spring-security登录流程和集成JWT功能

准备工作

要想让权限控制生效，需要在启动类上添加注解

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// 开启全局权限控制
@EnableGlobalMethodSecurity(securedEnabled=true)
@SpringBootApplication
public class AppApplication {
    public static void main(String[] args) {
        SpringApplication.run(AppApplication.class, args);
    }
}

一、基本登录流程

1. 编写一个配置文件 SecurityConfig.java

   package com.wesdata.com.config;
   import com.wesdata.com.filter.JwtAuthenticationTokenFilter;
   import com.wesdata.com.handler.MyAccessDeniedHandler;
   import com.wesdata.com.handler.MyAuthenticationEntryPoint;
   import org.springframework.beans.factory.annotation.Autowired;
   import org.springframework.context.annotation.Bean;
   import org.springframework.context.annotation.Configuration;
   import org.springframework.security.authentication.AuthenticationManager;
   import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
   import org.springframework.security.config.annotation.web.builders.HttpSecurity;
   import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
   import org.springframework.security.config.http.SessionCreationPolicy;
   import org.springframework.security.core.userdetails.UserDetailsService;
   import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
   import org.springframework.security.crypto.password.PasswordEncoder;
   import org.springframework.security.web.AuthenticationEntryPoint;
   import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
   
   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
   
   }
   

2. 配置登录访问路由

   spring-boot默认路径为/login,可以根据需要自己设置，当访问www.xxx.com/login的时候，即为进行登录

   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
   	// 配置自定义登录页面
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 
       }
   }
   
   
   

3. 配置处理登录的逻辑

   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       /*
       // 配置自定义登录页面
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 
       }
       */
       
       @Autowired
       UserDetailsService userDetailsService;
       
       // 当进行登录时，spring会调用这里设置的userDetailsService的某个方法，这个方法名称是约定好的
       protected void configure(AuthenticationManagerBuilder auth) throws Exception {
           
           auth.userDetailsService(userDetailsService)   // 指定使用 userDetailsService 服务来获取用户信息
               .passwordEncoder(passwordEncoder());	// 设置加密方式
       }
       
       @Bean
       public PasswordEncoder passwordEncoder() {
           return new BCryptPasswordEncoder();
       }
   }
   

4. 编写userDetailsService

   大致思路就是，spring调用loadUserByUsername方法，然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中，根据传递的name字段到数据库查询用户信息，如果查不到用户，直接抛出错误，如果查询到用户信息，则把用户名，密码，权限包装到User中。

   package com.wesdata.com.service;
   
   import com.wesdata.com.bean.Employee;
   import com.wesdata.com.mapper.EmployeeMapper;
   import org.springframework.beans.factory.annotation.Autowired;
   import org.springframework.security.core.GrantedAuthority;
   import org.springframework.security.core.authority.AuthorityUtils;
   import org.springframework.security.core.userdetails.User;
   import org.springframework.security.core.userdetails.UserDetails;
   import org.springframework.security.core.userdetails.UserDetailsService;
   import org.springframework.security.core.userdetails.UsernameNotFoundException;
   import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
   import org.springframework.stereotype.Service;
   
   import java.util.*;
   
   // 注册一个service
   @Service("userDetailsService")
   public class MyUserDetailService implements UserDetailsService {
   
       @Autowired
       EmployeeMapper employeeMapper;
       
       // 主要作用就是根据名字获取用户信息，然后构建一个User对象，提供给调用者
       @Override
       public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
   
           // 从数据库根据name查询用户信息
           Employee employee = employeeMapper.findEmpByName(name);
           if (employee == null) {
               throw new UsernameNotFoundException("用户名" + name + "不存在");
           }
   
           // 设置加密方式
           BCryptPasswordEncoder passwordEncoder =  new BCryptPasswordEncoder();
           String password = passwordEncoder.encode(employee.getPassword());
   
           // 权限是一个集合
           List<GrantedAuthority> auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin");
   
           // 把用户名、密码、权限返给调用者，系统会自己对密码进行比较，注意，系统只会对密码进行比较，所以这里name传任何值都能通过
           return new User(employee.getName(), password, auths);
       }
   }
   
   

二、集成JWT

集成jwt就不能走spring的自动登录流程了，整体思路就是，手动调用系统的认证功能，认证成功，生成token返回给前端，前端对token进行缓存，当请求其他api时，将token通过请求头携带上。在过滤器中，对token进行检查。

