From 052b07e967dbcd3938f24518256db2c0adb22610 Mon Sep 17 00:00:00 2001 From: tanqidi <1330884822@qq.com> Date: Mon, 2 Jun 2025 01:26:35 +0800 Subject: [PATCH] init --- .gitattributes | 2 + .gitignore | 26 ++ README.md | 75 ++++- mvnw | 259 ++++++++++++++++++ mvnw.cmd | 149 ++++++++++ pom.xml | 93 +++++++ .../survey/SurveyServiceApplication.java | 13 + .../config/OAuth2LoginSecurityConfig.java | 177 ++++++++++++ .../survey/controller/AdminController.java | 26 ++ .../survey/controller/IndexController.java | 42 +++ .../survey/controller/PublicController.java | 21 ++ .../survey/controller/UserController.java | 36 +++ .../com/tanqidi/survey/dto/UserInfoDTO.java | 40 +++ src/main/resources/application.properties | 27 ++ .../survey/SurveyServiceApplicationTests.java | 13 + 15 files changed, 998 insertions(+), 1 deletion(-) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 mvnw create mode 100644 mvnw.cmd create mode 100644 pom.xml create mode 100644 src/main/java/com/tanqidi/survey/SurveyServiceApplication.java create mode 100644 src/main/java/com/tanqidi/survey/config/OAuth2LoginSecurityConfig.java create mode 100644 src/main/java/com/tanqidi/survey/controller/AdminController.java create mode 100644 src/main/java/com/tanqidi/survey/controller/IndexController.java create mode 100644 src/main/java/com/tanqidi/survey/controller/PublicController.java create mode 100644 src/main/java/com/tanqidi/survey/controller/UserController.java create mode 100644 src/main/java/com/tanqidi/survey/dto/UserInfoDTO.java create mode 100644 src/main/resources/application.properties create mode 100644 src/test/java/com/tanqidi/survey/SurveyServiceApplicationTests.java diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..3b41682 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +/mvnw text eol=lf +*.cmd text eol=crlf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9154f4c --- /dev/null +++ b/.gitignore @@ -0,0 +1,26 @@ +# ---> Java +# Compiled class file +*.class + +# Log file +*.log + +# BlueJ files +*.ctxt + +# Mobile Tools for Java (J2ME) +.mtj.tmp/ + +# Package Files # +*.jar +*.war +*.nar +*.ear +*.zip +*.tar.gz +*.rar + +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml +hs_err_pid* +replay_pid* + diff --git a/README.md b/README.md index ff11056..99f474c 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,75 @@ -# spring-boot-3.5.0-keycloak-24 +# 项目简介 +本项目基于 Spring Boot 3.5.0 和 Keycloak 24,提供 OAuth2/OIDC 认证与权限管理的问卷服务系统。 + +## 主要技术栈 + +- **Spring Boot 3.5.0**:简化 Java Web 应用开发,提供自动配置和生产级特性。 +- **Keycloak 24**:开源身份与访问管理,支持 OAuth2/OIDC 协议。 +- **Maven**:依赖与构建管理。 + +## 关键依赖(pom.xml 摘录) + +```xml + + org.springframework.boot + spring-boot-starter-parent + 3.5.0 + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-oauth2-client + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-oauth2-resource-server + + + org.projectlombok + lombok + true + + +``` + +## 认证与安全配置 + +- 认证方式:采用 Keycloak 作为 OAuth2/OIDC 认证服务器。 +- 主要配置文件:`src/main/resources/application.properties`,配置了 keycloak 的 client-id、client-secret、issuer-uri 等。 +- 主要安全配置类:`config/OAuth2LoginSecurityConfig.java`,实现了 Spring Security 的 OAuth2 登录与权限控制。 + +## Keycloak 与 Spring Boot 3 的兼容性说明 + +Keycloak 官方适配的 keycloak-spring-boot-starter 目前仅支持到 Spring Boot 2.x,尚未完全支持 Spring Boot 3.x 及其 Spring Security 6 体系。因此在 Spring Boot 3 项目中,推荐直接采用 Spring Security 官方的 OAuth2/OIDC 客户端能力对接 Keycloak,而不是依赖 keycloak-spring-boot-starter。 + +## 为什么采用 OAuth2/OIDC + +- OAuth2/OIDC 是业界主流的认证与授权协议,安全性高、扩展性强。 +- Spring Security 原生支持 OAuth2/OIDC,易于与 Keycloak 等身份服务集成。 +- 采用 OAuth2/OIDC 可实现单点登录、细粒度权限控制、第三方登录等高级特性。 +- 避免与 Keycloak 版本强绑定,提升系统可维护性和兼容性。 + +## 目录结构 + +``` +├── pom.xml +├── src/ +│ ├── main/ +│ │ ├── java/com/tanqidi/survey/ +│ │ │ ├── SurveyServiceApplication.java +│ │ │ ├── config/OAuth2LoginSecurityConfig.java +│ │ │ ├── controller/ +│ │ │ └── dto/ +│ │ └── resources/application.properties +│ └── test/ +└── ... +``` diff --git a/mvnw b/mvnw new file mode 100644 index 0000000..19529dd --- /dev/null +++ b/mvnw @@ -0,0 +1,259 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Apache Maven Wrapper startup batch script, version 3.3.2 +# +# Optional ENV vars +# ----------------- +# JAVA_HOME - location of a JDK home dir, required when download maven via java source +# MVNW_REPOURL - repo url base for downloading maven distribution +# MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +# MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output +# ---------------------------------------------------------------------------- + +set -euf +[ "${MVNW_VERBOSE-}" != debug ] || set -x + +# OS specific support. +native_path() { printf %s\\n "$1"; } +case "$(uname)" in +CYGWIN* | MINGW*) + [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" + native_path() { cygpath --path --windows "$1"; } + ;; +esac + +# set JAVACMD and JAVACCMD +set_java_home() { + # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched + if [ -n "${JAVA_HOME-}" ]; then + if [ -x "$JAVA_HOME/jre/sh/java" ]; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACCMD="$JAVA_HOME/jre/sh/javac" + else + JAVACMD="$JAVA_HOME/bin/java" + JAVACCMD="$JAVA_HOME/bin/javac" + + if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then + echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 + echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 + return 1 + fi + fi + else + JAVACMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v java + )" || : + JAVACCMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v javac + )" || : + + if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then + echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 + return 1 + fi + fi +} + +# hash string like Java String::hashCode +hash_string() { + str="${1:-}" h=0 + while [ -n "$str" ]; do + char="${str%"${str#?}"}" + h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296)) + str="${str#?}" + done + printf %x\\n $h +} + +verbose() { :; } +[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } + +die() { + printf %s\\n "$1" >&2 + exit 1 +} + +trim() { + # MWRAPPER-139: + # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. + # Needed for removing poorly interpreted newline sequences when running in more + # exotic environments such as mingw bash on Windows. + printf "%s" "${1}" | tr -d '[:space:]' +} + +# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties +while IFS="=" read -r key value; do + case "${key-}" in + distributionUrl) distributionUrl=$(trim "${value-}") ;; + distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; + esac +done <"${0%/*}/.mvn/wrapper/maven-wrapper.properties" +[ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" + +case "${distributionUrl##*/}" in +maven-mvnd-*bin.*) + MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ + case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in + *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;; + :Darwin*x86_64) distributionPlatform=darwin-amd64 ;; + :Darwin*arm64) distributionPlatform=darwin-aarch64 ;; + :Linux*x86_64*) distributionPlatform=linux-amd64 ;; + *) + echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 + distributionPlatform=linux-amd64 + ;; + esac + distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" + ;; +maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; +*) MVN_CMD="mvn${0##*/mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; +esac + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" +distributionUrlName="${distributionUrl##*/}" +distributionUrlNameMain="${distributionUrlName%.*}" +distributionUrlNameMain="${distributionUrlNameMain%-bin}" +MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}" +MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" + +exec_maven() { + unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : + exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" +} + +if [ -d "$MAVEN_HOME" ]; then + verbose "found existing MAVEN_HOME at $MAVEN_HOME" + exec_maven "$@" +fi + +case "${distributionUrl-}" in +*?-bin.zip | *?maven-mvnd-?*-?*.zip) ;; +*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; +esac + +# prepare tmp dir +if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then + clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } + trap clean HUP INT TERM EXIT +else + die "cannot create temp dir" +fi + +mkdir -p -- "${MAVEN_HOME%/*}" + +# Download and Install Apache Maven +verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +verbose "Downloading from: $distributionUrl" +verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +# select .zip or .tar.gz +if ! command -v unzip >/dev/null; then + distributionUrl="${distributionUrl%.zip}.tar.gz" + distributionUrlName="${distributionUrl##*/}" +fi + +# verbose opt +__MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' +[ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v + +# normalize http auth +case "${MVNW_PASSWORD:+has-password}" in +'') MVNW_USERNAME='' MVNW_PASSWORD='' ;; +has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; +esac + +if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then + verbose "Found wget ... using wget" + wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl" +elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then + verbose "Found curl ... using curl" + curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl" +elif set_java_home; then + verbose "Falling back to use Java to download" + javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" + targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" + cat >"$javaSource" <<-END + public class Downloader extends java.net.Authenticator + { + protected java.net.PasswordAuthentication getPasswordAuthentication() + { + return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); + } + public static void main( String[] args ) throws Exception + { + setDefault( new Downloader() ); + java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); + } + } + END + # For Cygwin/MinGW, switch paths to Windows format before running javac and java + verbose " - Compiling Downloader.java ..." + "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java" + verbose " - Running Downloader.java ..." + "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" +fi + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +if [ -n "${distributionSha256Sum-}" ]; then + distributionSha256Result=false + if [ "$MVN_CMD" = mvnd.sh ]; then + echo "Checksum validation is not supported for maven-mvnd." >&2 + echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + elif command -v sha256sum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c >/dev/null 2>&1; then + distributionSha256Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then + distributionSha256Result=true + fi + else + echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $distributionSha256Result = false ]; then + echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 + echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 + exit 1 + fi +fi + +# unzip and move +if command -v unzip >/dev/null; then + unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" +else + tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar" +fi +printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/mvnw.url" +mv -- "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" + +clean || : +exec_maven "$@" diff --git a/mvnw.cmd b/mvnw.cmd new file mode 100644 index 0000000..249bdf3 --- /dev/null +++ b/mvnw.cmd @@ -0,0 +1,149 @@ +<# : batch portion +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM http://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Apache Maven Wrapper startup batch script, version 3.3.2 +@REM +@REM Optional ENV vars +@REM MVNW_REPOURL - repo url base for downloading maven distribution +@REM MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +@REM MVNW_VERBOSE - true: enable verbose log; others: silence the output +@REM ---------------------------------------------------------------------------- + +@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0) +@SET __MVNW_CMD__= +@SET __MVNW_ERROR__= +@SET __MVNW_PSMODULEP_SAVE=%PSModulePath% +@SET PSModulePath= +@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @( + IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B) +) +@SET PSModulePath=%__MVNW_PSMODULEP_SAVE% +@SET __MVNW_PSMODULEP_SAVE= +@SET __MVNW_ARG0_NAME__= +@SET MVNW_USERNAME= +@SET MVNW_PASSWORD= +@IF NOT "%__MVNW_CMD__%"=="" (%__MVNW_CMD__% %*) +@echo Cannot start maven from wrapper >&2 && exit /b 1 +@GOTO :EOF +: end batch / begin powershell #> + +$ErrorActionPreference = "Stop" +if ($env:MVNW_VERBOSE -eq "true") { + $VerbosePreference = "Continue" +} + +# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties +$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl +if (!$distributionUrl) { + Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" +} + +switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) { + "maven-mvnd-*" { + $USE_MVND = $true + $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip" + $MVN_CMD = "mvnd.cmd" + break + } + default { + $USE_MVND = $false + $MVN_CMD = $script -replace '^mvnw','mvn' + break + } +} + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +if ($env:MVNW_REPOURL) { + $MVNW_REPO_PATTERN = if ($USE_MVND) { "/org/apache/maven/" } else { "/maven/mvnd/" } + $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace '^.