Spring Security Oauth2 JWT

The identity authentication

• User identity authentication: When a user accesses system resources, the system authenticates the user’s identity to ensure that the user’s identity is valid. Common forms of user identity authentication include user name and password login and fingerprint punching. In general terms, it’s the same thingVerify that the user account password is correct.

The user authorization

• After a user is authenticated, the system checks whether the user has the permission to access resources.Only system resources that have permission can be accessed. Resources that do not have permission cannot be accessedThis process is called user authorization.

With the platform opening strategy of domestic and foreign giants and the development of mobile Internet, third-party login is no longer a strange product design concept. The so-called third-party login refers to the function of quickly completing the login or registration of your application based on the user’s existing account and password on the third-party platform. The third-party platforms here are generally those with a large number of users, such as Facebook and Twitter in foreign countries and Weibo, wechat and QQ in China.

Advantages of third-party account login

• Compared with local registration, third-party login is generally more convenient and fast, which can significantly reduce the cost of registration and login and facilitate users to quickly log in or register.
• After the first successful binding, the user can then perform one-click logins, making subsequent logins much easier than in-app logins.
• For some applications, the use of third-party logins can meet their needs, so there is no need to design and develop their own account system.
• Through authorization, users can share their in-app activities on third-party platforms to promote themselves and increase product awareness.
• Through authorization, users can obtain social information such as friends or fans on third-party platforms, so as to carry out targeted marketing campaigns on users’ social networks, providing another channel for product marketing.

To realize single sign-on (SSO) in distributed systems, authentication systems are usually extracted independently and user identity information is stored in a separate storage medium, such as MySQL and Redis. Considering performance requirements, it is usually stored in Redis, as shown in the following figure:

Single sign-on features:

• The authentication system is an independent system.
• Each subsystem communicates with the authentication system through Http or other protocols to complete user authentication.
• User identity information is stored in the Redis cluster.

Single sign-on user authentication framework in Java:

• Apache Shiro
• CAS
• Spring security CAS

The third party authentication technology solution is mainly to solve the general standard of authentication protocol, because to achieve cross-system authentication, each system must follow a certain interface protocol.

• Reference: baike.baidu.com/item/oAuth/…
• Request: tools.ietf.org/html/rfc674…

Below analysis of an Oauth2 authentication example, dark horse programmer website using wechat authentication process:

Oauth2 includes the following roles:

• 1. The client itself does not store resources, and requires the authorization of the resource owner to request resources from the resource server, such as Changgou Online Android client, Changgou online Web client (browser), wechat client, etc.
• 2. The owner of the resource is usually the user or the application, that is, the owner of the resource.
• 3. The authorization server (also called the authentication server) authenticates the identity of the resource and authorizes the access to the resource. To access resources, clients must be authorized by the resource owner through the authentication server.
• 4. Resource server A server that stores resources. For example, the Changgou user management server stores the user information of Changgou. The client ultimately accesses the resource server to obtain resource information.

Oauth2 has the following authorization modes:

• 1. Authorization Code[common]
• 2. Implicit Authorization patterns
• 3. Resource Owner Password Credentials[common]
• 4. Client Credentials

Request authentication service to obtain authorization code:

# Get request:
http://localhost:9001/oauth/authorize?client_id=changgou&response_type=code&scop=app&redirect_uri=http://localhost
Copy the code

The parameter list is as follows:

Authorization configuration class AuthorizationServerConfig. Java has a complete code below!

The browser accesses the above Get request and automatically redirects to the following page:

Enter your account and password and click Login. Upon receiving the request, Spring Security invokes the loadUserByUsername method of the UserDetailsService interface to query the correct password of the user. Enter the client ID of the current project as Changgou and the secret key as Changgou to pass the authentication.

Next, enter the authorization page:

Click Authorize, next return authorization code: authentication service carries authorization code jump redirect_URI,code=aiT1wn is the returned authorization code!

