我要评论1. oauth2 基础概念与原理
1.1 oauth2 是什么
oauth 2.0(开放授权 2.0)是一个行业标准的授权协议,它允许用户在不将用户名和密码提供给第三方应用的情况下,授权第三方应用访问用户存储在服务提供方的资源。
1.2 oauth2 核心角色
- 资源所有者 (resource owner):能够授权访问受保护资源的实体,通常是最终用户
- 客户端 (client):请求访问受保护资源的应用程序
- 授权服务器 (authorization server):在认证资源所有者并获取授权后,向客户端颁发访问令牌的服务器
- 资源服务器 (resource server):托管受保护资源的服务器,能够接受和响应使用访问令牌的受保护资源请求
1.3 oauth2 授权模式
- 授权码模式 (authorization code):最安全、最常用的模式,适用于有后端的 web 应用
- 简化模式 (implicit):适用于纯前端 spa 应用
- 密码模式 (resource owner password credentials):适用于信任的客户端,如官方应用
- 客户端模式 (client credentials):适用于客户端访问自己的资源
2. 环境准备与项目搭建
2.1 创建 spring boot 项目
使用 spring initializr 创建项目,选择以下依赖:
- spring web
- spring security
- spring security oauth2
- spring data jpa
- mysql driver
- lombok
2.2 maven 依赖配置
<?xml version="1.0" encoding="utf-8"?>
<project xmlns="http://maven.apache.org/pom/4.0.0"
xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
xsi:schemalocation="http://maven.apache.org/pom/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelversion>4.0.0</modelversion>
<parent>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-parent</artifactid>
<version>2.7.0</version>
<relativepath/>
</parent>
<groupid>com.example</groupid>
<artifactid>spring-security-oauth2-demo</artifactid>
<version>1.0.0</version>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!-- spring boot starter -->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-web</artifactid>
</dependency>
<!-- spring security -->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-security</artifactid>
</dependency>
<!-- oauth2 自动配置 -->
<dependency>
<groupid>org.springframework.security.oauth.boot</groupid>
<artifactid>spring-security-oauth2-autoconfigure</artifactid>
<version>2.1.0.release</version>
</dependency>
<!-- spring data jpa -->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-data-jpa</artifactid>
</dependency>
<!-- mysql 驱动 -->
<dependency>
<groupid>mysql</groupid>
<artifactid>mysql-connector-java</artifactid>
<scope>runtime</scope>
</dependency>
<!-- lombok -->
<dependency>
<groupid>org.projectlombok</groupid>
<artifactid>lombok</artifactid>
<optional>true</optional>
</dependency>
<!-- jjwt for jwt tokens -->
<dependency>
<groupid>io.jsonwebtoken</groupid>
<artifactid>jjwt</artifactid>
<version>0.9.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-maven-plugin</artifactid>
</plugin>
</plugins>
</build>
</project>3. 数据库设计
3.1 用户表结构
create table `sys_user` ( `id` bigint(20) not null auto_increment, `username` varchar(50) not null comment '用户名', `password` varchar(100) not null comment '密码', `email` varchar(100) default null comment '邮箱', `phone` varchar(20) default null comment '手机号', `enabled` tinyint(1) default '1' comment '状态:1-有效,0-禁用', `account_non_expired` tinyint(1) default '1' comment '账户是否过期', `credentials_non_expired` tinyint(1) default '1' comment '密码是否过期', `account_non_locked` tinyint(1) default '1' comment '账户是否锁定', `create_time` datetime default current_timestamp comment '创建时间', `update_time` datetime default current_timestamp on update current_timestamp comment '修改时间', primary key (`id`), unique key `uk_username` (`username`) ) engine=innodb default charset=utf8mb4 comment='用户表';
3.2 角色表结构
create table `sys_role` ( `id` bigint(20) not null auto_increment, `role_name` varchar(50) not null comment '角色名称', `role_code` varchar(50) not null comment '角色编码', `description` varchar(100) default null comment '描述', `create_time` datetime default current_timestamp comment '创建时间', primary key (`id`), unique key `uk_role_code` (`role_code`) ) engine=innodb default charset=utf8mb4 comment='角色表';
3.3 用户角色关联表
create table `sys_user_role` ( `id` bigint(20) not null auto_increment, `user_id` bigint(20) not null comment '用户id', `role_id` bigint(20) not null comment '角色id', `create_time` datetime default current_timestamp comment '创建时间', primary key (`id`), key `idx_user_id` (`user_id`), key `idx_role_id` (`role_id`) ) engine=innodb default charset=utf8mb4 comment='用户角色关联表';
3.4 oauth2 客户端表
