一、什么是单点登陆
单点登录(Single Sign On),简称为 SSO,是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统
二、简单的运行机制
单点登录的机制其实是比较简单的,用一个现实中的例子做比较。某公园内部有许多独立的景点,游客可以在各个景点门口单独买票。
对于需要游玩所有的景点的游客,这种买票方式很不方便,需要在每个景点门口排队买票,钱包拿 进拿出的,容易丢失,很不安全。
于是绝大多数游客选择在大门口买一张通票(也叫套票),就可以玩遍所有的景点而不需要重新再买票。他们只需要在每个景点门 口出示一下刚才买的套票就能够被允许进入每个独立的景点。
单点登录的机制也一样,如下图所示,
用户认证:这一环节主要是用户向认证服务器发起认证请求,认证服务器给用户返回一个成功的令牌token,主要在认证服务器中完成,即图中的认证系统,注意认证系统只能有一个。
身份校验:这一环节是用户携带token去访问其他服务器时,在其他服务器中要对token的真伪进行检验,主要在资源服务器中完成,即图中的应用系统2 3
三、JWT介绍
概念说明从分布式认证流程中,我们不难发现,这中间起最关键作用的就是token,token的安全与否,直接关系到系统的健壮性,这里我们选择使用JWT来实现token的生成和校验。
JWT,全称JSON Web Token,官网地址https://jwt.io,是一款出色的分布式身份校验方案。可以生成token,也可以解析检验token。
JWT生成的token由三部分组成: 头部:主要设置一些规范信息,签名部分的编码格式就在头部中声明。 载荷:token中存放有效信息的部分,比如用户名,用户角色,过期时间等,但是不要放密码,会泄露! 签名:将头部与载荷分别采用base64编码后,用“.”相连,再加入盐,最后使用头部声明的编码类型进行编码,就得到了签名。 JWT生成token的安全性分析从JWT生成的token组成上来看,要想避免token被伪造,主要就得看签名部分了,而签名部分又有三部分组成,其中头部和载荷的base64编码,几乎是透明的,毫无安全性可言,那么最终守护token安全的重担就落在了加入的盐上面了!
试想:如果生成token所用的盐与解析token时加入的盐是一样的。岂不是类似于中国人民银行把人民币防伪技术公开了?大家可以用这个盐来解析token,就能用来伪造token。这时,我们就需要对盐采用非对称加密的方式进行加密,以达到生成token与校验token方所用的盐不一致的安全效果!
非对称加密RSA介绍基本原理:同时生成两把密钥:私钥和公钥,私钥隐秘保存,公钥可以下发给信任客户端
私钥加密,持有私钥或公钥才可以解密 公钥加密,持有私钥才可解密优点:安全,难以破解
缺点:算法比较耗时,为了安全,可以接受
历史:三位数学家Rivest、Shamir 和 Adleman 设计了一种算法,可以实现非对称加密。这种算法用他们三个人的名字缩写:RSA。
四、SpringSecurity整合JWT
1.认证思路分析SpringSecurity主要是通过过滤器来实现功能的!我们要找到SpringSecurity实现认证和校验身份的过滤器!
回顾集中式认证流程用户认证:使用
过滤器中
UsernamePasswordAuthenticationFilterattemptAuthentication
方法实现认证功能,该过滤器父类中successfulAuthentication
方法实现认证成功后的操作。
身份校验:使用BasicAuthenticationFilter
过滤器中doFilterInternal
方法验证是否登录,以决定能否进入后续过滤器。
用户认证:
由于分布式项目,多数是前后端分离的架构设计,我们要满足可以接受异步post的认证请求参数,需要修改
过滤器中
UsernamePasswordAuthenticationFilterattemptAuthentication
方法,让其能够接收请求体。
另外,默认successfulAuthentication
方法在认证通过后,是把用户信息直接放入session就完事了,现在我们需要修改这个方法,在认证通过后生成token并返回给用户。
身份校验:
原来BasicAuthenticationFilter过滤器中doFilterInternal方法校验用户是否登录,就是看session中是否有用户信息,我们要修改为,验证用户携带的token是否合法,并解析出用户信息,交给SpringSecurity,以便于后续的授权功能可以正常使用。
2.具体实现为了演示单点登录的效果,我们设计如下项目结构
2.1父工程创建因为本案例需要创建多个系统,所以我们使用maven聚合工程来实现,首先创建一个父工程,导入springboot的父依赖即可
<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.1.3.RELEASE</version><relativePath/></parent>
2.2公共工程创建 然后创建一个common工程,其他工程依赖此系统
导入JWT相关的依赖
<dependencies><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>0.10.7</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>0.10.7</version><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>0.10.7</version><scope>runtime</scope></dependency><!--jackson包--><dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.9</version></dependency><!--日志包--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-logging</artifactId></dependency><dependency><groupId>joda-time</groupId><artifactId>joda-time</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId></dependency></dependencies>
创建相关的工具类
Payload
@Datapublic class Payload <T>{private String id;private T userInfo;private Date expiration;}
JsonUtils
public classJsonUtils{public static final ObjectMapper mapper = new ObjectMapper;private static final Logger logger = LoggerFactory.getLogger(JsonUtils.class);public static String toString(Object obj) {if (obj == ) {return ;}if (obj.getClass == String.class) {return (String) obj;}try {return mapper.writevalueAsString(obj);} catch (JsonProcessingException e) {logger.error("json序列化出错:" + obj, e);return ;}}public static <T> T toBean(String json, Class<T> tClass) {try {return mapper.readValue(json, tClass);} catch (IOException e) {logger.error("json解析出错:" + json, e);return ;}}public static <E> List<E> toList(String json, Class<E> eClass) {try {return mapper.readValue(json, mapper.getTypeFactory.constructCollectionType(List.class, eClass));} catch (IOException e) {logger.error("json解析出错:" + json, e);return ;}}public static <K, V> Map<K, V> toMap(String json, Class<K> kClass, Class<V> vClass) {try {return mapper.readValue(json, mapper.getTypeFactory.constructMapType(Map.class, kClass, vClass));} catch (IOException e) {logger.error("json解析出错:" + json, e);return ;}}public static <T> T nativeRead(String json, TypeReference<T> type) {try {return mapper.readValue(json, type);} catch (IOException e) {logger.error("json解析出错:" + json, e);return ;}}}
