參考文章
【全網最細致】SpringBoot整合Spring Security + JWT實現用戶認證
需求
- 結合jwt實現登錄功能,采用自帶/login接口
- 實現權限控制
熟悉下SpringSecurity
SpringSecurity 采用的是責任鏈的設計模式,是一堆過濾器鏈的組合,它有一條很長的過濾器鏈
集成過程中主要重寫過濾器、處理器和配置文件
ps:流程圖可以去其他博客看
以下是實現過濾器和處理器
- LogoutSuccessHandler–登出處理器
- AuthenticationSuccessHandler–登錄認證成功處理器
- AuthenticationFailureHandler–登錄認證失敗處理器
- UserDetailsService–接口十分重要,用于從數據庫中驗證用戶名密碼
- AccessDeniedHandler–用戶發起無權限訪問請求的處理器 PasswordEncoder–密碼驗證器
- OncePerRequestFilter–認證一次請求只通過一次filter,而不需要重復執行
集成開始
引入依賴包
SpringSecurity
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>
jwt
<dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.1</version></dependency>
kaptcha制作驗證碼
<dependency><groupId>com.github.penggle</groupId><artifactId>kaptcha</artifactId><version>2.3.2</version></dependency>
另外還有一些工具類,reids等依賴包
數據庫準備(簡單實現,后續根據實際情況設計結構)
準備
user用戶表
role角色表
menu菜單表
role_menu角色菜單關系表
user_role用戶角色關系表
kaptcha驗證類
DefaultKaptcha 是驗證碼配置類
KaptchaTextCreator是驗證碼生成邏輯類,配置在DefaultKaptcha
@Configuration
public class KaptchaConfig {/*** @Title: CaptchaConfig* @Description: 文字驗證碼* @Parameters:* @Return*/@Bean(name = "captchaProducer")public DefaultKaptcha getKaptchaBean(){DefaultKaptcha defaultKaptcha = new DefaultKaptcha();Properties properties = new Properties();// 是否有邊框 默認為true 我們可以自己設置yes,noproperties.setProperty(KAPTCHA_BORDER, "yes");// 驗證碼文本字符顏色 默認為Color.BLACKproperties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_COLOR, "black");// 驗證碼圖片寬度 默認為200properties.setProperty(KAPTCHA_IMAGE_WIDTH, "160");// 驗證碼圖片高度 默認為50properties.setProperty(KAPTCHA_IMAGE_HEIGHT, "60");// 驗證碼文本字符大小 默認為40properties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_SIZE, "38");// KAPTCHA_SESSION_KEYproperties.setProperty(KAPTCHA_SESSION_CONFIG_KEY, "kaptchaCode");// 驗證碼文本字符長度 默認為5properties.setProperty(KAPTCHA_TEXTPRODUCER_CHAR_LENGTH, "4");// 驗證碼文本字體樣式 默認為new Font("Arial", 1, fontSize), new Font("Courier", 1, fontSize)properties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_NAMES, "Arial,Courier");// 圖片樣式 水紋com.google.code.kaptcha.impl.WaterRipple 魚眼com.google.code.kaptcha.impl.FishEyeGimpy 陰影com.google.code.kaptcha.impl.ShadowGimpyproperties.setProperty(KAPTCHA_OBSCURIFICATOR_IMPL, "com.google.code.kaptcha.impl.ShadowGimpy");Config config = new Config(properties);defaultKaptcha.setConfig(config);return defaultKaptcha;}/*** @Title: CaptchaConfig* @Description: 加法驗證碼* @Parameters:* @Return*/@Bean(name = "captchaProducerMath")public DefaultKaptcha getKaptchaBeanMath(){DefaultKaptcha defaultKaptcha = new DefaultKaptcha();Properties properties = new Properties();// 是否有邊框 默認為true 我們可以自己設置yes,noproperties.setProperty(KAPTCHA_BORDER, "yes");// 邊框顏色 默認為Color.BLACKproperties.setProperty(KAPTCHA_BORDER_COLOR, "105,179,90");// 驗證碼文本字符顏色 默認為Color.BLACKproperties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_COLOR, "blue");// 驗證碼圖片寬度 默認為200properties.setProperty(KAPTCHA_IMAGE_WIDTH, "160");// 驗證碼圖片高度 默認為50properties.setProperty(KAPTCHA_IMAGE_HEIGHT, "60");// 驗證碼文本字符大小 默認為40properties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_SIZE, "35");// KAPTCHA_SESSION_KEYproperties.setProperty(KAPTCHA_SESSION_CONFIG_KEY, "kaptchaCodeMath");// 驗證碼文本生成器properties.setProperty(KAPTCHA_TEXTPRODUCER_IMPL, "com.gpd.security.config.KaptchaTextCreator");// 驗證碼文本字符間距 默認為2properties.setProperty(KAPTCHA_TEXTPRODUCER_CHAR_SPACE, "3");// 驗證碼文本字符長度 默認為5properties.setProperty(KAPTCHA_TEXTPRODUCER_CHAR_LENGTH, "6");// 驗證碼文本字體樣式 默認為new Font("Arial", 1, fontSize), new Font("Courier", 1, fontSize)properties.setProperty(KAPTCHA_TEXTPRODUCER_FONT_NAMES, "Arial,Courier");// 驗證碼噪點顏色 默認為Color.BLACKproperties.setProperty(KAPTCHA_NOISE_COLOR, "white");// 干擾實現類properties.setProperty(KAPTCHA_NOISE_IMPL, "com.google.code.kaptcha.impl.NoNoise");// 圖片樣式 水紋com.google.code.kaptcha.impl.WaterRipple 魚眼com.google.code.kaptcha.impl.FishEyeGimpy 陰影com.google.code.kaptcha.impl.ShadowGimpyproperties.setProperty(KAPTCHA_OBSCURIFICATOR_IMPL, "com.google.code.kaptcha.impl.ShadowGimpy");Config config = new Config(properties);defaultKaptcha.setConfig(config);return defaultKaptcha;}
