一、使用security默认登录接口登录成功、生成token、返回前段
项目的结构如下:
1.引入jar包
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<!-- alibaba json -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.41</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- JWT -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.7.0</version>
</dependency>
<!--swagger相关-start-->
<dependency>
<groupId>io.swagger</groupId>
<artifactId>swagger-annotations</artifactId>
<version>1.5.19</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
<!--swagger相关-end-->测试的用户实体
@Data
public class User {
private String id;
private String name;
private String password;
private boolean dev;
private boolean channel;
public User() {
}
public User(String id, String name, String password) {
this.id = id;
this.name = name;
this.password = password;
}
}Jwt生成token,拦截和验证token的合法性
package com.example.security.Jwt;
import com.example.security.token.TokenManager;
import com.example.security.util.SpringContextUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
/**
* Created by zhicheng.zhao on 2020/9/4.
*/
public class JwtAuthFilter extends BasicAuthenticationFilter {
private TokenManager tokenManager;
public JwtAuthFilter(AuthenticationManager authenticationManager, TokenManager tokenManager) {
super(authenticationManager);
this.tokenManager = tokenManager;
}
/**
* 过滤器
*
* @param request
* @param response
* @param chain
* @throws IOException
* @throws ServletException
*/
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
// 设置请求权限
response.setHeader("Access-Control-Allow-Origin", request.getHeader("origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "PUT,POST,GET,OPTIONS,DELETE,PATCH");
response.setHeader("Access-Control-Allow-Headers", "tokenId,userType,token,Origin,X-Requested-With,Content-Type,Accept,appKey,hszCookie");
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json,charset=utf-8");
String url = request.getRequestURI();
// 鉴权判断:本地环境模拟管理员权限,其他环境需要根据url鉴权 zzc
System.out.println(SpringContextUtil.getProp("authVerify"));
if (SpringContextUtil.getProp("authVerify")==null?false:SpringContextUtil.getProp("authVerify").equalsIgnoreCase("false1")) {
// 本地环境,存储用户认证信息
String tokenTmp = tokenManager.createTokenAll("test");
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(tokenTmp);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request, response);
return;
} else if (urlFilter(url)) {
chain.doFilter(request, response);
return;
}
// 过滤token为空
String token = request.getHeader("token");
if (token == null || "".equals(token)) {
response.setHeader("Content-Type", "application/json");
response.getWriter().print("token为空!");
return;
}
// 从token获取用户认证信息
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(token);
if (authenticationToken == null) {
response.setHeader("Content-Type", "application/json");
response.getWriter().print("token信息错误!");
return;
}
// 存储用户认证信息
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request, response);
}
/**
* 不需要token的地址:
* 用户名登录/手机登录/第三方登录/微信登录
* 注册
* 登录前(authFree)
*
* @param url
* @return
*/
private boolean urlFilter(String url) {
return url.contains("/login")
|| url.contains("Login")
|| url.contains("/regist")
|| url.contains("Regist")
|| url.contains("/authFree");
}
/**
* 从token获取用户认证信息
*
* @param token
* @return
*/
private UsernamePasswordAuthenticationToken getAuthentication(String token) {
try {
Claims claims = Jwts.parser()
.setSigningKey("JwtSecret")
.parseClaimsJws(token)
.getBody();
String user = claims.getSubject();
String role = claims.get("roles").toString();
List<SimpleGrantedAuthority> userRolesByToken = Arrays.stream(role.split(","))
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
if (!user.isEmpty()) {
return new UsernamePasswordAuthenticationToken(user, null, userRolesByToken);
