2. 科技
    3. springcloud+zuul+oauth2微服务安全配置详解

    springcloud+zuul+oauth2微服务安全配置详解

    科技2026-04-16  5

    springcloud+zuul+oauth2微服务网关安全配置详解

    一、构建webserver服务器二、构建zuul网关服务三、测试网关授权服务

    上一篇:oauth2认证详情配置:https://blog.csdn.net/qq_46564068/article/details/108961557

    一、构建webserver服务器

    pom配置:

    <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.tends.aopthinkd</groupId> <artifactId>thinkd-webserve</artifactId> <version>0.0.1-SNAPSHOT</version> <name>thinkd-webserve</name> <packaging>jar</packaging> <parent> <groupId>com.tends</groupId> <artifactId>aopthink</artifactId> <version>0.0.1-SNAPSHOT</version> </parent> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-websocket</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-devtools</artifactId> <!-- optional=true依赖不会传递, 之后依赖的boot项目如果想要使用devtools, 需要重新引入 --> <optional>true</optional> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth2</artifactId> </dependency> <!--<dependency>--> <!-- <groupId>org.springframework.cloud</groupId>--> <!-- <artifactId>spring-cloud-starter-security</artifactId>--> <!--</dependency>--> <!--<dependency>--> <!-- <groupId>org.springframework.security.oauth.boot</groupId>--> <!-- <artifactId>spring-security-oauth2-autoconfigure</artifactId>--> <!--</dependency>--> </dependencies> </project>

    项目配置文件:

    # 解决bean重复定义的。设置为true时,后定义的bean会覆盖之前定义的相同名称的bean #spring.main.allow-bean-definition-overriding=true spring.application.name=thinkd-webserve server.port=9800 #server.port=${random.int(9800,9809)} eureka.instance.ip-address=true eureka.client.service-url.defaultZone=http://localhost:9000/eureka,http://localhost:9001/eureka # 默认情况下很多端点是不允许访问的,会返回401:Unauthorized management.security.enabled=false management.endpoints.web.exposure.include=* # 开启 热部署 及 # 监听目录 spring.devtools.restart.enabled=true spring.devtools.restart.additional-paths=src/main/java ## druid数据库配置 默认type=com.zaxxer.hikari.HikariDataSource spring.datasource.url=jdbc:mysql://localhost:3306/my_devdb?useSSL=false&serverTimezone=UTC&characterEncoding=utf8&useUnicode=true #spring.datasource.url=jdbc:mysql://localhost:3306/tends_testdb?useSSL=false&serverTimezone=UTC&characterEncoding=utf8&useUnicode=true spring.datasource.type=com.alibaba.druid.pool.DruidDataSource spring.datasource.username=root spring.datasource.password=root spring.datasource.driver-class-name=com.mysql.jdbc.Driver security.basic.enabled=false # security client必须要 不要设成/ 不然重定向获取code的时候回被拦截,看情况 server.servlet.context-path=/webserve security.oauth2.client.client-id=baidu security.oauth2.client.client-secret=user #security.oauth2.client.scope=read,write # 密码模式需要用到的获取 token 的接口 security.oauth2.client.access-token-uri=http://localhost:9810/oauth/token # authorization_code 模式 授权码认证方式需要 security.oauth2.client.user-authorization-uri=http://localhost:9810/oauth/authorize # JWT模式管理token 认证服务端JwtAccessTokenConverter设置的SigningKey==key-value,不然会导致无法正常解码JWT security.oauth2.resource.jwt.key-uri=http://localhost:9810/oauth/token_key security.oauth2.resource.jwt.key-value=dev # 使用thinkd-admin进行认证授权 security.oauth2.resource.user-info-uri=http://localhost:9810/user/sys/user security.oauth2.resource.prefer-token-info=false #security.oauth2.resource.id=baidu # 服务端做 token 验证 security.oauth2.authorization.check-token-access=http://localhost:9810/oauth/check_token

