我们拥有微服务架构和一个整体应用程序,其中我们需要从微服务通信到需要身份验证的整体应用程序API。
微服务是由具有以下架构的时髦创建的
授权服务器的配置如下
@Configuration
@EnableAuthorizationServer
public class UaaConfiguration extends AuthorizationServerConfigurerAdapter implements ApplicationContextAware {
/**
* Access tokens will not expire any earlier than this.
*/
private static final int MIN_ACCESS_TOKEN_VALIDITY_SECS = 60;
private ApplicationContext applicationContext;
@Override
public void setApplicationContext(ApplicationContext applicationContext) {
this.applicationContext = applicationContext;
}
@EnableResourceServer
public static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private final TokenStore tokenStore;
private final CorsFilter corsFilter;
public ResourceServerConfiguration(TokenStore tokenStore, CorsFilter corsFilter) {
this.tokenStore = tokenStore;
this.corsFilter = corsFilter;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
.and()
.csrf().disable()
.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/public/**").permitAll()
.antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/**", "/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.GA)
.antMatchers("/v2/api-docs/**", "/swagger-resources/configuration/ui").permitAll();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("jhipster-uaa").tokenStore(tokenStore);
}
}
private final JHipsterProperties jHipsterProperties;
private final UaaProperties uaaProperties;
private final PasswordEncoder passwordEncoder;
public UaaConfiguration(JHipsterProperties jHipsterProperties, UaaProperties uaaProperties, PasswordEncoder passwordEncoder) {
this.jHipsterProperties = jHipsterProperties;
this.uaaProperties = uaaProperties;
this.passwordEncoder = passwordEncoder;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
int accessTokenValidity = uaaProperties.getWebClientConfiguration().getAccessTokenValidityInSeconds();
accessTokenValidity = Math.max(accessTokenValidity, MIN_ACCESS_TOKEN_VALIDITY_SECS);
int refreshTokenValidity = uaaProperties.getWebClientConfiguration().getRefreshTokenValidityInSecondsForRememberMe();
refreshTokenValidity = Math.max(refreshTokenValidity, accessTokenValidity);
/*
For a better client design, this should be done by a ClientDetailsService (similar to UserDetailsService).
*/
clients.inMemory()
.withClient(uaaProperties.getWebClientConfiguration().getClientId())
.secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret()))
.scopes("openid")
.autoApprove(true)
.authorizedGrantTypes("implicit","refresh_token", "password", "authorization_code")
.accessTokenValiditySeconds(accessTokenValidity)
.refreshTokenValiditySeconds(refreshTokenValidity)
.and()
.withClient(jHipsterProperties.getSecurity().getClientAuthorization().getClientId())
.secret(passwordEncoder.encode(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret()))
.scopes("web-app")
.authorities("ROLE_GA")
.autoApprove(true)
.authorizedGrantTypes("client_credentials")
.accessTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds())
.refreshTokenValiditySeconds((int) jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSecondsForRememberMe());
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
//pick up all TokenEnhancers incl. those defined in the application
//this avoids changes to this class if an application wants to add its own to the chain
Collection<TokenEnhancer> tokenEnhancers = applicationContext.getBeansOfType(TokenEnhancer.class).values();
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(new ArrayList<>(tokenEnhancers));
endpoints
.authenticationManager(authenticationManager)
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.reuseRefreshTokens(false); //don't reuse or we will run into session inactivity timeouts
}
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
/**
* Apply the token converter (and enhancer) for token store.
* @return the {@link JwtTokenStore} managing the tokens.
*/
@Bean
public JwtTokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
/**
* This bean generates an token enhancer, which manages the exchange between JWT access tokens and Authentication
* in both directions.
*
* @return an access token converter configured with the authorization server's public/private keys.
