http://www.baeldung.com/spring-security-oauth-jwt

****************************************************

1. Overview

In this tutorial we’ll discuss how to get our Spring Security OAuth2 implementation to make use of JSON Web Tokens.

We’re also continuing to built on top of the previous article in this OAuth series.

2. Maven Configuration

First, we need to add spring-security-jwt dependency to our pom.xml:

<dependency>

    <groupId>org.springframework.security</groupId>

    <artifactId>spring-security-jwt</artifactId>

</dependency>

Note that we need to add spring-security-jwt dependency to both Authorization Server and Resource Server.

3. Authorization Server

Next, we will configure our authorization server to use JwtTokenStore – as follows:

@Configuration

@EnableAuthorizationServer

public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override

    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        endpoints.tokenStore(tokenStore())

                 .accessTokenConverter(accessTokenConverter())

                 .authenticationManager(authenticationManager);

    }

    @Bean

    public TokenStore tokenStore() {

        return new JwtTokenStore(accessTokenConverter());

    }

    @Bean

    public JwtAccessTokenConverter accessTokenConverter() {

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

        converter.setSigningKey("123");

        return converter;

    }

    @Bean

    @Primary

    public DefaultTokenServices tokenServices() {

        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();

        defaultTokenServices.setTokenStore(tokenStore());

        defaultTokenServices.setSupportRefreshToken(true);

        return defaultTokenServices;

    }

}

Note that we used a symmetric key in our JwtAccessTokenConverter to sign our tokens – which means we will need to use the same exact key for the Resources Server as well.

4. Resource Server

Now, let’s take a look at our Resource Server configuration – which is very similar to the config of the Authorization Server:

@Configuration

@EnableResourceServer

public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override

    public void configure(ResourceServerSecurityConfigurer config) {

        config.tokenServices(tokenServices());

    }

    @Bean

    public TokenStore tokenStore() {

        return new JwtTokenStore(accessTokenConverter());

    }

    @Bean

    public JwtAccessTokenConverter accessTokenConverter() {

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

        converter.setSigningKey("123");

        return converter;

    }

    @Bean

    @Primary

    public DefaultTokenServices tokenServices() {

        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();

        defaultTokenServices.setTokenStore(tokenStore());

        return defaultTokenServices;

    }

}

Keep in mind that we’re defining these two servers as entirely separate and independently deployable. That’s the reason we need to declare some of the same beans again here, in the new configuration.

5. Custom Claims in the Token

Let’s now set up some infrastructure to be able to add a few custom claims in the Access Token.
The standard claims provided by the framework are all well and good,
but most of the time we’ll need some extra information in the token to
utilize on the client side.

We’ll define a TokenEnhancer to customize our Access Token with these additional claims.

In the following example, we will add an extra field “organization” to our Access Token – with this CustomTokenEnhancer:

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override

    public OAuth2AccessToken enhance(

     OAuth2AccessToken accessToken,

     OAuth2Authentication authentication) {

        Map<String, Object> additionalInfo = new HashMap<>();

        additionalInfo.put("organization", authentication.getName() + randomAlphabetic(4));

        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;

    }

}

Then, we’ll wire that into our Authorization Server configuration – as follows:

@Override

public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

    TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();

    tokenEnhancerChain.setTokenEnhancers(

      Arrays.asList(tokenEnhancer(), accessTokenConverter()));

    endpoints.tokenStore(tokenStore())

             .tokenEnhancer(tokenEnhancerChain)

             .authenticationManager(authenticationManager);

}

@Bean

public TokenEnhancer tokenEnhancer() {

    return new CustomTokenEnhancer();

}

With this new configuration up and running – here’s what a token token payload would look like:

{

    "user_name": "john",

    "scope": [

        "foo",

        "read",

        "write"

    ],

    "organization": "johnIiCh",

    "exp": 1458126622,

    "authorities": [

        "ROLE_USER"

    ],

    "jti": "e0ad1ef3-a8a5-4eef-998d-00b26bc2c53f",

    "client_id": "fooClientIdPassword"

}

5.1. Use the Access Token in the JS Client

Finally, we’ll want to make use of the token information over in our AngualrJS client application. We’ll use the angular-jwt library for that.

