Preface
I had always used Shiro for user authentication and authorization, and recently I stepped into quite a few pitfalls with Spring Security. The more official description of Spring Security reads: Spring Security is a security framework provided by Spring that offers authentication and authorization; above all it provides a simple way to use it while remaining highly flexible: simple, flexible, powerful. In practice it is not as easy as advertised. As a framework it ought to be simple and convenient to use, and paired with JWT it should be twice the fun.
Tech stack
Spring Boot, Spring Security, JWT, Spring Data JPA
Adding dependencies
Create a Maven project and import the required dependencies:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.chen</groupId>
    <artifactId>SpringSecurity_jwt_test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>
    <name>SpringSecurity_jwt_test</name>
    <description></description>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.0</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.12</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Configuring the data source
server.port=8028
spring.datasource.url=jdbc:mysql://localhost:3306/test?useSSL=false
spring.datasource.username=root
spring.datasource.password=123456
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
JPA is not explained here; if you need it, see the article on using JPA:
Entity class
Create a user entity with account, password and role fields. Because the project uses JPA, the matching database table is generated from this entity automatically when the application starts.
package com.chen.entity;

import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Getter;
import lombok.Setter;

import javax.persistence.*;

/**
 * author:chen
 */
@Entity
@Getter
@Setter
@Table(name = "user_test")
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "id")
    private Integer id;

    // findByUsername in the repository expects a single row per username
    @Column(name = "username")
    private String username;

    // holds the bcrypt hash; @JsonIgnore keeps it out of any JSON response
    // (the /register endpoint returns the saved entity)
    @JsonIgnore
    @Column(name = "password")
    private String password;

    @Column(name = "role")
    private String role;
}
Wrapping JWT in a utility class
Wrap jjwt so that it can be called directly later on.
package com.chen.utils;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.util.Date;
import java.util.HashMap;

/**
 * author:chen
 */
public class JwtTokenUtils {
    public static final String TOKEN_HEADER = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer ";
    // jjwt 0.9.x interprets this String as a base64-encoded key. A short, hard-coded
    // value is fine for a demo but far too weak for HS512; a deployment should use a
    // random key of at least 64 bytes loaded from configuration, not from source code.
    private static final String SECRET = "mysecret";
    private static final String ISS = "chen";
    // claim key under which the role is stored
    private static final String ROLE_CLAIMS = "rol";
    // expiry is 3600 seconds, i.e. one hour
    private static final long EXPIRATION = 3600L;
    // expiry after "remember me" was selected: 7 days
    private static final long EXPIRATION_REMEMBER = 604800L;

    // create a token
    public static String createToken(String username, String role, boolean isRememberMe) {
        long expiration = isRememberMe ? EXPIRATION_REMEMBER : EXPIRATION;
        HashMap<String, Object> map = new HashMap<>();
        map.put(ROLE_CLAIMS, role);
        // setClaims replaces the whole claim map, so it has to come before the setXxx calls
        return Jwts.builder()
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .setClaims(map)
                .setIssuer(ISS)
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
                .compact();
    }

    // read the username from the token
    public static String getUsername(String token) {
        return getTokenBody(token).getSubject();
    }

    // read the user's role from the token
    public static String getUserRole(String token) {
        return (String) getTokenBody(token).get(ROLE_CLAIMS);
    }

    // has the token expired?
    public static boolean isExpiration(String token) {
        try {
            return getTokenBody(token).getExpiration().before(new Date());
        } catch (ExpiredJwtException e) {
            // the parser already refuses an expired token while parsing it
            return true;
        }
    }

    // parse the token and verify its signature; any problem (bad signature, malformed
    // or unsigned token, expiry) surfaces as a JwtException instead of returning claims
    private static Claims getTokenBody(String token) {
        return Jwts.parser()
                .setSigningKey(SECRET)
                .parseClaimsJws(token)
                .getBody();
    }
}
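As an added example (my code, not code from the original post or its repository), the following JUnit 4 test exercises JwtTokenUtils from the verifying side: it checks the round trip of subject and role, confirms the two lifetimes from the constants above by decoding the iat and exp claims, and shows that a token whose payload was edited after signing is rejected by the signature check inside getTokenBody before any claim is returned. It assumes spring-boot-starter-test (JUnit 4) on the test classpath, which the pom above does not declare; Jackson comes with spring-boot-starter-web, and "alice" is a constructed user.

```java
package com.chen.utils;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.JwtException;
import org.junit.Test;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

/**
 * Added example: verifies JwtTokenUtils from the defender's side.
 * Assumes spring-boot-starter-test (JUnit 4) on the test classpath; "alice" is a constructed user.
 */
public class JwtTokenUtilsTest {

    // Decode the payload segment (not yet trusted, only inspected) and return exp - iat in seconds.
    // jjwt stores both timestamps as epoch seconds; Java's URL-safe decoder accepts unpadded input.
    private static long lifetimeSeconds(String token) throws IOException {
        String payloadJson = new String(Base64.getUrlDecoder().decode(token.split("\\.")[1]),
                StandardCharsets.UTF_8);
        JsonNode claims = new ObjectMapper().readTree(payloadJson);
        return claims.get("exp").asLong() - claims.get("iat").asLong();
    }

    @Test
    public void roundTripKeepsSubjectAndRole() {
        String token = JwtTokenUtils.createToken("alice", "ROLE_USER", false);
        assertEquals("alice", JwtTokenUtils.getUsername(token));
        assertEquals("ROLE_USER", JwtTokenUtils.getUserRole(token));
        assertFalse(JwtTokenUtils.isExpiration(token));
    }

    @Test
    public void rememberMeSelectsTheSevenDayLifetime() throws IOException {
        long normal = lifetimeSeconds(JwtTokenUtils.createToken("alice", "ROLE_USER", false));
        long remembered = lifetimeSeconds(JwtTokenUtils.createToken("alice", "ROLE_USER", true));
        // iat and exp come from two separate clock reads, so allow one second of rounding
        assertTrue(Math.abs(normal - 3600L) <= 1);
        assertTrue(Math.abs(remembered - 604800L) <= 1);
    }

    @Test(expected = JwtException.class)
    public void editedPayloadFailsSignatureCheck() {
        String token = JwtTokenUtils.createToken("alice", "ROLE_USER", false);
        String[] parts = token.split("\\.");
        // Re-encode the payload with the role changed while keeping the original signature
        String edited = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8)
                .replace("ROLE_USER", "ROLE_ADMIN");
        String reEncoded = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(edited.getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + reEncoded + "." + parts[2];
        // getUserRole goes through parseClaimsJws, which verifies the HS512 MAC before
        // handing out any claim, so the altered role is never returned
        JwtTokenUtils.getUserRole(tampered);
    }
}
```

The third test is the one worth keeping in a real project: it pins down that role information is only ever read from a token whose MAC verified under the server's key, which is the property the authorization filter later relies on.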
DAO layer
Only one method is defined here (look up a user by username); the other common single-table operations are already implemented by JPA internally, which is the joy of JPA.
package com.chen.repository;

import com.chen.entity.User;
import org.springframework.data.repository.CrudRepository;

/**
 * author:chen
 */
public interface UserRepository extends CrudRepository<User, Integer> {
    User findByUsername(String username);
}
Service layer
Using Spring Security requires implementing the UserDetailsService interface for the security framework to call. Only one method needs to be implemented: load a user by username, which is exactly the repository method defined above, so it is called directly here.
package com.chen.service;

import com.chen.entity.JwtUser;
import com.chen.entity.User;
import com.chen.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/**
 * author:chen
 */
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(s);
        // an unknown username must be reported through UsernameNotFoundException;
        // passing null on to JwtUser would throw a NullPointerException inside the filter
        if (user == null) {
            throw new UsernameNotFoundException("user not found: " + s);
        }
        return new JwtUser(user);
    }
}
Implementing the interface
Because the service method has to return a UserDetails, another class is written to implement that interface.
package com.chen.entity;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.Collections;

/**
 * author:chen
 */
public class JwtUser implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private Collection<? extends GrantedAuthority> authorities;

    public JwtUser() {
    }

    // constructor that builds a JwtUser directly from a User
    public JwtUser(User user) {
        id = user.getId();
        username = user.getUsername();
        password = user.getPassword();
        authorities = Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    // toString is printed by the login filter, so the password hash is deliberately left out
    @Override
    public String toString() {
        return "JwtUser{" +
                "id=" + id +
                ", username='" + username + '\'' +
                ", authorities=" + authorities +
                '}';
    }
}
Configuring the filters
JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter. This filter collects the user's login information; it only has to build a token and call authenticationManager.authenticate() to let Spring Security do the verification, so there is no need to query the database and compare passwords yourself; that step is handed to Spring Security. This is much like Shiro's subject.login(new UsernamePasswordToken()): verification is left to the framework.
package com.chen.filter;

import com.chen.model.LoginUser;
import com.chen.utils.JwtTokenUtils;
import com.chen.entity.JwtUser;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;

/**
 * author:chen
 */
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    // carries the remember-me flag from attemptAuthentication to successfulAuthentication on the same thread
    private ThreadLocal<Integer> rememberMe = new ThreadLocal<>();
    private AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
        super.setFilterProcessesUrl("/login");
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response) throws AuthenticationException {
        // variant for a JSON body sent by the front end
        /*try {
            LoginUser loginUser = new ObjectMapper().readValue(request.getInputStream(), LoginUser.class);
            rememberMe.set(loginUser.getRememberMe() == null ? 0 : loginUser.getRememberMe());
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginUser.getUsername(), loginUser.getPassword(), new ArrayList<>())
            );
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }*/
        // variant for key-value (form) parameters sent by the front end
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // the flag is read from a "rememberMe" form parameter, mirroring the field of LoginUser
        String remember = request.getParameter("rememberMe");
        // only the username is logged; credentials must never be written to logs
        System.out.println("login attempt, username:" + username);
        LoginUser loginUser = new LoginUser(username, password);
        loginUser.setRememberMe("1".equals(remember) ? 1 : 0);
        rememberMe.set(loginUser.getRememberMe());
        return authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(loginUser.getUsername(), loginUser.getPassword(), new ArrayList<>()));
    }

    // called after successful verification
    // on success, generate a token and return it
    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {
        JwtUser jwtUser = (JwtUser) authResult.getPrincipal();
        System.out.println("jwtUser:" + jwtUser.toString());
        boolean isRemember = rememberMe.get() != null && rememberMe.get() == 1;
        // clear the ThreadLocal so the flag cannot leak into the next request served by this thread
        rememberMe.remove();
        String role = "";
        Collection<? extends GrantedAuthority> authorities = jwtUser.getAuthorities();
        for (GrantedAuthority authority : authorities) {
            role = authority.getAuthority();
        }
        String token = JwtTokenUtils.createToken(jwtUser.getUsername(), role, isRemember);
        //String token = JwtTokenUtils.createToken(jwtUser.getUsername(), false);
        // return the freshly created token
        // what is created here is the bare token;
        // by the JWT convention later requests must send it as `Bearer token`
        response.setHeader("Authorization", JwtTokenUtils.TOKEN_PREFIX + token);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
        rememberMe.remove();
        // without an explicit status a failed login would be answered with 200
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getWriter().write("authentication failed, reason: " + failed.getMessage());
    }
}
I spent some time digging through the source for this part. A framework is a framework: the username parameter, the password parameter and the login endpoint are all preset for you. They can of course be overridden, and the filter above was reworked according to my own understanding.
After authentication comes authorization. Every request that requires a permission must be checked to see whether the user may operate on that resource; the framework does this for us as well, so what is left for us to do? Only to tell Spring Security whether the user is logged in, which role they have and which permissions they hold. JWTAuthorizationFilter extends BasicAuthenticationFilter.
package com.chen.filter;

import com.chen.utils.JwtTokenUtils;
import com.chen.exception.TokenIsExpiredException;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.JwtException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;

/**
 * author:chen
 */
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws IOException, ServletException {
        String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER);
        // no Authorization header: let the request through unauthenticated; the
        // authorization rules in SecurityConfig decide what an anonymous caller may reach
        if (tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)) {
            chain.doFilter(request, response);
            return;
        }
        // there is a token: parse it and set the authentication information
        try {
            SecurityContextHolder.getContext().setAuthentication(getAuthentication(tokenHeader));
        } catch (TokenIsExpiredException | JwtException e) {
            // JwtException covers forged, malformed or unsigned tokens, which would otherwise
            // escape the filter as a 500 with a stack trace; both cases get the same JSON error
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json; charset=utf-8");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            String reason = "統一處理,原因:" + e.getMessage();
            response.getWriter().write(new ObjectMapper().writeValueAsString(reason));
            response.getWriter().flush();
            return;
        }
        super.doFilterInternal(request, response, chain);
    }

    // read the user information out of the token and build a new Authentication from it
    private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader) throws TokenIsExpiredException {
        String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, "");
        boolean expiration = JwtTokenUtils.isExpiration(token);
        if (expiration) {
            throw new TokenIsExpiredException("token超時了");
        } else {
            String username = JwtTokenUtils.getUsername(token);
            String role = JwtTokenUtils.getUserRole(token);
            if (username != null) {
                return new UsernamePasswordAuthenticationToken(username, null,
                        Collections.singleton(new SimpleGrantedAuthority(role))
                );
            }
        }
        return null;
    }
}
Configuring Spring Security
package com.chen.config;

import com.chen.exception.JWTAccessDeniedHandler;
import com.chen.exception.JWTAuthenticationEntryPoint;
import com.chen.filter.JWTAuthenticationFilter;
import com.chen.filter.JWTAuthorizationFilter;
import com.chen.utils.JwtTokenUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 * author:chen
 */
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    @Qualifier("userDetailsServiceImpl")
    private UserDetailsService userDetailsService;

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // passwords are hashed with bcrypt
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
        // passwords stored untouched (plaintext)
        //auth.userDetailsService(userDetailsService).passwordEncoder(NoOpPasswordEncoder.getInstance());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF can be disabled because the session is stateless and the token travels in a
        // header, never in a cookie that the browser would attach on its own
        http.cors().and().csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.DELETE, "/tasks/**").hasRole("ADMIN")
                // test resource, only authenticated users may access it
                .antMatchers("/tasks/**").authenticated()
                // everything else is open
                .anyRequest().permitAll()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                // no session needed
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling().authenticationEntryPoint(new JWTAuthenticationEntryPoint())
                .accessDeniedHandler(new JWTAccessDeniedHandler()); // handler for the no-permission case
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
        // a cross-origin script can only read the response headers listed here, so the
        // header carrying the token issued by JWTAuthenticationFilter has to be exposed
        config.addExposedHeader(JwtTokenUtils.TOKEN_HEADER);
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
Login user model
package com.chen.model;

import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

/**
 * author:chen
 */
@Setter
@Getter
@NoArgsConstructor
public class LoginUser {
    private String username;
    private String password;
    private Integer rememberMe;

    // used by JWTAuthenticationFilter when the credentials arrive as form parameters;
    // the no-argument constructor is what ObjectMapper needs for the JSON variant
    public LoginUser(String username, String password) {
        this.username = username;
        this.password = password;
    }
}
Defining exception handling
package com.chen.exception;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * author:chen
 */
public class JWTAccessDeniedHandler implements AccessDeniedHandler {
    // reached when an authenticated user lacks the role a rule demands (e.g. DELETE /tasks/** without ROLE_ADMIN)
    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json; charset=utf-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        String reason = "統一處理,原因:" + e.getMessage();
        httpServletResponse.getWriter().write(new ObjectMapper().writeValueAsString(reason));
    }
}
package com.chen.exception;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * author:chen
 */
public class JWTAuthenticationEntryPoint implements AuthenticationEntryPoint {
    // reached when an anonymous request hits a rule that needs authentication;
    // this post answers with 403, although 401 is the conventional status for a missing credential
    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        String reason = "統一處理,原因:" + authException.getMessage();
        response.getWriter().write(new ObjectMapper().writeValueAsString(reason));
    }
}
package com.chen.exception;

/**
 * author:chen
 */
public class TokenIsExpiredException extends Exception {
    public TokenIsExpiredException() {
    }

    public TokenIsExpiredException(String message) {
        super(message);
    }

    public TokenIsExpiredException(String message, Throwable cause) {
        super(message, cause);
    }

    public TokenIsExpiredException(Throwable cause) {
        super(cause);
    }

    public TokenIsExpiredException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
        super(message, cause, enableSuppression, writableStackTrace);
    }
}
Wrapping RESTful response data
This response wrapper class is a personal habit of mine.
package com.chen.model;

public class AppConstant {
    // text message
    public static final String MESSAGE = "message";
    // single object
    public static final String ITEM = "item";
    // list of returned objects
    public static final String LIST = "list";
    // status code
    public static final String ERROR = "error";
    // indicates success
    public static final int OK = 0;
    // indicates failure
    public static final int FAIL = 1;
}
package com.chen.utils;

import com.chen.model.AppConstant;

import java.util.HashMap;
import java.util.List;

public class RestResponse extends HashMap<String, Object> {
    /**
     * Instances cannot be created through the constructor; they are obtained only through the static methods.
     *
     * @see #ok()
     * @see #ok(String)
     * @see #fail()
     * @see #fail(String)
     */
    private RestResponse() {
    }

    /**
     * Set the text message returned by the API, property key: message
     *
     * @param msg
     * @return
     */
    public RestResponse msg(String msg) {
        this.put(AppConstant.MESSAGE, msg);
        return this;
    }

    /**
     * Set the data object returned by the API, property key: item
     *
     * @param item
     * @return
     */
    public RestResponse item(Object item) {
        this.put(AppConstant.ITEM, item);
        return this;
    }

    /**
     * Set the list of data objects returned by the API, property key: list
     *
     * @param list
     * @return
     */
    public RestResponse list(List<?> list) {
        this.put(AppConstant.LIST, list);
        return this;
    }

    /**
     * Set a data item returned by the API under the given property key
     *
     * @param key
     * @param value
     * @return
     */
    public RestResponse put(String key, Object value) {
        super.put(key, value);
        return this;
    }

    /**
     * Response for a successful call, with property error = 0
     *
     * @return
     */
    public static RestResponse ok() {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.OK);
        return result;
    }

    /**
     * Response for a successful call, with a text message
     *
     * @param msg
     * @return
     */
    public static RestResponse ok(String msg) {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.OK).msg(msg);
        return result;
    }

    /**
     * Response for a successful call, with an object payload
     *
     * @param item
     * @return
     */
    public static RestResponse ok(Object item) {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.OK).item(item);
        return result;
    }

    /**
     * Response for a successful call, with a list payload
     *
     * @param list
     * @return
     */
    public static RestResponse ok(List<?> list) {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.OK).list(list);
        return result;
    }

    /**
     * Response for a failed call, with property error = 1
     *
     * @return
     */
    public static RestResponse fail() {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.FAIL);
        return result;
    }

    /**
     * Response for a failed call, with a text message; properties error = 1, message = {msg}
     *
     * @param msg
     * @return
     */
    public static RestResponse fail(String msg) {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, AppConstant.FAIL).msg(msg);
        return result;
    }

    /**
     * Response for a failed call with a custom status code; property error = {errcode}
     *
     * @param errcode
     * @return
     */
    public static RestResponse fail(int errcode) {
        RestResponse result = new RestResponse();
        result.put(AppConstant.ERROR, errcode);
        return result;
    }
}
That completes the integration; next, create an endpoint for user registration.
Controller layer
package com.chen.controller;

import com.chen.entity.User;
import com.chen.repository.UserRepository;
import com.chen.utils.RestResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * author:chen
 */
@RestController
public class AuthController {
    @Autowired
    private UserRepository userRepository;
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    // /register is permitAll in SecurityConfig; every self-registered account gets ROLE_USER only
    @PostMapping("/register")
    public RestResponse registerUser(String username, String password) {
        // findByUsername returns a single User, so a second row with the same name would
        // break every later login for that name
        if (userRepository.findByUsername(username) != null) {
            return RestResponse.fail("username already taken");
        }
        User user = new User();
        user.setUsername(username);
        // hash the password
        user.setPassword(bCryptPasswordEncoder.encode(password));
        // no hashing, store plaintext
        //user.setPassword(password);
        user.setRole("ROLE_USER");
        User save = userRepository.save(user);
        return RestResponse.ok().item(save);
    }
}
Registration succeeds and the user's role is set to ROLE_USER. Next, log in as this user; after a successful login the token we want is returned in the response header.
The login endpoint was already set up in the JWTAuthenticationFilter.
With the token returned in the response header, authorization can now take place.
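To see the login filter, the authorization filter and the rules in SecurityConfig cooperate end to end, here is an added MockMvc test (my code, not part of the original post or its repository). It assumes spring-boot-starter-test on the test classpath (not declared in the pom above), a @SpringBootApplication class in package com.chen as any Spring Boot project has, and a reachable MySQL as configured in application.properties, since the JPA setup still starts; UserRepository is mocked so no rows are needed, and /tasks/ping is a hypothetical endpoint registered by the test because the post defines no controller under /tasks. The expected status codes follow the handlers shown on this page: 403 from JWTAuthenticationEntryPoint for an anonymous request and from JWTAccessDeniedHandler for a missing role.

```java
package com.chen;

import com.chen.entity.User;
import com.chen.repository.UserRepository;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

/**
 * Added example: drives JWTAuthenticationFilter, JWTAuthorizationFilter and the
 * SecurityConfig rules through MockMvc. Assumes spring-boot-starter-test on the
 * classpath; UserRepository is mocked, and /tasks/ping is a hypothetical endpoint
 * added here only so that an authenticated route exists under /tasks/**.
 */
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class JwtFlowTest {

    @Autowired
    private MockMvc mvc;

    @MockBean
    private UserRepository userRepository;

    @TestConfiguration
    static class TaskStub {
        @RestController
        static class TaskController {
            @GetMapping("/tasks/ping")
            public String ping() {
                return "pong";
            }
        }

        @Bean
        TaskController taskController() {
            return new TaskController();
        }
    }

    @Before
    public void stubUser() {
        // constructed user; the stored password is the bcrypt hash, exactly as /register writes it
        User alice = new User();
        alice.setId(1);
        alice.setUsername("alice");
        alice.setPassword(new BCryptPasswordEncoder().encode("s3cret"));
        alice.setRole("ROLE_USER");
        when(userRepository.findByUsername("alice")).thenReturn(alice);
    }

    @Test
    public void tokenFromLoginUnlocksAuthenticatedRoutesOnly() throws Exception {
        // no token: JWTAuthorizationFilter passes the request on, .authenticated() fails,
        // and JWTAuthenticationEntryPoint answers 403
        mvc.perform(get("/tasks/ping")).andExpect(status().isForbidden());

        // form login through JWTAuthenticationFilter; the token comes back in the Authorization header
        String bearer = mvc.perform(post("/login").param("username", "alice").param("password", "s3cret"))
                .andExpect(status().isOk())
                .andReturn().getResponse().getHeader("Authorization");
        assertTrue(bearer != null && bearer.startsWith("Bearer "));

        // the same header on the next request is turned into an Authentication carrying ROLE_USER
        mvc.perform(get("/tasks/ping").header("Authorization", bearer)).andExpect(status().isOk());

        // DELETE /tasks/** demands ROLE_ADMIN, so JWTAccessDeniedHandler answers 403
        mvc.perform(delete("/tasks/1").header("Authorization", bearer)).andExpect(status().isForbidden());

        // a wrong password never yields a token, whatever status the failure branch writes
        String none = mvc.perform(post("/login").param("username", "alice").param("password", "wrong"))
                .andReturn().getResponse().getHeader("Authorization");
        assertNull(none);
    }
}
```

The test deliberately checks the negative paths (anonymous request, wrong role, wrong password) as well as the happy path; those are the cases a misconfigured matcher order or a filter that swallows exceptions would silently get wrong.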
My code repository: https://github.com/ws980728/SpringSecurity_jwt_test/tree/master