24、OAuth2FeignRequestInterceptor、BasicAuthRequestInterceptor拦截器解析

BasicAuthRequestInterceptor

BasicAuthRequestInterceptor翻译过来就是 Basic 认证请求拦截器。

Basic 认证

Basic认证是一种较为简单的HTTP认证方式,客户端通过明文(Base64编码格式)传输用户名和密码到服务端进行认证,通常需要配合HTTPS来保证信息传输的安全。

比如Security 就支持这种方式,在发送认证请求时,按照以下格式:

// 请求头Authorization 添加Basic 认证信息
Authorization: Basic 用户名:密码Base64编码格式

使用案例

首先注入一个BasicAuthRequestInterceptor

    @Bean
    BasicAuthRequestInterceptor basicAuthRequestInterceptor(){

        return new BasicAuthRequestInterceptor("zhangsan","123456");
    }

然后使用Feign调用远程服务,可以在日志中看到在消息头中添加了Basic认证信息:

 

源码

源码也很简单,就是将用户名密码,经过编码后放入到消息头中:

public class BasicAuthRequestInterceptor implements RequestInterceptor {

    private final String headerValue;

    public BasicAuthRequestInterceptor(String username, String password) {

        this(username, password, Util.ISO_8859_1);
    }

    public BasicAuthRequestInterceptor(String username, String password, Charset charset) {

        Util.checkNotNull(username, "username", new Object[0]);
        Util.checkNotNull(password, "password", new Object[0]);
        this.headerValue = "Basic " + base64Encode((username + ":" + password).getBytes(charset));
    }

    private static String base64Encode(byte[] bytes) {

        return Base64.encode(bytes);
    }

    public void apply(RequestTemplate template) {

        template.header("Authorization", new String[]{

     this.headerValue});
    }
}

OAuth2FeignRequestInterceptor

OAuth2FeignRequestInterceptor属于spring-cloud-security包,可以看到都标记为了过时,这是因为security-oauth2已经快停止维护,换了新的项目,已经正式发布。
 

源码分析

先按照顺序看下这个拦截器的处理逻辑,可以看到就是使用一个OAuth2 客户端上下文对象来存储令牌信息,每次请求时,会去校验当前上下文中令牌是否过期或不存在,不可用时,调用配置的认证中心获取令牌,然后将令牌放入到请求头中。

public class OAuth2FeignRequestInterceptor implements RequestInterceptor {

    public static final String BEARER = "Bearer";
    public static final String AUTHORIZATION = "Authorization";
    private final OAuth2ClientContext oAuth2ClientContext;
    private final OAuth2ProtectedResourceDetails resource;
    private final String tokenType;
    private final String header;
    private AccessTokenProvider accessTokenProvider;

    public OAuth2FeignRequestInterceptor(OAuth2ClientContext oAuth2ClientContext, OAuth2ProtectedResourceDetails resource) {

        this(oAuth2ClientContext, resource, "Bearer", "Authorization");
    }

    public OAuth2FeignRequestInterceptor(OAuth2ClientContext oAuth2ClientContext, OAuth2ProtectedResourceDetails resource, String tokenType, String header) {

        this.accessTokenProvider = new AccessTokenProviderChain(Arrays.asList(new AuthorizationCodeAccessTokenProvider(), new ImplicitAccessTokenProvider(), new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()));
        this.oAuth2ClientContext = oAuth2ClientContext;
        this.resource = resource;
        this.tokenType = tokenType;
        this.header = header;
    }

    public void apply(RequestTemplate template) {

        // 5. 将Oauth2 令牌放入到消息头中。
        template.header(this.header, new String[0]);
        template.header(this.header, new String[]{

     this.extract(this.tokenType)});
    }

    protected String extract(String tokenType) {

        OAuth2AccessToken accessToken = this.getToken();
        return String.format("%s %s", tokenType, accessToken.getValue());
    }

    public OAuth2AccessToken getToken() {

        // 1. 获取 OAuth2令牌 
        OAuth2AccessToken accessToken = this.oAuth2ClientContext.getAccessToken();
        if (accessToken == null || accessToken.isExpired()) {

