devbox
小丑西瓜9
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

利用SpringSecurity和JWT实现mymes认证和授权(二)_if (username != null && securitycontextholder.getc

作者:小丑西瓜9 | 2024-03-18 12:10:08

if (username != null && securitycontextholder.getcontext().getauthentication

SpringBoot整合SpringSecurity和JWT实现mymes认证和授权(二)

接上一篇接上一篇,SpringSecurity的配置类相关依赖以及方法说明

  • configure(HttpSecurity httpSecurity):用于拦截url路径、JWT过滤和异常处理

  • configure(AuthenticationManagerBuilder auth):用于配置userDetailsService和PasswordEncoder

  • JwtAuthenticationTokenFilter:在用户名和密码前添加过滤器,若有token,会根据token自行登录

  • RestfulAccessDeniedHandler:在用户没有访问权限的时候,返回JSON格式的处理结果

  • RestAuthenticationEntryPoint:在token失效或者没有登录情况下,返回JSON格式处理结果

  • PasswordEncoder:SpringSecurity定义的用于对密码进行编码及比对的接口,目前使用的是BCryptPasswordEncoder;

  • IgnoreUrlsConfig:用于从application.yml中获取不需要安全保护的资源路径

  • UserDetailsService:SpringSecurity核心接口,获取用户信息

添加IgnoreUrlsConfig

  1. package com.cn.mymes.utils.config;/*
  2.  *Created by zbb on 2021/1/6
  3.  **/
  4.  
  5. import lombok.Getter;
  6. import lombok.Setter;
  7. import org.springframework.boot.context.properties.ConfigurationProperties;
  8.  
  9. import java.util.ArrayList;
  10. import java.util.List;
  11.  
  12. /**
  13.  * 用于配置不需要保护的资源路径
  14.  *
  15.  */
  16. @Getter
  17. @Setter
  18. @ConfigurationProperties(prefix = "secure.ignored")
  19. public class IgnoreUrlsConfig {
  20.  
  21.     private List<String> urls = new ArrayList<>();
  22.  
  23. }
  24.

在application.yml中配置下不需要安全保护的资源路径

  1. secure:
  2.   ignored:
  3.     urls: #安全路径白名单
  4.       - /swagger-ui.html
  5.       - /swagger-resources/**
  6.       - /swagger/**
  7.       - /**/v2/api-docs
  8.       - /**/*.js
  9.       - /**/*.css
  10.       - /**/*.png
  11.       - /**/*.ico
  12.       - /webjars/springfox-swagger-ui/**
  13.       - /actuator/**
  14.       - /druid/**
  15.       - /admin/login
  16.       - /admin/register
  17.       - /admin/info
  18.       - /admin/logout

添加Token过滤器JwtAuthenticationTokenFilter

  1. package com.cn.mymes.component;
  2.  
  3. import com.cn.mymes.utils.JwtTokenUtil;
  4. import org.slf4j.Logger;
  5. import org.slf4j.LoggerFactory;
  6. import org.springframework.beans.factory.annotation.Autowired;
  7. import org.springframework.beans.factory.annotation.Value;
  8. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  9. import org.springframework.security.core.context.SecurityContextHolder;
  10. import org.springframework.security.core.userdetails.UserDetails;
  11. import org.springframework.security.core.userdetails.UserDetailsService;
  12. import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
  13. import org.springframework.web.filter.OncePerRequestFilter;
  14.  
  15. import javax.servlet.FilterChain;
  16. import javax.servlet.ServletException;
  17. import javax.servlet.http.HttpServletRequest;
  18. import javax.servlet.http.HttpServletResponse;
  19. import java.io.IOException;
  20. /**
  21.  *token登录过滤器
  22.  *
  23.  */
  24. public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
  25.     private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
  26.     @Autowired
  27.     private UserDetailsService userDetailsService;
  28.     @Autowired
  29.     private JwtTokenUtil jwtTokenUtil;
  30.     @Value("${jwt.tokenHeader}")
  31.     private String tokenHeader;
  32.     @Value("${jwt.tokenHead}")
  33.     private String tokenHead;
  34.  
  35.     @Override
  36.     protected void doFilterInternal(HttpServletRequest request,
  37.                                     HttpServletResponse response,
  38.                                     FilterChain chain) throws ServletException, IOException {
  39.         String authHeader = request.getHeader(this.tokenHeader);
  40.         if (authHeader != null && authHeader.startsWith(this.tokenHead)) {
  41.             String authToken = authHeader.substring(this.tokenHead.length());// The part after "Bearer "
  42.             String username = jwtTokenUtil.getUserNameFromToken(authToken);
  43.             LOGGER.info("checking username:{}", username);
  44.             if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
  45.                 UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
  46.                 if (jwtTokenUtil.validateToken(authToken, userDetails)) {
  47.                     UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
  48.                     authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
  49.                     LOGGER.info("authenticated user:{}", username);
  50.                     SecurityContextHolder.getContext().setAuthentication(authentication);
  51.                 }
  52.             }
  53.         }
  54.         chain.doFilter(request, response);
  55.     }
  56. }

