Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to achieve single sign-on and logout functions in SpringSecurity OAuth2. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

1. Single sign-on

Single sign-on means that there are multiple subsystems and an authentication authority. When visiting any of the subsystems, if you find that you are not logged in, you will jump to the authentication center to log in, and then jump back to the subsystem after the login is completed. At this point, when you access other subsystems, you are already logged in. Logout unified logout from the certification center, after logout, each subsystem can not be accessed, need to log in again.

Spring Security OAuth is built on top of Spring Security, so most of the configuration is in Security, Security completes the authentication and authorization of users, and OAuth completes single sign-on.

The single sign-on of Spring Security OAuth is mainly realized by @ EnableOAuth3Sso, which simplifies the SSO process from the resource server to the authentication and authorization server, and uses the authorization code to obtain it.

1.1 use memory to save client and user information

1.1.1 Certification Authority auth-server

Add dependency

Org.springframework.boot spring-boot-starter-web org.springframework.boot spring-boot-starter-thymeleaf org.springframework.boot spring-boot-starter-security org.springframework.security.oauth spring-security-oauth3 2.3.8.RELEASE org.springframework.boot spring-boot-starter-data-redis org.apache.commons commons-pool2 2.4.2 com.alibaba fastjson 1.2.60

Application.yml

Server: port: 8000 servlet: context-path: / auth-server session: cookie: name: oauth-auth-serverspring: redis: # Redis has 16 shards by default. Specific shards are configured here. Default is 0 database: 0 host: localhost port: 6379 # connection password (empty by default) password: # connection timeout (milliseconds) timeout: 10000ms lettuce: pool: # maximum number of connections in connection pool (use negative values for no limit) default 8 max-active: 8 # connection pool maximum blocking wait time (use negative Value indicates no limit) default-1 max-wait:-1 # maximum idle connection in connection pool default 8 max-idle: minimum idle connection in 8 # connection pool default 0 min-idle: 0

Add authorization server configuration, security of primary token paths, client details and token storage.

A client is configured to support authenticator mode and refresh Token, and the Token is stored in the Redis.

@ Configuration@EnableAuthorizationServerpublic class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {private static final String RESOURCE_ID = "resource-1"; @ Autowired private PasswordEncoder passwordEncoder; @ Autowired private RedisConnectionFactory redisConnectionFactory / * configure the security of the authorization server Security constraints of token endpoints * * @ param security * @ throws Exception * / @ Override public void configure (AuthorizationServerSecurityConfigurer security) throws Exception {security / / enable / oauth/check_token .tokenKe yAccess ("permitAll ()") / / enable / oauth/token_key .checkTokenAccess ( "isAuthenticated ()") / / allow form authentication / / if configured And if there are client_id and client_secret in url, then go ClientCredentialsTokenEndpointFilter / / if there is no configuration, but there is no client_id and client_secret in url, use basic authentication protection. } / * configure the client Can exist in memory and database * * @ param clients * @ throws Exception * / @ Override public void configure (ClientDetailsServiceConfigurer clients) throws Exception {clients .inMemory () .withClient ("client_1") .resou rceIds (RESOURCE_ID) .authorizedGrantTypes ("authorization_code") "refresh_token") .scopes ("read") .authorities ("client") .secret (passwordEncoder.encode ("123456")) / / must be added Will match the redirect address on request with .redirectUris ("http://localhost:8001/service1/login") / / automatic approval. After successful login, it will not jump to the approval page and ask the resource owner to approve / / .autoApps (true)). } / * * configure non-security features of authorization server endpoints, such as token storage, token customization, user approval and grant types * * @ param endpoints * @ throws Exception * / @ Override public void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {endpoints / / token exists redis .tokenStore (tokenStore ()) } / * configure redis, use redis to store token * @ return * / @ Bean public TokenStore tokenStore () {return new RedisTokenStore (redisConnectionFactory);}}

Add resource server configuration, mainly configuring resource id and url requiring Token authentication

For the same url, if both are configured with authentication, it will first enter ResourceServerConfigurerAdapter, which will be processed by OAuth3AuthenticationProcessingFilter and validated by token, but will not authenticate the form of WebSecurityConfigurerAdapter, etc.

