Spring Security OAuth项目已废弃,最新OAuth2.0支持由Spring Security提供。本指南详细介绍如何迁移至Spring Security,包括OAuth提供者和消费者的支持,OAuth1(a)及OAuth2.0特性。
Spring Security OAuth 介绍
Spring Security OAuth 是 Spring Security 的扩展模块,用于实现 OAuth 2.0 协议的认证与授权功能。它提供了 OAuth 2.0 客户端、资源服务器和授权服务器的支持,帮助开发者轻松实现安全的认证和授权机制。
核心功能
-
OAuth 2.0 客户端支持:
- 支持多种授权类型,如授权码模式、客户端凭证模式、密码模式等。
- 提供了
spring-boot-starter-oauth2-client依赖,用于快速集成 OAuth 2.0 客户端。
-
资源服务器支持:
- 提供了
@EnableResourceServer注解,用于将应用配置为资源服务器。 - 资源服务器负责保护资源(如 API),并验证访问令牌的有效性。
- 提供了
-
授权服务器支持:
- 提供了
@EnableAuthorizationServer注解,用于将应用配置为授权服务器。 - 支持自定义客户端信息、令牌存储方式和认证管理器。
- 提供了
-
单点登录(SSO):
- 支持通过 OAuth 2.0 实现单点登录,用户只需登录一次即可访问多个应用。
-
第三方登录:
- 支持通过集成 Google、GitHub 等第三方服务,用户可以使用已有的账户快速登录。
使用示例
-
添加依赖:
- 在项目中添加
spring-boot-starter-oauth2-client和spring-boot-starter-oauth2-resource-server依赖。
- 在项目中添加
-
配置 OAuth 2.0 客户端:
- 在
application.yml文件中配置 OAuth 2.0 客户端信息,例如 Google OAuth2:spring: security: oauth2: client: registration: google: client-id: YOUR_GOOGLE_CLIENT_ID client-secret: YOUR_GOOGLE_CLIENT_SECRET scope: profile, email redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}" client-name: Google provider: google: authorization-uri: https://accounts.google.com/o/oauth2/auth token-uri: https://oauth2.googleapis.com/token user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
- 在
-
配置资源服务器:
- 创建一个配置类,使用
@EnableResourceServer注解,并配置资源服务器的访问规则:@Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/api/public/**").permitAll() .antMatchers("/api/private/**").authenticated() .and() .oauth2Login(); } }
- 创建一个配置类,使用
-
配置授权服务器:
- 创建一个配置类,使用
@EnableAuthorizationServer注解,并配置授权服务器的客户端信息:@Configuration @EnableAuthorizationServer public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .authenticationManager(authenticationManager) .userDetailsService(new UserDetailsServiceImpl()); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients .inMemory() .withClient("client-id") .secret("client-secret") .authorizedGrantTypes("authorization_code", "refresh_token", "password") .scopes("read", "write") .redirectUris("http://localhost:8080/callback"); } }
- 创建一个配置类,使用
官方文档
- 更多详细信息可以参考 Spring Security OAuth 2.0 官方文档。
Spring Security OAuth 提供了强大的功能,用于实现 OAuth 2.0 协议的认证与授权,支持单点登录、第三方登录和资源保护等多种场景。
The Spring Security OAuth project is deprecated. The latest OAuth 2.0 support is provided by Spring Security. See the OAuth 2.0 Migration Guide for further details.
Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms.
Features
Support for OAuth providers and OAuth consumers
Oauth 1(a) (including two-legged OAuth, a.k.a. "Signed Fetch")
OAuth 2.0
Applying security to an application is not for the faint of heart, and OAuth is no exception. Before you get started, you’re going to want to make sure you understand OAuth and the problem it’s designed to address. There is good documentation at the OAuth site. You will also want to make sure you understand how Spring and Spring Security work.
You’re going to want to be quite familiar with both OAuth (and/or OAuth2) and Spring Security, to maximize the effectiveness of this developers guide. OAuth for Spring Security is tightly tied to both technologies, so the more familiar you are with them, the more likely you’ll be to recognize the terminology and patterns that are used.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