*'+$MVNW_REPO_PATTERN,'')" +} +$distributionUrlName = $distributionUrl -replace '^.*/','' +$distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$','' +$MAVEN_HOME_PARENT = "$HOME/.m2/wrapper/dists/$distributionUrlNameMain" +if ($env:MAVEN_USER_HOME) { + $MAVEN_HOME_PARENT = "$env:MAVEN_USER_HOME/wrapper/dists/$distributionUrlNameMain" +} +$MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '' +$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME" + +if (Test-Path -Path "$MAVEN_HOME" -PathType Container) { + Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME" + Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" + exit $? +} + +if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) { + Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl" +} + +# prepare tmp dir +$TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile +$TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir" +$TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null +trap { + if ($TMP_DOWNLOAD_DIR.Exists) { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } + } +} + +New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null + +# Download and Install Apache Maven +Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +Write-Verbose "Downloading from: $distributionUrl" +Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +$webclient = New-Object System.Net.WebClient +if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) { + $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD) +} +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +$webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +$distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum +if ($distributionSha256Sum) { + if ($USE_MVND) { + Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." + } + Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash + if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) { + Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property." + } +} + +# unzip and move +Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null +Rename-Item -Path "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" -NewName $MAVEN_HOME_NAME | Out-Null +try { + Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null +} catch { + if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) { + Write-Error "fail to move MAVEN_HOME" + } +} finally { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } +} + +Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..ae5329b --- /dev/null +++ b/pom.xml @@ -0,0 +1,93 @@ + + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 3.5.0 + + + com.tanqidi + survey + 0.0.1-SNAPSHOT + survey-service + survey-service + + + + + + + + + + + + + + + 21 + + + + org.springframework.boot + spring-boot-starter-web + + + + org.springframework.boot + spring-boot-starter-oauth2-client + + + org.springframework.boot + spring-boot-starter-security + + + + org.springframework.boot + spring-boot-starter-oauth2-resource-server + + + + org.projectlombok + lombok + true + + + org.springframework.boot + spring-boot-starter-test + test + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + + + org.projectlombok + lombok + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + org.projectlombok + lombok + + + + + + + + diff --git a/src/main/java/com/tanqidi/survey/SurveyServiceApplication.java b/src/main/java/com/tanqidi/survey/SurveyServiceApplication.java new file mode 100644 index 0000000..2fd5bb6 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/SurveyServiceApplication.java @@ -0,0 +1,13 @@ +package com.tanqidi.survey; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class SurveyServiceApplication { + + public static void main(String[] args) { + SpringApplication.run(SurveyServiceApplication.class, args); + } + +} diff --git a/src/main/java/com/tanqidi/survey/config/OAuth2LoginSecurityConfig.java b/src/main/java/com/tanqidi/survey/config/OAuth2LoginSecurityConfig.java new file mode 100644 index 0000000..40fd8c9 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/config/OAuth2LoginSecurityConfig.java @@ -0,0 +1,177 @@ +package com.tanqidi.survey.config; + +import com.nimbusds.jose.util.JSONObjectUtils; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.core.convert.converter.Converter; +import org.springframework.http.ResponseEntity; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService; +import org.springframework.security.oauth2.client.userinfo.OAuth2UserService; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; +import org.springframework.security.oauth2.core.oidc.user.OidcUser; +import org.springframework.security.oauth2.jwt.Jwt; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutHandler; +import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter; +import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive; +import org.springframework.web.client.RestTemplate; +import org.springframework.web.util.UriComponentsBuilder; + +import java.util.