2025-03-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article focuses on how to use Spring Security and OAuth2.0. The method introduced here is simple, fast and practical.
Problem
Recently, due to a change in my job, I started doing back-end work in Java (back to my old job). At present, my first project is to set up a user authentication center, so I stepped into the pit of Spring Security. In fact, one of the more popular solutions is Spring Security + OAuth2.0 + JWT. But when I started integrating Spring Security and OAuth2.0, I frowned and suddenly realized that it wasn't easy.
When creating a Spring Boot project, you can select the following OAuth2.0 dependencies:
spring-boot-starter-oauth2-client
spring-boot-starter-oauth2-resource-server
spring-cloud-starter-oauth2
I wondered why so many packages were needed. Following the principle of "programming by Baidu", I went through a large number of blogs that all copy one another and found that they also use two other dependencies:
spring-security-oauth2
spring-security-oauth2-autoconfigure
My head hurt. Why is it so complicated? So I had no choice but to search the official documents.
Official document explanation
Spring's official documentation on OAuth2.0 says this:
The Spring Security OAuth project is deprecated. The latest OAuth 2.0 support is provided by Spring Security. See the OAuth 2.0 Migration Guide for further details.
In other words, the original Spring Security OAuth project has been abandoned, and OAuth2.0 support has been integrated into Spring Security itself. This confused me. Emmm. It means that if you use spring-security-oauth2 now, most of its methods are struck through (deprecated). Why do it this way?
Later, out of an onlooker's curiosity, I dug into the history of OAuth in the Spring community. In 2018, the Spring community issued a statement that it would phase out the existing OAuth2 support and build the next generation of OAuth2.0 support in Spring Security 5. The reason was that OAuth2 support had become confusingly scattered: implementations of OAuth2 were available in Spring Security OAuth, Spring Cloud Security, Spring Boot 1.5.x, and the then-latest Spring Security 5.x. Therefore, the maintainers decided to put it in one place.
I think this is a good thing, so that people are no longer unsure which one to use. The maintainers were also very capable: they not only completed the support for OAuth2.0 but also added support for OpenID Connect 1.0. However, the community then made another surprising move: it announced that the authorization server would no longer be supported. The maintainers argued, first, that an authorization server is a product, not something a framework should provide, and second, that there are already many commercial and open-source authorization servers (such as Keycloak and Okta). However, a large number of developers were not satisfied, and there was a heated discussion in the community. So the maintainers gave in and launched a new project, spring-authorization-server, which has been iterated to version 0.0.3.
Status quo & Migration
With the history out of the way, let's take a look at the state of these packages.
spring-security-oauth2 -> deprecated. It is recommended not to use it, otherwise the code cannot be maintained later.
spring-security-oauth2-autoconfigure -> automatic configuration for the deprecated package, no longer useful.
spring-boot-starter-oauth2-client -> latest.
spring-boot-starter-oauth2-resource-server -> latest.
spring-cloud-starter-oauth2 -> references spring-security-oauth2, but is not yet marked as deprecated.
This makes it clear that the current project needs to reference the corresponding package according to the purpose of the service.
Authorization server
If the service is to be an authorization server, it can only reference spring-cloud-starter-oauth2 for the time being. That package also references spring-security-oauth2, but it has not been marked @Deprecated, and it is still configured with the @EnableAuthorizationServer annotation. Once spring-authorization-server matures, you will need to switch over.
Client
Now if you want to develop a client, you only need to reference spring-boot-starter-oauth2-client and call .oauth2Client() in the existing Spring Security configuration class, instead of using the previous @EnableOAuth2Client annotation.

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login-error")
                    .permitAll()
                    .and()
                // Enables OAuth 2.0 client support; replaces @EnableOAuth2Client
                .oauth2Client();
        }
    }
In addition, you also need to configure two beans, WebClient and OAuth2AuthorizedClientManager. How to implement them is a hole I will dig now and fill in later.
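One way to define the two beans mentioned above, as an added example that is not the author's code. It assumes Spring Security 5.2 or later with spring-webflux on the classpath (for WebClient); the class name OAuth2ClientBeans is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

// Added example; OAuth2ClientBeans is a hypothetical class name.
@Configuration
public class OAuth2ClientBeans {

    // Decides how an access token is obtained or renewed for a registered client.
    // Both repositories are auto-configured by spring-boot-starter-oauth2-client.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        // Only the grant types listed here can be used by the manager.
        OAuth2AuthorizedClientProvider provider =
                OAuth2AuthorizedClientProviderBuilder.builder()
                        .authorizationCode()
                        .refreshToken()
                        .build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // WebClient that adds "Authorization: Bearer <token>" to outgoing requests.
    @Bean
    WebClient webClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // No default client registration is set on purpose: a token is attached
        // only when a request names its registration explicitly, so the bearer
        // token is not sent to every host this WebClient happens to call.
        return WebClient.builder()
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}
```

A caller selects the registration per request with `.attributes(ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId("..."))`, using the id configured under `spring.security.oauth2.client.registration`.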
Resource server
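The resource server only needs to reference spring-boot-starter-oauth2-resource-server. If you use JWK, the configuration is as follows (just call .oauth2ResourceServer()):

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
    import org.springframework.security.oauth2.jwt.JwtDecoder;
    import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

    @Configuration
    @EnableWebSecurity
    public class MySecurityConfig extends WebSecurityConfigurerAdapter {

        // Location of the authorization server's JSON Web Key Set
        @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
        private String jwkSetUri;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Accept JWT bearer tokens
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
                .csrf().disable()
                .authorizeRequests()
                    // The token must carry the "all" scope to reach /message/**
                    .antMatchers("/message/**").hasAuthority("SCOPE_all")
                    .anyRequest().authenticated();
        }

        // Verifies token signatures against the keys published at jwkSetUri
        @Bean
        JwtDecoder jwtDecoder() {
            return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
        }
    }

So far, I believe you have a better understanding of "how to use Spring Security and OAuth2.0". You might as well try it in practice!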