Spring Security(三)

SpringSecurity整合SpringBoot集中式版本

技術選型

  • SpringBoot 2.1.3
  • SpringSecurity
  • MySQL 5.7
  • Mybatis
  • JSP

初步整合認證初版

建立工程並導入jar包

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.3.RELEASE</version>
    <relativePath/>
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>

編寫控制器

package com.weiwei.xu.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping(value = "/product")
public class ProductController {

    @RequestMapping(value = "/findAll")
    @ResponseBody
    public String findAll(){
        return "success";
    }

}

編寫啓動類

package com.weiwei.xu;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringBootSecurityApplication {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }
}

測試

集中版整合認證初版測試

加入SpringSecurity的jar包

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

重啓測試

  • SpringBoot已經爲SpringSecurity提供了默認配置,默認全部的資源都必須認證經過以後才能訪問。

默認的認證頁面

  • SpringBoot已經提供了默認的用戶名user,密碼在項目啓動的時候隨機生成,以下圖所示:

默認生成的密碼

  • 認證經過以後就能夠繼續訪問處理器資源:

認證經過以後

項目地址

初步整合認證第二版

說明

  • SpringBoot官方是不推薦在SpringBoot中使用JSP的,可是SpringBoot是可使用JSP做爲模板引擎的,本項目採用JSP做爲前端展現頁面。

導入SpringBoot的tomcat啓動插件jar包

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
</dependency>

加入JSP頁面等靜態資源

  • 若是在src/main目錄下沒有webapp目錄,那麼就建立webapp目錄,而且手動將Java工程改成web工程。

手動修改pom文件,將Java工程改成web工程

  • 若是webapp目錄,和下圖的相似,就能夠用了。

webapp目錄.png

  • 導入靜態資源,注意WEB-INF就不用了。

    導入靜態資源

提供SpringSecurity的配置類

package com.weiwei.xu.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * SpringSecurity的配置類
 *
 * @author weiwei.xu
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {


    /**
     * 認證用戶的來源[內存或數據庫]
     *
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}123456").roles("USER");
    }


    /**
     * SpringSecurity相關信息
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //釋放靜態資源,指定資源攔截規則,指定自定義認證頁面,指定退出認證配置,csrf配置
        http.authorizeRequests().antMatchers("/login.jsp","/failer.jsp","/css/**","/img/**","/pages/**").permitAll()
                .antMatchers("/**").access("hasAnyRole('USER','ADMIN')")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin().loginPage("/login.jsp").loginProcessingUrl("/login").successForwardUrl("/index.jsp").failureForwardUrl("/failer.jsp").permitAll()
                .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login.jsp")
                .invalidateHttpSession(true) //清空session
                .permitAll();
    }
}

修改啓動類

package com.weiwei.xu;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

/**
 * 啓動類
 *
 * @author weiwei.xu
 */
@SpringBootApplication(exclude={DataSourceAutoConfiguration.class})
public class SpringBootSecurityApplication extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringBootSecurityApplication.class);
    }


}

配置視圖解析器

  • application.yml
server:
  port: 8080

# 配置視圖解析器
spring:
  mvc:
    view:
      prefix: /pages/
      suffix: .jsp

測試

自定義認證頁面

自定義認證頁面

認證成功頁面

認證成功頁面

項目地址

初步整合認證第三版(數據庫認證)

準備工做

/*
 Navicat Premium Data Transfer

 Source Server         : 192.168.1.57
 Source Server Type    : MySQL
 Source Server Version : 50729
 Source Host           : 192.168.1.57:33060
 Source Schema         : security

 Target Server Type    : MySQL
 Target Server Version : 50729
 File Encoding         : 65001

 Date: 26/04/2020 11:18:36
*/

SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;

-- ----------------------------
-- Table structure for persistent_logins
-- ----------------------------
DROP TABLE IF EXISTS `persistent_logins`;
CREATE TABLE `persistent_logins`  (
  `username` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  `series` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  `token` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  `last_used` timestamp(0) NOT NULL DEFAULT CURRENT_TIMESTAMP(0) ON UPDATE CURRENT_TIMESTAMP(0),
  PRIMARY KEY (`series`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of persistent_logins
-- ----------------------------
INSERT INTO `persistent_logins` VALUES ('xiaoming', '93OEeplI7zAKwc0BqVnW+Q==', 'e4JvptA5h8fR+FFgmJSL9g==', '2020-04-24 10:23:57');
INSERT INTO `persistent_logins` VALUES ('xiaoming', 'CmWGQ/rmb7lXAx7dHiEVGw==', 'OvsaKtaC046whNL56Y4MqA==', '2020-04-24 10:30:29');
INSERT INTO `persistent_logins` VALUES ('xiaoming', 'JJqJ5vJ/7IqMLxj/JpLDRg==', 'vIfFHeD6fYSV8oCHMdty7g==', '2020-04-24 10:42:48');
INSERT INTO `persistent_logins` VALUES ('xiaoming', 'T9NMx6AiG5J3RNSM841juw==', 'v67JBqXg7AkhLtH++LISNw==', '2020-04-24 10:35:57');