*/
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
KeyPair keyPair = new KeyStoreKeyFactory(
new ClassPathResource(uaaProperties.getKeyStore().getName()), uaaProperties.getKeyStore().getPassword().toCharArray())
.getKeyPair(uaaProperties.getKeyStore().getAlias());
converter.setKeyPair(keyPair);
return converter;
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
"isAuthenticated()");
}
}
UAA属性
uaa:
key-store:
name: config/tls/keystore.p12
password: password
alias: selfsigned
web-client-configuration:
# Access Token is valid for 5 mins
access-token-validity-in-seconds: 300
# Refresh Token is valid for 7 days
refresh-token-validity-in-seconds-for-remember-me: 604800
client-id: web_app
secret: secret
令牌详细信息
{
"alg": "RS256",
"typ": "JWT"
}
{
"user_name": "username",
"scope": [
"openid"
],
"exp": 1600274479,
"iat": 1600274179,
"authorities": [
"ROLE_MA",
"ROLE_GA",
"ROLE_XA"
],
"jti": "9b607454-0241-437e-ac81-73f1f7b4f56a",
"client_id": "web_app"
}
用于整体应用程序的令牌生成如下
@Component
public class TokenProvider implements InitializingBean {
private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
private static final String AUTHORITIES_KEY = "auth";
private Key key;
private long tokenValidityInMilliseconds;
private long tokenValidityInMillisecondsForRememberMe;
private final JHipsterProperties jHipsterProperties;
public TokenProvider(JHipsterProperties jHipsterProperties) {
this.jHipsterProperties = jHipsterProperties;
}
@Override
public void afterPropertiesSet() throws Exception {
byte[] keyBytes;
String secret = jHipsterProperties.getSecurity().getAuthentication().getJwt().getSecret();
if (!StringUtils.isEmpty(secret)) {
log.warn("Warning: the JWT key used is not Base64-encoded. " +
"We recommend using the `jhipster.security.authentication.jwt.base64-secret` key for optimum security.");
keyBytes = secret.getBytes(StandardCharsets.UTF_8);
} else {
log.debug("Using a Base64-encoded JWT secret key");
keyBytes = Decoders.BASE64.decode(jHipsterProperties.getSecurity().getAuthentication().getJwt().getBase64Secret());
}
this.key = Keys.hmacShaKeyFor(keyBytes);
this.tokenValidityInMilliseconds =
1000 * jHipsterProperties.getSecurity().getAuthentication().getJwt().getTokenValidityInSeconds();
this.tokenValidityInMillisecondsForRememberMe =
1000 * jHipsterProperties.getSecurity().getAuthentication().getJwt()
.getTokenValidityInSecondsForRememberMe();
}
public String createToken(Authentication authentication, boolean rememberMe) {
String authorities = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.joining(","));
long now = (new Date()).getTime();
Date validity;
if (rememberMe) {
validity = new Date(now + this.tokenValidityInMillisecondsForRememberMe);
} else {
validity = new Date(now + this.tokenValidityInMilliseconds);
}
return Jwts.builder()
.setSubject(authentication.getName())
.claim(AUTHORITIES_KEY, authorities)
.signWith(key, SignatureAlgorithm.HS512)
.setExpiration(validity)
.compact();
}
public Authentication getAuthentication(String token) {
Claims claims = Jwts.parser()
.setSigningKey(key)
.parseClaimsJws(token)
.getBody();
Collection<? extends GrantedAuthority> authorities =
Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(","))
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
User principal = new User(claims.getSubject(), "", authorities);
return new UsernamePasswordAuthenticationToken(principal, token, authorities);
}
public boolean validateToken(String authToken) {
try {
Jwts.parser().setSigningKey(key).parseClaimsJws(authToken);
return true;
} catch (io.jsonwebtoken.security.SecurityException | MalformedJwtException e) {
log.info("Invalid JWT signature.");
log.trace("Invalid JWT signature trace: {}", e);
} catch (ExpiredJwtException e) {
log.info("Expired JWT token.");
log.trace("Expired JWT token trace: {}", e);
} catch (UnsupportedJwtException e) {
log.info("Unsupported JWT token.");
log.trace("Unsupported JWT token trace: {}", e);
} catch (IllegalArgumentException e) {
log.info("JWT token compact of handler are invalid.");
log.trace("JWT token compact of handler are invalid trace: {}", e);
}
return false;
}
}
security:
authentication:
jwt:
# This token must be encoded using Base64 and be at least 256 bits long (you can type `openssl rand -base64 64` on your command line to generate a 512 bits one)
base64-secret: base64-secret-here
# Token is valid 24 hours
token-validity-in-seconds: 86400
token-validity-in-seconds-for-remember-me: 2592000
{
"alg": "HS512"
}
{
"sub": "rvpatel",
"auth": "ROLE_BC,ROLE_BE,ROLE_XE",
"exp": 1602911681
}
问题
当我尝试使用身份验证服务中生成的令牌访问需要从整体应用程序进行身份验证的API时,出现以下异常
不支持的JWT令牌跟踪消息:解析的JWT指示它是 使用RS256签名算法签名,但指定了签名 类型javax.crypto.spec.SecretKeySpec的密钥可能无法用于 验证RS256签名。因为指定的签名密钥反映了 一种特定且预期的算法,而JWT并未反映出这一点 算法,很可能没有预期的JWT,因此 不应该被信任。另一种可能性是解析器是 配置了不正确的签名密钥,但这不能假定 出于安全原因。
正如我们从令牌详细信息中看到的,对于身份验证服务和整体应用程序,算法是不同的。我已将TokenProvider中的算法更改为SignatureAlgorithm.RS256,但结果为
RSA签名密钥必须是PrivateKey实例。