}
package com.gpd.security.config;
import com.google.code.kaptcha.text.impl.DefaultTextCreator;
import java.util.Random;
public class KaptchaTextCreator extends DefaultTextCreator {private static final String[] CNUMBERS = "0,1,2,3,4,5,6,7,8,9,10".split(",");@Overridepublic String getText() {Integer result = 0;/*** @Title: KaptchaTextCreator* @Description: 生成0-10隨機數* @Parameters:* @Return*/Random random = new Random();int x = random.nextInt(10);int y = random.nextInt(10);/*** @Title: KaptchaTextCreator* @Description: StringBuilder 用于字符串拼接,但效率更高* @Parameters:* @Return*/StringBuilder suChinese = new StringBuilder();/*** @Title: KaptchaTextCreator* @Description: 生成0-2隨機數,用來生成加減乘除* @Parameters:* @Return*/int randomoperands = (int) Math.round(Math.random() * 2);if (randomoperands == 0){result = x * y;suChinese.append(CNUMBERS[x]);suChinese.append("*");suChinese.append(CNUMBERS[y]);}else if (randomoperands == 1){if (!(x == 0) && y % x == 0){result = y / x;suChinese.append(CNUMBERS[y]);suChinese.append("/");suChinese.append(CNUMBERS[x]);}else{result = x + y;suChinese.append(CNUMBERS[x]);suChinese.append("+");suChinese.append(CNUMBERS[y]);}}else if (randomoperands == 2){if (x >= y){result = x - y;suChinese.append(CNUMBERS[x]);suChinese.append("-");suChinese.append(CNUMBERS[y]);}else{result = y - x;suChinese.append(CNUMBERS[y]);suChinese.append("-");suChinese.append(CNUMBERS[x]);}}else{result = x + y;suChinese.append(CNUMBERS[x]);suChinese.append("+");suChinese.append(CNUMBERS[y]);}suChinese.append("=?@" + result);return suChinese.toString();}
}
獲取驗證碼Controller
有2中驗證碼返回方式:圖片和base64編碼,結果是存儲在redis上
驗證碼類型:數字、文字字符串
@Slf4j
@RestController
@RequestMapping("/auth")
@Api(tags = "系統:系統授權接口")
public class AuthenticationController {@Resource(name = "captchaProducer")private Producer captchaProducer;@Resource(name = "captchaProducerMath")private Producer captchaProducerMath;// 驗證碼類型@Value("${kaptche.captchaType}")private String captchaType;// 驗證碼有效時間@Value("${kaptche.expiration}")private Long captchaExpiration;@Autowiredprivate RedisUtils redisUtil;@ApiOperation("獲取驗證碼")@GetMapping(value = "/captcha")public ResponseEntity Captcha() throws IOException {String code = null;BufferedImage image = null;// 生成驗證碼Map<String, Object> bufferedImage = getBufferedImage(captchaType);image = (BufferedImage) bufferedImage.get("image");code = (String) bufferedImage.get("code");// 轉換流信息寫出FastByteArrayOutputStream os = new FastByteArrayOutputStream();ImageIO.write(image, "jpg", os);String str = "data:image/jpeg;base64,";String base64Img = str + Base64.encode(os.toByteArray());String key = UUID.randomUUID().toString();Map<Object, Object> result = MapUtil.builder().put("userKey", key).put("captcherImg", base64Img).build();redisUtil.set("captcha:"+key, code, captchaExpiration);return new ResponseEntity(result, HttpStatus.OK);}@ApiOperation("獲取驗證碼圖片")@GetMapping("/getCaptImg")public void getCaptImg(HttpServletResponse response, HttpSession session) throws IOException {String code = null;BufferedImage image = null;// 生成驗證碼Map<String, Object> bufferedImage = getBufferedImage(captchaType);image = (BufferedImage)bufferedImage.get("image");code = (String) bufferedImage.get("code");response.setContentType("image/png");OutputStream os = response.getOutputStream();ImageIO.write(image,"png",os);}private Map<String, Object> getBufferedImage(String captchaType) {String capStr = null, code = null;BufferedImage image = null;if ("math".equals(captchaType)) {String capText = captchaProducerMath.createText();capStr = capText.substring(0, capText.lastIndexOf("@"));code = capText.substring(capText.lastIndexOf("@") + 1);image = captchaProducerMath.createImage(capStr);} else if ("char".equals(captchaType)) {capStr = code = captchaProducer.createText();image = captchaProducer.createImage(capStr);}Map<String, Object> result = new HashMap<>();result.put("code", code);result.put("image", image);return result;}
}
利用postman調用,返回結果去轉碼,這個校驗步驟不要缺,因為有可能生成的base64不能用
準備一個jwt工具類
有3個功能:生成jwt、解析jwt、判斷jwt是否過期
jwt配置
jwt:header: Authorization# 密鑰secret: mySecret# token 過期時間/毫秒,6小時 1小時 = 3600000 毫秒expiration: 21600000# 在線用戶keyonline: online-token# 驗證碼codeKey: code-key
import com.gpd.security.model.JwtUser;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Clock;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.DefaultClock;
import lombok.Data;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;import javax.servlet.http.HttpServletRequest;
import java.io.Serializable;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.function.Function;@Data
@Component
public class JwtUtils implements Serializable {@Value("${jwt.secret}")private String secret; // @Value("${jwt.expiration}")private Long expiration;@Value("${jwt.header}")private String tokenHeader;private Clock clock = DefaultClock.INSTANCE;/***創建token* @return*/public String generateToken(Map<String, Object> claims, String subject) {return Jwts.builder()//鏈式編程 添加頭.setHeaderParam("typ","JWT").setHeaderParam("alg","HS512")//payload 載荷.setClaims(claims)//主題.setSubject(subject)//有效期.setExpiration(new Date(clock.now().getTime() + expiration))//設置id.setId(UUID.randomUUID().toString())//signature簽名.signWith(SignatureAlgorithm.HS512, secret)//拼接前面三個.compact();}public String generateToken(String username) {Date nowDate = new Date();return Jwts.builder().setHeaderParam("typ", "JWT").setSubject(username).setIssuedAt(nowDate).setExpiration(new Date(clock.now().getTime() + expiration)).signWith(SignatureAlgorithm.HS512, secret).compact();}/*** 校驗token* @return*/public Boolean validateToken(String token,UserDetails userDetails){JwtUser user = (JwtUser) userDetails;final Date created = getIssuedAtDateFromToken(token);return (!isTokenExpired(token)&& !isCreatedBeforeLastPasswordReset(created, user.getLastPasswordResetDate()));}/*** 獲取token* @param request* @return*/public String getToken(HttpServletRequest request){final String requestHeader = request.getHeader(tokenHeader);if (requestHeader != null && requestHeader.startsWith("Bearer ")) {return requestHeader.substring(7);}return null;}// 判斷JWT是否過期public boolean isTokenExpired(Claims claims) {return claims.getExpiration().before(new Date());}private Date getIssuedAtDateFromToken(String token) {return getClaimFromToken(token, Claims::getIssuedAt);}private <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {final Claims claims = getAllClaimsFromToken(token);return claimsResolver.apply(claims);}public Claims getAllClaimsFromToken(String token) {return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();}private Boolean isTokenExpired(String token) {final Date expiration = getExpirationDateFromToken(token);return expiration.before(clock.now());}private Date getExpirationDateFromToken(String token) {return getClaimFromToken(token, Claims::getExpiration);}private Boolean isCreatedBeforeLastPasswordReset(Date created, Date lastPasswordReset) {return (lastPasswordReset != null && created.before(lastPasswordReset));}