Refreshing a token is to generate a new token when the token is about to expire. It is different from token generation by authorization code and password authorization. Refreshing a token does not require authorization code, account number and password, but only a refreshing token, client ID and client password.

# Post request:
http://localhost:9001/oauth/token
Copy the code

The difference between the Resource Owner Password Credentials mode and the authorization code mode is that the authentication codes are no longer used to apply for tokens. Instead, the user name and Password are used to apply for tokens.

# Post request:
http://localhost:9001/oauth/token
Copy the code

And this link requires HTTP Basic authentication:

The test results are as follows:

Refreshing a token is to generate a new token when the token is about to expire. It is different from token generation by authorization code and password authorization. Refreshing a token does not require authorization code, account number and password, but only a refreshing token, client ID and client password.

# Post request
http://localhost:9001/oauth/token
Copy the code

A successful refresh of the token generates a new access token and a refresh token, which also has a longer validity period than the old token.

Refreshing a token is usually done when the token is about to expire.

Resource server authorization process as shown above, the client go to the license server application token, a token of your application, carrying the token access server resources, resource server access authorization service check the legitimacy of the token, authorized service returns the check result, if check successful will be returned to the user information to server resources, resource server if received by the calibration results, The resource is returned to the client.

The problem of traditional authorization methods is that each time a user requests resource services, the resource service needs to carry a token to access the authentication service to verify the validity of the token and obtain user information according to the token, which results in low performance.

In the era of symmetric encryption, encryption and decryption used the same key, which was used for both encryption and decryption. There’s an obvious downside to this. If you transfer files between two people, both of them need to know the key. If it’s three, what about five? Asymmetric encryption results, with one key for encryption (public key) and another key for decryption (private key).

Spring Security provides support for JWT. In this section, we use JwtHelper provided by Spring Security to create JWT tokens, verify JWT tokens, and so on. Here we use asymmetric algorithm to encrypt JWT tokens, so we want to encrypt them into public and private keys.

(1) Generate a key certificate The following command generates a key certificate using the RSA algorithm. Each certificate contains a public key and a private key

Create a folder where you can run the following CMD command:

keytool -genkeypair -alias changgou -keyalg RSA -keypass changgou -keystore changgou.jks -storepass changgou 
Copy the code

Keytool is a certificate management tool provided by Java. The parameters are as follows:

This command is executed in the resources directory of the project:

(2) Query the certificate information

keytool -list -keystore changgou.jks
Copy the code

(3) Delete the alias.

keytool -delete -alias changgou -keystore changgou.jsk
Copy the code

(1) Create token data

In changgou – user – create a test class com oauth2 engineering. Changgou. Token. CreateJwtTest, use it to create the token information, code is as follows:

/ * * *@Auther: csp1999
 * @Date: 2021/01/25/7:30 *@Description: * /
public class CreateJwtTest {

    /** * Create token test */
    @Test
    public void testCreateToken(a){
        // Certificate file path
        String key_location="changgou.jks";

        // Keystore password
        String key_password="changgou";

        // The key password
        String keypwd = "changgou";

        // Alias of the key
        String alias = "changgou";

        // Access certificate path: Load the certificate
        ClassPathResource resource = new ClassPathResource(key_location);

        // Create a key factory: read the certificate data
        KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(resource,key_password.toCharArray());

        // Read the key pair (public, private)
        KeyPair keyPair = keyStoreKeyFactory.getKeyPair(alias,keypwd.toCharArray());

        // Get private key -> RSA algorithm
        RSAPrivateKey rsaPrivate = (RSAPrivateKey) keyPair.getPrivate();

        / / define content
        Map<String, Object> tokenMap = new HashMap<>();
        tokenMap.put("id"."1");
        tokenMap.put("name"."itheima");
        tokenMap.put("roles"."ROLE_VIP,ROLE_USER");

        // Encrypt: generate a Jwt token
        Jwt jwt = JwtHelper.encode(JSON.toJSONString(tokenMap), new RsaSigner(rsaPrivate));

