oltu是一个开源的oauth2.0协议的实现,本人在此开源项目的基础上进行修改,实现一个自定义的oauth2.0模块。
关于oltu的使用大家可以看这里:http://oltu.apache.org/
项目可以从这里下载:http://mirror.bit.edu.cn/apache/oltu/org.apache.oltu.oauth2/
项目中我将四种授权方式都做了实现(授权码模式、简化模式、密码模式及客户端模式),但是这里仅以授权码模式为例,服务端采用Jersey框架实现,而客户端采用spring mvc实现。
服务器端实现:为了方便开发,我将oltu的所有源码都拖进了项目中,而不是导入jar,因为很多地方可能在我所开发的项目中不适用,这样可以方便修改和跟踪代码。
其实服务端开发很简单,主要集中在两个比较主要的文件中,一个是请求授权的AuthzEndpoint.java,一个是生成令牌的TokenEndpoint.java,如图所示。
至于资源控制器由于我开发的项目中,资源访问控制是采用过滤器的方式,因此没有用到oltu提供的java类,两个主要类文件的代码修改如下:
AuthzEndpoint.java
/** * Copyright 2010 Newcastle University * * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.oltu.oauth2.integration.endpoints; import java.net.URI; import java.net.URISyntaxException; import java.text.SimpleDateFormat; import java.util.HashMap; import java.util.Map; import java.util.Properties; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; import org.apache.ibatis.session.SqlSession; import org.apache.oltu.oauth2.as.issuer.MD5Generator; import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl; import org.apache.oltu.oauth2.as.request.OAuthAuthzRequest; import org.apache.oltu.oauth2.as.response.OAuthASResponse; import org.apache.oltu.oauth2.common.OAuth; import org.apache.oltu.oauth2.common.error.OAuthError; import org.apache.oltu.oauth2.common.error.ServerErrorType; import org.apache.oltu.oauth2.common.exception.OAuthProblemException; import org.apache.oltu.oauth2.common.exception.OAuthSystemException; import org.apache.oltu.oauth2.common.message.OAuthResponse; import org.apache.oltu.oauth2.common.message.types.ResponseType; import org.apache.oltu.oauth2.integration.utils.Cache; import org.apache.oltu.oauth2.integration.utils.CacheManager; import com.cz.bean.App; import com.cz.bean.Authority; import com.cz.bean.RefreshToken; import com.cz.dao.AppMapper; import com.cz.dao.AuthorityMapper; import com.cz.dao.RefreshTokenMapper; import com.cz.util.DbUtil; /** * * client request authorization * */ @Path("/authz") public class AuthzEndpoint { SqlSession sqlSession = DbUtil.getSessionFactory().openSession(true); AppMapper appDao = sqlSession.getMapper(AppMapper.class); AuthorityMapper authorityDao = sqlSession.getMapper(AuthorityMapper.class); RefreshTokenMapper refreshTokenDao = sqlSession .getMapper(RefreshTokenMapper.class); //登录页面 private static String loginPage; //错误页面 private static String errorPage; static { Properties p = new Properties(); try { p.load(AuthzEndpoint.class.getClassLoader().getResourceAsStream( "config.properties")); loginPage = p.getProperty("loginPage"); errorPage = p.getProperty("errorPage"); } catch (Exception e) { e.printStackTrace(); } } public static final String INVALID_CLIENT_DESCRIPTION = "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."; @GET public Response authorize(@Context HttpServletRequest request) throws URISyntaxException, OAuthSystemException { OAuthAuthzRequest oauthRequest = null; OAuthIssuerImpl oauthIssuerImpl = new OAuthIssuerImpl( new MD5Generator()); try { oauthRequest = new OAuthAuthzRequest(request); /* * 当前登录的用户,模拟一个从session中获取的登录用户 * 该方法未实现,待模块与养老平台整合时,应调用养老平台方法判断用户是否已登录 * 并获得对应用户的userId */ String userId = "1"; if ("".equals(userId) || userId == null) { // 用户没有登录就跳转到登录页面 return Response.temporaryRedirect(new URI(loginPage)).build(); } App app = null; if(oauthRequest.getClientId()!