*; + +@Configuration +@EnableWebSecurity +@EnableMethodSecurity +public class OAuth2LoginSecurityConfig { + private final Logger log = LoggerFactory.getLogger(this.getClass()); + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http // + .sessionManagement( + // https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html + // https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#appendix.application-properties.server + Customizer.withDefaults()) + .authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests // + .requestMatchers("/login", "/logout").permitAll() // + .requestMatchers("/api/admin/**").hasRole("test-service-admin") // + .requestMatchers("/api/user/**").hasRole("test-service-user") // + .anyRequest().authenticated()) // + .oauth2Login(oauth2 -> oauth2 // + .userInfoEndpoint(userInfo -> userInfo // + .oidcUserService(this.oidcUserService()))) + .csrf(csrf -> csrf // + // https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-repository-cookie + .ignoringRequestMatchers("/logout", "/api")) + .logout(logout -> logout // + .addLogoutHandler(new KeycloakLogoutHandler(restTemplateBuilder.build())) // + // https://docs.spring.io/spring-security/reference/servlet/authentication/logout.html#clear-all-site-data + .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(Directive.ALL)))); + return http.build(); + } + + @Autowired + private RestTemplateBuilder restTemplateBuilder; + + // OpenID Connect 1.0 Logout Does Not work for Angular app, since redirect will violate CORS (Reason: CORS header + // ‘Access-Control-Allow-Origin’ missing) and OidcClientInitiatedLogoutSuccessHandler ignores Spring Security CORS + // https://docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html#oauth2login-advanced-oidc-logout + // https://github.com/simasch/vaadin-keycloak/blob/main/src/main/java/ch/martinelli/demo/keycloak/security/KeycloakLogoutHandler.java + private class KeycloakLogoutHandler implements LogoutHandler { + private final RestTemplate restTemplate; + + public KeycloakLogoutHandler(RestTemplate restTemplate) { + this.restTemplate = restTemplate; + } + + @Override + public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) { + logoutFromKeycloak((OidcUser) auth.getPrincipal()); + } + + private void logoutFromKeycloak(OidcUser user) { + // https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/securing_applications_and_services_guide/index#logout + String endSessionEndpoint = user.getIssuer() + "/protocol/openid-connect/logout"; + UriComponentsBuilder builder = UriComponentsBuilder // + .fromUriString(endSessionEndpoint) // + .queryParam("id_token_hint", user.getIdToken().getTokenValue()); + + ResponseEntity logoutResponse = restTemplate.getForEntity(builder.toUriString(), String.class); + if (logoutResponse.getStatusCode().is2xxSuccessful()) { + log.info("Successfully logged out from Keycloak"); + } else { + log.error("Could not propagate logout to Keycloak"); + } + } + } + + // https://docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html#oauth2login-advanced-map-authorities-oauth2userservice + private OAuth2UserService oidcUserService() { + final OidcUserService delegate = new OidcUserService(); + + return (userRequest) -> { + // Delegate to the default implementation for loading a user + OidcUser oidcUser = delegate.loadUser(userRequest); + + OAuth2AccessToken accessToken = userRequest.getAccessToken(); + Collection mappedAuthorities = new HashSet<>(); + + // 1) Fetch the authority information from the protected resource using accessToken + // 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities + try { + String[] chunks = accessToken.getTokenValue().split("\\."); + Base64.Decoder decoder = Base64.getUrlDecoder(); + String header = new String(decoder.decode(chunks[0])); + String payload = new String(decoder.decode(chunks[1])); + + Map