devbox
盐析白兔
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

SpringBoot 集成 SpringSecurity+JWT_springboot security jwt

作者:盐析白兔 | 2024-05-06 23:16:21

springboot security jwt

SpringSecurity,JWT简介

1.什么是SpringSecurity

SpringSecurity是一个功能强大且高度可定制的身份验证和访问控制框架,提供了完善的认证机制和方法级的授权功能,是一款非常优秀的权限管理框架,他的核心是一组过滤链,不同的功能经由不同的过滤器

2.什么是JWT

Json Web Token(JWT) 是为了在网络应用环境间传递声明而执行的一种基于json的开放标准(RFC 7519),token设计为紧凑且安全,特别适用于分布式站点的单点登录(SSO)场景

jwt实际是一个字符串,由头部,载荷,签名组成,用[.]分隔,在服务器直接根据token取出保存的用户信息,即可对token的可用性进行校验,使得单点登录更简单

SpringBoot 集成 SpringSecurity+JWT步骤

1.项目结构

 2.数据库和实体类以及准备【注意:】为了方便只用了两张表,实体类省略

users表:

  1. DROP TABLE IF EXISTS `users`;
  2. CREATE TABLE `users`  (
  3.   `user_id` int NOT NULL AUTO_INCREMENT,
  4.   `user_name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NULL DEFAULT NULL,
  5.   `user_pwd` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NULL DEFAULT NULL,
  6.   PRIMARY KEY (`user_id`) USING BTREE
  7. ) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_bin ROW_FORMAT = Dynamic;

role表:

  1. DROP TABLE IF EXISTS `role`;
  2. CREATE TABLE `role`  (
  3.   `id` int NOT NULL AUTO_INCREMENT,
  4.   `user_id` int NULL DEFAULT NULL,
  5.   `name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NULL DEFAULT NULL,
  6.   PRIMARY KEY (`id`) USING BTREE
  7. ) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_bin ROW_FORMAT = Dynamic;

3.创建UserDetailsServiceImpl,编写登录操作

  1. package cn.zb.security.service.impl;
  2.  
  3. import cn.zb.security.entity.Role;
  4. import cn.zb.security.entity.Users;
  5. import cn.zb.security.service.RoleService;
  6. import cn.zb.security.service.UsersService;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  9. import org.springframework.security.core.userdetails.User;
  10. import org.springframework.security.core.userdetails.UserDetails;
  11. import org.springframework.security.core.userdetails.UserDetailsService;
  12. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  13. import org.springframework.stereotype.Service;
  14.  
  15. import java.util.ArrayList;
  16. import java.util.List;
  17.  
  18. @Service
  19. public class UserDetailsServiceImpl implements UserDetailsService {
  20.     @Autowired
  21.     private UsersService usersService;
  22.  
  23.     @Autowired
  24.     private RoleService roleService;
  25.  
  26.     /**
  27.      * 用户登录
  28.      * @param s 获取到的UserName,
  29.      * @return user 返回的是org.springframework.security.core.userdetails.User;
  30.      * @throws UsernameNotFoundException
  31.      */
  32.     @Override
  33.     public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
  34.         if (s==null || "".equals("s")){
  35.             throw new RuntimeException("用户不能为空");
  36.         }
  37.         //根据用户名查询对象
  38.         Users user = usersService.findUserByUserName(s);
  39.         if (user==null){
  40.             throw new RuntimeException("用户不存在");
  41.         }
  42.         List<SimpleGrantedAuthority> authorities=new ArrayList<>();
  43.         //根据userId获取Role对象
  44.         List<Role> roles = roleService.findRoleByUserId(user.getUserId());
  45.         for (Role role:roles) {
  46.             authorities.add(new SimpleGrantedAuthority("ROLE_"+role.getName()));
  47.         }
  48.         //这里没有对用户密码进行判断,将数据库中查到的密码封装到了对象中,在WebSecurityConfig中configure()方法中,User进行了验证,
  49.         //前端传递的密码是明文,数据中存的是暗文,需要对前端传递的密码加密,进行验证,加密方法是new BCryptPasswordEncoder().encode("pwd")
  50.         return new User(user.getUserName(),user.getUserPwd(),authorities);
  51.     }
  52. }