create table `oauth_client_details` ( `client_id` varchar(256) not null comment '客户端id', `resource_ids` varchar(256) default null comment '资源id', `client_secret` varchar(256) default null comment '客户端密钥', `scope` varchar(256) default null comment '权限范围', `authorized_grant_types` varchar(256) default null comment '授权类型', `web_server_redirect_uri` varchar(256) default null comment '重定向uri', `authorities` varchar(256) default null comment '权限', `access_token_validity` int(11) default null comment '访问令牌有效期', `refresh_token_validity` int(11) default null comment '刷新令牌有效期', `additional_information` varchar(4096) default null comment '附加信息', `autoapprove` varchar(256) default null comment '自动批准', primary key (`client_id`) ) engine=innodb default charset=utf8mb4 comment='oauth2客户端表';
4. 实体类设计
4.1 用户实体
package com.example.oauth2.entity;
import lombok.data;
import org.springframework.security.core.grantedauthority;
import org.springframework.security.core.authority.simplegrantedauthority;
import org.springframework.security.core.userdetails.userdetails;
import javax.persistence.*;
import java.util.collection;
import java.util.date;
import java.util.list;
import java.util.stream.collectors;
@data
@entity
@table(name = "sys_user")
public class sysuser implements userdetails {
@id
@generatedvalue(strategy = generationtype.identity)
private long id;
@column(name = "username", unique = true, nullable = false, length = 50)
private string username;
@column(name = "password", nullable = false, length = 100)
private string password;
@column(name = "email", length = 100)
private string email;
@column(name = "phone", length = 20)
private string phone;
@column(name = "enabled")
private boolean enabled = true;
@column(name = "account_non_expired")
private boolean accountnonexpired = true;
@column(name = "credentials_non_expired")
private boolean credentialsnonexpired = true;
@column(name = "account_non_locked")
private boolean accountnonlocked = true;
@column(name = "create_time")
private date createtime;
@column(name = "update_time")
private date updatetime;
@manytomany(fetch = fetchtype.eager)
@jointable(
name = "sys_user_role",
joincolumns = @joincolumn(name = "user_id"),
inversejoincolumns = @joincolumn(name = "role_id")
)
private list<sysrole> roles;
@override
public collection<? extends grantedauthority> getauthorities() {
return roles.stream()
.map(role -> new simplegrantedauthority(role.getrolecode()))
.collect(collectors.tolist());
}
@override
public boolean isaccountnonexpired() {
return accountnonexpired;
}
@override
public boolean isaccountnonlocked() {
return accountnonlocked;
}
@override
public boolean iscredentialsnonexpired() {
return credentialsnonexpired;
}
@override
public boolean isenabled() {
return enabled;
}
}4.2 角色实体
package com.example.oauth2.entity;
import lombok.data;
import javax.persistence.*;
import java.util.date;
@data
@entity
@table(name = "sys_role")
public class sysrole {
@id
@generatedvalue(strategy = generationtype.identity)
private long id;
@column(name = "role_name", nullable = false, length = 50)
private string rolename;
@column(name = "role_code", nullable = false, length = 50)
private string rolecode;
@column(name = "description", length = 100)
private string description;
@column(name = "create_time")
private date createtime;
}5. 数据访问层
5.1 用户 repository
package com.example.oauth2.repository;
import com.example.oauth2.entity.sysuser;
import org.springframework.data.jpa.repository.jparepository;
import org.springframework.data.jpa.repository.query;
import org.springframework.data.repository.query.param;
import org.springframework.stereotype.repository;
import java.util.optional;
@repository
public interface userrepository extends jparepository<sysuser, long> {
optional<sysuser> findbyusername(string username);
boolean existsbyusername(string username);
boolean existsbyemail(string email);
@query("select u from sysuser u left join fetch u.roles where u.username = :username")
optional<sysuser> findbyusernamewithroles(@param("username") string username);
}5.2 角色 repository
package com.example.oauth2.repository;
import com.example.oauth2.entity.sysrole;
import org.springframework.data.jpa.repository.jparepository;
