
我正在使用 Spring Cloud Security 和 OAuth2 來保護我的微服務（題目：使用 Spring Cloud Security OAuth2 保護微服務）。目前的設置如下:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>com.oreilly.cloud</groupId> 
<artifactId>spring-microservices-oauth-server</artifactId> 
<version>0.0.1-SNAPSHOT</version> 
<packaging>jar</packaging> 

<name>spring-microservices-oauth-server</name> 
<description>Demo project for Spring Boot</description> 

<parent> 
    <groupId>org.springframework.boot</groupId> 
    <artifactId>spring-boot-starter-parent</artifactId> 
    <version>1.5.7.RELEASE</version> 
    <relativePath/> <!-- lookup parent from repository --> 
</parent> 

<properties> 
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> 
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> 
    <java.version>1.8</java.version> 
    <spring-cloud.version>Dalston.SR3</spring-cloud.version> 
</properties> 

<dependencies> 
    <dependency> 
     <groupId>org.springframework.cloud</groupId> 
     <artifactId>spring-cloud-starter-oauth2</artifactId> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework.boot</groupId> 
     <artifactId>spring-boot-starter-jdbc</artifactId> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework.boot</groupId> 
     <artifactId>spring-boot-starter-security</artifactId> 
    </dependency> 

    <dependency> 
     <groupId>org.hsqldb</groupId> 
     <artifactId>hsqldb</artifactId> 
     <scope>runtime</scope> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework.boot</groupId> 
     <artifactId>spring-boot-starter-test</artifactId> 
     <scope>test</scope> 
    </dependency> 
</dependencies> 

<dependencyManagement> 
    <dependencies> 
     <dependency> 
      <groupId>org.springframework.cloud</groupId> 
      <artifactId>spring-cloud-dependencies</artifactId> 
      <version>${spring-cloud.version}</version> 
      <type>pom</type> 
      <scope>import</scope> 
     </dependency> 
    </dependencies> 
</dependencyManagement> 

<build> 
    <plugins> 
     <plugin> 
      <groupId>org.springframework.boot</groupId> 
      <artifactId>spring-boot-maven-plugin</artifactId> 
     </plugin> 
    </plugins> 
</build> 

<repositories> 
    <repository> 
     <id>spring-snapshots</id> 
     <name>Spring Snapshots</name> 
     <url>https://repo.spring.io/snapshot</url> 
     <snapshots> 
      <enabled>true</enabled> 
     </snapshots> 
    </repository> 
    <repository> 
     <id>spring-milestones</id> 
     <name>Spring Milestones</name> 
     <url>https://repo.spring.io/milestone</url> 
     <snapshots> 
      <enabled>false</enabled> 
     </snapshots> 
    </repository> 
</repositories> 

Spring Boot 主類如下:

package com.oreilly.cloud; 

import org.springframework.boot.SpringApplication; 
import org.springframework.boot.autoconfigure.SpringBootApplication; 
import org.springframework.security.access.prepost.PreAuthorize; 
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.bind.annotation.RestController; 

/**
 * Entry point of the demo: one Spring Boot application that plays three roles at once --
 * OAuth2 authorization server, OAuth2 resource server and REST controller -- with
 * method-level security ({@code @PreAuthorize}) switched on.
 */
@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringMicroservicesOauthServerApplication {

    /** Body returned by the protected endpoint (kept verbatim). */
    private static final String PROTECTED_MESSAGE =
            "This message is protected by the resource server.";

    /**
     * Boots the application.
     *
     * @param args command-line arguments handed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(SpringMicroservicesOauthServerApplication.class, args);
    }

    /**
     * Protected resource. The method-security rule requires ROLE_ADMIN; of the two in-memory
     * users registered in WebSecurityConfig only "admin" carries that role, so a token issued
     * for "user1" (as in the token request shown on this page) is rejected by this rule even
     * once the filter-chain question is resolved.
     *
     * @return the protected message
     */
    @RequestMapping("/resource/endpoint")
    @PreAuthorize("hasRole('ADMIN')")
    public String endpoint() {
        return PROTECTED_MESSAGE;
    }
}

授權服務器配置如下:

package com.oreilly.cloud; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.authentication.AuthenticationManager; 
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; 
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer; 

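/**
 * Authorization-server side of the demo: hands the application's AuthenticationManager to the
 * token endpoint and registers the single OAuth2 client allowed to use it.
 */
@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /** Bean published by WebSecurityConfig#authenticationManagerBean(); required for the password grant. */
    @Autowired
    private AuthenticationManager authManager;

    /**
     * Wires the AuthenticationManager into the token endpoint so the password grant can verify
     * resource-owner credentials.
     *
     * @param endpoints endpoint configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authManager);
    }

    /**
     * Registers the in-memory client "webapp".
     *
     * <p>{@code scopes} is varargs. The previous single argument {@code "read,write,trust"}
     * registered ONE scope literally named "read,write,trust" -- which is exactly what the token
     * response on this page echoes back. Passing three arguments registers the three scopes that
     * were evidently intended, so per-scope access checks can work.
     *
     * <p>The client secret is a plaintext literal in source. That is tolerable for a POC; beyond
     * one it belongs in externalised configuration and should be stored encoded.
     *
     * @param clients client-details configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("webapp")
                .secret("websecret")
                .authorizedGrantTypes("password")
                .scopes("read", "write", "trust");
    }

}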

注意，驗證管理器（AuthenticationManager）被自動裝配到上面的授權服務器配置中。

驗證管理器在下面的類中進行配置，並作爲一個 bean 返回，以便它可以被裝配到上面的類中:

package com.oreilly.cloud; 

import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.authentication.AuthenticationManager; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 

/**
 * Web-security side of the demo: defines the two in-memory users and exposes the resulting
 * AuthenticationManager as a bean so that AuthorizationServerConfig can autowire it.
 *
 * <p>NOTE(review): configure(HttpSecurity) is not overridden, so this adapter keeps
 * WebSecurityConfigurerAdapter's default chain (every request authenticated, form login and
 * HTTP Basic enabled) at the adapter's default order. The login page returned for
 * GET /resource/endpoint on this page looks like that chain answering before the resource
 * server's chain gets a chance -- confirm by checking the order of the two filter chains.
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the two users. Both passwords are plaintext literals, which only passes because
     * this is an in-memory POC.
     *
     * @param auth builder supplied by the framework
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user1").password("password1").roles("USER")
                .and()
                .withUser("admin").password("password2").roles("ADMIN");
    }

    /**
     * Publishes the adapter's AuthenticationManager as a Spring bean.
     *
     * @return the shared AuthenticationManager
     * @throws Exception propagated from the adapter
     */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

現在 application.properties 如下:

# Port on which the combined authorization + resource server listens.
server.port=9090

現在我用如下命令運行 Spring Boot 應用程序:

mvn spring-boot:run

應用程序成功啓動，並準備在 localhost 的 9090 端口上接受請求。

現在我使用 Postman 發送 POST 請求來獲取 access_token。一點背景：這裏使用的 OAuth2 流程是密碼授權（password grant）。所以在上面的 AuthorizationServerConfig 類中，我定義了密碼授權流程，並註冊了一個帶有客戶端名稱和密碼的簡單 Web 應用程序。可以看到客戶端配置在內存中。

從授權服務器獲取訪問令牌的 Postman 請求如下：這是一個 POST 請求，其 Basic 身份驗證標頭的用戶名爲 webapp、密碼爲 websecret。

http://localhost:9090/oauth/token?grant_type=password&username=user1&password=password1

該請求成功返回了如下的訪問令牌 JSON:

{ 
    "access_token": "2d632e54-17c3-41f7-af3b-935ca3022d78", 
    "token_type": "bearer", 
    "expires_in": 43199, 
    "scope": "read,write,trust" 
} 

現在，當我嘗試用上述訪問令牌訪問 /resource/endpoint:

http://localhost:9090/resource/endpoint?access_token=2d632e54-17c3-41f7-af3b-935ca3022d78

它沒有返回 /resource/endpoint 的文本響應，而是返回了如下的登錄頁面:

<!-- Spring Security's default generated login form (it posts to /login). Receiving it in
     response to GET /resource/endpoint?access_token=... means that request was handled by a
     filter chain configured for form login instead of being accepted on the bearer token. -->
<html>
    <head>
     <title>Login Page</title>
    </head>
    <body onload='document.f.username.focus();'>
     <h3>Login with Username and Password</h3>
     <form name='f' action='/login' method='POST'>
      <table>
       <tr>
        <td>User:</td>
        <td>
         <input type='text' name='username' value=''>
        </td>
       </tr>
       <tr>
        <td>Password:</td>
        <td>
         <input type='password' name='password'/>
        </td>
       </tr>
       <tr>
        <td colspan='2'>
         <input name="submit" type="submit" value="Login"/>
        </td>
       </tr>
       <input name="_csrf" type="hidden" value="8dbc1c38-6f89-43c5-a8f8-797c920722a1" />
      </table>
     </form>
    </body>
</html>

有人能幫我看看這裏遺漏了什麼嗎？

備註：我在同一個應用程序中同時配置了授權服務器和資源服務器。這是一個 POC，所以我在試驗 Spring Cloud 的安全機制，稍後我會把這兩者分開……但那是以後的事。


你的問題到底是什麼? –


你的令牌中 expires_in 的值看起來很奇怪……它對應的是什麼單位？肯定不是 tick，你能檢查一下嗎？ –


@WilliamHampshire 我的問題是：我通過訪問以下 URL 獲得訪問令牌：http://localhost:9090/oauth/token?grant_type=password&username=admin&password=password2（帶有指定客戶端用戶名和密碼的 Basic auth 頭），但如果我把 access_token 參數設置爲上述訪問令牌去訪問受保護的資源（/resource/endpoint），我得到的是一個登錄頁面，而不是我的端點應該返回的文本響應 – santhoshbhatti

回答


我通過查看 Spring Boot 的根（root）調試日誌找到了問題。

如果您使用yml

src/main/resources/application.yml 
---------------------------------- 
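# Boot logging config: `root` must be nested under `level`. As rendered here it sat at the same
# indentation as `level`, which sets logging.root and leaves logging.level empty instead of
# setting logging.level.root.
logging:
  level:
    root: DEBUG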

或者,如果properties

src/main/resources/application.properties 
---------------------------------- 
# Root DEBUG logging is what surfaced the "Access is denied (user is anonymous)" line quoted
# below; it is very verbose, so keep it to the diagnosis session.
logging.level.root=DEBUG

我意識到我在 GET 請求中沒有傳遞任何用戶身份驗證信息:

o.s.s.w.a.ExceptionTranslationFilter: Access is denied (user is anonymous); ... 

所以你可以做兩件事之一:

1. 通過 URL 參數添加憑據，例如:

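# Option 1 from the answer: resource-owner credentials appended as query parameters.
# The URL must be a single quoted string -- as printed above it contained a line break and
# indentation inside the quotes, which would be sent as part of the URL.
# Caveat: a username/password in the query string ends up in server access logs, proxy logs
# and shell history; a resource server is meant to be satisfied by the access token alone.
curl -X GET \
    'http://localhost:9090/resource/endpoint?username=user1&password=password1&access_token=xxxx'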

2. 通過 Basic 認證添加憑據，例如:

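# Option 2 from the answer: HTTP Basic credentials in a header (the closing quote of the header
# value was missing above).
# Note that no access_token is sent here at all, so the request is presumably accepted by the
# form/basic chain of WebSecurityConfig rather than by the resource server; this does not show
# that bearer-token access works.
curl -X GET \
    'http://localhost:9090/resource/endpoint?username=user1' \
    -H 'Authorization: Basic xxxxxxxxxxxxx'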

你也是從 safaribooksonline 上的《使用 Spring 構建微服務》課程來的嗎？:)

我發現了爲什麼講師沒有遇到這個問題。他之前肯定已經用用戶名/密碼認證過了——這似乎被緩存在某處，因爲在你這樣做一次之後，如果再只用 auth_token 調用該資源，它就能工作。