4.创建JwtUtils工具类,做token的生成和校验

  1. package cn.zb.security.util;
  2.  
  3. import io.jsonwebtoken.Claims;
  4. import io.jsonwebtoken.Jwts;
  5. import io.jsonwebtoken.SignatureAlgorithm;
  6.  
  7. import java.util.Date;
  8. import java.util.HashMap;
  9.  
  10. public class JwtUtils {
  11.     public static final String TOKEN_HEADER="Authorization"; //token请求头
  12.     public static final String TOKEN_PREFIX="Bearer";//token前缀
  13.     public static final long EXPIRATION=60*60*1000; //token有效期
  14.     public static final String SUBJECT="piconjo"; //签名主题
  15.     public static final String HEADER_STRING="Passport"; //配置token在http heads中的键值
  16.     public static final String APPSECRET_KEY="piconjo_secret"; //应用密钥
  17.     public static final String ROLE_CLAIMS="role"; //角色权限声明
  18.  
  19.     //生成token
  20.     public static String createToken(String username,String role){
  21.         HashMap<String, Object> map = new HashMap<>();
  22.         map.put(ROLE_CLAIMS,role);
  23.         String token=Jwts.builder()
  24.                         .setSubject(username)
  25.                         .setClaims(map)
  26.                         .claim("username",username)
  27.                         .setIssuedAt(new Date())
  28.                         .setExpiration(new Date(System.currentTimeMillis()+EXPIRATION))
  29.                         .signWith(SignatureAlgorithm.HS512,APPSECRET_KEY)
  30.                         .compact();
  31.         return token;
  32.     }
  33.  
  34.     //校验token
  35.     public static Claims checkJWT(String token){
  36.        try{
  37.            Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
  38.            return claims;
  39.        }catch (Exception e){
  40.            e.printStackTrace();
  41.            return null;
  42.        }
  43.     }
  44.  
  45.     //从Token中获取username
  46.     public static String getUsername(String token){
  47.         Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
  48.         return claims.get("username").toString();
  49.     }
  50.  
  51.     //从Token中获取用户角色
  52.     public static String getUserRole(String token){
  53.         Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
  54.         return claims.get("role").toString();
  55.     }
  56.  
  57.     //校验Token是否过期
  58.     public static boolean isExpiration(String token){
  59.         Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
  60.         return claims.getExpiration().before(new Date());
  61.     }
  62. }

5.创建拦截器JWTAuthenticationFilter

springsercurity对UserDetailsServiceImpl返回的user进行验证,验证成功则生成token,失败则返回失败信息

  1. package cn.zb.security.util;
  2. import com.alibaba.fastjson.JSON;
  3. import org.springframework.security.authentication.*;
  4. import org.springframework.security.core.Authentication;
  5. import org.springframework.security.core.AuthenticationException;
  6. import org.springframework.security.core.GrantedAuthority;
  7. import org.springframework.security.core.userdetails.User;
  8. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  9.  
  10. import javax.servlet.FilterChain;
  11. import javax.servlet.ServletException;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletResponse;
  14. import java.io.IOException;
  15. import java.util.Collection;
  16.  
  17.  
  18. public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
  19.     private AuthenticationManager authenticationManager;
  20.  
  21.     public JWTAuthenticationFilter (AuthenticationManager authenticationManager) {
  22.         this.authenticationManager = authenticationManager;
  23.         //默认的登录路径是/login,post请求
  24.         super.setFilterProcessesUrl("/api/login");
  25.     }
  26.  
  27.     //验证操作, 接受并解析用户凭证
  28.     @Override
  29.     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  30.         //从输入流中获取到登录的信息
  31.         //创建一个token并条用authenticationManager.authenticate 让Spring Security进行验证
  32.         return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(
  33.                 request.getParameter("username"),request.getParameter("password")));
  34.     }
  35.  
  36.     /**
  37.      * 验证【成功】后调用的方法
  38.      * 若验证成功 生成token并返回
  39.      */
  40.     @Override
  41.     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException {
  42.         User user= (User) authResult.getPrincipal();
  43.         System.out.println(user.toString());
  44.         // 从User中获取权限信息
  45.         Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
  46.         // 创建Token
  47.         String token = JwtUtils.createToken(user.getUsername(), authorities.toString());
  48.  
  49.         // 设置编码 防止乱码问题
  50.         response.setCharacterEncoding("UTF-8");
  51.         response.setContentType("application/json; charset=utf-8");
  52.         // 在请求头里返回创建成功的token
  53.         // 设置请求头为带有"Bearer "前缀的token字符串
  54.         response.setHeader("token", JwtUtils.TOKEN_PREFIX + token);
  55.         // 处理编码方式 防止中文乱码
  56.         response.setContentType("text/json;charset=utf-8");
  57.         // 将反馈塞到HttpServletResponse中返回给前台
  58.         response.getWriter().write(JSON.toJSONString("登录成功"));
  59.     }
  60.     /**
  61.      * 验证【失败】调用的方法
  62.      */
  63.     @Override
  64.     protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
  65.         String returnData="";
  66.         // 账号过期
  67.         if (failed instanceof AccountExpiredException) {
  68.             returnData="账号过期";
  69.         }
  70.         // 密码错误
  71.         else if (failed instanceof BadCredentialsException) {
  72.             returnData="密码错误";
  73.         }
  74.         // 密码过期
  75.         else if (failed instanceof CredentialsExpiredException) {
  76.             returnData="密码过期";
  77.         }
  78.         // 账号不可用
  79.         else if (failed instanceof DisabledException) {
  80.             returnData="账号不可用";
  81.         }
  82.         //账号锁定
  83.         else if (failed instanceof LockedException) {
  84.             returnData="账号锁定";
  85.         }
  86.         // 用户不存在
  87.         else if (failed instanceof InternalAuthenticationServiceException) {
  88.             returnData="用户不存在";
  89.         }
  90.         // 其他错误
  91.         else{
  92.             returnData="未知异常";
  93.         }
  94.  
  95.         // 处理编码方式 防止中文乱码
  96.         response.setContentType("text/json;charset=utf-8");
  97.         // 将反馈塞到HttpServletResponse中返回给前台
  98.         response.getWriter().write(JSON.toJSONString(returnData));
  99.     }
  100. }

