Shulou(Shulou.com)06/02 Report--

Editor to share with you how to solve the token storage problem of using JWT as Spring Security OAuth2. I hope you will get something after reading this article. Let's discuss it together.

Order

Spring Security OAuth3's demo has been mentioned in previous articles. In those modes, RemoteTokenService calls the authorization server to verify the token and returns the verified user information to be obtained in the context.

This way will increase the load on the authorization server, you think, when the user is not authorized to obtain token, you have to find the authorization server. If you have token to access the resource server, you also have to access the authorization server. This is equivalent to saying that every request has to access the authorization server, so the load on the authorization server will be very heavy.

There are two conventional ways to solve this problem:

Using JWT as Token delivery

Using Redis to store Token, the resource server accesses Redis locally to verify Token

Both JWT and Redis can be used to verify Token in the resource server, thus reducing the workload of the authorization server.

JWT uses the HMACSHA256 symmetric encryption algorithm by default. The following records the integration of the default algorithm with the asymmetric RSA algorithm. The encryption and decryption test methods using different algorithms are consistent, so put it at the end of the article.

Authorization server integrates JWT-- symmetric encryption and decryption algorithm

The overall code structure of the authorization server

Introducing dependency into pom.xml

Org.springframework.boot spring-boot-starter-security 2.2.1.RELEASE org.springframework.security.oauth spring-security-oauth3 2.4.0.RELEASE org.springframework.security spring-security-jwt 1.1.0.RELEASE

SecurityConfig configuration, mainly need to explicitly declare AuthenticationManager and UserDetailsService these two bean

@ Configuration@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {@ Bean public AuthenticationManager authenticationManager () throws Exception {return super.authenticationManager ();} @ Bean public UserDetailsService userDetailsService () {/ / mainly configure this Bean to inject return super.userDetailsService () into the authorization server configuration;} @ Bean public PasswordEncoder passwordEncoder () {return new BCryptPasswordEncoder () } @ Override protected void configure (AuthenticationManagerBuilder auth) throws Exception {/ / @ formatter: off auth.inMemoryAuthentication () .withUser ("hellxz") .password (passwordEncoder (). Encode ("xyz")) .authorities (Collections.emptyList ()) / / @ formatter: on} @ Override protected void configure (HttpSecurity http) throws Exception {http.authorizeRequests () .anyRequest () .authenticated () / / all requests need to be authenticated. And () .httpBasic () / / Basic submit .and () .csrf () .disable () / / Cross-domain protection}}

Authorization server configuration AuthorizationConfig

@ Configuration@EnableAuthorizationServer / / Open the authorization service public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {@ Autowired private AuthenticationManager authenticationManager; @ Autowired public UserDetailsService userDetailsService; @ Autowired private PasswordEncoder passwordEncoder; @ Override public void configure (AuthorizationServerSecurityConfigurer security) throws Exception {/ / allow form submission to security.allowFormAuthenticationForClients () .checkTokenAccess ("permitAll ()") .tokenK eyAccess ("permitAll ()") } @ Override public void configure (ClientDetailsServiceConfigurer clients) throws Exception {/ / @ formatter: off clients.inMemory () .withClient ("client-a") / / the password of the client that uniquely identifies .secret (passwordEncoder.encode ("client-a-secret")) / / client-a The password here should be the encrypted .authorizedGrantTypes ("authorization_code", "password", "refresh_token") / / authorization mode identification. Here the main test uses password mode, and refresh_token is not a mode. But you can use it to refresh access_token (within its validity) .scopes ("read_user_info") / scope .resourceIds ("resource1") / / resource id. If you do not need to restrict the resource id, note here .redirectUris ("http://localhost:9001/callback");"). / / callback address / / @ formatter: on} @ Override public void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints.authenticationManager (authenticationManager) .userDe tailsService (userDetailsService) .tokenStore (jwtTokenStore ()) / / set jwtToken to tokenStore .accessTokenConverter (jwtAccessTokenConverter ()) / / set access_token converter} / * jwt access token converter * / @ Bean public JwtAccessTokenConverter jwtAccessTokenConverter () {JwtAccessTokenConverter converter = new JwtAccessTokenConverter (); converter.setSigningKey ("my-sign-key"); / / Resource server needs to configure this option to decrypt the token return converter of jwt } / token storage object of jwt * / @ Bean public JwtTokenStore jwtTokenStore () {return new JwtTokenStore (jwtAccessTokenConverter ());}}

Here, we mainly add the tokenStore and access_token converters of JWT to the endpoint configuration of configure (AuthorizationServerEndpointsConfigurer endpoints) authorization service, and the declaration Bean method of both.