So what we’re going to do is we’re going to make use of the “organization” claim in our index.html:

<p class="navbar-text navbar-right">{{organization}}</p>

<script type="text/javascript"

  src="https://cdn.rawgit.com/auth0/angular-jwt/master/dist/angular-jwt.js">

</script>

<script>

var app = angular.module('myApp', ["ngResource","ngRoute", "ngCookies", "angular-jwt"]);

app.controller('mainCtrl', function($scope, $cookies, jwtHelper,...) {

    $scope.organiztion = "";

    function getOrganization(){

        var token = $cookies.get("access_token");

        var payload = jwtHelper.decodeToken(token);

        $scope.organization = payload.organization;

    }

    ...

});

6. Asymmetric KeyPair

In our previous configuration we used symmetric keys to sign our token:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    converter.setSigningKey("123");

    return converter;

}

We can also use asymmetric keys (Public and Private keys) to do the signing process.

6.1. Generate JKS Java KeyStore File

Let’s first generate the keys – and more specifically a .jks file – using the command line tool keytool:

keytool -genkeypair -alias mytest

                    -keyalg RSA

                    -keypass mypass

                    -keystore mytest.jks

                    -storepass mypass

The command will generate a file called mytest.jks which contains our keys -the Public and Private keys.

Also make sure keypass and storepass are the same.

6.2. Export Public Key

Next, we need to export our Public key from generated JKS, we can use the following command to do so:

keytool -list -rfc --keystore mytest.jks | openssl x509 -inform pem -pubkey

A sample response will look like this:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgIK2Wt4x2EtDl41C7vfp

