Commit 9da726ae authored by maqing's avatar maqing

RSA密码加密

parent 8295dd07
......@@ -25,9 +25,9 @@ public class AuthController {
@PostMapping("/token")
@SneakyThrows
public Result<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) {
String password = parameters.get("password");
String decrypt = CsoftSecurityUtil.decrypt(password);
parameters.put("password", decrypt);
// String password = parameters.get("password");
// String decrypt = CsoftSecurityUtil.decrypt(password);
// parameters.put("password", decrypt);
OAuth2AccessToken oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
return Result.success(oAuth2AccessToken);
}
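Review bot: The three commented-out lines in `postAccessToken` are dead code that contradicts the commit title: RSA decryption of the `password` parameter is switched off, so `tokenEndpoint.postAccessToken` now receives the password exactly as the client sent it and the only confidentiality left is the transport. If the RSA layer is being retired, delete the lines and say so in the commit; if it is a temporary switch, gate it on a configuration property, e.g. `if (rsaPasswordEnabled) { parameters.put("password", CsoftSecurityUtil.decrypt(password)); }`, so client and server cannot silently disagree on what `password` contains. A client that still sends the ciphertext will now simply fail credential verification, so the method should carry a Javadoc stating that the password is passed through unchanged. `@SneakyThrows` also turns any exception from the token endpoint into an unchecked rethrow, which deserves a one-line comment if intentional.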
......
......@@ -58,7 +58,11 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu
this.userDetailsService = userDetailsService;
}
/**
* 配置客户信息(jdbc方式获取用户信息)
* @param clients
* @throws Exception
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetails());
......@@ -78,6 +82,7 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
//令牌增强器
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
tokenEnhancers.add(tokenEnhancer());
......@@ -85,22 +90,26 @@ public class AuthorizationServerConfiguration extends AuthorizationServerConfigu
tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
endpoints
.authenticationManager(authenticationManager)
.authenticationManager(authenticationManager) //认证管理器(认证账号密码是否正确)
.accessTokenConverter(jwtAccessTokenConverter())
.tokenEnhancer(tokenEnhancerChain)
.userDetailsService(userDetailsService)
.userDetailsService(userDetailsService)//密码模式的用户信息管理
// refresh token有两种使用方式:重复使用(true)、非重复使用(false),默认为true
// 1 重复使用:access token过期刷新时, refresh token过期时间未改变,仍以初次生成的时间为准
// 2 非重复使用:access token过期刷新时, refresh token过期时间延续,在refresh token有效期内刷新便永不失效达到无需再次登录的目的
.reuseRefreshTokens(true);
}
/**
* 令牌端点的安全约束
* @param security
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
security.authenticationEntryPoint(authenticationEntryPoint()).passwordEncoder(new BCryptPasswordEncoder())
.tokenKeyAccess("isAuthenticated()")
.tokenKeyAccess("isAuthenticated()") //
.checkTokenAccess("permitAll()")
.allowFormAuthenticationForClients();
.allowFormAuthenticationForClients();//表达认证,申请令牌
}
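Review bot: The trailing comment added after `.tokenKeyAccess("isAuthenticated()")` is empty and should either say what it documents or be dropped; suggested `// /oauth/token_key: JWT verification key, only for authenticated clients`. The comment on `.allowFormAuthenticationForClients()` reads `表达认证`, presumably a typo for `表单认证`; in English it would be `// allow client_id/client_secret as form parameters when requesting a token`. Since these constraints are now being documented, the unchanged `.checkTokenAccess("permitAll()")` is worth a note: it leaves `/oauth/check_token` open to unauthenticated callers, and `isAuthenticated()` is the safer setting if only trusted resource servers perform introspection, though that depends on how the gateway validates tokens. The `new BCryptPasswordEncoder()` passed to `passwordEncoder(...)` is a separate instance from the `PasswordEncoder` bean declared in `WebSecurityConfig`; injecting that bean keeps the two configurations from drifting apart.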
......
......@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
......@@ -17,10 +18,15 @@ import org.springframework.security.crypto.password.PasswordEncoder;
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true,securedEnabled = true)
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 配置用户的安全拦截策略
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable() //关闭csrf保护
......@@ -40,6 +46,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
return super.authenticationManagerBean();
}
/**
* 密码加密器
* @return
*/
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
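Review bot: The Javadoc added on `passwordEncoder()` has an empty `@return` tag, and `密码加密器` describes hashing rather than encryption; suggested `/** BCrypt password hasher used to verify stored credentials. @return a BCryptPasswordEncoder */`. `@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)` only takes effect on methods annotated with `@PreAuthorize`/`@Secured`, none of which appear in this commit, so the class Javadoc should state where those annotations are expected (presumably the controllers). The `@param http` tag on `configure(HttpSecurity)` is likewise blank, and that method's body, including the `csrf().disable()` line, continues past the hunk. In recent Spring Security releases `@EnableGlobalMethodSecurity` is deprecated in favour of `@EnableMethodSecurity`; check the version this project pins before keeping it.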
......
......@@ -64,40 +64,40 @@ public class AuthorizationManager implements ReactiveAuthorizationManager<Author
}
// // 从缓存取资源权限角色关系列表
// Map<Object, Object> permissionRoles = redisTemplate.opsForHash().entries(AuthConstants.PERMISSION_ROLES_KEY);
// Iterator<Object> iterator = permissionRoles.keySet().iterator();
// // 请求路径匹配到的资源需要的角色权限集合authorities统计
// Set<String> authorities = new HashSet<>();
// while (iterator.hasNext()) {
// String pattern = (String) iterator.next();
// if (pathMatcher.match(pattern, path)) {
// authorities.addAll(Convert.toList(String.class, permissionRoles.get(pattern)));
// }
// }
// log.info("require authorities:{}", authorities);
// 从缓存取资源权限角色关系列表
Map<Object, Object> permissionRoles = redisTemplate.opsForHash().entries(AuthConstants.PERMISSION_ROLES_KEY);
Iterator<Object> iterator = permissionRoles.keySet().iterator();
// 请求路径匹配到的资源需要的角色权限集合authorities统计
Set<String> authorities = new HashSet<>();
while (iterator.hasNext()) {
String pattern = (String) iterator.next();
if (pathMatcher.match(pattern, path)) {
authorities.addAll(Convert.toList(String.class, permissionRoles.get(pattern)));
}
}
log.info("require authorities:{}", authorities);
//认证通过且角色匹配的用户可访问当前路径
return mono.map(auth -> {
return new AuthorizationDecision(true);
}).defaultIfEmpty(new AuthorizationDecision(false));
// return mono.map(auth -> {
// return new AuthorizationDecision(true);
// }).defaultIfEmpty(new AuthorizationDecision(false));
// return mono
// .filter(Authentication::isAuthenticated)
// .flatMapIterable(Authentication::getAuthorities)
// .map(GrantedAuthority::getAuthority)
// .any(roleId -> {
// // roleId是请求用户的角色(格式:ROLE_{roleId}),authorities是请求资源所需要角色的集合
// log.info("访问路径:{}", path);
// log.info("用户角色信息:{}", roleId);
// log.info("资源需要权限authorities:{}", authorities);
// //如果是管理员 直接放行
// if ("ROLE_0".equals(roleId)) {
// return true;
// }
// return authorities.contains(roleId);
// })
// .map(AuthorizationDecision::new)
// .defaultIfEmpty(new AuthorizationDecision(false));
return mono
.filter(Authentication::isAuthenticated)
.flatMapIterable(Authentication::getAuthorities)
.map(GrantedAuthority::getAuthority)
.any(roleId -> {
// roleId是请求用户的角色(格式:ROLE_{roleId}),authorities是请求资源所需要角色的集合
log.info("访问路径:{}", path);
log.info("用户角色信息:{}", roleId);
log.info("资源需要权限authorities:{}", authorities);
//如果是管理员 直接放行
if ("ROLE_0".equals(roleId)) {
return true;
}
return authorities.contains(roleId);
})
.map(AuthorizationDecision::new)
.defaultIfEmpty(new AuthorizationDecision(false));
}
}
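Review bot: The three `log.info` calls inside the `any` predicate run once per granted authority on every request and write the user's roles and the request path at INFO, duplicating the `require authorities` line logged just above; replace them with a single `log.debug("path={} role={} required={}", path, roleId, authorities);` or remove them. The admin bypass `"ROLE_0"` is a bare literal inside an authorization decision and belongs in a named constant, `private static final String ADMIN_ROLE = "ROLE_0";`, with a comment that it short-circuits the permission lookup. The new code is default-deny for paths with no matching pattern, since an empty `authorities` set admits only the admin role; that is the right behaviour, but it should be stated in a comment because the code it replaces permitted every authenticated user. The enclosing method (presumably `check`) begins before the hunk, so `path` and `mono` are assumed to be the request path and the `Authentication` mono from its head.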