JwtUtils
public classJwtUtils{private static final String JWT_PAYLOAD_USER_KEY = "user";public static String generateTokenExpireInMinutes(Object userInfo, PrivateKey privateKey, int expire) {return Jwts.builder.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo)).setId(createJTI).setExpiration(DateTime.now.plusMinutes(expire).toDate).signWith(privateKey, SignatureAlgorithm.RS256).compact;}public static String generateTokenExpireInSeconds(Object userInfo, PrivateKey privateKey, int expire) {return Jwts.builder.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo)).setId(createJTI).setExpiration(DateTime.now.plusSeconds(expire).toDate).signWith(privateKey, SignatureAlgorithm.RS256).compact;}private static Jws<Claims> parserToken(String token, PublicKey publicKey) {return Jwts.parser.setSigningKey(publicKey).parseClaimsJws(token);}private static String createJTI {return new String(base64.getEncoder.encode(UUID.randomUUID.toString.getBytes));}public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey, Class<T> userType) {Jws<Claims> claimsJws = parserToken(token, publicKey);Claims body = claimsJws.getBody;Payload<T> claims = new Payload<>;claims.setId(body.getId);claims.setUserInfo(JsonUtils.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString, userType));claims.setExpiration(body.getExpiration);return claims;}public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey) {Jws<Claims> claimsJws = parserToken(token, publicKey);Claims body = claimsJws.getBody;Payload<T> claims = new Payload<>;claims.setId(body.getId);claims.setExpiration(body.getExpiration);return claims;}}
RsaUtils
public classRsaUtils{private static final int DEFAULT_KEY_SIZE = 2048;public static PublicKey getPublicKey(String filename) throws Exception {byte bytes = readFile(filename);return getPublicKey(bytes);}public static PrivateKey getPrivateKey(String filename) throws Exception {byte bytes = readFile(filename);return getPrivateKey(bytes);}private static PublicKey getPublicKey(byte[] bytes) throws Exception {bytes = base64.getDecoder.decode(bytes);X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);KeyFactory factory = KeyFactory.getInstance("RSA");return factory.generatePublic(spec);}private static PrivateKey getPrivateKey(byte[] bytes) throws NoSuchAlgorithmException, InvalidKeySpecException {bytes = base64.getDecoder.decode(bytes);PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);KeyFactory factory = KeyFactory.getInstance("RSA");return factory.generatePrivate(spec);}public static void generateKey(String publicKeyFilename, String privateKeyFilename, String secret, int keySize) throws Exception {KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");SecureRandom secureRandom = new SecureRandom(secret.getBytes);keyPairGenerator.initialize(Math.max(keySize, DEFAULT_KEY_SIZE), secureRandom);KeyPair keyPair = keyPairGenerator.genKeyPair;// 获取公钥并写出byte publicKeyBytes = keyPair.getPublic.getEncoded;publicKeyBytes = base64.getEncoder.encode(publicKeyBytes);writeFile(publicKeyFilename, publicKeyBytes);// 获取私钥并写出byte privateKeyBytes = keyPair.getPrivate.getEncoded;privateKeyBytes = base64.getEncoder.encode(privateKeyBytes);writeFile(privateKeyFilename, privateKeyBytes);}private static byte readFile(String fileName) throws Exception {return Files.readAllBytes(new File(fileName).toPath);}private static void writeFile(String destPath, byte[] bytes) throws IOException {File dest = new File(destPath);if (!dest.exists) {dest.createNewFile;}Files.write(dest.toPath, bytes);}}
在通用子模块中编写测试类生成rsa公钥和私钥
public classJwtTest{private String privateKey = "c:/tools/auth_key/id_key_rsa";private String publicKey = "c:/tools/auth_key/id_key_rsa.pub";@Testpublic void test1 throws Exception{RsaUtils.generateKey(publicKey,privateKey,"dpb",1024);}}
2.3认证系统创建 接下来我们创建我们的认证服务。
导入相关的依赖
