├── .gitignore ├── LICENSE ├── README.md ├── auth-server ├── .gitignore ├── pom.xml ├── src │ ├── .gitignore │ └── main │ │ ├── java │ │ └── cn │ │ │ └── poile │ │ │ └── ucs │ │ │ └── auth │ │ │ ├── AuthServerApplication.java │ │ │ ├── Token │ │ │ └── MobileCodeAuthenticationToken.java │ │ │ ├── config │ │ │ ├── AuthorizationConfig.java │ │ │ ├── IgnoreLogoutFilter.java │ │ │ ├── RedisAuthorizationCodeServices.java │ │ │ ├── RedisConfig.java │ │ │ ├── ResourceServerConfig.java │ │ │ └── SecurityConfigurerAdapter.java │ │ │ ├── constant │ │ │ └── RedisConstant.java │ │ │ ├── controller │ │ │ └── AuthenticationController.java │ │ │ ├── entity │ │ │ ├── SysAuthority.java │ │ │ └── SysUser.java │ │ │ ├── granter │ │ │ └── MobileCodeTokenGranter.java │ │ │ ├── provider │ │ │ └── MobileCodeAuthenticationProvider.java │ │ │ ├── service │ │ │ ├── ClientDetailsServiceImpl.java │ │ │ ├── SysClientDetailService.java │ │ │ ├── SysUserService.java │ │ │ └── UserDetailsServiceImpl.java │ │ │ └── vo │ │ │ └── UserDetailImpl.java │ │ └── resources │ │ ├── application-dev.yml │ │ ├── application.yml │ │ ├── static │ │ └── css │ │ │ ├── bootstrap.min.css │ │ │ └── signin.css │ │ └── templates │ │ └── ftl │ │ └── login.ftl └── target │ └── classes │ ├── application-dev.yml │ └── application.yml ├── eureka-server ├── .gitignore ├── pom.xml └── src │ └── main │ ├── java │ └── cn │ │ └── poile │ │ └── ucs │ │ └── eureka │ │ ├── EurekaServerApplication.java │ │ └── config │ │ └── WebSecurityConfig.java │ └── resources │ ├── application-dev.yml │ └── application.yml ├── images ├── Basic-2.png ├── Basic.png ├── FixedPrincipalExtractior_01.png ├── OAuth2AuthenticationManager_01.png ├── OAuth2AuthenticationProcessingFilter_01.png ├── RemoteTokenService_01.png ├── RemoteTokenService_config_01.png ├── TokenEnhancer_enhance_01.png ├── UserInfoTokenServices_02.png ├── UserInfoTokenServices_03.png ├── cache.png ├── code-1.png ├── code-2.png ├── code-3.png ├── code-4.png ├── flow.png ├── 
implicit-2.png ├── implicit2.png ├── mobile.png ├── password.png └── refresh-token.png ├── pom.xml ├── resource-server ├── .gitignore ├── pom.xml ├── src │ └── main │ │ ├── java │ │ └── cn │ │ │ └── poile │ │ │ └── ucs │ │ │ └── resources │ │ │ ├── ResourceServerApplication.java │ │ │ ├── config │ │ │ ├── CustomizePrincipalExtractor.java │ │ │ └── ResourceServerConfig.java │ │ │ └── controller │ │ │ └── TestRestController.java │ │ └── resources │ │ ├── application-dev.yml │ │ └── application.yml └── target │ └── classes │ ├── application-dev.yml │ └── application.yml └── source_note ├── OAuth2ClientAuthenticationProcessingFilter.java ├── RoleVoter.java └── TokenEndpoint_source_note.java /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | ### Java template 3 | # Compiled class file 4 | *.class 5 | 6 | # Log file 7 | *.log 8 | 9 | # BlueJ files 10 | *.ctxt 11 | 12 | # Mobile Tools for Java (J2ME) 13 | .mtj.tmp/ 14 | 15 | # Package Files # 16 | *.jar 17 | *.war 18 | *.nar 19 | *.ear 20 | *.zip 21 | *.tar.gz 22 | *.rar 23 | 24 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 25 | hs_err_pid* 26 | 27 | /.idea/ 28 | *.iml 29 | /auth-server/target/ 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019-present Yaohw 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 
12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 简介 2 | 3 | 本项目基于spring-cloud-starter-oauth2搭建的认证中心和资源服务器的微服务项目,项目不仅仅简单的demo,项目的出发点在于实战应用。本项目为笔者花了不少时间和精力整理出来的,只需要稍微调整就可应用于实际项目当中,并且项目包含大量注释,不仅可以让你会用,也可让你了解到一些流程、一些原理上的东西。认证中心完成密码模式、授权码模式、刷新token模式、简化模式、以及自定义的手机号验证码模式。 4 | 5 | 国内Gitee:[https://gitee.com/copoile/springcloud-oauth2.git](https://gitee.com/copoile/springcloud-oauth2.git) 6 | 7 | > 如果大家有什么疑问或不懂的地方可以[issue](https://github.com/copoile/springcloud-oauth2/issues/new) 里提问。 8 | 有什么说得不对或不合理的地方也欢迎指出。希望对你有所帮助呦~ ^_^ 9 | 10 | # 分支说明 11 | 12 | 目前分支有master和prod,master分支为快速上手,未配置数据库,内容偏教程流程理解,prod分支新建数据库相关表,并实现认证相关数据查询,同时实现统一异常处理,统一Api。 13 | prod分支-用户名:admin/123456,客户端:web/123456 14 | 15 | # 功能 16 | 17 | ``` 18 | - 密码模式 19 | - 自定义手机验证码模式 20 | - 授权码模式 21 | - 简化模式 22 | - 刷token模式 23 | - 退出测试接口 24 | - 简单授权页面 25 | - 不需要accessToken测试接口 26 | - 需要accessToken测试接口 27 | - 需要特定权限测试接口 28 | - scope测试接口 29 | ``` 30 | 31 | 32 | 33 | 34 | 35 | ## 开发环境 36 | 37 | - **JDK 1.8 +** 38 | - **Maven 3.5 +** 39 | - **IntelliJ IDEA ULTIMATE 2018.2 +** (*注意:建议使用 IDEA 开发,同时保证安装 `lombok` 插件,如果是eclipse也要确保安装了`lombok` 插件*) 40 | - **Redis 3.0 +** 41 | 42 | 43 | 44 | ## 运行方式 45 | 46 | 1. 
`git clone https://github.com/copoile/springcloud-oauth2.git` 47 | 2. 使用 IDEA 打开 clone 下来的项目 48 | 3. 项目启动顺序: eureka-server > auth-server > resource-server 49 | > 注意:auth-server依赖redis服务,记得先启动redis服务哦~ 50 | 51 | 52 | 53 | # 认证验证流程 54 | 55 | 这里简单做下密码模式的认证和accessToken验证流程,手机号模式跟这个类型,授权码模式和简化模式稍微有点不一样,授权码模式和简化模式都是先跳到认证中心的授权页面,授权成功后回调回调地址,并且携带参数code或accessToken。 56 | 57 | ![](./images/flow.png) 58 | 59 | 60 | 61 | ## 认证中心核心代码 62 | 63 | ### AuthorizationConfig.java 64 | ```java 65 | /** 66 | * 认证配置 67 | * @author: yaohw 68 | * @create: 2019-09-30 16:12 69 | **/ 70 | @Configuration 71 | @EnableAuthorizationServer 72 | public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter { 73 | 74 | @Autowired 75 | private AuthenticationManager authenticationManager; 76 | 77 | @Autowired 78 | private UserDetailsServiceImpl userDetailsService; 79 | 80 | @Autowired 81 | private ClientDetailsServiceImpl clientDetailsService; 82 | 83 | @Autowired 84 | private RedisConnectionFactory redisConnectionFactory; 85 | 86 | 87 | @Autowired 88 | private RedisTemplate redisTemplate; 89 | 90 | 91 | 92 | 93 | /** 94 | * 配置token存储,这个配置token存到redis中,还有一种常用的是JwkTokenStore 95 | * jwt的缺点已发布令牌不可控 96 | * @return 97 | */ 98 | @Bean 99 | public TokenStore tokenStore() { 100 | return new RedisTokenStore(redisConnectionFactory); 101 | } 102 | 103 | /** 104 | * 配置授权码模式授权码服务(存授权码和删除授权码),不配置默认为内存模式 105 | * @return 106 | */ 107 | @Primary 108 | @Bean 109 | public AuthorizationCodeServices authorizationCodeServices() { 110 | return new RedisAuthorizationCodeServices(redisConnectionFactory); 111 | } 112 | 113 | /** 114 | * 配置客户端详情(根据客户的id查询客户端) 115 | * @param clients 116 | * @throws Exception 117 | */ 118 | @Override 119 | public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 120 | clients.withClientDetails(clientDetailsService); 121 | } 122 | 123 | @Override 124 | public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 125 | // 
采用token转jwt,并添加一些自定义信息(token增强) 126 | // 默认使用随机UUID生成的token 127 | TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain(); 128 | tokenEnhancerChain.setTokenEnhancers( 129 | Arrays.asList(jwtAccessTokenConverter(),tokenEnhancer())); 130 | endpoints.tokenEnhancer(tokenEnhancerChain) 131 | // 配置token存储,一般配置redis存储 132 | .tokenStore(tokenStore()) 133 | // 配置认证管理器 134 | .authenticationManager(authenticationManager) 135 | // 配置用户详情server,密码模式必须 136 | .userDetailsService(userDetailsService) 137 | // 配置授权码模式授权码服务,不配置默认为内存模式 138 | .authorizationCodeServices(authorizationCodeServices()) 139 | // 配置grant_type模式,如果不配置则默认使用密码模式、简化模式、验证码模式以及刷新token模式,如果配置了只使用配置中,默认配置失效 140 | // 具体可以查询AuthorizationServerEndpointsConfigurer中的getDefaultTokenGranters方法 141 | .tokenGranter(tokenGranter(endpoints)); 142 | // 配置TokenServices参数 143 | DefaultTokenServices tokenServices = new DefaultTokenServices(); 144 | tokenServices.setTokenStore(endpoints.getTokenStore()); 145 | // 是否支持刷新Token 146 | tokenServices.setSupportRefreshToken(true); 147 | tokenServices.setReuseRefreshToken(true); 148 | tokenServices.setClientDetailsService(endpoints.getClientDetailsService()); 149 | tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer()); 150 | // 设置accessToken和refreshToken的默认超时时间(如果clientDetails的为null就取默认的,如果clientDetails的不为null取clientDetails中的) 151 | tokenServices.setAccessTokenValiditySeconds((int) TimeUnit.HOURS.toSeconds(2)); 152 | tokenServices.setRefreshTokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30)); 153 | endpoints.tokenServices(tokenServices); 154 | 155 | } 156 | 157 | 158 | 159 | /** 160 | * jwt格式封装token 161 | * @return 162 | */ 163 | @Bean 164 | public JwtAccessTokenConverter jwtAccessTokenConverter() { 165 | JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter(); 166 | // 设置jwt加解密秘钥,不设置会随机一个 167 | jwtAccessTokenConverter.setSigningKey("yaohw"); 168 | return jwtAccessTokenConverter; 169 | } 170 | 171 | /** 172 | * token增强,添加一些元信息 173 | * 174 | * 
@return TokenEnhancer 175 | */ 176 | @Bean 177 | public TokenEnhancer tokenEnhancer() { 178 | return (accessToken, authentication) -> { 179 | final Map additionalInfo = new HashMap<>(2); 180 | additionalInfo.put("license", "yaohw"); 181 | UserDetailImpl user = (UserDetailImpl) authentication.getUserAuthentication().getPrincipal(); 182 | if (user != null) { 183 | additionalInfo.put("username", user.getUsername()); 184 | } 185 | ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo); 186 | return accessToken; 187 | }; 188 | } 189 | 190 | 191 | @Override 192 | public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { 193 | security 194 | .allowFormAuthenticationForClients() 195 | .tokenKeyAccess("isAuthenticated()") 196 | .checkTokenAccess("permitAll()"); 197 | } 198 | 199 | /** 200 | * 创建grant_type列表 201 | * @param endpoints 202 | * @return 203 | */ 204 | private TokenGranter tokenGranter(AuthorizationServerEndpointsConfigurer endpoints) { 205 | List list = new ArrayList<>(); 206 | // 这里配置密码模式、刷新token模式、自定义手机号验证码模式、授权码模式、简化模式 207 | list.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory())); 208 | list.add(new RefreshTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory())); 209 | list.add(new MobileCodeTokenGranter(authenticationManager,endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory())); 210 | list.add(new AuthorizationCodeTokenGranter(endpoints.getTokenServices(),endpoints.getAuthorizationCodeServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory())); 211 | list.add(new ImplicitTokenGranter(endpoints.getTokenServices(),endpoints.getClientDetailsService(),endpoints.getOAuth2RequestFactory())); 212 | return new CompositeTokenGranter(list); 213 | } 214 | } 
215 | ``` 216 | ### SecurityConfigurerAdapter.java 217 | ```java 218 | 219 | /** 220 | * security web安全配置,spring-cloud-starter-oauth2依赖于security 221 | * 默认情况下SecurityConfigurerAdapter执行比ResourceServerConfig先 222 | * @author: yaohw 223 | * @create: 2019-09-25 16:49 224 | */ 225 | @Configuration 226 | @EnableWebSecurity 227 | public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { 228 | 229 | @Autowired 230 | private UserDetailsServiceImpl userDetailsService; 231 | 232 | @Autowired 233 | private StringRedisTemplate stringRedisTemplate; 234 | 235 | 236 | /** 237 | * 配置认证管理器 238 | * 239 | * @return 240 | * @throws Exception 241 | */ 242 | @Bean 243 | @Override 244 | public AuthenticationManager authenticationManagerBean() throws Exception { 245 | return super.authenticationManagerBean(); 246 | } 247 | 248 | 249 | /** 250 | * 配置密码加密对象(解密时会用到PasswordEncoder的matches判断是否正确) 251 | * 用户的password和客户端clientSecret用到,所以存的时候存该bean encode过的密码 252 | * 253 | * @return 254 | */ 255 | @Bean 256 | public PasswordEncoder passwordEncoder() { 257 | return new BCryptPasswordEncoder(); 258 | } 259 | 260 | /** 261 | * 这里是对认证管理器的添加配置 262 | * 263 | * @param auth 264 | * @throws Exception 265 | */ 266 | @Override 267 | protected void configure(AuthenticationManagerBuilder auth) throws Exception { 268 | auth.authenticationProvider(provider()) 269 | .userDetailsService(userDetailsService) 270 | .passwordEncoder(new BCryptPasswordEncoder()); 271 | } 272 | 273 | @Override 274 | public void configure(WebSecurity web) throws Exception { 275 | web.ignoring().antMatchers("/css/**","/static/**"); 276 | } 277 | 278 | /** 279 | * 安全请求配置,这里配置的是security的部分,这里配置全部通过,安全拦截在资源服务的配置文件中配置, 280 | * 要不然访问未验证的接口将重定向到登录页面,前后端分离的情况下这样并不友好,无权访问接口返回相关错误信息即可 281 | * @param http 282 | * @return void 283 | */ 284 | @Override 285 | protected void configure(HttpSecurity http) throws Exception { 286 | http 287 | .formLogin().loginPage("/login") 288 | .permitAll() 289 | 
.and().authorizeRequests().anyRequest().permitAll() 290 | .and().csrf().disable().cors(); 291 | } 292 | 293 | 294 | /** 295 | * 自定义手机验证码认证提供者 296 | * 297 | * @return 298 | */ 299 | @Bean 300 | public MobileCodeAuthenticationProvider provider() { 301 | MobileCodeAuthenticationProvider provider = new MobileCodeAuthenticationProvider(); 302 | provider.setStringRedisTemplate(stringRedisTemplate); 303 | provider.setHideUserNotFoundExceptions(false); 304 | provider.setUserDetailsService(userDetailsService); 305 | return provider; 306 | } 307 | 308 | } 309 | ``` 310 | ### ResourceServerConfig.java 311 | ```java 312 | /** 313 | * 资源服务配置 314 | * @author: yaohw 315 | * @create: 2019-10-08 10:04 316 | **/ 317 | @Configuration 318 | // 启用资源服务 319 | @EnableResourceServer 320 | // 启用方法级权限控制 321 | @EnableGlobalMethodSecurity(prePostEnabled = true) 322 | @Log4j2 323 | public class ResourceServerConfig extends ResourceServerConfigurerAdapter { 324 | 325 | private static final String RESOURCE_ID = "auth-server"; 326 | 327 | 328 | /** 329 | * 配置资源接口安全,http.authorizeRequests()针对的所有url,但是由于登录页面url包含在其中,这么配置会进行token校验,校验不通过返回错误json, 330 | * 而授权码模式获取code时需要重定向登录页面,重定向过程并不能携带token,所有不能用http.authorizeRequests(), 331 | * 而是用requestMatchers().antMatchers(""),这里配置的是需要资源接口拦截的url数组 332 | * @param http 333 | * @return void 334 | */ 335 | @Override 336 | public void configure(HttpSecurity http) throws Exception { 337 | http //配置需要保护的资源接口 338 | .requestMatchers().antMatchers("/user","/test/need_token","/update","/logout","/test/need_admin","/test/scope") 339 | .and().authorizeRequests().anyRequest().authenticated(); 340 | } 341 | 342 | 343 | @Override 344 | public void configure(ResourceServerSecurityConfigurer resources) throws Exception { 345 | resources.resourceId(RESOURCE_ID).stateless(true); 346 | } 347 | } 348 | ``` 349 | 350 | 351 | ## 资源服务配置文件 352 | 353 | ```yml 354 | spring: 355 | application: 356 | name: resource-server 357 | 358 | server: 359 | port: 8003 360 | 361 | #服务器发现注册配置 362 | 
eureka: 363 | client: 364 | serviceUrl: 365 | #配置服务中心(可配置多个,用逗号隔开) 366 | defaultZone: http://admin:admin@localhost:9000/eureka/ 367 | 368 | ##安全配置## 369 | security: 370 | oauth2: 371 | resource: 372 | id: resource-server 373 | ## user-info-uri和token-info-uri二选择即可 374 | ## 如果配置了user-info-uri,该资源服务器使用userInfoTokenServices远程调用认证中心接口,通过认证中心的OAuth2AuthenticationProcessingFilter完成验证工作,一般设置user-info-uri即可 375 | user-info-uri: http://127.0.0.1:8001/user 376 | prefer-token-info: false 377 | ## 该资源服务器使用RemoteTokenServices远程调用认证中心接口,注意一点就是如果使用token-info-uri那么就必须设置上clientId和clientSecret,通过CheckTokenEndpoint完成验证工作 378 | #token-info-uri: http://127.0.0.1:8001/oauth/check_token 379 | #client: 380 | #client-secret: yaohw 381 | #client-id: yaohw 382 | ``` 383 | 384 | 385 | 386 | ## 部分源代码讲解 387 | 388 | ### 认证(获取token)TokenEndpoint.java 389 | ```java 390 | 391 | @RequestMapping(value = "/oauth/token", method=RequestMethod.POST) 392 | public ResponseEntity postAccessToken(Principal principal, @RequestParam 393 | Map parameters) throws HttpRequestMethodNotSupportedException { 394 | 395 | if (!(principal instanceof Authentication)) { 396 | throw new InsufficientAuthenticationException( 397 | "There is no client authentication. Try adding an appropriate authentication filter."); 398 | } 399 | 400 | // 根据当前请求获取到clientId 401 | String clientId = getClientId(principal); 402 | 403 | // 获取当前ClientDetailsService(就是我们在AuthorizationConfig中配置)然后根据clientId去数据库查询客户端详情 404 | ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId); 405 | 406 | // 将请求参数封装成TokenRequest 407 | TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient); 408 | // 请求的clientId与查出来的匹配 409 | if (clientId != null && !clientId.equals("")) { 410 | // Only validate the client details if a client authenticated during this 411 | // request. 
412 | if (!clientId.equals(tokenRequest.getClientId())) { 413 | // double check to make sure that the client ID in the token request is the same as that in the 414 | // authenticated client 415 | throw new InvalidClientException("Given client ID does not match authenticated client"); 416 | } 417 | } 418 | // 校验客户端范围 419 | if (authenticatedClient != null) { 420 | oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient); 421 | } 422 | if (!StringUtils.hasText(tokenRequest.getGrantType())) { 423 | throw new InvalidRequestException("Missing grant type"); 424 | } 425 | // 判断是否是简化模式(简化模式不是这个接口,走的是AuthorizationEndpoint类下的/oauth/authorize) 426 | if (tokenRequest.getGrantType().equals("implicit")) { 427 | throw new InvalidGrantException("Implicit grant type not supported from token endpoint"); 428 | } 429 | // 判断是否授权码模式,如果是,清空返回,因为授权码模式在第一步获取code的时候就将client信息缓存起来的,后面检验的是从缓存取出来补充完整 430 | if (isAuthCodeRequest(parameters)) { 431 | // The scope was requested or determined during the authorization step 432 | if (!tokenRequest.getScope().isEmpty()) { 433 | logger.debug("Clearing scope of incoming token request"); 434 | tokenRequest.setScope(Collections. emptySet()); 435 | } 436 | } 437 | // 是否刷新token模式 438 | if (isRefreshTokenRequest(parameters)) { 439 | // A refresh token has its own default scopes, so we should ignore any added by the factory here. 
440 | tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE))); 441 | } 442 | // 这步是整个认证的关键,这里简单说下流程,首先她会根据当前请求的grantType找到对应的认证模式, 443 | // 比如密码模式的ResourceOwnerPasswordTokenGranter, 444 | // 然后对应的AbstractTokenGranter调用对应的grant方法,grant方法中又调用经过一系列调用, 445 | // 在getOAuth2Authentication方法中生成对应的AbstractAuthenticationToken,比如UsernamePasswordAuthenticationToken, 446 | // 然后认证管理器(就是我们在AuthorizationConfig中配置的AuthenticationManager)调用认证方法authenticationManager.authenticate(abstractAuthenticationToken) 447 | // AbstractAuthenticationToken和AuthenticationProvider是存在一一对应的关系 448 | // 比如UsernamePasswordAuthenticationToken和DaoAuthenticationProvider, 449 | // authenticationManager.authenticate()会根据传入的 450 | // AbstractAuthenticationToken找到对应的AuthenticationProvider, 451 | // 真正认证逻辑通过AuthenticationProvider来完成的,比如密码模式的DaoAuthenticationProvider, 452 | // 会去根据用户名查询出对应的用户, 453 | // 然后校验用户密码是否匹配,用户是否锁定过期等 454 | // 具体可查看DaoAuthenticationProvider和她继承的AbstractUserDetailsAuthenticationProvider 455 | // 理清上面的思路后,我们就可以自定义grantType 456 | // 就是定义一个继承AbstractTokenGranter的类重写getOAuth2Authentication方法 457 | // 该方法里面会用到AbstractAuthenticationToken和AuthenticationProvider 458 | // 我们再分别定义一个类分别继承对应的类即可(大概思路,具体查看代码) 459 | OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest); 460 | if (token == null) { 461 | throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType()); 462 | } 463 | //这个没什么好说的,就是http请求响应体封装 464 | return getResponse(token); 465 | 466 | } 467 | ``` 468 | ### 验证token 469 | 了解过OAuth2的同学应该知道它有资源服务和认证中心服务,那么它怎么保护资源服务接口的呢?实际上不管认证中服务还是资源服务,当请求的接口需要安全校验时都会被OAuth2ClientAuthenticationProcessingFilter所拦截,只是拦截后做了不同的处理(取决于ResourceServerTokenServices的实例)。资源服务:拦截请求后会远程调用认证服务器的`http://127.0.0.1:8001/user`或`http://127.0.0.1:8001/oauth/check_token`,至于调用哪个取决于配置文件,如配置如下配置将远程调用`http://127.0.0.1:8001/user`(资源服务端我们也一般这么配置即可) 470 | 471 | ```yml 472 | ##安全配置## 473 | security: 474 | oauth2: 475 | resource: 476 | 
id: resource-server 477 | user-info-uri: http://127.0.0.1:8001/user 478 | prefer-token-info: false 479 | ``` 480 | 481 | #### (拦截token校验)OAuth2AuthenticationProcessingFilter.java 482 | ```java 483 | public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, 484 | ServletException { 485 | final boolean debug = logger.isDebugEnabled(); 486 | final HttpServletRequest request = (HttpServletRequest) req; 487 | final HttpServletResponse response = (HttpServletResponse) res; 488 | try { 489 | 490 | Authentication authentication = tokenExtractor.extract(request); 491 | Authentication authResult = authenticationManager.authenticate(authentication); 492 | ....略 493 | // 这步是校验token的关键,这里tokenServices是ResourceServerTokenServices实例,这里做怎么样的操作取决于注入的 494 | // ResourceServerTokenServices实例 495 | // 默认情况下ResourceServerTokenServices的实例是DefaultTokenServices 496 | // 认证中心使用的就是DefaultTokenServices,这个类做的就是tokenStore.readAccessToken(accessTokenValue) 497 | // 我们配置中心配置的tokenStore的是RedisTokenStore,所以实际上她做的就是从redis中读取出accessToken相关信息 498 | 499 | // 上面说的DefaultTokenServices是认证中心token的处理,资源服务下: 500 | // 如果配置文件中配置的user-info-uri则ResourceServerTokenServices注入的实例将是UserInfoTokenServices的实例 501 | // 如果配置token-info-uri则ResourceServerTokenServices注入的实例将是RemoteTokenServices 502 | // 如果两者都配置了,优先UserInfoTokenServices 503 | // UserInfoTokenServices和RemoteTokenServices做的事都是远程调度认证中心相应的接口完成token的校验 504 | // 两者主要区别在于RemoteTokenServices需要配置clientId和clientSecret 505 | // RemoteTokenServices中有这么一句话:Null Client ID or Client Secret detected. Endpoint that requires authentication will reject // request with 401 error. 
// 具体请查看RemoteTokenServices和UserInfoTokenServices 506 | // OAuth2AuthenticationManager.java 507 | String token = (String) authentication.getPrincipal(); 508 | OAuth2Authentication auth = tokenServices.loadAuthentication(token); 509 | } 510 | } 511 | ``` 512 | 513 | 514 | ## postman接口测试截图 515 | 516 | ### 客户端Basic请求头 517 | 518 | 这里两种方式都是一样的,eWFvaHc6eWFvaHc=其实就是yaohw:yaohw经过Base64编码后的结果(Base64只是编码,不是加密,任何人都可以直接还原,所以Basic请求头应只在HTTPS下传输) 519 | 520 | ![image](./images/Basic.png) 521 | 522 | 523 | 524 | ![](./images/Basic-2.png) 525 | 526 | ### 密码模式 527 | 528 | ![image](./images/password.png) 529 | 530 | ### 自定义手机号验证码模式 531 | 532 | > 注意:需要在redis中设置一个缓存,String类型,key为sms:code:你的手机号,值为短信验证码 533 | 534 | ![image](./images/cache.png) 535 | 536 | 537 | 538 | ![image](./images/mobile.png) 539 | 540 | ### 授权码模式 541 | ##### 授权码模式步骤一 542 | 授权码模式步骤一 会跳转到认证中心的授权页面,这里为方便展示参数采用postman,get请求,应在浏览器直接打开(带对应参数),授权成功后会回调回调地址,并且会携带code。 543 | ![image](./images/code-1.png) 544 | 545 | ##### 授权码模式步骤二(授权页面授权) 546 | 547 | ![image](./images/code-2.png) 548 | 549 | ### 授权码模式步骤三(获取code) 550 | 551 | ![](./images/code-3.png) 552 | 553 | 554 | 555 | ### 授权码模式步骤四(根据code获取token) 556 | 557 | ![](./images/code-4.png) 558 | 559 | ### 简化模式 560 | 与授权码模式类似,不过回调后携带的参数不是code,而是access_token,比授权码模式少了一步。
561 | 562 | ### 步骤一 563 | 564 | 简化模式步骤一会跳转到认证中心的授权页面,这里为方便展示参数才用postman,get请求,应在浏览器直接打开(带对应参数),授权成功后会回调回调地址,并且会携带accessToken。 565 | 566 | ![](./images/implicit2.png) 567 | 568 | ##### 步骤二(授权页面授权) 569 | 570 | ![image](./images/code-2.png) 571 | 572 | ### 步骤三 573 | 574 | ![](./images/implicit-2.png) 575 | 576 | ### 刷新token模式 577 | 578 | ![image](./images/refresh-token.png) 579 | 580 | 581 | 582 | # License 583 | 584 | [MIT](./LICENSE) 585 | 586 | Copyright (c) 2019-present Yaohw 587 | -------------------------------------------------------------------------------- /auth-server/.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | -------------------------------------------------------------------------------- /auth-server/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | springcloud-oauth2 7 | cn.poile.ucs 8 | 1.0 9 | 10 | 4.0.0 11 | 12 | auth-server 13 | 14 | 15 | 16 | org.springframework.boot 17 | spring-boot-starter-web 18 | 19 | 20 | 21 | 22 | org.springframework.cloud 23 | spring-cloud-starter-oauth2 24 | 25 | 26 | 27 | 28 | org.springframework.boot 29 | spring-boot-starter-freemarker 30 | 31 | 32 | 33 | org.springframework.boot 34 | spring-boot-starter-data-redis 35 | 36 | 37 | 38 | org.apache.commons 39 | commons-pool2 40 | 2.7.0 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | org.springframework.boot 49 | spring-boot-maven-plugin 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /auth-server/src/.gitignore: -------------------------------------------------------------------------------- 1 | /test/ 2 | -------------------------------------------------------------------------------- /auth-server/src/main/java/cn/poile/ucs/auth/AuthServerApplication.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.auth; 2 | import 
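org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;

/**
 * Authentication center service (application entry point).
 * @author: yaohw
 * @create: 2019-09-25 16:48
 **/
@SpringBootApplication
@EnableDiscoveryClient
@ServletComponentScan
public class AuthServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthServerApplication.class,args);
    }

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/Token/MobileCodeAuthenticationToken.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.Token;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;

/**
 * Authentication token for the mobile-number + SMS-code login.
 *
 * <p>Presumably {@code principal} carries the mobile number (or the loaded user once
 * authenticated) and {@code credentials} the SMS code; confirm against
 * MobileCodeAuthenticationProvider, which is not part of this file.
 *
 * @author: yaohw
 * @create: 2019-09-29 19:56
 **/
public class MobileCodeAuthenticationToken extends AbstractAuthenticationToken {

    private final Object principal;
    private Object credentials;

    /**
     * Creates an unauthenticated token, as submitted with a login request.
     *
     * @param principal   identity being claimed
     * @param credentials proof supplied with the request
     */
    public MobileCodeAuthenticationToken(Object principal, Object credentials) {
        super(null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }

    /**
     * Creates an authenticated (trusted) token. Only code that has already verified the
     * credentials should call this constructor.
     *
     * @param principal   authenticated identity
     * @param credentials proof that was verified
     * @param authorities authorities granted to the principal
     */
    public MobileCodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        // Bypass the override below, which refuses to mark a token as trusted.
        super.setAuthenticated(true);
    }

    @Override
    public Object getCredentials() {
        return this.credentials;
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }

    /**
     * Only allows the token to be downgraded to unauthenticated; a trusted token must be
     * built through the constructor that takes the authority list.
     *
     * @throws IllegalArgumentException when asked to mark the token as authenticated
     */
    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        } else {
            super.setAuthenticated(false);
        }
    }

    /**
     * Clears the stored credentials once authentication is done.
     *
     * <p>The superclass only erases values that are themselves {@code CredentialsContainer}s,
     * so the field has to be dropped here; otherwise the submitted code stays on the
     * token for as long as the token is kept or serialized.
     */
    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
        this.credentials = null;
    }

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/AuthorizationConfig.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;

import cn.poile.ucs.auth.granter.MobileCodeTokenGranter;
import cn.poile.ucs.auth.service.ClientDetailsServiceImpl;
import cn.poile.ucs.auth.service.UserDetailsServiceImpl;
import cn.poile.ucs.auth.vo.UserDetailImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import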
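org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.TokenGranter;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter;
import org.springframework.security.oauth2.provider.implicit.ImplicitTokenGranter;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

import java.util.*;
import java.util.concurrent.TimeUnit;

/**
 * Authorization-server configuration: token store, client lookup, grant types,
 * token services and the security of the OAuth2 endpoints.
 * @author: yaohw
 * @create: 2019-09-30 16:12
 **/
@Configuration
@EnableAuthorizationServer
public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Autowired
    private ClientDetailsServiceImpl clientDetailsService;

    @Autowired
    private RedisConnectionFactory redisConnectionFactory;

    @Autowired
    private RedisTemplate redisTemplate;

    /**
     * Token store; this configuration keeps issued tokens in Redis.
     * @return the Redis-backed token store
     */
    @Bean
    public TokenStore tokenStore() {
        return new RedisTokenStore(redisConnectionFactory);
    }

    /**
     * Authorization-code service for the authorization-code grant (stores and consumes
     * codes); when none is configured the framework keeps codes in memory.
     * @return the Redis-backed authorization-code service
     */
    @Primary
    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new RedisAuthorizationCodeServices(redisConnectionFactory);
    }

    /**
     * Registers the service that looks up client details.
     * @param clients configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }

    /**
     * Wires the token endpoints: enhancer chain, token store, authentication manager,
     * user details, authorization-code service, grant types and token services.
     * @param endpoints configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Convert tokens to JWT and attach custom fields (token enhancement); optional,
        // the framework has a default.
        // NOTE(review): the JWT converter is first in the chain, so the fields added by
        // tokenEnhancer() are attached after the JWT string has been produced - confirm
        // whether they are meant to be claims inside the JWT.
        TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(
                Arrays.asList(jwtAccessTokenConverter(),tokenEnhancer()));
        endpoints.tokenEnhancer(tokenEnhancerChain)
                // Token storage, usually Redis.
                .tokenStore(tokenStore())
                // Authentication manager.
                .authenticationManager(authenticationManager)
                // User details service, required by the password grant.
                .userDetailsService(userDetailsService)
                // Authorization-code service; in-memory when not configured.
                .authorizationCodeServices(authorizationCodeServices())
                // Grant types. When no TokenGranter is configured the framework's defaults
                // apply (see getDefaultTokenGranters in AuthorizationServerEndpointsConfigurer);
                // configuring one replaces those defaults entirely.
                .tokenGranter(tokenGranter(endpoints));
        // Token services parameters.
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(endpoints.getTokenStore());
        // Enable refresh tokens and hand back the same refresh token on every refresh.
        // NOTE(review): with no rotation and the 30-day lifetime below, a leaked refresh
        // token stays usable until it expires or is revoked - confirm this is intended.
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setReuseRefreshToken(true);
        tokenServices.setClientDetailsService(endpoints.getClientDetailsService());
        tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer());
        // Default lifetimes of access and refresh tokens; values set on the client
        // details take precedence when they are not null.
        tokenServices.setAccessTokenValiditySeconds((int) TimeUnit.HOURS.toSeconds(2));
        tokenServices.setRefreshTokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30));
        endpoints.tokenServices(tokenServices);
    }

    /**
     * Converter that wraps tokens in JWT format.
     * @return the JWT access-token converter
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        // JWT signing key; a random one is generated when none is set.
        // NOTE(review): this is a short secret hard-coded in source control, so everyone
        // who can read the repository holds the key that authenticates every token.
        // Load it from external configuration or a key store (or use an RSA key pair)
        // before using this outside a demo.
        jwtAccessTokenConverter.setSigningKey("yaohw");
        return jwtAccessTokenConverter;
    }

    /**
     * Token enhancer that adds metadata ({@code license}, and {@code username} when a
     * user is present) to the token's additional information.
     *
     * @return TokenEnhancer
     */
    @Bean
    public TokenEnhancer tokenEnhancer() {
        return (accessToken, authentication) -> {
            final Map<String, Object> additionalInfo = new HashMap<>(2);
            additionalInfo.put("license", "yaohw");
            // A grant without an end user carries no user authentication; guard it
            // instead of dereferencing null, and only read the username from the
            // principal type this project defines.
            Object principal = authentication.getUserAuthentication() == null
                    ? null
                    : authentication.getUserAuthentication().getPrincipal();
            if (principal instanceof UserDetailImpl) {
                additionalInfo.put("username", ((UserDetailImpl) principal).getUsername());
            }
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
            return accessToken;
        };
    }

    /**
     * Security of the OAuth2 endpoints themselves.
     * @param security configurer supplied by the framework
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
                // Clients may send client_id/client_secret as form parameters.
                .allowFormAuthenticationForClients()
                // The token-key endpoint requires an authenticated caller.
                .tokenKeyAccess("isAuthenticated()")
                // NOTE(review): the check-token endpoint is open to unauthenticated
                // callers here; "isAuthenticated()" is the usual setting when resource
                // servers call it with client credentials.
                .checkTokenAccess("permitAll()");
    }

    /**
     * Builds the list of supported grant types.
     * @param endpoints configurer that supplies token services, client details and the request factory
     * @return a composite granter over the password, refresh-token, mobile-code,
     *         authorization-code and implicit granters
     */
    private TokenGranter tokenGranter(AuthorizationServerEndpointsConfigurer endpoints) {
        List<TokenGranter> list = new ArrayList<>();
        // Password, refresh-token, custom mobile-code, authorization-code and implicit grants.
        list.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        list.add(new RefreshTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        list.add(new MobileCodeTokenGranter(authenticationManager,endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        list.add(new AuthorizationCodeTokenGranter(endpoints.getTokenServices(),endpoints.getAuthorizationCodeServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        list.add(new ImplicitTokenGranter(endpoints.getTokenServices(),endpoints.getClientDetailsService(),endpoints.getOAuth2RequestFactory()));
        return new CompositeTokenGranter(list);
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/IgnoreLogoutFilter.java: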
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Spring Security's LogoutFilter intercepts the /logout path; this filter forwards such
 * requests straight to the "remove" endpoint instead.
 * @author: yaohw
 * @create: 2020/8/8 8:58 PM
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class IgnoreLogoutFilter implements Filter {

    // Matches the requests that are treated as logout requests.
    private RequestMatcher requestMatcher;

    /** Creates the filter with "/logout" as the path to intercept. */
    public IgnoreLogoutFilter() {
        this.setFilterProcessesUrl("/logout");
    }

    /**
     * Forwards logout requests to "remove" and passes every other request down the chain.
     *
     * @param servletRequest  incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response, cast to {@link HttpServletResponse}
     * @param filterChain     remaining filters
     * @throws IOException      propagated from the forward or the chain
     * @throws ServletException propagated from the forward or the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        if (!requiresLogout(httpRequest, httpResponse)) {
            filterChain.doFilter(httpRequest, httpResponse);
            return;
        }
        // NOTE(review): the target is reached through a servlet forward; filters are not necessarily
        // applied to FORWARD dispatches, so confirm the forwarded request is still authenticated.
        httpRequest.getRequestDispatcher("remove").forward(httpRequest, httpResponse);
    }

    /**
     * Tells whether the request targets the configured logout path.
     *
     * @param request  request to test
     * @param response unused
     * @return true when the matcher accepts the request
     */
    protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
        return this.requestMatcher.matches(request);
    }

    /**
     * Sets the Ant-style path pattern that is treated as the logout URL.
     *
     * @param filterProcessesUrl path pattern to match
     */
    public void setFilterProcessesUrl(String filterProcessesUrl) {
        this.requestMatcher = new AntPathRequestMatcher(filterProcessesUrl);
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/RedisAuthorizationCodeServices.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;
/**
 * Note: values are written to Redis with the default JdkSerializationStrategy, as RedisTokenStore does.
 * JSON cannot be used here: deserializing a token from JSON fails. To use JSON, the token
 * serialization has to be changed as well.
 */

import org.springframework.data.redis.connection.RedisConnection;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.code.RandomValueAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.store.redis.JdkSerializationStrategy;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStoreSerializationStrategy;

/**
 * Redis-backed authorization-code service: stores and removes the codes that the parent class
 * generates.
 *
 * @author: yaohw
 * @create: 2019-10-10 18:21
 **/
public class RedisAuthorizationCodeServices extends RandomValueAuthorizationCodeServices {

    private static final String AUTHORIZATION_CODE = "authorization:code:";

    /**
     * Lifetime of an authorization code, as passed to the Redis expire call.
     */
    private long expiration = 300L;

    /**
     * Key prefix.
     */
    private String prefix = "";

    private final RedisConnectionFactory connectionFactory;
    private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();

    public RedisAuthorizationCodeServices(RedisConnectionFactory connectionFactory) {
        this.connectionFactory = connectionFactory;
    }

    public void setExpiration(long expiration) {
        this.expiration = expiration;
    }

    public void setPrefix(String prefix) {
        this.prefix = prefix;
    }

    private RedisConnection getConnection() {
        return connectionFactory.getConnection();
    }

    /**
     * Serializes a value.
     * @param object value to serialize
     * @return serialized bytes
     */
    private byte[] serialize(Object object) {
        return serializationStrategy.serialize(object);
    }

    /**
     * Serializes a key string.
     * @param string key text
     * @return serialized bytes
     */
    private byte[] serialize(String string) {
        return serializationStrategy.serialize(string);
    }

    /**
     * Serializes a key after putting the configured prefix in front of it.
     * @param object key without prefix
     * @return serialized bytes
     */
    private byte[] serializeKey(Object object) {
        return serialize(prefix + object);
    }

    /**
     * Deserializes a stored authentication.
     * NOTE(review): the strategy in use is JDK serialization, so the bytes read back from Redis are
     * deserialized as Java objects; the Redis instance has to be treated as trusted and
     * access-controlled.
     * @param bytes stored bytes
     * @return the authentication read from the bytes
     */
    private OAuth2Authentication deserializeAuthentication(byte[] bytes) {
        return serializationStrategy.deserialize(bytes, OAuth2Authentication.class);
    }

    /**
     * Stores the randomly generated authorization code in Redis together with its expiry.
     *
     * @param code           authorization code
     * @param authentication authentication the code stands for
     */
    @Override
    protected void store(String code, OAuth2Authentication authentication) {
        final byte[] key = serializeKey(AUTHORIZATION_CODE + code);
        final byte[] value = serialize(authentication);
        final RedisConnection connection = getConnection();
        try {
            connection.openPipeline();
            connection.set(key, value);
            connection.expire(key, expiration);
            connection.closePipeline();
        } finally {
            connection.close();
        }
    }

    /**
     * Reads the authentication stored for a code and deletes the code (a code may be used only once;
     * while debugging the delete can be skipped so that a code stays reusable).
     * NOTE(review): the read and the delete are two separate commands, so two concurrent requests
     * with the same code can both read it before either deletes it; an atomic read-and-delete
     * would keep the code strictly single-use.
     *
     * @param code authorization code
     * @return the stored authentication, as returned by the deserializer for the bytes read
     */
    @Override
    protected OAuth2Authentication remove(String code) {
        final byte[] key = serializeKey(AUTHORIZATION_CODE + code);
        final RedisConnection connection = getConnection();
        final byte[] stored;
        try {
            stored = connection.get(key);
            if (stored != null) {
                connection.del(key);
            }
        } finally {
            connection.close();
        }
        return deserializeAuthentication(stored);
    }

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/RedisConfig.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.*;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

/**
 * Redis configuration.
 * NOTE(review): the generic type arguments of RedisTemplate and the operations beans look stripped
 * from this listing; restore them from the original file.
 * @author: yaohw
 * @create: 2019-09-25 16:49
 **/
@Configuration
public class RedisConfig {

    /**
     * Object template with custom serializers: string keys, JSON values.
     * NOTE(review): GenericJackson2JsonRedisSerializer records type information with each value and
     * uses it when reading, so values in Redis must come from trusted writers only.
     *
     * @param redisConnectionFactory connection factory
     * @return RedisTemplate
     */
    @Bean
    public RedisTemplate redisTemplate(RedisConnectionFactory redisConnectionFactory) {
        RedisTemplate objectTemplate = new RedisTemplate<>();
        objectTemplate.setConnectionFactory(redisConnectionFactory);
        objectTemplate.setKeySerializer(new StringRedisSerializer());
        objectTemplate.setValueSerializer(new GenericJackson2JsonRedisSerializer());
        objectTemplate.afterPropertiesSet();
        return objectTemplate;
    }

    /**
     * Operations on hash values.
     *
     * @param redisTemplate template to derive the operations from
     * @return hash operations of the template
     */
    @Bean
    public HashOperations hashOperations(RedisTemplate redisTemplate) {
        return redisTemplate.opsForHash();
    }

    /**
     * Operations on string values.
     *
     * @param redisTemplate template to derive the operations from
     * @return value operations of the template
     */
    @Bean
    public ValueOperations valueOperations(RedisTemplate redisTemplate) {
        return redisTemplate.opsForValue();
    }

    /**
     * Operations on list values.
     *
     * @param redisTemplate template to derive the operations from
     * @return list operations of the template
     */
    @Bean
    public ListOperations listOperations(RedisTemplate redisTemplate) {
        return redisTemplate.opsForList();
    }

    /**
     * Operations on unordered sets.
     *
     * @param redisTemplate template to derive the operations from
     * @return set operations of the template
     */
    @Bean
    public SetOperations setOperations(RedisTemplate redisTemplate) {
        return redisTemplate.opsForSet();
    }

    /**
     * Operations on sorted sets.
     *
     * @param redisTemplate template to derive the operations from
     * @return sorted-set operations of the template
     */
    @Bean
    public ZSetOperations zSetOperations(RedisTemplate redisTemplate) {
        return redisTemplate.opsForZSet();
    }

    /**
     * String template.
     *
     * @param redisConnectionFactory connection factory
     * @return the configured string template
     */
    @Bean
    public StringRedisTemplate stringRedisTemplate(RedisConnectionFactory redisConnectionFactory) {
        StringRedisTemplate stringTemplate = new StringRedisTemplate();
        stringTemplate.setConnectionFactory(redisConnectionFactory);
        stringTemplate.setKeySerializer(new StringRedisSerializer());
        return stringTemplate;
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/ResourceServerConfig.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;

import lombok.extern.log4j.Log4j2;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Resource server configuration.
 * @author: yaohw
 * @create: 2019-10-08 10:04
**/
@Configuration
// Enable the resource server.
@EnableResourceServer
// Enable method-level access control.
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Log4j2
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "auth-server";

    /**
     * Protects the resource endpoints. http.authorizeRequests() on its own would cover every URL,
     * including the login page, so the token check would answer with an error JSON there; the
     * authorization-code flow has to redirect to the login page and that redirect cannot carry a
     * token. Hence requestMatchers().antMatchers(...) is used to list only the URLs the resource
     * server should guard.
     * NOTE(review): paths that are not listed are outside this chain; /update2 in
     * AuthenticationController is one of them - confirm it is meant to be reachable without a token.
     *
     * @param http security builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Resource endpoints that require a token.
        String[] protectedPaths = {
            "/user", "/test/need_token", "/logout", "/remove", "/update", "/test/need_admin", "/test/scope"
        };
        http.requestMatchers().antMatchers(protectedPaths)
                .and().authorizeRequests().anyRequest().authenticated();
    }

    /**
     * Binds this service to its resource id. The id has to match the client configuration: a client
     * that does not list it cannot access the service.
     *
     * @param resources resource server configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID).stateless(true);
    }

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/config/SecurityConfigurerAdapter.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.config;

import cn.poile.ucs.auth.provider.MobileCodeAuthenticationProvider;
import cn.poile.ucs.auth.service.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import
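org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.logout.LogoutFilter;

/**
 * Web security configuration; spring-cloud-starter-oauth2 builds on Spring Security.
 * By default SecurityConfigurerAdapter is applied before ResourceServerConfig.
 * @author: yaohw
 * @create: 2019-09-25 16:49
 */
@Configuration
@EnableWebSecurity()
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Autowired
    private StringRedisTemplate stringRedisTemplate;

    @Autowired
    private IgnoreLogoutFilter ignoreLogoutFilter;

    /**
     * Exposes the authentication manager as a bean.
     *
     * @return the authentication manager built by the parent class
     * @throws Exception propagated from the parent class
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Password encoder (its matches method is what verifies a presented secret). It is used for
     * user passwords and for client secrets, so both have to be stored in the form this bean encodes.
     *
     * @return a BCrypt password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Adds the custom provider and the user details service to the authentication manager.
     *
     * @param auth authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Use the passwordEncoder() bean rather than a second encoder instance, so a later change to
        // the bean cannot leave login and stored secrets on different encoders.
        auth.authenticationProvider(provider())
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    /**
     * Excludes the static resources from the security filter chain.
     *
     * @param web web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**","/static/**");
    }

    /**
     * Request rules of the web security part. Everything is permitted here and the actual
     * protection is declared in the resource server configuration; otherwise an unauthenticated
     * call to an API would be redirected to the login page, which is unfriendly for a separated
     * front end - such a call should just get an error response.
     * NOTE(review): with anyRequest().permitAll() every path that the resource server matcher does
     * not list is public, and CSRF protection is disabled while the form login is cookie based;
     * confirm both are acceptable outside a demo.
     *
     * @param http security builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login")
                .permitAll()
                .and().authorizeRequests().anyRequest().permitAll()
                .and().csrf().disable().cors()
                .and().addFilterAt(ignoreLogoutFilter, LogoutFilter.class);
    }

    /**
     * Custom authentication provider for the mobile number + SMS code grant.
     * NOTE(review): hideUserNotFoundExceptions is switched off, so an unknown mobile number is
     * reported differently from a wrong code; confirm that revealing this is intended.
     *
     * @return the configured provider
     */
    @Bean
    public MobileCodeAuthenticationProvider provider() {
        MobileCodeAuthenticationProvider provider = new MobileCodeAuthenticationProvider();
        provider.setStringRedisTemplate(stringRedisTemplate);
        provider.setHideUserNotFoundExceptions(false);
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/constant/RedisConstant.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.constant;

/**
 * Redis constants.
 * @author: yaohw
 * @create: 2019-09-30 16:12
 **/
public class RedisConstant {

    // Key prefix under which SMS verification codes are looked up.
    public static final String SMS_CODE_PREFIX = "sms:code:";

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/controller/AuthenticationController.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.controller;

import cn.poile.ucs.auth.service.ClientDetailsServiceImpl;
import cn.poile.ucs.auth.vo.UserDetailImpl;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;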
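import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;

import java.security.Principal;
import java.util.*;

/**
 * Demo endpoints of the authorization server: cached user refresh, token revocation, user info,
 * the login page and a few access-control test endpoints.
 * @author: yaohw
 * @create: 2019-09-25 16:49
 **/
@Controller
@Log4j2
public class AuthenticationController {

    @Autowired
    private ConsumerTokenServices consumerTokenServices;

    @Autowired
    private ClientDetailsServiceImpl clientDetailsService;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Refreshes the user information cached in Redis after the user record changed: the
     * authentication stored for the caller's access token is replaced by a rebuilt one.
     * NOTE(review): the user name and the new values are hard-coded demo data, and the rebuilt
     * authentication keeps the value of getPassword() as credentials in the token store.
     *
     * @param authentication authentication of the caller
     * @return "ok"
     */
    @GetMapping("/update")
    public @ResponseBody String updateCacheUserInfo(Authentication authentication) {
        if (authentication instanceof OAuth2Authentication) {
            OAuth2Authentication current = (OAuth2Authentication) authentication;
            Authentication userAuthentication = current.getUserAuthentication();
            OAuth2Authentication rebuilt = null;
            if (userAuthentication instanceof UsernamePasswordAuthenticationToken) {
                UserDetailImpl userDetails = (UserDetailImpl) userDetailsService.loadUserByUsername("yaohw");
                userDetails.setUsername("yaohw2");
                userDetails.setTest("test333");
                UsernamePasswordAuthenticationToken userToken = new UsernamePasswordAuthenticationToken(
                        userDetails.getUsername(), userDetails.getPassword(), userDetails.getAuthorities());
                rebuilt = new OAuth2Authentication(current.getOAuth2Request(), userToken);
            }
            OAuth2AccessToken accessToken = tokenStore.getAccessToken(current);
            if (rebuilt != null) {
                tokenStore.storeAccessToken(accessToken, rebuilt);
            }
        }
        return "ok";
    }

    /**
     * Revokes the tokens found for a client id and user name (both hard-coded here).
     * NOTE(review): this path is not among the URLs the resource server configuration protects and
     * the web security configuration permits every request, so it appears callable without a
     * token; a revocation endpoint should require authentication and authorization.
     *
     * @return "ok"
     */
    @GetMapping("/update2")
    public @ResponseBody String updateUserInfo() {
        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientIdAndUserName("yaohw", "yaohw");
        if (tokens != null) {
            tokens.forEach(t -> consumerTokenServices.revokeToken(t.getValue()));
        }
        return "ok";
    }

    /**
     * Logs and returns the caller's principal.
     *
     * @param user           principal of the caller
     * @param authentication authentication of the caller
     * @return the principal
     */
    @GetMapping("/user")
    public @ResponseBody Object userInfo(Principal user,Authentication authentication) {
        log.info("user:{}",user);
        log.info("auth:{}", authentication);
        return user;
    }

    /**
     * Revokes the caller's token on logout (with a Redis token store that removes the cached entry).
     * The path cannot be /logout because LogoutFilter occupies it; the filter configuration forwards
     * /logout here, so both /logout and /remove log the caller out.
     *
     * @param authorization value of the Authorization header
     * @return "ok"
     */
    @DeleteMapping("/remove")
    public @ResponseBody String logout(@RequestHeader(value = "Authorization") String authorization) {
        final String scheme = OAuth2AccessToken.BEARER_TYPE;
        // Strip the prefix only when the header really uses the Bearer scheme: a shorter header would
        // make substring() throw, and another scheme would have its value treated as a token.
        // The result of the revocation was never reported, so a header without a token stays "ok".
        if (authorization.regionMatches(true, 0, scheme, 0, scheme.length())) {
            String accessToken = authorization.substring(scheme.length()).trim();
            consumerTokenServices.revokeToken(accessToken);
        }
        return "ok";
    }

    /**
     * Test endpoint that needs no token.
     * @return "no_need_token"
     */
    @GetMapping("/test/no_need_token")
    public @ResponseBody String test() {
        return "no_need_token";
    }

    /**
     * Test endpoint that needs a token.
     * @return "need_token"
     */
    @GetMapping("/test/need_token")
    public @ResponseBody String test2() {
        return "need_token";
    }

    /**
     * Test endpoint that needs the admin authority.
     * @return "need_admin"
     */
    @PreAuthorize("hasAuthority('admin')")
    @GetMapping("/test/need_admin")
    public @ResponseBody String admin() {
        return "need_admin";
    }

    /**
     * Login page.
     * @return ModelAndView
     */
    @GetMapping("/login")
    public ModelAndView require() {
        log.info("---认证页面---");
        return new ModelAndView("ftl/login");
    }

    /**
     * Scope check test: only clients configured with the scope sever2 can call this method; the
     * check targets the client, not the user.
     * @return "scope-test"
     */
    @GetMapping("/test/scope")
    @PreAuthorize("#oauth2.hasScope('sever2')")
    public @ResponseBody String test3() {
        return "scope-test";
    }

}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/entity/SysAuthority.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.entity;

import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.EqualsAndHashCode;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;

/**
 * Granted authority entity; equality is based on the authority name only.
 * @author: yaohw
 * @create: 2019-10-12 16:36
 **/
@Data
@AllArgsConstructor
@NoArgsConstructor
@EqualsAndHashCode(of = "authority")
public class SysAuthority implements GrantedAuthority {

    /**
     * Authority name.
     */
    private String authority;

    /**
     * Authority description.
     */
    private String desc;
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/entity/SysUser.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.entity;

import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

/**
 * This can be regarded as the database entity.
 *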
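@author: yaohw
 * @create: 2019-10-12 16:15
 **/
// NOTE(review): @Data generates a toString() that covers every field, password included; avoid
// logging instances of this class or exclude that field from toString().
@Data
@AllArgsConstructor
@NoArgsConstructor
public class SysUser {

    private String id;

    private String username;

    private String password;

    private String test;
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/granter/MobileCodeTokenGranter.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.granter;

import cn.poile.ucs.auth.Token.MobileCodeAuthenticationToken;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Custom grant type: mobile number plus SMS verification code.
 * @author: yaohw
 * @create: 2019-09-29 18:29
 **/
public class MobileCodeTokenGranter extends AbstractTokenGranter {

    private static final String GRANT_TYPE = "mobile";

    private final AuthenticationManager authenticationManager;

    /**
     * Creates a granter for the "mobile" grant type.
     *
     * @param authenticationManager manager that verifies the mobile number and code
     * @param tokenServices         token services handed to the parent class
     * @param clientDetailsService  client lookup handed to the parent class
     * @param requestFactory        request factory handed to the parent class
     */
    public MobileCodeTokenGranter(AuthenticationManager authenticationManager,
                                  AuthorizationServerTokenServices tokenServices,
                                  ClientDetailsService clientDetailsService,
                                  OAuth2RequestFactory requestFactory) {
        this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
    }

    private MobileCodeTokenGranter(AuthenticationManager authenticationManager,
                                   AuthorizationServerTokenServices tokenServices,
                                   ClientDetailsService clientDetailsService,
                                   OAuth2RequestFactory requestFactory,
                                   String grantType) {
        super(tokenServices, clientDetailsService, requestFactory, grantType);
        this.authenticationManager = authenticationManager;
    }

    /**
     * Authenticates the "mobile" and "code" request parameters and builds the OAuth2 authentication.
     *
     * @param client       client that sent the token request
     * @param tokenRequest token request carrying the parameters
     * @return the authentication for the verified user
     * @throws InvalidGrantException when the account status or the credentials are rejected, or the
     *                               result is not authenticated
     */
    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters());
        String mobile = parameters.get("mobile");
        String code = parameters.get("code");
        // Keep the one-time code out of the details map so it is not carried along with the
        // authentication; the token below already holds it as credentials.
        parameters.remove("code");
        Authentication userAuth = new MobileCodeAuthenticationToken(mobile, code);
        ((AbstractAuthenticationToken) userAuth).setDetails(parameters);
        try {
            userAuth = authenticationManager.authenticate(userAuth);
        }
        catch (AccountStatusException ase) {
            //covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
            throw new InvalidGrantException(ase.getMessage());
        }
        catch (BadCredentialsException e) {
            // If the username/password are wrong the spec says we should send 400/invalid grant
            throw new InvalidGrantException(e.getMessage());
        }
        if (userAuth == null || !userAuth.isAuthenticated()) {
            throw new InvalidGrantException("Could not authenticate mobile: " + mobile);
        }

        OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
        return new OAuth2Authentication(storedOAuth2Request, userAuth);
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/provider/MobileCodeAuthenticationProvider.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.provider;

import cn.poile.ucs.auth.Token.MobileCodeAuthenticationToken;
import cn.poile.ucs.auth.constant.RedisConstant;
import cn.poile.ucs.auth.service.UserDetailsServiceImpl;
import lombok.extern.log4j.Log4j2;
import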
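org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Authentication provider for the mobile grant: verifies the SMS code of a mobile number and loads
 * the matching user.
 * @author: yaohw
 * @create: 2019-09-29 20:00
 **/
@Log4j2
public class MobileCodeAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {

    private StringRedisTemplate stringRedisTemplate;

    private UserDetailsServiceImpl userDetailsService;

    private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    /**
     * Whether a user-not-found error is hidden. Defaults to true, in which case a
     * BadCredentialsException is thrown instead.
     */
    private boolean hideUserNotFoundExceptions = true;

    @Override
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /**
     * Verifies the SMS code presented for a mobile number and returns an authenticated token.
     * NOTE(review): no attempt counter or rate limit is visible here; presumably that is enforced
     * where the code is issued or in front of the token endpoint - confirm.
     *
     * @param authentication token whose principal is the mobile number and whose credentials are
     *                       the code
     * @return an authenticated {@link MobileCodeAuthenticationToken} for the loaded user
     * @throws AuthenticationException when the number or code is missing, the code does not match,
     *                                 the user is unknown or the account fails the status checks
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String mobile = (String) authentication.getPrincipal();
        if (mobile == null) {
            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Missing mobile"));
        }
        String code = (String) authentication.getCredentials();
        if (code == null) {
            log.error("缺失code参数");
            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Missing code"));
        }
        String codeKey = RedisConstant.SMS_CODE_PREFIX + mobile;
        String cacheCode = stringRedisTemplate.opsForValue().get(codeKey);
        if (cacheCode == null || !cacheCode.equals(code)) {
            log.error("短信验证码错误");
            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Invalid code"));
        }
        // An SMS code is a one-time credential: clear it once it has matched, so the same code
        // cannot be presented again for as long as the Redis entry would otherwise live.
        stringRedisTemplate.delete(codeKey);
        UserDetails user;
        try {
            user = userDetailsService.loadUserByMobile(mobile);
        } catch (UsernameNotFoundException var6) {
            // NOTE(review): the mobile number is written to the log here; confirm that is acceptable.
            log.info("手机号:" + mobile + "未查到用户信息");
            if (this.hideUserNotFoundExceptions) {
                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
            }
            throw var6;
        }
        check(user);
        MobileCodeAuthenticationToken authenticationToken = new MobileCodeAuthenticationToken(user, code, user.getAuthorities());
        // Carry over the details of the incoming request token; the new token has none of its own.
        authenticationToken.setDetails(authentication.getDetails());
        return authenticationToken;
    }

    /**
     * Declares which token type this provider handles.
     * @param aClass authentication class to test
     * @return true for {@link MobileCodeAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> aClass) {
        return MobileCodeAuthenticationToken.class.isAssignableFrom(aClass);
    }

    /**
     * Rejects locked, disabled and expired accounts.
     *
     * @param user user to check
     */
    private void check(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            throw new LockedException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));
        }
        if (!user.isEnabled()) {
            throw new DisabledException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled"));
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired", "User account has expired"));
        }
    }

    public void setStringRedisTemplate(StringRedisTemplate stringRedisTemplate) {
        this.stringRedisTemplate = stringRedisTemplate;
    }

    public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) {
        this.hideUserNotFoundExceptions = hideUserNotFoundExceptions;
    }

    public void setUserDetailsService(UserDetailsServiceImpl userDetailsService) {
        this.userDetailsService = userDetailsService;
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/service/ClientDetailsServiceImpl.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.service;

import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.stereotype.Service;

/**
 * @author: yaohw
 * @create: 2019-10-12 16:12
 **/
@Service
@Log4j2
public class ClientDetailsServiceImpl implements ClientDetailsService {

    @Autowired
    private SysClientDetailService clientDetailService;

    /**
     * Load a client by the client id. This method must not return null.
     *
     * @param clientId The client id.
     * @return The client details (never null).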
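28 | * @throws ClientRegistrationException If the client account is locked, expired, disabled, or invalid for any other reason. 29 | */ 30 | @Override 31 | public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException { 32 | log.info("客户端查询:" + clientId); 33 | BaseClientDetails baseClientDetails = clientDetailService.selectById(clientId); 34 | if (baseClientDetails == null) { 35 | throw new NoSuchClientException("not found clientId:" + clientId); 36 | } 37 | return baseClientDetails; 38 | } 39 | } 40 |
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/service/SysClientDetailService.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.service;

import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;

/**
 * OAuth client service.
 *
 * <p>Demo stand-in for a client store: one client is described in code instead of being read
 * from a database or external configuration.
 *
 * @author: yaohw
 * @create: 2019-10-12 17:33
 **/
@Service
public class SysClientDetailService {

    /** Id of the only client this demo service knows. */
    private static final String DEMO_CLIENT_ID = "yaohw";

    /**
     * Looks up a client by its id.
     *
     * <p>Only the demo client id resolves. Any other id, including {@code null}, yields
     * {@code null} so that {@code ClientDetailsServiceImpl.loadClientByClientId} can raise
     * {@code NoSuchClientException}. Answering every id with the demo client would make every
     * {@code client_id} resolve to this client's secret, grants and scopes.
     *
     * @param clientId the client id to look up
     * @return the client details, or {@code null} when the id is unknown
     */
    public BaseClientDetails selectById(String clientId) {
        if (!DEMO_CLIENT_ID.equals(clientId)) {
            return null;
        }

        BaseClientDetails clientDetails = new BaseClientDetails();
        clientDetails.setAuthorities(new ArrayList<>());
        clientDetails.setClientId(DEMO_CLIENT_ID);

        // Like user passwords, the client secret is stored as BCryptPasswordEncoder output;
        // which encoder applies depends on the one configured for the server.
        // NOTE(review): the hash is committed to source for the demo. A real deployment should
        // load client secrets from a credential store and treat this value as published.
        clientDetails.setClientSecret("$2a$10$CwIutywnbs9bifHaY3Ezu.gYkWi4Zano8gVPq08hXjal6.uj.Yzuy");

        // Token lifetimes; when unset, the values configured on tokenServices apply.
        clientDetails.setAccessTokenValiditySeconds((int) TimeUnit.HOURS.toSeconds(2));
        clientDetails.setRefreshTokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30));

        // Resource ids; these must match the ids configured in ResourceServerConfig.
        List<String> resourceIds = new ArrayList<>();
        resourceIds.add("auth-server");
        resourceIds.add("resource-server");
        clientDetails.setResourceIds(resourceIds);

        // The scope name is spelled "sever" here and in the auto-approve list below; requests
        // have to use the same spelling.
        List<String> scopes = new ArrayList<>(1);
        scopes.add("sever");
        clientDetails.setScope(scopes);

        // NOTE(review): one client is allowed every flow, including "password" and "implicit".
        // Current OAuth 2.0 security guidance advises against both; outside a demo, grant each
        // client only the flows it needs.
        List<String> grantTypes = new ArrayList<>(5);
        grantTypes.add("password");
        grantTypes.add("refresh_token");
        grantTypes.add("authorization_code");
        grantTypes.add("implicit");
        grantTypes.add("mobile");
        clientDetails.setAuthorizedGrantTypes(grantTypes);

        // NOTE(review): placeholder redirect target over plain http. Authorization codes and
        // implicit-flow tokens are delivered to this URI, so a real registration should be an
        // exact https URI owned by the client.
        Set<String> redirectUris = new HashSet<>(1);
        redirectUris.add("http://www.baidu.com");
        clientDetails.setRegisteredRedirectUri(redirectUris);

        // Auto-approved scopes, used by the authorization-code flow: after login the code is
        // returned directly and the user is not asked to confirm the grant.
        List<String> autoApproveScopes = new ArrayList<>(1);
        autoApproveScopes.add("sever");
        clientDetails.setAutoApproveScopes(autoApproveScopes);

        return clientDetails;
    }
}

--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/service/SysUserService.java:
--------------------------------------------------------------------------------
1 | package cn.poile.ucs.auth.service; 2 | 3 | import cn.poile.ucs.auth.entity.SysUser; 4 | import org.springframework.stereotype.Service; 5 | 6 | /** 7 | * @author: yaohw 8 | * @create: 2019-10-12 16:21 9 | **/ 10 | @Service 11 | public class SysUserService { 12 | 13 | /** 14 | * 根据用户名查询用户 15 | * @param username 16 | * @return cn.poile.ucs.auth.entity.SysUser 17 | */ 18 | public SysUser selectByUsername(String username) { 19 | return new SysUser("1","yaohw","$2a$10$CwIutywnbs9bifHaY3Ezu.gYkWi4Zano8gVPq08hXjal6.uj.Yzuy","测试字段,根据用户名查询"); 20 | } 21 | 22 | /** 23 | * 根据手机号查询用户 24 | * @param mobile 25 | * @return cn.poile.ucs.auth.entity.SysUser 26 | */ 27 | public SysUser selectByMobile(String mobile) { 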
28 | return new SysUser("2","yaohw2","$2a$10$CwIutywnbs9bifHaY3Ezu.gYkWi4Zano8gVPq08hXjal6.uj.Yzuy","测试字段,根据手机号查询"); 29 | } 30 | } 31 |
--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/service/UserDetailsServiceImpl.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.service;

import cn.poile.ucs.auth.entity.SysAuthority;
import cn.poile.ucs.auth.entity.SysUser;
import cn.poile.ucs.auth.vo.UserDetailImpl;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;

/**
 * Loads users for the password grant (by username) and the mobile-code grant (by mobile number).
 *
 * @author yaohw
 * @date 2019-09-25 15:25
 */
@Service
@Log4j2
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private SysUserService userService;

    /**
     * Loads the user for a username/password login.
     *
     * @param s the username submitted with the login
     * @return an enabled {@link UserDetailImpl} carrying the user's properties and authorities
     * @throws UsernameNotFoundException if {@code SysUserService.selectByUsername} returns {@code null}
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.info("密码模式查询用户信息");
        final SysUser found = userService.selectByUsername(s);
        if (found == null) {
            throw new UsernameNotFoundException("not found user:" + s);
        }

        final UserDetailImpl details = new UserDetailImpl();
        // Kept before the property copy, as in the original ordering.
        details.setEnable(true);
        BeanUtils.copyProperties(found, details);

        // The authority list is hard-coded for convenience; a real implementation would query the
        // user's authorities together with the user record.
        // NOTE(review): as written, every user loaded by username receives the "admin" authority.
        final Set<SysAuthority> granted = new HashSet<>();
        granted.add(new SysAuthority("admin", "管理员权限"));
        details.setAuthorities(granted);
        return details;
    }

    /**
     * Simulates looking a user up by mobile number.
     *
     * @param mobile the mobile number submitted with the login
     * @return an enabled {@link UserDetailImpl} with an empty authority list
     * @throws UsernameNotFoundException if {@code SysUserService.selectByMobile} returns {@code null}
     */
    public UserDetails loadUserByMobile(String mobile) throws UsernameNotFoundException {
        log.info("手机号模式查询用户信息");
        final SysUser found = userService.selectByMobile(mobile);
        if (found == null) {
            throw new UsernameNotFoundException("not found mobile user:" + mobile);
        }

        final UserDetailImpl details = new UserDetailImpl();
        BeanUtils.copyProperties(found, details);
        details.setAuthorities(new ArrayList<>());
        details.setEnable(true);
        return details;
    }
}

--------------------------------------------------------------------------------
/auth-server/src/main/java/cn/poile/ucs/auth/vo/UserDetailImpl.java:
--------------------------------------------------------------------------------
package cn.poile.ucs.auth.vo;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * {@link UserDetails} implementation used by the auth server.
 *
 * <p>Only the enabled flag is backed by state. The expiry and lock checks always report a valid
 * account, so a caller testing {@code isAccountNonLocked()} or {@code isAccountNonExpired()} can
 * never reject an instance of this class.
 *
 * @author yaohw
 * @date 2019-09-25 16:12
 */
public class UserDetailImpl implements UserDetails {

    private String id;

    private String username;

    // Returned as-is by getPassword(); the demo user service supplies a bcrypt hash here.
    private String password;

    // Free-form demo field.
    private String test;

    private boolean isEnable;

    private Collection authorities;

    // ---- UserDetails contract ----

    @Override
    public Collection getAuthorities() {
        return this.authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    /** Always {@code true}: account expiry is not modelled. */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /** Always {@code true}: account locking is not modelled. */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /** Always {@code true}: credential expiry is not modelled. */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return this.isEnable;
    }

    // ---- Bean accessors ----

    public void setEnable(boolean enable) {
        this.isEnable = enable;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public void setTest(String test) {
        this.test = test;
    }

    public String getTest() {
        return this.test;
    }

    public String getId() {
        return this.id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public void setAuthorities(Collection authorities) {
        this.authorities = authorities;
    }
}
--------------------------------------------------------------------------------
/auth-server/src/main/resources/application-dev.yml:
--------------------------------------------------------------------------------
spring:
  application:
    name: auth-server
  redis:
    host: 127.0.0.1
    # NOTE(review): the Redis password is empty. That is tolerable only for a local dev
    # instance reachable on 127.0.0.1; any shared instance should require authentication.
    password:
    port: 6379
    timeout: 3000
    lettuce:
      pool:
        max-idle: 8
        max-active: 8
        max-wait: -1ms
        min-idle: 0


server:
  port: 8001

# Service discovery / registration settings
eureka:
  client:
    serviceUrl:
      # Registry endpoint(s); several may be listed, separated by commas.
      # NOTE(review): the URL carries basic-auth credentials (admin:admin) in plain text and uses
      # http. Outside local dev, supply the credentials from the environment or a secret store
      # and reach the registry over TLS.
      defaultZone: http://admin:admin@localhost:9000/eureka/

## Enable DEBUG logging so debugging output is visible.
## NOTE(review): Spring Security DEBUG output is verbose and may include request details;
## keep this setting confined to the dev profile.
logging.level.org.springframework.security: DEBUG

--------------------------------------------------------------------------------
/auth-server/src/main/resources/application.yml:
--------------------------------------------------------------------------------
spring:
  profiles:
    active:
      - dev
--------------------------------------------------------------------------------
/auth-server/src/main/resources/static/css/bootstrap.min.css:
--------------------------------------------------------------------------------
1 | /*! 2 | * Bootstrap v3.3.7 (http://getbootstrap.com) 3 | * Copyright 2011-2016 Twitter, Inc. 4 | * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) 5 | *//*! 
normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid 
silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,:after,:before{color:#000!important;text-shadow:none!important;background:0 0!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}blockquote,pre{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}img,tr{page-break-inside:avoid}img{max-width:100%!important}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table td,.table th{background-color:#fff!important}.table-bordered td,.table-bordered th{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff2) format('woff2'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons 
Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\002a"}.glyphicon-plus:before{content:"\002b"}.glyphicon-eur:before,.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.g
lyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot
:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"
}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{c
ontent:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}.glyphicon-cd:before{content:"\e201"}.glyphicon-save-file:before{content:"\e202"}.glyphicon-open-file:before{content:"\e203"}.glyphicon-level-up:before{content:"\e204"}.glyphicon-copy:before{content:"\e205"}.glyphicon-paste:before{content:"\e206"}.glyphicon-alert:before{content:"\e209"}.glyphicon-equalizer:before{content:"\e210"}.glyphicon-king:before{content:"\e211"}.glyphicon-queen:before{content:"\e212"}.glyphicon-pawn:before{content:"\e213"}.glyphicon-bishop:before{content:"\e214"}.glyphicon-knight:before{content:"\e215"}.glyphicon-baby-formula:before{content:"\e216"}.glyphicon-tent:before{content:"\26fa"}.glyphicon-blackboard:before{content:"\e218"}.glyphicon-bed:before{content:"\e219"}.glyphicon-apple:before{content:"\f8ff"}.glyphicon-erase:before{content:"\e221"}.glyphicon-hourglass:before{content:"\231b"}.glyphicon-lamp:before{content:"\e223"}.glyphicon-duplicate:before{content:"\e224"}.glyphicon-piggy-bank:before{content:"\e225"}.glyphicon-scissors:before{content:"\e226"}.glyphicon-bitcoin:before{content:"\e227"}.glyphicon-btc:before{content:"\e227"}.glyphicon-xbt:before{content:"\e227"}.glyphicon-yen:before{content:"\00a5"}.glyphicon-jpy:befo
re{content:"\00a5"}.glyphicon-ruble:before{content:"\20bd"}.glyphicon-rub:before{content:"\20bd"}.glyphicon-scale:before{content:"\e230"}.glyphicon-ice-lolly:before{content:"\e231"}.glyphicon-ice-lolly-tasted:before{content:"\e232"}.glyphicon-education:before{content:"\e233"}.glyphicon-option-horizontal:before{content:"\e234"}.glyphicon-option-vertical:before{content:"\e235"}.glyphicon-menu-hamburger:before{content:"\e236"}.glyphicon-modal-window:before{content:"\e237"}.glyphicon-oil:before{content:"\e238"}.glyphicon-grain:before{content:"\e239"}.glyphicon-sunglasses:before{content:"\e240"}.glyphicon-text-size:before{content:"\e241"}.glyphicon-text-color:before{content:"\e242"}.glyphicon-text-background:before{content:"\e243"}.glyphicon-object-align-top:before{content:"\e244"}.glyphicon-object-align-bottom:before{content:"\e245"}.glyphicon-object-align-horizontal:before{content:"\e246"}.glyphicon-object-align-left:before{content:"\e247"}.glyphicon-object-align-vertical:before{content:"\e248"}.glyphicon-object-align-right:before{content:"\e249"}.glyphicon-triangle-right:before{content:"\e250"}.glyphicon-triangle-left:before{content:"\e251"}.glyphicon-triangle-bottom:before{content:"\e252"}.glyphicon-triangle-top:before{content:"\e253"}.glyphicon-console:before{content:"\e254"}.glyphicon-superscript:before{content:"\e255"}.glyphicon-subscript:before{content:"\e256"}.glyphicon-menu-left:before{content:"\e257"}.glyphicon-menu-right:before{content:"\e258"}.glyphicon-menu-down:before{content:"\e259"}.glyphicon-menu-up:before{content:"\e260"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica 
Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}button,input,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#337ab7;text-decoration:none}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.carousel-inner>.item>a>img,.carousel-inner>.item>img,.img-responsive,.thumbnail a>img,.thumbnail>img{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role=button]{cursor:pointer}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}.h1 .small,.h1 small,.h2 .small,.h2 small,.h3 .small,.h3 small,.h4 .small,.h4 small,.h5 .small,.h5 small,.h6 .small,.h6 small,h1 .small,h1 small,h2 .small,h2 small,h3 .small,h3 small,h4 .small,h4 small,h5 .small,h5 small,h6 .small,h6 small{font-weight:400;line-height:1;color:#777}.h1,.h2,.h3,h1,h2,h3{margin-top:20px;margin-bottom:10px}.h1 .small,.h1 small,.h2 .small,.h2 small,.h3 .small,.h3 small,h1 .small,h1 small,h2 .small,h2 small,h3 .small,h3 small{font-size:65%}.h4,.h5,.h6,h4,h5,h6{margin-top:10px;margin-bottom:10px}.h4 .small,.h4 small,.h5 .small,.h5 small,.h6 .small,.h6 small,h4 .small,h4 small,h5 .small,h5 small,h6 .small,h6 
small{font-size:75%}.h1,h1{font-size:36px}.h2,h2{font-size:30px}.h3,h3{font-size:24px}.h4,h4{font-size:18px}.h5,h5{font-size:14px}.h6,h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}.small,small{font-size:85%}.mark,mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#337ab7}a.text-primary:focus,a.text-primary:hover{color:#286090}.text-success{color:#3c763d}a.text-success:focus,a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:focus,a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:focus,a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:focus,a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#337ab7}a.bg-primary:focus,a.bg-primary:hover{background-color:#286090}.bg-success{background-color:#dff0d8}a.bg-success:focus,a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:focus,a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:focus,a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:focus,a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ol,ul{margin-top:0;margin-bottom:10px}ol ol,ol ul,ul ol,ul 
ul{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dd,dt{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[data-original-title],abbr[title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote ol:last-child,blockquote p:last-child,blockquote ul:last-child{margin-bottom:0}blockquote .small,blockquote footer,blockquote small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote .small:before,blockquote footer:before,blockquote small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse .small:before,.blockquote-reverse footer:before,.blockquote-reverse small:before,blockquote.pull-right .small:before,blockquote.pull-right footer:before,blockquote.pull-right small:before{content:''}.blockquote-reverse .small:after,.blockquote-reverse footer:after,.blockquote-reverse small:after,blockquote.pull-right .small:after,blockquote.pull-right footer:after,blockquote.pull-right small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 
rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;font-weight:700;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-lg-1,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-md-1,.col-md-10,.col-md-11,.col-md-12,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-sm-1,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-xs-1,.col-xs-10,.col-xs-11,.col-xs-12,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-10,.col-xs-11,.col-xs-12,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.666
66667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media 
(min-width:768px){.col-sm-1,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media 
(min-width:992px){.col-md-1,.col-md-10,.col-md-11,.col-md-12,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media 
(min-width:1200px){.col-lg-1,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>
tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>td,.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>td,.table>thead:first-child>tr:first-child>th{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>tbody>tr>td,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>td,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>thead>tr>th{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #ddd}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>tbody>tr.active>td,.table>tbody>tr.active>th,.table>tbody>tr>td.active,.table>tbody>tr>th.active,.table>tfoot>tr.active>td,.table>tfoot>tr.active>th,.table>tfoot>tr>td.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>thead>tr.active>th,.table>thead>tr>td.active,.table>thead>tr>th.active{background-color:#f5f5f5}.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr.active:hover>th,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover{background-color:#e8e8e8}.table>tbody>tr.success>td,.table>tbody>tr.success>th,.table>tbody>tr>td.success,.table>tbody>tr>th.success,.table>tfoot>tr.success>td,.table>tfoot>tr.success>th,.table>tfoot>tr>td.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>thead>tr.success>th,.table>thead>tr>td.success,.table>thead>tr>th.success{background-color:#dff0d8}.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr.success:hover>th,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover{background-color:#d0e9c6}.table>tbody>tr.info>td,.table>tbody>tr.info>th,.table>tbody>tr>td.info,.table>tbody>tr>th.info,.table>tfoot>tr.info>td,.table>tfoot>tr.info>th,.table>tfoot>tr>td.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>thead>tr.info>th,.table>thead>tr>td.info,.table>thead>tr>th.info{background-color:#d9edf7}.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr.info:hover>th,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover{background-color:#c4e3f3}.table>tbody>tr.warning>td,.table>tbody>tr.warning>th,.table>tbody>tr>td.warning,.table>tbody>tr>th.warning,.table>tfoot>tr.warning>td,.table>tfoot>tr.warning>th,.table>tfoot>tr>td.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>thead>tr.warning>th,.table>thead>tr>td.warning,.table>t
head>tr>th.warning{background-color:#fcf8e3}.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr.warning:hover>th,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover{background-color:#faf2cc}.table>tbody>tr.danger>td,.table>tbody>tr.danger>th,.table>tbody>tr>td.danger,.table>tbody>tr>th.danger,.table>tfoot>tr.danger>td,.table>tfoot>tr.danger>th,.table>tfoot>tr>td.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>thead>tr.danger>th,.table>thead>tr>td.danger,.table>thead>tr>th.danger{background-color:#f2dede}.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr.danger:hover>th,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover{background-color:#ebcccc}.table-responsive{min-height:.01%;overflow-x:auto}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>thead>tr>th{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>thead>tr>th:first-child{border-left:0}.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>thead>tr>th:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=checkbox],input[type=radio]{margin:4px 0 0;margin-top:1px\9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=checkbox]:focus,input[type=radio]:focus{outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#999;opacity:1}.form-control:-ms-input-placeholder{color:#999}.form-control::-webkit-input-placeholder{color:#999}.form-control::-ms-expand{background-color:transparent;border:0}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{background-color:#eee;opacity:1}.form-control[disabled],fieldset[disabled] .form-control{cursor:not-allowed}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}@media screen and (-webkit-min-device-pixel-ratio:0){input[type=date].form-control,input[type=time].form-control,input[type=datetime-local].form-control,input[type=month].form-control{line-height:34px}.input-group-sm input[type=date],.input-group-sm input[type=time],.input-group-sm input[type=datetime-local],.input-group-sm input[type=month],input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}.input-group-lg input[type=date],.input-group-lg input[type=time],.input-group-lg input[type=datetime-local],.input-group-lg 
input[type=month],input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}}.form-group{margin-bottom:15px}.checkbox,.radio{position:relative;display:block;margin-top:10px;margin-bottom:10px}.checkbox label,.radio label{min-height:20px;padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox],.radio input[type=radio],.radio-inline input[type=radio]{position:absolute;margin-top:4px\9;margin-left:-20px}.checkbox+.checkbox,.radio+.radio{margin-top:-5px}.checkbox-inline,.radio-inline{position:relative;display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.checkbox-inline+.checkbox-inline,.radio-inline+.radio-inline{margin-top:0;margin-left:10px}fieldset[disabled] input[type=checkbox],fieldset[disabled] input[type=radio],input[type=checkbox].disabled,input[type=checkbox][disabled],input[type=radio].disabled,input[type=radio][disabled]{cursor:not-allowed}.checkbox-inline.disabled,.radio-inline.disabled,fieldset[disabled] .checkbox-inline,fieldset[disabled] .radio-inline{cursor:not-allowed}.checkbox.disabled label,.radio.disabled label,fieldset[disabled] .checkbox label,fieldset[disabled] .radio label{cursor:not-allowed}.form-control-static{min-height:34px;padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}select[multiple].input-sm,textarea.input-sm{height:auto}.form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.form-group-sm select.form-control{height:30px;line-height:30px}.form-group-sm select[multiple].form-control,.form-group-sm textarea.form-control{height:auto}.form-group-sm 
.form-control-static{height:30px;min-height:32px;padding:6px 10px;font-size:12px;line-height:1.5}.input-lg{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-lg{height:46px;line-height:46px}select[multiple].input-lg,textarea.input-lg{height:auto}.form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}.form-group-lg select.form-control{height:46px;line-height:46px}.form-group-lg select[multiple].form-control,.form-group-lg textarea.form-control{height:auto}.form-group-lg .form-control-static{height:46px;min-height:38px;padding:11px 16px;font-size:18px;line-height:1.3333333}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:0;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center;pointer-events:none}.form-group-lg .form-control+.form-control-feedback,.input-group-lg+.form-control-feedback,.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.form-group-sm .form-control+.form-control-feedback,.input-group-sm+.form-control-feedback,.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .help-block,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success 
.form-control-feedback{color:#3c763d}.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .help-block,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .help-block,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label~.form-control-feedback{top:25px}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-static{display:inline-block}.form-inline 
.input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .form-control,.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .checkbox,.form-inline .radio{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .checkbox label,.form-inline .radio label{padding-left:0}.form-inline .checkbox input[type=checkbox],.form-inline .radio input[type=radio]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .checkbox,.form-horizontal .checkbox-inline,.form-horizontal .radio,.form-horizontal .radio-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .checkbox,.form-horizontal .radio{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:11px;font-size:18px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px;font-size:12px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;-ms-touch-action:manipulation;touch-action:manipulation;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn.active.focus,.btn.active:focus,.btn.focus,.btn:active.focus,.btn:active:focus,.btn:focus{outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn.focus,.btn:focus,.btn:hover{color:#333;text-decoration:none}.btn.active,.btn:active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}a.btn.disabled,fieldset[disabled] a.btn{pointer-events:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default.focus,.btn-default:focus{color:#333;background-color:#e6e6e6;border-color:#8c8c8c}.btn-default:hover{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default.active,.btn-default:active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open>.dropdown-toggle.btn-default.focus,.open>.dropdown-toggle.btn-default:focus,.open>.dropdown-toggle.btn-default:hover{color:#333;background-color:#d4d4d4;border-color:#8c8c8c}.btn-default.active,.btn-default:active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled.focus,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled].focus,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default.focus,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#fff;border-color:#ccc}.btn-default 
.badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#337ab7;border-color:#2e6da4}.btn-primary.focus,.btn-primary:focus{color:#fff;background-color:#286090;border-color:#122b40}.btn-primary:hover{color:#fff;background-color:#286090;border-color:#204d74}.btn-primary.active,.btn-primary:active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#286090;border-color:#204d74}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open>.dropdown-toggle.btn-primary.focus,.open>.dropdown-toggle.btn-primary:focus,.open>.dropdown-toggle.btn-primary:hover{color:#fff;background-color:#204d74;border-color:#122b40}.btn-primary.active,.btn-primary:active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled.focus,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled].focus,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary.focus,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#337ab7;border-color:#2e6da4}.btn-primary 
.badge{color:#337ab7;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success.focus,.btn-success:focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success.active,.btn-success:active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success.active.focus,.btn-success.active:focus,.btn-success.active:hover,.btn-success:active.focus,.btn-success:active:focus,.btn-success:active:hover,.open>.dropdown-toggle.btn-success.focus,.open>.dropdown-toggle.btn-success:focus,.open>.dropdown-toggle.btn-success:hover{color:#fff;background-color:#398439;border-color:#255625}.btn-success.active,.btn-success:active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled.focus,.btn-success.disabled:focus,.btn-success.disabled:hover,.btn-success[disabled].focus,.btn-success[disabled]:focus,.btn-success[disabled]:hover,fieldset[disabled] .btn-success.focus,fieldset[disabled] .btn-success:focus,fieldset[disabled] .btn-success:hover{background-color:#5cb85c;border-color:#4cae4c}.btn-success 
.badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info.focus,.btn-info:focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info.active,.btn-info:active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info.active.focus,.btn-info.active:focus,.btn-info.active:hover,.btn-info:active.focus,.btn-info:active:focus,.btn-info:active:hover,.open>.dropdown-toggle.btn-info.focus,.open>.dropdown-toggle.btn-info:focus,.open>.dropdown-toggle.btn-info:hover{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info.active,.btn-info:active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled.focus,.btn-info.disabled:focus,.btn-info.disabled:hover,.btn-info[disabled].focus,.btn-info[disabled]:focus,.btn-info[disabled]:hover,fieldset[disabled] .btn-info.focus,fieldset[disabled] .btn-info:focus,fieldset[disabled] .btn-info:hover{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning.focus,.btn-warning:focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning.active,.btn-warning:active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning.active.focus,.btn-warning.active:focus,.btn-warning.active:hover,.btn-warning:active.focus,.btn-warning:active:focus,.btn-warning:active:hover,.open>.dropdown-toggle.btn-warning.focus,.open>.dropdown-toggle.btn-warning:focus,.open>.dropdown-toggle.btn-warning:hover{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning.active,.btn-warning:active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled.focus,.btn-warning.disabled:focus,.btn-warning.disabled:hover,.btn-warning[disabled].focus,.btn-warning[disabled]:focus,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning.focus,fieldset[disabled] .btn-warning:focus,fieldset[disabled] .btn-warning:hover{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger.focus,.btn-danger:focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger.active,.btn-danger:active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open>.dropdown-toggle.btn-danger.focus,.open>.dropdown-toggle.btn-danger:focus,.open>.dropdown-toggle.btn-danger:hover{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger.active,.btn-danger:active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled.focus,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled].focus,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger.focus,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#337ab7;border-radius:0}.btn-link,.btn-link.active,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:active,.btn-link:focus,.btn-link:hover{border-color:transparent}.btn-link:focus,.btn-link:hover{color:#23527c;text-decoration:underline;background-color:transparent}.btn-link[disabled]:focus,.btn-link[disabled]:hover,fieldset[disabled] .btn-link:focus,fieldset[disabled] .btn-link:hover{color:#777;text-decoration:none}.btn-group-lg>.btn,.btn-lg{padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}.btn-group-sm>.btn,.btn-sm{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-xs>.btn,.btn-xs{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=button].btn-block,input[type=reset].btn-block,input[type=submit].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-property:height,visibility;-o-transition-property:height,visibility;transition-property:height,visibility}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px dashed;border-top:4px solid\9;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown,.dropup{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 
20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{color:#fff;text-decoration:none;background-color:#337ab7;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{color:#777}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px dashed;border-bottom:4px solid\9}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:2px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group-vertical>.btn,.btn-group>.btn{position:relative;float:left}.btn-group-vertical>.btn.active,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:hover,.btn-group>.btn.active,.btn-group>.btn:active,.btn-group>.btn:focus,.btn-group>.btn:hover{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar 
.btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn input[type=checkbox],[data-toggle=buttons]>.btn input[type=radio],[data-toggle=buttons]>.btn-group>.btn input[type=checkbox],[data-toggle=buttons]>.btn-group>.btn input[type=radio]{position:absolute;clip:rect(0,0,0,0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn,textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn,textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group .form-control,.input-group-addon,.input-group-btn{display:table-cell}.input-group .form-control:not(:first-child):not(:last-child),.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=checkbox],.input-group-addon input[type=radio]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn-group:not(:last-child)>.btn,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:first-child>.btn-group:not(:first-child)>.btn,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:active,.input-group-btn>.btn:focus,.input-group-btn>.btn:hover{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:focus,.nav>li>a:hover{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:focus,.nav>li.disabled>a:hover{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:focus,.nav .open>a:hover{background-color:#eee;border-color:#337ab7}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:focus,.nav-tabs>li.active>a:hover{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified>.active>a:hover{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified>.active>a:hover{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:focus,.nav-pills>li.active>a:hover{color:#fff;background-color:#337ab7}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:focus,.nav-tabs-justified>.active>a:hover{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:focus,.nav-tabs-justified>.active>a:hover{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-bottom .navbar-collapse,.navbar-fixed-top .navbar-collapse{max-height:200px}}.container-fluid>.navbar-collapse,.container-fluid>.navbar-header,.container>.navbar-collapse,.container>.navbar-header{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container-fluid>.navbar-collapse,.container-fluid>.navbar-header,.container>.navbar-collapse,.container>.navbar-header{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-bottom,.navbar-fixed-top{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-bottom,.navbar-fixed-top{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:focus,.navbar-brand:hover{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu .dropdown-header,.navbar-nav .open .dropdown-menu>li>a{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:focus,.navbar-nav .open .dropdown-menu>li>a:hover{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .form-control,.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .checkbox,.navbar-form .radio{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .checkbox label,.navbar-form .radio label{padding-left:0}.navbar-form .checkbox input[type=checkbox],.navbar-form .radio input[type=radio]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:focus,.navbar-default .navbar-brand:hover{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:focus,.navbar-default .navbar-nav>li>a:hover{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:focus,.navbar-default .navbar-nav>.active>a:hover{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:focus,.navbar-default .navbar-nav>.disabled>a:hover{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:focus,.navbar-default .navbar-toggle:hover{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:focus,.navbar-default .navbar-nav>.open>a:hover{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus,.navbar-default .navbar-nav .open 
.dropdown-menu>li>a:hover{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:focus,.navbar-default .btn-link:hover{color:#333}.navbar-default .btn-link[disabled]:focus,.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:focus,fieldset[disabled] .navbar-default .btn-link:hover{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#9d9d9d}.navbar-inverse .navbar-brand:focus,.navbar-inverse .navbar-brand:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#9d9d9d}.navbar-inverse .navbar-nav>li>a{color:#9d9d9d}.navbar-inverse .navbar-nav>li>a:focus,.navbar-inverse .navbar-nav>li>a:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:focus,.navbar-inverse .navbar-nav>.active>a:hover{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:focus,.navbar-inverse .navbar-nav>.disabled>a:hover{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:focus,.navbar-inverse .navbar-toggle:hover{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse 
.navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:focus,.navbar-inverse .navbar-nav>.open>a:hover{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#9d9d9d}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#9d9d9d}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#9d9d9d}.navbar-inverse .btn-link:focus,.navbar-inverse .btn-link:hover{color:#fff}.navbar-inverse .btn-link[disabled]:focus,.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:focus,fieldset[disabled] .navbar-inverse .btn-link:hover{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#337ab7;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span:focus,.pagination>li>span:hover{z-index:2;color:#23527c;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{z-index:3;color:#fff;cursor:default;background-color:#337ab7;border-color:#337ab7}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px;line-height:1.3333333}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:focus,.pager li>a:hover{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager 
.previous>span{float:left}.pager .disabled>a,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:focus,a.label:hover{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:focus,.label-default[href]:hover{background-color:#5e5e5e}.label-primary{background-color:#337ab7}.label-primary[href]:focus,.label-primary[href]:hover{background-color:#286090}.label-success{background-color:#5cb85c}.label-success[href]:focus,.label-success[href]:hover{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:focus,.label-info[href]:hover{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:focus,.label-warning[href]:hover{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:focus,.label-danger[href]:hover{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:middle;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-group-xs>.btn .badge,.btn-xs .badge{top:0;padding:1px 5px}a.badge:focus,a.badge:hover{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#337ab7;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding-top:30px;padding-bottom:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron .h1,.jumbotron h1{color:inherit}.jumbotron 
p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron,.container-fluid .jumbotron{padding-right:15px;padding-left:15px;border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron,.container-fluid .jumbotron{padding-right:60px;padding-left:60px}.jumbotron .h1,.jumbotron h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:border .2s ease-in-out;-o-transition:border .2s ease-in-out;transition:border .2s ease-in-out}.thumbnail a>img,.thumbnail>img{margin-right:auto;margin-left:auto}a.thumbnail.active,a.thumbnail:focus,a.thumbnail:hover{border-color:#337ab7}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#337ab7;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-bar-striped,.progress-striped .progress-bar{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress-bar.active,.progress.active .progress-bar{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 
75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 
25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media{margin-top:15px}.media:first-child{margin-top:0}.media,.media-body{overflow:hidden;zoom:1}.media-body{width:10000px}.media-object{display:block}.media-object.img-thumbnail{max-width:none}.media-right,.media>.pull-right{padding-left:10px}.media-left,.media>.pull-left{padding-right:10px}.media-body,.media-left,.media-right{display:table-cell;vertical-align:top}.media-middle{vertical-align:middle}.media-bottom{vertical-align:bottom}.media-heading{margin-top:0;margin-bottom:5px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}a.list-group-item,button.list-group-item{color:#555}a.list-group-item .list-group-item-heading,button.list-group-item .list-group-item-heading{color:#333}a.list-group-item:focus,a.list-group-item:hover,button.list-group-item:focus,button.list-group-item:hover{color:#555;text-decoration:none;background-color:#f5f5f5}button.list-group-item{width:100%;text-align:left}.list-group-item.disabled,.list-group-item.disabled:focus,.list-group-item.disabled:hover{color:#777;cursor:not-allowed;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text,.list-group-item.disabled:hover 
.list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{z-index:2;color:#fff;background-color:#337ab7;border-color:#337ab7}.list-group-item.active .list-group-item-heading,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:focus .list-group-item-text,.list-group-item.active:hover .list-group-item-text{color:#c7ddef}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success,button.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading,button.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:focus,a.list-group-item-success:hover,button.list-group-item-success:focus,button.list-group-item-success:hover{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:focus,a.list-group-item-success.active:hover,button.list-group-item-success.active,button.list-group-item-success.active:focus,button.list-group-item-success.active:hover{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info,button.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading,button.list-group-item-info 
.list-group-item-heading{color:inherit}a.list-group-item-info:focus,a.list-group-item-info:hover,button.list-group-item-info:focus,button.list-group-item-info:hover{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:focus,a.list-group-item-info.active:hover,button.list-group-item-info.active,button.list-group-item-info.active:focus,button.list-group-item-info.active:hover{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning,button.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading,button.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:focus,a.list-group-item-warning:hover,button.list-group-item-warning:focus,button.list-group-item-warning:hover{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:focus,a.list-group-item-warning.active:hover,button.list-group-item-warning.active,button.list-group-item-warning.active:focus,button.list-group-item-warning.active:hover{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger,button.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading,button.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:focus,a.list-group-item-danger:hover,button.list-group-item-danger:focus,button.list-group-item-danger:hover{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:focus,a.list-group-item-danger.active:hover,button.list-group-item-danger.active,button.list-group-item-danger.active:focus,button.list-group-item-danger.active:hover{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>.small,.panel-title>.small>a,.panel-title>a,.panel-title>small,.panel-title>small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group 
.list-group-item:first-child{border-top-left-radius:0;border-top-right-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.panel-collapse>.table,.panel>.table,.panel>.table-responsive>.table{margin-bottom:0}.panel>.panel-collapse>.table caption,.panel>.table caption,.panel>.table-responsive>.table caption{padding-right:15px;padding-left:15px}.panel>.table-responsive:first-child>.table:first-child,.panel>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table:first-child>thead:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child 
td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table-responsive:last-child>.table:last-child,.panel>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child 
td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child td,.panel>.table>tbody:first-child>tr:first-child th{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child{border-left:0}.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-respon
sive>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child{border-right:0}.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.list-group,.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading 
.badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#337ab7}.panel-primary>.panel-heading{color:#fff;background-color:#337ab7;border-color:#337ab7}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#337ab7}.panel-primary>.panel-heading .badge{color:#337ab7;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#337ab7}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading 
.badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive embed,.embed-responsive iframe,.embed-responsive object,.embed-responsive video{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:focus,.close:hover{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate(0,-25%);-ms-transform:translate(0,-25%);-o-transform:translate(0,-25%);transform:translate(0,-25%)}.modal.in .modal-dialog{-webkit-transform:translate(0,0);-ms-transform:translate(0,0);-o-transform:translate(0,0);transform:translate(0,0)}.modal-open 
.modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12px;font-style:normal;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;filter:alpha(opacity=0);opacity:0;line-break:auto}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 
5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{right:5px;bottom:0;margin-bottom:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{bottom:0;left:5px;margin-bottom:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;right:5px;margin-top:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;left:5px;margin-top:-5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-weight:400;line-height:1.42857143;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;word-wrap:normal;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2);line-break:auto}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 
14px;margin:0;font-size:14px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>a>img,.carousel-inner>.item>img{line-height:1}@media all and (transform-3d),(-webkit-transform-3d){.carousel-inner>.item{-webkit-transition:-webkit-transform .6s ease-in-out;-o-transition:-o-transform .6s ease-in-out;transition:transform .6s 
ease-in-out;-webkit-backface-visibility:hidden;backface-visibility:hidden;-webkit-perspective:1000px;perspective:1000px}.carousel-inner>.item.active.right,.carousel-inner>.item.next{left:0;-webkit-transform:translate3d(100%,0,0);transform:translate3d(100%,0,0)}.carousel-inner>.item.active.left,.carousel-inner>.item.prev{left:0;-webkit-transform:translate3d(-100%,0,0);transform:translate3d(-100%,0,0)}.carousel-inner>.item.active,.carousel-inner>.item.next.left,.carousel-inner>.item.prev.right{left:0;-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);background-color:rgba(0,0,0,0);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right 
top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:focus,.carousel-control:hover{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next,.carousel-control .icon-prev{position:absolute;top:50%;z-index:5;display:inline-block;margin-top:-10px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{left:50%;margin-left:-10px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{right:50%;margin-right:-10px}.carousel-control .icon-next,.carousel-control .icon-prev{width:20px;height:20px;font-family:serif;line-height:1}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000\9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next,.carousel-control .icon-prev{width:30px;height:30px;margin-top:-10px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control 
.icon-prev{margin-left:-10px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-10px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal .form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-lg,.visible-md,.visible-sm,.visible-xs{display:none!important}.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table!important}tr.visible-xs{display:table-row!important}td.visible-xs,th.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table!important}tr.visible-sm{display:table-row!important}td.visible-sm,th.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table!important}tr.visible-md{display:table-row!important}td.visible-md,th.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table!important}tr.visible-lg{display:table-row!important}td.visible-lg,th.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and 
(max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table!important}tr.visible-print{display:table-row!important}td.visible-print,th.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} -------------------------------------------------------------------------------- /auth-server/src/main/resources/static/css/signin.css: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018-2025, lengleng All rights reserved. 3 | * 4 | * Redistribution and use in source and binary forms, with or without 5 | * modification, are permitted provided that the following conditions are met: 6 | * 7 | * Redistributions of source code must retain the above copyright notice, 8 | * this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * Neither the name of the pig4cloud.com developer nor the names of its 13 | * contributors may be used to endorse or promote products derived from 14 | * this software without specific prior written permission. 
15 | * Author: lengleng (wangiegie@gmail.com) 16 | */ 17 | 18 | body { 19 | padding-top: 40px; 20 | padding-bottom: 40px; 21 | background-color: #eee; 22 | } 23 | 24 | .form-signin { 25 | max-width: 330px; 26 | padding: 15px; 27 | margin: 0 auto; 28 | } 29 | .form-margin-top { 30 | margin-top: 50px; 31 | } 32 | .form-signin .form-signin-heading, 33 | .form-signin .checkbox { 34 | margin-bottom: 10px; 35 | } 36 | .form-signin .checkbox { 37 | font-weight: normal; 38 | } 39 | .form-signin .form-control { 40 | position: relative; 41 | height: auto; 42 | -webkit-box-sizing: border-box; 43 | -moz-box-sizing: border-box; 44 | box-sizing: border-box; 45 | padding: 10px; 46 | font-size: 16px; 47 | } 48 | .form-signin .form-control:focus { 49 | z-index: 2; 50 | } 51 | .form-signin input[type="email"] { 52 | margin-bottom: -1px; 53 | border-bottom-right-radius: 0; 54 | border-bottom-left-radius: 0; 55 | } 56 | .form-signin input[type="password"] { 57 | margin-bottom: 10px; 58 | border-top-left-radius: 0; 59 | border-top-right-radius: 0; 60 | } 61 | footer{ 62 | text-align: center; 63 | position:absolute; 64 | bottom:0; 65 | width:100%; 66 | height:100px; 67 | } 68 | -------------------------------------------------------------------------------- /auth-server/src/main/resources/templates/ftl/login.ftl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | yaohw微服务统一认证 12 | 13 | 14 | 15 | 16 | 17 | 18 |
19 | 20 | 26 |
27 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /auth-server/target/classes/application-dev.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | application: 3 | name: auth-server 4 | redis: 5 | host: 127.0.0.1 6 | password: 7 | port: 6379 8 | timeout: 3000 9 | lettuce: 10 | pool: 11 | max-idle: 8 12 | max-active: 8 13 | max-wait: -1ms 14 | min-idle: 0 15 | 16 | 17 | server: 18 | port: 8001 19 | 20 | #服务器发现注册配置 21 | eureka: 22 | client: 23 | serviceUrl: 24 | #配置服务中心(可配置多个,用逗号隔开) 25 | defaultZone: http://admin:admin@localhost:9000/eureka/ 26 | 27 | ##开启日志DEBUG级别,便于查看调试信息 28 | logging.level.org.springframework.security: DEBUG 29 | 30 | 31 | ##不需要安全拦截url配置 32 | ignore: 33 | urls: 34 | - /**/*.html 35 | - /require 36 | - /form 37 | - /oauth/** 38 | - /**/*.css 39 | - /social 40 | - /signin 41 | - /signup 42 | - /info 43 | - /health 44 | - /metrics/** 45 | - /loggers/** 46 | - /mobile/token 47 | - /test 48 | -------------------------------------------------------------------------------- /auth-server/target/classes/application.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: 4 | - dev -------------------------------------------------------------------------------- /eureka-server/.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | -------------------------------------------------------------------------------- /eureka-server/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | springcloud-oauth2 7 | cn.poile.ucs 8 | 1.0 9 | 10 | jar 11 | 4.0.0 12 | eureka-server 13 | eureka-server 14 | 15 | 16 | 17 | org.springframework.cloud 18 | spring-cloud-starter-netflix-eureka-server 19 | 20 | 22 | 23 | org.springframework.cloud 24 | spring-cloud-starter-security 25 | 26 | 27 | 28 | 29 | 30 | 31 | 
org.springframework.boot 32 | spring-boot-maven-plugin 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /eureka-server/src/main/java/cn/poile/ucs/eureka/EurekaServerApplication.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.eureka; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer; 6 | 7 | /** 8 | * 注册中心 9 | * @author: yaohw 10 | * @create: 2019-09-25 16:10 11 | **/ 12 | @EnableEurekaServer 13 | @SpringBootApplication 14 | public class EurekaServerApplication { 15 | 16 | public static void main(String[] args) { 17 | SpringApplication.run(EurekaServerApplication.class,args); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /eureka-server/src/main/java/cn/poile/ucs/eureka/config/WebSecurityConfig.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.eureka.config; 2 | 3 | import org.springframework.context.annotation.Configuration; 4 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 5 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 6 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 7 | 8 | /** 9 | * Security 配置 10 | * @author: yaohw 11 | * @create: 2019-09-25 17:27 12 | **/ 13 | @Configuration 14 | @EnableWebSecurity 15 | public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 16 | @Override 17 | protected void configure(HttpSecurity http) throws Exception { 18 | // 默认是开启,所以要关闭,否则其他服务无法注册到注册中心 19 | http.csrf().disable(); 20 | super.configure(http); 21 | } 22 | } 23 | 
-------------------------------------------------------------------------------- /eureka-server/src/main/resources/application-dev.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | security: 3 | user: 4 | name: admin 5 | password: admin 6 | application: 7 | name: eureka-server 8 | server: 9 | port: 9000 10 | 11 | eureka: 12 | client: 13 | registerWithEureka: false 14 | fetchRegistry: false 15 | serviceUrl: 16 | defaultZone: http://admin:admin@localhost:9000/eureka/ -------------------------------------------------------------------------------- /eureka-server/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: 4 | - dev -------------------------------------------------------------------------------- /images/Basic-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/Basic-2.png -------------------------------------------------------------------------------- /images/Basic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/Basic.png -------------------------------------------------------------------------------- /images/FixedPrincipalExtractior_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/FixedPrincipalExtractior_01.png -------------------------------------------------------------------------------- /images/OAuth2AuthenticationManager_01.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/OAuth2AuthenticationManager_01.png -------------------------------------------------------------------------------- /images/OAuth2AuthenticationProcessingFilter_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/OAuth2AuthenticationProcessingFilter_01.png -------------------------------------------------------------------------------- /images/RemoteTokenService_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/RemoteTokenService_01.png -------------------------------------------------------------------------------- /images/RemoteTokenService_config_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/RemoteTokenService_config_01.png -------------------------------------------------------------------------------- /images/TokenEnhancer_enhance_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/TokenEnhancer_enhance_01.png -------------------------------------------------------------------------------- /images/UserInfoTokenServices_02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/UserInfoTokenServices_02.png -------------------------------------------------------------------------------- /images/UserInfoTokenServices_03.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/UserInfoTokenServices_03.png -------------------------------------------------------------------------------- /images/cache.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/cache.png -------------------------------------------------------------------------------- /images/code-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/code-1.png -------------------------------------------------------------------------------- /images/code-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/code-2.png -------------------------------------------------------------------------------- /images/code-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/code-3.png -------------------------------------------------------------------------------- /images/code-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/code-4.png -------------------------------------------------------------------------------- /images/flow.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/flow.png -------------------------------------------------------------------------------- /images/implicit-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/implicit-2.png -------------------------------------------------------------------------------- /images/implicit2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/implicit2.png -------------------------------------------------------------------------------- /images/mobile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/mobile.png -------------------------------------------------------------------------------- /images/password.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/password.png -------------------------------------------------------------------------------- /images/refresh-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/copoile/springcloud-oauth2/45f62fef2ddf83d3cb32bce249b9f9a17025adb4/images/refresh-token.png -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | cn.poile.ucs 8 | springcloud-oauth2 9 | pom 10 | 1.0 11 | 12 | eureka-server 13 | auth-server 14 | 15 | 16 | 17 | org.springframework.boot 18 
| spring-boot-starter-parent 19 | 2.1.8.RELEASE 20 | 21 | 22 | UTF-8 23 | UTF-8 24 | 1.8 25 | 2.1.8.RELEASE 26 | Greenwich.SR3 27 | 28 | 29 | 1.18.10 30 | 31 | 32 | 2.6 33 | 34 | 3.0.0 35 | 36 | 37 | 38 | 39 | 40 | org.springframework.cloud 41 | spring-cloud-starter-netflix-eureka-client 42 | 43 | 44 | 45 | org.springframework.boot 46 | spring-boot-configuration-processor 47 | true 48 | 49 | 50 | 51 | org.springframework.boot 52 | spring-boot-starter-actuator 53 | 54 | 55 | 56 | org.projectlombok 57 | lombok 58 | ${lombok.version} 59 | 60 | 61 | 62 | org.springframework.boot 63 | spring-boot-starter-test 64 | test 65 | 66 | 67 | 68 | 69 | 70 | 71 | org.springframework.cloud 72 | spring-cloud-dependencies 73 | ${spring-cloud.version} 74 | pom 75 | import 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /resource-server/.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | -------------------------------------------------------------------------------- /resource-server/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | springcloud-oauth2 7 | cn.poile.ucs 8 | 1.0 9 | 10 | 4.0.0 11 | 12 | resources-server 13 | 14 | 15 | 16 | org.springframework.boot 17 | spring-boot-starter-web 18 | 19 | 20 | 21 | 22 | org.springframework.cloud 23 | spring-cloud-starter-oauth2 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | org.springframework.boot 32 | spring-boot-maven-plugin 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /resource-server/src/main/java/cn/poile/ucs/resources/ResourceServerApplication.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.resources; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import 
org.springframework.cloud.client.discovery.EnableDiscoveryClient; 6 | 7 | /** 8 | * 资源服务 9 | * @author: yaohw 10 | * @create: 2019-10-08 10:02 11 | **/ 12 | @SpringBootApplication 13 | @EnableDiscoveryClient 14 | public class ResourceServerApplication { 15 | 16 | public static void main(String[] args) { 17 | SpringApplication.run(ResourceServerApplication.class,args); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /resource-server/src/main/java/cn/poile/ucs/resources/config/CustomizePrincipalExtractor.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.resources.config; 2 | 3 | import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor; 4 | 5 | import java.util.Map; 6 | 7 | /** 8 | * 自定义principal提取器 9 | * @author: yaohw 10 | * @create: 2019-10-09 12:01 11 | **/ 12 | public class CustomizePrincipalExtractor implements PrincipalExtractor { 13 | 14 | /** 15 | * Extract the principal that should be used for the token. 
16 | * 17 | * @param map the source map 18 | * @return the extracted principal or {@code null} 19 | */ 20 | @Override 21 | public Object extractPrincipal(Map map) { 22 | // 这直接返回map本身,该map包含的认证中心对的principal的所有字段(key为字段名,value为字段值形式) 23 | // 这里也可以new一个user对象,将map对应字段值映射到user对象中返回user对象 24 | return map; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /resource-server/src/main/java/cn/poile/ucs/resources/config/ResourceServerConfig.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.resources.config; 2 | 3 | import lombok.extern.log4j.Log4j2; 4 | import org.springframework.beans.factory.annotation.Autowired; 5 | import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor; 6 | import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices; 7 | import org.springframework.context.annotation.Bean; 8 | import org.springframework.context.annotation.Configuration; 9 | import org.springframework.http.HttpMethod; 10 | import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 11 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 12 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 13 | import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; 14 | import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; 15 | import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; 16 | 17 | /** 18 | * @author: yaohw 19 | * @create: 2019-10-08 10:04 20 | **/ 21 | @Configuration 22 | @EnableResourceServer 23 | @EnableWebSecurity 24 | @EnableGlobalMethodSecurity(prePostEnabled = true) 25 | @Log4j2 26 | public class ResourceServerConfig extends 
ResourceServerConfigurerAdapter { 27 | 28 | private static final String RESOURCE_ID = "resource-server"; 29 | 30 | @Autowired 31 | private UserInfoTokenServices userInfoTokenServices; 32 | 33 | 34 | @Override 35 | public void configure(HttpSecurity http) throws Exception { 36 | http.authorizeRequests() 37 | // 配置不需要安全拦截url 38 | .antMatchers("/test/no_need_token").permitAll() 39 | .antMatchers(HttpMethod.OPTIONS).permitAll() 40 | .anyRequest().authenticated(); 41 | 42 | } 43 | 44 | /** 45 | * 这个是跟服务绑定的,注意要跟client配置一致,如果客户端没有,则不能访问 46 | * @param resources 47 | * @throws Exception 48 | */ 49 | @Override 50 | public void configure(ResourceServerSecurityConfigurer resources) throws Exception { 51 | resources.resourceId(RESOURCE_ID).stateless(true); 52 | userInfoTokenServices.setPrincipalExtractor(principalExtractor()); 53 | // 配置了user-info-uri默认使用的就是userInfoTokenServices,这个这么配置只是为了设置principalExtractor 54 | resources.tokenServices(userInfoTokenServices); 55 | } 56 | 57 | /** 58 | * 自定义Principal提取器,返回的Principal是一个map 59 | * 60 | * @return 61 | */ 62 | @Bean 63 | public PrincipalExtractor principalExtractor() { 64 | return new CustomizePrincipalExtractor(); 65 | } 66 | 67 | } 68 | -------------------------------------------------------------------------------- /resource-server/src/main/java/cn/poile/ucs/resources/controller/TestRestController.java: -------------------------------------------------------------------------------- 1 | package cn.poile.ucs.resources.controller; 2 | 3 | import lombok.extern.log4j.Log4j2; 4 | import org.springframework.security.access.prepost.PreAuthorize; 5 | import org.springframework.security.core.Authentication; 6 | import org.springframework.web.bind.annotation.GetMapping; 7 | import org.springframework.web.bind.annotation.ResponseBody; 8 | import org.springframework.web.bind.annotation.RestController; 9 | 10 | /** 11 | * @author: yaohw 12 | * @create: 2019-10-08 11:37 13 | **/ 14 | @RestController 15 | @Log4j2 16 | public class 
TestRestController { 17 | 18 | 19 | /** 20 | * 不需要token访问测试 21 | * @return 22 | */ 23 | @GetMapping("/test/no_need_token") 24 | public @ResponseBody String test() { 25 | return "no_need_token"; 26 | } 27 | 28 | /** 29 | * 需要需要token访问接口测试 30 | * @return 31 | */ 32 | @GetMapping("/test/need_token") 33 | public @ResponseBody String test2(Authentication authentication) { 34 | log.info("{}",authentication); 35 | // 由于自定义的principal返回的是包含全部user字段的map 36 | Object principal = authentication.getPrincipal(); 37 | return "need_token"; 38 | } 39 | 40 | /** 41 | * 需要需要管理员权限 42 | * @return 43 | */ 44 | @PreAuthorize("hasAuthority('admin')") 45 | @GetMapping("/test/need_admin") 46 | public @ResponseBody String admin() { 47 | return "need_admin"; 48 | } 49 | 50 | } 51 | -------------------------------------------------------------------------------- /resource-server/src/main/resources/application-dev.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | application: 3 | name: resource-server 4 | 5 | server: 6 | port: 8003 7 | 8 | #服务器发现注册配置 9 | eureka: 10 | client: 11 | serviceUrl: 12 | #配置服务中心(可配置多个,用逗号隔开) 13 | defaultZone: http://admin:admin@localhost:9000/eureka/ 14 | 15 | ##安全配置## 16 | security: 17 | oauth2: 18 | resource: 19 | id: resource-server 20 | ## user-info-uri和token-info-uri二选择即可 21 | ##如果配置了user-info-uri,该资源服务器使用userInfoTokenServices远程调用认证中心接口,通过认证中心的OAuth2AuthenticationProcessingFilter完成验证工作,一般设置user-info-uri即可 22 | user-info-uri: http://127.0.0.1:8001/user 23 | prefer-token-info: false 24 | ## 该资源服务器使用RemoteTokenServices远程调用认证中心接口,注意一点就是如果使用token-info-uri那么就必须设置上clientId和clientSecret,通过CheckTokenEndpoint完成验证工作 25 | #token-info-uri: http://127.0.0.1:8001/oauth/check_token 26 | #client: 27 | #client-secret: yaohw 28 | #client-id: yaohw 29 | 30 | -------------------------------------------------------------------------------- /resource-server/src/main/resources/application.yml: 
-------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: 4 | - dev -------------------------------------------------------------------------------- /resource-server/target/classes/application-dev.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | application: 3 | name: resource-server 4 | 5 | server: 6 | port: 8003 7 | 8 | #服务器发现注册配置 9 | eureka: 10 | client: 11 | serviceUrl: 12 | #配置服务中心(可配置多个,用逗号隔开) 13 | defaultZone: http://admin:admin@localhost:9000/eureka/ 14 | 15 | ##安全配置## 16 | security: 17 | oauth2: 18 | resource: 19 | id: resource-server 20 | ## user-info-uri和token-info-uri二选择即可 21 | ##如果配置了user-info-uri,该资源服务器使用userInfoTokenServices远程调用认证中心接口,通过认证中心的OAuth2AuthenticationProcessingFilter完成验证工作,一般设置user-info-uri即可 22 | user-info-uri: http://127.0.0.1:8001/user 23 | prefer-token-info: false 24 | ## 该资源服务器使用RemoteTokenServices远程调用认证中心接口,注意一点就是如果使用token-info-uri那么就必须设置上clientId和clientSecret,通过CheckTokenEndpoint完成验证工作 25 | #token-info-uri: http://127.0.0.1:8001/oauth/check_token 26 | #client: 27 | #client-secret: yaohw 28 | #client-id: yaohw 29 | 30 | -------------------------------------------------------------------------------- /resource-server/target/classes/application.yml: -------------------------------------------------------------------------------- 1 | spring: 2 | profiles: 3 | active: 4 | - dev -------------------------------------------------------------------------------- /source_note/OAuth2ClientAuthenticationProcessingFilter.java: -------------------------------------------------------------------------------- 1 | @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException { OAuth2AccessToken accessToken; try { // 获取当前token,需要注意一点这个虽然用到restTemplate,但实际上这里并没有发起远程调度,这里restTemplate是OAuth2RestTemplate的实例 // 
一路点进去你会发现他只是从上下文获取到accessToken accessToken = restTemplate.getAccessToken(); } catch (OAuth2Exception e) { BadCredentialsException bad = new BadCredentialsException("Could not obtain access token", e); publish(new OAuth2AuthenticationFailureEvent(bad)); throw bad; } try { // 这步是校验token的关键,这里tokenServices是ResourceServerTokenServices实例,这里做怎么样的操作取决是注入的ResourceServerTokenServices // 默认情况下ResourceServerTokenServices的实例DefaultTokenServices // 认证中心默认的就是DefaultTokenServices,这个类做的就是从OAuth2AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue) // 我们配置中心配置的tokenStore的是RedisTokenStore,所以实际上她做的就是从redis中读取出accessToken相关信息 // 上面说的DefaultTokenServices是认证中心token的处理,资源服务下: // 如果配置文件中配置的user-info-uri则ResourceServerTokenServices注入的实例将是UserInfoTokenServices的实例 // 如果配置token-info-uri则ResourceServerTokenServices注入的实例将是RemoteTokenServices // 如果两者都配置了,优先UserInfoTokenServices // UserInfoTokenServices和RemoteTokenServices做的事都是远程调度认证中心相应的接口完成token的校验 // 两者主要区别在于RemoteTokenServices需要配置clientId和clientSecret // RemoteTokenServices中有这么一句话:Null Client ID or Client Secret detected. Endpoint that requires authentication will reject request with 401 error. 
// 具体请查看RemoteTokenServices和UserInfoTokenServices OAuth2Authentication result = tokenServices.loadAuthentication(accessToken.getValue()); if (authenticationDetailsSource!=null) { request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, accessToken.getValue()); request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, accessToken.getTokenType()); result.setDetails(authenticationDetailsSource.buildDetails(request)); } publish(new AuthenticationSuccessEvent(result)); return result; } catch (InvalidTokenException e) { BadCredentialsException bad = new BadCredentialsException("Could not obtain user details from token", e); publish(new OAuth2AuthenticationFailureEvent(bad)); throw bad; } } -------------------------------------------------------------------------------- /source_note/RoleVoter.java: -------------------------------------------------------------------------------- 1 | /*** 2 | * 方法级-权限校验 3 | */ 4 | public int vote(Authentication authentication, Object object, 5 | Collection attributes) { 6 | // 这里的Authentication是经过OAuth2ClientAuthenticationProcessingFilter过滤的Authentication 7 | // 如果等于null 返回拒绝编码 8 | if (authentication == null) { 9 | return ACCESS_DENIED; 10 | } 11 | // 赋值弃用编码,也就是我们方法那里没加有对应的用户权限注解 12 | int result = ACCESS_ABSTAIN; 13 | // 取出token中的权限列表 14 | Collection authorities = extractAuthorities(authentication); 15 | 16 | // 17 | for (ConfigAttribute attribute : attributes) { 18 | if (this.supports(attribute)) { 19 | result = ACCESS_DENIED; 20 | 21 | // Attempt to find a matching granted authority 22 | for (GrantedAuthority authority : authorities) { 23 | if (attribute.getAttribute().equals(authority.getAuthority())) { 24 | return ACCESS_GRANTED; 25 | } 26 | } 27 | } 28 | } 29 | 30 | return result; 31 | } -------------------------------------------------------------------------------- /source_note/TokenEndpoint_source_note.java: -------------------------------------------------------------------------------- 1 | 2 | 
/**
 * Annotated copy of the token endpoint handler: turns a POST to {@code /oauth/token}
 * into an access token by delegating to the configured token granter.
 *
 * <p>Checks performed before a token is granted, in order: the caller must already be
 * authenticated as a client ({@code principal} is an {@code Authentication}); the client id
 * in the token request must equal the authenticated client's id; the requested scope is
 * validated against the loaded client; a grant type must be present; the implicit grant is
 * refused here.
 *
 * <p>NOTE(review): the generic type arguments on the return type, on {@code parameters} and
 * on {@code Collections. emptySet()} appear to have been lost when this note was captured;
 * confirm against the framework source before compiling.
 *
 * @param principal  the authenticated caller; anything that is not an {@code Authentication}
 *                   is rejected
 * @param parameters the request parameters of the token request
 * @return the HTTP response built by {@code getResponse(token)}
 * @throws HttpRequestMethodNotSupportedException declared by the signature; not thrown by the
 *         body shown here
 */
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public ResponseEntity postAccessToken(Principal principal, @RequestParam
Map parameters) throws HttpRequestMethodNotSupportedException {

    // Client authentication must already have happened in a filter before this handler runs;
    // an unauthenticated caller never reaches the granter.
    if (!(principal instanceof Authentication)) {
        throw new InsufficientAuthenticationException(
                "There is no client authentication. Try adding an appropriate authentication filter.");
    }

    // Resolve the clientId from the authenticated principal of the current request.
    String clientId = getClientId(principal);

    // Get the current ClientDetailsService (the one configured in AuthorizationConfig) and use
    // the clientId to load the client details from the database.
    ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId);

    // Wrap the request parameters in a TokenRequest.
    TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
    // The authenticated clientId must match the clientId carried by the token request, so a
    // client cannot authenticate as itself and then ask for a token in another client's name.
    if (clientId != null && !clientId.equals("")) {
        // Only validate the client details if a client authenticated during this
        // request.
        if (!clientId.equals(tokenRequest.getClientId())) {
            // double check to make sure that the client ID in the token request is the same as that in the
            // authenticated client
            throw new InvalidClientException("Given client ID does not match authenticated client");
        }
    }
    // Validate the requested scope against the loaded client.
    if (authenticatedClient != null) {
        oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
    }
    if (!StringUtils.hasText(tokenRequest.getGrantType())) {
        throw new InvalidRequestException("Missing grant type");
    }
    // The implicit grant is refused here: it is not served by this endpoint but by
    // /oauth/authorize in AuthorizationEndpoint.
    if (tokenRequest.getGrantType().equals("implicit")) {
        throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
    }
    // Authorization-code request (this is the isAuthCodeRequest branch, not the implicit one):
    // any scope sent with the request is cleared. According to the author's notes, the client
    // information was cached when the code was first obtained and is read back from that cache
    // to complete the request later.
    if (isAuthCodeRequest(parameters)) {
        // The scope was requested or determined during the authorization step
        if (!tokenRequest.getScope().isEmpty()) {
            logger.debug("Clearing scope of incoming token request");
            tokenRequest.setScope(Collections. emptySet());
        }
    }
    // Refresh-token request.
    if (isRefreshTokenRequest(parameters)) {
        // A refresh token has its own default scopes, so we should ignore any added by the factory here.
        tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
    }
    // This step is the key to the whole authentication. Author's walkthrough of the flow:
    //
    // 1. The granter matching the request's grantType is selected, e.g.
    //    ResourceOwnerPasswordTokenGranter for the password grant.
    // 2. That AbstractTokenGranter's grant method runs and, after a series of calls, builds the
    //    matching AbstractAuthenticationToken in getOAuth2Authentication, e.g.
    //    UsernamePasswordAuthenticationToken.
    // 3. The authentication manager (the AuthenticationManager configured in AuthorizationConfig)
    //    calls authenticationManager.authenticate(abstractAuthenticationToken).
    // 4. AbstractAuthenticationToken and AuthenticationProvider correspond one-to-one, e.g.
    //    UsernamePasswordAuthenticationToken and DaoAuthenticationProvider;
    //    authenticationManager.authenticate() finds the provider for the token it is given.
    // 5. The real authentication logic lives in the AuthenticationProvider: for the password
    //    grant, DaoAuthenticationProvider looks the user up by username, then checks that the
    //    password matches and whether the account is locked, expired and so on.
    //    See DaoAuthenticationProvider and the AbstractUserDetailsAuthenticationProvider it extends.
    //
    // With that understood, a custom grantType can be added: define a class extending
    // AbstractTokenGranter and override getOAuth2Authentication, which uses an
    // AbstractAuthenticationToken and an AuthenticationProvider; then write one class extending
    // each of those (rough outline only, see the code for details).
    // NOTE(review): for a custom grant type the credential check then rests entirely on the
    // custom AuthenticationProvider; confirm it rejects missing and expired credentials.
    OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
    if (token == null) {
        throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
    }
    // Nothing special here: wrap the token in the HTTP response body.
    return getResponse(token);

}