import org.springframework.stereotype.repository;
import java.util.optional;
@repository
public interface rolerepository extends jparepository<sysrole, long> {
optional<sysrole> findbyrolecode(string rolecode);
}6. 安全配置
6.1 spring security 配置
package com.example.oauth2.config;
import com.example.oauth2.service.userdetailsserviceimpl;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.bean;
import org.springframework.context.annotation.configuration;
import org.springframework.security.authentication.authenticationmanager;
import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;
import org.springframework.security.config.annotation.method.configuration.enableglobalmethodsecurity;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;
import org.springframework.security.crypto.bcrypt.bcryptpasswordencoder;
import org.springframework.security.crypto.password.passwordencoder;
@configuration
@enablewebsecurity
@enableglobalmethodsecurity(prepostenabled = true, securedenabled = true, jsr250enabled = true)
public class securityconfig extends websecurityconfigureradapter {
@autowired
private userdetailsserviceimpl userdetailsservice;
/**
* 密码编码器
*/
@bean
public passwordencoder passwordencoder() {
return new bcryptpasswordencoder();
}
/**
* 认证管理器
*/
@bean
@override
public authenticationmanager authenticationmanagerbean() throws exception {
return super.authenticationmanagerbean();
}
/**
* 配置用户认证
*/
@override
protected void configure(authenticationmanagerbuilder auth) throws exception {
auth.userdetailsservice(userdetailsservice)
.passwordencoder(passwordencoder());
}
/**
* http安全配置
*/
@override
protected void configure(httpsecurity http) throws exception {
http
.authorizerequests()
.antmatchers("/oauth/**", "/login/**", "/logout/**").permitall()
.anyrequest().authenticated()
.and()
.formlogin().permitall()
.and()
.csrf().disable();
}
}6.2 用户详情服务
package com.example.oauth2.service;
import com.example.oauth2.entity.sysuser;
import com.example.oauth2.repository.userrepository;
import lombok.extern.slf4j.slf4j;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.security.core.userdetails.userdetails;
import org.springframework.security.core.userdetails.userdetailsservice;
import org.springframework.security.core.userdetails.usernamenotfoundexception;
import org.springframework.stereotype.service;
@slf4j
@service
public class userdetailsserviceimpl implements userdetailsservice {
@autowired
private userrepository userrepository;
@override
public userdetails loaduserbyusername(string username) throws usernamenotfoundexception {
sysuser user = userrepository.findbyusernamewithroles(username)
.orelsethrow(() -> new usernamenotfoundexception("用户不存在: " + username));
log.info("用户 {} 登录成功,角色: {}", username,
user.getroles().stream().map(role -> role.getrolecode()).toarray());
return user;
}
}7. oauth2 授权服务器配置
7.1 授权服务器配置
package com.example.oauth2.config;
import com.example.oauth2.service.userdetailsserviceimpl;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.bean;
import org.springframework.context.annotation.configuration;
import org.springframework.data.redis.connection.redisconnectionfactory;
import org.springframework.security.authentication.authenticationmanager;
import org.springframework.security.crypto.password.passwordencoder;
import org.springframework.security.oauth2.config.annotation.configurers.clientdetailsserviceconfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.authorizationserverconfigureradapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.enableauthorizationserver;
import org.springframework.security.oauth2.config.annotation.web.configurers.authorizationserverendpointsconfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.authorizationserversecurityconfigurer;
import org.springframework.security.oauth2.provider.clientdetailsservice;
import org.springframework.security.oauth2.provider.client.jdbcclientdetailsservice;
import org.springframework.security.oauth2.provider.token.tokenenhancer;
import org.springframework.security.oauth2.provider.token.tokenenhancerchain;