OsMquZMyOyteO2RsVeMLF/hXIeYvicKr0SQzVkodHEBCMiGXQDz5prijTq3RHPy2

/5WJBCYq7yHgTLvspMy6sivXN7NdYE7I5pXo/KHk4nz+Fa6P3L8+L90E/3qwf6j3

DKWnAgJFRY8AbSYXt1d5ELiIG1/gEqzC0fZmNhhfrBtxwWXrlpUDT0Kfvf0QVmPR

xxCLXT+tEe1seWGEqeOLL5vXRLqmzZcBe1RZ9kQQm43+a9Qn5icSRnDfTAesQ3Cr

lAWJKl2kcWU1HwJqw+dZRSZ1X4kEXNMyzPdPBbGmU6MHdhpywI7SKZT7mX4BDnUK

eQIDAQAB

-----END PUBLIC KEY-----

-----BEGIN CERTIFICATE-----

MIIDCzCCAfOgAwIBAgIEGtZIUzANBgkqhkiG9w0BAQsFADA2MQswCQYDVQQGEwJ1

czELMAkGA1UECBMCY2ExCzAJBgNVBAcTAmxhMQ0wCwYDVQQDEwR0ZXN0MB4XDTE2

MDMxNTA4MTAzMFoXDTE2MDYxMzA4MTAzMFowNjELMAkGA1UEBhMCdXMxCzAJBgNV

BAgTAmNhMQswCQYDVQQHEwJsYTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN

AQEBBQADggEPADCCAQoCggEBAICCtlreMdhLQ5eNQu736TrDKrmTMjsrXjtkbFXj

Cxf4VyHmL4nCq9EkM1ZKHRxAQjIhl0A8+aa4o06t0Rz8tv+ViQQmKu8h4Ey77KTM

urIr1zezXWBOyOaV6Pyh5OJ8/hWuj9y/Pi/dBP96sH+o9wylpwICRUWPAG0mF7dX

eRC4iBtf4BKswtH2ZjYYX6wbccFl65aVA09Cn739EFZj0ccQi10/rRHtbHlhhKnj

iy+b10S6ps2XAXtUWfZEEJuN/mvUJ+YnEkZw30wHrENwq5QFiSpdpHFlNR8CasPn

WUUmdV+JBFzTMsz3TwWxplOjB3YacsCO0imU+5l+AQ51CnkCAwEAAaMhMB8wHQYD

VR0OBBYEFOGefUBGquEX9Ujak34PyRskHk+WMA0GCSqGSIb3DQEBCwUAA4IBAQB3

1eLfNeq45yO1cXNl0C1IQLknP2WXg89AHEbKkUOA1ZKTOizNYJIHW5MYJU/zScu0

yBobhTDe5hDTsATMa9sN5CPOaLJwzpWV/ZC6WyhAWTfljzZC6d2rL3QYrSIRxmsp

/J1Vq9WkesQdShnEGy7GgRgJn4A8CKecHSzqyzXulQ7Zah6GoEUD+vjb+BheP4aN

hiYY1OuXD+HsdKeQqS+7eM5U7WW6dz2Q8mtFJ5qAxjY75T0pPrHwZMlJUhUZ+Q2V

FfweJEaoNB9w9McPe1cAiE+oeejZ0jq0el3/dJsx3rlVqZN+lMhRJJeVHFyeb3XF

lLFCUGhA7hxn2xf3x1JW

-----END CERTIFICATE-----

We take only our Public key and copy it to our resource server src/main/resources/public.txt:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgIK2Wt4x2EtDl41C7vfp

OsMquZMyOyteO2RsVeMLF/hXIeYvicKr0SQzVkodHEBCMiGXQDz5prijTq3RHPy2

/5WJBCYq7yHgTLvspMy6sivXN7NdYE7I5pXo/KHk4nz+Fa6P3L8+L90E/3qwf6j3

DKWnAgJFRY8AbSYXt1d5ELiIG1/gEqzC0fZmNhhfrBtxwWXrlpUDT0Kfvf0QVmPR

xxCLXT+tEe1seWGEqeOLL5vXRLqmzZcBe1RZ9kQQm43+a9Qn5icSRnDfTAesQ3Cr

lAWJKl2kcWU1HwJqw+dZRSZ1X4kEXNMyzPdPBbGmU6MHdhpywI7SKZT7mX4BDnUK

eQIDAQAB

-----END PUBLIC KEY-----

6.3. Maven Configuration

Next, we don’t want the JKS file to be picked up by the maven filtering process – so we’ll make sure to exclude it in the pom.xml:

<build>

    <resources>

        <resource>

            <directory>src/main/resources</directory>

            <filtering>true</filtering>

            <excludes>

                <exclude>*.jks</exclude>

            </excludes>

        </resource>

    </resources>

</build>

If we’re using Spring Boot, we need to make sure that our JKS file is added to application classpath via the Spring Boot Maven Plugin – addResources:

<build>

    <plugins>

        <plugin>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-maven-plugin</artifactId>

            <configuration>

                <addResources>true</addResources>

            </configuration>

        </plugin>

    </plugins>

</build>

6.4. Authorization Server

Now, we will configure JwtAccessTokenConverter to use our KeyPair from mytest.jks – as follows:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    KeyStoreKeyFactory keyStoreKeyFactory =

      new KeyStoreKeyFactory(new ClassPathResource("mytest.jks"), "mypass".toCharArray());

    converter.setKeyPair(keyStoreKeyFactory.getKeyPair("mytest"));

    return converter;

}

6.5. Resource Server

Finally, we need to configure our resource server to use Public key – as follows:

@Bean

public JwtAccessTokenConverter accessTokenConverter() {

    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();

    Resource resource = new ClassPathResource("public.txt");

    String publicKey = null;

    try {

        publicKey = IOUtils.toString(resource.getInputStream());

    } catch (final IOException e) {

        throw new RuntimeException(e);

    }

    converter.setVerifierKey(publicKey);

    return converter;

}

7. Conclusion

In this quick article we focused on setting up our Spring Security OAuth2 project to use JSON Web Tokens.

The full implementation of this tutorial can be found in the github project – this is an Eclipse based project, so it should be easy to import and run as it is.

Using JWT with Spring Security OAuth的更多相关文章

  1. 将JWT与Spring Security OAuth结合使用

    1.概述 在本教程中,我们将讨论如何使用Spring Security OAuth2实现来使用JSON Web令牌. 我们还将继续构建此OAuth系列的上一篇文章. 2. Maven配置 首先,我们需 ...

  2. Spring Security OAuth 2.0

    续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...

  3. Spring Security OAuth笔记

    因为工作需要,系统权限安全方面可能要用到Spring Security OAuth2.0,所以,近几天了解了一下OAuth相关的东西.目前好像还没有系统的学习资料,学习主要是通过博客,内容都是大同小异 ...

  4. Spring Security OAuth 2开发者指南译

    Spring Security OAuth 2开发者指南译 介绍 这是用户指南的支持OAuth 2.0.对于OAuth 1.0,一切都是不同的,所以看到它的用户指南. 本用户指南分为两部分,第一部分为 ...

