個性化token 背景
上一篇文章
《Spring Security OAuth 個性化token(一)》有提到,oauth2.0 接口預設傳回的封包格式如下:
{
"access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
"token_type": "bearer",
"refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
"expires_in": 43199,
"scope": "server"
} 通過上篇文章我們已經可以擴充增加部分業務字段。
{
"access_token":"a6f3b6d6-93e6-4eb8-a97d-3ae72240a7b0",
"token_type":"bearer",
"refresh_token":"710ab162-a482-41cd-8bad-26456af38e4f",
"expires_in":42396,
"scope":"server",
"tenant_id":1,
"license":"made by pigx",
"dept_id":1,
"user_id":1,
"username":"admin"
} 「在一些場景下我們需要自定義一下傳回封包的格式,例如pig 使用R 對象傳回,全部包含code業務碼資訊」
{
"code":1,
"msg":"",
"data":{
"access_token":"e6669cdf-b6cd-43fe-af5c-f91a65041382",
"token_type":"bearer",
"refresh_token":"da91294d-446c-4a89-bdcf-88aee15a75e8",
"expires_in":43199,
"scope":"server"
}
} 方法一:HandlerMethodReturnValueHandler
- 顧名思義這是 Spring MVC 提供給我們修改方法傳回值的接口
public class FormatterToken implements HandlerMethodReturnValueHandler {
private static final String POST_ACCESS_TOKEN = "postAccessToken";
@Override
public boolean supportsReturnType(MethodParameter returnType) {
// 判斷方法名是否是 oauth2 的token 接口,是就處理
return POST_ACCESS_TOKEN.equals(Objects
.requireNonNull(returnType.getMethod()).getName());
}
// 擷取到傳回值然後使用 R對象統一包裝
@Override
public void handleReturnValue(Object returnValue, MethodParameter returnType, ModelAndViewContainer container, NativeWebRequest request) throws Exception {
ResponseEntity<OAuth2AccessToken> responseEntity = (ResponseEntity) returnValue;
OAuth2AccessToken body = responseEntity.getBody();
HttpServletResponse response = request.getNativeResponse(HttpServletResponse.class);
assert response != null;
WebUtils.renderJson(response, R.ok(body));
}
} - 注入FormatterToken,一定要這麼處理,不要直接使用 MVCconfig 注入,保證此Handler比 SpringMVC 預設的提前執行。
public class FormatterTokenAutoConfiguration implements ApplicationContextAware, InitializingBean {
private ApplicationContext applicationContext;
@Override
public void afterPropertiesSet() {
RequestMappingHandlerAdapter handlerAdapter = applicationContext.getBean(RequestMappingHandlerAdapter.class);
List<HandlerMethodReturnValueHandler> returnValueHandlers = handlerAdapter.getReturnValueHandlers();
List<HandlerMethodReturnValueHandler> newHandlers = new ArrayList<>();
newHandlers.add(new FormatterToken());
assert returnValueHandlers != null;
newHandlers.addAll(returnValueHandlers);
handlerAdapter.setReturnValueHandlers(newHandlers);
}
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
this.applicationContext = applicationContext;
}
} 方法二:aop 攔截增強 /oauth/token 接口
@Around("execution(* org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(..))")
public Object handlePostAccessTokenMethod(ProceedingJoinPoint joinPoint) throws Throwable {
// 擷取原有值,進行包裝傳回
Object proceed = joinPoint.proceed();
ResponseEntity<OAuth2AccessToken> responseEntity = (ResponseEntity<OAuth2AccessToken>) proceed;
OAuth2AccessToken body = responseEntity.getBody();
return ResponseEntity
.status(HttpStatus.OK)
.body(R.ok(body));
}
} 總結
實際項目中不建議修改此接口的通路格式,不相容oauth2協定 導緻其他元件不能正常使用 例如
- swagger 自帶的認證授權
- 其他網關元件自帶的oauth2
- spring security oauth2 自帶的 sso 功能
都将失效總體來權衡 弊大于利