✨ Add spring-boot-demo-oauth-resource-server.

spring-boot-demo-oauth/pom.xml

@@ -7,6 +7,7 @@
   <version>1.0.0-SNAPSHOT</version>
   <modules>
     <module>spring-boot-demo-oauth-authorization-server</module>
+    <module>spring-boot-demo-oauth-resource-server</module>
   </modules>
   <packaging>pom</packaging>
 
@@ -26,31 +27,6 @@
   </properties>
 
   <dependencies>
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-web</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-security</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-thymeleaf</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-data-jpa</artifactId>
-    </dependency>
-
-    <dependency>
-      <groupId>org.springframework.security.oauth.boot</groupId>
-      <artifactId>spring-security-oauth2-autoconfigure</artifactId>
-      <version>${spring.boot.version}</version>
-    </dependency>
 
     <dependency>
       <groupId>mysql</groupId>

spring-boot-demo-oauth/spring-boot-demo-oauth-authorization-server/pom.xml

@@ -11,5 +11,34 @@
 
   <artifactId>spring-boot-demo-oauth-authorization-server</artifactId>
 
+  <dependencies>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.security.oauth.boot</groupId>
+      <artifactId>spring-security-oauth2-autoconfigure</artifactId>
+      <version>${spring.boot.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-thymeleaf</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-data-jpa</artifactId>
+    </dependency>
+
+  </dependencies>
 
 </project>

spring-boot-demo-oauth/spring-boot-demo-oauth-authorization-server/src/main/resources/application.yml

@@ -3,7 +3,7 @@ server:
 
 spring:
   datasource:
-    url: jdbc:mysql://localhost:3306/oauth
+    url: jdbc:mysql://localhost:3306/oauth?allowPublicKeyRetrieval=true
     username: root
     password: 123456
     hikari:

spring-boot-demo-oauth/spring-boot-demo-oauth-authorization-server/src/main/resources/templates/login.html

@@ -43,7 +43,7 @@
                 <v-btn outlined color="info" @click="previous">{{previousText}}</v-btn>
                 <v-spacer></v-spacer>
                 <v-btn color="info" type="button" @click="next" v-show="window === 0">下一步</v-btn>
-                <v-btn color="info" type="submit" v-show="window === 1">登录</v-btn>
+                <v-btn color="info" type="submit" @click="next" v-show="window === 1">登录</v-btn>
               </v-card-actions>
           </v-form>
         </v-card>

spring-boot-demo-oauth/spring-boot-demo-oauth-resource-server/README.adoc

@@ -0,0 +1,59 @@
+= spring-boot-demo-oauth-resource-server
+Doc Writer <lzy@echocow.cn>
+v1.0, 2019-01-09
+:toc:
+
+spring boot oauth2 资源服务器，同 授权服务器 一起使用。
+
+> 使用 `spring security oauth`
+
+- JWT 解密，远程公钥获取
+- 基于角色访问控制
+- 基于应用授权域访问控制
+
+== jwt 解密
+
+要先获取 jwt 公钥
+
+[source,java]
+.OauthResourceTokenConfig
+----
+public class OauthResourceTokenConfig {
+    // ......
+    private String getPubKey() {
+        // 如果本地没有密钥，就从授权服务器中获取
+        return StringUtils.isEmpty(resourceServerProperties.getJwt().getKeyValue())
+            ? getKeyFromAuthorizationServer()
+            : resourceServerProperties.getJwt().getKeyValue();
+    }
+    // ......
+}
+----
+
+然后配置进去
+
+[source, java]
+.OauthResourceServerConfig
+----
+public class OauthResourceServerConfig extends ResourceServerConfigurerAdapter {
+    @Override
+    public void configure(ResourceServerSecurityConfigurer resources) {
+        resources
+            .tokenStore(tokenStore)
+            .resourceId(resourceServerProperties.getResourceId());
+    }
+}
+----
+
+== 访问控制
+
+通过 `@EnableGlobalMethodSecurity(prePostEnabled = true)` 注解开启 `spring security` 的全局方法安全控制
+
+- `@PreAuthorize("hasRole('ADMIN')")` 校验角色
+- `@PreAuthorize("#oauth2.hasScope('READ')")` 校验令牌授权域
+
+== 测试
+
+测试用例： `com.xkcoding.oauth.controller.TestControllerTest`
+
+先获取 `token`，携带 `token` 去访问资源即可。

spring-boot-demo-oauth/spring-boot-demo-oauth-resource-server/pom.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>spring-boot-demo-oauth</artifactId>
+    <groupId>com.xkcoding</groupId>
+    <version>1.0.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>spring-boot-demo-oauth-resource-server</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.security.oauth.boot</groupId>
+      <artifactId>spring-security-oauth2-autoconfigure</artifactId>
+      <version>${spring.boot.version}</version>
+    </dependency>
+  </dependencies>
+</project>

spring-boot-demo-oauth/spring-boot-demo-oauth-resource-server/src/main/java/com/xkcoding/oauth/SpringBootDemoResourceApplication.java