}
統一封裝結果Result
我是采用了org.springframework.http自帶的ResponseEntity,更簡易自己封裝一個更好的。以下的代碼是用了ResponseEntity來封裝結果。
這個是參考的Result統一類
import lombok.Data;
import java.io.Serializable;
@Data
public class Result implements Serializable {private int code;private String msg;private Object data;public static Result succ(Object data) {return succ(200, "操作成功", data);}public static Result fail(String msg) {return fail(400, msg, null);}public static Result succ (int code, String msg, Object data) {Result result = new Result();result.setCode(code);result.setMsg(msg);result.setData(data);return result;}public static Result fail (int code, String msg, Object data) {Result result = new Result();result.setCode(code);result.setMsg(msg);result.setData(data);return result;}
}
寫登錄認證成功、失敗處理器LoginSuccessHandler、LoginFailureHandler
自定義一個驗證碼錯誤異常
public class CaptchaException extends AuthenticationException {public CaptchaException(String msg) {super(msg);}
}
LoginSuccessHandler 登錄成功處理邏輯
onAuthenticationSuccess是登錄成功后:更新用戶最后登錄時間和把用戶登錄信息寫入redis
OnlineUser是獨立出來的線上用戶實體類
redisUtils工具類網上很多
/*** 登錄成功處理邏輯*/
@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {@Autowiredprivate JwtUtils jwtUtils;@Autowiredprivate RedisUtils redisUtils;@Value("${jwt.online}")private String onlineKey;@Value("${jwt.expiration}")private Long expiration;@Autowiredprivate UserMapper userMapper;@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException {AuthenticationSuccessHandler.super.onAuthenticationSuccess(request, response, chain, authentication);}@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {httpServletResponse.setContentType("application/json;charset=UTF-8");ServletOutputStream outputStream = httpServletResponse.getOutputStream();// 生成JWT,并放置到請求頭中Map<String, Object> claims = new HashMap<>();AccountUser accountUser = (AccountUser) authentication.getPrincipal();String subject = accountUser.getUsername();Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();claims.put("username", subject);claims.put("id", accountUser.getUserId());claims.put("permissionsJson", JsonUtils.objectToJson(authorities));String jwt = jwtUtils.generateToken(claims, subject);User user = new User();user.setId(accountUser.getUserId());user.setLastPasswordResetTime(new Date());userMapper.updateById(user);redisUtils.set(onlineKey + ":" + subject, saveOnlineUser(subject, jwt), TimeUnit.MILLISECONDS, expiration);httpServletResponse.setHeader(jwtUtils.getTokenHeader(), jwt);ResponseEntity responseEntity = new ResponseEntity("SuccessLogin", HttpStatus.OK);outputStream.write(JsonUtils.objectToJson(responseEntity).getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}private OnlineUser saveOnlineUser(String username, String jwt) {OnlineUser onlineUser = new OnlineUser();onlineUser.setUserName(username);onlineUser.setToken(jwt);return onlineUser;}
}
LoginFailureHandler 登錄失敗處理邏輯
/*** 登錄失敗處理邏輯*/
@Component