import org.springframework.security.oauth2.provider.token.tokenstore;
import org.springframework.security.oauth2.provider.token.store.jwtaccesstokenconverter;
import org.springframework.security.oauth2.provider.token.store.jwttokenstore;
import org.springframework.security.oauth2.provider.token.store.redis.redistokenstore;
import javax.sql.datasource;
import java.util.arrays;
@configuration
@enableauthorizationserver
public class authorizationserverconfig extends authorizationserverconfigureradapter {
@autowired
private authenticationmanager authenticationmanager;
@autowired
private userdetailsserviceimpl userdetailsservice;
@autowired
private passwordencoder passwordencoder;
@autowired
private datasource datasource;
@autowired
private redisconnectionfactory redisconnectionfactory;
/**
* 配置客户端详情服务
*/
@override
public void configure(clientdetailsserviceconfigurer clients) throws exception {
// 使用jdbc存储客户端信息
clients.withclientdetails(jdbcclientdetailsservice());
// 内存方式配置客户端(测试用)
// clients.inmemory()
// .withclient("client")
// .secret(passwordencoder.encode("secret"))
// .authorizedgranttypes("password", "refresh_token")
// .scopes("all")
// .accesstokenvalidityseconds(3600)
// .refreshtokenvalidityseconds(86400);
}
/**
* 配置令牌端点安全约束
*/
@override
public void configure(authorizationserversecurityconfigurer security) throws exception {
security
.tokenkeyaccess("permitall()") // 公开/oauth/token_key接口
.checktokenaccess("isauthenticated()") // 认证后可访问/oauth/check_token
.allowformauthenticationforclients(); // 允许表单认证
}
/**
* 配置授权端点
*/
@override
public void configure(authorizationserverendpointsconfigurer endpoints) throws exception {
// 令牌增强链
tokenenhancerchain tokenenhancerchain = new tokenenhancerchain();
tokenenhancerchain.settokenenhancers(
arrays.aslist(tokenenhancer(), jwtaccesstokenconverter()));
endpoints
.authenticationmanager(authenticationmanager) // 认证管理器
.userdetailsservice(userdetailsservice) // 用户详情服务
.tokenstore(tokenstore()) // 令牌存储方式
.tokenenhancer(tokenenhancerchain) // 令牌增强
.accesstokenconverter(jwtaccesstokenconverter()) // jwt转换器
.reuserefreshtokens(false); // 是否重用刷新令牌
}
/**
* 令牌存储 - 使用redis
*/
@bean
public tokenstore tokenstore() {
// 使用redis存储令牌
return new redistokenstore(redisconnectionfactory);
// 使用jwt存储令牌
// return new jwttokenstore(jwtaccesstokenconverter());
}
/**
* 客户端详情服务 - 使用jdbc
*/
@bean
public clientdetailsservice jdbcclientdetailsservice() {
jdbcclientdetailsservice clientdetailsservice = new jdbcclientdetailsservice(datasource);
clientdetailsservice.setpasswordencoder(passwordencoder);
return clientdetailsservice;
}
/**
* jwt令牌转换器
*/
@bean
public jwtaccesstokenconverter jwtaccesstokenconverter() {
jwtaccesstokenconverter converter = new jwtaccesstokenconverter();
// 设置jwt签名密钥
converter.setsigningkey("my-signing-key");
return converter;
}
/**
* jwt令牌增强器
*/
@bean
public tokenenhancer tokenenhancer() {
return new customtokenenhancer();
}
}7.2 自定义令牌增强器
package com.example.oauth2.config;
import com.example.oauth2.entity.sysuser;
import org.springframework.security.core.userdetails.user;
import org.springframework.security.oauth2.common.defaultoauth2accesstoken;
import org.springframework.security.oauth2.common.oauth2accesstoken;
import org.springframework.security.oauth2.provider.oauth2authentication;
import org.springframework.security.oauth2.provider.token.tokenenhancer;
import java.util.hashmap;
import java.util.map;
public class customtokenenhancer implements tokenenhancer {
@override
public oauth2accesstoken enhance(oauth2accesstoken accesstoken, oauth2authentication authentication) {
map<string, object> additionalinfo = new hashmap<>();
// 添加自定义信息到令牌中
object principal = authentication.getuserauthentication().getprincipal();
if (principal instanceof sysuser) {
sysuser user = (sysuser) principal;
additionalinfo.put("user_id", user.getid());
additionalinfo.put("username", user.getusername());
additionalinfo.put("email", user.getemail());
} else if (principal instanceof user) {
user user = (user) principal;
additionalinfo.put("username", user.getusername());