@ Configuration@EnableResourceServerpublic class ResourceServerConfig extends ResourceServerConfigurerAdapter {private static final String RESOURCE_ID = "resource-1"; / * add attributes specific to the resource server * * @ param resources * / @ Override public void configure (ResourceServerSecurityConfigurer resources) throws Exception {resources .resourceId (RESOURCE_ID) } / * use this to configure access rules for security resources and configure url that requires token authentication. By default, all resources that are not in "/ oauth/**" are protected. * * @ param http * @ throws Exception * / @ Override public void configure (HttpSecurity http) throws Exception {/ / only / security/getUserInfo needs token to verify http .requestMatrices (). AntMatchers ("/ security/getUserInfo") .and () .authorizeRequests () .anyRequest (). Authenticated ();}}

Security configuration, user data, custom login page, successful and failed Handler,session, configuration of unprotected URL, etc.

Two users and configuration such as login page have been added here.

@ Configurationpublic class ServerWebSecurityConfig extends WebSecurityConfigurerAdapter {/ * Authentication Manager configuration for information acquisition source (UserDetails) and password verification rules (PasswordEncoder) * * @ param auth * @ throws Exception * / @ Override protected void configure (AuthenticationManagerBuilder auth) throws Exception {auth / / use memory authentication Keep two users in memory .inMemoryAuthentication () .passwordEncoder (passwordEncoder ()) / admin has permissions for ADMIN and USER. Withuser ("admin") .password (passwordEncoder (). Encode ("admin"). Roles ("ADMIN") "USER") .and () / user has permission for USER. WithUser ("user") .password (passwordEncoder () .encode ("user")) .roles ("USER") } / * Core filter configuration, more use of ignoring () to ignore the control of static resources * @ param web * @ throws Exception * / @ Override public void configure (WebSecurity web) throws Exception {web. Matching () .antMatrices ("/ static/js/**") } / * Security filter chain configuration, custom security access policy * @ param http * @ throws Exception * / @ Override protected void configure (HttpSecurity http) throws Exception {http .authorizeRequests () / login and / oauth/authorize paths are configured to not require any authentication All other paths must be verified. AntMatrices ("/ login" "/ oauth/authorize") .permitAll () / / other requests need to be authenticated. AnyRequest (). Authenticated () .and () / log in to .formLogin () / custom username and password parameters .usernameParameter ( "login_username") .passwordParameter ("login_password") / / Custom login page address .loginPage ("/ loginPage") / / address of the verification form Intercepted by filter UsernamePasswordAuthenticationFilter to handle .loginProcessingUrl ("/ login") .permitAll () .and () .csrf () .disable () @ Bean public static BCryptPasswordEncoder passwordEncoder () {return new BCryptPasswordEncoder ();}}

Get the current user information for the client to obtain

@ RestController@RequestMapping ("/ security") public class SecurityController {@ GetMapping ("/ getUserInfo") @ ResponseBody public Principal getUserInfo (Principal principal) {return principal;}}

1.1.2 Subsystem service-1

Add dependency

Org.springframework.boot spring-boot-starter-web org.springframework.boot spring-boot-starter-thymeleaf org.springframework.security.oauth.boot spring-security-oauth3-autoconfigure 2.1.13.RELEASE

Application.yml

Server: port: 8001 servlet: context-path: / service1 session: cookie: name: oauth-service-1security: oauth3: client: clientId: client_1 clientSecret: 123456 # get access token URI accessTokenUri: http://localhost:8000/auth-server/oauth/token # Authorization URI userAuthorizationUri: http://localhost:8000/auth to which the user is redirected -server/oauth/authorize resource: # get current user details userInfoUri: http://localhost:8000/auth-server/security/getUserInfo

Security configuration. If you need to control the url of service-1, you need to add WebSecurityConfigurerAdapter configuration, configure which interfaces in the subsystem require auth-server authentication, configure unprotected URL, and so on.

