轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

前言

我们知道在项目开发中,后台开发权限认证是非常重要的,springboot 中常用熟悉的权限认证框架有,shiro,还有就是springboot 全家桶的 security当然他们各有各的好处,但是我比较喜欢springboot自带的权限认证框架


      <dependency>
          <groupId>org.springframework.bootgroupId>
          <artifactId>spring-boot-starter-securityartifactId>
      dependency>

与springboot天然集成,功能强大

快速上手

主要实现 Spring Security 的安全认证,结合 RESTful API 的风格,使用无状态的环境。

主要实现是通过请求的 URL ,通过过滤器来做不同的授权策略操作,为该请求提供某个认证的方法,然后进行认证,授权成功返回授权实例信息,供服务调用。

基于Token的身份验证的过程如下:

用户通过用户名和密码发送请求。
程序验证。
程序返回一个签名的token 给客户端。
客户端储存token,并且每次用于每次发送请求。
服务端验证token并返回数据。
每一次请求都需要token,所以每次请求都会去验证用户身份,所以这里必须要使用缓存,

流程图

JWT JSON Web Token 验证流程图

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战_第1张图片

添加Spring Security和JWT依赖项

       
          <dependency>
              <groupId>org.springframework.bootgroupId>
              <artifactId>spring-boot-starter-securityartifactId>
          dependency>
         
         <dependency>
             <groupId>io.jsonwebtokengroupId>
             <artifactId>jjwtartifactId>
         dependency>

生成JWT toke

因为要生成JWT toke 所以就写了一个工具类JwtTokenUtil

package cn.soboys.kmall.security.utils;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:28
 * @webSite https://www.soboys.cn/
 */
@Component
public class JwtTokenUtil implements Serializable {

    private static final long serialVersionUID = -2550185165626007488L;

    public static final long JWT_TOKEN_VALIDITY = 7*24*60*60;

    private String secret="TcUF7CC8T3txmfQ38pYsQ3KY";

    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }


    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return doGenerateToken(claims, username);
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = getUsernameFromToken(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }


    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = getAllClaimsFromToken(token);
        return claimsResolver.apply(claims);
    }

    private Claims getAllClaimsFromToken(String token) {
        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
    }


    private Boolean isTokenExpired(String token) {
        final Date expiration = getExpirationDateFromToken(token);
        return expiration.before(new Date());
    }

    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }

    private String doGenerateToken(Map<String, Object> claims, String subject) {
        return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY*1000)).signWith(SignatureAlgorithm.HS512, secret).compact();
    }
}

注入数据源

这里我们使用数据库作为权限控制数据保存,所以就要注入数据源,进行权限认证
Spring Security提供了 UserDetailsService接口 用于用户身份认证,和UserDetails实体类,用于保存用户信息,(用户凭证,权限等)

看源码

package org.springframework.security.core.userdetails;

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}
package org.springframework.security.core.userdetails;
public interface UserDetails extends Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();

    String getPassword();

    String getUsername();

    boolean isAccountNonExpired();

    boolean isAccountNonLocked();

    boolean isCredentialsNonExpired();

    boolean isEnabled();
}

所以我们分为两步走:

  1. 自己的User实体类继承Spring SecurityUserDetails 保存相关权限信息
package cn.soboys.kmall.security.entity;

import com.baomidou.mybatisplus.annotation.IdType;
import com.baomidou.mybatisplus.annotation.TableField;
import com.baomidou.mybatisplus.annotation.TableId;
import com.baomidou.mybatisplus.annotation.TableName;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import lombok.EqualsAndHashCode;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.io.Serializable;
import java.time.LocalDateTime;
import java.util.*;

