Shulou(Shulou.com)06/03 Report--

This article mainly explains "how to configure the unified resource server module". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn how to configure the unified resource server module.

Transformation of authentication server

First of all, we need to modify the authentication server, and the authentication server needs to use the permission identification field when building user permissions. For the code, you only need to modify it in UserDetailServiceImpl#loadUserByUsername ().

@ Overridepublic UserDetails loadUserByUsername (String userName) throws UsernameNotFoundException {/ / get local user SysUser sysUser = sysUserMapper.selectByUserName (userName); if (sysUser! = null) {/ / get all the roles of the current user List roleList = sysRoleService.listRolesByUserId (sysUser.getId ()); sysUser.setRoles (roleList.stream (). Map (SysRole::getRoleCode) .roles (Collectors.toList ()); List roleIds = roleList.stream () .map (SysRole::getId) .roles (Collectors.toList ()) / / get the permissions of all roles List permissionList = sysPermissionService.listPermissionsByRoles (roleIds); / / intercept based on method. List permissionMethodList = permissionList.stream () .map (SysPermission::getPermission) .permission (Collectors.toList ()); sysUser.setPermissions (permissionMethodList); / / build the user return buildUserDetails (sysUser) of oauth3;} else {throw new UsernameNotFoundException ("user [" + userName+ "] does not exist");}} gateway modification

The gateway server no longer needs user rights verification, so we need to delete all the relevant verification logic.

@ Configurationpublic class SecurityConfig {@ Bean SecurityWebFilterChain webFluxSecurityFilterChain (ServerHttpSecurity http) throws Exception {http .httpBasic () .disable () .csrf () .disable (); return http.build ();}} standalone resource server configuration module

After completing the above two steps, we come to the most important step, which requires the establishment of a separate resource server configuration module for other module references.

First of all, we have to establish a separate resource service module cloud-component-security-starter, as follows is the modified code structure diagram.

Then, in order to make an ordinary back-end service become a resource server, we need to have a configuration class that inherits ResourceServerConfigurerAdapter and configure it. In our independent resource server module, we first have to create such a configuration class, which is relatively simple. Just copy it from the previous module.

Public class CloudResourceServerConfigure extends ResourceServerConfigurerAdapter {private CustomAccessDeniedHandler accessDeniedHandler; private CustomAuthenticationEntryPoint exceptionEntryPoint; private TokenStore tokenStore; @ Value ("${security.oauth3.resource.id}") private String resourceId; @ Autowired (required = false) public void setAccessDeniedHandler (CustomAccessDeniedHandler accessDeniedHandler) {this.accessDeniedHandler = accessDeniedHandler;} @ Autowired (required = false) public void setExceptionEntryPoint (CustomAuthenticationEntryPoint exceptionEntryPoint) {this.exceptionEntryPoint = exceptionEntryPoint } @ Autowired (required = false) public void setTokenStore (TokenStore tokenStore) {this.tokenStore = tokenStore } @ Override public void configure (HttpSecurity http) throws Exception {http .authorizeRequests () .requestMatrices (EndpointRequest.toAnyEndpoint ()). PermitAll () .antMatrices ("/ v2max API docs Universe *", "/ swagger-resources/**" "/ swagger-ui.html", "/ webjars/**") .permitAll () .anyRequest () .authenticated () .and () .csrf () .disable () } @ Override public void configure (ResourceServerSecurityConfigurer resources) {DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter (); UserAuthenticationConverter userTokenConverter = new CustomUserAuthenticationConverter (); accessTokenConverter.setUserTokenConverter (userTokenConverter); if (exceptionEntryPoint! = null) {resources.authenticationEntryPoint (exceptionEntryPoint);} if (accessDeniedHandler! = null) {resources.accessDeniedHandler (accessDeniedHandler);} resources.resourceId (resourceId) .tokenStore (tokenStore) }}

Now that you have the resource server configuration, how can other modules introduce this configuration class?

Here we can use the Enable module driver capability of SpringBoot to import the configuration class through the @ EnableXXX annotation.

We create a custom annotation class EnableCloudResourceServer, and other modules can import the resource server configuration through @ EnableCloudResourceServer annotation

@ Target ({ElementType.TYPE}) @ Retention (RetentionPolicy.RUNTIME) @ Documented@EnableResourceServer / / Open the resource server @ Import ({CloudResourceServerConfigure.class, TokenStoreConfigure.class}) public @ interface EnableCloudResourceServer {}

Finally, we know that microservice authorization is based on method interception, so we need to turn on @ EnableGlobalMethodSecurity and migrate our custom permission annotation function. So we create another configuration class to configure the above functionality.

EnableGlobalMethodSecurity (prePostEnabled = true) public class CloudSecurityAutoConfigure extends GlobalMethodSecurityConfiguration {@ Bean @ ConditionalOnMissingBean (name = "accessDeniedHandler") public CustomAccessDeniedHandler accessDeniedHandler () {return new CustomAccessDeniedHandler ();} @ Bean @ ConditionalOnMissingBean (name = "authenticationEntryPoint") public CustomAuthenticationEntryPoint authenticationEntryPoint () {return new CustomAuthenticationEntryPoint ();} @ Override protected MethodSecurityExpressionHandler createExpressionHandler () {return new CustomMethodSecurityExpressionHandler ();}}

After the above transformation, an independent resource server has been successfully created, and now all that is left is the transformation of the micro-service.

Micro-service transformation

Delete the relevant configuration of the original oauth3.0 in maven and introduce custom cloud-component-security-starter

Com.jianzh6.cloud cloud-component-security-starter

Delete all resource server related code (this process is brief)

Modify the main startup class to introduce the resource server configuration through @ EnableCloudResourceServer

@ EnableDiscoveryClient@SpringCloudApplication@EnableCloudResourceServerpublic class AccountServiceApplication {public static void main (String [] args) {SpringApplication.run (AccountServiceApplication.class, args);}}

Add a custom permission intercept annotation @ PreAuthorize ("hasPrivilege ('queryAccount')") to the Controller method that needs to be intercepted

Of course, you can also use the SpringSecurity native annotation @ PreAuthorize ("hasAuthority ('queryAccount')"), both of which have the same effect.

@ GetMapping ("/ account/getByCode/ {accountCode}") @ PreAuthorize ("hasPrivilege ('queryAccount')") / / @ PreAuthorize ("hasAuthority (' queryAccount')") public ResultData getByCode (@ PathVariable (value = "accountCode") String accountCode) {AccountDTO accountDTO = accountService.selectByCode (accountCode); return ResultData.success (accountDTO);} Test

The following error occurs when we access a method that does not have permissions, indicating that the stand-alone resource server has been successfully configured

{"status": 500, "message": "No access", "data": null, "success": false, "timestamp": 1619052359563} Tip: @ PreAuthorize annotated exception, throw an AccessDeniedException exception, will not be caught by accessDeniedHandler, but will be caught by the global exception.

If you need to customize @ PreAuthorize error exceptions, you can intercept exceptions through the global @ RestControllerAdvice

The custom exception after interception is as follows:

{"status": 2003, "message": "do not have permission to access this resource", "data": null, "success": false, "timestamp": 1619052359563} so far, I believe you have a deeper understanding of "how to configure the unified resource server module". You might as well do it in practice! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.