SpringBoot集成SpringSecurity完成權限攔截操作

SpringBoot集成 SpringSecurityJWT 實現認證和授權(一)

SpringSecurity(SpringSecurity是一個強大的可高度定製的認證和授權框架,對於Spring應用來說它是一套Web安全標準)

JWT(JWT 是 JSON Web Token 的縮寫,是基於 RFC 7519 定義的一種可在各方之間傳遞的 JSON 物件。由於帶有數位簽章,接收方可以驗證它的來源與完整性(未被竄改);但要注意 payload 只經過 Base64Url 編碼、並未加密,任何拿到 token 的人都能讀到其中內容,因此不要在 token 裡放敏感資料。)

JWT實現認證和授權的原理

  • 用戶調用登錄接口,登錄成功後獲取到JWTtoken
  • 之後用戶每次調用接口都在 HTTP 請求的 header(頭部)中帶上 token。標準做法是 `Authorization: Bearer <token>`;本文的設定檔透過 `jwt.tokenHeader`(此處設為 `authorize`)與 `jwt.tokenHead`(`Bearer`)決定 header 名稱與前綴,前後端必須約定一致;
  • 後臺程序對該 header 中的 token 做解碼、數字簽名校驗並檢查過期時間(exp),取得其中的用戶名,再依用戶名從資料庫載入用戶及其權限,從而實現認證和授權。

項目使用表說明(資料表名稱以後文 UmsAdminMapper.xml 實際引用的 ums_* 為準)

  • ums_admin:後臺用戶表
  • ums_role:後臺用戶角色表
  • ums_permission:後臺用戶權限表
  • ums_admin_role_relation:後臺用戶和角色關係表,用戶與角色是多對多關係
  • ums_role_permission_relation:後臺用戶角色和權限關係表,角色與權限是多對多關係

整合SpringSecurity及JWT

1. 引用依賴;

<dependencies>
    <!-- Spring Security: supplies the authentication/authorization filter chain configured in SecurityConfig -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <!-- Hutool utility library; used here for JSONUtil in the JSON error handlers.
         NOTE(review): 4.5.7 is an older release line - run it through your dependency
         scanner before shipping. -->
    <dependency>
        <groupId>cn.hutool</groupId>
        <artifactId>hutool-all</artifactId>
        <version>4.5.7</version>
    </dependency>
    <!-- JJWT: JSON Web Token creation and parsing (used by JwtTokenUtil).
         NOTE(review): in the 0.9.x line the String overloads of signWith()/setSigningKey()
         Base64-decode the secret, so a short plain-text jwt.secret yields very little key
         material for HS512; later releases (0.10+) enforce a minimum key size. -->
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.0</version>
    </dependency>
</dependencies>

2. application.yml

spring:
  datasource:
    # NOTE(review): useSSL=false sends database traffic (including the credentials below) in
    # clear text; enable TLS for anything beyond a local sandbox.
    url: jdbc:mysql://127.0.0.1:3306/mall?useUnicode=true&characterEncoding=UTF-8&useSSL=false&autoReconnect=true&failOverReadOnly=false&serverTimezone=GMT%2B8
    # NOTE(review): root/root in a committed file is a sample-only setting. Inject real
    # credentials from the environment (e.g. ${DB_USERNAME} / ${DB_PASSWORD}) and use a
    # least-privilege database account instead of root.
    username: root
    password: root
    driver-class-name: com.mysql.jdbc.Driver
    type: com.zaxxer.hikari.HikariDataSource
    # Run the schema/data scripts on every start-up ...
    initialization-mode: always
    # ... and keep going if one of their statements fails.
    continue-on-error: true
    hikari:
      minimum-idle: 5
      connection-test-query: SELECT 1 FROM DUAL
      maximum-pool-size: 20
      auto-commit: true
      idle-timeout: 30000
      pool-name: SpringBootDemoHikariCP
      max-lifetime: 60000
      connection-timeout: 30000

mybatis:
  configuration:
    # map snake_case columns onto camelCase entity fields
    map-underscore-to-camel-case: true
  mapper-locations: classpath:mappers/*.xml
  type-aliases-package: com.zhihao.entity

jwt:
  # NOTE(review): JwtTokenUtil hands this String to jjwt's signWith()/setSigningKey(), which in
  # the 0.9.x line Base64-decode it, so "zhihao" provides only a few bytes of HS512 key material.
  # Use at least 64 random bytes (e.g. `openssl rand -base64 64`) and supply them through an
  # environment variable rather than committing them.
  secret: zhihao #HMAC signing secret
  expiration: 3000 #token lifetime in seconds (JwtTokenUtil multiplies by 1000)
  # Non-standard header name; the convention is "Authorization". Whatever is chosen must
  # match what the frontend sends.
  tokenHeader: authorize #request header the token is read from
  # NOTE(review): unquoted, YAML drops the trailing blank before the comment, so this value is
  # "Bearer" with no space. If clients send "Bearer <token>", quote it as 'Bearer ' or trim the
  # token after stripping the prefix.
  tokenHead: Bearer  #prefix the frontend puts in front of the token

3.添加JWT token的工具類(用於生成和解析token的工具類)

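/**
 * Issues and verifies the HS512-signed JWTs used as bearer tokens.
 *
 * <p>A token carries the username in the {@code sub} claim, the issue time in the
 * {@code created} claim and an {@code exp} claim {@code jwt.expiration} seconds after
 * issue. Every public accessor is null-safe: a token that fails the signature check, is
 * malformed or is already expired (jjwt rejects expired tokens while parsing) is reported
 * as invalid instead of surfacing as a NullPointerException in the filter or controller.
 */
@Component
public class JwtTokenUtil {

    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);
    private static final String CLAIM_KEY_USERNAME = "sub";
    private static final String CLAIM_KEY_CREATED = "created";

    /**
     * HMAC secret. NOTE(review): the String overloads of signWith()/setSigningKey() in the
     * jjwt 0.9.x line Base64-decode this value, so a short dictionary word provides only a
     * few bytes of key material. HS512 should be backed by at least 64 random bytes (for
     * example the output of {@code openssl rand -base64 64}) kept out of source control.
     */
    @Value("${jwt.secret}")
    private String secret;

    /** Token lifetime in seconds; converted to milliseconds in {@link #generateExpirationDate()}. */
    @Value("${jwt.expiration}")
    private Long expiration;

    /**
     * Builds and signs a token from the given claims. Any {@code exp} already present in
     * {@code claims} is replaced by a fresh expiry.
     */
    private String generateToken(Map<String, Object> claims) {
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    /**
     * Verifies signature and expiry of {@code token} and returns its claims.
     *
     * <p>Only the failure type is logged: the token is a bearer credential and must not
     * end up in log files.
     *
     * @return the claims, or {@code null} if the token is absent, malformed, tampered
     *         with or expired
     */
    private Claims getClaimsFromToken(String token) {
        if (token == null || token.isEmpty()) {
            return null;
        }
        try {
            return Jwts.parser()
                    .setSigningKey(secret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (Exception e) {
            LOGGER.info("JWT格式驗證失敗:{}", e.getClass().getSimpleName());
            return null;
        }
    }

    /** Expiry instant for a token issued right now. */
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + expiration * 1000);
    }

    /**
     * Username ({@code sub} claim) of a verified token.
     *
     * @param token the raw compact JWS sent by the client
     * @return the subject, or {@code null} if the token does not verify or has no subject
     */
    public String getUserNameFromToken(String token) {
        Claims claims = getClaimsFromToken(token);
        return claims == null ? null : claims.getSubject();
    }

    /**
     * Checks that {@code token} verifies, names the same user as {@code userDetails} and
     * has not expired.
     *
     * @param token       the raw compact JWS sent by the client
     * @param userDetails the user loaded from the database for the token's subject
     * @return {@code true} only when every check passes; never throws for a bad token
     */
    public boolean validateToken(String token, UserDetails userDetails) {
        if (userDetails == null) {
            return false;
        }
        String username = getUserNameFromToken(token);
        return username != null
                && username.equals(userDetails.getUsername())
                && !isTokenExpired(token);
    }

    /** A token whose expiry cannot be read is treated as expired. */
    private boolean isTokenExpired(String token) {
        Date expiredDate = getExpiredDateFromToken(token);
        return expiredDate == null || expiredDate.before(new Date());
    }

    /** The {@code exp} claim, or {@code null} if the token does not verify. */
    private Date getExpiredDateFromToken(String token) {
        Claims claims = getClaimsFromToken(token);
        return claims == null ? null : claims.getExpiration();
    }

    /**
     * Issues a new token for an authenticated user.
     *
     * @param userDetails the user whose name becomes the {@code sub} claim
     * @return the signed compact JWS
     */
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }

    /**
     * Whether {@code token} may be exchanged for a fresh one: it must verify and still be
     * within its lifetime.
     *
     * <p>NOTE(review): nothing bounds how many times a token can be refreshed, so a stolen
     * token stays usable indefinitely as long as it keeps being refreshed before expiry.
     */
    public boolean canRefresh(String token) {
        return !isTokenExpired(token);
    }

    /**
     * Re-issues {@code token} with the same claims, a new {@code created} time and a new
     * expiry.
     *
     * @return the new compact JWS, or {@code null} if {@code token} does not verify
     */
    public String refreshToken(String token) {
        Claims claims = getClaimsFromToken(token);
        if (claims == null) {
            return null;
        }
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }
}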

4. 添加SpringSecurity的配置類

/**
 * Spring Security configuration for the JWT-protected REST API.
 *
 * <p>Requests are stateless: no HTTP session is created, CSRF protection is switched off,
 * and the only way to become authenticated is the JWT filter registered ahead of the
 * username/password filter. Authentication and authorization failures are rendered as
 * JSON by the two handlers injected below.
 *
 * <p>Order matters inside {@link #configure(HttpSecurity)}: the first matching
 * {@code antMatchers} rule wins, so the {@code permitAll()} rules must stay above
 * {@code anyRequest().authenticated()}.
 */
@Configuration
@EnableWebSecurity // turn on the Spring Security filter chain
@EnableGlobalMethodSecurity(prePostEnabled=true) // enables @PreAuthorize / @PostAuthorize on methods (see UmsAdminController#getBrandList)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UmsAdminService adminService;
    /** Renders "authenticated but lacking the authority" as a JSON body. */
    @Autowired
    private RestfulAccessDeniedHandler restfulAccessDeniedHandler;
    /** Renders "not authenticated / token rejected" as a JSON body. */
    @Autowired
    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf()// CSRF protection is disabled because the token travels in a request
                // header that browsers never attach automatically. If the token were ever
                // moved into a cookie, this protection would have to come back.
                .disable()
                .sessionManagement()// token based: never create or consult an HTTP session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, // static resources are public, but only for GET
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        // NOTE(review): the API description is readable by anyone; consider
                        // restricting these two in production.
                        "/swagger-resources/**",
                        "/v2/api-docs/**"
                )
                .permitAll()
                .antMatchers("/login", "/register")// login and registration must be reachable anonymously
                // NOTE(review): an anonymous /register on a back-office API should at least be
                // rate-limited or gated by an invitation/approval step.
                .permitAll()
                .antMatchers(HttpMethod.OPTIONS)// CORS pre-flight requests carry no token
                .permitAll()
//                .antMatchers("/**")// debugging aid: opens every path; keep commented out
//                .permitAll()
                .anyRequest()// everything else requires a successfully authenticated request
                .authenticated();
        // Make the Cache-Control / Pragma / Expires "no-store" headers explicit so that
        // authenticated responses are not cached by browsers or proxies.
        httpSecurity.headers().cacheControl();
        // The JWT filter runs before the form-login filter so that a valid token populates
        // the SecurityContext for the authorization rules above.
        // NOTE(review): jwtAuthenticationTokenFilter() is also exposed as a @Bean, so Spring
        // Boot will presumably register the same instance with the servlet container as well,
        // making it run twice per request; a FilterRegistrationBean with setEnabled(false)
        // suppresses that second registration.
        httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        // JSON responses for "no permission" (AccessDeniedException) and "not logged in"
        // instead of the default redirect / HTML pages.
        httpSecurity
                .exceptionHandling()
                .accessDeniedHandler(restfulAccessDeniedHandler)
                .authenticationEntryPoint(restAuthenticationEntryPoint);
    }

    /**
     * Wires the user lookup and the BCrypt password encoder into the AuthenticationManager.
     * NOTE(review): UmsAdminServiceImpl#login compares passwords itself rather than calling
     * this manager, so whatever additional checks the manager would perform are not applied
     * on the login path.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService())
                .passwordEncoder(passwordEncoder());
    }

    /** BCrypt is the encoder for both storing and verifying admin passwords. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Loads an admin and its permissions by username. The "not found" message is
     * deliberately the same as the wrong-password message so that the response text does
     * not reveal which usernames exist.
     */
    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                // look the admin up by username
                UmsAdmin admin = adminService.getAdminByUsername(username);
            if (admin != null) {
                // collect every permission granted through the admin's roles
                List<UmsPermission> permissionList = adminService.getPermissionList(admin.getId());
                // wrap in the project's own UserDetails implementation
                return new AdminUserDetails(admin,permissionList);
            }
            throw new UsernameNotFoundException("用戶名或密碼錯誤");
            }
        };
    }

    /**
     * The JWT filter instance added to the security chain above.
     * @return JwtAuthenticationTokenFilter
     */
    @Bean
    public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){
        return new JwtAuthenticationTokenFilter();
    }

    /** Exposes the AuthenticationManager as a bean so that other components can inject it. */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

相關依賴及方法說明

  • configure(HttpSecurity httpSecurity):用於配置需要攔截的url路徑、jwt過濾器及出異常後的處理器;
  • configure(AuthenticationManagerBuilder auth):用於配置UserDetailsService及PasswordEncoder;
  • RestfulAccessDeniedHandler:當用戶沒有訪問權限時的處理器,用於返回JSON格式的處理結果;
  • RestAuthenticationEntryPoint:當未登錄或token失效時,返回JSON格式的結果;
  • UserDetailsService:SpringSecurity定義的核心接口,用於根據用戶名獲取用戶信息,需要自行實現;
  • UserDetails:SpringSecurity定義用於封裝用戶信息的類(主要是用戶信息和權限),需要自行實現;
  • PasswordEncoder:SpringSecurity定義的用於對密碼進行編碼及比對的接口,目前使用的是BCryptPasswordEncoder;
  • JwtAuthenticationTokenFilter:在用戶名和密碼校驗前添加的過濾器,如果請求帶有有效的 JWT token,會依 token 中的用戶名重新載入用戶及其權限並把認證結果放入 SecurityContext;token 缺失或無效時不會報錯,而是讓請求以未認證狀態繼續,由 RestAuthenticationEntryPoint 回應。

5.RestfulAccessDeniedHandler

當用戶沒有訪問權限時的處理器

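/**
 * Renders an authorization failure (the caller is authenticated but lacks the required
 * authority) as a JSON body.
 *
 * <p>The HTTP status is set to 403 so that proxies, clients and monitoring can tell the
 * failure apart from a successful 200 without parsing the body; previously the default
 * 200 status was left in place.
 */
@Component
public class RestfulAccessDeniedHandler implements AccessDeniedHandler{
    @Override
    public void handle(HttpServletRequest request,
                       HttpServletResponse response,
                       AccessDeniedException e) throws IOException, ServletException {
        // Status must be set before anything is written to the response body.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        response.getWriter().println(JSONUtil.parse(CommonResult.forbidden(e.getMessage())));
        response.getWriter().flush();
    }
}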

6. RestAuthenticationEntryPoint

當未登錄或token失效時,返回JSON格式的結果;

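/**
 * Renders an authentication failure (no token, or a token that did not verify) as a JSON
 * body.
 *
 * <p>The HTTP status is set to 401 (previously the default 200 was returned) and, as
 * RFC 7235 requires for a 401, a {@code WWW-Authenticate} header naming the Bearer scheme
 * is added so that generic HTTP clients know how to authenticate.
 */
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        // Status and headers must be set before anything is written to the body.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Bearer");
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        response.getWriter().println(JSONUtil.parse(CommonResult.unauthorized(authException.getMessage())));
        response.getWriter().flush();
    }
}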

7. 自定義JWT過濾器JwtAuthenticationTokenFilter

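/**
 * Authenticates requests that carry a bearer JWT.
 *
 * <p>Reads the header named by {@code jwt.tokenHeader}; when it starts with the
 * {@code jwt.tokenHead} prefix, the remainder is parsed as a JWT, the user it names is
 * re-loaded from the database (so a deleted user or changed authorities take effect on the
 * next request) and, if the token is valid for that user, an authenticated
 * {@link UsernamePasswordAuthenticationToken} is stored in the {@link SecurityContextHolder}.
 * On any failure the request simply continues unauthenticated and Spring Security's entry
 * point produces the error response; the filter never throws for a bad token and never
 * logs the token itself.
 */
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    /** Request header the token is read from (jwt.tokenHeader). */
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;
    /** Prefix expected before the token inside that header (jwt.tokenHead). */
    @Value("${jwt.tokenHead}")
    private String tokenHead;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String authHeader = request.getHeader(this.tokenHeader);
        // Only do the (signature + database) work when a token is present and nothing
        // earlier in the chain has already authenticated this request.
        if (authHeader != null && authHeader.startsWith(this.tokenHead)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            // trim() accepts both "Bearer<token>" and "Bearer <token>": whether the configured
            // prefix carries a trailing space depends on how jwt.tokenHead is quoted in YAML.
            String authToken = authHeader.substring(this.tokenHead.length()).trim();
            String username = jwtTokenUtil.getUserNameFromToken(authToken);
            if (username != null) {
                authenticate(request, authToken, username);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Loads the user named by an already signature-verified token and, if the token is
     * still valid for that user, marks the current request as authenticated.
     */
    private void authenticate(HttpServletRequest request, String authToken, String username) {
        UserDetails userDetails;
        try {
            userDetails = this.userDetailsService.loadUserByUsername(username);
        } catch (org.springframework.security.core.userdetails.UsernameNotFoundException e) {
            // The account was removed or renamed after the token was issued: treat the
            // request as unauthenticated instead of letting the exception become a 500.
            LOGGER.debug("token subject no longer exists: {}", username);
            return;
        }
        if (!jwtTokenUtil.validateToken(authToken, userDetails)) {
            return;
        }
        UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        LOGGER.debug("authenticated user:{}", username);
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
}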

8. UmsAdminService

public interface UmsAdminService {

    /**
     * Looks an admin up by username.
     *
     * @param username the login name (matched exactly by the mapper)
     * @return the admin, or {@code null} when no row matches (see UmsAdminMapper)
     * @author: zhihao
     * @date: 15/1/2020
     */
    UmsAdmin getAdminByUsername(String username);

    /** 
     * Returns every permission reachable from the admin's roles.
     *
     * @param id the admin id
     * @return the permission rows; may contain the same permission more than once when
     *         it is granted through several roles (the mapper query does not de-duplicate)
     * @author: zhihao
     * @date: 15/1/2020 
     */
    List<UmsPermission> getPermissionList(Long id);
}

9. 實現類、Mapper 介面與 XML 檔案在下一節「登錄功能與權限校驗實現」中一併給出完整程式碼。

登錄功能與權限校驗實現

1. UmsAdminController

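/**
 * REST endpoints for back-office admin authentication.
 *
 * <p>All state is per request. The previous version kept the login result map in an
 * instance field of this singleton controller, so two concurrent logins shared (and
 * overwrote) the same map and one caller could be handed another user's token.
 */
@RestController
public class UmsAdminController {

    @Autowired
    private UmsAdminService umsAdminService;

    /** Request header the token is read from (jwt.tokenHeader). */
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;

    /** Prefix expected before the token inside that header (jwt.tokenHead). */
    @Value("${jwt.tokenHead}")
    private String tokenHead;

    // Registration and the remaining endpoints are omitted from this excerpt.

    /**
     * Authenticates with username/password and returns a fresh JWT.
     *
     * @param username login name (form/query parameter)
     * @param password the raw password as typed by the user; it is compared against the
     *                 stored BCrypt hash, so the transport must be TLS
     * @return {@code {"token": ...}} on success; otherwise a generic failure whose message
     *         deliberately does not say whether the username or the password was wrong
     */
    @PostMapping("/login")
    public CommonResult login(String username,String password){
        String token = umsAdminService.login(username, password);
        if (token == null) {
            return CommonResult.failed("用戶名或密碼錯誤");
        }
        Map<String, Object> resultMap = new HashMap<>();
        resultMap.put("token", token);
        return CommonResult.success(resultMap);
    }

    /**
     * Logout. NOTE(review): with stateless JWTs there is nothing to invalidate on the
     * server; the client must discard its token, which stays usable until its {@code exp}
     * unless a server-side deny-list is added.
     */
    @PostMapping(value = "/logout")
    public CommonResult logout() {
        return CommonResult.success(null);
    }

    /**
     * Exchanges a still-valid token for a new one with a fresh expiry.
     *
     * <p>The prefix is stripped by the length of the configured {@code tokenHead} instead of
     * a hard-coded 6, surrounding whitespace is trimmed so both {@code Bearer<token>} and
     * {@code Bearer <token>} are accepted, and a missing or malformed header yields a failure
     * result instead of a NullPointerException.
     * NOTE(review): this endpoint issues a credential; POST would be more conventional than
     * GET, since GET requests are more readily logged and cached by intermediaries.
     *
     * @param request the current request; the token is read from its header
     * @return {@code {"token": ...}} with the new token, or a failure when the old one
     *         is missing, invalid or already expired
     */
    @GetMapping(value = "/refreshToken")
    public CommonResult refreshToken(HttpServletRequest request) {
        String authHeader = request.getHeader(tokenHeader);
        if (authHeader == null || !authHeader.startsWith(tokenHead)) {
            return CommonResult.failed("缺少token");
        }
        String token = authHeader.substring(tokenHead.length()).trim();
        String refreshToken = umsAdminService.refreshToken(token);
        if (refreshToken == null) {
            return CommonResult.failed("token已經過期!");
        }
        Map<String, String> tokenMap = new HashMap<>();
        tokenMap.put("token", refreshToken);
        return CommonResult.success(tokenMap);
    }

    /**
     * Authority check sample: only callers holding {@code pms:brand:delete} reach the body;
     * everyone else presumably gets the RestfulAccessDeniedHandler response.
     */
    @GetMapping("/test")
    @PreAuthorize("hasAuthority('pms:brand:delete')")
    public CommonResult getBrandList() {
        return CommonResult.success("權限訪問成功");
    }
}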

2. 修改後的UmsAdminService

public interface UmsAdminService {

    /**
     * Looks an admin up by username.
     *
     * @param username the login name (matched exactly by the mapper)
     * @return the admin, or {@code null} when no row matches (see UmsAdminMapper)
     * @author: zhihao
     * @date: 15/1/2020
     */
    UmsAdmin getAdminByUsername(String username);

    /**
     * Returns every permission reachable from the admin's roles.
     *
     * @param id the admin id
     * @return the permission rows; may contain the same permission more than once when
     *         it is granted through several roles (the mapper query does not de-duplicate)
     * @author: zhihao
     * @date: 15/1/2020
     */
    List<UmsPermission> getPermissionList(Long id);

    /**
     * Verifies the credentials and issues a JWT.
     *
     * @param username the login name
     * @param password the raw password to check against the stored BCrypt hash
     * @return the signed token, or {@code null} when the credentials are rejected
     */
    String login(String username,String password);

    /**
     * Exchanges a still-valid token for a new one.
     *
     * @param token the current compact JWS (prefix already stripped)
     * @return the new token, or {@code null} when the old one can no longer be refreshed
     */
    String refreshToken(String token);
}

3. UmsAdminServiceImpl實現類

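/**
 * Admin lookup, login and token refresh.
 *
 * <p>Login compares the submitted password with the stored BCrypt hash through the
 * configured {@link PasswordEncoder} and, on success, issues a JWT.
 * NOTE(review): this path does not go through Spring Security's AuthenticationManager
 * (which SecurityConfig exposes as a bean), so any account-status flags carried by
 * AdminUserDetails (enabled / locked / expired) are presumably not enforced here; routing
 * login through the manager would add them.
 *
 * @Author: zhihao
 * @Date: 15/1/2020 下午 9:32
 * @Versions 1.0
 **/
@Service
public class UmsAdminServiceImpl implements UmsAdminService {
    private static final Logger LOGGER = LoggerFactory.getLogger(UmsAdminServiceImpl.class);

    /** Placeholder whose hash is used to give unknown-user logins the same cost as real ones. */
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    @Autowired
    private UmsAdminMapper umsAdminMapper;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    /**
     * Lazily computed encoding of {@link #USER_NOT_FOUND_PASSWORD}; it cannot be built
     * statically because the encoder is injected.
     */
    private volatile String userNotFoundEncodedPassword;

    @Override
    public UmsAdmin getAdminByUsername(String username) {
        return umsAdminMapper.getAdminByUsername(username);
    }

    @Override
    public List<UmsPermission> getPermissionList(Long id) {
        return umsAdminMapper.getPermissionList(id);
    }

    /**
     * Verifies the credentials and returns a JWT, or {@code null} on any failure.
     *
     * <p>The password is the raw value the client sent: {@code PasswordEncoder.matches}
     * hashes it with the salt embedded in the stored BCrypt hash, so "encrypting" it on
     * the client would merely turn that ciphertext into the effective password.
     * Confidentiality on the wire has to come from TLS.
     *
     * <p>An unknown username still pays for one BCrypt comparison so that the response time
     * does not reveal whether the account exists. Null or empty inputs are rejected up front
     * because the encoder rejects a null raw password with a non-authentication exception.
     *
     * @param username the login name
     * @param password the raw password
     * @return the signed token, or {@code null} when the credentials are rejected
     */
    @Override
    public String login(String username, String password) {
        if (username == null || username.isEmpty() || password == null) {
            return null;
        }
        try {
            UserDetails userDetails = loadUserByUsername(username);
            String storedHash = userDetails.getPassword();
            if (storedHash == null || !passwordEncoder.matches(password, storedHash)) {
                throw new BadCredentialsException("密碼不正確");
            }
            UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            // Not required for issuing the token (the API is stateless); kept so that anything
            // later in this same request can read the SecurityContext.
            SecurityContextHolder.getContext().setAuthentication(authentication);
            return jwtTokenUtil.generateToken(userDetails);
        } catch (UsernameNotFoundException e) {
            mitigateAgainstTimingAttack(password);
            LOGGER.warn("登錄異常:{}", e.getMessage());
        } catch (AuthenticationException e) {
            LOGGER.warn("登錄異常:{}", e.getMessage());
        }
        return null;
    }

    /** Runs one BCrypt comparison against a dummy hash; the result is intentionally discarded. */
    private void mitigateAgainstTimingAttack(String rawPassword) {
        String encoded = userNotFoundEncodedPassword;
        if (encoded == null) {
            encoded = passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
            userNotFoundEncodedPassword = encoded;
        }
        passwordEncoder.matches(rawPassword, encoded);
    }

    /**
     * Exchanges a still-valid token for a new one.
     *
     * @return the new token, or {@code null} when the old one is invalid or expired
     */
    @Override
    public String refreshToken(String token) {
        if (jwtTokenUtil.canRefresh(token)){
            return jwtTokenUtil.refreshToken(token);
        }
        return null;
    }

    /**
     * Loads the admin and its permissions into the project's UserDetails implementation.
     * The "not found" message matches the wrong-password one so that callers cannot tell
     * the two apart from the text.
     *
     * @throws UsernameNotFoundException when no admin has that username
     */
    public UserDetails loadUserByUsername(String username){
        UmsAdmin admin = getAdminByUsername(username);
        if (admin != null) {
            List<UmsPermission> permissionList = getPermissionList(admin.getId());
            return new AdminUserDetails(admin,permissionList);
        }
        throw new UsernameNotFoundException("用戶名或密碼錯誤");
    }
}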

4. dao層UmsAdminMapper

@Mapper
public interface UmsAdminMapper {

    /** Exact-match lookup on ums_admin.username; the bound parameter is never interpolated into the SQL. */
    UmsAdmin getAdminByUsername(String username);

    /** Permissions reachable through the admin's roles (admin -> role -> permission). */
    List<UmsPermission> getPermissionList(Long id);
}

UmsAdminMapper.xml

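<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.zhihao.dao.UmsAdminMapper">

    <!-- Look one admin up by exact username. #{} binds a PreparedStatement parameter, so the
         value is never spliced into the SQL text (no injection through the username). The
         row includes the stored BCrypt hash that the service layer compares against. -->
    <select id="getAdminByUsername" parameterType="string" resultType="com.zhihao.entity.UmsAdmin">
        select *  from ums_admin where username = #{username}
    </select>

    <!-- Every permission reachable from the admin's roles (admin -> role -> permission).
         Only pr.* is selected: the joined role/admin tables carry their own columns (id,
         name, ...) which, with SELECT *, could be auto-mapped onto UmsPermission instead of
         the permission's own values. DISTINCT collapses a permission granted through several
         roles into one row. The joins are INNER because the WHERE on ad.id already discarded
         any unmatched rows the previous LEFT JOINs could have produced. -->
    <select id="getPermissionList" parameterType="long" resultType="com.zhihao.entity.UmsPermission">
        SELECT DISTINCT pr.* FROM `ums_permission` pr
        INNER JOIN ums_role_permission_relation re ON pr.pid = re.permission_id
        INNER JOIN ums_role ro ON ro.id = re.role_id
        INNER JOIN ums_admin_role_relation r ON r.role_id = ro.id
        INNER JOIN ums_admin ad ON ad.id = r.admin_id
        WHERE ad.id = #{id}
    </select>
</mapper>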


UmsPermission、UmsAdmin 等實體類與資料庫建表 SQL 請見項目代碼。


示例項目中所有帳號的密碼都是 123456(僅供本地測試;正式環境務必更換,並且不要把資料庫帳密與 JWT 密鑰寫死在 application.yml 中)。

UmsPermission、UmsAdmin 等實體類與資料庫建表 SQL 請見項目代碼。

項目代碼(點擊打開)
