spring security oauth2的token续期

程序员文章站 2022-07-10 17:30:54

需求描述：如果用户在指定的时间内有操作就给token延长有限期，否则到期后自动过期；我这里是用Redis存储数据的，所以需要重写RedisTokenStore，以下为实现代码：import lombok.extern.slf4j.Slf4j;import org.springframework.data.redis.connection.RedisConnection;import org.springframework.data.redis.connection.RedisConnect....

需求描述：如果用户在指定的时间内有操作就给token延长有限期，否则到期后自动过期；

我这里是用Redis存储数据的，所以需要重写RedisTokenStore，以下为实现代码：

import lombok.extern.slf4j.Slf4j;
import org.springframework.data.redis.connection.RedisConnection;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthenticationKeyGenerator;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Slf4j
public class MyRedisTokenStore extends RedisTokenStore {
	private static Class<?> superClazz = RedisTokenStore.class;
	private static final class KEYS{
		private static final String ACCESS = "access:";
		private static final String AUTH_TO_ACCESS = "auth_to_access:";
		private static final String AUTH = "auth:";
		private static final String ACCESS_TO_REFRESH = "access_to_refresh:";
		private static final String REFRESH_TO_ACCESS = "refresh_to_access:";
		private static final String CLIENT_ID_TO_ACCESS = "client_id_to_access:";
		private static final String UNAME_TO_ACCESS = "uname_to_access:";
	}
	
	//属性值和方法缓存
	private static Map<String, Object> fieldsValCache = new HashMap<>();
	private static Map<String, Method> methodsCache = new HashMap<>();

	public MyRedisTokenStore(RedisConnectionFactory connectionFactory) {
		super(connectionFactory);
	}

	@Override
	public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
		OAuth2Authentication result = readAuthentication(token.getValue());

		if (result != null) {
			log.debug("进入token续签，token---{}, result---{}", token.getValue(), result);

			// 如果token没有失效  更新AccessToken过期时间
			DefaultOAuth2AccessToken oAuth2AccessToken = (DefaultOAuth2AccessToken) token;

			//重新设置过期时间
			User user = (User) result.getPrincipal();
			String userName = user.getUsername();
			String clientId = result.getOAuth2Request().getClientId();

			log.debug("userName---{},clientId---{}", userName, clientId);

			Collection<OAuth2AccessToken> tokensByClientIdAndUserName = findTokensByClientIdAndUserName(clientId, userName);
			OAuth2AccessToken o = (OAuth2AccessToken) tokensByClientIdAndUserName.toArray()[0];
			int expiresIn = o.getExpiresIn();

			if (expiresIn > 0) {
				oAuth2AccessToken.setExpiration(new Date(System.currentTimeMillis() + (3600 * 24 * 2 * 1000L)));
			}

			log.debug("userName---{},clientId---{},expiresIn{}", userName, clientId, expiresIn);

			//续期, 网上有人用storeAccessToken，是有问题的，
			//tokenRenewal相当于重写了storeAccessToken，只是在集合添加数据时，删除了旧数据
			//不然会造成CLIENT_ID_TO_ACCESS和UNAME_TO_ACCESS中的数据一直累计，造成redis大Key的问题
			tokenRenewal(token, result);
		}
		return result;
	}

	/**
	 * token续期
	 */
	private void tokenRenewal(OAuth2AccessToken token, OAuth2Authentication authentication){
		AuthenticationKeyGenerator autKeyGenerator = getSuperFieldVal("authenticationKeyGenerator");
		Method getApprovalKey = getSuperMethod("getApprovalKey", OAuth2Authentication.class);
		Method serializeKey = getSuperMethod("serializeKey", String.class);
		Method serialize = getSuperMethod("serialize", Object.class);
		Method getConnection = getSuperMethod("getConnection");


		String ataKey = KEYS.AUTH_TO_ACCESS + autKeyGenerator.extractKey(authentication);
		String utaKey = KEYS.UNAME_TO_ACCESS + invokeSuperMethod(getApprovalKey, authentication);
		String citaKey = KEYS.CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId();

		byte[] accessKey = invokeSuperMethod(serializeKey, KEYS.ACCESS + token.getValue());
		byte[] authKey = invokeSuperMethod(serializeKey, KEYS.AUTH + token.getValue());
		byte[] authToAccessKey = invokeSuperMethod(serializeKey, ataKey);
		byte[] approvalKey = invokeSuperMethod(serializeKey, utaKey);
		byte[] clientId = invokeSuperMethod(serializeKey, citaKey);

		byte[] serializedAuth = invokeSuperMethod(serialize, authentication);
		byte[] serializedAccessToken = invokeSuperMethod(serialize, token);
		Boolean springRedis_2_0 = getSuperFieldVal("springDataRedis_2_0");
		Method redisConnSet_2_0 = getSuperFieldVal("redisConnectionSet_2_0");