The @ Configuration// @ EnableOAuth3Sso annotation inherits from the WebSecurityConfigurerAdapter class and / / represents the enhancement of the OAuth3Sso-related configuration based on the subclass configuration. @ EnableOAuth3Sso@EnableGlobalMethodSecurity (prePostEnabled = true) public class ClientWebSecurityConfig extends WebSecurityConfigurerAdapter {/ * Security filter chain configuration, custom security access policy. Configurable client unprotected resources * * @ param http * @ throws Exception * / @ Override public void configure (HttpSecurity http) throws Exception {http .antMatcher ("/ *") .authorizeRequests () / visit / / home do not need to authenticate .antMat chers ("/") "/ home") .permitAll () .anyRequest () .authenticated () .and () / insufficient permissions to jump / 401.promotionHandling () .accessDeniedPage ("/ 401") } / * Core filter configuration, more use of ignoring () to ignore the control of static resources and filter the interface of feign between microservices * * @ param web * @ throws Exception * / @ Override public void configure (WebSecurity web) throws Exception {web (js/**) .antMatrices ("/ js/**");}}

Client resource server configuration, only / api/* requires token authentication

@ Configuration@EnableResourceServerpublic class ResourceServerConfig extends ResourceServerConfigurerAdapter {private static final String RESOURCE_ID = "resource-1"; / * add attributes specific to the resource server * * @ param resources * / @ Override public void configure (ResourceServerSecurityConfigurer resources) throws Exception {resources .resourceId (RESOURCE_ID) } / * use this to configure access rules for security resources and configure url that requires token authentication. By default, all resources that are not in "/ oauth/**" are protected. * * @ param http * @ throws Exception * / @ Override public void configure (HttpSecurity http) throws Exception {/ api/* all require token verification Will be processed by OAuth3AuthenticationProcessingFilter http .requestMatrices () .antMatrices ("/ api/*") .and () .authorizeRequests () .anyRequest (). Authenticated () }}

Service1 controller

@ Controllerpublic class Service1Controller {@ RequestMapping (path = {"/", "/ home"}) public ModelAndView home () {return new ModelAndView ("home");} @ PreAuthorize ("hasRole ('USER')") @ RequestMapping ("/ user") public ModelAndView user () {return new ModelAndView ("user");} @ PreAuthorize ("hasRole (' ADMIN')") @ RequestMapping ("/ admin") public ModelAndView admin () {return new ModelAndView ("admin") To test whether / api/* is blocked by the resource server, token * @ return * / @ GetMapping ("/ api/getUserInfo") @ ResponseBody public Principal getUserInfo () {return SecurityContextHolder.getContext () .getAuthentication ();} @ GetMapping ("/ api2/getUserInfo") @ ResponseBody public Principal getUserInfo2 () {return SecurityContextHolder.getContext () .getAuthentication () } @ Controllerpublic class Service1Controller {@ RequestMapping (path = {"/", "/ home"}) public ModelAndView home () {return new ModelAndView ("home");} @ PreAuthorize ("hasRole ('USER')") @ RequestMapping ("/ user") public ModelAndView user () {return new ModelAndView ("user") } @ PreAuthorize ("hasRole ('ADMIN')") @ RequestMapping ("/ admin") public ModelAndView admin () {return new ModelAndView ("admin") To test whether / api/* is blocked by the resource server, token * @ return * / @ GetMapping ("/ api/getUserInfo") @ ResponseBody public Principal getUserInfo () {return SecurityContextHolder.getContext () .getAuthentication ();} @ GetMapping ("/ api2/getUserInfo") @ ResponseBody public Principal getUserInfo2 () {return SecurityContextHolder.getContext () .getAuthentication ();}}

1.1.3 Test

Service-2 copies it according to service-1.