添加无权访问时RestfulAccessDeniedHandler方法

  1. package com.cn.mymes.component;
  2.  
  3. import cn.hutool.json.JSONUtil;
  4. import com.cn.mymes.common.CommonResult;
  5. import org.springframework.security.access.AccessDeniedException;
  6. import org.springframework.security.web.access.AccessDeniedHandler;
  7.  
  8. import javax.servlet.ServletException;
  9. import javax.servlet.http.HttpServletRequest;
  10. import javax.servlet.http.HttpServletResponse;
  11. import java.io.IOException;
  12. /**
  13.  *在没有权限访问时,返回自定义JSON格式结果
  14.  */
  15. public class RestfulAccessDeniedHandler implements AccessDeniedHandler{
  16.     @Override
  17.     public void handle(HttpServletRequest request,
  18.                        HttpServletResponse response,
  19.                        AccessDeniedException e) throws IOException, ServletException {
  20.         response.setHeader("Access-Control-Allow-Origin""*");
  21.         response.setHeader("Cache-Control","no-cache");
  22.         response.setCharacterEncoding("UTF-8");
  23.         response.setContentType("application/json");
  24.         response.getWriter().println(JSONUtil.parse(CommonResult.forbidden(e.getMessage())));
  25.         response.getWriter().flush();
  26.     }
  27. }

添加未登录或者登录过期返回自定义结果的RestAuthenticationEntryPoint方法

  1. package com.cn.mymes.component;
  2.  
  3.  
  4. import cn.hutool.json.JSONUtil;
  5. import com.cn.mymes.common.CommonResult;
  6. import org.springframework.security.core.AuthenticationException;
  7. import org.springframework.security.web.AuthenticationEntryPoint;
  8.  
  9. import javax.servlet.ServletException;
  10. import javax.servlet.http.HttpServletRequest;
  11. import javax.servlet.http.HttpServletResponse;
  12. import java.io.IOException;
  13. /**
  14.  * 未登录或者登录过期时,返回自定义JSON格式
  15.  */
  16. public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
  17.     @Override
  18.     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
  19.         response.setHeader("Access-Control-Allow-Origin""*");
  20.         response.setHeader("Cache-Control","no-cache");
  21.         response.setCharacterEncoding("UTF-8");
  22.         response.setContentType("application/json");
  23.         response.getWriter().println(JSONUtil.parse(CommonResult.unauthorized(authException.getMessage())));
  24.         response.getWriter().flush();
  25.     }
  26. }

添加SpringSecurity核心接口,获取用户信息

  1. package com.cn.mymes.domain;
  2.  
  3.  
  4.  
  5.  
  6. import com.cn.mymes.mgb.model.UmsAdmin;
  7. import com.cn.mymes.mgb.model.UmsResource;
  8. import org.springframework.security.core.GrantedAuthority;
  9. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  10. import org.springframework.security.core.userdetails.UserDetails;
  11.  
  12. import java.util.Collection;
  13. import java.util.List;
  14. import java.util.stream.Collectors;
  15.  
  16. /**
  17.  * SpringSecurity核心,获取用户信息
  18.  *
  19.  */
  20. public class AdminUserDetails implements UserDetails {
  21.     private UmsAdmin umsAdmin;
  22.     private List<UmsResource> resourceList;
  23.     public AdminUserDetails(UmsAdmin umsAdmin, List<UmsResource> resourceList) {
  24.         this.umsAdmin = umsAdmin;
  25.         this.resourceList = resourceList;
  26.     }
  27.  
  28.     @Override
  29.     public Collection<? extends GrantedAuthoritygetAuthorities() {
  30.         //返回当前用户的角色
  31.         return resourceList.stream()
  32.                 .map(role ->new SimpleGrantedAuthority(role.getId()+":"+role.getName()))
  33.                 .collect(Collectors.toList());
  34.     }
  35.  
  36.     @Override
  37.     public String getPassword() {
  38.         return umsAdmin.getPassword();
  39.     }
  40.  
  41.     @Override
  42.     public String getUsername() {
  43.         return umsAdmin.getUsername();
  44.     }
  45.  
  46.     @Override
  47.     public boolean isAccountNonExpired() {
  48.         return true;
  49.     }
  50.  
  51.     @Override
  52.     public boolean isAccountNonLocked() {
  53.         return true;
  54.     }
  55.  
  56.     @Override
  57.     public boolean isCredentialsNonExpired() {
  58.         return true;
  59.     }
  60.  
  61.     @Override
  62.     public boolean isEnabled() {
  63.         return umsAdmin.getStatus().equals(1);
  64.     }
  65. }

明天讲MyMes中SpringSecurity项目权限管理中动态管理部分的实现

公众号https://mp.weixin.qq.com/s/nfat2WWWUXdmfUGFBAVEuA

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小丑西瓜9/article/detail/262948
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号