<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><artifactId>security-jwt-common</artifactId><groupId>com.dpb</groupId><version>1.0-SNAPSHOT</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.1.0</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.10</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-configuration-processor</artifactId><optional>true</optional></dependency></dependencies>
创建配置文件
spring:datasource:driver-class-name: com.mysql.jdbc.Driverurl: jdbc:mysql://localhost:3306/srmusername: rootpassword: 123456type: com.alibaba.druid.pool.DruidDataSourcemybatis:type-aliases-package: com.dpb.domainmapper-locations: classpath:mapper@PostConstructpublic void createRsaKey throws Exception {publicKey = RsaUtils.getPublicKey(pubKeyFile);privateKey = RsaUtils.getPrivateKey(priKeyFile);}}创建启动类
@SpringBootApplication@MapperScan("com.dpb.mapper")@EnableConfigurationProperties(RsaKeyProperties.class)public class App {public static void main(String[] args) {SpringApplication.run(App.class,args);}}
完成数据认证的逻辑
pojo
@Datapublic class RolePojo implements GrantedAuthority {private Integer id;private String roleName;private String roleDesc;@JsonIgnore@Overridepublic String getAuthority {return roleName;}}
@DatapublicclassUserPojoimplementsUserDetails{private Integer id;private String username;private String password;private Integer status;private List<RolePojo> roles;@JsonIgnore@Overridepublic Collection<? extends GrantedAuthority> getAuthorities {List<SimpleGrantedAuthority> auth = new ArrayList<>;auth.add(new SimpleGrantedAuthority("ADMIN"));return auth;}@Overridepublic String getPassword {return this.password;}@Overridepublic String getUsername {return this.username;}@JsonIgnore@OverridepublicbooleanisAccountNonExpired {return true;}@JsonIgnore@OverridepublicbooleanisAccountNonLocked {return true;}@JsonIgnore@OverridepublicbooleanisCredentialsNonExpired {return true;}@JsonIgnore@OverridepublicbooleanisEnabled {return true;}}
Mapper接口
public interface UserMapper {public UserPojo queryByUserName(@Param("userName") String userName);}
Mapper映射文件
<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.dpb.mapper.UserMapper"><select id="queryByUserName" resultType="UserPojo">select * from t_user where username = #{userName}</select></mapper>
Service
public interfaceUserServiceextendsUserDetailsService{}
@Service@TransactionalpublicclassUserServiceImplimplementsUserService{@Autowiredprivate UserMapper mapper;@Overridepublic UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {UserPojo user = mapper.queryByUserName(s);return user;}}
自定义认证过滤器
public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;private RsaKeyProperties prop;public TokenLoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {this.authenticationManager = authenticationManager;this.prop = prop;}public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {try {UserPojo sysUser = new ObjectMapper.readValue(request.getInputStream, UserPojo.class);UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(sysUser.getUsername, sysUser.getPassword);return authenticationManager.authenticate(authRequest);}catch (Exception e){try {response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);PrintWriter out = response.getWriter;Map resultMap = new HashMap;resultMap.put("code", HttpServletResponse.SC_UNAUTHORIZED);resultMap.put("msg", "用户名或密码错误!");out.write(new ObjectMapper.writevalueAsString(resultMap));out.flush;out.close;}catch (Exception outEx){outEx.printStackTrace;}throw new RuntimeException(e);}}public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {UserPojo user = new UserPojo;user.setUsername(authResult.getName);user.setRoles((List<RolePojo>)authResult.getAuthorities);String token = JwtUtils.generateTokenExpireInMinutes(user, prop.getPrivateKey, 24 * 60);response.addHeader("Authorization", "Bearer "+token);try {response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_OK);PrintWriter out = response.getWriter;Map resultMap = new HashMap;resultMap.put("code", HttpServletResponse.SC_OK);resultMap.put("msg", "认证通过!");out.write(new ObjectMapper.writevalueAsString(resultMap));out.flush;out.close;}catch (Exception outEx){outEx.printStackTrace;}}}
自定义校验token的过滤器
