SLTechnology News&Howtos > Internet Technology. Updated 2025-04-11.
Shulou (Shulou.com) 06/02 Report
What is the encryption configuration of OAuth2.0 in Spring Boot Security? Many beginners are not clear about this. To help solve the problem, the editor explains it in detail below; readers with this need are welcome to learn from it.
Improvements to the sample code
It is very simple, and its main purpose is to become familiar with the whole authorization flow of OAuth2.0. This simple example certainly cannot be used directly in a production environment; there are still many areas that need improvement. Let's summarize them:
1. Only the authorization code grant is demonstrated; the other three grant types (implicit, password, client credentials) are not covered.
2. Passwords and client secrets are stored in plaintext, not hashed.
3. The OAuth client configuration, including client id and secret, is configured in memory, so clients cannot be added dynamically.
4. Tokens are also stored in memory and cannot be revoked manually.
5. The JWT is signed with a simple symmetric secret; it is better to use an asymmetric key pair (sign with the private key, verify with the public key), so that the resource service never has to hold the signing key.
6. The permissions for requesting tokens (scopes and grant types) are not reasonably restricted.
7. The JWT and token verification configuration in the resource service is not very flexible.
8. The authorization flow should be developed and used together with Eureka (service registration and discovery).
9. Token relay is not verified, etc.
As the problems listed above show, even though the sample code runs and the flow is clear, to really use Spring Cloud Security, especially in a production environment, you need to master and understand every detail.
Encryption configuration
First, let's make the first improvement and implement the encryption configuration (item 2 above). We all know that after a user registers, the password must not be saved in the database as plaintext; it should be passed through a password hash first and only the hash stored (Spring Security's PasswordEncoder, for example BCrypt, is a salted one-way hash, not reversible encryption, and verification is done by re-hashing the presented password and comparing). By the same token, the OAuth client information should eventually be stored in the database rather than configured directly in code, and its secret field should also be hashed before it is stored. The following configures this in the authorization service. First, modify the security configuration class and configure the encoder:
Then configure the login user's password to be stored in hashed form:
Then modify the authorization server configuration class so that the secret in the client configuration is stored in hashed form:
This completes the encryption configuration. The resource service does not need any changes: it only verifies tokens and never handles the user password or the client secret.
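As an added example (this is not the code from the original article, whose configuration classes are not reproduced above), here are the three configuration points described in this section in one place, written against the spring-security-oauth2 authorization server used in this series. The user name, client id, the two secret values and the redirect URI are assumed demo values for illustration only:

```java
// file: WebSecurityConfig.java  (steps 1 and 2: security configuration class)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Step 1: declare one PasswordEncoder bean and reuse it everywhere.
    // BCrypt is a salted one-way hash: the stored value cannot be turned back
    // into the password, and two encodes of the same password give different hashes.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Step 2: the login user's password is stored as a BCrypt hash.
    // "user" / "user-password" are assumed demo values; in production the hash is
    // read from the user table and never computed from a plaintext at startup.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user")
            .password(passwordEncoder().encode("user-password"))
            .roles("USER");
    }
}

// file: AuthorizationServerConfig.java  (step 3: authorization server configuration class)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder;

    // The same encoder bean declared in WebSecurityConfig is injected here.
    public AuthorizationServerConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    // The client secret is stored hashed, exactly like a user password.
    // "client-app", "client-secret" and the redirect URI are assumed demo values.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client-app")
            .secret(passwordEncoder.encode("client-secret"))
            .authorizedGrantTypes("authorization_code")
            .scopes("read")
            .redirectUris("http://localhost:8081/login");
    }

    // Make the /oauth/token client authentication compare the presented plaintext
    // secret against the stored hash with the same encoder. Without this, Spring
    // Security 5's default DelegatingPasswordEncoder expects the stored value to
    // carry an {id} prefix such as {bcrypt} and client authentication fails.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.passwordEncoder(passwordEncoder)
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }
}
```

The client is unaffected because it still presents the plaintext secret (for example with HTTP Basic on the token request) and the server checks it with `passwordEncoder.matches(presentedSecret, storedHash)`; for that reason the token endpoint must only be reachable over HTTPS. If you later move the client table to the database and switch to `PasswordEncoderFactories.createDelegatingPasswordEncoder()`, store the hashes with their `{bcrypt}` prefix so the delegating encoder can pick the right algorithm.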
Test
After configuring the above three places, the encryption configuration is done. Let's test it. The test procedure is the same as before; the client is not aware of the change (it still sends its client id and secret in plaintext on the token request, so the connection must use HTTPS), and the resulting access_token is as follows:
The final result of accessing the resource is as follows:
© 2024 shulou.com SLNews company. All rights reserved.