随着有些jar包的升级,JDK1.8已经不是最稳定的版本了。
前段时间接触到Web3相关,jar包的编译最低要JDK13了,碰巧另一个使用Kotlin写的jar包依赖需要17了,那就直接上17吧,同时Springboot也上到3.0。
Springboot3.0 + SpringSecurity + Swagger,数据库Jpa和mybatis都可,缓存使用redis。
先看主pom.xml依赖
<parent>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-parentartifactId>
<version>3.0.0version>
<relativePath/>
parent>
依赖项
<dependency>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-securityartifactId>
dependency>
<dependency>
<groupId>org.springdocgroupId>
<artifactId>springdoc-openapi-starter-webmvc-uiartifactId>
<version>2.2.0version>
dependency>
<dependency>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-validationartifactId>
dependency>
服务之间调用采用openfeign,
<dependency>
<groupId>io.github.openfeigngroupId>
<artifactId>feign-coreartifactId>
<version>${openfeign.version}version>
dependency>
<dependency>
<groupId>io.github.openfeigngroupId>
<artifactId>feign-okhttpartifactId>
<version>${openfeign.version}version>
dependency>
<dependency>
<groupId>io.github.openfeigngroupId>
<artifactId>feign-jacksonartifactId>
<version>${openfeign.version}version>
dependency>
<dependency>
<groupId>io.github.openfeigngroupId>
<artifactId>feign-spring4artifactId>
<version>${openfeign.version}version>
dependency>
至于其他的依赖JWT,Redis,Jpa,Mybatis就不贴了
和2.x版本的变化的还是挺大的,3.0采用的是是流式写法。
public class SpringSecurityConf {
@Autowired
ApplicationContext applicationContext;
@Bean
public PasswordEncoder passwordEncoder() {
// 密码加密方式
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
@Bean
public JwtTokenOncePerRequestFilter authenticationJwtTokenFilter() {
return new JwtTokenOncePerRequestFilter();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 获取匿名标记
Map<String, Set<String>> anonymousUrls = this.getAnonymousUrl();
http
//禁言basic明文
.httpBasic().disable()
//前后端分离不用卡跨域
.csrf().disable()
//禁用默认登录页
.formLogin().disable()
//授权异常
.exceptionHandling(exceptions -> {
//403处理类 无法访问 401处理类 身份信息验证错误
exceptions.authenticationEntryPoint(getAuthenticationEntryPoint()).accessDeniedHandler(getAccessDeniedHandler());
})
//http请求
.authorizeHttpRequests(registry -> {
registry.requestMatchers(HttpMethod.GET, anonymousUrls.get(RequestMethodEnum.GET.getType()).toArray(new String[0])).permitAll()
.requestMatchers(HttpMethod.POST, anonymousUrls.get(RequestMethodEnum.POST.getType()).toArray(new String[0])).permitAll()
.requestMatchers(HttpMethod.DELETE, anonymousUrls.get(RequestMethodEnum.DELETE.getType()).toArray(new String[0])).permitAll()
.requestMatchers(HttpMethod.PUT, anonymousUrls.get(RequestMethodEnum.PUT.getType()).toArray(new String[0])).permitAll()
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
;
//添加白名单的
this.addWhiteListAuthorize(registry);
//添加自定义的
this.addCustomAuthorize(registry);
//默认全部放行
// registry.requestMatchers("/**").permitAll();
// 所有请求都需要认证
registry.anyRequest().authenticated();
})
//验证service类
// .authenticationProvider()
.addFilterBefore(this.getDefaultFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
//可重写该
public void addWhiteListAuthorize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
String[] PASS_PATH_GROUP = new String[]{
"/*.html",
"/webSocket/**",
"/swagger-ui/*",
"/*/api-docs/*",
"/*/api-docs*",
"/actuator/*",
"/error",
};
for (String str : PASS_PATH_GROUP) {
registry.requestMatchers(str).permitAll();
}
}
//例如system有不同的处理 可重写该方法
public void addCustomAuthorize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
//hasRole 需要在权限面前加上ROLE_ hasAuthority/则不需要
registry.requestMatchers("/api/**").hasAuthority(SecurityConstant.AUTH_USER)
.requestMatchers("/admin/**").hasAuthority(SecurityConstant.AUTH_MANAGER);
}
public AccessDeniedHandler getAccessDeniedHandler() {
return (request, response, e) -> {
log.error("403 Forbidden,URI:{}", request.getRequestURI());
//当用户在没有授权的情况下访问受保护的REST资源时,将调用此方法发送403 Forbidden响应
response.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
};
}
