热门标签
热门文章
- 1ROS2中用MoveIt2控制自己的舵机机械手(3)_ros2 moveit2
- 2idea配置mybatis 和 mapper xml模板_mybatis 设置 mapper.xml
- 3华为---USG6000V防火墙web基本配置示例
- 4flinkcdc 原理 + 实践
- 5全面解析RNN,LSTM,Seq2Seq,Attention注意力机制_rnn编码器最后输出的是什么
- 6Debezium vs OGG vs Tapdata:如何实时同步 Oracle 数据到 Kafka 消息队列?_debezium替换ogg
- 7微信小程序获取当前时间以及获取星期几_小程序 当前时间
- 8浙大Python 第4章-7 统计学生平均成绩与及格人数 (15 分)_7-2 统计一批学生的平均成绩与不及格人数 分数 15 作者 颜晖 单位 浙大城市学院
- 9Flink+StarRocks 实时数据分析新范式_flink starrocks
- 10Android Rust JNI系列教程(一) 环境配置_aarch64-linux-android-ar
当前位置: article > 正文
springboot3探索日记(3)——Security6配置_springboot3 security6
作者:繁依Fanyi0 | 2024-04-25 09:48:42
赞
踩
springboot3 security6
springboot版本:3.2.0
jdk版本:21
security,跟随boot版本。
- <dependency>
- <groupId>org.springframework.boot</groupId>
- <artifactId>spring-boot-starter-security</artifactId>
- </dependency>
Security6相比Security5及之前的版本,在配置上做出了断层式的改变。和之前继承WebSecurityConfigurerAdapter相比,现在种种配置都是以bean的形式呈现的。
- @Slf4j
- @EnableWebSecurity
- @Configuration
- @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
- public class SecurityConfig {
-
- // 白名单
- @Value("#{'${config.security.white-list}'.split(',')}")
- private String[] whiteList;
-
- @Resource
- private AuthenticationTokenFilter authenticationTokenFilter;
-
- @Bean
- public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
- return httpSecurity
- .authorizeHttpRequests(req -> req.requestMatchers(whiteList).permitAll()
- .anyRequest().authenticated())
- .exceptionHandling(http -> http.authenticationEntryPoint(failureHandling()))
- // token过滤器
- .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)
- .csrf(AbstractHttpConfigurer::disable)
- .cors(AbstractHttpConfigurer::disable)
- // 无状态
- .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
- .build();
- }
-
- @Bean
- public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
- return authenticationConfiguration.getAuthenticationManager();
- }
-
- /**
- * 强散列哈希加密实现
- */
- @Bean
- public PasswordEncoder bCryptPasswordEncoder() {
- return new BCryptPasswordEncoder();
- }
-
- /**
- * 验证失败处理器
- *
- */
- public AuthenticationEntryPoint failureHandling() {
- return (request, response, exception) -> {
- log.error(exception.getMessage());
- RespEnum resultEnum = RespEnum.UNAUTHORIZED;
- exception.printStackTrace();
- Resp<Void> resp = Resp.error(resultEnum);
- response.setContentType("application/json");
- response.setCharacterEncoding("utf-8");
- response.getWriter().write(JSON.toJSONString(resp));
- };
- }
- }
这里用过滤器的方式验证用户,用户信息放到请求上下文中
- @Component
- public class AuthenticationTokenFilter extends OncePerRequestFilter {
-
- @Resource
- private TokenService tokenService;
-
-
- @Override
- public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
- String token = SecurityUtils.getToken(request);
- // 无token不加载用户信息
- if (Func.isEmpty(token) || token.startsWith("Basic")) {
- chain.doFilter(request, response);
- return;
- }
- // 解析token,并从redis中取出loginUser
- LoginUser loginUser = tokenService.verifyToken(token);
- // security的认证实际上最终操作的就是这个authenticationToken
- UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
- authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
- SecurityContextHolder.getContext().setAuthentication(authenticationToken);
- chain.doFilter(request, response);
- }
- }
tokenService不变(主要是对token、用户的处理)。
- @Component
- public class TokenService {
-
- @Resource
- private RedisTemplate<String, String> redisTemplate;
-
- // 令牌默认存储时长
- protected static final long EXPIRE_SECOND = 3600;
- // token在redis中的key
- private final static String ACCESS_TOKEN = "login_tokens:";
-
- /**
- * 创建令牌
- */
- public String createToken(LoginUser loginUser) {
- String token = IdUtil.nanoId();
- // 存储
- refreshToken(loginUser, token);
- return token;
- }
-
-
- /**
- * 获取用户身份信息
- *
- * @return 用户信息
- */
- public LoginUser getLoginUser(String token) {
- if (StringUtils.isNotEmpty(token)) {
- String tokenKey = getTokenKey(token);
- String userStr = redisTemplate.opsForValue().get(tokenKey);
- LoginUser loginUser = JSON.parseObject(userStr, LoginUser.class);
- return loginUser;
- }
- return null;
- }
-
- /**
- * 删除用户缓存信息
- */
- public void removeToken(String token) {
- if (token == null) {
- return;
- }
- String tokenKey = getTokenKey(token);
- redisTemplate.delete(tokenKey);
- }
-
- /**
- * 验证令牌有效期,相差不足120分钟,自动刷新缓存
- *
- * @param token
- */
- public LoginUser verifyToken(String token) {
- LoginUser loginUser = getLoginUser(token);
- // 刷新token
- refreshToken(loginUser, token);
- return loginUser;
- }
-
- /**
- * 刷新令牌有效期
- *
- * @param loginUser 登录信息
- */
- public void refreshToken(LoginUser loginUser, String token) {
- // 将loginUser缓存
- String userKey = getTokenKey(token);
- ValueOperations<String, String> forValue = redisTemplate.opsForValue();
- forValue.set(userKey, JSON.toJSONString(loginUser) , Duration.ofSeconds(EXPIRE_SECOND));
- }
-
- private String getTokenKey(String token) {
- return ACCESS_TOKEN + token;
- }
- }
登录不变,还是原先的,核心代码:
- @Resource
- private AuthenticationManager authenticationManager;
-
- public Resp<String> login(@Valid @RequestBody LoginReqDTO loginBody) {
- String username = loginBody.getUsername();
- String password = loginBody.getPassword();
- UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
- Authentication authenticate = authenticationManager.authenticate(authenticationToken);
- LoginUser loginUser = (LoginUser) authenticate.getPrincipal();
- String token = tokenService.createToken(loginUser);
- return Resp.success(token);
- }
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/484592
推荐阅读
相关标签
