【新增】将授权模块抽取到网关、由网关做统一的认证

pig-common/src/main/java/com/github/pig/common/web/BaseController.java

@@ -0,0 +1,30 @@
+package com.github.pig.common.web;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Base64;
+
+/**
+ * @author lengleng
+ * @date 2017/10/28
+ */
+public class BaseController {
+    @Autowired
+    private HttpServletRequest request;
+
+    /**
+     * 根据请求heard中的token获取用户
+     * @return
+     */
+    public String getUser() {
+        String authorization = request.getHeader("Authorization");
+        String token = StringUtils.substringAfter(authorization, "Bearer ");
+        String key = Base64.getEncoder().encodeToString("pig".getBytes());
+        Claims claims = Jwts.parser().setSigningKey(key).parseClaimsJws(token).getBody();
+        return claims.get("user_name").toString();
+    }
+}

pig-demo-service/pom.xml

@@ -18,10 +18,10 @@
 	</parent>
 
 	<dependencies>
-		<!--oauth2.0-->
 		<dependency>
-			<groupId>org.springframework.cloud</groupId>
-			<artifactId>spring-cloud-starter-oauth2</artifactId>
+			<groupId>com.github.pig</groupId>
+			<artifactId>pig-common</artifactId>
+			<version>0.0.1-SNAPSHOT</version>
 		</dependency>
 	</dependencies>
 

pig-demo-service/src/main/java/com/github/pig/common/DemoResourceApplication.java

@@ -1,13 +1,9 @@
-package com.github.pig.demo;
+package com.github.pig.common;
 
-import com.github.pig.demo.annotation.HasAdminRole;
+import com.github.pig.common.web.BaseController;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.autoconfigure.security.oauth2.OAuth2AutoConfiguration;
 import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
-import org.springframework.security.access.method.P;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -21,11 +17,10 @@ import java.security.Principal;
 @SpringBootApplication
 @EnableDiscoveryClient
 @RestController
-@EnableGlobalMethodSecurity(prePostEnabled = true)
-public class DemoResourceApplication {
+public class DemoResourceApplication extends BaseController {
     @GetMapping("/demo")
-    public Principal demo(Principal principal) {
-        return principal;
+    public String demo() {
+        return getUser();
     }
 
     @RequestMapping("/user")
@@ -36,9 +31,4 @@ public class DemoResourceApplication {
     public static void main(String[] args) {
         SpringApplication.run(DemoResourceApplication.class, args);
     }
-
-//    @Bean
-//    LoadBalancerInterceptor loadBalancerInterceptor(LoadBalancerClient loadBalance) {
-//        return new LoadBalancerInterceptor(loadBalance);
-//    }
 }

pig-demo-service/src/main/java/com/github/pig/demo/annotation/HasAdminRole.java

@@ -1,17 +0,0 @@
-package com.github.pig.demo.annotation;
-
-import org.springframework.security.access.prepost.PreAuthorize;
-
-import java.lang.annotation.*;
-
-/**
- * @author lengleng
- * @date 2017/10/28
- */
-@Target({ElementType.METHOD, ElementType.TYPE})
-@Retention(RetentionPolicy.RUNTIME)
-@Inherited
-@Documented
-@PreAuthorize("('ROLE_ADMIN22')")
-public @interface HasAdminRole {
-}

pig-demo-service/src/main/resources/bootstrap.yml

@@ -4,15 +4,6 @@ spring:
   application:
     name: pig-demo-service
 
-security:
-  sessions: stateless
-  oauth2:
-    resource:
-      loadBalanced: true
-      user-info-uri: http://pig-service-auth/user
-      prefer-token-info: false
-      service-id: pig-demo-service
-
 eureka:
   instance:
     prefer-ip-address: true

pig-gateway/pom.xml

@@ -18,6 +18,11 @@
     </parent>
 
     <dependencies>
+        <dependency>
+            <groupId>com.github.pig</groupId>
+            <artifactId>pig-common</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-zuul</artifactId>
@@ -27,6 +32,11 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-bus-amqp</artifactId>
         </dependency>
+        <!--oauth2.0-->
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-oauth2</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

pig-gateway/src/main/java/com/github/pig/gateway/PigGatewayApplication.java

@@ -4,6 +4,7 @@ import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
 import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 
 /**
  * @author lengleng
@@ -11,6 +12,7 @@ import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
 @EnableZuulProxy
 @EnableDiscoveryClient
 @SpringBootApplication
+@EnableGlobalMethodSecurity(prePostEnabled = true)
 public class PigGatewayApplication {
 
 	public static void main(String[] args) {

pig-gateway/src/main/java/com/github/pig/gateway/config/ResourceServerConfiguration.java

