spring-security登录流程和集成JWT功能

准备工作

要想让权限控制生效,需要在启动类上添加注解

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// 开启全局权限控制
@EnableGlobalMethodSecurity(securedEnabled=true)
@SpringBootApplication
public class AppApplication {
    public static void main(String[] args) {
        SpringApplication.run(AppApplication.class, args);
    }
}

一、基本登录流程

  1. 编写一个配置文件 SecurityConfig.java

    package com.wesdata.com.config;
    import com.wesdata.com.filter.JwtAuthenticationTokenFilter;
    import com.wesdata.com.handler.MyAccessDeniedHandler;
    import com.wesdata.com.handler.MyAuthenticationEntryPoint;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.web.AuthenticationEntryPoint;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    }
  2. 配置登录访问路由

    spring-boot默认路径为/login,可以根据需要自己设置,当访问www.xxx.com/login的时候,即为进行登录

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // 配置自定义登录页面
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 
        }
    }
    
    
  3. 配置处理登录的逻辑

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        /*
        // 配置自定义登录页面
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 
        }
        */
        
        @Autowired
        UserDetailsService userDetailsService;
        
        // 当进行登录时,spring会调用这里设置的userDetailsService的某个方法,这个方法名称是约定好的
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            
            auth.userDetailsService(userDetailsService)   // 指定使用 userDetailsService 服务来获取用户信息
                .passwordEncoder(passwordEncoder());    // 设置加密方式
        }
        
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }
  4. 编写userDetailsService

    大致思路就是,spring调用loadUserByUsername方法,然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中,根据传递的name字段到数据库查询用户信息,如果查不到用户,直接抛出错误,如果查询到用户信息,则把用户名,密码,权限包装到User中。

    package com.wesdata.com.service;
    
    import com.wesdata.com.bean.Employee;
    import com.wesdata.com.mapper.EmployeeMapper;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.stereotype.Service;
    
    import java.util.*;
    
    // 注册一个service
    @Service("userDetailsService")
    public class MyUserDetailService implements UserDetailsService {
    
        @Autowired
        EmployeeMapper employeeMapper;
        
        // 主要作用就是根据名字获取用户信息,然后构建一个User对象,提供给调用者
        @Override
        public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
    
            // 从数据库根据name查询用户信息
            Employee employee = employeeMapper.findEmpByName(name);
            if (employee == null) {
                throw new UsernameNotFoundException("用户名" + name + "不存在");
            }
    
            // 设置加密方式
            BCryptPasswordEncoder passwordEncoder =  new BCryptPasswordEncoder();
            String password = passwordEncoder.encode(employee.getPassword());
    
            // 权限是一个集合
            List auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin");
    
            // 把用户名、密码、权限返给调用者,系统会自己对密码进行比较,注意,系统只会对密码进行比较,所以这里name传任何值都能通过
            return new User(employee.getName(), password, auths);
        }
    }
    

二、集成JWT

集成jwt就不能走spring的自动登录流程了,整体思路就是,手动调用系统的认证功能,认证成功,生成token返回给前端,前端对token进行缓存,当请求其他api时,将token通过请求头携带上。在过滤器中,对token进行检查。

  1. 配置

    • 对登录路径设置无需授权即可访问
    • 禁用session
    • 将token过滤器插入到过滤器链中
    • 将登录管理器注入到IOC容器中
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
    JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
    
    
    // 配置自定义登录页面
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                // ==1.权限设置==
                .antMatchers(
                        "/user/login"
                )
                /**
                 * 对前面路由设置 访问权限
                 * anonymous:仅限匿名用户访问
                 * authenticated: 仅限认证的用户才能访问
                 * permitAll: 所有用户都可以方位
                 * */
                .permitAll()
                .and().csrf().disable() // 开启跨域访问
                // ==2.禁用session==
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); 

        // ==3.配置过滤日==
        // 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面
        http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }
    
    // == 4.将登录管理器 注入IOC容器中 ==
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception{
        return super.authenticationManagerBean();
    }
}
  1. 编写登录控制器

    package com.wesdata.com.controller;
    
    import com.wesdata.com.bean.User;
    import com.wesdata.com.domain.ResponseResult;
    import com.wesdata.com.mapper.UserMapper;
    import com.wesdata.com.utils.JwtUtil;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.annotation.AuthenticationPrincipal;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.*;
    
    import java.util.HashMap;
    import java.util.Map;
    import java.util.Objects;
    
    import com.alibaba.fastjson.JSONObject;
    
    @RequestMapping("user")
    @RestController
    public class UserController {
    
        @Autowired
        AuthenticationManager authenticationManager;
    
        @Autowired
        UserMapper userMapper;
    
        @RequestMapping("login")
        public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) {
            
            // 在这里进行主动登录操作
            UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password);
            Authentication authentication = authenticationManager.authenticate(usernamePasswordToken);
            if (Objects.isNull(authentication)) {
                return new ResponseResult("登录失败");
            } else {
                // "登录成功";
                String token = JwtUtil.createJwt(name , "15");
                System.out.println(token);
                Map data = new HashMap<>();
                data.put("token", token);
                return ResponseResult.success(data);
            }
        }
    
        @RequestMapping("logout")
        public String logout() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // UsernamePasswordAuthenticationToken的第一个参数
            auth.getPrincipal();
            return "logout success";
        }
    }
    
  2. 编写token过滤器

    package com.wesdata.com.filter;
    
    import com.wesdata.com.utils.JwtUtil;
    import io.jsonwebtoken.Claims;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.OncePerRequestFilter;
    
    import javax.servlet.FilterChain;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Objects;
    
    @Component
    public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain)
        {
            String token = request.getHeader("token");
    
            // 对于不带token的请求,直接进入下一个过滤器
            if (Objects.isNull(token)) {
                try {
                    filterChain.doFilter(request, response);
                } catch (Exception e) {
                    System.out.println(e.getMessage());
                }
                return;
            }
    
            Claims body = JwtUtil.parseToken(token);
            String name = body.get("userName").toString();
            String id = body.get("userId").toString();
            System.out.println(name);
            System.out.println(id);
    
            // 权限列表
            List authorities = new ArrayList<>();
            authorities.add( new SimpleGrantedAuthority("student"));
    
            // 这里非常关键
            UsernamePasswordAuthenticationToken authenticationToken =
                    new UsernamePasswordAuthenticationToken(name, null, authorities);
    
            SecurityContextHolder
                    .getContext()
                    .setAuthentication(authenticationToken);
            
            try {
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                System.out.println(e.getMessage());
            }
        }
    }
    

你可能感兴趣的:(javaspringboot)