在前端的文章中,我們實現了使用 SpringSecurity 實現登錄鑑權,並使用數據庫存儲用戶信息,實現登錄鑑權
登錄頁都是使用 SpringSecurity 提供的默認登錄,入參爲 username 及 password,前端通過 form 表單提交請求,後臺使用 request.getParameter() 獲取填寫數據。
目前,在實際項目中,更多的企業選擇使用前後端分離的項目架構,前後端數據交互選擇使用 application/json 方式進行傳遞,同時,在實際的項目中,擁有更多形式的登錄,比如手機號/短信驗證碼,不能使用單一的 usernamepassword 結構進行處理,需要自行定義入參結構。
目標
本章將整合 SpringSecurity 實現使用自定義格式進行登錄,並使用 json 方式進行前後端交互。
準備工作
創建用戶表 user、角色表 role、用戶角色關係表 user_role
CREATE TABLE `role` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`rolename` varchar(32) NOT NULL COMMENT '角色名',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=15 DEFAULT CHARSET=utf8mb4 COMMENT='角色';
CREATE TABLE `user` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`username` varchar(32) NOT NULL COMMENT '用戶名',
`password` varchar(128) NOT NULL COMMENT '密碼',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=15 DEFAULT CHARSET=utf8mb4 COMMENT='用戶';
CREATE TABLE `user_role` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`user_id` bigint(20) NOT NULL,
`role_id` bigint(20) NOT NULL,
PRIMARY KEY (`id`),
KEY `user_id` (`user_id`,`role_id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COMMENT='用戶角色關係表';
操作步驟
添加依賴
引入 Spring Boot Starter 父工程
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.5.RELEASE</version>
</parent>
添加 springSecurity 及 mybatisPlus 的依賴,添加後的整體依賴如下
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
</dependencies>
配置
配置一下數據源
spring:
datasource:
url: jdbc:mysql://127.0.0.1:3306/test?characterEncoding=utf8&useSSL=false
username: app
password: 123456
編碼
實體類
角色實體類 Role,實現權限接口 GrantedAuthority
@Data
@NoArgsConstructor
@AllArgsConstructor
@TableName("role")
public class Role implements GrantedAuthority {
@TableId(type = IdType.AUTO)
private Long id;
private String rolename;
@Override
public String getAuthority() {
return this.rolename;
}
}
用戶實體類 user,實現權限接口 UserDetails,主要方法是 getAuthorities,用於獲取用戶的角色列表
@Data
@NoArgsConstructor
@AllArgsConstructor
@TableName("user")
public class User implements UserDetails {
@TableId(type = IdType.AUTO)
private Long id;
private String username;
private String password;
@TableField(exist = false)
private List<Role> roleList;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return roleList;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
用戶角色關係實體
@Data
@NoArgsConstructor
@AllArgsConstructor
@TableName("user_role")
public class UserRole {
@TableId(type = IdType.AUTO)
private Long id;
private Long userId;
private Long roleId;
}
Repository 層
分別爲三個實體類添加 Mapper
@Mapper
public interface RoleRepository extends BaseMapper<Role> {
}
@Mapper
public interface UserRepository extends BaseMapper<User> {
}
@Mapper
public interface UserRoleRepository extends BaseMapper<UserRole> {
}
權限配置
實現 UserDetailsService 接口
UserDetailsService 是 SpringSecurity 提供的登陸時用於根據用戶名獲取用戶信息的接口
@AllArgsConstructor
@Service
public class UserService implements UserDetailsService {
private UserRepository userRepository;
private RoleRepository roleRepository;
private UserRoleRepository userRoleRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if (username == null || username.isEmpty()) {
throw new UsernameNotFoundException("用戶名不能爲空");
}
User user = userRepository.selectOne(new QueryWrapper<User>().lambda().eq(User::getUsername, username));
if (user == null) {
throw new UsernameNotFoundException("用戶不存在");
}
List<UserRole> userRoles = userRoleRepository.selectList(new QueryWrapper<UserRole>().lambda().eq(UserRole::getUserId, user.getId()));
if (userRoles != null && !userRoles.isEmpty()) {
List<Long> roleIds = userRoles.stream().map(UserRole::getRoleId).collect(Collectors.toList());
List<Role> roles = roleRepository.selectList(new QueryWrapper<Role>().lambda().in(Role::getId, roleIds));
user.setRoleList(roles);
}
return user;
}
}
自定義登錄參數格式
@Data
public class LoginDto {
private String mobile;
private String password;
private String dycode;
}
自定義登錄過濾器
繼承 SpringSecurity 提供的 AbstractAuthenticationProcessingFilter 類,實現 attemptAuthentication 方法,用於登錄校驗。
本例中,模擬前端使用 json 格式傳遞參數,所以通過 objectMapper.readValue 的方式從流中獲取入參,之後借用了用戶名密碼登錄的校驗,並返回權限對象
@Data
public class JsonAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private ObjectMapper objectMapper;
public JsonAuthenticationFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
// 從輸入流中獲取到登錄的信息
try {
LoginDto loginUser = objectMapper.readValue(request.getInputStream(), LoginDto.class);
return getAuthenticationManager().authenticate(