            // 2. 如果令牌不存在或者过期,重新获取一个令牌
            try {

                accessToken = this.acquireAccessToken();
            } catch (UserRedirectRequiredException var5) {

                this.oAuth2ClientContext.setAccessToken((OAuth2AccessToken)null);
                String stateKey = var5.getStateKey();
                if (stateKey != null) {

                    Object stateToPreserve = var5.getStateToPreserve();
                    if (stateToPreserve == null) {

                        stateToPreserve = "NONE";
                    }

                    this.oAuth2ClientContext.setPreservedState(stateKey, stateToPreserve);
                }

                throw var5;
            }
        }

        return accessToken;
    }

    protected OAuth2AccessToken acquireAccessToken() throws UserRedirectRequiredException {

        // 3. 创建一个获取令牌的请求对象
        AccessTokenRequest tokenRequest = this.oAuth2ClientContext.getAccessTokenRequest();
        if (tokenRequest == null) {

            throw new AccessTokenRequiredException("Cannot find valid context on request for resource '" + this.resource.getId() + "'.", this.resource);
        } else {

            String stateKey = tokenRequest.getStateKey();
            if (stateKey != null) {

                tokenRequest.setPreservedState(this.oAuth2ClientContext.removePreservedState(stateKey));
            }

            OAuth2AccessToken existingToken = this.oAuth2ClientContext.getAccessToken();
            if (existingToken != null) {

                this.oAuth2ClientContext.setAccessToken(existingToken);
            }
            // 4. 使用令牌提供者获取一个令牌
            OAuth2AccessToken obtainableAccessToken = this.accessTokenProvider.obtainAccessToken(this.resource, tokenRequest);
            if (obtainableAccessToken != null && obtainableAccessToken.getValue() != null) {

                this.oAuth2ClientContext.setAccessToken(obtainableAccessToken);
                return obtainableAccessToken;
            } else {

                throw new IllegalStateException(" Access token provider returned a null token, which is illegal according to the contract.");
            }
        }
    }

    public void setAccessTokenProvider(AccessTokenProvider accessTokenProvider) {

        this.accessTokenProvider = accessTokenProvider;
    }
}

应用场景

当某个服务是Oauth 2的资源服务器,第三方使用Feign 去访问时,需要携带Oauth 2令牌去访问,这个时候就可以使用当前拦截器添加Oauth 2认证。

使用案例

场景:现在我们有一个微服务项目,采用Oauth 2认证方式,这个时候有个第三方,想通过Feign 调用我们的资源服务器,这个时候就可以让第三方集成我们的 Oauth 2客户端。
 
首先需要引入依赖:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-security</artifactId>
        </dependency>

然后注入 一个 Oauth 2客户端,这里演示使用密码模式。

    @Bean
    OAuth2ClientContext oAuth2ClientContext(){

        return new DefaultOAuth2ClientContext();
    }
    @Bean
    OAuth2FeignRequestInterceptor oAuth2FeignRequestInterceptor(OAuth2ClientContext oAuth2ClientContext, ResourceOwnerPasswordResourceDetails resourceOwnerPasswordResourceDetails){

        return new OAuth2FeignRequestInterceptor(oAuth2ClientContext,resourceOwnerPasswordResourceDetails);
    }
    @Bean
    ResourceOwnerPasswordResourceDetails resourceOwnerPasswordResourceDetails(){

        ResourceOwnerPasswordResourceDetails resourceOwnerPasswordResourceDetails = new ResourceOwnerPasswordResourceDetails();
        resourceOwnerPasswordResourceDetails.setUsername("hnmqet");
        resourceOwnerPasswordResourceDetails.setPassword("123456");
        resourceOwnerPasswordResourceDetails.setClientId("ZD");
        resourceOwnerPasswordResourceDetails.setClientSecret("123456");
        resourceOwnerPasswordResourceDetails.setAccessTokenUri("http://192.168.58.1:21101/oauth/token");
        return resourceOwnerPasswordResourceDetails;
    }

测试,可以看到该拦截器,最终会调用OAuth2AccessTokenSupport去远程获取令牌,然后放在消息头中去发送Feign 请求。

&nbsp;