/**
 * 

* 用户表 *

* * @author kenx * @since 2021-08-06 */
@Data @EqualsAndHashCode(callSuper = false) @TableName("t_user") public class User implements Serializable, UserDetails { private static final long serialVersionUID = 1L; /** * 用户ID */ @TableId(value = "USER_ID", type = IdType.AUTO) private Long userId; /** * 用户名 */ @TableField("USERNAME") private String username; /** * 密码 */ @TableField("PASSWORD") private String password; /** * 部门ID */ @TableField("DEPT_ID") private Long deptId; /** * 邮箱 */ @TableField("EMAIL") private String email; /** * 联系电话 */ @TableField("MOBILE") private String mobile; /** * 状态 0锁定 1有效 */ @TableField("STATUS") private String status; /** * 创建时间 */ @TableField("CREATE_TIME") private Date createTime; /** * 修改时间 */ @TableField("MODIFY_TIME") private Date modifyTime; /** * 最近访问时间 */ @TableField("LAST_LOGIN_TIME") private Date lastLoginTime; /** * 性别 0男 1女 2保密 */ @TableField("SSEX") private String ssex; /** * 是否开启tab,0关闭 1开启 */ @TableField("IS_TAB") private String isTab; /** * 主题 */ @TableField("THEME") private String theme; /** * 头像 */ @TableField("AVATAR") private String avatar; /** * 描述 */ @TableField("DESCRIPTION") private String description; @TableField(exist = false) private List<Role> roles; @TableField(exist = false) private Set<String> perms; /** * 用户权限 * * @return */ /*@Override public Collection getAuthorities() { List auths = new ArrayList<>(); List roles = this.getRoles(); for (Role role : roles) { auths.add(new SimpleGrantedAuthority(role.getRolePerms())); } return auths; }*/ @Override @JsonIgnore public Collection<? extends GrantedAuthority> getAuthorities() { List<GrantedAuthority> auths = new ArrayList<>(); Set<String> perms = this.getPerms(); for (String perm : perms) { //这里perms值如果为空或空字符会报错 auths.add(new SimpleGrantedAuthority(perm)); } return auths; } @Override @JsonIgnore public boolean isAccountNonExpired() { return true; } @Override @JsonIgnore public boolean isAccountNonLocked() { return true; } @Override @JsonIgnore public boolean isCredentialsNonExpired() { return true; } @Override @JsonIgnore public boolean isEnabled() { return true; } }

注意这里有一个问题 登录用户时,总提示 User account is locked

是因为用户实体类实现UserDetails这个接口时,我默认把所有抽象方法给自动实现了,而自动生成下面这四个方法,默认返回false,

    @Override
    public boolean isAccountNonExpired() {
        return false;
    }
 
    @Override
    public boolean isAccountNonLocked() {
        return false;
    }
 
    @Override
    public boolean isCredentialsNonExpired() {
        return false;
    }
 
    @Override
    public boolean isEnabled() {
        return false;
    }

问题原因就在这里,只要把它们的返回值改成true就行。

UserDetails 中几个字段的解释:

//返回验证用户密码,无法返回则NULL

String getPassword();
String getUsername();

账户是否过期,过期无法验证

boolean isAccountNonExpired();

指定用户是否被锁定或者解锁,锁定的用户无法进行身份验证

boolean isAccountNonLocked();

指示是否已过期的用户的凭据(密码),过期的凭据防止认证

boolean isCredentialsNonExpired();

是否被禁用,禁用的用户不能身份验证

boolean isEnabled();
  1. 实现接口中loadUserByUsername方法注入数据验证就可以了

自己IUserService用户接口类继承Spring Security提供了 UserDetailsService接口

public interface IUserService  extends IService<User>, UserDetailsService {

    User getUserByUsername(String username);

   /* *//**
     * 获取用户所有权限
     *
     * @param username
     * @return
     *//*
    Set<String> getUserPerms(String username);*/

}

并且加以实现

@Service
@RequiredArgsConstructor
@Slf4j
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements IUserService {
    private final RoleMapper roleMapper;

    @Override
    public User getUserByUsername(String username) {
        return this.baseMapper.selectOne(new QueryWrapper<User>().lambda()
                .eq(User::getUsername, username));
    }


    /**
     * 对用户提供的用户详细信息进行身份验证时
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = this.getUserByUsername(username);

        if (StrUtil.isBlankIfStr(user)) {
            throw new UsernameNotFoundException("User not found with username: " + username);
        }

        //获取用户角色信息
        List<Role> roles = roleMapper.findUserRolePermsByUserName(username);
        user.setRoles(roles);

        List<String> permList = this.baseMapper.findUserPerms(username);

        //java8 stream 便利
        Set<String> perms = permList.stream().filter(o->StrUtil.isNotBlank(o)).collect(Collectors.toSet());
        user.setPerms(perms);

        //用于添加用户的权限。只要把用户权限添加到authorities 就万事大吉。
        // List authorities = new ArrayList<>();


        //用于添加用户的权限。只要把用户权限添加到authorities 就万事大吉。
        /*for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRolePerms()));
            log.info("loadUserByUsername: " + user);
        }*/
        //user.setAuthorities(authorities);//用于登录时 @AuthenticationPrincipal 标签取值
        return user;
    }