public AuthenticationEntryPoint getAuthenticationEntryPoint() {
return (request, response, e) -> {
log.error("401 无凭据,{},URI:{}", request.getMethod(), request.getRequestURI());
// 当用户尝试访问安全的REST资源而不提供任何凭据时,将调用此方法发送401 响应
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e == null ? "Unauthorized" : e.getMessage());
};
}
//默认的jwt校验器
public JwtTokenOncePerRequestFilter getDefaultFilter() throws Exception {
return new JwtTokenOncePerRequestFilter();
}
//自定义授权开放的注解 例如AnonymousGetMapping 注解了的方法放开权限
public Map<String, Set<String>> getAnonymousUrl() {
// 搜寻匿名标记 url: @AnonymousAccess
RequestMappingHandlerMapping requestMappingHandlerMapping =
(RequestMappingHandlerMapping) applicationContext.getBean("requestMappingHandlerMapping");
Map<RequestMappingInfo, HandlerMethod> handlerMethodMap = requestMappingHandlerMapping.getHandlerMethods();
// 获取匿名标记
Map<String, Set<String>> anonymousUrls = new HashMap<>(6);
Set<String> get = new HashSet<>();
Set<String> post = new HashSet<>();
Set<String> put = new HashSet<>();
Set<String> patch = new HashSet<>();
Set<String> delete = new HashSet<>();
Set<String> all = new HashSet<>();
for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethodMap.entrySet()) {
HandlerMethod handlerMethod = infoEntry.getValue();
AnonymousAccess anonymousAccess = handlerMethod.getMethodAnnotation(AnonymousAccess.class);
if (null != anonymousAccess) {
List<RequestMethod> requestMethods = new ArrayList<>(infoEntry.getKey().getMethodsCondition().getMethods());
RequestMethodEnum request = RequestMethodEnum.find(requestMethods.size() == 0 ? RequestMethodEnum.ALL.getType() : requestMethods.get(0).name());
Set<PathPattern> pathPatterns = infoEntry.getKey().getPathPatternsCondition().getPatterns();
for (PathPattern pattern : pathPatterns) {
switch (Objects.requireNonNull(request)) {
case GET:
get.add(pattern.getPatternString());
break;
case POST:
post.add(pattern.getPatternString());
break;
case PUT:
put.add(pattern.getPatternString());
break;
case PATCH:
patch.add(pattern.getPatternString());
break;
case DELETE:
delete.add(pattern.getPatternString());
break;
default:
all.add(pattern.getPatternString());
break;
}
}
}
}
anonymousUrls.put(RequestMethodEnum.GET.getType(), get);
anonymousUrls.put(RequestMethodEnum.POST.getType(), post);
anonymousUrls.put(RequestMethodEnum.PUT.getType(), put);
anonymousUrls.put(RequestMethodEnum.PATCH.getType(), patch);
anonymousUrls.put(RequestMethodEnum.DELETE.getType(), delete);
anonymousUrls.put(RequestMethodEnum.ALL.getType(), all);
return anonymousUrls;
}
}
每个请求在满足权限之后都会走的入口类
public class JwtTokenOncePerRequestFilter extends OncePerRequestFilter {
RedisConf redisConf;
public JwtTokenOncePerRequestFilter() {
}
//如果有自定义拦截请求处理
//则重写验证规则中的getDefaultFilter方法 传入自定义拦截器
public JwtTokenOncePerRequestFilter(RedisConf redisConf) {
this.redisConf = redisConf;
}
@Override
protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
FilterChain chain) throws ServletException, IOException {
String token = JwtUtils.getToken(req);
if (token == null) {
//可能会存在前端session缓存问题
SecurityContextHolder.getContext().setAuthentication(null);
chain.doFilter(req, res);
return;
}
try {
//验证token 并取出对应信息
Authentication authentication = JwtUtils.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
//子类自定义操作 例如 存储,redis过期/续期
this.handler(token, authentication);
chain.doFilter(req, res);
} catch (Exception e) {
GlobalExceptionEnum ex = GlobalExceptionEnum.TOKEN_IS_ERROR;
logger.error(e.getMessage());
res.setContentType("application/json; charset=utf-8");
res.setStatus(HttpStatus.UNAUTHORIZED.value());
res.getWriter().write("{\"code\": " + HttpStatus.UNAUTHORIZED.value() + ", \"message\": \"" + ex.getText() + "\"}");
res.getWriter().close();
}
}
public void handler(String token, Authentication authentication) {
if (redisConf != null && JwtUtils.containsRole(SecurityConstant.AUTH_USER)) {
//仅针对用户服务做拦截 减少redis访问 对于 Token 为空的不需要去查Redis
