/api-docs/**").permitAll()
            .antMatchers("/**").authenticated();
}

}

授权服务器的安全配置(来自注释教程):

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${security.signing-key}")
    private String signingKey;

    @Value("${security.encoding-strength}")
    private Integer encodingStrength;

    @Value("${security.security-realm}")
    private String securityRealm;

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService)
                .passwordEncoder(new ShaPasswordEncoder(encodingStrength));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .httpBasic()
                .realmName(securityRealm)
                .and()
                .csrf()
                .disable();

    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    @Primary //Making this primary to avoid any accidental duplication with another token service instance of the same name
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}

现在,当我尝试向资源服务器发出请求时,收到如下错误:

{"error":"invalid_token","error_description":"Invalid access token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsidGVzdGp3dHJlc291cmNlaWQiXSwidXNlcl9uYW1lIjoiam9obi5kb2UiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiZXh wIjoxNTE1MTE3NTU4LCJhdXRob3JpdGllcyI6WyJTVEFOREFSRF"}

我有几个问题:

  • 据我了解,这个问题通常与令牌存储有关。当使用JwtTokenStore时,如何处理服务器的分离?
  • 其次,目前,我的资源应用程序依赖于访问密钥。根据我对JWT和0Auth规范的理解,这不应该是必要的。相反,我应该能够将验证委托给身份验证服务器本身。从Spring文档中,我认为以下属性可能适用security.oauth2.resource.token-info-uri=http://localhost:8080/oauth/check_token。但是,如果我尝试不依赖我的资源服务器上的密钥,那么我在设置ResourceServerTokenService时会遇到困难。该服务需要一个令牌存储,JWTTokenStore使用JwtAccessTokenConverter,转换器使用一个密钥(删除密钥导致我之前遇到的invalid token错误。)

我真的很难找到展示如何分离Auth和资源服务器的文章。任何建议将不胜感激。

编辑: 实际上,资源服务器的代码现在无法使用以下消息进行编译:

Caused by: java.lang.IllegalStateException: For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key

2 个答案:

答案 0 :(得分:3)

我尝试过spring oauth,但我遇到了同样的错误:

Caused by: java.lang.IllegalStateException: For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key

我的错误是我的公共证书是:

-----BEGIN PUBLIC KEY-----
tadadada
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
tadadada
-----END CERTIFICATE-----

这是不允许的。删除证书,只需将公钥放在此文件中:

-----BEGIN PUBLIC KEY-----
tadadada
-----END PUBLIC KEY-----

启动错误将消失。

关于你的第二个问题,这就是我所理解的:

  • 身份验证服务器为您提供加密令牌(使用私钥加密),其中包含用户的所有权限。

  • 资源服务器使用公钥解密令牌,并假定令牌中包含的权限为TRUE。

希望这有帮助。

答案 1 :(得分:0)

我的公钥格式如下时,我遇到了这个问题:

"-----BEGIN RSA PUBLIC KEY-----\n${encoder.encodeToString(keyPair.public.encoded)}\n-----END RSA PUBLIC KEY-----\n"

当我将其更改为:

"-----BEGIN PUBLIC KEY-----\n${encoder.encodeToString(keyPair.public.encoded)}\n-----END PUBLIC KEY-----\n"

密钥已被接受。

相关问题
最新问题