claims = JSONObjectUtils.parse(payload); + mappedAuthorities = new KeycloakAuthoritiesConverter().convert(claims); + } catch (Exception e) { + log.error("Failed to map Authorities", e); + } + + // 3) Create a copy of oidcUser but use the mappedAuthorities instead + oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo(), + "preferred_username"); + + return oidcUser; + }; + } + + // Spring OAuth2 uses default Scopes Not Roles for Authorization + // org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter + private class KeycloakAuthoritiesConverter implements Converter> { + + @Override + public Collection convert(Jwt jwt) { + return convert(jwt.getClaims()); + } + + public Collection convert(Map claims) { + Collection grantedAuthorities = new ArrayList<>(); + for (String authority : getAuthorities(claims)) { + grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + authority)); + } + return grantedAuthorities; + } + + private Collection getAuthorities(Map claims) { + Object realm_access = claims.get("realm_access"); + log.info("Retrieved realm_access {}", realm_access); + if (realm_access instanceof Map) { + Map map = castAuthoritiesToMap(realm_access); + Object roles = map.get("roles"); + if (roles instanceof Collection) { + return castAuthoritiesToCollection(roles); + } + } + return Collections.emptyList(); + } + + @SuppressWarnings("unchecked") + private Map castAuthoritiesToMap(Object authorities) { + return (Map) authorities; + } + + @SuppressWarnings("unchecked") + private Collection castAuthoritiesToCollection(Object authorities) { + return (Collection) authorities; + } + } +} diff --git a/src/main/java/com/tanqidi/survey/controller/AdminController.java b/src/main/java/com/tanqidi/survey/controller/AdminController.java new file mode 100644 index 0000000..f06caa9 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/controller/AdminController.java @@ -0,0 +1,26 @@ +package com.tanqidi.survey.controller; + +import org.springframework.http.ResponseEntity; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("/api/admin") +public class AdminController { + + @GetMapping("/dashboard") + public ResponseEntity getAdminDashboard() { + return ResponseEntity.ok("这是管理员仪表盘接口"); + } + + @GetMapping("/users") + public ResponseEntity getAllUsers() { + return ResponseEntity.ok("这是获取所有用户的接口"); + } + + @GetMapping("/system") + public ResponseEntity getSystemInfo() { + return ResponseEntity.ok("这是系统信息接口"); + } +} \ No newline at end of file diff --git a/src/main/java/com/tanqidi/survey/controller/IndexController.java b/src/main/java/com/tanqidi/survey/controller/IndexController.java new file mode 100644 index 0000000..f10fe92 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/controller/IndexController.java @@ -0,0 +1,42 @@ +package com.tanqidi.survey.controller; + +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.oauth2.core.user.OAuth2User; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +import java.util.HashMap; +import java.util.Map; + +/** + * 
+ *     com.edw.controller.IndexController
+ *
+ * + * @author Muhammad Edwin < edwin at redhat dot com > + * 21 Mar 2023 20:09 + */ +@RestController +public class IndexController { + + @GetMapping(path = "/") + public Map index() { + OAuth2User user = (OAuth2User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); + return new HashMap() {{ + put("name", user.getAttribute("name")); + put("email", user.getAttribute("email")); + put("allAttributes", user.getAttributes()); // 👈 打印所有属性 + }}; + } + + + + @GetMapping(path = "/unauthenticated") + public HashMap unauthenticatedRequests() { + return new HashMap(){{ + put("this is", "unauthenticated endpoint"); + }}; + } + +} diff --git a/src/main/java/com/tanqidi/survey/controller/PublicController.java b/src/main/java/com/tanqidi/survey/controller/PublicController.java new file mode 100644 index 0000000..e4fd538 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/controller/PublicController.java @@ -0,0 +1,21 @@ +package com.tanqidi.survey.controller; + +import org.springframework.http.ResponseEntity; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("/api/public") +public class PublicController { + + @GetMapping("/info") + public ResponseEntity getPublicInfo() { + return ResponseEntity.ok("这是一个公开接口,任何人都可以访问"); + } + + @GetMapping("/health") + public ResponseEntity healthCheck() { + return ResponseEntity.ok("服务正常运行中"); + } +} \ No newline at end of file diff --git a/src/main/java/com/tanqidi/survey/controller/UserController.java b/src/main/java/com/tanqidi/survey/controller/UserController.java new file mode 100644 index 0000000..f4fa884 --- /dev/null +++ b/src/main/java/com/tanqidi/survey/controller/UserController.java @@ -0,0 +1,36 @@ +package com.tanqidi.survey.controller; + +import com.tanqidi.survey.dto.UserInfoDTO; +import org.springframework.http.ResponseEntity; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("/api/user") +public class UserController { + + @GetMapping("/profile") + public ResponseEntity getUserProfile() { + return ResponseEntity.ok("这是用户个人资料接口"); + } + + @GetMapping("/dashboard") + public ResponseEntity getUserDashboard() { + return ResponseEntity.ok("这是用户仪表盘接口"); + } + + @GetMapping("/me") + public ResponseEntity getCurrentUser() { + Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + UserInfoDTO userInfo = new UserInfoDTO(); + userInfo.setUsername(authentication.getName()); + userInfo.setRoles(authentication.getAuthorities().stream() + .map(authority -> authority.getAuthority()) + .toArray(String[]::new)); + + return ResponseEntity.ok(userInfo); + } +} \ No newline at end of file diff --git a/src/main/java/com/tanqidi/survey/dto/UserInfoDTO.java b/src/main/java/com/tanqidi/survey/dto/UserInfoDTO.java new file mode 100644 index 0000000..538808d --- /dev/null +++ b/src/main/java/com/tanqidi/survey/dto/UserInfoDTO.java @@ -0,0 +1,40 @@ +package com.tanqidi.survey.dto; + +public class UserInfoDTO { + private String username; + private String email; + private String[] roles; + private String accessToken; + + public String getUsername() { + return username; + } + + public void setUsername(String username) { + this.username = username; + } + + public String getEmail() { + return email; + } + + public void setEmail(String email) { + this.email = email; + } + + public String[] getRoles() { + return roles; + } + + public void setRoles(String[] roles) { + this.roles = roles; + } + + public String getAccessToken() { + return accessToken; + } + + public void setAccessToken(String accessToken) { + this.accessToken = accessToken; + } +} \ No newline at end of file diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties new file mode 100644 index 0000000..d386d6a --- /dev/null +++ b/src/main/resources/application.properties @@ -0,0 +1,27 @@ +spring.application.name=survey-service +server.port=8080 + +## logging +logging.level.org.springframework.security=INFO +logging.pattern.console=%d{dd-MM-yyyy HH:mm:ss} %magenta([%thread]) %highlight(%-5level) %logger.%M - %msg%n + +## keycloak +# OAuth2 Log In Spring Boot 2.x Property Mappings +# https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-boot-property-mappings +spring.security.oauth2.client.registration.keycloak.client-id=test-service +spring.security.oauth2.client.registration.keycloak.client-secret=e6LMQn67PmoaeXDxCvxiLIfmypjIIygi +#spring.security.oauth2.client.registration.keycloak.client-authentication-method = +# org.springframework.security.oauth2.core.AuthorizationGrantType +spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code +#spring.security.oauth2.client.registration.keycloak.authorization-grant-type=urn:ietf:params:oauth:grant-type:jwt-bearer +#spring.security.oauth2.client.registration.keycloak.redirect-uri = +spring.security.oauth2.client.registration.keycloak.scope=openid +#spring.security.oauth2.client.registration.keycloak.client-name = + +#spring.security.oauth2.client.provider.keycloak.authorization-uri +#spring.security.oauth2.client.provider.keycloak.token-uri +#spring.security.oauth2.client.provider.keycloak.jwk-set-uri +spring.security.oauth2.client.provider.keycloak.issuer-uri=http://172.31.0.233:31364/realms/tanqidi +#spring.security.oauth2.client.provider.keycloak.user-info-uri +#spring.security.oauth2.client.provider.keycloak.user-info-authentication-method +spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username diff --git a/src/test/java/com/tanqidi/survey/SurveyServiceApplicationTests.java b/src/test/java/com/tanqidi/survey/SurveyServiceApplicationTests.java new file mode 100644 index 0000000..119007b --- /dev/null +++ b/src/test/java/com/tanqidi/survey/SurveyServiceApplicationTests.java @@ -0,0 +1,13 @@ +package com.tanqidi.survey; + +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; + +@SpringBootTest +class SurveyServiceApplicationTests { + + @Test + void contextLoads() { + } + +}