if (StringUtils.isNotEmptyObj(token)) {
Long uid = JwtUtils.getLoginUid();
String oldToken = redisConf.get(String.format(RedisKey.MEMBER_UID_TOKEN, uid));
if (oldToken != null && !token.equals(oldToken)) {
logger.error("token不一致:token:" + token + ",oldToken:" + oldToken);
throw new BadRequestException(GlobalExceptionEnum.TOKEN_IS_ERROR.getText());
}
}
}
}
}
从验证规则来看,上面的验证器我是注释掉了的,因为登录注册是由自己实现,不是走的SpringSecurity的密码验证。这里也贴一下代码
//用账户密码登录的 会传入的明文密码 根据验证规则里面设置的加密算法进行加密
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(authUser.getUsername(), password);
经过框架内部加密密码后,会回调到UserDetailsService#loadUserByUsername
方法,该方法需要自己实现
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
private final UserService userService;
private final RoleService roleService;
private final DataService dataService;
private final LoginProperties loginProperties;
@Override
public JwtUserDto loadUserByUsername(String username) {
boolean searchDb = true;
JwtUserDto jwtUserDto = null;
if (searchDb) {
UserDto user;
try {
user = userService.findByName(username);
} catch (EntityNotFoundException e) {
// SpringSecurity会自动转换UsernameNotFoundException为BadCredentialsException
throw new UsernameNotFoundException("", e);
}
if (user == null) {
throw new UsernameNotFoundException("");
} else {
if (!user.getEnabled()) {
throw new BadRequestException("账号未激活!");
}
jwtUserDto = new JwtUserDto(
user,
dataService.getDeptIds(user),
roleService.mapToGrantedAuthorities(user)
);
userDtoCache.put(username, jwtUserDto);
}
}
return jwtUserDto;
}
}
在这里面验证状态等,同时补齐权限,然后返回对应的dto,框架会根据dto里面的password来校验密码是否正确。
在Springboot3中,原来的swagger-ui包已经不支持了,需要更改为springdoc
在最开始使用的2.0.4版本中,会出现@RequestParam(required = false)
在swagger界面中不生效的问题。
<dependency>
<groupId>org.springdocgroupId>
<artifactId>springdoc-openapi-starter-webmvc-uiartifactId>
<version>2.2.0version>
dependency>
<dependency>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-validationartifactId>
dependency>
和2版本相比,如果想添加Authorization
,需要在类上添加如下注解
@Configuration
@SecurityScheme(name = "Authorization", type = SecuritySchemeType.HTTP, scheme = "bearer", in = SecuritySchemeIn.HEADER)
public abstract class SwaggerConf {
@Bean
public OpenAPI createOpenApi() {
return new OpenAPI()
.info(apiInfo())
//设置授权信息
.security(List.of(new SecurityRequirement().addList("Authorization")))
//引入其他文档
// .externalDocs(new ExternalDocumentation().description("百度一下")
// .url("http://www.baido.com"))
;
}
public Info apiInfo() {
return new Info()
.title("一款 web3.0 业务接口文档")
.description("web3业务处理")
.version("1.0");
}
//分组
@Bean
public GroupedOpenApi publicApi() {
return GroupedOpenApi.builder()
.group("api")
.pathsToMatch("/api/**")
.build();
}
@Bean
public GroupedOpenApi adminApi() {
return GroupedOpenApi.builder()
.group("admin")
.pathsToMatch("/admin/**")
.build();
}
}
其他的配置大同小异。
原来的版本的注解我就不贴了,先看类上和方式上的注解
@Tag(name = "APP:FTMO数据相关接口")
@RestController
@RequestMapping("/api/app")
public class CmsController {
//get参数的注解自行查询
@Operation(summary = "test测试", description = "test接口说明")
@AnonymousGetMapping("/test")
public UserInfo test(@RequestBody UserInfoVO vo) {
}
}
在实体类上的注解
@Schema(title = "用户数据VO")
@Data
public class UserInfoVO extends UserInfo {
@Schema(title = "页码查询")
Integer page;
@Schema(title = "条数")
Integer pageSize;
}
需要注意的是在同一规范返回的实体类上不用注解
@NoArgsConstructor
@Data
//加了这个注解回导致无法显示泛型的实体类
//@Schema(name = "ApiResult", description = "REST接口标准返回值 View Model")
public class ApiResultVO<T> implements Serializable {
/**
* 返回码
*/
@Schema(title ="REST接口返回码")
private Integer code;
/**
* 返回描述
*/
@Schema(title ="REST接口返回消息")
private String message;
/**
* 返回数据
*/
//这个DataVO类上不影响
private DataVO<T, Object> content;
}
配置文件redis,移动多了一层data目录
data:
redis:
database: 0
#数据库索引
host: 192.168.0.100
port: 6379
password:
#连接超时时间
timeout: 5000
过去有一段时间了,今天才抽时间记录一下,还有其他问题会继续更新。
以上就是本文的全部内容了!
上一篇:随手记录第九话 – Java框架整合篇
下一篇:随手记录第十一话 – xxx
非学无以广才,非志无以成学。