http://www.baeldung.com/spring-security-oauth-jwt

****************************************************

1. Overview

In this tutorial we’ll discuss how to get our Spring Security OAuth2 implementation to make use of JSON Web Tokens.

We’re also continuing to built on top of the previous article in this OAuth series.

2. Maven Configuration

First, we need to add spring-security-jwt dependency to our pom.xml:

<dependency>

    <groupId>org.springframework.security</groupId>

    <artifactId>spring-security-jwt</artifactId>

</dependency>

Note that we need to add spring-security-jwt dependency to both Authorization Server and Resource Server.

3. Authorization Server

Next, we will configure our authorization server to use JwtTokenStore – as follows:

@Configuration

@EnableAuthorizationServer

public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override

    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        endpoints.tokenStore(tokenStore())

                 .accessTokenConverter(accessTokenConverter())

                 .authenticationManager(authenticationManager);

    }

    @Bean

    public TokenStore tokenStore() {

        return new JwtTokenStore(accessTokenConverter());

    }

    @Bean

    public JwtAccessTokenConverter accessTokenConverter() {

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

        converter.setSigningKey("123");

        return converter;

    }

    @Bean

    @Primary

    public DefaultTokenServices tokenServices() {

        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();

        defaultTokenServices.setTokenStore(tokenStore());

        defaultTokenServices.setSupportRefreshToken(true);

        return defaultTokenServices;

    }

}

Note that we used a symmetric key in our JwtAccessTokenConverter to sign our tokens – which means we will need to use the same exact key for the Resources Server as well.

4. Resource Server

Now, let’s take a look at our Resource Server configuration – which is very similar to the config of the Authorization Server:

@Configuration

@EnableResourceServer

public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override

    public void configure(ResourceServerSecurityConfigurer config) {

        config.tokenServices(tokenServices());

    }

    @Bean

    public TokenStore tokenStore() {

        return new JwtTokenStore(accessTokenConverter());

    }

    @Bean

    public JwtAccessTokenConverter accessTokenConverter() {

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

        converter.setSigningKey("123");

        return converter;

    }

    @Bean

    @Primary

    public DefaultTokenServices tokenServices() {

        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();

        defaultTokenServices.setTokenStore(tokenStore());

        return defaultTokenServices;

    }

}

Keep in mind that we’re defining these two servers as entirely separate and independently deployable. That’s the reason we need to declare some of the same beans again here, in the new configuration.

5. Custom Claims in the Token

Let’s now set up some infrastructure to be able to add a few custom claims in the Access Token.
The standard claims provided by the framework are all well and good,
but most of the time we’ll need some extra information in the token to
utilize on the client side.

We’ll define a TokenEnhancer to customize our Access Token with these additional claims.

In the following example, we will add an extra field “organization” to our Access Token – with this CustomTokenEnhancer:

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override

    public OAuth2AccessToken enhance(

     OAuth2AccessToken accessToken,

     OAuth2Authentication authentication) {

        Map<String, Object> additionalInfo = new HashMap<>();

        additionalInfo.put("organization", authentication.getName() + randomAlphabetic(4));

        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;

    }

}

Then, we’ll wire that into our Authorization Server configuration – as follows:

@Override

public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

    TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();

    tokenEnhancerChain.setTokenEnhancers(

      Arrays.asList(tokenEnhancer(), accessTokenConverter()));

    endpoints.tokenStore(tokenStore())

             .tokenEnhancer(tokenEnhancerChain)

             .authenticationManager(authenticationManager);

}

@Bean

public TokenEnhancer tokenEnhancer() {

    return new CustomTokenEnhancer();

}

With this new configuration up and running – here’s what a token token payload would look like:

{

    "user_name": "john",

    "scope": [

        "foo",

        "read",

        "write"

    ],

    "organization": "johnIiCh",

    "exp": 1458126622,

    "authorities": [

        "ROLE_USER"

    ],

    "jti": "e0ad1ef3-a8a5-4eef-998d-00b26bc2c53f",

    "client_id": "fooClientIdPassword"

}

5.1. Use the Access Token in the JS Client

Finally, we’ll want to make use of the token information over in our AngualrJS client application. We’ll use the angular-jwt library for that.

