目錄
一、權限控制
二、相關框架
1、shiro
2、springsecurity
三、springsecurity使用流程
1、搭建環境實現默認用戶名和密碼登錄
2、使用數據庫表中定義好的用戶名和密碼訪問實現等值密碼匹配
1)sql文件
2)搭建jdbc或者mybatis或者mybatis-plus環境
3)配置mybatis-plus環境
4)使用mybatisX 生成基本的service和mapper
5)創建一個類實現UserDetailsService接口 ,重寫方法(根據用戶名到數據庫中查找用戶對象)
6)創建一個LoginUser實現UserDetails接口,封裝用戶信息
3、加密機制 自定義密碼匹配器
1)創建加密對象
2)使用測試類,生成臨時密碼,測試匹配方法
4、自定義登錄接口
5、token字符串的生成
一、權限控制
1、認證:是否登錄成功。
2、授權:權限控制,授予權限、校驗權限。
二、相關框架
1、shiro
Shiro 是 apache權限框架,較之 JAAS 和 Spring Security,Shiro 在保持強大功能的同時,還在簡單性和靈活性方面擁有巨大優勢。 Shiro 是一個強大而靈活的開源安全框架,能夠非常清晰的處理認證、授權、管理會話以及密碼加密。
2、springsecurity
Spring Security 是 Spring家族中的一個安全管理框架。相比與另外一個安全框架Shiro,它提供了更豐富的功能,社區資源也比Shiro豐富。
一般來說中大型的項目都是使用SpringSecurity來做安全框架。
小項目用Shiro的比較多,因為相比與SpringSecurity,Shiro的上手更加的簡單。
springsecurity 和 其他組件的簡單交互
前后端分離場景下,登錄校驗流程的核心思路:token。 Token是服務端生成的一串字符串,以作客戶端進行請求的一個令牌,當第一次登錄后,服務器生成一個Token便將此Token返回給客戶端,以后客戶端只需帶上這個Token前來請求數據即可,無需再次帶上用戶名和密碼。
使用token機制的身份驗證方法,在服務器端不需要存儲用戶的登錄記錄;但服務端仍需妥善保管簽名密鑰,且在token過期之前無法在純無狀態的前提下將其撤銷。
JWT:JWT全面解讀、詳細使用步驟 - 簡書
三、springsecurity使用流程
1、搭建環境實現默認用戶名和密碼登錄
springboot環境+springweb+springsecurity權限jar包
訪問目標方法時,自動跳轉到/login接口,輸入用戶名user和默認密碼,登錄成功后,自動跳轉到目標方法。
2、使用數據庫表中定義好的用戶名和密碼訪問實現等值密碼匹配
1)sql文件
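-- User table read by UserDetailsServiceImpl (lookup is on user_name).
DROP TABLE IF EXISTS `sys_user`;
CREATE TABLE `sys_user` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT COMMENT '主鍵',
  -- NOTE: DEFAULT 'NULL' on the NOT NULL columns is the four-character string "NULL", not SQL NULL.
  `user_name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT 'NULL' COMMENT '用戶名',
  `nick_name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT 'NULL' COMMENT '昵稱',
  -- 64 characters is enough for a BCrypt hash (60 characters, see the $2a$10$... values in the test class).
  `password` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT 'NULL' COMMENT '密碼',
  `status` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT '0' COMMENT '賬號狀態(0正常 1停用)',
  `email` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '郵箱',
  `phonenumber` varchar(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '手機號',
  `sex` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '用戶性別(0男,1女,2未知)',
  `avatar` varchar(128) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '頭像',
  `user_type` char(1) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT '1' COMMENT '用戶類型(0管理員,1普通用戶)',
  `create_by` bigint(20) NULL DEFAULT NULL COMMENT '創建人的用戶id',
  `create_time` datetime NULL DEFAULT NULL COMMENT '創建時間',
  `update_by` bigint(20) NULL DEFAULT NULL COMMENT '更新人',
  `update_time` datetime NULL DEFAULT NULL COMMENT '更新時間',
  `del_flag` int(11) NULL DEFAULT 0 COMMENT '刪除標志(0代表未刪除,1代表已刪除)',
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '用戶表' ROW_FORMAT = Dynamic;

-- Seed row for step 2 (plain-text comparison). The {noop} prefix marks the password as
-- unencoded for Spring Security's default encoder; once the BCryptPasswordEncoder bean of
-- step 3 is in place this value must be replaced by a BCrypt hash.
INSERT INTO `sys_user` VALUES (1, '張三', '張三', '{noop}1234', '0', NULL, NULL, NULL, NULL, '1', NULL, NULL, NULL, NULL, 0);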
2)搭建jdbc或者mybatis或者mybatis-plus環境
<!-- MySQL JDBC driver; no version given here, presumably managed by the Spring Boot parent -->
<dependency>
    <groupId>com.mysql</groupId>
    <artifactId>mysql-connector-j</artifactId>
</dependency>
<!-- MyBatis-Plus starter; version pinned explicitly -->
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>3.5.3</version>
</dependency>
3)配置mybatis-plus環境
server:
  port: 8080

spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/springsecurity
    username: root
    # NOTE(review): plain-text root credentials in a committed config file. Supply them from
    # an environment variable or secrets store instead (constructed example: password: ${DB_PASSWORD}).
    password: 123456

mybatis-plus:
  configuration:
    # maps user_name -> userName etc. when populating SysUser
    map-underscore-to-camel-case: true
  type-aliases-package: com.hl.springsecurity01.domain
  mapper-locations: classpath:/mapper/*.xml
4)使用mybatisX 生成基本的service和mapper
5)創建一個類實現UserDetailsService接口 ,重寫方法(根據用戶名到數據庫中查找用戶對象)
package com.hl.springsecurity01.security;
?
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.hl.springsecurity01.domain.SysUser;
import com.hl.springsecurity01.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
?
import java.util.List;
?
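@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private SysUserService sysUserService;

    /**
     * Loads the sys_user row whose {@code user_name} column equals {@code username} and wraps
     * it in a {@link LoginUser} for Spring Security.
     *
     * @param username login name supplied by the client
     * @return the matching user as {@link UserDetails}
     * @throws UsernameNotFoundException when no row matches; the UserDetailsService contract
     *         requires an exception here, not a {@code null} return (the previous version
     *         returned null, which Spring Security treats as a contract violation)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Typed wrapper instead of the raw type; the username value is bound as a query parameter
        // by MyBatis-Plus rather than concatenated into the SQL.
        QueryWrapper<SysUser> queryWrapper = new QueryWrapper<>();
        queryWrapper.eq("user_name", username);
        List<SysUser> list = sysUserService.list(queryWrapper);

        if (list == null || list.isEmpty()) {
            // Generic message so the response does not reveal whether the account exists
            // (DaoAuthenticationProvider hides this exception behind BadCredentialsException by default anyway).
            throw new UsernameNotFoundException("用戶名或者密碼錯誤");
        }
        // NOTE(review): the table's status (1 = 停用) and del_flag columns are not consulted here,
        // and LoginUser.isEnabled() always returns true, so a disabled or soft-deleted row can still
        // log in — confirm whether that is intended.
        return new LoginUser(list.get(0));
    }
}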
6)創建一個LoginUser實現UserDetails接口,封裝用戶信息
package com.hl.springsecurity01.security;
?
import com.hl.springsecurity01.domain.SysUser;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
?
import java.util.Collection;
import java.util.Collections;
/*
創建類實現UsersDetail接口,存儲當前登錄成功的用戶信息*/
@Data
public class LoginUser implements UserDetails {

    // Row loaded from sys_user; carries the stored password hash.
    // NOTE(review): Lombok @Data generates toString() over this field, so if SysUser is also a
    // @Data class the password hash ends up in any log line that prints a LoginUser.
    private SysUser sysUser;

    public LoginUser() {
    }

    public LoginUser(SysUser sysUser) {
        this.sysUser = sysUser;
    }

    /** No roles are modelled yet: every user carries an empty authority list. */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return Collections.emptyList();
    }

    /** Stored (hashed) password, compared by the configured PasswordEncoder. */
    @Override
    public String getPassword() {
        return this.sysUser.getPassword();
    }

    @Override
    public String getUsername() {
        return this.sysUser.getUserName();
    }

    // The four account-state flags below are hard-wired to true; none of them is backed by a column.
    // NOTE(review): sys_user has status (1 = 停用) and del_flag, but isEnabled() ignores them, so a
    // disabled or soft-deleted account can still authenticate.
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}
3、加密機制 自定義密碼匹配器
1)創建加密對象
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers BCrypt as the application's password encoder. Default strength is 10, which
     * matches the {@code $2a$10$...} hashes printed by the test class; stored passwords must be
     * BCrypt hashes from now on instead of {noop} plain text.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
2)使用測試類,生成臨時密碼,測試匹配方法
@SpringBootTest
class Springsecurity01ApplicationTests {

    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Hashes "1234" once and then checks two earlier hashes of the same password. The two
     * stored hashes differ from each other (and from the fresh one) because BCrypt embeds a
     * random salt, yet both verify.
     */
    @Test
    void contextLoads() {
        String pwd = passwordEncoder.encode("1234");
        System.out.println(pwd);

        // Two hashes previously generated for "1234" with cost 10.
        String hashA = "$2a$10$DpNgEn0fiYStJJ/EoYxf7uhBOMnuqK/UdBKmexX5KrEVPLuGQ0LsS";
        String hashB = "$2a$10$sLUel1CyTVY1kDWM5BwlNu1WMLMqlys00NIir0SiEgR0A5ItM1Vda";

        boolean flag1 = passwordEncoder.matches("1234", hashA);
        boolean flag2 = passwordEncoder.matches("1234", hashB);
        System.out.println(flag1);
        System.out.println(flag2);
    }
}
$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
││  │  │                     │
││  │  │                     └─ 哈希值(31字符,23字節)
││  │  └─ 鹽值(22字符,16字節)
││  └─ cost參數(12 → 2^12=4096輪迭代)
│└─ 算法版本(2a)
└─ 固定前綴
$<算法版本>$<cost>$<salt><hash>
修改數據庫的密碼為加密后的密碼再進行測試,填寫用戶名張三,密碼1234
4、自定義登錄接口
@RestController
public class LoginController {

    @Autowired
    private LoginService loginService;

    /**
     * Login endpoint; the two request parameters are passed straight to
     * {@link LoginService#login(String, String)}.
     * NOTE(review): @RequestMapping without a method restriction also accepts GET, so the
     * credentials can travel in the query string and land in access logs; limiting the mapping
     * to POST is the usual fix.
     *
     * @throws AuthenticationException propagated from the service when the credentials are rejected
     */
    @RequestMapping("/login")
    public R login(String username, String password) throws AuthenticationException {
        R result = loginService.login(username, password);
        return result;
    }
}
/** Authenticates a username/password pair and returns the API response that carries the token. */
public interface LoginService {

    /**
     * @param username login name
     * @param password clear-text password as submitted
     * @return response holding code, message and token on success
     * @throws AuthenticationException when the credentials are rejected
     */
    R login(String username, String password) throws AuthenticationException;
}
@Service
public class LoginServiceImpl implements LoginService {
    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * First cut of the login flow: runs the credentials through the AuthenticationManager and,
     * on success, returns a placeholder token string (a real JWT replaces it in the later version).
     *
     * NOTE(review): AuthenticationManager.authenticate() signals rejected credentials by throwing
     * Spring's unchecked AuthenticationException rather than returning null, so the null check
     * below is not expected to fire and a failed login propagates as an uncaught exception —
     * consistent with the "no prompt on failure" behaviour described after this listing. The
     * trailing {@code return null} hands a null body to the controller when the result is not
     * authenticated.
     *
     * @param username login name
     * @param password clear-text password
     * @return R with the placeholder token and "認證成功"
     * @throws AuthenticationException if authenticate() returns null
     */
    @Override
    public R login(String username, String password) throws AuthenticationException {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        // Hand the username/password to the configured authentication provider(s).
        Authentication authentication = authenticationManager.authenticate(token);
        // Decide success or failure from the returned object.
        if (authentication == null) {
            // authentication failed
            throw new AuthenticationException("用戶名或者密碼錯誤");
        }
        if (authentication.isAuthenticated()) {
            // authenticated: return code, msg and (placeholder) token
            return R.ok("token.............", "認證成功");
        }
        return null;
    }
}
package com.hl.springsecurity01.security;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    /** BCrypt encoder (default strength 10, matching the $2a$10$ hashes seen in the test class). */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Stateless, token-based filter chain: CSRF protection is switched off because the client is
     * expected to present a token rather than a session cookie, no HTTP session is created,
     * /login is open to anonymous callers and every other request requires authentication.
     * NOTE(review): a filter that validates the token on incoming requests is not registered
     * here yet, so nothing in this configuration turns a bearer token into an authenticated request.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests()
                // login endpoint: anonymous() admits only unauthenticated callers
                // (unlike permitAll(), an already-authenticated caller is refused)
                .antMatchers("/login").anonymous()
                // everything else needs an authenticated principal
                .anyRequest().authenticated();
    }

    /** Exposes the AuthenticationManager as a bean so LoginServiceImpl can inject it. */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
登錄成功時可以看到json返回;登錄失敗時沒有任何提示。
5、token字符串的生成
<!-- JSON Web Token library used by JwtUtil -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <!-- 0.9.1 is the legacy single-artifact line; later jjwt releases are split into several
         artifacts and, as far as I know, reject HMAC keys shorter than the algorithm's output,
         so upgrading would also require a proper key in JwtUtil -->
    <version>0.9.1</version>
</dependency>
JwtUtil工具類
package com.hl.springsecurity01.util;import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import java.util.Date;
import java.util.UUID;/*** JWT工具類*/
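/**
 * JWT helper: issues HS256-signed tokens and parses/verifies them with the same secret.
 */
public class JwtUtil {

    /** Default validity: one hour, in milliseconds. */
    public static final Long JWT_TTL = 60 * 60 * 1000L;

    /**
     * Base64 text of the signing secret.
     * NOTE(review): "test" decodes to only 3 bytes, so the HS256 MAC key is 24 bits long — far
     * below the 256 bits the algorithm expects — and it is committed in source. Replace it with
     * at least 32 random bytes supplied from configuration (environment variable / secrets store);
     * tokens signed with this value should be regarded as forgeable.
     */
    public static final String JWT_KEY = "test";

    /** Random, dash-free id used as the token's jti claim. */
    public static String getUUID() {
        return UUID.randomUUID().toString().replaceAll("-", "");
    }

    /**
     * Creates a token with the default TTL and a random jti.
     *
     * @param subject payload for the sub claim (may be JSON)
     * @return compact JWS string
     */
    public static String createJWT(String subject) {
        return getJwtBuilder(subject, null, getUUID()).compact();
    }

    /**
     * Creates a token with an explicit TTL and a random jti.
     *
     * @param subject   payload for the sub claim (may be JSON)
     * @param ttlMillis validity in milliseconds; {@code null} selects {@link #JWT_TTL}
     * @return compact JWS string
     */
    public static String createJWT(String subject, Long ttlMillis) {
        return getJwtBuilder(subject, ttlMillis, getUUID()).compact();
    }

    /**
     * Creates a token with caller-supplied jti, subject and TTL.
     *
     * @param id        value of the jti claim
     * @param subject   payload for the sub claim
     * @param ttlMillis validity in milliseconds; {@code null} selects {@link #JWT_TTL}
     * @return compact JWS string
     */
    public static String createJWT(String id, String subject, Long ttlMillis) {
        return getJwtBuilder(subject, ttlMillis, id).compact();
    }

    /** Assembles the claims; exp is the issue time plus ttl (defaulting to JWT_TTL). */
    private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
        SecretKey secretKey = generalKey();
        long nowMillis = System.currentTimeMillis();
        long ttl = (ttlMillis == null) ? JWT_TTL : ttlMillis;
        Date now = new Date(nowMillis);
        Date expDate = new Date(nowMillis + ttl);
        return Jwts.builder()
                .setId(uuid)                                   // jti
                .setSubject(subject)                           // sub, may be JSON
                .setIssuer("sg")                               // iss
                .setIssuedAt(now)                              // iat
                .signWith(SignatureAlgorithm.HS256, secretKey) // HMAC-SHA256 over header.payload
                .setExpiration(expDate);                       // exp
    }

    /**
     * Builds the HMAC key from {@link #JWT_KEY}.
     * The key spec is labelled "HmacSHA256" instead of the earlier "AES": the bytes are used as a
     * MAC secret, never for AES, and the JCA HMAC implementation reads only the encoded bytes, so
     * the signatures produced are unchanged.
     *
     * @return the (currently 3-byte, see the note on JWT_KEY) signing key
     */
    public static SecretKey generalKey() {
        byte[] encodedKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
        return new SecretKeySpec(encodedKey, 0, encodedKey.length, "HmacSHA256");
    }

    /**
     * Parses a compact JWS and returns its claims after jjwt has verified the signature and
     * expiry. parseClaimsJws refuses unsigned tokens; failures surface as jjwt's unchecked
     * JwtException subtypes, so the declared {@code Exception} is kept only for source compatibility.
     *
     * @param jwt compact token as received from the client
     * @return the verified claims
     * @throws Exception kept from the original signature
     */
    public static Claims parseJWT(String jwt) throws Exception {
        return Jwts.parser()
                .setSigningKey(generalKey())
                .parseClaimsJws(jwt)
                .getBody();
    }

    /**
     * Manual smoke test: issue a token and parse it straight back. The freshly created token is
     * parsed rather than a literal pasted into the source, because a literal expires one hour
     * after it was issued and the previous version of this main therefore always failed once
     * that hour had passed.
     */
    public static void main(String[] args) throws Exception {
        String token = createJWT("1");
        System.out.println(token);
        Claims claims = parseJWT(token);
        System.out.println(claims);
    }
}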
package com.hl.springsecurity01.service.impl;import com.hl.springsecurity01.domain.R;
import com.hl.springsecurity01.security.LoginUser;
import com.hl.springsecurity01.service.LoginService;
import com.hl.springsecurity01.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;import javax.security.sasl.AuthenticationException;@Service
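public class LoginServiceImpl implements LoginService {

    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * Authenticates the credentials through Spring Security and, on success, issues a JWT whose
     * subject is the user's id.
     *
     * @param username login name
     * @param password clear-text password
     * @return {@code R.ok(token, "認證成功")}
     * @throws AuthenticationException (javax.security.sasl, the type declared on LoginService)
     *         when the credentials are rejected or the result is not authenticated; previously a
     *         rejection escaped as Spring's unchecked exception and an unauthenticated result
     *         came back as {@code null}
     */
    @Override
    public R login(String username, String password) throws AuthenticationException {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        Authentication authentication;
        try {
            // Hand the username/password to the configured authentication provider(s).
            authentication = authenticationManager.authenticate(token);
        } catch (org.springframework.security.core.AuthenticationException e) {
            // Spring reports bad credentials by throwing, not by returning null; translate to the
            // checked type the interface declares and keep the cause for diagnostics. One generic
            // message for every failure so the response does not reveal whether the account exists.
            throw new AuthenticationException("用戶名或者密碼錯誤", e);
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            // Defensive: this path used to return null, which the controller would serialise as
            // an empty 200 response.
            throw new AuthenticationException("用戶名或者密碼錯誤");
        }
        // The principal is the LoginUser built by UserDetailsServiceImpl.
        LoginUser user = (LoginUser) authentication.getPrincipal();
        Long id = user.getSysUser().getId();
        // The JWT subject is the user id; expiry and signing are handled in JwtUtil.
        String jwt = JwtUtil.createJWT(String.valueOf(id));
        return R.ok(jwt, "認證成功");
    }
}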