spring security与gateway结合进行网关鉴权和授权
在Spring Cloud Gateway中集成Spring Security 6以实现鉴权和认证工作,可以在网关代理层完成权限校验和认证。这种架构通常被称为“边缘安全”或“API网关安全”,它允许你在请求到达后端服务之前进行集中式的安全控制。
以下是如何配置Spring Cloud Gateway与Spring Security 6来实现这一目标的详细步骤:
1. 添加依赖
首先,确保你的项目中包含必要的依赖。你需要Spring Security、Spring Cloud Gateway以及JWT相关的依赖。
<dependencies><!-- Spring Boot Starter Security --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><!-- Spring Cloud Gateway --><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-gateway</artifactId></dependency><!-- JWT Support --><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>0.11.5</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>0.11.5</version><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>0.11.5</version><scope>runtime</scope></dependency><!-- Spring Cloud Dependencies Management --><dependencyManagement><dependencies><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>2022.0.0</version><type>pom</type><scope>import</scope></dependency></dependencies></dependencyManagement>
</dependencies>
2. 配置SecurityFilterChain
在Spring Security配置类中设置SecurityFilterChain,以支持基于Token的认证机制,并应用到Gateway路由上。
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import reactor.core.publisher.Mono;@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {@Beanpublic SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, JwtAuthenticationManager jwtAuthenticationManager) {http.csrf().disable() // 禁用CSRF保护.authorizeExchange(exchanges -> exchanges.pathMatchers("/login").permitAll() // 公开路径,例如登录.anyExchange().authenticated() // 其他所有请求都需要认证).addFilterAt(jwtAuthenticationFilter(jwtAuthenticationManager), AuthenticationWebFilter.class);return http.build();}@Beanpublic MapReactiveUserDetailsService userDetailsService() {UserDetails userDetails = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();return new MapReactiveUserDetailsService(userDetails);}private AuthenticationWebFilter jwtAuthenticationFilter(JwtAuthenticationManager jwtAuthenticationManager) {AuthenticationWebFilter filter = new AuthenticationWebFilter(jwtAuthenticationManager);filter.setServerAuthenticationConverter(new BearerTokenServerAuthenticationConverter());return filter;}
}
3. 实现JWT工具类
创建一个工具类来生成和解析JWT令牌。
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;@Component
public class JwtUtil {private String secret = "yourSecretKey"; // 应该存储在一个安全的地方,并且不要硬编码public Mono<String> extractUsername(String token) {return Mono.just(extractClaim(token, Claims::getSubject));}public Date extractExpiration(String token) {return extractClaim(token, Claims::getExpiration);}public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {final Claims claims = extractAllClaims(token);return claimsResolver.apply(claims);}private Claims extractAllClaims(String token) {return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();}private Boolean isTokenExpired(String token) {return extractExpiration(token).before(new Date());}public Mono<String> generateToken(UserDetails userDetails) {Map<String, Object> claims = new HashMap<>();return Mono.just(createToken(claims, userDetails.getUsername()));}private String createToken(Map<String, Object> claims, String subject) {return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis())).setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10小时过期.signWith(SignatureAlgorithm.HS256, secret).compact();}public Mono<Boolean> validateToken(String token, UserDetails userDetails) {final String username = extractUsername(token).block();return Mono.just(username.equals(userDetails.getUsername()) && !isTokenExpired(token));}
}
4. 实现JWT认证管理器
创建一个自定义的认证管理器来处理JWT验证逻辑。
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;@Component
public class JwtAuthenticationManager implements ReactiveAuthenticationManager {private final JwtUtil jwtUtil;private final UserDetailsService userDetailsService;public JwtAuthenticationManager(JwtUtil jwtUtil, UserDetailsService userDetailsService) {this.jwtUtil = jwtUtil;this.userDetailsService = userDetailsService;}@Overridepublic Mono<Authentication> authenticate(Authentication authentication) {String token = (String) authentication.getCredentials();return jwtUtil.extractUsername(token).flatMap(username -> {if (jwtUtil.validateToken(token, userDetailsService.loadUserByUsername(username)).block()) {UserDetails userDetails = userDetailsService.loadUserByUsername(username);return Mono.just(new UsernamePasswordAuthenticationToken(userDetails, token, userDetails.getAuthorities()));} else {return Mono.empty();}});}
}
5. 实现Bearer Token转换器
创建一个转换器来从请求头中提取Bearer Token。
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;public class BearerTokenServerAuthenticationConverter implements ServerAuthenticationConverter {@Overridepublic Mono<org.springframework.security.oauth2.server.resource.authentication.ServerAuthenticationToken> convert(ServerWebExchange exchange) {String authHeader = exchange.getRequest().getHeaders().getFirst("Authorization");if (authHeader != null && authHeader.startsWith("Bearer ")) {String token = authHeader.substring(7);return Mono.just(new org.springframework.security.oauth2.server.resource.authentication.ServerAuthenticationToken(token, token));}return Mono.empty();}
}
6. 配置Gateway路由
最后,在你的网关配置文件中定义路由。
spring:cloud:gateway:routes:- id: service_routeuri: lb://your-backend-servicepredicates:- Path=/api/**filters:- RewritePath=/api/(?<segment>.*), /$\{segment}
总结
通过上述步骤,你可以在Spring Cloud Gateway中集成Spring Security 6,从而实现在网关代理层进行鉴权和认证的功能。主要步骤包括:
- 添加依赖:引入必要的依赖。
- 配置SecurityFilterChain:禁用CSRF保护并设置为无状态会话。
- 实现JWT工具类:用于生成和解析JWT令牌。
- 实现JWT认证管理器:处理JWT验证逻辑。
- 实现Bearer Token转换器:从请求头中提取Bearer Token。
- 配置Gateway路由:定义路由规则。
这样,你的应用程序就可以使用JWT在网关层进行安全认证和授权了。