public class LoginFailureHandler implements AuthenticationFailureHandler {@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse httpServletResponse, AuthenticationException exception) throws IOException, ServletException {httpServletResponse.setContentType("application/json;charset=UTF-8");ServletOutputStream outputStream = httpServletResponse.getOutputStream();String errorMessage = "用戶名或密碼錯誤";ResponseEntity responseEntity;if (exception instanceof CaptchaException) {errorMessage = "驗證碼錯誤";responseEntity = new ResponseEntity(errorMessage, HttpStatus.BAD_REQUEST);} else {responseEntity = new ResponseEntity(errorMessage, HttpStatus.BAD_REQUEST);}outputStream.write(JsonUtils.objectToJson(responseEntity).getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}
JWT認證失敗處理器JwtAuthenticationEntryPoint
處理匿名用戶訪問無權限資源時的異常(即未登錄,或者登錄狀態過期失效)
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse httpServletResponse, AuthenticationException authException) throws IOException, ServletException {httpServletResponse.setContentType("application/json;charset=UTF-8");httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);ServletOutputStream outputStream = httpServletResponse.getOutputStream();Map<Object, Object> result = MapUtil.builder().put("msg", "請先登錄").build();ResponseEntity responseEntity = new ResponseEntity(result, HttpStatus.BAD_REQUEST);outputStream.write(JSONUtil.toJsonStr(responseEntity).getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}
無權限訪問的處理:AccessDenieHandler
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {httpServletResponse.setContentType("application/json;charset=UTF-8");httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);ServletOutputStream outputStream = httpServletResponse.getOutputStream();Map<Object, Object> result = MapUtil.builder().put("msg", accessDeniedException.getMessage()).build();ResponseEntity responseEntity = new ResponseEntity(result, HttpStatus.BAD_REQUEST);outputStream.write(JSONUtil.toJsonStr(responseEntity).getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}
登出處理器LogoutSuccessHandler
@Component
public class JwtLogoutSuccessHandler implements LogoutSuccessHandler {@AutowiredJwtUtils jwtUtils;@Overridepublic void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {if (authentication != null) {new SecurityContextLogoutHandler().logout(httpServletRequest, httpServletResponse, authentication);}httpServletResponse.setContentType("application/json;charset=UTF-8");ServletOutputStream outputStream = httpServletResponse.getOutputStream();httpServletResponse.setHeader(jwtUtils.getTokenHeader(), "");Map<Object, Object> dataMap = MapUtil.builder().put("msg","SuccessLogout").build();ResponseEntity responseEntity = new ResponseEntity(dataMap, HttpStatus.BAD_REQUEST);outputStream.write(JSONUtil.toJsonStr(responseEntity).getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}
密碼加密解密:PasswordEncoder
PasswordEncoder 根絕實際的加密情況進行校驗
@NoArgsConstructor //生成無參構造方法
public class PasswordEncoder extends BCryptPasswordEncoder {// 密碼解密加密校驗邏輯@Overridepublic boolean matches(CharSequence rawPassword, String encodedPassword) {// 對前端的密碼進行加密再跟數據庫密碼校驗(比較簡單 建議采取更好的方案)String pwd = EncryptUtils.encryptPassword(rawPassword.toString());if (pwd.equals(encodedPassword)){return true;}return false;}
}
實現UserDetailsService
從數據庫中驗證用戶名、密碼是否正確這種認證方式
創建實體類實現UserDetails
Spring Security在拿到UserDetails之后,會去對比Authentication,Authentication是表單提交的數據
