Springboot+SpringSecurity+JWT +Vue实现前后端分离的登录 权限管理以及token管理

Springboot+SpringSecurity+JWT +Vue实现前后端分离的登录 权限管理以及token管理

前言
使用SpringSecurity+jwt组合对用户的权限以及token进行管理,用户在成功登陆后,会分发一个token令牌,如果没有将某个接口进行权限设置,那么访问该页面时需要带着token令牌进行访问,后端将会对token令牌进行校验,如果校验通过则可以对该接口进行请求。

整体思路
1.导入springSecurity跟jwt的maven依赖
2.用户登录的实体类(这里就不详细说明mapper和service)
3.实现UserDetailsService接口
4.JwtUser实现UserDetails接口
5.JwtTokenUtils工具类
6.验证用户登录信息的拦截器(JWTAuthenticationFilter)
7.验证用户权限的拦截器(JWTAuthorizationFilter)
8.springSecurity配置
9.认证的Controller
10.前端vue进行测试(跨域可以在博主的其他文章中查看)

1.导入springSecurity跟jwt的maven依赖

	<!--springSecuriy-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        
	<!--jwt-->
	<dependency>
    		<groupId>io.jsonwebtoken</groupId>
    		<artifactId>jjwt</artifactId>
    		<version>0.9.1</version>
	</dependency>

2.用户登录的实体类

@Data
@EqualsAndHashCode(callSuper = false)
@Accessors(chain = true)
@ApiModel(value="User对象", description="")
public class User  {

    private static final long serialVersionUID = 1L;

    @TableId(value = "uid", type = IdType.AUTO)
    private Long uid;

    private String username;

    private String password;

    private String role;
}

3.实现UserDetailsService接口
这里使用的是mybatisplus对数据库进行访问,在博主其他文章中也有笔记

@Service
public class UserServiceImpl  implements  UserDetailsService {

    @Autowired
    private UserMapper userMapper;
    // 用户登录逻辑和验证处理
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        //将用户传来的名字进行后缀判断角色
        JwtUser jwtUser = null;
        QueryWrapper<Student> wrapper = new QueryWrapper<>();
        wrapper.eq("username",s);
        User user = studentMapper.selectOne(wrapper);
	return new JwtUser(user);
    }
}

4.JwtUser实现UserDetails接口

public class JwtUser implements UserDetails {

    private Long id;
    private String username;
    private String password;
    private Collection<? extends GrantedAuthority> authorities;

    public JwtUser() {
    }

    public JwtUser(User user) {
        id = user.getUid();
        username = user.getUsername();
        password = user.getPassword();
        //这里说明一下,必须要加上ROLE_开头,或者在数据库直接以这个开头
        authorities = Collections.singleton(new SimpleGrantedAuthority("ROLE_"+user.getRole()));
    }

    // 获取权限信息
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    // 账号是否未过期,默认是false,记得要改一下
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    // 账号是否未锁定,默认是false,记得也要改一下
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    // 账号凭证是否未过期,默认是false,记得还要改一下
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

 }

5.JwtTokenUtils工具类
用于设置token过期时间,以及token的前缀等

public class JwtTokenUtils {
    public static final String TOKEN_HEADER = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer ";
    private static final String SECRET = "jwtsecretdemo";
    private static final String ISS = "echisan";

    // 角色的key
    private static final String ROLE_CLAIMS = "rol";

    // 过期时间是3600秒,既是1个小时
    private static final long EXPIRATION = 3600L;

  
    // 创建token
    public static String createToken(String username,String role) {

        long expiration =EXPIRATION;
        HashMap<String, Object> map = new HashMap<>();
        map.put(ROLE_CLAIMS, role);
        return Jwts.builder()
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .setClaims(map)
                .setIssuer(ISS)
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
                .compact();

    }

    // 从token中获取用户名
    public static String getUsername(String token){
        return getTokenBody(token).getSubject();
    }

    // 获取用户角色
    public static String getUserRole(String token){
        return (String) getTokenBody(token).get(ROLE_CLAIMS);
    }

