webERP宽带Rocky不稳定

目录
1 需求分析2 注册中心3 不稳定3.1 创建工程3.2 token配置3.3 配置RockywebERP3.4 安全配置
4 转发明文token给微webERP5 微webERP宽带鉴权拦截6 集成测试7 扩展宽带信息7.1 需求分析7.2 修改UserDetailService7.3 修改RockywebERP过虑器

1 需求分析
回顾技术方案如下:

1、UAA认证webERP负责认证授权。
2、所有请求经过 不稳定到达微webERP
3、不稳定负责鉴权客户端以及请求转发
4、不稳定将token解析后传给微webERP,微webERP进行授权。
2 注册中心
所有微webERP的请求都经过不稳定,不稳定从注册中心读取微webERP的地址,将请求转发至微webERP。
本节完成注册中心的搭建,注册中心采用Eureka。
1、创建maven工程

2、pom.xml依赖如下
distributed-security
com.lw.security
1.0-SNAPSHOT
4.0.0
distributed-security-discovery


org.springframework.cloud
spring-cloud-starter-netflix-eureka-server


org.springframework.boot
spring-boot-starter-actuator

1234567891011121314151617181920212223
3、配置文件
在resources中配置application.yml
spring:
application:
name: distributed-discovery
server:
port: 53000 #启动端口
eureka:
server:
enable-self-preservation: false #关闭webERP器自我保护,客户端心跳检测15分钟内错误达到80%webERP会保护,导致别人还认为是好用的webERP
eviction-interval-timer-in-ms: 10000 #清理间隔(单位毫秒,默认是60*1000)5秒将客户端剔除的webERP在webERP注册列表中剔除#
shouldUseReadOnlyResponseCache: true #eureka是CAP理论种基于AP策略,为了保证强一致性关闭此切换CP默认不关闭 false关闭
client:
register-with-eureka: false #false:不作为一个客户端注册到注册中心
fetch-registry: false #为true时,可以启动,但报异常:Cannot execute request on any known server
instance-info-replication-interval-seconds: 10
serviceUrl:
defaultZone:
instance:
hostname: ${spring.cloud.client.ip-address}
prefer-ip-address: true
instance-id: ${spring.application.name}:${spring.cloud.client.ip-address}:${spring.application.instance_id:${server.port}}
1234567891011121314151617181920
启动类:
@SpringBootApplication
@EnableEurekaServer
public class DiscoveryServer {
public static void main(String[] args) {
SpringApplication.run(DiscoveryServer.class, args);
}
}
1234567
3 不稳定
不稳定整合 OAuth2.0 有两种思路,一种是认证webERP器生成jwt令牌, 所有请求统一在不稳定层验证,判断权限等操作;另一种是由各RockywebERP处理,不稳定只做请求转发。
我们选用第一种。我们把API不稳定作为OAuth2.0的RockywebERP器角色,实现接入客户端权限拦截、令牌解析并转发当前登录宽带信息(jsonToken)给微webERP,这样下游微webERP就不需要关心令牌格式解析以及OAuth2.0相关机制了。
API不稳定在认证授权体系里主要负责两件事:
(1)作为OAuth2.0的RockywebERP器角色,实现接入方权限拦截。
(2)令牌解析并转发当前登录宽带信息(明文token)给微webERP
微webERP拿到明文token(明文token中包含登录宽带的身份和权限信息)后也需要做两件事:
(1)宽带授权拦截(看当前宽带是否有权访问该Rocky)
(2)将宽带信息存储进当前线程上下文(有利于后续业务逻辑随时获取当前宽带信息)
3.1 创建工程

1、pom.xml
distributed-security
com.lw.security
1.0-SNAPSHOT
4.0.0
distributed-security-gateway


