📄 单点登录整合 ruoyi
本章文档对应视频 📺 12.单点登录整合 ruoyi
# 整体设计思路
- 依赖于 OAuth2 的授权码模式, pigx 作为 SSO 的认证中心
- pigx 用户表包含 ruoyi 用户表的全部用户
- pigx 负责 Shiro Realm 的认证过程, ruoyi 负责鉴权过程
# 基础环境
基于 pigx 4.4.0 & ruoyi 4.7.0 实现 SSO 效果
整合视频参考 视频页面> pigx 单点登录模块整合 ruoyi
# pigx 增加客户端
sys_oauth_client_details
表直接增加即可
-- Registers ruoyi as an OAuth2 client of pigx. client_id / client_secret ('ruoyi' / 'ruoyi') are
-- sample values that must match oauth2.client.client-id / client-secret in ruoyi's application.yml;
-- use a different secret outside local testing. web_server_redirect_uri is the ruoyi callback
-- (http://localhost:8089/sso/login); the framework compares it with the actual redirect, so scheme,
-- host, port and path have to agree exactly (see the port-80 note at the end of this page).
-- authorization_code is the browser login flow, refresh_token allows renewal; autoapprove 'true'
-- skips the consent page. The two validity columns are presumably in seconds — confirm.
INSERT INTO `sys_oauth_client_details`(`id`,`client_id`, `resource_ids`, `client_secret`, `scope`, `authorized_grant_types`, `web_server_redirect_uri`, `authorities`, `access_token_validity`, `refresh_token_validity`, `additional_information`, `autoapprove`, `tenant_id`) VALUES (1000,'ruoyi', NULL, 'ruoyi', 'server', 'refresh_token,authorization_code', 'http://localhost:8089/sso/login', NULL, 43200, 2592001, NULL, 'true', 1);
# 客户端 SDK
ruoyi-framework/pom.xml 添加依赖
<dependency>
<groupId>com.pig4cloud.shiro</groupId>
<artifactId>sso-sdk</artifactId>
<version>0.0.9</version>
</dependency>
ruoyi-admin/application.yml 配置认证信息
oauth2:
client:
client-id: ruoyi
client-secret: ruoyi
target-uri: http://localhost:${server.port}/ #登录后跳转到首页的地址
logout-uri: ${oauth2.client.target-uri} # 退出后跳转的地址
sso-server-uri: http://127.0.0.1:3000 #pigx认证中心的地址
scope: server
# ruoyi 代码调整
com.ruoyi.framework.shiro.realm 目录新增OAuth2Realm逻辑
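@Component
public class OAuth2Realm extends UserRealm {
    @Autowired
    private ISysUserService userService;
    @Autowired
    private OAuth2SsoKit auth2SsoKit;

    /**
     * Resolves the SSO authorization code carried by {@code token} to a local ruoyi account.
     * <p>
     * The code is exchanged with the pigx SSO server through {@link OAuth2SsoKit#getUser} and the
     * returned login name is looked up in the ruoyi user table. The token is then filled with the
     * local user name and password hash so the rest of the Shiro pipeline sees a normal user.
     *
     * @param token an {@link OAuth2SsoAuthenticationToken}; {@link #supports} guarantees the type
     * @return authentication info built from the matching {@link SysUser}
     * @throws AuthenticationException if the SSO server yields no login name or no local account
     *         matches it (a more specific Shiro subclass such as UnknownAccountException also fits)
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        OAuth2SsoAuthenticationToken ssoToken = (OAuth2SsoAuthenticationToken) token;
        String username = auth2SsoKit.getUser(ssoToken.getCode());
        if (username == null || username.isEmpty()) {
            throw new AuthenticationException("SSO server returned no user for the authorization code");
        }
        SysUser sysUser = userService.selectUserByLoginName(username);
        if (sysUser == null) {
            // A user that exists in pigx but not in the ruoyi user table must fail as an
            // authentication error, not as a NullPointerException on the next line.
            throw new AuthenticationException("No local account for SSO user: " + username);
        }
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                sysUser, sysUser.getPassword(), ByteSource.Util.bytes(sysUser.getSalt()), getName());
        ssoToken.setUsername(sysUser.getUserName());
        ssoToken.setPassword(sysUser.getPassword().toCharArray());
        return info;
    }

    /**
     * Accepts every credential presented to this realm.
     * <p>
     * The authorization code has already been redeemed with the SSO server in
     * {@link #doGetAuthenticationInfo}, so there is no local password to compare. This is only
     * acceptable because {@link #supports} restricts the realm to {@link OAuth2SsoAuthenticationToken};
     * a plain username/password token never reaches this matcher.
     *
     * @return a matcher that always returns {@code true}
     */
    @Override
    public CredentialsMatcher getCredentialsMatcher() {
        return (token, info) -> true;
    }

    /**
     * Restricts this realm to SSO tokens so it is never consulted for other token types.
     *
     * @param token the token under consideration
     * @return {@code true} only for {@link OAuth2SsoAuthenticationToken}
     */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof OAuth2SsoAuthenticationToken;
    }
}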
ShiroConfig
配置
/**
 * Security manager: registers OAuth2Realm alongside ruoyi's existing UserRealm.
 * The elided part (...) is ruoyi's original securityManager body and stays unchanged.
 *
 * @param oAuth2Realm realm that handles the SSO callback token
 * @param userRealm   ruoyi's original realm
 * @return the configured security manager
 */
@Bean
public SecurityManager securityManager(OAuth2Realm oAuth2Realm, UserRealm userRealm)
{
// Both realms are installed; which one handles a login is decided by each realm's supports().
// OAuth2Realm accepts only OAuth2SsoAuthenticationToken, so form logins presumably still go to UserRealm — confirm.
securityManager.setRealms(Arrays.asList(oAuth2Realm, userRealm));
...
return securityManager;
}
/**
 * Shiro filter chain: opens the SSO callback endpoint, everything else stays as ruoyi defines it.
 *
 * @param securityManager the manager built above
 * @return the filter factory bean (remaining setup elided with ....)
 */
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager)
{
....
// /sso/login is where pigx redirects the browser back with the authorization code; no Shiro
// session exists yet at that point, so this single path must be reachable anonymously.
// (The trailing "#" remark is not Java comment syntax; use // in the real file.)
filterChainDefinitionMap.put("/sso/login", "anon"); # 开放sso/login endpoint
}
# 退出逻辑
ShiroConfig
// SSO kit handed to the logout filter so logout also ends the pigx session, not only the local one.
@Autowired
OAuth2SsoKit auth2SsoKit;
/**
 * Builds ruoyi's logout filter with the SSO kit wired in.
 * NOTE(review): no @Bean annotation is shown; presumably this is the helper ruoyi's
 * shiroFilterFactoryBean registers as the "logout" filter — confirm against ShiroConfig.
 * setAuth2SsoKit is not shown in the LogoutFilter listing below; the setter has to exist there.
 *
 * @return the configured filter
 */
public LogoutFilter logoutFilter()
{
LogoutFilter logoutFilter = new LogoutFilter();
// loginUrl is presumably a ShiroConfig field; it is the address the browser lands on after logout.
logoutFilter.setLoginUrl(loginUrl);
logoutFilter.setAuth2SsoKit(auth2SsoKit);
return logoutFilter;
}
/**
 * ruoyi's logout filter extended to terminate the pigx SSO session as well.
 * NOTE(review): as written the class name shadows its superclass; the superclass is presumably
 * Shiro's org.apache.shiro.web.filter.authc.LogoutFilter referenced by its qualified name — confirm.
 */
public class LogoutFilter extends LogoutFilter {
/**
 * Address the browser is redirected to after logout.
 */
private String loginUrl;
// Injected from ShiroConfig via setAuth2SsoKit (setter not shown in this excerpt).
private OAuth2SsoKit auth2SsoKit;
/**
 * Runs before the local logout; the elided part (...) is ruoyi's original preHandle body.
 * Calling the SSO kit here ends the pigx-side session too; without it the next visit would
 * presumably be re-authenticated by the still-valid SSO session — confirm with the SDK.
 *
 * @return as defined by the superclass (the return statement is elided here)
 */
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
...
auth2SsoKit.logout();
}
}
# SSO 登录地址
不建议服务端应用使用 80 端口部署: 浏览器默认会隐藏 URL 中的 80 端口, 导致实际回调地址与注册的 redirect_uri 不一致, OAuth2 框架校验失败
- 问题参考: https://git.pig4cloud.com/pig/pigx/issues/4168
http://localhost:8089/sso/login