=null && !"".equals(oauthRequest.getClientId())){ app = appDao.selectByPrimaryKey(oauthRequest.getClientId()); }else{ return Response.temporaryRedirect(new URI(errorPage+"?error="+ServerErrorType.CLIENT_ID_IS_NULL)).build(); } // 根据response_type创建response String responseType = oauthRequest .getParam(OAuth.OAUTH_RESPONSE_TYPE); OAuthASResponse.OAuthAuthorizationResponseBuilder builder = OAuthASResponse .authorizationResponse(request, HttpServletResponse.SC_FOUND); // 检查传入的客户端id是否正确 if (app == null) { return Response.temporaryRedirect(new URI(errorPage+"?error="+ServerErrorType.UNKOWN_CLIENT_ID)).build(); } String scope = oauthRequest.getParam(OAuth.OAUTH_SCOPE); // 授权请求类型 if (responseType.equals(ResponseType.CODE.toString())) { String code = oauthIssuerImpl.authorizationCode(); builder.setCode(code); CacheManager.putCache(userId+"_code", new Cache("code", code, 216000000, false)); CacheManager.putCache(userId+"_scope", new Cache("scope", scope, 216000000, false)); } if (responseType.equals(ResponseType.TOKEN.toString())) { // 校验client_secret if (!app.getSecret_key().equals(oauthRequest.getClientSecret())) { OAuthResponse response = OAuthASResponse.errorResponse(HttpServletResponse.SC_OK) .setError(OAuthError.TokenResponse.INVALID_CLIENT).setErrorDescription(INVALID_CLIENT_DESCRIPTION) .buildJSONMessage(); return Response.status(response.getResponseStatus()).entity(response.getBody()).build(); } String accessToken = oauthIssuerImpl.accessToken(); builder.setAccessToken(accessToken); builder.setExpiresIn(3600l); //判断是否已经授权----待调整是放在authz部分还是token部分 Map<String,Object> aQueryParam = new HashMap<>(); aQueryParam.put("appKey",oauthRequest.getClientId()); aQueryParam.put("userId",Integer.valueOf(userId)); if(authorityDao.findUnique(aQueryParam)==null){ Authority authority = new Authority(); authority.setApp_key(oauthRequest.getClientId()); authority.setUser_id(Integer.valueOf(userId)); authorityDao.insert(authority); } // 存储token,已授权则更新令牌,未授权则新增令牌 Map<String,Object> rQueryParam = new HashMap<>(); rQueryParam.put("appKey", oauthRequest.getClientId()); rQueryParam.put("userId", Integer.valueOf(userId)); if (refreshTokenDao.findUnique(rQueryParam) != null) { Map<String,Object> map = new HashMap<>(); map.put("accessToken", accessToken); map.put("appKey", oauthRequest.getClientId()); map.put("userId", Integer.valueOf(userId)); map.put("createTime", getDate()); map.put("scope", scope); map.put("authorizationTime", getDate()); refreshTokenDao.updateAccessToken(map); } else { RefreshToken rt = new RefreshToken(); rt.setApp_key(oauthRequest.getClientId()); rt.setUser_id(Integer.valueOf(userId)); rt.setAccess_token(accessToken); rt.setCreate_time(getDate()); rt.setAuthorization_time(getDate()); rt.setExpire("3600"); rt.setScope(scope); rt.setAuthorization_time(getDate()); refreshTokenDao.insert(rt); } } // 客户端跳转URI String redirectURI = oauthRequest .getParam(OAuth.OAUTH_REDIRECT_URI); final OAuthResponse response = builder.location(redirectURI).setParam("scope", scope) .buildQueryMessage(); String test = response.getLocationUri(); URI url = new URI(response.getLocationUri()); return Response.status(response.getResponseStatus()).location(url) .build(); } catch (OAuthProblemException e) { return Response.temporaryRedirect(new URI(errorPage+"?error="+ServerErrorType.BAD_RQUEST)).build(); } } private String getDate() { SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); return sdf.format(System.currentTimeMillis()); } } |