    // 是否已过期
    public static boolean isExpiration(String token) {
        try {
            return getTokenBody(token).getExpiration().before(new Date());
        } catch (ExpiredJwtException e) {
            return true;
        }
    }

    private static Claims getTokenBody(String token){
        return Jwts.parser()
                .setSigningKey(SECRET)
                .parseClaimsJws(token)
                .getBody();
    }

}

6.验证用户登录信息的拦截器(JWTAuthenticationFilter)

//进行用户账号的验证
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
        //设置登录请求的url
        super.setFilterProcessesUrl("/login");
    }

    @SneakyThrows
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,

          HttpServletResponse response) throws AuthenticationException{

        // 从输入流中获取到登录的信息
        try {
            LoginUser loginUser = new ObjectMapper().readValue(request.getInputStream(), LoginUser.class);
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginUser.getUsername(), loginUser.getPassword(), new ArrayList<>()));

	//密码错误时抛出异常		
        }catch (BadCredentialsException b){
            System.out.println("密码错误");
            try {
                response.setCharacterEncoding("UTF-8");
                response.setContentType("application/json; charset=utf-8");
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.getWriter().write("密码错误");
            } catch (IOException e) {
                e.printStackTrace();
            }
            return null;
        //无此用户时抛出异常
        }catch (InternalAuthenticationServiceException i){
            System.out.println("没有此用户");
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json; charset=utf-8");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getWriter().write("xxx");
            return null;
        }

        catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    // 成功验证后调用的方法
    // 如果验证成功,就生成token并返回
    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {
        System.out.println("登录成功");
        JwtUser jwtUser = (JwtUser) authResult.getPrincipal();
        System.out.println("jwtUser:" + jwtUser.toString());
        String role = "";
        Collection<? extends GrantedAuthority> authorities = jwtUser.getAuthorities();
        for (GrantedAuthority authority : authorities) {
            role = authority.getAuthority();
        }
        String token = JwtTokenUt)ils.createToken(jwtUser.getUsername(), role);
        // 返回创建成功的token
        // 但是这里创建的token只是单纯的token
        // 按照jwt的规定,最后请求的时候应该是 `Bearer token`
        System.out.println(token);
        response.setHeader("token", JwtTokenUtils.TOKEN_PREFIX + token);
	//这里我还将该用户的id进行返回了
        response.setIntHeader("uid",jwtUser.getUid().intValue());
    }
    //配置失败返回的信息,当然成功的也可以返回思路一样,重写successful,这里我就不写了
    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
	    System.out.println("用户登陆失败  AjaxAuthFailHandler");
	    response.setContentType("application/json;charset=utf-8");
	    response.setStatus(HttpStatus.UNAUTHORIZED.value());
	    PrintWriter out = response.getWriter();
	    out.write("{\"status\":\"error\",\"msg\":\"请检查用户名、密码或验证码是否正确\"}");
	    out.flush();
	    out.close();
    }
	
	
}

7.验证用户权限的拦截器(JWTAuthorizationFilter)
进行用户账号的验证(查看是否有token,token是否正确,token是否过时)

//进行用户账号的验证
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws IOException, ServletException {
        String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER);
        // 如果请求头中没有Authorization信息则直接放行了
        if (tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)) {
            chain.doFilter(request, response);
            return;
        }
        // 如果请求头中有token,则进行解析,并且设置认证信息
        try {
            SecurityContextHolder.getContext().setAuthentication(getAuthentication(tokenHeader));
        } catch (TokenIsExpiredException e) {
            //返回json形式的错误信息
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json; charset=utf-8");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            String reason = "统一处理,原因:" + e.getMessage();
            response.getWriter().write(new ObjectMapper().writeValueAsString(reason));
            response.getWriter().flush();
            return;
        }
        super.doFilterInternal(request, response, chain);
    }

    // 这里从token中获取用户信息并新建一个token
    private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader) throws TokenIsExpiredException {
        String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, "");
        boolean expiration = JwtTokenUtils.isExpiration(token);
        if (expiration) {
            throw new TokenIsExpiredException("token超时了");
        } else {
            String username = JwtTokenUtils.getUsername(token);
            String role = JwtTokenUtils.getUserRole(token);
            if (username != null) {
                return new UsernamePasswordAuthenticationToken(username, null,
                        Collections.singleton(new SimpleGrantedAuthority(role))
                );
            }
        }
        return null;
    }
}