The default symmetric MAC algorithm is used here, that is, encryption and decryption use the same key

Instead of starting the class, open the main method of @ SpringBootApplicatin

Resource server integrates JWT-- symmetric encryption and decryption algorithm

The resource server mainly has one resource configuration class.

@ Configuration@EnableResourceServerpublic class ResourceConfig extends ResourceServerConfigurerAdapter {@ Bean public PasswordEncoder passwordEncoder () {return new BCryptPasswordEncoder ();} @ Override public void configure (HttpSecurity http) throws Exception {/ / set the creation of session policy http.sessionManagement (). SessionCreationPolicy (SessionCreationPolicy.IF_REQUIRED); / / @ formatter:off / / all requests must authorize http.authorizeRequests () .anyRequest (). Authenticated () / / @ formatter:on} @ Override public void configure (ResourceServerSecurityConfigurer resources) {/ / @ formatter:off / / if you do not need to restrict the resource id, remove the resourceIds configuration resources.resourceId ("resource1") .tokenStore (jwtTokenStore ()) in the authorization configuration. / / @ formatter:on} / * jwt accesses the token converter * / @ Bean public JwtAccessTokenConverter jwtAccessTokenConverter () {JwtAccessTokenConverter converter = new JwtAccessTokenConverter (); converter.setSigningKey ("my-sign-key"); / / same signingKey return converter as the license server } / token storage object of jwt * / @ Bean public JwtTokenStore jwtTokenStore () {return new JwtTokenStore (jwtAccessTokenConverter ());}}

The TokenStore and AccessTokenConverter for configuring JWT are the same as the authorization server. Add startup classes to complete the configuration.

OAuth integrates JWT-- asymmetric encryption and decryption RSA

This section is based on symmetric encryption and only shows the parts that need to be modified.

First, use keytool to generate a jks (Java Key Store) key, and enter information such as last name as prompted

Keytool-genkeypair-alias hellxz-jwt-validity 3650-keyalg RSA-keypass hellxzTest-keystore hellxz-jwt.jks-storepass hellxzTest

The generated private key file will be in the current directory and copy the hellxz-jwt.jks to the resources directory of the license server

The authorization server needs to modify jwtAccessTokenConverter ()

@ Bean public JwtAccessTokenConverter jwtAccessTokenConverter () {JwtAccessTokenConverter converter = new JwtAccessTokenConverter (); KeyStoreKeyFactory storeKeyFactory = new KeyStoreKeyFactory (new ClassPathResource ("hellxz-jwt.jks"), "hellxzTest" .toCharArray ()); converter.setKeyPair (storeKeyFactory.getKeyPair ("hellxz-jwt")); return converter;}

In the same directory as hellxz-jwt.jks, execute the command to generate the public key.

➜keytool-list-rfc-- keystore hellxz-jwt.jks | openssl x509-inform pem-pubkey

Enter KeyStore password: hellxzTest

-BEGIN PUBLIC KEY-

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU7zulFUVBXmZD28xwM4

Ul5e9yFrToLgWKHlNLlp904/GbiWBoZ4tcBcNq3VxLGBN9VOqfP1P5C7fRgz95UI

7ShKCKgsFFGL2rAqsplMDClN/adfsxmpF06rVIkGgce9tR0Q0iONcaN+b/lArK4T

Au76QsQwn9MLXlznVfczclZOZSfDNju+1JuBzqt6fEPWqalBUVYdV0zCUDG8ikN1

L9D0m1tSSaKpiTrU2yEUGUjiqi 79Ury7Y8BClEX6d4CTl9TQAhL5g32GoJEC0S2y+

0bqeqUsv1nUt9KiJT9kiOvA+Q7o2T8OHuqQT9le7kvmIi4gSX5vSNvvZagE2Uglh

ZQIDAQAB

-END PUBLIC KEY-

-BEGIN CERTIFICATE-

MIIDUTCCAjmgAwIBAgIEePeDczANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJD

TjEQMA4GA1UECBMHYmVpamluZzEQMA4GA1UEBxMHYmVpamluZzEKMAgGA1UEChMB

MDEKMAgGA1UECxMBMDEOMAwGA1UEAxMFemhhbmcwHhcNMTkxMjE1MDUyOTM2WhcN

MjkxMjEyMDUyOTM2WjBZMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ

MA4GA1UEBxMHYmVpamluZzEKMAgGA1UEChMBMDEKMAgGA1UECxMBMDEOMAwGA1UE

AxMFemhhbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFTvO6UVRU

FeZkPbzHAzi6Xl73IWtOguBYoeU0uWn3Tj8ZuJYGhni1wFw2rdXEsYE31U6p8/U/

KLt9GDP3lQjtKEoIqCwUUYvasCqymUwMKU39p1+zGakXTqtUiQaBx721HRDSI41x

O35v+UCsrhMC7vpCxDCf0wteXOdV9zNyVk5lJ8M2O77Um4HOq3p8Q9apqUFRVh2X

TMJQMbyKQ3WX0PSbW1JJoqmJOtTbIRQZSOL7v1SvLtjwEKURfp3gJOX1NACEvmDf

YagkRzRLbL7Rup6pSy/WdS30qIlP2SI68D5DujZPw4e6pBP2V7uS+YiLiBJfm9I2

+ 9lqATZSCWHNAgMBAAGjITAfMB0GA1UdDgQWBBQF96rK7n0XufnvtJuH9tD9Ixza

6zANBgkqhkiG9w0BAQsFAAOCAQEAuMzWZJhej6+4TGgodQKQ5L5RBtOUbesxA1Ue

S9iA4m/jNZnVCXJE0nY47YVzBCIkIsYALswGooMj1PIJxEMpggXVmIuiJpaPgg+4

SthzISxKzX0ru8IrJTapaglMi74ai6S73LTBSke9GEPgWWnbtdUZoUSiSNt1oJ0J

EhFHdPuzxc36neDFRBOBxW4w3qhsTlKTN2wJm1nLV96nFKmqJhQJhhKt6ihe7hMg

QWxzNsWAqv9gJNdKZt5teqwNKT6H7r1NX5oJkJ0Kn1dZy0O3rDDd5E0KDKkMtwOh

3deJH6UvttGGQu2dW5JG5uiHuzFHnJeAfee =

-END CERTIFICATE-

Copy the public key section to the resources directory where public.cert places it on the resource server

-BEGIN PUBLIC KEY-

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxU7zulFUVBXmZD28xwM4

Ul5e9yFrToLgWKHlNLlp904/GbiWBoZ4tcBcNq3VxLGBN9VOqfP1P5C7fRgz95UI

7ShKCKgsFFGL2rAqsplMDClN/adfsxmpF06rVIkGgce9tR0Q0iONcaN+b/lArK4T

Au76QsQwn9MLXlznVfczclZOZSfDNju+1JuBzqt6fEPWqalBUVYdV0zCUDG8ikN1

L9D0m1tSSaKpiTrU2yEUGUjiqi 79Ury7Y8BClEX6d4CTl9TQAhL5g32GoJEC0S2y+

0bqeqUsv1nUt9KiJT9kiOvA+Q7o2T8OHuqQT9le7kvmIi4gSX5vSNvvZagE2Uglh

ZQIDAQAB

-END PUBLIC KEY-

Modify the resource server jwtAccessTokenConverter () method

@ Bean public JwtAccessTokenConverter jwtAccessTokenConverter () {JwtAccessTokenConverter converter = new JwtAccessTokenConverter (); Resource resource = new ClassPathResource ("public.cert"); String publicKey; try {publicKey = new String (FileCopyUtils.copyToByteArray (resource.getInputStream ();} catch (IOException e) {throw new RuntimeException (e);} converter.setVerifierKey (publicKey); return converter;} Test Verification

Send POST request http://localhost:8080/oauth/token?username=hellxz&password=xyz&scope=read_user_info&grant_type=password

Return the result

Access the resource server with token

The test passed

In addition, when using JWT, you should set the expiration time as short as possible, because the token of JWT cannot revoke manually and can only wait for its expiration time to expire.

After reading this article, I believe you have a certain understanding of "how to solve the token storage problem of using JWT as Spring Security OAuth2". If you want to know more about it, welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.