Swagger整合Jwt授权配置
欢迎关注博主公众号「Java大师」, 专注于分享Java领域干货文章http://www.javaman.cn/sb2/swagger-jwt
一、Swagger入门
1、什么是Swagger
Swagger 是一个规范和完整的框架,用于生成、描述、调用和可视化 RESTful 风格的 Web 服务,它有着如下的优点:
1)及时性 (接口变更后,能够及时准确地通知相关前后端开发人员)
2)规范性 (并且保证接口的规范性,如接口的地址,请求方式,参数及响应格式和错误信息)
3)一致性 (接口信息一致,不会出现因开发人员拿到的文档版本不一致,而出现分歧)
4)可测性 (直接在接口文档上进行测试,以方便理解业务)
2、Swagger生成文档
1)添加pom.xml依赖
io.springfox
springfox-swagger2
2.7.0
io.springfox
springfox-swagger-ui
2.7.0
2)创建swagger配置文件
@Configuration
@EnableSwagger2
public class Swagger2Config {
@Bean
public Docket apiConfig() {
//创建基于Swagger2的配置文件
return new Docket(DocumentationType.SWAGGER_2)
// 调用apiInfo方法,创建一个ApiInfo实例,里面是展示在文档页面信息内容
.apiInfo(apiInfo());
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder()
//标题
.title("接口文档")
//描述
.description("接口文档")
//版本
.version("1.0")
//作者信息
.contact(new Contact("java大师", "http://localhost:8081", "[email protected]"))
.build();
}
}
3)启动程序
访问路径:http://localhost:8081/swagger-ui.html ,出现生成的文档页面。
此为原生界面,很难看,所以我们需要引入swagger-bootstrap-ui,也就是Knife4j的前身
4)使用Knife4j
a)添加pom.xml依赖
com.github.xiaoymin
knife4j-spring-boot-starter
2.0.7
b)开启Swagger2配置
import java.util.ArrayList;
import java.util.List;
@Configuration
@EnableSwagger2
public class Swagger2Config {
@Bean
public Docket createRestApi() {
return new Docket(DocumentationType.SWAGGER_2)
.pathMapping("/")
.apiInfo(apiInfo())
.select()
//swagger要扫描的包路径
.apis(RequestHandlerSelectors.basePackage("com.dsblog.server.controller"))
.paths(PathSelectors.any())
.build()
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder().title("dsblog接口文档")
.contact(new Contact("java大师","http://localhost:8081/doc.html","[email protected]"))
.version("1.0").description("dsblog接口文档").build();
}
b)重启服务
访问地址:http://localhost:8081/doc.html,这个ui界面看起来就更美观,更符合国人的使用习惯
二、Swagger整合Jwt
1、添加pom.xml依赖
4.0.0
com.dsblog
dsblog
0.0.1-SNAPSHOT
com.dsblog
dsblog-server
0.0.1-SNAPSHOT
UTF-8
1.8
1.8
org.springframework.boot
spring-boot-starter-web
org.projectlombok
lombok
true
mysql
mysql-connector-java
runtime
com.baomidou
mybatis-plus-boot-starter
3.4.0
org.freemarker
freemarker
2.3.31
com.baomidou
mybatis-plus-generator
3.3.2
io.swagger
swagger-annotations
1.5.20
io.springfox
springfox-swagger2
2.7.0
io.springfox
springfox-swagger-ui
2.7.0
com.github.xiaoymin
knife4j-spring-boot-starter
2.0.7
org.springframework.boot
spring-boot-starter-security
2.3.6.RELEASE
io.jsonwebtoken
jjwt
0.9.1
2、创建Swagger2Config配置文件
package com.dsblog.server.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.*;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;
import java.util.ArrayList;
import java.util.List;
@Configuration
@EnableSwagger2
public class Swagger2Config {
@Bean
public Docket createRestApi() {
return new Docket(DocumentationType.SWAGGER_2)
.pathMapping("/")
.apiInfo(apiInfo())
.select()
//swagger要扫描的包路径
.apis(RequestHandlerSelectors.basePackage("com.dsblog.server.controller"))
.paths(PathSelectors.any())
.build()
.securityContexts(securityContexts())
.securitySchemes(securitySchemes());
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder().title("dsblog接口文档")
.contact(new Contact("java大师","http://localhost:8081/doc.html","[email protected]"))
.version("1.0").description("dsblog接口文档").build();
}
private List securityContexts() {
//设置需要登录认证的路径
List result = new ArrayList<>();
result.add(getContextByPath("/.*"));
return result;
}
//通过pathRegex获取SecurityContext对象