public class AccountUser implements UserDetails {private Long userId;private static final long serialVersionUID = 540L;private String password;private final String username;private final Collection<? extends GrantedAuthority> authorities;private final boolean accountNonExpired; //賬號是否過期private final boolean accountNonLocked; // 賬號是否鎖定private final boolean credentialsNonExpired; // 密碼是否過期private final boolean enabled; // 系統是否啟用public AccountUser(Long userId, String username, String password,Collection<? extends GrantedAuthority> authorities) {this(userId, username, password, true, true, true, true,authorities);}public AccountUser(Long userId, String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {Assert.isTrue(username != null && !"".equals(username) && password != null, "Cannot pass null or empty values to constructor");this.userId = userId;this.username = username;this.password = password;this.enabled = enabled;this.accountNonExpired = accountNonExpired;this.credentialsNonExpired = credentialsNonExpired;this.accountNonLocked = accountNonLocked;this.authorities = authorities;}@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return this.authorities;}@Overridepublic String getPassword() {return this.password;}@Overridepublic String getUsername() {return this.username;}public Long getUserId() {return this.userId;}@Overridepublic boolean isAccountNonExpired() {return this.accountNonExpired;}@Overridepublic boolean isAccountNonLocked() {return accountNonLocked;}@Overridepublic boolean isCredentialsNonExpired() {return credentialsNonExpired;}@Overridepublic boolean isEnabled() {return enabled;}
}
自定義一個UserService,UserServiceImpl,UserMapper
實現數據庫查詢用戶信息和權限接口,這里配合了mybatis-plus
用戶信息和權限是分開查詢了,建議重新封裝
UserService
public interface UserService {User getByUsername(String userName);List<String> getPermissionsById(Long id);
}
UserServiceImpl
@Service
public class UserServiceImpl implements UserService {@Autowiredprivate UserMapper userMapper;/*** 根據名稱獲取用戶信息* @param userName* @return*/@Overridepublic User getByUsername(String userName) {return userMapper.findByRealname(userName);}/*** 根據id獲取用戶權限* @param id* @return*/@Overridepublic List<String> getPermissionsById(Long id){return userMapper.getPermissionsById(id);}
}
UserMapper
@Mapper
public interface UserMapper extends BaseMapper<User> {@Select("select * from user where user_name = #{realname}")User findByRealname(String realname);@Select("SELECT DISTINCT m.permission FROM menu m LEFT JOIN role_menu rm ON rm.menu_id=m.id LEFT JOIN user_role ur ON ur.role_id=rm.role_id LEFT JOIN USER u ON u.id=ur.user_id WHERE u.id= #{id}")List<String> getPermissionsById(Long id);
}
實現UserDetailServiceImpl
重寫loadUserByUsername,從數據庫獲取用戶信息和權限
這里的權限其實只是一個字符串,比如查詢權限(tOrder:list),修改權限(tOrder:update)
設計的權限是菜單的權限,根據用戶對應的角色,獲取所有菜單權限,前端根據權限展示
當然也可以修改成按角色的權限
菜單權限數據例子
@Service
public class UserDetailServiceImpl implements UserDetailsService {@Autowiredprivate UserService userService;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userService.getByUsername(username);if (user == null) {throw new UsernameNotFoundException("用戶名或密碼錯誤");}// 查詢權限List<String> permissions = userService.getPermissionsById(user.getId());List<GrantedAuthority> grantedAuthoritys = new ArrayList<>();if (CollectionUtil.isNotEmpty(permissions)){for (String permission:permissions) {grantedAuthoritys.add(new SimpleGrantedAuthority(permission));}}AccountUser accountUser = new AccountUser(user.getId(), user.getUsername(), user.getPassword(),grantedAuthoritys);return accountUser;}
}
實現了上述幾個接口,從數據庫中驗證用戶名、密碼的過程將由框架幫我們完成,是封裝隱藏了,所以不懂Spring Security的人可能會對登錄過程有點懵,不知道是怎么判定用戶名密碼是否正確的
重寫OncePerRequestFilter
認證一次請求只通過一次filter,而不需要重復執行。邏輯是登錄接口則校驗驗證碼是否正確,然后刪除驗證碼,其他接口則校驗jwt
@Component