Service-1 and service-2 can access / / home without logging in

To access the resources that need authentication for / user, you will first go to auth-server for authentication

Resource owner approval

Access to / user is not available until approved

Service-2 's / user is also accessible, that is, single sign-on is implemented.

Insufficient access / admin user privileges

1.2 use a database to save client and user information

You only need to modify how the client and user information is obtained in auth-server.

In the part of user information, modify the security configuration and refer to the use of database in Spring Security to save user information.

Because information such as Token is stored in Redis, only client information needs to be saved in the database. Modify AuthorizationServerConfig

@ Autowiredprivate DataSource dataSource;@Overridepublic void configure (ClientDetailsServiceConfigurer clients) throws Exception {clients .withClientDetails (clientDetails (dataSource));} / * * get the client details service, and JDBC implements * @ return * / @ Beanpublic ClientDetailsService clientDetails (DataSource dataSource) {return new JdbcClientDetailsService (dataSource);}

Add tables and data, the password is encrypted with BCrypt, and the data is consistent with memory.

CREATE TABLE `oauth_client_ details`, `resource_ ids` varchar, `resource_ ids` varchar, `client_ secret` varchar, `scope` varchar, `authorized_grant_ types` varchar `web_server_redirect_ uri` varchar (256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL, `authorities` varchar (256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL, `access_token_ validity` int (11) NULL DEFAULT NULL, `refresh_token_ validity` int (11) NULL DEFAULT NULL, `additional_ information` varchar (4096) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL, `autoapprove` varchar (256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL PRIMARY KEY (`client_ id`) USING BTREE) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Compact INSERT INTO `oauth_client_ details` VALUES ('client_1',' resource-1','$2a$10 $TfM5Bisse4ewbmIDfqZcxuYl5dI39/lEzzvkzlxFELKglHQM78FIu', 'read',' authorization_code,refresh_token', 'http://localhost:8001/service1/login,http://localhost:8002/service2/login', NULL, NULL)

The effect is the same as when using memory.

1.3 single sign-on proc

Open F12 to see the following redirection process, and you can see the general steps:

Request authorization code, determine not logged in, redirect login page

Login is successful. Redirect continues to request authorization code, which is not approved by the resource owner. Return to the approval page.

Resource owner approval, redirect return authorization code

The client gets the authorization code and requests Token

Get Token, redirect / user

1.2.1 request authorization code, determine whether you are not logged in, and redirect the login page

Access the client protected resource localhost:8001/service1/user, and redirect to localhost:8001/service1/login for login authentication without login. Because single sign-on @ EnableOAuth3Sso is configured, the single sign-on interceptor will read the configuration of the authorization server and initiate a request to obtain the authorization code.

Http://localhost:8000/auth-server/oauth/authorize?client_id=client_1&redirect_uri=http://localhost:8001/service1/login&response_type=code&state=eEoQJJ

Handled by AuthorizationEndpoint.authorize () of auth-server, an exception was thrown because no authentication was logged in

If (! (principal instanceof Authentication) | |! ((Authentication) principal) .isAuthenticated () {throw new InsufficientAuthenticationException ("User must be authenticated with Spring Security before authorization can be completed.");}

Exceptions are handled in ExceptionTranslationFilter.doFilter ()

HandleSpringSecurityException (request, response, chain, ase)

Call the LoginUrlAuthenticationEntryPoint.commence () method to get the login page address and redirect

RedirectUrl = buildRedirectUrlToLoginPage (request, response, authException)

1.2.2 Login succeeded. Redirect continues to request authorization code, which is not approved by the resource owner. Return to the approval page.

In auth-server, the user password is handled by AbstractAuthenticationProcessingFilter.doFilter (), and UsernamePasswordAuthenticationFilter is inherited from AbstractAuthenticationProcessingFilter. In the parent class doFilter () method, the attemptAuthentication method implemented by the subclass is called to obtain authentication information.