new UsernamePasswordAuthenticationToken(loginUser.getMobile(), loginUser.getPassword())
);
} catch (IOException e) {
e.printStackTrace();
return null;
}
}
}
自定義登陸成功後處理
實現 SpringSecurity 提供的 AuthenticationSuccessHandler 接口,使用 JSON 格式返回
@AllArgsConstructor
public class JsonLoginSuccessHandler implements AuthenticationSuccessHandler {
private ObjectMapper objectMapper;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_OK);
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(objectMapper.writeValueAsString(authentication));
}
}
自定義登陸失敗後處理
實現 SpringSecurity 提供的 AuthenticationFailureHandler 接口,使用 JSON 格式返回
public class JsonLoginFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write("{\"message\":\"" + exception.getMessage() + "\"}");
}
}
自定義權限校驗失敗後處理
登陸成功之後,訪問接口之前 SpringSecurity 會進行鑑權,如果沒有訪問權限,需要對返回進行處理。
實現 SpringSecurity 提供的 AccessDeniedHandler 接口,使用 JSON 格式返回
public class JsonAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException exception) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write("{\"message\":\"" + exception.getMessage() + "\"}");
}
}
自定義未登錄後處理
實現 SpringSecurity 提供的 AuthenticationEntryPoint 接口,使用 JSON 格式返回
public class JsonAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write("{\"message\":\"" + exception.getMessage() + "\"}");
}
}
註冊
在 configure 方法中調用 addFilterAfter 方法,將自定義的 jsonAuthenticationFilter 註冊進 SpringSecurity 的過濾器鏈中。
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Autowired
private ObjectMapper objectMapper;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and().csrf().disable()
.addFilterAfter(jsonAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.exceptionHandling()
.authenticationEntryPoint(new JsonAuthenticationEntryPoint())
.accessDeniedHandler(new JsonAccessDeniedHandler());
}
@Bean
public JsonAuthenticationFilter jsonAuthenticationFilter() throws Exception {
JsonAuthenticationFilter filter = new JsonAuthenticationFilter();
filter.setAuthenticationManager(authenticationManager());
filter.setObjectMapper(this.objectMapper);
filter.setAuthenticationSuccessHandler(jsonLoginSuccessHandler());
filter.setAuthenticationFailureHandler(new JsonLoginFailureHandler());
return filter;
}
@Bean
public JsonLoginSuccessHandler jsonLoginSuccessHandler() {
return new JsonLoginSuccessHandler(objectMapper);
}
}
啓動類
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
驗證結果
初始化數據
執行測試用例進行初始化數據
@Slf4j
@RunWith(SpringRunner.class)
@WebAppConfiguration
@SpringBootTest(classes = Application.class)
public class SecurityTest {
@Autowired
private UserRepository userRepository;
@Autowired
private UserRoleRepository userRoleRepository;
@Autowired
private RoleRepository roleRepository;
@Test
public void initData() {
List<User> userList = new ArrayList<>();
userList.add(new User(1L, "admin", new BCryptPasswordEncoder().encode("123456"), null));
userList.add(new User(2L, "user", new BCryptPasswordEncoder().encode("123456"), null));
List<Role> roleList = new ArrayList<>();
roleList.add(new Role(1L, "ROLE_ADMIN"));
roleList.add(new Role(2L, "ROLE_USER"));
List<UserRole> urList = new ArrayList<>();
urList.add(new UserRole(1L, 1L, 1L));
urList.add(new UserRole(2L, 1L, 2L));
urList.add(new UserRole(3L, 2L, 2L));
userList.forEach(userRepository::insert);
roleList.forEach(roleRepository::insert);
urList.forEach(userRoleRepository::insert);
}
}
源碼地址
本章源碼 : https://gitee.com/gongm_24/spring-boot-tutorial.git
擴展
前面的示例只是使用了一個自定義結構去接收前端表單數據,但是處理還是使用的 username/password 那一套,調用 getAuthenticationManager().authenticate() 去進行入參的校驗,AuthenticationManager 中維護一個 AuthenticationProvider 列表,每一個 AuthenticationProvider 會支持一個 Token 類型,username/password 則是使用的 UsernamePasswordAuthenticationToken,併爲之提供了 AbstractUserDetailsAuthenticationProvider 進行登錄校驗,AbstractUserDetailsAuthenticationProvider 的實現類就是 DaoAuthenticationProvider,註冊的時候通過 auth.userDetailsService(userService) 方法調用,會將 DaoAuthenticationProvider 加入至 AuthenticationManager 中維護的 AuthenticationProvider 列表中。
如果需要完全自定義入參結構,按如下操作即可
1、自定義 AbstractAuthenticationToken 實現類
2、自定義 AuthenticationProvider 實現類,並支持自定義的 AbstractAuthenticationToken 實現類,具體實現可以參考 AbstractUserDetailsAuthenticationProvider
3、自定義 AuthenticationProcessingFilter 實現類,需要定義請求地址,接收入參,組裝 Token,調用 getAuthenticationManager().authenticate()
4、將自定義 AuthenticationProvider實現類加入至 AuthenticationManager 中維護的 AuthenticationProvider 列表中。
5、將自定義 AuthenticationProcessingFilter 實現類加入至過濾器列表中,置於 UsernamePasswordAuthenticationFilter 之後。