spring-security登录流程和集成JWT功能

准备工作 要想让权限控制生效,需要在启动类上添加注解

import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; // 开启全局权限控制 @EnableGlobalMethodSecurity(securedEnabled=true) @SpringBootApplication public class AppApplication { public static void main(String[] args) { SpringApplication.run(AppApplication.class, args); } }

一、基本登录流程
  1. 编写一个配置文件 SecurityConfig.java
    package com.wesdata.com.config; import com.wesdata.com.filter.JwtAuthenticationTokenFilter; import com.wesdata.com.handler.MyAccessDeniedHandler; import com.wesdata.com.handler.MyAuthenticationEntryPoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter {}

  2. 配置登录访问路由
    spring-boot默认路径为/login,可以根据需要自己设置,当访问www.xxx.com/login的时候,即为进行登录
    @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { // 配置自定义登录页面 @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 } }

  3. 配置处理登录的逻辑
    @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { /* // 配置自定义登录页面 @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 } */@Autowired UserDetailsService userDetailsService; // 当进行登录时,spring会调用这里设置的userDetailsService的某个方法,这个方法名称是约定好的 protected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService)// 指定使用 userDetailsService 服务来获取用户信息 .passwordEncoder(passwordEncoder()); // 设置加密方式 }@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }

  4. 编写userDetailsService
    【spring-security登录流程和集成JWT功能】大致思路就是,spring调用loadUserByUsername方法,然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中,根据传递的name字段到数据库查询用户信息,如果查不到用户,直接抛出错误,如果查询到用户信息,则把用户名,密码,权限包装到User中。
    package com.wesdata.com.service; import com.wesdata.com.bean.Employee; import com.wesdata.com.mapper.EmployeeMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.stereotype.Service; import java.util.*; // 注册一个service @Service("userDetailsService") public class MyUserDetailService implements UserDetailsService {@Autowired EmployeeMapper employeeMapper; // 主要作用就是根据名字获取用户信息,然后构建一个User对象,提供给调用者 @Override public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {// 从数据库根据name查询用户信息 Employee employee = employeeMapper.findEmpByName(name); if (employee == null) { throw new UsernameNotFoundException("用户名" + name + "不存在"); }// 设置加密方式 BCryptPasswordEncoder passwordEncoder =new BCryptPasswordEncoder(); String password = passwordEncoder.encode(employee.getPassword()); // 权限是一个集合 List auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin"); // 把用户名、密码、权限返给调用者,系统会自己对密码进行比较,注意,系统只会对密码进行比较,所以这里name传任何值都能通过 return new User(employee.getName(), password, auths); } }

二、集成JWT 集成jwt就不能走spring的自动登录流程了,整体思路就是,手动调用系统的认证功能,认证成功,生成token返回给前端,前端对token进行缓存,当请求其他api时,将token通过请求头携带上。在过滤器中,对token进行检查。
  1. 配置
    • 对登录路径设置无需授权即可访问
    • 禁用session
    • 将token过滤器插入到过滤器链中
    • 将登录管理器注入到IOC容器中
@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter; // 配置自定义登录页面 @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() // ==1.权限设置== .antMatchers( "/user/login" ) /** * 对前面路由设置 访问权限 * anonymous:仅限匿名用户访问 * authenticated: 仅限认证的用户才能访问 * permitAll: 所有用户都可以方位 * */ .permitAll() .and().csrf().disable() // 开启跨域访问 // ==2.禁用session== .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // ==3.配置过滤日== // 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面 http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); }// == 4.将登录管理器 注入IOC容器中 == @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception{ return super.authenticationManagerBean(); } }

  1. 编写登录控制器
    package com.wesdata.com.controller; import com.wesdata.com.bean.User; import com.wesdata.com.domain.ResponseResult; import com.wesdata.com.mapper.UserMapper; import com.wesdata.com.utils.JwtUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.annotation.Secured; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.*; import java.util.HashMap; import java.util.Map; import java.util.Objects; import com.alibaba.fastjson.JSONObject; @RequestMapping("user") @RestController public class UserController {@Autowired AuthenticationManager authenticationManager; @Autowired UserMapper userMapper; @RequestMapping("login") public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) {// 在这里进行主动登录操作 UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password); Authentication authentication = authenticationManager.authenticate(usernamePasswordToken); if (Objects.isNull(authentication)) { return new ResponseResult("登录失败"); } else { // "登录成功"; String token = JwtUtil.createJwt(name , "15"); System.out.println(token); Map data = https://www.it610.com/article/new HashMap<>(); data.put("token", token); return ResponseResult.success(data); } }@RequestMapping("logout") public String logout() { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); // UsernamePasswordAuthenticationToken的第一个参数 auth.getPrincipal(); return "logout success"; } }

  2. 编写token过滤器
    package com.wesdata.com.filter; import com.wesdata.com.utils.JwtUtil; import io.jsonwebtoken.Claims; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Objects; @Component public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {@Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) { String token = request.getHeader("token"); // 对于不带token的请求,直接进入下一个过滤器 if (Objects.isNull(token)) { try { filterChain.doFilter(request, response); } catch (Exception e) { System.out.println(e.getMessage()); } return; }Claims body = JwtUtil.parseToken(token); String name = body.get("userName").toString(); String id = body.get("userId").toString(); System.out.println(name); System.out.println(id); // 权限列表 List authorities = new ArrayList<>(); authorities.add( new SimpleGrantedAuthority("student")); // 这里非常关键 UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(name, null, authorities); SecurityContextHolder .getContext() .setAuthentication(authenticationToken); try { filterChain.doFilter(request, response); } catch (Exception e) { System.out.println(e.getMessage()); } } }

    推荐阅读