private SecurityContext getContextByPath(String pathRegex) {
return SecurityContext.builder()
.securityReferences(defaultAuth())
.forPaths(PathSelectors.regex(pathRegex))
.build();
}
//默认为全局的SecurityReference对象
private List defaultAuth() {
List result = new ArrayList<>();
AuthorizationScope authorizationScope = new AuthorizationScope("global",
"accessEverything");
AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
authorizationScopes[0] = authorizationScope;
result.add(new SecurityReference("Authorization", authorizationScopes));
return result;
}
private List securitySchemes() {
//设置请求头信息
List result = new ArrayList<>();
ApiKey apiKey = new ApiKey("Authorization", "Authorization", "header");
result.add(apiKey);
return result;
}
}
3、创建SecurityConfig配置文件
package com.dsblog.server.config.security;
import com.dsblog.server.model.User;
import com.dsblog.server.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private IUserService userService;
@Autowired
private RestAuthorizationEntryPoint restAuthorizationEntryPoint;
@Autowired
private RestAccessDeniedHandler restAccessDeniedHandler;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
}
//主要的配置文件,antMatchers匹配的路径,全部忽略,不进行JwtToken的认证
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(
"/login",
"/logout",
"/css/**",
"/js/**",
"/index.html",
"favicon.ico",
"/doc.html",
"/webjars/**",
"/swagger-resources/**",
"/v2/api-docs/**"
);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.headers()
.cacheControl();
//添加Jwt登录授权拦截器
http.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
//添加未登录和未授权结果返回
http.exceptionHandling()
.accessDeniedHandler(restAccessDeniedHandler)
.authenticationEntryPoint(restAuthorizationEntryPoint);
}
@Override
@Bean
public UserDetailsService userDetailsService(){
return username -> {
User user = userService.getUserByUsername(username);
if(null!=user){
return user;
}
return null;
};
}
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Bean
public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){
return new JwtAuthenticationTokenFilter();
}
}
4、创建测试Controller,其中/login登录和/logout退出方法不需要Authorize验证,和上面的重写方法configure(WebSecurity web)匹配,user/info方法需要Authorize验证才能进行访问
package com.dsblog.server.controller;
import com.dsblog.server.model.ResultBean;
import com.dsblog.server.model.User;
import com.dsblog.server.model.UserLoginParam;
import com.dsblog.server.service.IUserService;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
@Api(tags = "LoginController")
@RestController
public class LoginController {
@Autowired
private IUserService userService;
@ApiOperation("登录")
@PostMapping("/login")
public ResultBean login(@RequestBody UserLoginParam userLoginParam, HttpServletRequest request){
return userService.login(userLoginParam.getUsername(),userLoginParam.getPassword(),request);
}
@ApiOperation("退出")
@PostMapping("/logout")
public ResultBean logout(){
return ResultBean.success("退出成功!");
}
@ApiOperation("获取当前登录用户")
@GetMapping("/user/info")
public User getUserInfo(Principal principal){
if(null == principal){
return null;
}
String username = principal.getName();
User user = userService.getUserByUsername(username);
user.setPassword(null);
return user;
}
}
5、重启程序,输入http://localhost:8081/doc.html
6、测试
1)首先调用/user/info,会看到提示未登录,请先登录。需要登录授权才能够进行方法的测试
2)接着调用登录请求,输入用户名和密码获取JwtToken
3)获取token后,监测网络,发现会将Authorization放入请求头部发送到后台
4)Authorize加入Bearer和JwtToken
5)携带token发送到后台获取用户信息,验证通过