-- ----------------------------
-- Table structure for sys_permission
-- ----------------------------
DROP TABLE IF EXISTS `sys_permission`;
CREATE TABLE `sys_permission`  (
  `id` int(11) NOT NULL AUTO_INCREMENT COMMENT '編號',
  `permission_name` varchar(30) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜單名稱',
  `permission_url` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '菜單地址',
  `parent_id` int(11) NOT NULL DEFAULT 0 COMMENT '父菜單id',
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 1 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Table structure for sys_role
-- ----------------------------
DROP TABLE IF EXISTS `sys_role`;
CREATE TABLE `sys_role`  (
  `id` int(11) NOT NULL AUTO_INCREMENT COMMENT '編號',
  `role_name` varchar(30) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '角色名稱',
  `role_desc` varchar(60) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '角色描述',
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 8 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of sys_role
-- ----------------------------
INSERT INTO `sys_role` VALUES (6, 'ROLE_USER', '普通用戶');
INSERT INTO `sys_role` VALUES (7, 'ROLE_ADMIN', '系統管理員');

-- ----------------------------
-- Table structure for sys_role_permission
-- ----------------------------
DROP TABLE IF EXISTS `sys_role_permission`;
CREATE TABLE `sys_role_permission`  (
  `rid` int(11) NOT NULL COMMENT '角色編號',
  `pid` int(11) NOT NULL COMMENT '權限編號',
  PRIMARY KEY (`rid`, `pid`) USING BTREE,
  INDEX `FK_Reference_12`(`pid`) USING BTREE,
  CONSTRAINT `FK_Reference_11` FOREIGN KEY (`rid`) REFERENCES `sys_role` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT,
  CONSTRAINT `FK_Reference_12` FOREIGN KEY (`pid`) REFERENCES `sys_permission` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Table structure for sys_user
-- ----------------------------
DROP TABLE IF EXISTS `sys_user`;
CREATE TABLE `sys_user`  (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(32) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '用戶名稱',
  `password` varchar(120) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '密碼',
  `status` int(1) NULL DEFAULT 1 COMMENT '1開啓0關閉',
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 6 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of sys_user
-- ----------------------------
INSERT INTO `sys_user` VALUES (4, 'admin', '$2a$10$ynlaufZM048G5jsp98seeuvkAXNCVD5RFEudlrW.xiNihU.2Tjm9W', 1);
INSERT INTO `sys_user` VALUES (5, 'xiaoming', '$2a$10$ynlaufZM048G5jsp98seeuvkAXNCVD5RFEudlrW.xiNihU.2Tjm9W', 1);

-- ----------------------------
-- Table structure for sys_user_role
-- ----------------------------
DROP TABLE IF EXISTS `sys_user_role`;
CREATE TABLE `sys_user_role`  (
  `uid` int(11) NOT NULL COMMENT '用戶編號',
  `rid` int(11) NOT NULL COMMENT '角色編號',
  PRIMARY KEY (`uid`, `rid`) USING BTREE,
  INDEX `FK_Reference_10`(`rid`) USING BTREE,
  CONSTRAINT `FK_Reference_10` FOREIGN KEY (`rid`) REFERENCES `sys_role` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT,
  CONSTRAINT `FK_Reference_9` FOREIGN KEY (`uid`) REFERENCES `sys_user` (`id`) ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of sys_user_role
-- ----------------------------
INSERT INTO `sys_user_role` VALUES (5, 6);
INSERT INTO `sys_user_role` VALUES (4, 7);

SET FOREIGN_KEY_CHECKS = 1;

導入數據庫操做相關的jar包

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.47</version>
</dependency>
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.1.2</version>
</dependency>

在配置文件中添加數據庫操做相關配置

  • application.yml
server:
  port: 8080

# 配置視圖解析器
spring:
  mvc:
    view:
      prefix: /pages/
      suffix: .jsp
  datasource:
    driver-class-name: com.mysql.jdbc.Driver
    url: jdbc:mysql://192.168.1.57:33060/security
    username: root
    password: 123456

mybatis:
  type-aliases-package: com.weiwei.xu.domain
  mapper-locations:  classpath:/com/weiwei/xu/mapper/*.mapper.xml