        // Retrieve the token
        String encoded = jwt.getEncoded();

        // Test the output
        System.out.println(encoded);
        / / the result:
        // eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlcyI6IlJPTEVfVklQLFJPTEVfVVNFUiIsIm5hbWUiOiJpdGhlaW1hIiwiaWQiOiIxIn0.IR9Qu9Z qYZ2gU2qgAziyT38UhEeL4Oi69ko-dzC_P9-Vjz40hwZDqxl8wZ-W2WAw1eWGIHV1EYDjg0-eilogJZ5UikyWw1bewXCpvlM-ZRtYQQqHFTlfDiVcFetyTay askwa-x_BVS4pTWAskiaIKbKR4KcME2E5o1rEek-3YPkqAiZ6WP1UOmpaCJDaaFSdninqG0gzSCuGvLuG40x0Ngpfk7mPOecsIi5cbJElpdYUsCr9oXc53RO yfvYpHjzV7c2D5eIZu3leUPXRvvVAPJFEcSBiisxUSEeiGpmuQhaFZd1g-yJ1WQrixFvehMeLX2XU6W1nlL5ARTpQf_Jjiw
        
    }

    /*** * Parse validation token tests */
    @Test
    public void testParseToken(a){
        / / token
        String token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlcyI6IlJPTEVfVklQLFJPTEVfVVNFUiIsIm5hbWUiOiJpdGhlaW1hIiwiaWQiOiIxIn0.IR9Qu9 ZqYZ2gU2qgAziyT38UhEeL4Oi69ko-dzC_P9-Vjz40hwZDqxl8wZ-W2WAw1eWGIHV1EYDjg0-eilogJZ5UikyWw1bewXCpvlM-ZRtYQQqHFTlfDiVcFetyTa yaskwa-x_BVS4pTWAskiaIKbKR4KcME2E5o1rEek-3YPkqAiZ6WP1UOmpaCJDaaFSdninqG0gzSCuGvLuG40x0Ngpfk7mPOecsIi5cbJElpdYUsCr9oXc53R OyfvYpHjzV7c2D5eIZu3leUPXRvvVAPJFEcSBiisxUSEeiGpmuQhaFZd1g-yJ1WQrixFvehMeLX2XU6W1nlL5ARTpQf_Jjiw";

        / / the public key
        String publickey = "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvFsEiaLvij9C1Mz+oyAmt47whAaRkRu/8kePM+X8760UGU0RMwGti6Z9y3LQ0RvK6I0b rXmbGB/RsN38PVnhcP8ZfxGUH26kX0RK+tlrxcrG+HkPYOH4XPAL8Q1lu1n9x3tLcIPxq8ZZtuIyKYEmoLKyMsvTviG5flTpDprT25unWgE4md1kthRWXOnf WHATVY7Y/r4obiOL1mS5bEa/iNKotQNnvIAKtjBM4RlIDWMa6dmz+lHtLtqDD2LF1qwoiSIHI75LQZ/CNYaHCfZSxtOydpNKq8eb1/PGiLNolD4La2zf0/1d lcr5mkesV570NxRmU1tFm8Zd3MZlZmyv9QIDAQAB-----END PUBLIC KEY-----";

        / / check Jwt
        Jwt jwt = JwtHelper.decodeAndVerify(token, new RsaVerifier(publickey));

        // Get the original Jwt content
        String claims = jwt.getClaims();
        System.out.println(claims);// {"roles":"ROLE_VIP,ROLE_USER","name":"itheima","id":"1"}

        / / JWT token
        //String encoded = jwt.getEncoded();
        //System.out.println(encoded);}}Copy the code

The flow chart of user login is as follows:

Execution process:

• 1. The user logs in and requests the authentication service
• 2. The authentication service passes the authentication, generates the JWT token, and writes the JWT token and related information into the cookie
• 3. The user accesses the resource page and takes the cookie to the gateway
• 4. The gateway obtains the token from the cookie. If the token exists, the gateway verifies the validity of the token
• 5. The user exits, requests the authentication service, and deletes the token in the cookie

server:
  # Authenticate microservice port
  port: 9001
# Spring related configuration
spring:
  application:
    # Micro service name
    name: user-auth
  # Redis configuration
  redis:
    # Redis database index (default 0)
    database: 0
    # Redis server address
    host: 8.13166.136.
    # Redis server connection port
    port: 6379
    # Redis server connection password (default null)
    password: csp19990129
  # Database configuration
  datasource:
    driver-class-name: com.mysql.jdbc.Driver
    url: JDBC: mysql: / / 127.0.0.1:3306 / changgou_oauth? useUnicode=true&characterEncoding=utf-8&useSSL=false&allowMultiQueries=true&serverTimezone=UTC
    username: root
    password: root
  main:
    allow-bean-definition-overriding: true
# Eureka configuration
eureka:
  instance:
    prefer-ip-address: true
  client:
    service-url:
      defaultZone: http://127.0.0.1:7001/eureka
# auth related configuration
auth:
  The expiration time of the token stored to Redis
  ttl: 3600
  # unique ID of client
  clientId: changgou
  # client key
  clientSecret: changgou
  # the cookie domain name
  cookieDomain: localhost
  cookieMaxAge: - 1
Configure the local certificate, key, and certificate password
encrypt:
  key-store:
    Certificate path (resources path)
    location: classpath:/changgou.jks
    # key
    The public key (provided to each microservice) can be encrypted to verify the validity of the token --> the private key (provided to the authentication microservice) can be decrypted to generate the token --> the asymmetric encryption algorithm RSA
    # We did MD5 encryption algorithm before, using digest encryption algorithm, irreversible!
    # AES/DESC uses symmetric encryption, can encrypt and decrypt, encryption decrypt key is the same!
    secret: changgou
    # certificate alias
    alias: changgou
    # certificate password
    password: changgou
Copy the code

AuthorizationServerConfig

@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /** * data source, used to fetch data from the database for authentication operations, tests can be fetched from memory */
    @Autowired
    private DataSource dataSource;
    /** * JWT token converter */
    @Autowired
    private JwtAccessTokenConverter jwtAccessTokenConverter;

    /** * SpringSecurity user - defined authorization */
    @Autowired
    UserDetailsService userDetailsService;

    /** * Authorization manager */
    @Autowired
    AuthenticationManager authenticationManager;

    /** * token persistent storage interface */
    @Autowired
    TokenStore tokenStore;

    @Autowired
    private CustomUserAuthenticationConverter customUserAuthenticationConverter;

    /** * Client information configuration **@param clients
     * @throws Exception
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("changgou")          // Client ID
                .secret("changgou")                     / / the secret key
                .redirectUris("http://localhost")       // Redirect the address
                .accessTokenValiditySeconds(3600)       // Access the token validity period
                .refreshTokenValiditySeconds(3600)      // Refresh the token validity period
                .authorizedGrantTypes(
                        "authorization_code".// Generate tokens based on authorization codes
                        "client_credentials".// Client authentication
                        "refresh_token".// Refresh the token
                        "password")                     // Password authentication
                .scopes("app");                         // Client scope, name user-defined, mandatory
    }

    /** * Authorization server endpoint configuration **@param endpoints
     * @throws Exception
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.accessTokenConverter(jwtAccessTokenConverter)
                .authenticationManager(authenticationManager)  // Authentication manager
                .tokenStore(tokenStore)                        // Token store
                .userDetailsService(userDetailsService);       // User information service
    }

    /** * Authorization server security configuration **@param oauthServer
     * @throws Exception
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.allowFormAuthenticationForClients()
                .passwordEncoder(new BCryptPasswordEncoder())
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()");
    }