1. 配置

   • 对登录路径设置无需授权即可访问
   • 禁用session
   • 将token过滤器插入到过滤器链中
   • 将登录管理器注入到IOC容器中

   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
       JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
       
       
       // 配置自定义登录页面
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http
                   .authorizeRequests()
                   // ==1.权限设置==
                   .antMatchers(
                           "/user/login"
                   )
                   /**
                    * 对前面路由设置 访问权限
                    * anonymous：仅限匿名用户访问
                    * authenticated: 仅限认证的用户才能访问
                    * permitAll: 所有用户都可以方位
                    * */
                   .permitAll()
                   .and().csrf().disable() // 开启跨域访问
                   // ==2.禁用session==
                   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); 
   
           // ==3.配置过滤日==
           // 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面
           http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
       }
       
       // == 4.将登录管理器 注入IOC容器中 ==
       @Bean
       @Override
       public AuthenticationManager authenticationManagerBean() throws Exception{
           return super.authenticationManagerBean();
       }
   }
   

   2. 编写登录控制器

      package com.wesdata.com.controller;
      
      import com.wesdata.com.bean.User;
      import com.wesdata.com.domain.ResponseResult;
      import com.wesdata.com.mapper.UserMapper;
      import com.wesdata.com.utils.JwtUtil;
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.security.access.annotation.Secured;
      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.annotation.AuthenticationPrincipal;
      import org.springframework.security.core.context.SecurityContextHolder;
      import org.springframework.stereotype.Controller;
      import org.springframework.web.bind.annotation.*;
      
      import java.util.HashMap;
      import java.util.Map;
      import java.util.Objects;
      
      import com.alibaba.fastjson.JSONObject;
      
      @RequestMapping("user")
      @RestController
      public class UserController {
      
          @Autowired
          AuthenticationManager authenticationManager;
      
          @Autowired
          UserMapper userMapper;
      
          @RequestMapping("login")
          public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) {
              
              // 在这里进行主动登录 *** 作
              UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password);
              Authentication authentication = authenticationManager.authenticate(usernamePasswordToken);
              if (Objects.isNull(authentication)) {
                  return new ResponseResult("登录失败");
              } else {
                  // "登录成功";
                  String token = JwtUtil.createJwt(name , "15");
                  System.out.println(token);
                  Map<String, String> data = new HashMap<>();
                  data.put("token", token);
                  return ResponseResult.success(data);
              }
          }
      
          @RequestMapping("logout")
          public String logout() {
              Authentication auth = SecurityContextHolder.getContext().getAuthentication();
              // UsernamePasswordAuthenticationToken的第一个参数
              auth.getPrincipal();
              return "logout success";
          }
      }
      
      

   3. 编写token过滤器

      package com.wesdata.com.filter;
      
      import com.wesdata.com.utils.JwtUtil;
      import io.jsonwebtoken.Claims;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.core.authority.SimpleGrantedAuthority;
      import org.springframework.security.core.context.SecurityContextHolder;
      import org.springframework.stereotype.Component;
      import org.springframework.web.filter.OncePerRequestFilter;
      
      import javax.servlet.FilterChain;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import java.io.IOException;
      import java.util.ArrayList;
      import java.util.List;
      import java.util.Objects;
      
      @Component
      public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
      
          @Override
          protected void doFilterInternal(HttpServletRequest request,
                                          HttpServletResponse response,
                                          FilterChain filterChain)
          {
              String token = request.getHeader("token");
      
              // 对于不带token的请求，直接进入下一个过滤器
              if (Objects.isNull(token)) {
                  try {
                      filterChain.doFilter(request, response);
                  } catch (Exception e) {
                      System.out.println(e.getMessage());
                  }
                  return;
              }
      
              Claims body = JwtUtil.parseToken(token);
              String name = body.get("userName").toString();
              String id = body.get("userId").toString();
              System.out.println(name);
              System.out.println(id);
      
              // 权限列表
              List<SimpleGrantedAuthority> authorities = new ArrayList<>();
              authorities.add( new SimpleGrantedAuthority("student"));
      
              // 这里非常关键
              UsernamePasswordAuthenticationToken authenticationToken =
                      new UsernamePasswordAuthenticationToken(name, null, authorities);
      
              SecurityContextHolder
                      .getContext()
                      .setAuthentication(authenticationToken);
              
              try {
                  filterChain.doFilter(request, response);
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }
      }
      
      

本文由博客一文多发平台 OpenWrite 发布！