8.springSecurity的配置

@Configuration //配置类
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConf extends WebSecurityConfigurerAdapter {
    @Autowired
    UserServiceImpl userService;

    //定义登陆成功返回信息
    private class AjaxAuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            System.out.println("用户[" + SecurityContextHolder.getContext().getAuthentication().getPrincipal() +"]登陆成功!");
            response.setContentType("application/json;charset=utf-8");
            PrintWriter out = response.getWriter();
            out.write("{\"status\":\"ok\",\"msg\":\"登录成功\"}");
            out.flush();
            out.close();

        }
    }
    //定义登陆失败返回信息
    private class AjaxAuthFailHandler extends SimpleUrlAuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            System.out.println("用户登陆失败  AjaxAuthFailHandler");
            response.setContentType("application/json;charset=utf-8");
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            PrintWriter out = response.getWriter();
            out.write("{\"status\":\"error\",\"msg\":\"请检查用户名、密码或验证码是否正确\"}");
            out.flush();
            out.close();
        }
    }

    //请求授权验
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // .denyAll();    //拒绝访问
        // .authenticated();    //需认证通过
        // .permitAll();    //无条件允许访问
        // 跨域一定要加上csrf();
        // 访问权限

        http.cors().and().csrf().disable().authorizeRequests()
                .antMatchers("/tologin","/islogin","/register","/registererr").permitAll()

                //.antMatchers("/User").hasRole("USER")
                // .antMatchers("/Admin").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                 //不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);


         //登录配置
        http.formLogin()
                .successHandler(new AjaxAuthSuccessHandler())
                .failureHandler(new AjaxAuthFailHandler())
                //固定名字,其实默认也是username跟password,这里也可以不写
                .usernameParameter("username")
                .passwordParameter("password")
                //设置自己的登录界面(如果不设置,将会是自带的登录界面这里我们使用自定义的登录界面)
                .loginPage("/tologin")
                //表单提交的url
                .loginProcessingUrl("/login"); 

    }
    // 用户授权验证
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(userService)
                .passwordEncoder(passwordEncoder()
                );

    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }




    // 这里采用雪花加密方式对密码进行加密解密
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}

9.认证的Controller

//单跨域的使用
@CrossOrigin
@Controller
public class PageController {
    @GetMapping("/tologin")
    public String tologin(){
        return "redirect:http://localhost:8001/Login";
    }
}

10.前端vue进行测试
这里需要有一点vue的基础, Vue这里不会详细讲用法了,但是会讲我是如何保存token,携带token发送请求的,这里我发送请求用的是axios,关于vue跨域配置等后期可能会写一篇相关的文章。
Login.vue
只给到了发送请求的地方,这里我将得到的token以及uid都存放到session中

var data = JSON.stringify(that.loginForm);
console.log(that.loginForm.username)           
this.$axios          
.post(url, data)          
.then(function (res) {            
	//登录成功后,将后端给的token以及uid都存在session中            
	window.sessionStorage.setItem("token", res.headers.token);
	window.sessionStorage.setItem("uid",res.headers.uid);
	that.$message.success("登陆成功");                       
}).catch((err) => {            
//账号或密码有误时            
var code = err.response.status;	
	return this.$message.error("登录失败!账号或密码错误");
                   
});

main.js
这里从session中获取token,并放到axios的请求头中,后面使用axios的请求都会自动带上token

//vue 的main.js中配置
//给axios请求设置默认的token请求头
const token = window.sessionStorage.getItem("token");
axios.defaults.headers['Content-Type'] = 'application/json;charset=utf-8';
axios.defaults.headers['Authorization'] = token;
axios.defaults.headers.post['Content-Type'] = 'text/plain';
Vue.prototype.$axios = axios;

记录我的学习笔记

你可能感兴趣的:(jwt,springboot,SpringSecurity,jwt,spring,boot,vue.js,安全,经验分享)