AuthResult = attemptAuthentication (request, response)

In the attemptAuthentication () method, the user name and password are encapsulated into token and authenticated, and after additional information is added, authentication is performed.

This.getAuthenticationManager () authenticate (authRequest)

The getAuthenticationManager () method gets the AuthenticationManager implementation class ProviderManager. In the authenticate () method, find the appropriate AuthenticationProvider to handle authentication. Here is DaoAuthenticationProvider, and its parent class, AbstractUserDetailsAuthenticationProvider, implements this method.

Result = provider.authenticate (authentication)

The parent class calls the retrieveUser () method to retrieve the user, which is implemented in the DaoAuthenticationProvider

User = retrieveUser (username, (UsernamePasswordAuthenticationToken) authentication)

Here is to get the user from memory or database, and then verify the password. After success, the information is saved to Authentication and returned. Call successful Handler, remember me and so on.

If the login is successful by default, the previously requested address will be redirected

Http://localhost:8000/auth-server/oauth/authorize?client_id=client_1&redirect_uri=http://localhost:8001/service1/login&response_type=code&state=eEoQJJ

Once again, it is processed by AuthorizationEndpoint.authorize () of auth-server, when there is user authentication information, obtain client information, check, check whether the resource owner approves or not (the client can set whether to approve automatically)

If not, return to the approval page and request to forward the forward:/oauth/confirm_access

Return getUserApprovalPageResponse (model, authorizationRequest, (Authentication) principal)

1.2.3 Resource owner approval, redirect returns authorization code

After the user is approved, it is processed by the AuthorizationEndpoint.approveOrDeny () method, returns the authorization code, and redirects the address set by the user (/ login) with code and state

Return getAuthorizationCodeResponse (authorizationRequest, (Authentication) principal)

1.2.4 the client obtains the authorization code and requests Token

Processing in client-side AbstractAuthenticationProcessingFilter

AuthResult = attemptAuthentication (request, response)

It is processed by the subclass OAuth3ClientAuthenticationProcessingFilter.attemptAuthentication () to determine whether token is empty.

AccessToken = restTemplate.getAccessToken ()

If it is empty, in the AuthorizationCodeAccessTokenProvider.obtainAccessToken () method, get the returned authorization code and request Token from auth-server

Return retrieveToken (request, resource, getParametersForTokenRequest (resource, request), getHeadersForTokenRequest (request))

In auth-server, the TokenEndpoint.getAccessToken () method gets the token, generates the token after client-side verification, and returns

OAuth3AccessToken token = getTokenGranter () .grant (tokenRequest.getGrantType (), tokenRequest)

1.2.5 get Token and redirect / user

Go back to the client side OAuth3ClientAuthenticationProcessingFilter.attemptAuthentication (), get the token, take the token, and request the user information from the auth-server.

The default Token is to use uuid to generate token for authentication and Token for refresh. The authentication Token expires within 12 hours by default, and the refreshed Token expires within 30 days by default.

OAuth3Authentication result = tokenServices.loadAuthentication (accessToken.getValue ())

After the auth-server is processed by OAuth3AuthenticationProcessingFilter, the token is fetched from the header and verified, and the request is completed.

The client obtains the user information, completes the login process on the client, and finally obtains the redirect address (i.e. / user) in the default login success Handler and redirects it.

1.3 JWT Token

1.3.1 tokenServices is not added to the resource server

You only need to modify the authorization server in auth-server.

Add dependency

Org.springframework.security spring-security-jwt 1.0.11.RELEASE

Customize the information carried by the generated token

@ Componentpublic class CustomTokenEnhancer implements TokenEnhancer {@ Override public OAuth3AccessToken enhance (OAuth3AccessToken accessToken, OAuth3Authentication authentication) {final Map additionalInfo = new HashMap (2); UserDetails user = (UserDetails) authentication.getUserAuthentication (). GetPrincipal (); additionalInfo.put ("userName", user.getUsername ()); additionalInfo.put ("authorities", user.getAuthorities ()); ((DefaultOAuth3AccessToken) accessToken) .setAdditionalInformation (additionalInfo); return accessToken;}}