}
} catch (Exception e) {
logger.info(e.getMessage());
}
return null;
}
}查询数据库用户信息的服务
@Service
public class UserService {
/**
* @Description: 这里应该写的是调用Dao层,根据主键查询出用户,由于我没有配置直接返回用户,注意,密码是经过加密的
* @author: YunZhao.Wang
* @date: 2020/10/21 10:26
* @version:
*/
public User getUser(String name){
User user = new User("1","test", new BCryptPasswordEncoder().encode("123")) ;
if (user.getName().equals(name)){
return user;
}else {
return new User();
}
}
}实现security底层查询用户信息的接口,让security的底层查询数据的用户信息
@Service
public class CustomUserService implements UserDetailsService {
@Autowired
private UserService userService;
@Override
public UserDetails loadUserByUsername(String account) throws UsernameNotFoundException {
//账号信息
com.example.security.model.User accountInfo = userService.getUser(account);
if (accountInfo == null)
throw new UsernameNotFoundException("Account[" + account + "]not found");
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
//对应的权限添加
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User(accountInfo.getName(), accountInfo.getPassword(), authorities);
}
}集成 WebSecurityConfigurerAdapter,重写configure接口
package com.example.security.security;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.example.security.Jwt.JwtAuthFilter;
import com.example.security.model.User;
import com.example.security.token.TokenManager;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @program: security进行登录
* @description: Security
* @author: YunZhao.Wang
* @create: 2020-10-21 10:29
**/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserService customUserService;
@Autowired
private TokenManager tokenManager;
@Override
public void configure(HttpSecurity http) throws Exception {
//关闭csrf保护
http.csrf().disable();
// 无状态
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 添加filter
http.addFilterBefore(new JwtAuthFilter(authenticationManager(), tokenManager), UsernamePasswordAuthenticationFilter.class);
//登陆
http.formLogin().successHandler(loginSuccessHandler()).failureHandler(loginFailureHandler())
.permitAll();
// 无拦截
http.authorizeRequests().anyRequest().permitAll();
//退出
http.logout().logoutSuccessUrl("/login")
.permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserService).passwordEncoder(passwordEncoder());
}
/**
* 密码加密
*
* @return
*/
@Bean
public BCryptPasswordEncoder passwordEncoder() {
//密码加密
return new BCryptPasswordEncoder(4);
}
/**
* 登录成功
*
* @return
*/
@Bean
AuthenticationSuccessHandler loginSuccessHandler() {
return new AuthenticationSuccessHandler() {
@Autowired
private UserService userService;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException, ServletException {
String account = request.getParameter("username");
String token = tokenManager.createTokenBusiness(account);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json,charset=utf-8");
response.getWriter().print("登录成功!token:" + token);
}
};
}
/**
* 登录失败
*
* @return
*/
@Bean
AuthenticationFailureHandler loginFailureHandler() {
return new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
// Result result = new Result(ExceptionEnum.LOGIN_ERROR.getErrorCode(), ExceptionEnum.LOGIN_ERROR.getErrorMsg());
// response.setHeader("Content-Type", "application/json");
response.getWriter().print("登录失败!");
}
};
}
/**
* 静态资源配置
*
* @param web
* @throws Exception
*/
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/swagger-ui.html")
.antMatchers("/webjars/**")
.antMatchers("/v2/**")
.antMatchers("/swagger-resources/**");
}
}token工具类
package com.example.security.token;
import com.example.security.model.User;
import com.example.security.security.UserService;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
/**
* Created by zhangnianzhong on 2019/8/27.