    OAuth-Resource配置:

    @Configuration @EnableResourceServer //OAuthor2 启用资源服务器 @EnableGlobalMethodSecurity(prePostEnabled = true) public class AuthdResourceConfig extends ResourceServerConfigurerAdapter { @Bean //JWT模式token public TokenStore jwtTokenStore() { return new JwtTokenStore(jwtAccessTokenConverter()); } @Bean public JwtAccessTokenConverter jwtAccessTokenConverter() { JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter(); accessTokenConverter.setSigningKey("dev"); accessTokenConverter.setVerifierKey("dev"); return accessTokenConverter; } @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.tokenStore(jwtTokenStore()); super.configure(resources); } @Override public void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests().antMatchers("/webserve/prodtest/index").permitAll() //不需要授权认证 .and().authorizeRequests().anyRequest().authenticated() .and().exceptionHandling() .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED)) ;//.and().httpBasic(); } }

    写个controller:

    @Controller public class AuthdDefController { @GetMapping(value = "/get") //@PreAuthorize("hasAuthority('member:detail')") @PreAuthorize("hasAnyRole('ROLE_ADMIN')") @ResponseBody //只有访问用户具有ADMIN权限才能访问,否则返回401未授权 public Object get(Authentication authentication){ //通过Authentication参数或SecurityContextHolder.getContext().getAuthentication()可以拿到授权信息 //Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); authentication.getCredentials(); OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails)authentication.getDetails(); return details.getTokenValue(); } @GetMapping("/prodinfo/{userId}") @ResponseBody public String findAll(@PathVariable("userId") Long userId) { if (userId == null) userId = 0L; return "恭喜用户【" + userId + "】号,查询产品列表成功!"; } @RequestMapping("/prodtest/index") @ResponseBody public String findAll(String userName) { return "恭喜用户【" + userName + "】,查询产品列表成功!"; }

    配置启动类:

    @SpringBootApplication @EnableDiscoveryClient //@EnableFeignClients(“com.tends.thinkdwebserve.feigns”)

    二、构建zuul网关服务

    pom文件:

    <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.tends.aopthinkd</groupId> <artifactId>eureka-zuul</artifactId> <version>0.0.1-SNAPSHOT</version> <name>eureka-zuul</name> <packaging>jar</packaging> <properties> <java.version>1.8</java.version> <spring-cloud.version>Hoxton.SR8</spring-cloud.version> </properties> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.3.3.RELEASE</version> <relativePath/> <!-- lookup parent from repository --> </parent> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth2</artifactId> </dependency> <!-- springCloud客户端 netflix组件注册 --> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> </dependency> <!-- springCloud网关zuul --> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-zuul</artifactId> </dependency> <!--<dependency>--> <!-- <groupId>com.squareup.okhttp3</groupId>--> <!-- <artifactId>okhttp</artifactId>--> <!--</dependency>--> <!--<dependency>--> <!-- <groupId>org.springframework.retry</groupId>--> <!-- <artifactId>spring-retry</artifactId>--> <!--</dependency>--> </dependencies> <dependencyManagement> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-dependencies</artifactId> <version>${spring-cloud.version}</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project>

    项目配置文件:

    spring.application.name=eureka-zuul server.port=11111 eureka.instance.ip-address=true eureka.client.service-url.defaultZone=http://localhost:9000/eureka,http://localhost:9001/eureka ## zuul配置 api-gataway网关的地址 #zuul.routes.auth-api.url=http://localhost:9810 zuul.routes.auth-api.path=/auth-api/** zuul.routes.auth-api.service-id=thinkd-admin zuul.routes.auth-api.sensitive-headers= #zuul.routes.user.url=http://localhost:9810/sys/user zuul.routes.user.path=/user/** zuul.routes.user.service-id=thinkd-admin zuul.routes.user.sensitive-headers= zuul.retryable=false zuul.ignored-services=* zuul.add-proxy-headers=true zuul.host.connect-timeout-millis=10000 zuul.host.socket-timeout-millis=60000 security.oauth2.client.access-token-uri=http://localhost:${server.port}/auth-api/oauth/token security.oauth2.client.user-authorization-uri=http://localhost:${server.port}/auth-api/oauth/authorize security.oauth2.client.client-id=baidu #security.oauth2.client.client-secret=user security.oauth2.resource.user-info-uri=http://localhost:${server.port}/auth-api/user/me security.oauth2.resource.prefer-token-info=false #security.oauth2.authorization.check-token-access=http://localhost:${server.port}/auth-api/oauth/check_token

