client_id:cheetah_one //客戶端名稱，必須唯一
resource_ids:product_api //客戶端所能訪問的資源id集合,多個資源時用逗號(,)分隔
client_secret:$2a$10$h/TmLPvXozJJHXDyJEN22ensJgaciomfpOc9js9OonwWIdAnRQeoi //客戶端的訪問密碼
scope:read,write //客戶端申請的權限范圍,可選值包括read,write,trust。若有多個權限范圍用逗號(,)分隔
authorized_grant_types:client_credentials,implicit,authorization_code,refresh_token,password //指定客戶端支持的grant_type,可選值包括authorization_code,password,refresh_token,implicit,client_credentials, 若支持多個grant_type用逗號(,)分隔
web_server_redirect_uri:http://www.baidu.com //客戶端的重定向URI,可為空, 當grant_type為authorization_code或implicit時, 在Oauth的流程中會使用并檢查與注冊時填寫的redirect_uri是否一致
access_token_validity:43200 //設定客戶端的access_token的有效時間值(單位:秒),可選, 若不設定值則使用默認的有效時間值(60 * 60 * 12, 12小時)
autoapprove:false //設置用戶是否自動Approval操作, 默認值為 'false', 可選值包括 'true','false', 'read','write'

<dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
 <groupId>org.springframework.cloud</groupId>
 <artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
 <groupId>org.springframework.cloud</groupId>
 <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
 <groupId>org.springframework.security</groupId>
 <artifactId>spring-security-jwt</artifactId>
</dependency>

@RestController
@RequestMapping("/product")
public class ProductController {

    @GetMapping("/findAll")
    public String findAll(){
        return "產品列表查詢成功";
    }
}

/**
 * 指定token的持久化策略
 * InMemoryTokenStore 表示將token存儲在內存中
 * RedisTokenStore 表示將token存儲在redis中
 * JdbcTokenStore 表示將token存儲在數據庫中
 * @return
 */
@Bean
public TokenStore jdbcTokenStore(){
    return new JdbcTokenStore(dataSource);
}

/**
 * 指定當前資源的id和token的存儲策略
 * @param resources
 * @throws Exception
 */
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    //此處的id可以寫在配置文件中，這里我們先寫死
 resources.resourceId("product_api").tokenStore(jdbcTokenStore());
}


/**
 * 設置請求權限和header處理
 * @param http
 * @throws Exception
 */
@Override
public void configure(HttpSecurity http) throws Exception {
 //固定寫法
 http.authorizeRequests()
   //指定不同請求方式訪問資源所需的權限，一般查詢是read，其余都是write
   .antMatchers(HttpMethod.GET,"/**").access("#oauth2.hasScope('read')")
   .antMatchers(HttpMethod.POST,"/**").access("#oauth2.hasScope('write')")
   .antMatchers(HttpMethod.PATCH,"/**").access("#oauth2.hasScope('write')")
   .antMatchers(HttpMethod.PUT,"/**").access("#oauth2.hasScope('write')")
   .antMatchers(HttpMethod.DELETE,"/**").access("#oauth2.hasScope('write')")
   .and()
   .headers().addHeaderWriter((request,response) -> {
    //域名不同或者子域名不一樣并且是ajax請求就會出現跨域問題
    //允許跨域
    response.addHeader("Access-Control-Allow-Origin","*");
    //跨域中會出現預檢請求，如果不能通過，則真正請求也不會發出
    //如果是跨域的預檢請求，則原封不動向下傳遞請求頭信息，否則預檢請求會丟失請求頭信息（主要是token信息）
    if(request.getMethod().equals("OPTIONS")){
     response.setHeader("Access-Control-Allow-Methods",request.getHeader("Access-Control-Allow-Methods"));
     response.setHeader("Access-Control-Allow-Headers",request.getHeader("Access-Control-Allow-Headers"));
    }
 });
}

ExpressionUrlAuthorizationConfigurer<HttpSecurity>
  .ExpressionInterceptUrlRegistry config = http.requestMatchers().anyRequest()
  .and()
  .authorizeRequests();
properties.getUrls().forEach(e -> {
 config.antMatchers(e).permitAll();
});

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
 return this.baseMapper.selectOne(new LambdaQueryWrapper<SysUser>().eq(SysUser::getUsername, username));
}

/**
 * 指定認證對象的來源和加密方式
 * @param auth
 * @throws Exception
 */
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
 auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}

/**
 * 安全攔截機制（最重要）
 * @param httpSecurity
 * @throws Exception
 */
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
 httpSecurity
   //CSRF禁用，因為不使用session
   .csrf().disable()
   .authorizeRequests()
   //登錄接口和靜態資源不需要認證
   .antMatchers("/login*","/css/*").permitAll()
   //除上面的所有請求全部需要認證通過才能訪問
   .anyRequest().authenticated()
   //返回HttpSecurity以進行進一步的自定義,證明是一次新的配置的開始
   .and()
   .formLogin()
   //如果未指定此頁面，則會跳轉到默認頁面
//                .loginPage("/login.html")
   .loginProcessingUrl("/login")
   .permitAll()
   //認證失敗處理類
   .failureHandler(customAuthenticationFailureHandler);
}

/**
 * AuthenticationManager 對象在OAuth2.0認證服務中要使用，提前放入IOC容器中
 * @return
 * @throws Exception
 */
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
 return super.authenticationManagerBean();
}

/**
 * 數據庫連接池對象
 */
private final DataSource dataSource;

/**
 * 認證業務對象
 */
private final ISysUserService userService;

/**
 * 授權碼模式專用對象
 */
private final AuthenticationManager authenticationManager;

/**
 * 客戶端信息來源
 * @return
 */
@Bean
public JdbcClientDetailsService jdbcClientDetailsService(){
   return new JdbcClientDetailsService(dataSource);
}

/**
 * token保存策略
 * @return
 */
@Bean
public TokenStore tokenStore(){
 return new JdbcTokenStore(dataSource);
}

/**
 * 授權信息保存策略
 * @return
 */
@Bean
public ApprovalStore approvalStore(){
 return new JdbcApprovalStore(dataSource);
}

/**
 * 授權碼模式數據來源
 * @return
 */
@Bean
public AuthorizationCodeServices authorizationCodeServices(){
 return new JdbcAuthorizationCodeServices(dataSource);
}

/**
 * 用來配置客戶端詳情服務（ClientDetailsService）
 * 客戶端詳情信息在這里進行初始化
 * 指定客戶端信息的數據庫來源
 * @param clients
 * @throws Exception
 */
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 clients.withClientDetails(jdbcClientDetailsService());
}

/**
 * 檢測 token 的策略
 * @param security
 * @throws Exception
 */
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
 security
   //允許客戶端以form表單的方式將token傳達給我們
   .allowFormAuthenticationForClients()
   //檢驗token必須需要認證
   .checkTokenAccess("isAuthenticated()");
}


/**
 * OAuth2.0的主配置信息
 * @param endpoints
 * @throws Exception
 */
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
 endpoints
   //刷新token時會驗證當前用戶是否已經通過認證
   .userDetailsService(userService)
   .approvalStore(approvalStore())
   .authenticationManager(authenticationManager)
   .authorizationCodeServices(authorizationCodeServices())
   .tokenStore(tokenStore());
}

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}

@GetMapping("/findAll")
@Secured("ROLE_PRODUCT")
public String findAll(){
    return "產品列表查詢成功";
}

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
 SysUser sysUser = this.baseMapper.selectOne(new LambdaQueryWrapper<SysUser>().eq(SysUser::getUsername, username));
 sysUser.setRoleList(AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_PRODUCT"));
 return sysUser;
}