}

自己实现loadUserByUsername从数据库中验证用户名密码,获取用户角色权限信息

拦截器配置

Spring Security的AuthenticationEntryPoint类,它拒绝每个未经身份验证的请求并发送错误代码401

package cn.soboys.kmall.security.config;

import cn.soboys.kmall.common.ret.Result;
import cn.soboys.kmall.common.ret.ResultCode;
import cn.soboys.kmall.common.ret.ResultResponse;
import cn.soboys.kmall.common.utils.ResponseUtil;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Serializable;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:30
 * @webSite https://www.soboys.cn/
 * 此类继承Spring Security的AuthenticationEntryPoint类,
 * 并重写其commence。它拒绝每个未经身份验证的请求并发送错误代码401。
 */
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {

    /**
     * 此类继承Spring Security的AuthenticationEntryPoint类,并重写其commence。
     * 它拒绝每个未经身份验证的请求并发送错误代码401
     *
     * @param httpServletRequest
     * @param httpServletResponse
     * @param e
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        Result result = ResultResponse.failure(ResultCode.UNAUTHORIZED, "请先登录");
        ResponseUtil.responseJson(httpServletResponse, result);
    }
}

JwtRequestFilter 任何请求都会执行此类检查请求是否具有有效的JWT令牌。如果它具有有效的JWT令牌,则它将在上下文中设置Authentication,以指定当前用户已通过身份验证。

package cn.soboys.kmall.security.config;

import cn.soboys.kmall.common.utils.ConstantFiledUtil;
import cn.soboys.kmall.security.service.IUserService;
import cn.soboys.kmall.security.utils.JwtTokenUtil;
import io.jsonwebtoken.ExpiredJwtException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:27
 * @webSite https://www.soboys.cn/
 * 任何请求都会执行此类
 * 检查请求是否具有有效的JWT令牌。如果它具有有效的JWT令牌,
 * 则它将在上下文中设置Authentication,以指定当前用户已通过身份验证。
 */
@Component
@Slf4j
public class JwtRequestFilter extends OncePerRequestFilter {

    //用户数据源
    private IUserService userService;
    //生成jwt 的token
    private  JwtTokenUtil jwtTokenUtil;

    public JwtRequestFilter(IUserService userService,JwtTokenUtil jwtTokenUtil) {
        this.userService = userService;
        this.jwtTokenUtil = jwtTokenUtil;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        final String requestTokenHeader = request.getHeader(ConstantFiledUtil.AUTHORIZATION_TOKEN);

        String username = null;
        String jwtToken = null;
        // JWT Token is in the form "Bearer token". Remove Bearer word and get only the Token
        if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
            jwtToken = requestTokenHeader.substring(7);
            try {
                username = jwtTokenUtil.getUsernameFromToken(jwtToken);
            } catch (IllegalArgumentException e) {
                log.error("Unable to get JWT Token");
            } catch (ExpiredJwtException e) {
                log.error("JWT Token has expired");
            }
        } else {
            //logger.warn("JWT Token does not begin with Bearer String");
        }

        //Once we get the token validate it.
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = this.userService.loadUserByUsername(username);

            // if token is valid configure Spring Security to manually set authentication
            if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {

                //保存用户信息和权限信息
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken
                        .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // After setting the Authentication in the context, we specify
                // that the current user is authenticated. So it passes the Spring Security Configurations successfully.
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}

配置Spring Security 配置类SecurityConfig

  1. 自定义Spring Security的时候我们需要继承自WebSecurityConfigurerAdapter来完成,相关配置重写对应 方法

  2. 此处使用了 BCryptPasswordEncoder 密码加密

  3. 通过重写configure方法添加我们自定义的认证方式。

package cn.soboys.kmall.security.config;


import cn.soboys.kmall.security.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.Set;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/6 17:27
 * @webSite https://www.soboys.cn/
 */
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // 控制权限注解
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    private IUserService userService;
    private JwtRequestFilter jwtRequestFilter;


    public SecurityConfig(JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint,
                          IUserService userService,
                          JwtRequestFilter jwtRequestFilter) {
        this.jwtAuthenticationEntryPoint = jwtAuthenticationEntryPoint;
        this.userService = userService;
        this.jwtRequestFilter = jwtRequestFilter;
    }