Modify AuthorizationServerConfig

@ Autowiredprivate CustomTokenEnhancer customTokenEnhancer;@Autowiredprivate AuthenticationManager authenticationManager;@Overridepublic void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {/ / token enhanced configuration TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain (); tokenEnhancerChain.setTokenEnhancers (Arrays.asList (customTokenEnhancer, jwtAccessTokenConverter () Endpoints / / token with redis .tokenStore (tokenStore ()) .tokenEnhancer (tokenEnhancerChain) / / password authorization is required. AuthenticationManager (authenticationManager) / / oauth/token runs get and post .allowedTokenEndpointReque stMethods (HttpMethod.GET, HttpMethod.POST) } / * the converter used to generate token * @ return * / @ Beanpublic JwtAccessTokenConverter jwtAccessTokenConverter () {JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter (); / / symmetric encryption, set the signature, and use the following value as the key jwtAccessTokenConverter.setSigningKey ("oauth"); return jwtAccessTokenConverter;}

Add client 2 to support password authorization

INSERT INTO `oauth_client_ details` (`client_ id`, `resource_ ids`, `client_ secret`, `scope`, `authorized_grant_ types`, `web_server_redirect_ uri`, `authorities`, `access_token_ validity`, `refresh_token_ validity`, `additional_ information`, `autoapprove`) VALUES ('client_2',' resource-1','$2a$10 $TfM5Bisse4ewbmIDfqZcxuYl5dI39/lEzzvkzlxFELKglHQM78FIu', 'read',' password,refresh_token', NULL, NULL)

test

Use password mode to get token

Interfaces protected by the requested resource server using token

Process flow

Verify the information in the TokenEndpoint of auth-server and get the token. The token request is then processed by OAuth3AuthenticationProcessingFilter in service-1, and the doFilter () method extracts and validates the token.

As configured above, tokenServices is not configured in the resource server

Authentication authResult = authenticationManager.authenticate (authentication)

So when loading Authentication, if tokenServices is UserInfoTokenServices, the configured userInfoUri will be called to auth-server to obtain user information.

OAuth3Authentication auth = tokenServices.loadAuthentication (token)

1.3.2 Resource server add tokenServices

Auth-server

Modify ResourceServerConfig

@ Autowiredprivate TokenStore tokenStore;@Overridepublic void configure (ResourceServerSecurityConfigurer resources) throws Exception {DefaultTokenServices defaultTokenServices = new DefaultTokenServices (); defaultTokenServices.setTokenStore (tokenStore); resources .resourceId (RESOURCE_ID) .tokenServices (defaultTokenServices);}

Service-1

Add dependency

Org.springframework.boot spring-boot-starter-data-redis org.apache.commons commons-pool2 2.4.2

Modify application.yml

Spring: redis: # Redis has 16 shards by default. Specific shards are configured here. Default is 0 database: 0 host: localhost port: 6379 # connection password (empty by default) password: # connection timeout (milliseconds) timeout: 10000ms lettuce: pool: # maximum number of connections in connection pool (use negative values for no limit) default 8 max-active: 8 # connection pool maximum blocking wait time (use negative Value indicates no limit) default-1 max-wait:-1 # maximum idle connection in connection pool default 8 max-idle: minimum idle connection in 8 # connection pool default 0 min-idle: 0

Modify ResourceServerConfig

@ Autowiredprivate RedisConnectionFactory redisConnectionFactory;@Overridepublic void configure (ResourceServerSecurityConfigurer resources) throws Exception {DefaultTokenServices defaultTokenServices = new DefaultTokenServices (); defaultTokenServices.setTokenStore (tokenStore ()); resources .resourceId (RESOURCE_ID) .tokenServices (defaultTokenServices);} / * configure redis, use redis to store token * @ return * / @ Beanpublic TokenStore tokenStore () {return new RedisTokenStore (redisConnectionFactory);}

Process flow

Verify the information in the TokenEndpoint of auth-server and get the token. The token request is then processed by OAuth3AuthenticationProcessingFilter in service-1, and the doFilter () method extracts and validates the token.