  5. Spring Security + OAuth系统环境搭建(一)

    最近在做权限管理系统的重构工作,系统基于Spring Security + OAuth架构,整体架构.技术和之前调研的结果差不多,架构调研时有在这篇博客做过简单记录“Spring Cloud微服务下的 ...

  6. JWT和Spring Security集成

    通常情况下,把API直接暴露出去是风险很大的, 我们一般需要对API划分出一定的权限级别,然后做一个用户的鉴权,依据鉴权结果给予用户对应的API (一)JWT是什么,为什么要使用它? 互联网服务离不开 ...

  7. 【微服务】 数据库案例理解Spring Security OAuth

    突然被问,你是做技术的怎么不走技术路线呢?是啊~仔细想想至今做了这么多年的技术,研发过的系统&产品五花八门,涉及到的领域各行各业:政府.军队.公安.国安.石油&石化.金融.教育.华为等 ...

  8. Spring Security OAuth 格式化 token 输出

    个性化token 背景 上一篇文章<Spring Security OAuth 个性化token(一)>有提到,oauth2.0 接口默认返回的报文格式如下: {     "ac ...

  9. Spring Security OAuth 笔记

    1  单点登录 关于单点登录的原理,我觉得下面这位老哥讲的比较清楚,有兴趣可以看一下,下面我把其中的重点在此做个笔记总结 https://juejin.cn/post/6844904079274197 ...

随机推荐

  1. ZZY的宠物(矩阵运算+快速幂)

    E :ZZY的宠物 描述 ZZY领养了一对刚刚出生的不知名小宠物..巨萌巨可爱!!...小宠物的生命为5个单位时间并且不会在中间出意外翘辫子(如: 从0出生能活到5但活不到6)..小宠物经过2个单位时 ...

  2. calibre,完成对各种格式的电子书籍的管理和格式转换及同步

    Calibre是免费的电子书制作.阅读软件,源代码开放,拥有跨平台的设计,支持多个基于不同系统的便携式移动设备,包括苹果iPhone.Amazon电子书等设备.它是一个完整的电子图书馆,包括图书馆管理 ...

  3. RS报表自动适应屏幕分辨率大小

    问题:同一个报表,由于用户电脑显示器大小,分辨率大小不同显示的不一样,看起来不完整或者很不协调 原因:设计报表大小属性的时候使用了固定值属性,比如限制为宽:1200px 那么在电脑屏幕小分辨率很小的情 ...

  4. Java打包生成exe(使用exe4j和inno setup)

    Java打包生成exe 生成jar 先使用eclipse生成可执行的jar[可执行的jar包含内容更全面,包括指定主类的.mf] Exe4j的使用 一定要可执行jar进行打包. Project typ ...

  5. Flutter 动画使用

    旋转动画  透明度变换动画  在Android中,可以通过View.animate()对视图进行动画处理,那在Flutter中怎样才能对Widget进行处理 在Flutter中,可以通过动画库给wid ...

  6. 算法笔记_037:寻找和为定值的两个数(Java)

    目录 1 问题描述 2 解决方案 2.1 排序夹逼法   1 问题描述 输入一个整数数组和一个整数,在数组中查找两个数,满足他们的和正好是输入的那个整数.如果有多对数的和等于输入的整数,输出任意一对即 ...

  7. QtGui.QLineEdit

    A QtGui.QLineEdit is a widget that allows to enter and edit a single line of plain text. There are u ...

  8. Kubuntu 初始配置

    1.中文配置 系统设置中地区选择中国.语系使用简体中文(一開始可能仅仅有英文选项,似乎是更新后能够选择其它语言了) 安装中文字体: sudo apt-get install ttf-wqy-micro ...

  9. Hadoop集群+Spark集群搭建(一篇文章就够了)

    本文档环境基于ubuntu16.04版本,(转发请注明出处:http://www.cnblogs.com/zhangyongli2011/ 如发现有错,请留言,谢谢) 一.准备 1.1 软件版本 Ub ...

  10. JAVA变量的执行顺序

    对于静态变量.静态初始化块.变量.初始化块.构造器,它们的初始化顺序以此是(静态变量.静态初始化块)>(变量.初始化块)>构造器.我们也可以通过下面的测试代码来验证这一点: package ...