    /** * Read the key configuration **@return* /
    @Bean("keyProp")
    public KeyProperties keyProperties(a) {
        return new KeyProperties();
    }

    @Resource(name = "keyProp")
    private KeyProperties keyProperties;

    /** * Client configuration */
    @Bean
    public ClientDetailsService clientDetails(a) {
        return new JdbcClientDetailsService(dataSource);
    }

    @Bean
    @Autowired
    public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
        return new JwtTokenStore(jwtAccessTokenConverter);
    }

    /** * JWT token converter **@param customUserAuthenticationConverter
     * @return* /
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(CustomUserAuthenticationConverter customUserAuthenticationConverter) {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        KeyPair keyPair = new KeyStoreKeyFactory(
                keyProperties.getKeyStore().getLocation(),                          // Certificate path changgo.jks
                keyProperties.getKeyStore().getSecret().toCharArray())              // Certificate key changgouapp
                .getKeyPair(
                        keyProperties.getKeyStore().getAlias(),                     // Certificate alias changgou
                        keyProperties.getKeyStore().getPassword().toCharArray());   // Certificate password changgou
        converter.setKeyPair(keyPair);
        / / configure custom CustomUserAuthenticationConverter
        DefaultAccessTokenConverter accessTokenConverter = (DefaultAccessTokenConverter) converter.getAccessTokenConverter();
        accessTokenConverter.setUserTokenConverter(customUserAuthenticationConverter);
        returnconverter; }}Copy the code

CustomUserAuthenticationConverter

@Component
public class CustomUserAuthenticationConverter extends DefaultUserAuthenticationConverter {

    @Autowired
    UserDetailsService userDetailsService;

    @Override
    publicMap<String, ? > convertUserAuthentication(Authentication authentication) { LinkedHashMap response =new LinkedHashMap();
        String name = authentication.getName();
        response.put("username", name);

        Object principal = authentication.getPrincipal();
        UserJwt userJwt = null;
        if (principal instanceof UserJwt) {
            userJwt = (UserJwt) principal;
        } else {
            // Refresh_token by default does not call the userdetailService to get user information. Here we call it manually to get UserJwt
            UserDetails userDetails = userDetailsService.loadUserByUsername(name);
            userJwt = (UserJwt) userDetails;
        }
        response.put("name", userJwt.getName());
        response.put("id", userJwt.getId());
        response.put("company", userJwt.getCompany());
        response.put("address", userJwt.getAddress());

        if(authentication.getAuthorities() ! =null && !authentication.getAuthorities().isEmpty()) {
            response.put("authorities", AuthorityUtils.authorityListToSet(authentication.getAuthorities()));
        }
        returnresponse; }}Copy the code

UserDetailsServiceImpl

/** * Custom authentication */
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    ClientDetailsService clientDetailsService;

    /** * Custom authentication **@param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Retrieve the identity. If the identity is empty, there is no authentication
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Client_id and client_secret are stored in httpBasic. Client_id and client_secret are authenticated
        if (authentication == null) {
            ClientDetails clientDetails = clientDetailsService.loadClientByClientId(username);
            if(clientDetails ! =null) {
                / / the secret key
                String clientSecret = clientDetails.getClientSecret();
                // Static mode
                return new User(username, new BCryptPasswordEncoder().encode(clientSecret), AuthorityUtils.commaSeparatedStringToAuthorityList(""));
                // Database lookup
                //return new User(username,clientSecret, AuthorityUtils.commaSeparatedStringToAuthorityList(""));}}if (StringUtils.isEmpty(username)) {
            return null;
        }

        // Query user information based on the user name
        String pwd = new BCryptPasswordEncoder().encode("szitheima");
        // Create the User object
        String permissions = "goods_list,seckill_list";

        UserJwt userDetails = new UserJwt(username, pwd, AuthorityUtils.commaSeparatedStringToAuthorityList(permissions));