public class TokenVerifyFilter extends BasicAuthenticationFilter {private RsaKeyProperties prop;public TokenVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {super(authenticationManager);this.prop = prop;}public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {String header = request.getHeader("Authorization");if (header == || !header.startsWith("Bearer ")) {//如果携带错误的token,则给用户提示请登录!chain.doFilter(request, response);response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_FORBIDDEN);PrintWriter out = response.getWriter;Map resultMap = new HashMap;resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);resultMap.put("msg", "请登录!");out.write(new ObjectMapper.writevalueAsString(resultMap));out.flush;out.close;} else {//如果携带了正确格式的token要先得到tokenString token = header.replace("Bearer ", "");//验证tken是否正确Payload<UserPojo> payload = JwtUtils.getInfoFromToken(token, prop.getPublicKey, UserPojo.class);UserPojo user = payload.getUserInfo;if(user!=){UsernamePasswordAuthenticationToken authResult = new UsernamePasswordAuthenticationToken(user.getUsername, , user.getAuthorities);SecurityContextHolder.getContext.setAuthentication(authResult);chain.doFilter(request, response);}}}}
编写SpringSecurity的配置类
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled=true)public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserService userService;@Autowiredprivate RsaKeyProperties prop;@Beanpublic BCryptPasswordEncoder passwordEncoder{return new BCryptPasswordEncoder;}//指定认证对象的来源public void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userService).passwordEncoder(passwordEncoder);}//SpringSecurity配置信息public void configure(HttpSecurity http) throws Exception {http.csrf.disable.authorizeRequests.antMatchers("/user/query").hasAnyRole("ADMIN").anyRequest.authenticated.and.addFilter(new TokenLoginFilter(super.authenticationManager, prop)).addFilter(new TokenVerifyFilter(super.authenticationManager, prop)).sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS);}}
启动服务测试
启动服务
通过Postman来访问测试
根据token信息我们访问其他资源
2.4资源系统创建说明
资源服务可以有很多个,这里只拿产品服务为例,记住,资源服务中只能通过公钥验证认证。不能签发token!创建产品服务并导入jar包根据实际业务导包即可,咱们就暂时和认证服务一样了。
接下来我们再创建一个资源服务
导入相关的依赖
<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><artifactId>security-jwt-common</artifactId><groupId>com.dpb</groupId><version>1.0-SNAPSHOT</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.1.0</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.10</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-configuration-processor</artifactId><optional>true</optional></dependency></dependencies>
编写产品服务配置文件
切记这里只能有公钥地址!
server:port: 9002spring:datasource:driver-class-name: com.mysql.jdbc.Driverurl: jdbc:mysql://localhost:3306/srmusername: rootpassword: 123456type: com.alibaba.druid.pool.DruidDataSourcemybatis:type-aliases-package: com.dpb.domainmapper-locations: classpath:mapper@PostConstructpublic void createRsaKey throws Exception {publicKey = RsaUtils.getPublicKey(pubKeyFile);}}
编写启动类
@SpringBootApplication@MapperScan("com.dpb.mapper")@EnableConfigurationProperties(RsaKeyProperties.class)public class App {public static void main(String[] args) {SpringApplication.run(App.class,args);}}
复制认证服务中,用户对象,角色对象和校验认证的接口
复制认证服务中的相关内容即可
复制认证服务中SpringSecurity配置类做修改
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled=true)public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserService userService;@Autowiredprivate RsaKeyProperties prop;@Beanpublic BCryptPasswordEncoder passwordEncoder{return new BCryptPasswordEncoder;}//指定认证对象的来源public void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userService).passwordEncoder(passwordEncoder);}//SpringSecurity配置信息public void configure(HttpSecurity http) throws Exception {http.csrf.disable.authorizeRequests//.antMatchers("/user/query").hasAnyRole("USER").anyRequest.authenticated.and.addFilter(new TokenVerifyFilter(super.authenticationManager, prop))// 禁用掉session.sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS);}}
去掉“增加自定义认证过滤器”即可!
编写产品处理器
@RestController@RequestMapping("/user")publicclassUserController{@RequestMapping("/query")public String query{return "success";}@RequestMapping("/update")public String update{return "update";}}
测试