So what we’re going to do is we’re going to make use of the “organization” claim in our index.html:

<p class="navbar-text navbar-right">{{organization}}</p>

<script type="text/javascript"

  src="https://cdn.rawgit.com/auth0/angular-jwt/master/dist/angular-jwt.js">

</script>

<script>

var app = angular.module('myApp', ["ngResource","ngRoute", "ngCookies", "angular-jwt"]);

app.controller('mainCtrl', function($scope, $cookies, jwtHelper,...) {

    $scope.organiztion = "";

    function getOrganization(){

        var token = $cookies.get("access_token");

        var payload = jwtHelper.decodeToken(token);

        $scope.organization = payload.organization;

    }

    ...

});

6. Asymmetric KeyPair

In our previous configuration we used symmetric keys to sign our token:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    converter.setSigningKey("123");

    return converter;

}

We can also use asymmetric keys (Public and Private keys) to do the signing process.

6.1. Generate JKS Java KeyStore File

Let’s first generate the keys – and more specifically a .jks file – using the command line tool keytool:

keytool -genkeypair -alias mytest

                    -keyalg RSA

                    -keypass mypass

                    -keystore mytest.jks

                    -storepass mypass

The command will generate a file called mytest.jks which contains our keys -the Public and Private keys.

Also make sure keypass and storepass are the same.

6.2. Export Public Key

Next, we need to export our Public key from generated JKS, we can use the following command to do so:

keytool -list -rfc --keystore mytest.jks | openssl x509 -inform pem -pubkey

A sample response will look like this:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgIK2Wt4x2EtDl41C7vfp