}
((defaultoauth2accesstoken) accesstoken).setadditionalinformation(additionalinfo);
return accesstoken;
}
}8. oauth2 资源服务器配置
8.1 资源服务器配置
package com.example.oauth2.config;
import org.springframework.context.annotation.configuration;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.enableresourceserver;
import org.springframework.security.oauth2.config.annotation.web.configuration.resourceserverconfigureradapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.resourceserversecurityconfigurer;
import org.springframework.security.oauth2.provider.token.tokenstore;
import javax.annotation.resource;
@configuration
@enableresourceserver
public class resourceserverconfig extends resourceserverconfigureradapter {
private static final string resource_id = "resource-server";
@resource
private tokenstore tokenstore;
/**
* 配置资源id和令牌服务
*/
@override
public void configure(resourceserversecurityconfigurer resources) {
resources
.resourceid(resource_id)
.tokenstore(tokenstore)
.stateless(true); // 无状态模式
}
/**
* 配置资源权限规则
*/
@override
public void configure(httpsecurity http) throws exception {
http
.authorizerequests()
.antmatchers("/api/public/**").permitall() // 公开接口
.antmatchers("/api/admin/**").hasrole("admin") // 需要admin角色
.antmatchers("/api/user/**").hasrole("user") // 需要user角色
.anyrequest().authenticated() // 其他接口需要认证
.and()
.csrf().disable();
}
}9. jwt 令牌配置
9.1 jwt 工具类
package com.example.oauth2.util;
import io.jsonwebtoken.claims;
import io.jsonwebtoken.jwts;
import io.jsonwebtoken.signaturealgorithm;
import lombok.extern.slf4j.slf4j;
import org.springframework.beans.factory.annotation.value;
import org.springframework.security.core.userdetails.userdetails;
import org.springframework.stereotype.component;
import java.util.date;
import java.util.hashmap;
import java.util.map;
import java.util.function.function;
@slf4j
@component
public class jwttokenutil {
@value("${jwt.secret:mysecretkey}")
private string secret;
@value("${jwt.expiration:86400}")
private long expiration;
/**
* 从令牌中获取用户名
*/
public string getusernamefromtoken(string token) {
return getclaimfromtoken(token, claims::getsubject);
}
/**
* 从令牌中获取过期时间
*/
public date getexpirationdatefromtoken(string token) {
return getclaimfromtoken(token, claims::getexpiration);
}
/**
* 从令牌中获取声明
*/
public <t> t getclaimfromtoken(string token, function<claims, t> claimsresolver) {
claims claims = getallclaimsfromtoken(token);
return claimsresolver.apply(claims);
}
/**
* 从令牌中获取所有声明
*/
private claims getallclaimsfromtoken(string token) {
return jwts.parser()
.setsigningkey(secret)
.parseclaimsjws(token)
.getbody();
}
/**
* 检查令牌是否过期
*/
private boolean istokenexpired(string token) {
date expiration = getexpirationdatefromtoken(token);
return expiration.before(new date());
}
/**
* 生成令牌
*/
public string generatetoken(userdetails userdetails) {
map<string, object> claims = new hashmap<>();
return dogeneratetoken(claims, userdetails.getusername());
}
/**
* 生成令牌
*/
private string dogeneratetoken(map<string, object> claims, string subject) {
date createddate = new date();
date expirationdate = new date(createddate.gettime() + expiration * 1000);
return jwts.builder()
.setclaims(claims)
.setsubject(subject)
.setissuedat(createddate)
.setexpiration(expirationdate)
.signwith(signaturealgorithm.hs512, secret)
.compact();
}
/**
* 验证令牌
*/
public boolean validatetoken(string token, userdetails userdetails) {
string username = getusernamefromtoken(token);
return (username.equals(userdetails.getusername()) && !istokenexpired(token));
}
/**
* 刷新令牌
*/
public string refreshtoken(string token) {
string username = getusernamefromtoken(token);
return generatetoken(new org.springframework.security.core.userdetails.user(
username, "", java.util.collections.emptylist()));
}
}10. 控制器开发
10.1 用户控制器
package com.example.oauth2.controller;
import com.example.oauth2.entity.sysuser;
import com.example.oauth2.service.userservice;
import lombok.extern.slf4j.slf4j;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.http.responseentity;
import org.springframework.security.access.prepost.preauthorize;