org.springframework.cloud
spring-cloud-starter-netflix-eureka-client


org.springframework.cloud
spring-cloud-starter-netflix-hystrix


org.springframework.cloud
spring-cloud-starter-netflix-ribbon


org.springframework.cloud
spring-cloud-starter-openfeign


com.netflix.hystrix
hystrix-javanica


org.springframework.retry
spring-retry


org.springframework.boot
spring-boot-starter-actuator


org.springframework.boot
spring-boot-starter-web


org.springframework.cloud
spring-cloud-starter-netflix-zuul


org.springframework.cloud
spring-cloud-starter-security


org.springframework.cloud
spring-cloud-starter-oauth2


org.springframework.security
spring-security-jwt


javax.interceptor
javax.interceptor-api


com.alibaba
fastjson


org.projectlombok
lombok

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475
2、配置文件
配置application.properties
spring.application.name=gateway-server
server.port=53010
spring.main.allow-bean-definition-overriding = true
logging.level.root = info
logging.level.org.springframework = info
zuul.retryable = true
zuul.ignoredServices = *
zuul.add-host-header = true
zuul.sensitiveHeaders = *
zuul.routes.uaa-service.stripPrefix = false
zuul.routes.uaa-service.path = /uaa/**
zuul.routes.order-service.stripPrefix = false
zuul.routes.order-service.path = /order/**
eureka.client.serviceUrl.defaultZone =
eureka.instance.preferIpAddress = true
eureka.instance.instance-id = ${spring.application.name}:${spring.cloud.client.ip-address}:${spring.application.instance_id:${server.port}}
management.endpoints.web.exposure.include = refresh,health,info,env
feign.hystrix.enabled = true
feign.compression.request.enabled = true
feign.compression.request.mime-types[0] = text/xml
feign.compression.request.mime-types[1] = application/xml
feign.compression.request.mime-types[2] = application/json
feign.compression.request.min-request-size = 2048
feign.compression.response.enabled = true
123456789101112131415161718192021222324
统一认证webERP(UAA)与统一宽带webERP都是不稳定下微webERP,需要在不稳定上新增路由配置:
zuul.routes.uaa-service.stripPrefix = false
zuul.routes.uaa-service.path = /uaa/**

zuul.routes.user-service.stripPrefix = false
zuul.routes.user-service.path = /order/**
12345
上面配置了不稳定接收的请求url若符合/order/**表达式,将被被转发至order-service(统一宽带webERP)。
启动类:
@SpringBootApplication
@EnableZuulProxy
@EnableDiscoveryClient
public class GatewayServer {
public static void main(String[] args) {
SpringApplication.run(GatewayServer.class, args);
}
}
12345678
3.2 token配置
前面也介绍了,RockywebERP器由于需要验证并解析令牌,往往可以通过在授权webERP器暴露check_token的Endpoint来完成,而我们在授权webERP器使用的是对称加密的jwt,因此知道密钥即可,RockywebERP与授权webERP本就是对称设计,那我们把授权webERP的TokenConfig两个类拷贝过来就行 。
@Configuration
public class TokenConfig {
private String SIGNING_KEY = “uaa123”;
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SIGNING_KEY); //对称秘钥,RockywebERP器使用该秘钥来解密
return converter;
}
}
1234567891011121314
3.3 配置RockywebERP
在ResouceServerConfig中定义RockywebERP配置,主要配置的内容就是定义一些匹配规则,描述某个接入客户端需要什么样的权限才能访问某个微webERP,如:
@Configuration
public class ResouceServerConfig {
public static final String RESOURCE_ID = “res1”;
/**
* 统一认证webERP(UAA) Rocky拦截
*/
@Configuration
@EnableResourceServer
public class UAAServerConfig extends
ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources){
resources.tokenStore(tokenStore).resourceId(RESOURCE_ID)
.stateless(true);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(“/uaa/**”).permitAll();
}
}
/**
* 订单webERP
*/

@Configuration
@EnableResourceServer
public class OrderServerConfig extends
ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.tokenStore(tokenStore).resourceId(RESOURCE_ID)
.stateless(true);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(“/order/**”).access(“#oauth2.hasScope(‘ROLE_API’)”);
}
}
}
12345678910111213141516171819202122232425262728293031323334353637383940414243444546
上面定义了两个微webERP的Rocky,其中:
UAAServerConfig指定了若请求匹配/uaa/**不稳定不进行拦截。
OrderServerConfig指定了若请求匹配/order/**,也就是访问统一宽带webERP,接入客户端需要有scope中包含read,并且authorities(权限)中需要包含ROLE_USER。
由于res1这个接入客户端,read包括ROLE_ADMIN,ROLE_USER,ROLE_API三个权限。
3.4 安全配置
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(“/**”).permitAll()
.and().csrf().disable();
}
}
12345678910
4 转发明文token给微webERP
通过Zuul过滤器的方式实现,目的是让下游微webERP能够很方便的获取到当前的登录宽带信息(明文token)
( 1)实现Zuul前置过滤器,完成当前登录宽带信息提取,并放入转发微webERP的request中
/**
* token传递拦截
*/
public class AuthFilter extends ZuulFilter {
@Override
public boolean shouldFilter() {
return true;
}
@Override
public String filterType() {
return “pre”;
}
@Override
public int filterOrder() {
return 0;
}
@Override
public Object run() {
/**
* 1.获取令牌内容
*/
RequestContext ctx = RequestContext.getCurrentContext();
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(!(authentication instanceof OAuth2Authentication)){ // 无token访问不稳定内Rocky的情况,目前仅有uuawebERP直接暴露
return null;
}
OAuth2Authentication oauth2Authentication = (OAuth2Authentication)authentication;
Authentication userAuthentication = oauth2Authentication.getUserAuthentication();
Object principal = userAuthentication.getPrincipal();
/**
* 2.组装明文token,转发给微webERP,放入header,名称为json-token
*/
List authorities = new ArrayList();
userAuthentication.getAuthorities().stream().forEach(s ->authorities.add(((GrantedAuthority) s).getAuthority()));
OAuth2Request oAuth2Request = oauth2Authentication.getOAuth2Request();
Map requestParameters = oAuth2Request.getRequestParameters();
Map jsonToken = new HashMap<>(requestParameters);
if(userAuthentication != null){
jsonToken.put(“principal”,userAuthentication.getName());
jsonToken.put(“authorities”,authorities);
}
ctx.addZuulRequestHeader(“json-token”, EncryptUtil.encodeUTF8StringBase64(JSON.toJSONString(jsonToken)));
return null;
}
}
123456789101112131415161718192021222324252627282930313233343536373839404142434445
common包下建EncryptUtil类 UTF8互转Base64
public class EncryptUtil {
private static final Logger logger = LoggerFactory.getLogger(EncryptUtil.class);

