准备工作
要想让权限控制生效,需要在启动类上添加注解
1 | |
一、基本登录流程
编写一个配置文件 SecurityConfig.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22package com.wesdata.com.config;
import com.wesdata.com.filter.JwtAuthenticationTokenFilter;
import com.wesdata.com.handler.MyAccessDeniedHandler;
import com.wesdata.com.handler.MyAuthenticationEntryPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}配置登录访问路由
spring-boot默认路径为/login,可以根据需要自己设置,当访问www.xxx.com/login的时候,即为进行登录
1
2
3
4
5
6
7
8
9
10@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// 配置自定义登录页面
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径
}
}配置处理登录的逻辑
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
/*
// 配置自定义登录页面
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径
}
*/
@Autowired
UserDetailsService userDetailsService;
// 当进行登录时,spring会调用这里设置的userDetailsService的某个方法,这个方法名称是约定好的
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService) // 指定使用 userDetailsService 服务来获取用户信息
.passwordEncoder(passwordEncoder()); // 设置加密方式
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}编写userDetailsService
大致思路就是,spring调用loadUserByUsername方法,然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中,根据传递的name字段到数据库查询用户信息,如果查不到用户,直接抛出错误,如果查询到用户信息,则把用户名,密码,权限包装到User中。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45package com.wesdata.com.service;
import com.wesdata.com.bean.Employee;
import com.wesdata.com.mapper.EmployeeMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.*;
// 注册一个service
@Service("userDetailsService")
public class MyUserDetailService implements UserDetailsService {
@Autowired
EmployeeMapper employeeMapper;
// 主要作用就是根据名字获取用户信息,然后构建一个User对象,提供给调用者
@Override
public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
// 从数据库根据name查询用户信息
Employee employee = employeeMapper.findEmpByName(name);
if (employee == null) {
throw new UsernameNotFoundException("用户名" + name + "不存在");
}
// 设置加密方式
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String password = passwordEncoder.encode(employee.getPassword());
// 权限是一个集合
List<GrantedAuthority> auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin");
// 把用户名、密码、权限返给调用者,系统会自己对密码进行比较,注意,系统只会对密码进行比较,所以这里name传任何值都能通过
return new User(employee.getName(), password, auths);
}
}
二、集成JWT
集成jwt就不能走spring的自动登录流程了,整体思路就是,手动调用系统的认证功能,认证成功,生成token返回给前端,前端对token进行缓存,当请求其他api时,将token通过请求头携带上。在过滤器中,对token进行检查。
配置
- 对登录路径设置无需授权即可访问
- 禁用session
- 将token过滤器插入到过滤器链中
- 将登录管理器注入到IOC容器中
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
// 配置自定义登录页面
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// ==1.权限设置==
.antMatchers(
"/user/login"
)
/**
* 对前面路由设置 访问权限
* anonymous:仅限匿名用户访问
* authenticated: 仅限认证的用户才能访问
* permitAll: 所有用户都可以方位
* */
.permitAll()
.and().csrf().disable() // 开启跨域访问
// ==2.禁用session==
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// ==3.配置过滤日==
// 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面
http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
// == 4.将登录管理器 注入IOC容器中 ==
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception{
return super.authenticationManagerBean();
}
}编写登录控制器
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59package com.wesdata.com.controller;
import com.wesdata.com.bean.User;
import com.wesdata.com.domain.ResponseResult;
import com.wesdata.com.mapper.UserMapper;
import com.wesdata.com.utils.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import com.alibaba.fastjson.JSONObject;
@RequestMapping("user")
@RestController
public class UserController {
@Autowired
AuthenticationManager authenticationManager;
@Autowired
UserMapper userMapper;
@RequestMapping("login")
public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) {
// 在这里进行主动登录操作
UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password);
Authentication authentication = authenticationManager.authenticate(usernamePasswordToken);
if (Objects.isNull(authentication)) {
return new ResponseResult("登录失败");
} else {
// "登录成功";
String token = JwtUtil.createJwt(name , "15");
System.out.println(token);
Map<String, String> data = new HashMap<>();
data.put("token", token);
return ResponseResult.success(data);
}
}
@RequestMapping("logout")
public String logout() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
// UsernamePasswordAuthenticationToken的第一个参数
auth.getPrincipal();
return "logout success";
}
}编写token过滤器
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64package com.wesdata.com.filter;
import com.wesdata.com.utils.JwtUtil;
import io.jsonwebtoken.Claims;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain)
{
String token = request.getHeader("token");
// 对于不带token的请求,直接进入下一个过滤器
if (Objects.isNull(token)) {
try {
filterChain.doFilter(request, response);
} catch (Exception e) {
System.out.println(e.getMessage());
}
return;
}
Claims body = JwtUtil.parseToken(token);
String name = body.get("userName").toString();
String id = body.get("userId").toString();
System.out.println(name);
System.out.println(id);
// 权限列表
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
authorities.add( new SimpleGrantedAuthority("student"));
// 这里非常关键
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(name, null, authorities);
SecurityContextHolder
.getContext()
.setAuthentication(authenticationToken);
try {
filterChain.doFilter(request, response);
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}