import org.springframework.security.core.context.securitycontextholder;
import org.springframework.web.bind.annotation.*;
import java.util.list;
@slf4j
@restcontroller
@requestmapping("/api/user")
public class usercontroller {
@autowired
private userservice userservice;
/**
* 获取当前用户信息
*/
@getmapping("/me")
public responseentity<sysuser> getcurrentuser() {
string username = securitycontextholder.getcontext().getauthentication().getname();
sysuser user = userservice.findbyusername(username);
return responseentity.ok(user);
}
/**
* 获取所有用户(需要admin权限)
*/
@preauthorize("hasrole('admin')")
@getmapping("/list")
public responseentity<list<sysuser>> getallusers() {
list<sysuser> users = userservice.findall();
return responseentity.ok(users);
}
/**
* 根据id获取用户
*/
@preauthorize("hasrole('admin')")
@getmapping("/{id}")
public responseentity<sysuser> getuserbyid(@pathvariable long id) {
sysuser user = userservice.findbyid(id);
return responseentity.ok(user);
}
/**
* 创建用户
*/
@preauthorize("hasrole('admin')")
@postmapping
public responseentity<sysuser> createuser(@requestbody sysuser user) {
sysuser createduser = userservice.createuser(user);
return responseentity.ok(createduser);
}
/**
* 更新用户
*/
@preauthorize("hasrole('admin')")
@putmapping("/{id}")
public responseentity<sysuser> updateuser(@pathvariable long id, @requestbody sysuser user) {
user.setid(id);
sysuser updateduser = userservice.updateuser(user);
return responseentity.ok(updateduser);
}
/**
* 删除用户
*/
@preauthorize("hasrole('admin')")
@deletemapping("/{id}")
public responseentity<void> deleteuser(@pathvariable long id) {
userservice.deleteuser(id);
return responseentity.ok().build();
}
}10.2 公开接口控制器
package com.example.oauth2.controller;
import org.springframework.web.bind.annotation.getmapping;
import org.springframework.web.bind.annotation.requestmapping;
import org.springframework.web.bind.annotation.restcontroller;
import java.util.hashmap;
import java.util.map;
@restcontroller
@requestmapping("/api/public")
public class publiccontroller {
@getmapping("/info")
public map<string, string> getpublicinfo() {
map<string, string> result = new hashmap<>();
result.put("message", "这是一个公开接口,无需认证即可访问");
result.put("timestamp", string.valueof(system.currenttimemillis()));
return result;
}
@getmapping("/health")
public map<string, string> healthcheck() {
map<string, string> result = new hashmap<>();
result.put("status", "up");
result.put("service", "oauth2-service");
return result;
}
}11. 服务层实现
11.1 用户服务
package com.example.oauth2.service;
import com.example.oauth2.entity.sysuser;
import com.example.oauth2.repository.userrepository;
import lombok.extern.slf4j.slf4j;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.security.crypto.password.passwordencoder;
import org.springframework.stereotype.service;
import org.springframework.transaction.annotation.transactional;
import java.util.date;
import java.util.list;
import java.util.optional;
@slf4j
@service
public class userservice {
@autowired
private userrepository userrepository;
@autowired
private passwordencoder passwordencoder;
/**
* 根据用户名查找用户
*/
public sysuser findbyusername(string username) {
return userrepository.findbyusernamewithroles(username)
.orelsethrow(() -> new runtimeexception("用户不存在: " + username));
}
/**
* 根据id查找用户
*/
public sysuser findbyid(long id) {
return userrepository.findbyid(id)
.orelsethrow(() -> new runtimeexception("用户不存在,id: " + id));
}
/**
* 查找所有用户
*/
public list<sysuser> findall() {
return userrepository.findall();
}
/**
* 创建用户
*/
@transactional
public sysuser createuser(sysuser user) {
// 检查用户名是否已存在
if (userrepository.existsbyusername(user.getusername())) {
throw new runtimeexception("用户名已存在: " + user.getusername());
}
// 检查邮箱是否已存在
if (user.getemail() != null && userrepository.existsbyemail(user.getemail())) {
throw new runtimeexception("邮箱已存在: " + user.getemail());
}
// 加密密码
user.setpassword(passwordencoder.encode(user.getpassword()));
user.setcreatetime(new date());
user.setupdatetime(new date());
return userrepository.save(user);
}
/**
