准备工作
要想让权限控制生效,需要在启动类上添加注解
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
// 开启全局权限控制
@EnableGlobalMethodSecurity(securedEnabled=true)
@SpringBootApplication
public class AppApplication {
public static void main(String[] args) {
SpringApplication.run(AppApplication.class, args);
}
}
一、基本登录流程
编写一个配置文件 SecurityConfig.java
package com.wesdata.com.config; import com.wesdata.com.filter.JwtAuthenticationTokenFilter; import com.wesdata.com.handler.MyAccessDeniedHandler; import com.wesdata.com.handler.MyAuthenticationEntryPoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { }
配置登录访问路由
spring-boot默认路径为/login,可以根据需要自己设置,当访问www.xxx.com/login的时候,即为进行登录
@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { // 配置自定义登录页面 @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 } }
配置处理登录的逻辑
@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { /* // 配置自定义登录页面 @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 } */ @Autowired UserDetailsService userDetailsService; // 当进行登录时,spring会调用这里设置的userDetailsService的某个方法,这个方法名称是约定好的 protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService) // 指定使用 userDetailsService 服务来获取用户信息 .passwordEncoder(passwordEncoder()); // 设置加密方式 } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }
编写userDetailsService
大致思路就是,spring调用loadUserByUsername方法,然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中,根据传递的name字段到数据库查询用户信息,如果查不到用户,直接抛出错误,如果查询到用户信息,则把用户名,密码,权限包装到User中。
package com.wesdata.com.service; import com.wesdata.com.bean.Employee; import com.wesdata.com.mapper.EmployeeMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.stereotype.Service; import java.util.*; // 注册一个service @Service("userDetailsService") public class MyUserDetailService implements UserDetailsService { @Autowired EmployeeMapper employeeMapper; // 主要作用就是根据名字获取用户信息,然后构建一个User对象,提供给调用者 @Override public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException { // 从数据库根据name查询用户信息 Employee employee = employeeMapper.findEmpByName(name); if (employee == null) { throw new UsernameNotFoundException("用户名" + name + "不存在"); } // 设置加密方式 BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); String password = passwordEncoder.encode(employee.getPassword()); // 权限是一个集合 List
auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin"); // 把用户名、密码、权限返给调用者,系统会自己对密码进行比较,注意,系统只会对密码进行比较,所以这里name传任何值都能通过 return new User(employee.getName(), password, auths); } }
二、集成JWT
集成jwt就不能走spring的自动登录流程了,整体思路就是,手动调用系统的认证功能,认证成功,生成token返回给前端,前端对token进行缓存,当请求其他api时,将token通过请求头携带上。在过滤器中,对token进行检查。
配置
- 对登录路径设置无需授权即可访问
- 禁用session
- 将token过滤器插入到过滤器链中
- 将登录管理器注入到IOC容器中
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
// 配置自定义登录页面
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// ==1.权限设置==
.antMatchers(
"/user/login"
)
/**
* 对前面路由设置 访问权限
* anonymous:仅限匿名用户访问
* authenticated: 仅限认证的用户才能访问
* permitAll: 所有用户都可以方位
* */
.permitAll()
.and().csrf().disable() // 开启跨域访问
// ==2.禁用session==
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// ==3.配置过滤日==
// 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面
http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
// == 4.将登录管理器 注入IOC容器中 ==
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception{
return super.authenticationManagerBean();
}
}
编写登录控制器
package com.wesdata.com.controller; import com.wesdata.com.bean.User; import com.wesdata.com.domain.ResponseResult; import com.wesdata.com.mapper.UserMapper; import com.wesdata.com.utils.JwtUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.annotation.Secured; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.*; import java.util.HashMap; import java.util.Map; import java.util.Objects; import com.alibaba.fastjson.JSONObject; @RequestMapping("user") @RestController public class UserController { @Autowired AuthenticationManager authenticationManager; @Autowired UserMapper userMapper; @RequestMapping("login") public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) { // 在这里进行主动登录操作 UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password); Authentication authentication = authenticationManager.authenticate(usernamePasswordToken); if (Objects.isNull(authentication)) { return new ResponseResult("登录失败"); } else { // "登录成功"; String token = JwtUtil.createJwt(name , "15"); System.out.println(token); Map
data = new HashMap<>(); data.put("token", token); return ResponseResult.success(data); } } @RequestMapping("logout") public String logout() { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); // UsernamePasswordAuthenticationToken的第一个参数 auth.getPrincipal(); return "logout success"; } } 编写token过滤器
package com.wesdata.com.filter; import com.wesdata.com.utils.JwtUtil; import io.jsonwebtoken.Claims; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Objects; @Component public class JwtAuthenticationTokenFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) { String token = request.getHeader("token"); // 对于不带token的请求,直接进入下一个过滤器 if (Objects.isNull(token)) { try { filterChain.doFilter(request, response); } catch (Exception e) { System.out.println(e.getMessage()); } return; } Claims body = JwtUtil.parseToken(token); String name = body.get("userName").toString(); String id = body.get("userId").toString(); System.out.println(name); System.out.println(id); // 权限列表 List
authorities = new ArrayList<>(); authorities.add( new SimpleGrantedAuthority("student")); // 这里非常关键 UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(name, null, authorities); SecurityContextHolder .getContext() .setAuthentication(authenticationToken); try { filterChain.doFilter(request, response); } catch (Exception e) { System.out.println(e.getMessage()); } } }