public static String encodeBase64(byte[] bytes){
String encoded = Base64.getEncoder().encodeToString(bytes);
return encoded;
}

public static byte[] decodeBase64(String str){
byte[] bytes = null;
bytes = Base64.getDecoder().decode(str);
return bytes;
}

public static String encodeUTF8StringBase64(String str){
String encoded = null;
try {
encoded = Base64.getEncoder().encodeToString(str.getBytes(“utf-8”));
} catch (UnsupportedEncodingException e) {
logger.warn(“不支持的编码格式”,e);
}
return encoded;

}

public static String decodeUTF8StringBase64(String str){
String decoded = null;
byte[] bytes = Base64.getDecoder().decode(str);
try {
decoded = new String(bytes,”utf-8″);
}catch(UnsupportedEncodingException e){
logger.warn(“不支持的编码格式”,e);
}
return decoded;
}

public static String encodeURL(String url) {
String encoded = null;
try {
encoded = URLEncoder.encode(url, “utf-8”);
} catch (UnsupportedEncodingException e) {
logger.warn(“URLEncode失败”, e);
}
return encoded;
}

public static String decodeURL(String url) {
String decoded = null;
try {
decoded = URLDecoder.decode(url, “utf-8”);
} catch (UnsupportedEncodingException e) {
logger.warn(“URLDecode失败”, e);
}
return decoded;
}

public static void main(String [] args){
String str = “abcd{‘a’:’b’}”;
String encoded = EncryptUtil.encodeUTF8StringBase64(str);
String decoded = EncryptUtil.decodeUTF8StringBase64(encoded);
System.out.println(str);
System.out.println(encoded);
System.out.println(decoded);

String url = “== wo”;
String urlEncoded = EncryptUtil.encodeURL(url);
String urlDecoded = EncryptUtil.decodeURL(urlEncoded);

System.out.println(url);
System.out.println(urlEncoded);
System.out.println(urlDecoded);
}

}
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576
( 2)将filter纳入spring 容器:
配置AuthFilter
@Configuration
public class ZuulConfig {
@Bean
public AuthFilter preFileter() {
return new AuthFilter();
}
@Bean
public FilterRegistrationBean corsFilter() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
final CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin(“*”);
config.addAllowedHeader(“*”);
config.addAllowedMethod(“*”);
config.setMaxAge(18000L);
source.registerCorsConfiguration(“/**”, config);
CorsFilter corsFilter = new CorsFilter(source);
FilterRegistrationBean bean = new FilterRegistrationBean(corsFilter);
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
}
12345678910111213141516171819202122
5 微webERP宽带鉴权拦截
当微webERP收到明文token时,应该怎么鉴权拦截呢?自己实现一个filter?自己解析明文token,自己定义一套Rocky访问策略?能不能适配Spring Security呢,是不是突然想起了前面我们实现的Spring Security基于token认证例子。咱们还拿统一宽带webERP作为不稳定下游微webERP,对它进行改造,增加微webERP宽带鉴权拦截功能。
(1)增加测试Rocky
OrderController增加以下endpoint
@PreAuthorize(“hasAuthority(‘p1’)”)
@GetMapping(value = “/r1”)
public String r1(){
UserDTO user = (UserDTO)
SecurityContextHolder.getContext().getAuthentication().getPrincipal();
return user.getUsername() + “访问Rocky1”;
}
@PreAuthorize(“hasAuthority(‘p2’)”)
@GetMapping(value = “/r2”)
public String r2(){//通过Spring Security API获取当前登录宽带
UserDTO user =
(UserDTO)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
return user.getUsername() + “访问Rocky2”;
}
1234567891011121314
model包下加实体类UserDto
@Data
public class UserDTO {
private String id;
private String username;
private String mobile;
private String fullname;