* 更新用户
*/
@transactional
public sysuser updateuser(sysuser user) {
optional<sysuser> existinguser = userrepository.findbyid(user.getid());
if (!existinguser.ispresent()) {
throw new runtimeexception("用户不存在,id: " + user.getid());
}
sysuser usertoupdate = existinguser.get();
// 更新字段
if (user.getemail() != null) {
usertoupdate.setemail(user.getemail());
}
if (user.getphone() != null) {
usertoupdate.setphone(user.getphone());
}
if (user.getenabled() != null) {
usertoupdate.setenabled(user.getenabled());
}
if (user.getroles() != null) {
usertoupdate.setroles(user.getroles());
}
usertoupdate.setupdatetime(new date());
return userrepository.save(usertoupdate);
}
/**
* 删除用户
*/
@transactional
public void deleteuser(long id) {
if (!userrepository.existsbyid(id)) {
throw new runtimeexception("用户不存在,id: " + id);
}
userrepository.deletebyid(id);
}
/**
* 修改密码
*/
@transactional
public void changepassword(string username, string oldpassword, string newpassword) {
sysuser user = findbyusername(username);
// 验证旧密码
if (!passwordencoder.matches(oldpassword, user.getpassword())) {
throw new runtimeexception("旧密码错误");
}
// 更新密码
user.setpassword(passwordencoder.encode(newpassword));
user.setupdatetime(new date());
userrepository.save(user);
log.info("用户 {} 修改密码成功", username);
}
}12. 全局异常处理
12.1 全局异常处理器
package com.example.oauth2.handler;
import lombok.extern.slf4j.slf4j;
import org.springframework.http.httpstatus;
import org.springframework.http.responseentity;
import org.springframework.security.access.accessdeniedexception;
import org.springframework.security.core.authenticationexception;
import org.springframework.web.bind.annotation.exceptionhandler;
import org.springframework.web.bind.annotation.restcontrolleradvice;
import java.util.hashmap;
import java.util.map;
@slf4j
@restcontrolleradvice
public class globalexceptionhandler {
/**
* 处理认证异常
*/
@exceptionhandler(authenticationexception.class)
public responseentity<map<string, object>> handleauthenticationexception(authenticationexception e) {
log.error("认证异常: {}", e.getmessage());
map<string, object> result = new hashmap<>();
result.put("code", httpstatus.unauthorized.value());
result.put("message", "认证失败: " + e.getmessage());
result.put("timestamp", system.currenttimemillis());
return responseentity.status(httpstatus.unauthorized).body(result);
}
/**
* 处理权限不足异常
*/
@exceptionhandler(accessdeniedexception.class)
public responseentity<map<string, object>> handleaccessdeniedexception(accessdeniedexception e) {
log.error("权限不足: {}", e.getmessage());
map<string, object> result = new hashmap<>();
result.put("code", httpstatus.forbidden.value());
result.put("message", "权限不足: " + e.getmessage());
result.put("timestamp", system.currenttimemillis());
return responseentity.status(httpstatus.forbidden).body(result);
}
/**
* 处理业务异常
*/
@exceptionhandler(runtimeexception.class)
public responseentity<map<string, object>> handleruntimeexception(runtimeexception e) {
log.error("业务异常: {}", e.getmessage());
map<string, object> result = new hashmap<>();
result.put("code", httpstatus.bad_request.value());
result.put("message", e.getmessage());
result.put("timestamp", system.currenttimemillis());
return responseentity.status(httpstatus.bad_request).body(result);
}
/**
* 处理其他异常
*/
@exceptionhandler(exception.class)
public responseentity<map<string, object>> handleexception(exception e) {
log.error("系统异常: {}", e.getmessage(), e);
map<string, object> result = new hashmap<>();
result.put("code", httpstatus.internal_server_error.value());
result.put("message", "系统内部错误");
result.put("timestamp", system.currenttimemillis());
return responseentity.status(httpstatus.internal_server_error).body(result);
}
}13. 配置文件
13.1 application.yml
server:
port: 8080
servlet:
context-path: /
spring:
application:
name: spring-security-oauth2-demo
# 数据源配置
datasource:
driver-class-name: com.mysql.cj.jdbc.driver
url: jdbc:mysql://localhost:3306/oauth2_demo?useunicode=true&characterencoding=utf8&zerodatetimebehavior=converttonull&usessl=true&servertimezone=gmt%2b8
username: root
password: password
# jpa配置
jpa:
hibernate:
ddl-auto: update
show-sql: true
properties:
hibernate:
dialect: org.hibernate.dialect.mysql5innodbdialect
format_sql: true
# redis配置
redis:
host: localhost
port: 6379
password:
database: 0
lettuce:
pool:
max-active: 8
max-wait: -1ms
max-idle: 8
min-idle: 0
timeout: 3000ms
# 日志配置
logging:
level:
com.example.oauth2: debug
org.springframework.security: debug
org.springframework.security.oauth2: debug
# jwt配置
jwt:
secret: mysecretkey
expiration: 86400
# 安全配置
security:
oauth2:
client:
client-id: client
client-secret: secret
authorization:
check-token-access: permitall()14. 测试数据初始化
14.1 数据初始化脚本
package com.example.oauth2.config;
import com.example.oauth2.entity.sysrole;
import com.example.oauth2.entity.sysuser;
import com.example.oauth2.repository.rolerepository;
import com.example.oauth2.repository.userrepository;
import lombok.extern.slf4j.slf4j;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.boot.commandlinerunner;
import org.springframework.security.crypto.password.passwordencoder;
import org.springframework.stereotype.component;
import java.util.arrays;
import java.util.date;
@slf4j
@component
public class datainitializer implements commandlinerunner {
@autowired
private userrepository userrepository;
@autowired
private rolerepository rolerepository;
@autowired
private passwordencoder passwordencoder;
@override
public void run(string... args) throws exception {
// 初始化角色
if (rolerepository.count() == 0) {
sysrole adminrole = new sysrole();
adminrole.setrolename("管理员");
adminrole.setrolecode("role_admin");
adminrole.setdescription("系统管理员");
adminrole.setcreatetime(new date());
sysrole userrole = new sysrole();
userrole.setrolename("普通用户");
userrole.setrolecode("role_user");
userrole.setdescription("普通用户");
userrole.setcreatetime(new date());
rolerepository.saveall(arrays.aslist(adminrole, userrole));
log.info("初始化角色数据完成");
}
// 初始化管理员用户
if (userrepository.count() == 0) {
sysrole adminrole = rolerepository.findbyrolecode("role_admin")
.orelsethrow(() -> new runtimeexception("管理员角色不存在"));
sysuser adminuser = new sysuser();
adminuser.setusername("admin");
adminuser.setpassword(passwordencoder.encode("admin123"));
adminuser.setemail("admin@example.com");
adminuser.setphone("13800000000");
adminuser.setroles(arrays.aslist(adminrole));
adminuser.setcreatetime(new date());
adminuser.setupdatetime(new date());
userrepository.save(adminuser);
log.info("初始化管理员用户完成,用户名: admin, 密码: admin123");
}
// 初始化oauth2客户端
// 这里可以通过sql脚本初始化,也可以在启动后通过管理界面添加
}
}15. 测试与验证
15.1 获取访问令牌
使用密码模式获取访问令牌:
# 获取访问令牌 curl -x post \ http://localhost:8080/oauth/token \ -h 'authorization: basic y2xpzw50onnly3jlda==' \ -h 'content-type: application/x-www-form-urlencoded' \ -d 'grant_type=password&username=admin&password=admin123&scope=all'
响应示例:
{
"access_token": "eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9...",
"token_type": "bearer",
"refresh_token": "eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9...",
"expires_in": 3599,
"scope": "all",
"user_id": 1,
"username": "admin",
"email": "admin@example.com"
}15.2 访问受保护资源
# 访问当前用户信息 curl -x get \ http://localhost:8080/api/user/me \ -h 'authorization: bearer eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9...' # 访问用户列表(需要admin权限) curl -x get \ http://localhost:8080/api/user/list \ -h 'authorization: bearer eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9...' # 访问公开接口(无需认证) curl -x get http://localhost:8080/api/public/info
16. 安全最佳实践
16.1 安全配置建议
- 使用https:在生产环境中始终使用https
- 强密码策略:实施密码复杂度要求
- 令牌过期时间:设置合理的访问令牌和刷新令牌过期时间
- 限制重试次数:防止暴力破解
- 定期更换密钥:定期更换jwt签名密钥
16.2 监控与日志
- 记录认证日志:记录所有认证成功和失败事件
- 监控异常行为:监控异常登录模式
- 定期审计:定期审计权限分配和令牌使用情况
总结
本文详细介绍了 spring boot 2.0 整合 spring security oauth2 的完整流程,包括:
- 理论基础:oauth2 的核心概念和授权模式
- 环境搭建:项目创建和依赖配置
- 数据库设计:用户、角色和oauth2相关表结构
- 实体类设计:jpa实体和spring security集成
- 安全配置:spring security和oauth2服务器配置
- jwt集成:jwt令牌的生成和验证
- api开发:受保护和公开接口的实现
- 异常处理:全局异常处理机制
- 测试验证:完整的测试流程
到此这篇关于spring boot 2.0 整合 spring security oauth2的文章就介绍到这了,更多相关spring boot 整合 spring security oauth2内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论