上面的代码是授权码认证的第一步,当用户同意授权之后向服务器请求授权码。你可以使用一下腾讯的授权功能来加深一下体会,因为我所开发的模块也是参考腾讯的授权认证流程来实现的,客户端通过提交请求,访问类似http://192.168.19.75:10087/oauth/authz?client_id=s6BhdRkqt3&client_secret=12345&redirect_uri=http://localhost:8080/redirect.jsp&state=y&response_type=authorization_code的链接来访问上面的程序,参数的含义如下
client_id :客户端id
client_secret:客户端密钥
redirect_uri:回调地址,第三方应用定义的地址
State:状态,服务器将返回一个一模一样的参数。
response_type:授权方式,这里必须是authorization_code,表示授权码 方式。
这个过程结束时,服务器会跳转至第三方应用定义的回调地址并附上授权码,而第三方通过这个回调地址获得授权码并进行相应的处理,而这个过程在oltu的实现中其实就是几行简单的代码:
// 创建response wrapper OAuthAuthzResponse oar = null; oar = OAuthAuthzResponse.oauthCodeAuthzResponse(request); // 获得授权码 String code = oar.getCode(); |
上面的代码就是oltu客户端接收服务器发回的授权码的代码,其中request是一个HttpServletRequest对象,获得了授权码之后,按照下一步的流程,自然就是向授权服务器请求令牌并附上上一步获得的授权码。服务器获得授权码并进行相应处理的代码如下:
TokenEndpoint.java
/** * Copyright 2010 Newcastle University * * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.oltu.oauth2.integration.endpoints; import java.net.URI; import java.net.URISyntaxException; import java.text.SimpleDateFormat; import java.util.HashMap; import java.util.Map; import java.util.Properties; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.Consumes; import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.Produces; import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; import org.apache.ibatis.session.SqlSession; import org.apache.oltu.oauth2.as.issuer.MD5Generator; import org.apache.oltu.oauth2.as.issuer.OAuthIssuer; import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl; import org.apache.oltu.oauth2.as.request.OAuthTokenRequest; import org.apache.oltu.oauth2.as.response.OAuthASResponse; import org.apache.oltu.oauth2.common.OAuth; import org.apache.oltu.oauth2.common.error.OAuthError; import org.apache.oltu.oauth2.common.error.ServerErrorType; import org.apache.oltu.oauth2.common.exception.OAuthProblemException; import org.apache.oltu.oauth2.common.exception.OAuthSystemException; import org.apache.oltu.oauth2.common.message.OAuthResponse; import org.apache.oltu.oauth2.common.message.types.GrantType; import org.apache.oltu.oauth2.integration.utils.CacheManager; import com.cz.bean.App; import com.cz.bean.Authority; import com.cz.bean.RefreshToken; import com.cz.bean.User; import com.cz.dao.AppMapper; import com.cz.dao.AuthorityMapper; import com.cz.dao.RefreshTokenMapper; import com.cz.dao.UserMapper; import com.cz.util.DbUtil; /** * * get access token * */ @Path("/token") public class TokenEndpoint { SqlSession sqlSession = DbUtil.getSessionFactory().openSession(true); AppMapper appDao = sqlSession.getMapper(AppMapper.class); RefreshTokenMapper refreshTokenDao = sqlSession .getMapper(RefreshTokenMapper.class); UserMapper dao = sqlSession.getMapper(UserMapper.class); AuthorityMapper authorityDao = sqlSession.getMapper(AuthorityMapper.class); // 登录页面 private static String loginPage; // 错误页面 private static String errorPage; static { Properties p = new Properties(); try { p.load(AuthzEndpoint.class.getClassLoader().getResourceAsStream( "config.properties")); loginPage = p.getProperty("loginPage"); errorPage = p.getProperty("errorPage"); } catch (Exception e) { e.printStackTrace(); } } public static final String INVALID_CLIENT_DESCRIPTION = "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."; @SuppressWarnings({ "unchecked", "rawtypes" }) @POST @Consumes("application/x-www-form-urlencoded") @Produces("application/json") public Response authorize(@Context HttpServletRequest request) throws OAuthSystemException, URISyntaxException { OAuthTokenRequest oauthRequest = null; String scope = ""; OAuthIssuer oauthIssuerImpl = new OAuthIssuerImpl(new MD5Generator()); try { oauthRequest = new OAuthTokenRequest(request); /* * 当前登录的用户,模拟一个从session中获取的登录用户 * 该方法未实现,待模块与养老平台整合时,应调用养老平台方法判断用户是否已登录 */ String userId = "1"; if ("".equals(userId) || userId == null) { // 用户没有登录的话就跳转到登录页面 return Response.temporaryRedirect(new URI(loginPage)).build(); } App app = null; if (oauthRequest.getClientId() != null && !"".equals(oauthRequest.getClientId())) { app = appDao.selectByPrimaryKey(oauthRequest.getClientId()); } else { return Response.temporaryRedirect(new URI(errorPage + "?error=" + ServerErrorType.CLIENT_ID_IS_NULL)).build(); } // 校验clientid if (app == null || !app.getApp_key().toString().equals(oauthRequest.getClientId())) { if(oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.AUTHORIZATION_CODE.toString())){ return Response.temporaryRedirect(new URI(errorPage + "?error=" + ServerErrorType.UNKOWN_CLIENT_ID)).build(); }else{ OAuthResponse response = OAuthASResponse.errorResponse(HttpServletResponse.SC_OK) .setError(OAuthError.TokenResponse.INVALID_CLIENT).setErrorDescription(INVALID_CLIENT_DESCRIPTION) .buildJSONMessage(); return Response.status(response.getResponseStatus()).entity(response.getBody()).build(); } } // 校验client_secret if (!app.getSecret_key().equals(oauthRequest.getClientSecret())) { if(oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.AUTHORIZATION_CODE.toString())){ return Response.temporaryRedirect(new URI(errorPage + "?error=" + ServerErrorType.UNKOWN_CLIENT_SECRET)).build(); }else{ OAuthResponse response = OAuthASResponse.errorResponse(HttpServletResponse.SC_OK) .setError(OAuthError.TokenResponse.INVALID_CLIENT).setErrorDescription(INVALID_CLIENT_DESCRIPTION) .buildJSONMessage(); return Response.status(response.getResponseStatus()).entity(response.getBody()).build(); } } // 校验不同类型的授权方式 if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.AUTHORIZATION_CODE.toString())) { String cacheCode = null; if (CacheManager.getCacheInfo(userId + "_code").getValue() != null) { cacheCode = CacheManager.getCacheInfo(userId + "_code") .getValue().toString(); } else { // 用户没有登录的话就跳转到登录页面 return Response.temporaryRedirect(new URI(loginPage)).build(); } if (!cacheCode.equals(oauthRequest.getParam(OAuth.OAUTH_CODE))) { return Response.temporaryRedirect(new URI(errorPage+ "?error=" + ServerErrorType.INVALID_AUTHORIZATION_CODE)).build(); } if(CacheManager.getCacheInfo(userId+"_scope").getValue()!=null){ scope = CacheManager.getCacheInfo(userId+"_scope").getValue().toString(); } } else if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.PASSWORD.toString())) { User user = dao.getById(userId); if (!user.getPassword().equals(oauthRequest.getPassword())|| !user.getName().equals(oauthRequest.getUsername())) { OAuthResponse response = OAuthASResponse .errorResponse(HttpServletResponse.SC_OK) .setError(OAuthError.TokenResponse.INVALID_CLIENT) .setErrorDescription("Invalid username or password.") .buildJSONMessage(); return Response.status(response.getResponseStatus()).entity(response.getBody()).build(); } } else