public class JwtAuthorizationTokenFilter extends OncePerRequestFilter {@Value("${jwt.online}")private String onlineKey;@AutowiredRedisUtils redisUtils;@AutowiredLoginFailureHandler loginFailureHandler;@Autowiredprivate JwtUtils jwtUtils;@Autowiredprivate UserDetailsService userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {String url = request.getRequestURI();// 如果是登錄接口,則進行驗證碼校驗if ("/admin-api/login".equals(url) && request.getMethod().equals("POST")) {// 校驗驗證碼try {validate(request);} catch (CaptchaException e) {// 交給認證失敗處理器loginFailureHandler.onAuthenticationFailure(request, response, e);}}String jwt = jwtUtils.getToken(request);if (null != jwt){Claims claim = jwtUtils.getAllClaimsFromToken(jwt);if (claim == null) {throw new JwtException("token 異常");}if (jwtUtils.isTokenExpired(claim)) {throw new JwtException("token 已過期");}String username = claim.getSubject(); //用戶名稱OnlineUser onlineUser = (OnlineUser)redisUtils.get(onlineKey+":"+ username);if (null != onlineUser && SecurityContextHolder.getContext().getAuthentication() == null){UserDetails userDetails = userDetailsService.loadUserByUsername(username);UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authentication);}}filterChain.doFilter(request, response);}// 校驗驗證碼邏輯private void validate(HttpServletRequest httpServletRequest) {String code = httpServletRequest.getParameter("code");String key = httpServletRequest.getParameter("userKey");if (StringUtils.isBlank(code) || StringUtils.isBlank(key)) {throw new CaptchaException("驗證碼錯誤");}if (!code.equals(redisUtils.get("captcha:"+key))) {throw new CaptchaException("驗證碼錯誤");}// 若驗證碼正確,執行以下語句// 一次性使用redisUtils.remove("captcha:"+key);}}
準備工作完成,配置SecurityConfig
這個配置是結合上面的類寫的,設置不攔截登錄接口,驗證碼接口,swagger等接口
@Configuration
@EnableWebSecurity //開啟Spring Security的功能
@RequiredArgsConstructor
//prePostEnabled屬性決定Spring Security在接口前注解是否可用@PreAuthorize,@PostAuthorize等注解,設置為true,會攔截加了這些注解的接口
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {@AutowiredLoginFailureHandler loginFailureHandler;@AutowiredLoginSuccessHandler loginSuccessHandler;@AutowiredJwtAuthorizationTokenFilter jwtAuthorizationTokenFilter;@AutowiredJwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;@AutowiredJwtAccessDeniedHandler jwtAccessDeniedHandler;@AutowiredUserDetailServiceImpl userDetailService;@AutowiredJwtLogoutSuccessHandler jwtLogoutSuccessHandler;/*** 白名單請求*/private static final String[] URL_WHITELIST = {"/login","/logout","/auth/captcha","/swagger-ui/*","/swagger-resources/**","/v3/api-docs"};@BeanPasswordEncoder PasswordEncoder() {return new PasswordEncoder();}@Overrideprotected void configure(HttpSecurity http) throws Exception {http// 支持跨域.cors().and()// CRSF禁用,因為不使用session 可以預防CRSF攻擊.csrf().disable()// 登錄配置.formLogin().successHandler(loginSuccessHandler).failureHandler(loginFailureHandler).and().logout().logoutSuccessHandler(jwtLogoutSuccessHandler)// 禁用session.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)// 配置攔截規則.and().authorizeRequests().antMatchers(URL_WHITELIST).permitAll().anyRequest().authenticated() // 其余請求都需要過濾// 異常處理器.and().exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).accessDeniedHandler(jwtAccessDeniedHandler);// 配置自定義的過濾器http.addFilterBefore(jwtAuthorizationTokenFilter, UsernamePasswordAuthenticationFilter.class);}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailService);}}
測試登錄
目前2個用戶數據
admin 所有權限
pedro 沒有權限
從頭部獲取token
測試一個查詢接口,設置了權限,admin賬號是有全部權限
@Slf4j
@RestController
@RequestMapping("/api/tOrder")
@Api(value = "訂單模塊")
public class TOrderController {@ApiOperation(value = "查詢訂單接口")@PreAuthorize("@pe.check('tOrder:list')")@GetMappingpublic ResponseEntity queryOrder(){log.info("查詢訂單接口");Map<String,Object> result = new HashMap<>();result.put("1",1);return new ResponseEntity(result, HttpStatus.OK);}
}
測試用過,然后測試沒有權限的pedro用戶
應用開發——http的使用)
(結構體))
算法總結)
![LeetCode [中等]矩陣置零](http://pic.xiahunao.cn/LeetCode [中等]矩陣置零)