@@ -0,0 +1,21 @@
+package com.xkcoding.oauth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+
+/**
+ * 启动器.
+ *
+ * @author <a href="https://echocow.cn">EchoCow</a>
+ * @date 2020/1/9 上午11:38
+ * @version V1.0
+ */
+@EnableResourceServer
+@SpringBootApplication
+public class SpringBootDemoResourceApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(SpringBootDemoResourceApplication.class, args);
+    }
+
+}

spring-boot-demo-oauth/spring-boot-demo-oauth-resource-server/src/main/java/com/xkcoding/oauth/config/OauthResourceServerConfig.java

@@ -0,0 +1,43 @@
+package com.xkcoding.oauth.config;
+
+import lombok.AllArgsConstructor;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+
+/**
+ * 资源服务器配置.
+ * 我们自己实现了它的配置，所以它的自动装配不会生效
+ *
+ * @author <a href="https://echocow.cn">EchoCow</a>
+ * @date 2020/1/9 下午2:20
+ */
+@Configuration
+@AllArgsConstructor
+@EnableResourceServer
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class OauthResourceServerConfig extends ResourceServerConfigurerAdapter {
+
+    private final ResourceServerProperties resourceServerProperties;
+    private final TokenStore tokenStore;
+
+    @Override
+    public void configure(ResourceServerSecurityConfigurer resources) {
+        resources
+            .tokenStore(tokenStore)
+            .resourceId(resourceServerProperties.getResourceId());
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        // 前后端分离下，可以关闭 csrf
+        http.csrf().disable();
+    }
+
+}

spring-boot-demo-oauth/spring-boot-demo-oauth-resource-server/src/main/java/com/xkcoding/oauth/config/OauthResourceTokenConfig.java

@@ -0,0 +1,102 @@
+package com.xkcoding.oauth.config;
+
+import cn.hutool.json.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
+import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
+import org.springframework.util.StringUtils;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.util.Base64;
+
+/**
+ * token 相关配置，jwt 相关.
+ *
+ * @author <a href="https://echocow.cn">EchoCow</a>
+ * @date 2020/1/9 下午2:39
+ */
+@Slf4j
+@Configuration
+@AllArgsConstructor
+public class OauthResourceTokenConfig {
+
+    private final ResourceServerProperties resourceServerProperties;
+
+    /**
+     * 这里并不是对令牌的存储,他将访问令牌与身份验证进行转换
+     * 在需要 {@link TokenStore} 的任何地方可以使用此方法
+     *
+     * @return TokenStore
+     */
+    @Bean
+    public TokenStore tokenStore() {
+        return new JwtTokenStore(jwtAccessTokenConverter());
+    }
+
+    /**
+     * jwt 令牌转换
+     *
+     * @return jwt
+     */
+    @Bean
+    public JwtAccessTokenConverter jwtAccessTokenConverter() {
+        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
+        converter.setVerifierKey(getPubKey());
+        return converter;
+    }
+
+    /**
+     * 非对称密钥加密，获取 public key。
+     * 自动选择加载方式。
+     *
+     * @return public key
+     */
+    private String getPubKey() {
+        // 如果本地没有密钥，就从授权服务器中获取
+        return StringUtils.isEmpty(resourceServerProperties.getJwt().getKeyValue())
+            ? getKeyFromAuthorizationServer()
+            : resourceServerProperties.getJwt().getKeyValue();
+    }
+
+    /**
+     * 本地没有公钥的时候，从服务器上获取
+     * 需要进行 Basic 认证
+     *
+     * @return public key
+     */
+    private String getKeyFromAuthorizationServer() {
+        ObjectMapper objectMapper = new ObjectMapper();
+        HttpHeaders httpHeaders = new HttpHeaders();
+        httpHeaders.add(HttpHeaders.AUTHORIZATION, encodeClient());
+        HttpEntity<String> requestEntity = new HttpEntity<>(null, httpHeaders);
+        String pubKey = new RestTemplate()
+            .getForObject(resourceServerProperties.getJwt().getKeyUri(), String.class, requestEntity);
+        try {
+            JSONObject body = objectMapper.readValue(pubKey, JSONObject.class);
+            log.info("Get Key From Authorization Server.");
+            return body.getStr("value");
+        } catch (IOException e) {
+            log.error("Get public key error: {}", e.getMessage());
+        }
+        return null;
+    }
+
+    /**
+     * 客户端信息
+     *
+     * @return basic
+     */
+    private String encodeClient() {
+        return "Basic " + Base64.getEncoder().encodeToString((resourceServerProperties.getClientId()
+            + ":" + resourceServerProperties.getClientSecret()).getBytes());
+    }
+}