		RedisConnection conn = invokeSuperMethod(getConnection);

		byte[] access = conn.get(accessKey);

		try {
			conn.openPipeline();
			if (springRedis_2_0) {
				try {
					redisConnSet_2_0.invoke(conn, accessKey, serializedAccessToken);
					redisConnSet_2_0.invoke(conn, authKey, serializedAuth);
					redisConnSet_2_0.invoke(conn, authToAccessKey, serializedAccessToken);
				} catch (Exception ex) {
					throw new RuntimeException(ex);
				}
			} else {
				conn.set(accessKey, serializedAccessToken);
				conn.set(authKey, serializedAuth);
				conn.set(authToAccessKey, serializedAccessToken);
			}

			if (!authentication.isClientOnly()) {
				//先删除原有的
				conn.sRem(approvalKey, access);
				conn.sAdd(approvalKey, serializedAccessToken);
			}
			//先删除原有的
			conn.sRem(clientId, access);
			conn.sAdd(clientId, serializedAccessToken);

			if (token.getExpiration() != null) {
				int seconds = token.getExpiresIn();
				conn.expire(accessKey, seconds);
				conn.expire(authKey, seconds);
				conn.expire(authToAccessKey, seconds);
				conn.expire(clientId, seconds);
				conn.expire(approvalKey, seconds);
			}
			OAuth2RefreshToken refreshToken = token.getRefreshToken();
			if (refreshToken != null && refreshToken.getValue() != null) {
				String rtaKey = KEYS.REFRESH_TO_ACCESS + token.getRefreshToken().getValue();
				String atrKey = KEYS.ACCESS_TO_REFRESH + token.getValue();
				byte[] refreshToAccessKey = invokeSuperMethod(serializeKey, rtaKey);
				byte[] accessToRefreshKey = invokeSuperMethod(serializeKey, atrKey);
				byte[] auth = invokeSuperMethod(serialize, token.getValue());
				byte[] refresh = invokeSuperMethod(serialize, token.getRefreshToken().getValue());

				if (springRedis_2_0) {
					try {
						redisConnSet_2_0.invoke(conn, refreshToAccessKey, auth);
						redisConnSet_2_0.invoke(conn, accessToRefreshKey, refresh);
					} catch (Exception ex) {
						throw new RuntimeException(ex);
					}
				} else {
					conn.set(refreshToAccessKey, auth);
					conn.set(accessToRefreshKey, refresh);
				}

				if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
					ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
					Date expiration = expiringRefreshToken.getExpiration();
					if (expiration != null) {
						int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L).intValue();
						conn.expire(refreshToAccessKey, seconds);
						conn.expire(accessToRefreshKey, seconds);
					}
				}
			}
			conn.closePipeline();
		} finally {
			conn.close();
		}
	}

	//以下方法用于协助调用父类的私有属性和方法

	/**
	 * 获取父类私有方法
	 * @param methodName 方法名
	 * @param params 方法参数类型列表
	 * @return 方法
	 */
	private Method getSuperMethod(String methodName, Class<?>... params){
		try{
			Method method;
			if((method=methodsCache.get(methodName)) == null){
				method = superClazz.getDeclaredMethod(methodName, params);
				method.setAccessible(true);
				methodsCache.put(methodName, method);
			}
			return method;
		}catch (NoSuchMethodException e){
			e.printStackTrace();
			return null;
		}
	}

	/**
	 * 调用父类私有方法
	 * @param method 方法
	 * @param args 参数列表
	 * @param <T> 指定返回类型
	 * @return 方法调用结果
	 */
	private <T> T invokeSuperMethod(Method method, Object... args){
		try{
			return (T)method.invoke(this, args);
		}catch (Exception e){
			e.printStackTrace();
			return null;
		}
	}

	/**
	 * 获取父类私有属性的值
	 * @param fieldName 属性名
	 * @param <E> 指定属性类型
	 * @return 属性值
	 */
	private <E> E getSuperFieldVal(String fieldName){
		try{
			Object result;
			if((result=fieldsValCache.get(fieldName)) == null){
				Field field = superClazz.getDeclaredField(fieldName);
				field.setAccessible(true);
				result = field.get(this);
				fieldsValCache.put(fieldName, result);
			}
			return (E)result;
		}catch (Exception e){
			e.printStackTrace();
			return null;
		}
	}
}

tokenRenewal相当于在storeAccessToken内添加了以下三行代码：

byte[] access = conn.get(accessKey);
conn.sRem(approvalKey, access);
conn.sRem(clientId, access);

本文地址：https://blog.csdn.net/xhom_w/article/details/110229681

上一篇：物联网行业，芯片商迎来新机遇

下一篇： LTE双线并进发展，或扩张至物联网各个领域

spring security oauth2的token续期

浅谈Spring Security 对于静态资源的拦截与放行

详解Spring Security的HttpBasic登录验证模式

使用Spring Security OAuth2实现单点登录

Spring Security 解析(七) —— Spring Security Oauth2 源码解析

如何用Spring Security OAuth2 实现登录互踢，面试必学

Spring Security OAuth2 SSO

基于Spring Security前后端分离的权限控制系统问题

基于Spring Security的Oauth2授权实现方法

SpringBoot整合Spring Security的详细教程

Spring微服务使用feign传递Token的简单示例