6.创建拦截器JWTAuthorizationFilter

对前端传递的请求拦截,取出里面的token做token校验,获取UsernamePasswordAuthenticationToken对象返回springsecurity,进行相关的角色判断

  1. package cn.zb.security.util;
  2.  
  3. import org.apache.commons.lang3.StringUtils;
  4. import org.springframework.security.authentication.AuthenticationManager;
  5. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  6. import org.springframework.security.core.Authentication;
  7. import org.springframework.security.core.AuthenticationException;
  8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  9. import org.springframework.security.core.context.SecurityContextHolder;
  10. import org.springframework.security.web.AuthenticationEntryPoint;
  11. import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
  12.  
  13. import javax.servlet.FilterChain;
  14. import javax.servlet.ServletException;
  15. import javax.servlet.http.HttpServletRequest;
  16. import javax.servlet.http.HttpServletResponse;
  17. import java.io.IOException;
  18. import java.util.ArrayList;
  19. import java.util.List;
  20.  
  21. public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
  22.  
  23.     private AuthenticationManager authenticationManager;
  24.  
  25.     public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
  26.         super(authenticationManager);
  27.     }
  28.  
  29.     @Override
  30.     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
  31.  
  32.         String tokenHeader=request.getHeader(JwtUtils.TOKEN_HEADER);
  33.         //因为设置拦截全部请求,所有这里没有token放行之后是会返回没有登录
  34.         if (tokenHeader==null || !tokenHeader.startsWith(JwtUtils.TOKEN_PREFIX)){
  35.             chain.doFilter(request,response);
  36.             return;
  37.         }
  38.         //若请求头中由token,则调用下面的方法进行解析,并设置认证信息
  39.         SecurityContextHolder.getContext().setAuthentication(getAuthentication(tokenHeader));
  40.         super.doFilterInternal(request,response,chain);
  41.     }
  42.  
  43.     public UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader){
  44.         //去掉前缀,获取token字符串
  45.         String token = tokenHeader.replace(JwtUtils.TOKEN_PREFIX, "");
  46.         //从token中解密获取用户用户名
  47.         String username=JwtUtils.getUsername(token);
  48.         //从token中解密获取用户角色
  49.         String role=JwtUtils.getUserRole(token);
  50.         String[] roles = StringUtils.strip(role, "[]").split(",");
  51.         List<SimpleGrantedAuthority> authorities=new ArrayList<>();
  52.         for (String s : roles) {
  53.             authorities.add(new SimpleGrantedAuthority(s));
  54.         }
  55.         if (username!=null){
  56.             //这里像SpringSecurity声明用户角色,做相关操作放行
  57.             return new UsernamePasswordAuthenticationToken(username,null,authorities);
  58.         }
  59.         return null;
  60.     }
  61. }