OsMquZMyOyteO2RsVeMLF/hXIeYvicKr0SQzVkodHEBCMiGXQDz5prijTq3RHPy2

/5WJBCYq7yHgTLvspMy6sivXN7NdYE7I5pXo/KHk4nz+Fa6P3L8+L90E/3qwf6j3

DKWnAgJFRY8AbSYXt1d5ELiIG1/gEqzC0fZmNhhfrBtxwWXrlpUDT0Kfvf0QVmPR

xxCLXT+tEe1seWGEqeOLL5vXRLqmzZcBe1RZ9kQQm43+a9Qn5icSRnDfTAesQ3Cr

lAWJKl2kcWU1HwJqw+dZRSZ1X4kEXNMyzPdPBbGmU6MHdhpywI7SKZT7mX4BDnUK

eQIDAQAB

-----END PUBLIC KEY-----

-----BEGIN CERTIFICATE-----

MIIDCzCCAfOgAwIBAgIEGtZIUzANBgkqhkiG9w0BAQsFADA2MQswCQYDVQQGEwJ1

czELMAkGA1UECBMCY2ExCzAJBgNVBAcTAmxhMQ0wCwYDVQQDEwR0ZXN0MB4XDTE2

MDMxNTA4MTAzMFoXDTE2MDYxMzA4MTAzMFowNjELMAkGA1UEBhMCdXMxCzAJBgNV

BAgTAmNhMQswCQYDVQQHEwJsYTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN

AQEBBQADggEPADCCAQoCggEBAICCtlreMdhLQ5eNQu736TrDKrmTMjsrXjtkbFXj

Cxf4VyHmL4nCq9EkM1ZKHRxAQjIhl0A8+aa4o06t0Rz8tv+ViQQmKu8h4Ey77KTM

urIr1zezXWBOyOaV6Pyh5OJ8/hWuj9y/Pi/dBP96sH+o9wylpwICRUWPAG0mF7dX

eRC4iBtf4BKswtH2ZjYYX6wbccFl65aVA09Cn739EFZj0ccQi10/rRHtbHlhhKnj

iy+b10S6ps2XAXtUWfZEEJuN/mvUJ+YnEkZw30wHrENwq5QFiSpdpHFlNR8CasPn

WUUmdV+JBFzTMsz3TwWxplOjB3YacsCO0imU+5l+AQ51CnkCAwEAAaMhMB8wHQYD

VR0OBBYEFOGefUBGquEX9Ujak34PyRskHk+WMA0GCSqGSIb3DQEBCwUAA4IBAQB3

1eLfNeq45yO1cXNl0C1IQLknP2WXg89AHEbKkUOA1ZKTOizNYJIHW5MYJU/zScu0

yBobhTDe5hDTsATMa9sN5CPOaLJwzpWV/ZC6WyhAWTfljzZC6d2rL3QYrSIRxmsp

/J1Vq9WkesQdShnEGy7GgRgJn4A8CKecHSzqyzXulQ7Zah6GoEUD+vjb+BheP4aN

hiYY1OuXD+HsdKeQqS+7eM5U7WW6dz2Q8mtFJ5qAxjY75T0pPrHwZMlJUhUZ+Q2V

FfweJEaoNB9w9McPe1cAiE+oeejZ0jq0el3/dJsx3rlVqZN+lMhRJJeVHFyeb3XF

lLFCUGhA7hxn2xf3x1JW

-----END CERTIFICATE-----

We take only our Public key and copy it to our resource server src/main/resources/public.txt:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgIK2Wt4x2EtDl41C7vfp

OsMquZMyOyteO2RsVeMLF/hXIeYvicKr0SQzVkodHEBCMiGXQDz5prijTq3RHPy2

/5WJBCYq7yHgTLvspMy6sivXN7NdYE7I5pXo/KHk4nz+Fa6P3L8+L90E/3qwf6j3

DKWnAgJFRY8AbSYXt1d5ELiIG1/gEqzC0fZmNhhfrBtxwWXrlpUDT0Kfvf0QVmPR

xxCLXT+tEe1seWGEqeOLL5vXRLqmzZcBe1RZ9kQQm43+a9Qn5icSRnDfTAesQ3Cr

lAWJKl2kcWU1HwJqw+dZRSZ1X4kEXNMyzPdPBbGmU6MHdhpywI7SKZT7mX4BDnUK

eQIDAQAB

-----END PUBLIC KEY-----

6.3. Maven Configuration

Next, we don’t want the JKS file to be picked up by the maven filtering process – so we’ll make sure to exclude it in the pom.xml:

<build>

    <resources>

        <resource>

            <directory>src/main/resources</directory>

            <filtering>true</filtering>

            <excludes>

                <exclude>*.jks</exclude>

            </excludes>

        </resource>

    </resources>

</build>

If we’re using Spring Boot, we need to make sure that our JKS file is added to application classpath via the Spring Boot Maven Plugin – addResources:

<build>

    <plugins>

        <plugin>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-maven-plugin</artifactId>

            <configuration>

                <addResources>true</addResources>

            </configuration>

        </plugin>

    </plugins>

</build>

6.4. Authorization Server

Now, we will configure JwtAccessTokenConverter to use our KeyPair from mytest.jks – as follows:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    KeyStoreKeyFactory keyStoreKeyFactory =

      new KeyStoreKeyFactory(new ClassPathResource("mytest.jks"), "mypass".toCharArray());

    converter.setKeyPair(keyStoreKeyFactory.getKeyPair("mytest"));

    return converter;

}

6.5. Resource Server

Finally, we need to configure our resource server to use Public key – as follows:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    Resource resource = new ClassPathResource("public.txt");

    String publicKey = null;

    try {

        publicKey = IOUtils.toString(resource.getInputStream());

    } catch (final IOException e) {

        throw new RuntimeException(e);

    }

    converter.setVerifierKey(publicKey);

    return converter;

}

7. Conclusion

In this quick article we focused on setting up our Spring Security OAuth2 project to use JSON Web Tokens.

The full implementation of this tutorial can be found in the github project – this is an Eclipse based project, so it should be easy to import and run as it is.

Using JWT with Spring Security OAuth的更多相关文章

  1. 将JWT与Spring Security OAuth结合使用

    1.概述 在本教程中,我们将讨论如何使用Spring Security OAuth2实现来使用JSON Web令牌. 我们还将继续构建此OAuth系列的上一篇文章. 2. Maven配置 首先,我们需 ...

  2. Spring Security OAuth 2.0

    续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...

  3. Spring Security OAuth笔记

    因为工作需要,系统权限安全方面可能要用到Spring Security OAuth2.0,所以,近几天了解了一下OAuth相关的东西.目前好像还没有系统的学习资料,学习主要是通过博客,内容都是大同小异 ...