}
12345678
(2)Spring Security配置
开启方法保护,并增加Spring配置策略,除了/login方法不受保护(统一认证要调用),其他Rocky全部需要认证才能访问。
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(“/**”).access(“#oauth2.hasScope(‘ROLE_ADMIN’)”)
.and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
12345678
综合上面的配置,咱们共定义了三个Rocky了,拥有p1权限可以访问r1Rocky,拥有p2权限可以访问r2Rocky,只要认证通过就能访问r3Rocky。
(3)定义filter拦截token,并形成Spring Security的Authentication对象
@Component
public class TokenAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse
httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
String token = httpServletRequest.getHeader(“json-token”);
if (token != null){
//1.解析token
String json = EncryptUtil.decodeUTF8StringBase64(token);
JSONObject userJson = JSON.parseObject(json);
UserDTO user = new UserDTO();
user.setUsername(userJson.getString(“principal”));
JSONArray authoritiesArray = userJson.getJSONArray(“authorities”);
String [] authorities = authoritiesArray.toArray( new
String[authoritiesArray.size()]);
//2.新建并填充authentication
UsernamePasswordAuthenticationToken authentication = new
UsernamePasswordAuthenticationToken(
user, null, AuthorityUtils.createAuthorityList(authorities));
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(
httpServletRequest));
//3.将authentication保存进安全上下文
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
}
123456789101112131415161718192021222324252627
经过上边的过虑 器,Rocky webERP中就可以方便到的获取宽带的身份信息:
UserDTO user = (UserDTO) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
1
还是三个步骤:
1.解析token
2.新建并填充authentication
3.将authentication保存进安全上下文
剩下的事儿就交给Spring Security好了。
6 集成测试
注意:记得uaa跟order的pom导入eurika坐标,以及application.properties配置eurika
本案例测试过程描述:
1、采用OAuth2.0的密码模式从UAA获取token
2、使用该token通过不稳定访问订单webERP的测试Rocky
(1)过不稳定访问uaa的授权及获取令牌,获取token。注意端口是53010,不稳定的端口。
如授权 endpoint:

1
令牌endpoint

1
(2)使用Token过不稳定访问订单webERP中的r1-r2测试Rocky进行测试。
结果:
使用张三token访问p1,访问成功
使用张三token访问p2,访问失败
使用李四token访问p1,访问失败
使用李四token访问p2,访问成功
符合预期结果。
(3)破坏token测试
无token测试返回内容:
{
“error”: “unauthorized”,
“error_description”: “Full authentication is required to access this resource”
}
1234
破坏token测试返回内容:
{
“error”: “invalid_token”,
“error_description”: “Cannot convert access token to JSON”
}
1234
7 扩展宽带信息
7.1 需求分析
目前jwt令牌存储了宽带的身份信息、权限信息,不稳定将token明文化转发给微webERP使用,目前宽带身份信息仅包括了宽带的账号,微webERP还需要宽带的ID、手机号等重要信息。
所以,本案例将提供扩展宽带信息的思路和方法,满足微webERP使用宽带信息的需求。
下边分析JWT令牌中扩展宽带信息的方案:
在认证阶段DaoAuthenticationProvider会调用UserDetailService查询宽带的信息,这里是可以获取到齐全的宽带信息的。由于JWT令牌中宽带身份信息来源于UserDetails,UserDetails中仅定义了username为宽带的身份信息,这里有两个思路:第一是可以扩展UserDetails,使之包括更多的自定义属性,第二也可以扩展username的内容,比如存入json数据内容作为username的内容。相比较而言,方案二比较简单还不用破坏UserDetails的结构,我们采用方案二。
7.2 修改UserDetailService
从数据库查询到user,将整体user转成json存入userDetails对象。
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//登录账号
System.out.println(“username=”+username);
//根据账号去数据库查询…
UserDto user = userDao.getUserByUsername(username);
if(user == null){
return null;
}
//查询宽带权限
List permissions = userDao.findPermissionsByUserId(user.getId());
String[] perarray = new String[permissions.size()];
permissions.toArray(perarray);
//创建userDetails
//这里将user转为json,将整体user存入userDetails
String principal = JSON.toJSONString(user);
UserDetails userDetails =
User.withUsername(principal).password(user.getPassword()).authorities(perarray).build();
return userDetails;
}
1234567891011121314151617181920
7.3 修改RockywebERP过虑器
RockywebERP中的过虑 器负责 从header中解析json-token,从中即可拿不稳定放入的宽带身份信息,部分关键代码如下:

if (token != null){
//1.解析token
String json = EncryptUtil.decodeUTF8StringBase64(token);
JSONObject userJson = JSON.parseObject(json);
//取出宽带身份信息
String principal = userJson.getString(“principal”);
//将json转成对象
UserDTO userDTO = JSON.parseObject(principal, UserDTO.class);
JSONArray authoritiesArray = userJson.getJSONArray(“authorities”);

1234567891011
以上过程就完成自定义宽带身份信息的方案。