7.创建WebSecurityConfig配置类,对springsecurity进行相关配置

  1. package cn.zb.security.config;
  2.  
  3.  
  4. import cn.zb.security.util.JWTAuthenticationEntryPoint;
  5. import cn.zb.security.util.JWTAuthenticationFilter;
  6. import cn.zb.security.util.JWTAuthorizationFilter;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.beans.factory.annotation.Qualifier;
  9. import org.springframework.context.annotation.Bean;
  10. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  12. import org.springframework.security.config.annotation.web.builders.WebSecurity;
  13. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  14. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  15. import org.springframework.security.config.http.SessionCreationPolicy;
  16. import org.springframework.security.core.userdetails.UserDetailsService;
  17. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  18. import org.springframework.security.crypto.password.PasswordEncoder;
  19. import org.springframework.web.cors.CorsConfiguration;
  20. import org.springframework.web.cors.CorsConfigurationSource;
  21. import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
  22.  
  23. @EnableWebSecurity
  24. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  25.  
  26.     @Autowired
  27.     @Qualifier("userDetailsServiceImpl")
  28.     private UserDetailsService userDetailsService;
  29.  
  30.     @Override
  31.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  32.         auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
  33.     }
  34.  
  35.     /**
  36.      * 安全配置
  37.      */
  38.     @Override
  39.     protected void configure(HttpSecurity http) throws Exception {
  40.         http.cors()
  41.                 .and()
  42.                 //跨域伪造请求限制无效
  43.                 .csrf().disable()
  44.                 .authorizeRequests()
  45.                 //访问/data路径下的请求需要admin
  46.                 .antMatchers("/data/**").hasRole("admin")
  47.                 //拦截所有请求
  48.                 .antMatchers("/").authenticated()
  49.                 //对登录做放行,生成token
  50.                 .antMatchers("/api/login").permitAll()
  51.                 .and()
  52.                 //添加jwt登录拦截器
  53.                 .addFilter(new JWTAuthenticationFilter(authenticationManager()))
  54.                 //添加jwt鉴权拦截器
  55.                 .addFilter(new JWTAuthorizationFilter(authenticationManager()))
  56.                 .sessionManagement()
  57.                 //关闭session
  58.                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  59.                 .and()
  60.                 //异常处理
  61.                 .exceptionHandling()
  62.                 .authenticationEntryPoint(new JWTAuthenticationEntryPoint());
  63.  
  64.     }
  65.  
  66.     //使用BCryptPasswordEncoder密码加密
  67.     @Bean
  68.     public PasswordEncoder passwordEncoder() {
  69.         return new BCryptPasswordEncoder();
  70.     }
  71.  
  72.     //跨域配置
  73.     @Bean
  74.     CorsConfigurationSource corsConfigurationSource(){
  75.         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  76.         //注册跨域配置
  77.         source.registerCorsConfiguration("/**",new CorsConfiguration().applyPermitDefaultValues());
  78.         return source;
  79.     }
  80.  
  81.     //静态资源放行
  82.     @Override
  83.     public void configure(WebSecurity web) {
  84.         // 设置拦截忽略文件夹,可以对静态资源放行
  85.         //web.ignoring().antMatchers("/images/**");
  86.     }
  87. }

8.创建Controller类,进行代码测试

我们在WebSecurityConfig 配置过,想要访问/data下的方法需要用户拥有admin角色

  1. package cn.zb.security.controller;
  2.  
  3. import org.springframework.web.bind.annotation.GetMapping;
  4. import org.springframework.web.bind.annotation.RequestMapping;
  5. import org.springframework.web.bind.annotation.RestController;
  6.  
  7. @RestController
  8. @RequestMapping("/data")
  9. public class UserController {
  10.     @GetMapping("/test")
  11.     private String data() {
  12.         return "访问成功";
  13.     }
  14. }

9.操作截图

用admin和as两个用户,其中as是没有admin权限的

 

 本文做记录使用,参考了其他博主

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/盐析白兔/article/detail/546360
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号