        //userDetails.setComy(songsi);
        returnuserDetails; }}Copy the code

WebSecurityConfig

@Configuration
@EnableWebSecurity
@Order(-1)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** * ignores the security-blocked URL **@param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                "/user/login"."/user/logout");
    }

    /** * Create an authorization management authentication object **@return
     * @throws Exception
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean(a) throws Exception {
        AuthenticationManager manager = super.authenticationManagerBean();
        return manager;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }

    /** * Use BCryptPasswordEncoder to encode the password **@return* /
    @Bean
    public PasswordEncoder passwordEncoder(a) {
        return new BCryptPasswordEncoder();
    }

    / * * *@param http
     * @throws Exception
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .httpBasic()           // Enable Http basic authentication
                .and()
                .formLogin()           // Enable form authentication
                .and()
                .authorizeRequests()   // Restrict access based on Request
                .anyRequest()
                .authenticated();      // All other requests need to be validated}}Copy the code

Create control layer com. Changgou. Request. Controller. AuthController, writing user login authorization method, the code is as follows:

AuthController

/ * * *@Author: csp1999
 * @Date: 2020/7/7 shew forth *@Description: * /
@RestController
@RequestMapping(value = "/userx")
public class AuthController {

    // Client ID
    @Value("${auth.clientId}")
    private String clientId;

    / / the secret key
    @Value("${auth.clientSecret}")
    private String clientSecret;

    // The domain name of the Cookie
    @Value("${auth.cookieDomain}")
    private String cookieDomain;

    // Cookie life cycle
    @Value("${auth.cookieMaxAge}")
    private int cookieMaxAge;

    @Autowired
    AuthService authService;

    @PostMapping("/login")
    public Result login(String username, String password) {
        if (StringUtils.isEmpty(username)) {
            throw new RuntimeException("User name cannot be empty");
        }
        if (StringUtils.isEmpty(password)) {
            throw new RuntimeException("Passwords cannot be empty.");
        }
        // Apply for a token
        AuthToken authToken = authService.login(username, password, clientId, clientSecret);

        // User identity token
        String access_token = authToken.getAccessToken();
        // Store tokens to cookies
        saveCookie(access_token);

        return new Result(true, StatusCode.OK, "Login successful!");
    }

    /** * store token to cookie **@param token
     */
    private void saveCookie(String token) { HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();  CookieUtil.addCookie(response, cookieDomain,"/"."Authorization", token, cookieMaxAge, false); }}Copy the code

UserLoginController

/ * * *@Author: csp1999
 * @Date: 2020/7/7 shew forth *@Description: * /
@RestController
@RequestMapping("/user")
public class UserLoginController {

    @Autowired
    private LoginService loginService;

    /** * Client id */
    @Value("${auth.clientId}")
    private String clientId;

    /** * Client key */
    @Value("${auth.clientSecret}")
    private String clientSecret;

    /** * Authorization mode Password mode */
    private static final String GRAND_TYPE = "password";

    /**
     * cookie域名
     */
    @Value("${auth.cookieDomain}")
    private String cookieDomain;

    /** * Cookie life cycle */
    @Value("${auth.cookieMaxAge}")
    private int cookieMaxAge;


    /** * Login method: * 1. Password mode Authentication and authorization mode: grant_type=password **@paramUsername 2. Szitheima *@paramPassword 3. Szitheima *@return* /
    @RequestMapping("/login")
    public Result<Map> login(String username, String password) {
        // call the login method of loginService to login and return the generated token data
        AuthToken authToken = loginService.login(username, password, clientId, clientSecret, GRAND_TYPE);


        // Set to cookie
        saveCookie(authToken.getAccessToken());
        return new Result<>(true, StatusCode.OK, "Token generation successful", authToken);
    }

    // Save the token to the cookie
    private void saveCookie(String token) { HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();  CookieUtil.addCookie(response, cookieDomain,"/"."Authorization", token, cookieMaxAge, false); }}Copy the code