利用Spring Boot实现微服务的API网关统一认证与授权

大家好,我是微赚淘客返利系统3.0的小编,是个冬天不穿秋裤,天冷也要风度的程序猿!

微服务架构中的安全需求

在微服务架构中,服务被拆分成多个独立的、可独立部署的单元。这种架构虽然带来了灵活性,但也增加了安全性的挑战。API网关作为所有服务的统一入口,承担着认证与授权的重要职责。

API网关的角色

API网关不仅仅是请求的路由,它还负责处理认证、授权、限流、监控等任务。在微服务架构中,API网关是实现统一认证与授权的关键组件。

使用Spring Security实现认证

Spring Security是一个功能强大且高度可定制的Java安全框架,它可以与Spring Boot和Spring Cloud Gateway集成,提供认证与授权功能。

1. 添加Spring Security依赖

在项目的pom.xml文件中添加Spring Security的依赖:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. 配置WebSecurityConfigurerAdapter

创建一个配置类,继承WebSecurityConfigurerAdapter并重写相应的方法:

package cn.juwatech.security;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .httpBasic();
    }
}
3. 配置用户详情服务

实现UserDetailsService接口来定义用户认证逻辑:

package cn.juwatech.security;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Override
    public User loadUserByUsername(String username) throws UsernameNotFoundException {
        // 假设用户存储在内存中
        if ("admin".equals(username)) {
            return User.withUsername(username)
                    .password("{noop}password") // 明文密码,实际应用中应使用加密
                    .roles("USER").build();
        }
        throw new UsernameNotFoundException("User not found");
    }
}
4. 配置密码编码器

配置密码编码器以确保密码的安全性:

package cn.juwatech.security;

import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class PasswordConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

使用OAuth2实现授权

OAuth2是一个行业标准的协议,用于授权。Spring Security OAuth2提供了一套实现OAuth2的框架。

1. 添加Spring Security OAuth2依赖

pom.xml中添加Spring Security OAuth2的依赖:

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
2. 配置资源服务器

在API网关上配置资源服务器,使用ResourceServerConfigurerAdapter

package cn.juwatech.security;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
3. 配置授权服务器

在授权服务上配置授权服务器,使用AuthorizationServerConfigurerAdapter

package cn.juwatech.security;

import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .userDetailsService(userService) // 指定用户详情服务
            .passwordEncoder(passwordEncoder()); // 指定密码编码器
    }
}

结合Spring Cloud Gateway使用

Spring Cloud Gateway可以与Spring Security集成,实现基于网关的认证与授权。

1. 添加Spring Cloud Gateway依赖

pom.xml中添加Spring Cloud Gateway的依赖:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
2. 配置路由规则

在Spring Cloud Gateway中配置路由规则,结合Spring Security实现认证与授权:

package cn.juwatech.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpStrategies;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Configuration;

@Configuration
public class GatewayConfig {

    @Bean
    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
        return builder.routes()
                .route("user_route", r -> r.path("/user/**")
                        .uri("http://user-service")
                        .filters(f -> f.authorizeRequests(a -> a.anyRequest().hasRole("USER")))
                        .order(-1))
                .build();
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .headers().contentSecurityPolicy("default-src 'self'")
                .frameOptions(XFrameOptionsServerHttpStrategies.SAMEORIGIN)
                .build();
    }
}

结论

通过Spring Boot和Spring Security的结合,我们可以在微服务架构中实现API网关的统一认证与授权。这不仅提高了系统的安全性,还通过集中管理认证与授权策略简化了开发和维护工作。