  4. Spring Security OAuth 2开发者指南译

    Spring Security OAuth 2开发者指南译 介绍 这是用户指南的支持OAuth 2.0.对于OAuth 1.0,一切都是不同的,所以看到它的用户指南. 本用户指南分为两部分,第一部分为 ...

  5. Spring Security + OAuth系统环境搭建(一)

    最近在做权限管理系统的重构工作,系统基于Spring Security + OAuth架构,整体架构.技术和之前调研的结果差不多,架构调研时有在这篇博客做过简单记录“Spring Cloud微服务下的 ...

  6. JWT和Spring Security集成

    通常情况下,把API直接暴露出去是风险很大的, 我们一般需要对API划分出一定的权限级别,然后做一个用户的鉴权,依据鉴权结果给予用户对应的API (一)JWT是什么,为什么要使用它? 互联网服务离不开 ...

  7. 【微服务】 数据库案例理解Spring Security OAuth

    突然被问,你是做技术的怎么不走技术路线呢?是啊~仔细想想至今做了这么多年的技术,研发过的系统&产品五花八门,涉及到的领域各行各业:政府.军队.公安.国安.石油&石化.金融.教育.华为等 ...

  8. Spring Security OAuth 格式化 token 输出

    个性化token 背景 上一篇文章<Spring Security OAuth 个性化token(一)>有提到,oauth2.0 接口默认返回的报文格式如下: {     "ac ...

  9. Spring Security OAuth 笔记

    1  单点登录 关于单点登录的原理,我觉得下面这位老哥讲的比较清楚,有兴趣可以看一下,下面我把其中的重点在此做个笔记总结 https://juejin.cn/post/6844904079274197 ...

随机推荐

  1. django 基础知识回顾

    内容回顾: 1. ajax参数 url: type: data: 1.value不能是字典 {k1:'v1',k2:[1,2,3,],k3; JSON.string} 2.$('').serilize ...

  2. 不要让Javascript的等价表格看上去那么难看

    时不时的会有人贴出一张表格,用来展现javascript的 '==' 比较出来的结果.像最近的这个例子,看看这张表格有多么的无序. 这些文章基本上都是对的,他们指出 '==' 设计的很糟糕.但是他们通 ...

  3. 编程算法 - 从1到n整数中1出现的次数 代码(C)

    从1到n整数中1出现的次数 代码(C) 本文地址: http://blog.csdn.net/caroline_wendy 题目: 输入一个整数n, 求从1到n这n个整数的十进制表示中1出现的次数. ...

  4. Orcla 数据库复习2 --子查询和表连接

    子查询和表连接  ①.查询挣钱最多的人的名字  SELECT ename,sal FROM emp  WHERE sal=(SELECT MAX(sal) FROM emp);  ②.查询有哪些人的工 ...

  5. 查看IE浏览器安装的插件

      请移步至文章:http://blog.sina.com.cn/u/6452627072  

  6. myDate97 设置开始时间和结束时间

      myDate97 设置开始时间和结束时间 CreationTime--2018年8月28日16点46分 Author:Marydon 1.简单示例 第一步:引入My97DatePicker/Wda ...

  7. 【Android】在build/envsetup.sh中添加自己的命令(函数)

    由于测试的需要,经常需要手动刷入boot.img和system.img,把它写到envsetup.sh就可以每次使用一行命令来代替了: function flashtestimage(){ if [[ ...

  8. 让zend studio 支持 redis函数自动提示

    phpredis作者https://github.com/nicolasff/phpredis 写了文档https://github.com/ukko/phpredis-phpdoc上面提到了如何让e ...

  9. 深入RecyclerView-为什么要使用ItemDecoration

    Part 1:不要用view做分割线 首先,什么是ItemDecoration?来看看官网是如何解释的. ItemDecoration允许从adapter的数据集合中为特定的item视图添加特性的绘制 ...

  10. 逻辑回归的相关问题及java实现

    本讲主要说下逻辑回归的相关问题和详细的实现方法 1. 什么是逻辑回归 逻辑回归是线性回归的一种,那么什么是回归,什么是线性回归 回归指的是公式已知,对公式中的未知參数进行预计,注意公式必须是已知的,否 ...