As configured above, tokenServices is not configured in the resource server

Authentication authResult = authenticationManager.authenticate (authentication)

So when loading Authentication, tokenServices is DefaultTokenServices, plus the implementation class with UserDetails, you can parse, so you don't have to call auth-server.

OAuth3Authentication auth = tokenServices.loadAuthentication (token); 2. Single point logout

Except that some of the api configured in the resource server requires token authentication, the others still rely on Spring Security authentication. Spring Security, on the other hand, is a recording user using Cookie and Session. Therefore, the Cookie of the certification authority and each subsystem can be set under the same path, and when the certification authority logs out, the Cookie can be deleted together to realize the logout of the certification authority and each subsystem. Each subsystem needs to know the logout address of the certification center. In this case is http://localhost:8000/auth-server/logout.

Modify the Cookie path of the certification authority and each subsystem, test and find that it can only be implemented under /.

Server: servlet: session: cookie: path: / server: servlet: session: cookie: path: /

Add a Handler that logs out successfully in auth-server

@ Componentpublic class CustomLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {@ Override public void onLogoutSuccess (HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {/ / delete the cookie of the subsystem Cookie [] cookies = request.getCookies (); if (cookies! = null & & cookies.length > 0) {for (Cookie cookie: cookies) {cookie.setMaxAge (0); cookie.setPath ("/") Response.addCookie (cookie);}} super.handle (request, response, authentication);}}

Modify the ServerWebSecurityConfig of auth-server and add logout configuration

@ Configurationpublic class ServerWebSecurityConfig extends WebSecurityConfigurerAdapter {@ Autowired private CustomLogoutSuccessHandler customLogoutSuccessHandler @ Override protected void configure (HttpSecurity http) throws Exception {http.. and () / / defaults to / logout .logout () .logoutSuccessHandler (customLogoutSuccessHandler) / / invalid session .invalidateHttpSes sion (true) / / clear authentication .clearAuthentication (true) .permitAll (). }}

Of course, if you use OAuth to issue token, you should also need to disable token.

Autowiredprivate TokenStore tokenStore;@GetMapping ("/ revokeToken") public void revokeToken (HttpServletRequest request) {String authHeader = request.getHeader ("Authorization"); if (authHeader! = null) {String tokenValue = authHeader.replace ("Bearer", "") .trim (); OAuth3AccessToken accessToken = tokenStore.readAccessToken (tokenValue); tokenStore.removeAccessToken (accessToken);}} 3. Summary

AuthorizationEndpoint processing / oauth/authorize;TokenEndpoint processing / oauth/token.

@ EnableOAuth3Sso marks the resource server as a client of OAuth 2.0, and it will be responsible for redirecting the resource owner (end user) to the authorization server where the user must enter his or her credentials. When complete, the user will be redirected back to the client with the authorization code. The client then invokes the authorization server to obtain the authorization code and exchange it for an access token. Only after that can the client invoke the resource server with an access token.

@ EnableResourceServer means that the service to which it belongs requires an access token to process the request. Before invoking the resource server, you need to obtain an access token from the authorization server.

All paths configured in the resource server will be processed by OAuth3AuthenticationProcessingFilter to get token.

Previously, it has been puzzling that the client has obtained the token, why there is no Authorization in the request header for accessing / user, and the request can be successful. Actually, it's all because of Security. Without the path configured in the resource server, you do not need to carry token after successful login authentication, but still use the Cookie and Session required by Security.

If the resource server does not configure tokenService, it will call the configured userInfoUri to auth-server to obtain user information; if the resource server is configured with tokenService, coupled with the implementation class of UserDetails, it can be parsed, and there is no need to call auth-server 's API.

This is the end of the article on "how to achieve single sign-on and logout in SpringSecurity OAuth2". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.