if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals( GrantType.CLIENT_CREDENTIALS.toString())) { // 客户端id以及secret已验证,更多验证规则在这里添加,没有其他验证则程序直接发放令牌 // OAuthResponse response = OAuthASResponse // .errorResponse(HttpServletResponse.SC_OK) // .setError(OAuthError.TokenResponse.INVALID_GRANT) // .setErrorDescription("invalid client") // .buildJSONMessage(); // return Response.status(response.getResponseStatus()).entity(response.getBody()).build(); }else if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals( GrantType.REFRESH_TOKEN.toString())) { // 刷新令牌未实现 } String accessToken = oauthIssuerImpl.accessToken(); String refreshToken = oauthIssuerImpl.refreshToken(); // 构建响应 OAuthResponse response = OAuthASResponse .tokenResponse(HttpServletResponse.SC_OK) .setAccessToken(accessToken).setRefreshToken(refreshToken) .setExpiresIn("3600") .buildJSONMessage(); // 判断是否已经授权----待调整是放在authz部分还是token部分 Map aQueryParam = new HashMap(); aQueryParam.put("appKey", oauthRequest.getClientId()); aQueryParam.put("userId", Integer.valueOf(userId)); if (authorityDao.findUnique(aQueryParam) == null) { Authority authority = new Authority(); authority.setApp_key(oauthRequest.getClientId()); authority.setUser_id(Integer.valueOf(userId)); authorityDao.insert(authority); } // String scope = ""; // if(CacheManager.getCacheInfo(userId+"_scope").getValue()!=null){ // scope = CacheManager.getCacheInfo(userId+"_scope").getValue().toString(); // } // 存储token,已授权则更新令牌,未授权则新增令牌 Map rQueryParam = new HashMap(); rQueryParam.put("appKey", oauthRequest.getClientId()); rQueryParam.put("userId", Integer.valueOf(userId)); if (refreshTokenDao.findUnique(rQueryParam) != null) { Map map = new HashMap(); map.put("accessToken", accessToken); map.put("appKey", oauthRequest.getClientId()); map.put("userId", Integer.valueOf(userId)); map.put("createTime", getDate()); map.put("scope", scope); map.put("authorizationTime", getDate()); refreshTokenDao.updateAccessToken(map); } else { RefreshToken rt = new RefreshToken(); rt.setApp_key(oauthRequest.getClientId()); rt.setUser_id(Integer.valueOf(userId)); rt.setAccess_token(accessToken); rt.setRefresh_token(refreshToken); rt.setCreate_time(getDate()); rt.setAuthorization_time(getDate()); rt.setExpire("3600"); rt.setScope(scope); rt.setAuthorization_time(getDate()); refreshTokenDao.insert(rt); } return Response.status(response.getResponseStatus()) .entity(response.getBody()).build(); } catch (OAuthProblemException e) { System.out.println(e.getDescription()); return Response.temporaryRedirect(new URI(errorPage + "?error="+ ServerErrorType.BAD_RQUEST)).build(); } } private String getDate() { SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); return sdf.format(System.currentTimeMillis()); } } |
上面的代码,处理了客户端发来的申请令牌请求,并向客户端发放访问令牌,而oltu的客户端则通过如下代码来完成这个请求令牌和解析令牌的过程:
OAuthClient client = new OAuthClient(new URLConnectionClient()); OAuthAccessTokenResponse oauthResponse = null; oauthResponse = client.accessToken(request, OAuth.HttpMethod.POST); String token = oauthResponse.getRefreshToken(); |
如果你是第一次开发,oauth2.0的认证过程可能会让你觉得头疼,因为你首先需要对这个流程很熟悉,并且同时要看懂了oltu的代码才好理解这个开源的项目到底是怎么实现这个过程的,因此这里我不过多的粘贴代码,因为这并没有什么卵用,还是运行项目和追踪代码比较容易理解它的原理,下面是我实现的项目代码,代码写得比较简陋,不过对于跟我一样的菜鸟,还是能起到一定的帮助的~
服务端:https://git.oschina.net/honganlei/oauth-server.git
服务端授权登录页面:https://git.oschina.net/honganlei/OauthClient.git
第三方接入授权模块的例子:https://git.oschina.net/honganlei/OauthApp.git