oauth2

SLN/%PUBPRJ%-dependencies/pom.xml.ftl

@@ -24,6 +24,19 @@ TARGET=PSSYSTEM
         </#list>
     </#if>
 </#list>
+<#assign oauth2Enable=false>
+<#comment>服务接口微服务平台配置</#comment>
+<#if sys.getAllPSDevSlnMSDepAPIs()??>
+    <#list sys.getAllPSDevSlnMSDepAPIs() as depSysApi>
+        <#if depSysApi.getPSDCMSPlatform()?? >
+            <#assign sysApiPlatform=depSysApi.getPSDCMSPlatform()>
+            <#if sysApiPlatform.getUserParam("ibiz.oauth2.enable","")?? && sysApiPlatform.getUserParam("ibiz.oauth2.enable","")!="">
+                <#assign oauth2Enable=true>
+                <#break >
+            </#if>
+        </#if>
+    </#list>
+</#if>
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -458,6 +471,19 @@ TARGET=PSSYSTEM
             <version>${r'${rocketmq.version}'}</version>
         </dependency>
         </#if>
+        <#if oauth2Enable>
+        <dependency>
+            <groupId>org.springframework.security.oauth</groupId>
+            <artifactId>spring-security-oauth2</artifactId>
+            <version>2.3.6.RELEASE</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-jwt</artifactId>
+            <version>1.0.10.RELEASE</version>
+        </dependency>
+        </#if>
 
         <#comment>引用组件包</#comment>
         <#if pub.getPSSysSFPubPkgs?? && pub.getPSSysSFPubPkgs()??>

SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/OAuth2ResourceServer.java.ftl

+<#ibiztemplate>
+TARGET=PSSYSTEM
+</#ibiztemplate>
+<#assign oauth2Enable=false>
+<#if sysrun?? && sysrun.getPSDevSlnMSDepAPI()?? >
+    <#assign depSysApi=sysrun.getPSDevSlnMSDepAPI()>
+    <#if depSysApi.getPSDCMSPlatformNode()??>
+        <#assign depSysApiPlatformNode=depSysApi.getPSDCMSPlatformNode()>
+        <#assign depSysApiPlatform=depSysApi.getPSDCMSPlatform()>
+        <#if depSysApiPlatform.getUserParam("ibiz.oauth2.enable","")?? && depSysApiPlatform.getUserParam("ibiz.oauth2.enable","")!="">
+            <#assign oauth2Enable=true>
+        </#if>
+    </#if>
+</#if>
+<#if oauth2Enable>
+package ${pub.getPKGCodeName()}.core.util;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
+import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
+import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
+import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Enumeration;
+
+/**
+ * oauth资源服务器配置
+ */
+@Configuration
+@EnableResourceServer
+@Slf4j
+public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
+
+    @Value("${r'${ibiz.jwt.oauth2.header:oauth2authorization}'}")
+    private String authorization;
+
+    @Value("${r'${ibiz.jwt.oauth2.signkey:oauth2}'}")
+    private  String SignKey;
+
+    /**
+     * token存储、解析，校验
+     * @param resources
+     */
+    @Override
+    public void configure(ResourceServerSecurityConfigurer resources) {
+        resources.tokenExtractor(new OAuth2TokenExtractor());
+        resources.tokenStore(getTokenStore()).stateless(true);
+    }
+
+    /**
+     * 校验策略，只校验oauth2颁发的token（特定请求头）
+     * @param http
+     * @throws Exception
+     */
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        http.requestMatcher(new OAuth2RequestMatcher());
+        http.authorizeRequests().anyRequest().authenticated();
+    }
+
+    /**
+     * token存储器
+     * @return
+     */
+    @Bean
+    public TokenStore getTokenStore() {
+        return new JwtTokenStore(accessTokenConverter());
+    }
+
+    /**
+     * jwt密签
+     * @return
+     */
+    @Bean
+    public JwtAccessTokenConverter accessTokenConverter() {
+        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
+        converter.setSigningKey(SignKey);
+        return converter;
+    }
+
+    /**
+     * 匹配特定oauth2请求头token，其余请求交由spring security处理
+     */
+    public class OAuth2RequestMatcher implements RequestMatcher {
+        @Override
+        public boolean matches(HttpServletRequest request) {
+            String header = request.getHeader(authorization);
+            if (!StringUtils.isEmpty(header)) {
+                return true;
+            } else {
+                return false;
+            }
+        }
+    }
+
+    /**
+     * token请求头处理
+     */
+    public class OAuth2TokenExtractor implements TokenExtractor {
+
+        @Override
+        public Authentication extract(HttpServletRequest request) {
+            String tokenValue = this.extractToken(request);
+            if (tokenValue != null) {
+                PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(tokenValue, "");
+                return authentication;
+            } else {
+                return null;
+            }
+        }
+
+        protected String extractToken(HttpServletRequest request) {
+            String token = this.extractHeaderToken(request);
+            if (token == null) {
+                log.debug("Token not found in headers. Trying request parameters.");
+                token = request.getParameter("access_token");
+                if (token == null) {
+                    log.debug("Token not found in request parameters.  Not an OAuth2 request.");
+                } else {
+                    request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, "Bearer");
+                }
+            }
+
+            return token;
+        }
+
+        protected String extractHeaderToken(HttpServletRequest request) {
+            Enumeration headers = request.getHeaders(authorization);
+
+            String value;
+            do {
+                if (!headers.hasMoreElements()) {
+                    return null;
+                }
+
+                value = (String) headers.nextElement();
+            } while (!value.toLowerCase().startsWith("Bearer".toLowerCase()));
+
+            String authHeaderValue = value.substring("Bearer".length()).trim();
+            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, value.substring(0, "Bearer".length()).trim());
+            int commaIndex = authHeaderValue.indexOf(44);
+            if (commaIndex > 0) {
+                authHeaderValue = authHeaderValue.substring(0, commaIndex);
+            }
+
+            return authHeaderValue;
+        }
+
+    }
+
+}
+</#if>
\ No newline at end of file