    配置securityconfig:

    @Configuration @EnableWebSecurity @EnableOAuth2Sso //关闭csrf跨站请求伪造并开启Oauth2 client支持 public class ZuulSecurityConfig extends WebSecurityConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http.csrf().disable(); } }

    最后配置启动类:

    @SpringBootApplication @EnableDiscoveryClient @EnableZuulProxy @EnableOAuth2Sso public class EurekaZuulApplication { public static void main(String[] args) { SpringApplication.run(EurekaZuulApplication.class, args); } }

    三、测试网关授权服务

    凭证授权获取token

    http://localhost:11111/auth-api/oauth/token?grant_type=client_credentials&client_id=baidu&client_secret=user 返回如下类似json即成功: { “access_token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhbGwiXSwiZXhwIjoxNjAyMTY5NjAxLCJhdXRob3JpdGllcyI6WyJST0xFX0FETUlOIl0sImp0aSI6ImEzODUzMzg2LTViMWMtNDVjNi05OTdhLWM5NmIzMWUyMjdhOSIsImNsaWVudF9pZCI6ImJhaWR1In0.dDtVatpMBiJspjAceNV2AH4nOBuwzI41o67MvIftgXs”, “token_type”: “bearer”, “expires_in”: 599, “scope”: “all”, “jti”: “a3853386-5b1c-45c6-997a-c96b31e227a9” }

    密码模式获取token

    http://localhost:11111/auth-api/oauth/token?grant_ type=password&username=admin&password=user&scope=all 返回如下类似json即成功: { “access_token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDIxNzI1OTksInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9QUk9EVUNUX0FETUlOIiwiUk9MRV9BRE1JTiIsIlJPTEVfVVNFUiJdLCJqdGkiOiI1ZmEwYzMxNS1iZmU2LTQ2NzItYjg2NS1kYjdhNTAzMGZmMzEiLCJjbGllbnRfaWQiOiJiYWlkdSIsInNjb3BlIjpbImFsbCJdfQ.CBzsuWrFIs5vvpQpTR9le3fkrmcRn1qQeY0d9YGiClo”, “token_type”: “bearer”, “refresh_token”: “eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbImFsbCJdLCJhdGkiOiI1ZmEwYzMxNS1iZmU2LTQ2NzItYjg2NS1kYjdhNTAzMGZmMzEiLCJleHAiOjE2MDQ3NjM5OTksImF1dGhvcml0aWVzIjpbIlJPTEVfUFJPRFVDVF9BRE1JTiIsIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMzM1MzM2NmMtYzU3MS00Nzc1LTkzMzEtMjExZTA2MTEyMTg4IiwiY2xpZW50X2lkIjoiYmFpZHUifQ.wXUwRtQD9HCTsDsOkQynPssEQW1t9hWVLhj3LDVEO70”, “expires_in”: 599, “scope”: “all”, “jti”: “5fa0c315-bfe6-4672-b865-db7a5030ff31” }

    用获取的token获取授权资源信息: OK! 大功告成!! 看着挺容易真的耗时间,特此记录下,有兴趣的可以参考参考!哈哈。。。。。。

    上一篇:oauth2认证详情配置:https://blog.csdn.net/qq_46564068/article/details/108961557

    Processed: 0.016, SQL: 9