    /**
     * 1)HttpSecurity支持cors。
     * 2)默认会启用CRSF,此处因为没有使用thymeleaf模板(会自动注入_csrf参数),
     * 要先禁用csrf,否则登录时需要_csrf参数,而导致登录失败。
     * 3)antMatchers:匹配 "/" 路径,不需要权限即可访问,匹配 "/user" 及其以下所有路径,
     * 都需要 "USER" 权限
     * 4)配置登录地址和退出地址
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // We don't need CSRF for this example
        http.csrf().disable()
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                "/v3/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                "/statics/**", "/login", "/register").permitAll().
                // all other requests need to be authenticated
                        anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                //覆盖默认登录
                        exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                // 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);


        // Add a filter to validate the tokens with every request
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }


    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * 密码校验
     *
     * @param auth
     * @throws Exception
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // configure AuthenticationManager so that it knows from where to load
        // user for matching credentials
        // Use BCryptPasswordEncoder
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    /**
     * 密码加密验证
     *
     * @return
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }


}

具体应用

package cn.soboys.kmall.security.controller;

import cn.hutool.core.util.StrUtil;
import cn.soboys.kmall.common.exception.BusinessException;
import cn.soboys.kmall.common.ret.ResponseResult;
import cn.soboys.kmall.common.ret.Result;
import cn.soboys.kmall.common.ret.ResultResponse;
import cn.soboys.kmall.security.entity.User;
import cn.soboys.kmall.security.service.IUserService;
import cn.soboys.kmall.security.utils.EncryptPwdUtil;
import cn.soboys.kmall.security.utils.JwtTokenUtil;
import com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper;
import io.swagger.annotations.*;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotEmpty;
import java.util.Date;
import java.util.Objects;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/6 12:30
 * @webSite https://www.soboys.cn/
 */
@RestController
@ResponseResult
@Validated
@RequiredArgsConstructor
@Api(tags = "登录接口")
public class LoginController {
    private final IUserService userService;
    //认证管理,认证用户省份
    private final AuthenticationManager authenticationManager;
    private final JwtTokenUtil jwtTokenUtil;
    //自己数据源
    private final UserDetailsService jwtInMemoryUserDetailsService;




    @PostMapping("/login")
    @ApiOperation("用户登录")
    @SneakyThrows
    public Result login(@NotBlank @RequestParam String username,
                        @NotBlank @RequestParam String password) {


        Authentication authentication= this.authenticate(username, password);

        String user = authentication.getName();

        final String token = jwtTokenUtil.generateToken(user);
        //更新用户最后登录时间
        User u = new User();
        u.setLastLoginTime(new Date());
        userService.update(u, new UpdateWrapper<User>().lambda().eq(User::getUsername, username));
        return ResultResponse.success("Bearer " + token);
    }

    @PostMapping("/register")
    @ApiOperation("用户注册")
    public Result register(@NotEmpty @RequestParam String username, @NotEmpty @RequestParam String password) {
        User user = userService.getUserByUsername(username);

        if (!StrUtil.isBlankIfStr(user)) {
            throw new BusinessException("用户已存在");
        }
        User u = new User();
        u.setPassword(EncryptPwdUtil.encryptPassword(password));
        u.setUsername(username);
        u.setCreateTime(new Date());
        u.setModifyTime(new Date());
        u.setStatus("1");
        userService.save(u);
        return ResultResponse.success();

    }


    private Authentication authenticate(String username, String password) throws Exception {
        Authentication authentication = null;
        try {
            //security 认证用户身份
            authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } catch (DisabledException e) {
            throw new BusinessException("用户不存");
        } catch (BadCredentialsException e) {
            throw new BusinessException("用户名密码错误");
        }

        return authentication;
    }
}

深入了解

Spring Security 配置讲解

  1. @EnableWebSecurity 开启权限认证
  2. @EnableGlobalMethodSecurity(prePostEnabled = true) 开启权限注解认证
  3. configure 配置
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // We don't need CSRF for this example
        http.csrf().disable()
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                "/v3/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                "/statics/**", "/login", "/register").permitAll().
                // all other requests need to be authenticated
                        anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                //覆盖默认登录
                        exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                // 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);


        // Add a filter to validate the tokens with every request
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战_第2张图片

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战_第3张图片

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战_第4张图片

参考

  1. Spring Security 权限认证
  2. springSecurity 之 http Basic认证
  3. 轻松上手SpringBoot Security + JWT Hello World示例

你可能感兴趣的:(SpringBoot,spring,boot)