*/
@Component("tokenManager")
public class TokenManager {
private static Logger logger = LoggerFactory.getLogger(TokenManager.class);
@Autowired
private UserService accountService;
public String createToken(String userId) {
long expire_time = 1000 * 60 * 60 * 12;
String token = Jwts.builder()
.setSubject(userId)
.setExpiration(new Date(System.currentTimeMillis() + expire_time))
.signWith(SignatureAlgorithm.HS512, "JwtSecret")
.compact();
return token;
}
/**
* B端用户权限
*
* @param userName
* @return
*/
public String createTokenBusiness(String userName) {
long expireTime = 1000 * 60 * 60 * 12; //过期时间为12小时
User account = accountService.getUser(userName);
List<String> list= new ArrayList<>();
//因为用户没有设置管理权限,故默认都是ROLE_00权限,在接口加注解包含00,即是管理员权限的接口
if (account.isDev()) {
list.add("ROLE_01");
}
if (account.isChannel()) {
list.add("ROLE_02");
}
if (!account.isChannel() && !account.isDev()) {
list.add("ROLE_00");
}
String token = Jwts.builder()
.signWith(SignatureAlgorithm.HS512, "JwtSecret")
.claim("roles", String.join(",", list))
.setSubject(userName)
.setExpiration(new Date(System.currentTimeMillis() + expireTime))
.compact();
return token;
}
/**
* 模拟所有用户权限
*
* @param userName
* @return
*/
public String createTokenAll(String userName) {
long expireTime = 1000 * 60 * 60 * 12;
List<String> list= new ArrayList<>();
list.add("ROLE_00");
list.add("ROLE_01");
list.add("ROLE_02");
list.add("ROLE_10");
list.add("ROLE_11");
String token = Jwts.builder()
.signWith(SignatureAlgorithm.HS512,"JwtSecret")
.claim("roles", String.join(",", list))
.setSubject(userName)
.setExpiration(new Date(System.currentTimeMillis() + expireTime))
.compact();
return token;
}
public String getRoles(String token) {
try {
Claims claims = Jwts.parser()
.setSigningKey("JwtSecret")
.parseClaimsJws(token)
.getBody();
String roles = claims.get("roles").toString();
return roles;
} catch (Exception e) {
logger.info(e.getMessage());
}
return null;
}
}获取当前的环境
@Component
public class SpringContextUtil implements ApplicationContextAware {
private static ApplicationContext context = null;
@Override
public void setApplicationContext(ApplicationContext applicationContext)
throws BeansException {
this.context = applicationContext;
}
// 传入线程中
public static <T> T getBean(String beanName) {
return (T) context.getBean(beanName);
}
// 国际化使用
public static String getMessage(String key) {
return context.getMessage(key, null, Locale.getDefault());
}
/// 获取当前环境
public static String getActiveProfile() {
return context.getEnvironment().getActiveProfiles()[0];
}
/// 获取当前环境
public static String getProp(String prop) {
return context.getEnvironment().getProperty(prop);
}
}swagger配置文件
@Configuration
@EnableSwagger2
//@Profile({"test","dev","prod"})
public class Swagger2 {
@Bean
public Docket createRestApi() {
return new Docket(DocumentationType.SWAGGER_2)
.apiInfo(apiInfo())
.select()
.apis(RequestHandlerSelectors.basePackage("com.example.security.provider.controller"))
.paths(PathSelectors.any())
.build()
.globalOperationParameters(setHeaderToken());
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder()
.title("权限版本二-V1-APIs")
.description("")
.termsOfServiceUrl("")
.version("1.0")
.build();
}
// 添加token验证
private List<Parameter> setHeaderToken() {
ParameterBuilder tokenPar = new ParameterBuilder();
List<Parameter> pars = new ArrayList<>();
tokenPar.name("token").description("token").modelRef(new ModelRef("string")).parameterType("header").required(false).build();
pars.add(tokenPar.build());
return pars;
}
}controller接口
@RestController
@Api(tags = {"用户管理"},description = "带接口鉴权的用户管理接口")
public class UserController {
@PreAuthorize("hasAnyRole('00')")
@GetMapping("getUser")
@ApiOperation(value = "获取用户",notes = "获取用户")
public User getUser(){
return new User("3","ceshi","789");
}
}配置文件
server.port= 10010之后我们可以使用postman进行测试,使用security自带的login接口,是psot请求
二、请求头带上token访问后端接口
之后我们使用返回的token访问获取用户的接口,打开swagger接口(http://localhost:10010/swagger-ui.html),
因为默认都是00的权限,登录我是写死的,返回的一定也是00的权限,为了测试,我们修改获取用户借口中的注解参数
再次访问,出现403错误,无权限访问,现在的token是非00生成的,所以只能权限为非00的访问,这个返回结果我没有定义全局的异常处理,大家可以对异常进行再一次的封装
实例的连接
链接: https://pan.baidu.com/s/10ibBRxHEWakoENNBsvRALA 提取码: cd7u 复制这段内容后打开百度网盘手机App,操作更方便哦
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
