Spring Boot與Spring Security的OAuth2客戶端憑證流

Spring Boot和Spring Security集成OAuth2客戶端憑證流可以幫助您輕松地在應(yīng)用程序中實現(xiàn)安全的API訪問。以下是配置Spring Boot應(yīng)用程序以使用OAuth2客戶端憑證流的步驟：

1. 添加依賴項

在您的pom.xml文件中添加以下依賴項：

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

2. 配置OAuth2客戶端

在application.yml或application.properties文件中配置OAuth2客戶端的詳細信息，例如客戶端ID、客戶端密鑰和授權(quán)服務(wù)器URL：

spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            client-id: your-client-id
            client-secret: your-client-secret
            authorization-grant-type: client_credentials
            scope: read,write
        provider:
          my-provider:
            issuer-uri: https://your-auth-server.com/auth

3. 配置Spring Security

創(chuàng)建一個配置類來設(shè)置Spring Security以使用OAuth2客戶端憑證流。在這個類中，您需要配置WebSecurityConfigurerAdapter的子類，并覆蓋configure(HttpSecurity http)方法：

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, ClientRegistrationRepository clientRegistrations,
                                                  OAuth2AuthorizedClientRepository authorizedClients) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/api/**").authenticated()
            )
            .oauth2Login(oauth2Login ->
                oauth2Login
                    .clientRegistrationRepository(clientRegistrations)
                    .authorizedClientRepository(authorizedClients)
            );
        return http.build();
    }
}

4. 使用OAuth2客戶端憑證流

現(xiàn)在您可以在應(yīng)用程序中使用OAuth2客戶端憑證流訪問受保護的資源。例如，您可以使用RestTemplate或WebClient發(fā)起請求：

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;

@Service
public class ApiClientService {

    @Autowired
    private WebClient.Builder webClientBuilder;

    public String callApi() {
        WebClient webClient = webClientBuilder
                .clientRegistrationRepository(clientRegistrations)
                .authorizedClientRepository(authorizedClients)
                .build();

        return webClient.get()
                .uri("https://your-api-server.com/api/data")
                .attributes(clientRegistrationId("my-client"))
                .retrieve()
                .bodyToMono(String.class)
                .block();
    }
}

在這個例子中，我們首先創(chuàng)建了一個WebClient實例，并使用clientRegistrationRepository和authorizedClientRepository配置了OAuth2客戶端憑證流。然后，我們使用WebClient發(fā)起一個請求到受保護的API資源，并通過attributes方法傳遞了客戶端注冊ID。最后，我們使用retrieve()方法獲取響應(yīng)并將其轉(zhuǎn)換為字符串。