@@ -1,4 +1,4 @@
-package com.github.pig.demo.config;
+package com.github.pig.gateway.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
@@ -22,8 +22,9 @@ public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter
 
     @Override
     public void configure(HttpSecurity http) throws Exception {
-        http.anonymous().disable()
+        http
                 .authorizeRequests()
+                .antMatchers("/auth/**").permitAll()
                 .anyRequest().access("@permissionService.hasPermission(request,authentication)");
     }
 

pig-gateway/src/main/java/com/github/pig/gateway/service/PermissionService.java

@@ -1,4 +1,4 @@
-package com.github.pig.demo.service;
+package com.github.pig.gateway.service;
 
 import org.springframework.security.core.Authentication;
 

pig-gateway/src/main/java/com/github/pig/gateway/service/impl/PermissionServiceImpl.java

@@ -1,8 +1,8 @@
-package com.github.pig.demo.service.impl;
+package com.github.pig.gateway.service.impl;
 
-import com.github.pig.demo.service.PermissionService;
+import com.github.pig.gateway.service.PermissionService;
+import org.apache.commons.lang.StringUtils;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.PathMatcher;
@@ -18,8 +18,6 @@ import java.util.Set;
 @Service("permissionService")
 public class PermissionServiceImpl implements PermissionService {
 
-    private PathMatcher pathMatcher = new AntPathMatcher();
-
     @Override
     public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
         Object principal = authentication.getPrincipal();
@@ -31,8 +29,8 @@ public class PermissionServiceImpl implements PermissionService {
             urls.add("/demo");
 
             for (String url : urls) {
-                if (pathMatcher.match(url, request.getRequestURI())) {
-                    hasPermission = true;
+                if (request.getRequestURI().contains(url)){
+                    hasPermission =true;
                     break;
                 }
             }

pig-gateway/src/main/resources/bootstrap.yml

@@ -25,7 +25,11 @@ eureka:
     serviceUrl:
       defaultZone: http://127.0.0.1:9000/eureka/
 
-#关闭安全校验
-management:
-  security:
-    enabled: false
+security:
+  sessions: stateless
+  oauth2:
+    resource:
+      loadBalanced: true
+      user-info-uri: http://pig-service-auth/user
+      prefer-token-info: false
+      service-id: pig-gateway

pig-service-auth/pom.xml

@@ -33,11 +33,6 @@
 			<groupId>org.springframework.cloud</groupId>
 			<artifactId>spring-cloud-starter-oauth2</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>io.jsonwebtoken</groupId>
-			<artifactId>jjwt</artifactId>
-			<version>0.7.0</version>
-		</dependency>
 	</dependencies>
 
 

pig-service-auth/src/main/java/com/github/pig/auth/config/PigAuthorizationConfig.java

@@ -1,6 +1,7 @@
 package com.github.pig.auth.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.redis.connection.RedisConnectionFactory;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -45,8 +46,15 @@ public class PigAuthorizationConfig extends AuthorizationServerConfigurerAdapter
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
         endpoints
                 .tokenStore(new RedisTokenStore(redisConnectionFactory))
-                .accessTokenConverter(new JwtAccessTokenConverter())
+                .accessTokenConverter(jwtAccessTokenConverter())
                 .authenticationManager(authenticationManager)
                 .userDetailsService(userDetailsService);
     }
+
+    @Bean
+    public JwtAccessTokenConverter jwtAccessTokenConverter(){
+        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
+        jwtAccessTokenConverter.setSigningKey("pig");
+        return jwtAccessTokenConverter;
+    }
 }

pom.xml

@@ -44,6 +44,7 @@
     </dependencies>
 
     <modules>
+        <module>pig-common</module>
         <module>pig-eureka</module>
         <module>pig-config</module>
         <module>pig-gateway</module>