編寫實體類

  • SysUser.java
package com.weiwei.xu.domain;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

/**
 * 系統用戶
 *
 * @author weiwei.xu
 */
public class SysUser implements UserDetails {

    private Integer id;

    private String username;

    private String password;

    private Integer status;

    private Set<SysRole> roles = new HashSet<>();

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }


    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    @Override
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @Override
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public Integer getStatus() {
        return status;
    }

    public void setStatus(Integer status) {
        this.status = status;
    }

    public Set<SysRole> getRoles() {
        return roles;
    }

    public void setRoles(Set<SysRole> roles) {
        this.roles = roles;
    }

    @JsonIgnore
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return roles;
    }

}
  • SysRole.java
package com.weiwei.xu.domain;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.security.core.GrantedAuthority;

/**
 * 系統角色
 *
 * @author weiwei.xu
 */
public class SysRole implements GrantedAuthority {

    private Integer id;

    private String roleName;

    private String roleDesc;

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getRoleName() {
        return roleName;
    }

    public void setRoleName(String roleName) {
        this.roleName = roleName;
    }

    public String getRoleDesc() {
        return roleDesc;
    }

    public void setRoleDesc(String roleDesc) {
        this.roleDesc = roleDesc;
    }

    @JsonIgnore
    @Override
    public String getAuthority() {
        return roleName;
    }
}

編寫Mapper接口

  • SysUserMapper.java
package com.weiwei.xu.mapper;

import com.weiwei.xu.domain.SysUser;
import org.apache.ibatis.annotations.Many;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;

import java.util.Set;

public interface SysUserMapper {

    @Select("select * from sys_user where username = #{username} ")
    @Results({
            @Result(id = true, property = "id", column = "id"),
            @Result(property = "roles", column = "id", javaType = Set.class,
                    many = @Many(select = "com.weiwei.xu.mapper.SysRoleMapper.findByUid"))
    })
    SysUser findByUsername(String username);

}
  • SysRoleMapper.java
package com.weiwei.xu.mapper;

import com.weiwei.xu.domain.SysRole;
import org.apache.ibatis.annotations.Select;

import java.util.Set;

public interface SysRoleMapper {

    /**
     * 根據uid查詢用戶所對應的角色
     *
     * @param uid
     * @return
     */
    @Select("SELECT r.id, r.role_name roleName, r.role_desc roleDesc " +
            "FROM sys_role r, sys_user_role ur " +
            "WHERE r.id=ur.rid AND ur.uid=#{uid}")
    Set<SysRole> findByUid(Integer uid);

}

編寫業務層接口和實現類

  • SysUserService.java
package com.weiwei.xu.service;

import org.springframework.security.core.userdetails.UserDetailsService;

public interface SysUserService extends UserDetailsService {
}
  • SysUserServiceImpl.java
package com.weiwei.xu.service.impl;

import com.weiwei.xu.mapper.SysUserMapper;
import com.weiwei.xu.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional
public class SysUserServiceImpl implements SysUserService {

    @Autowired
    private SysUserMapper sysUserMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return sysUserMapper.findByUsername(username);
    }
}

修改SpringSecurity的配置類

package com.weiwei.xu.config;

import com.weiwei.xu.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * SpringSecurity的配置類
 *
 * @author weiwei.xu
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SysUserService sysUserService;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * 認證用戶的來源[內存或數據庫]
     *
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(sysUserService).passwordEncoder(passwordEncoder());
    }


    /**
     * SpringSecurity相關信息
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //釋放靜態資源,指定資源攔截規則,指定自定義認證頁面,指定退出認證配置,csrf配置
        http.authorizeRequests().antMatchers("/login.jsp", "/failer.jsp", "/css/**", "/img/**", "/pages/**").permitAll()
                .antMatchers("/**").access("hasAnyRole('USER','ADMIN')")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin().loginPage("/login.jsp").loginProcessingUrl("/login").successForwardUrl("/index.jsp").failureForwardUrl("/failer.jsp").permitAll()
                .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login.jsp")
                .invalidateHttpSession(true) //清空session
                .permitAll();
    }
}
  • 在啓動類上開啓方法級的受權註解:
package com.weiwei.xu;

import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

/**
 * 啓動類
 *
 * @author weiwei.xu
 */
@MapperScan("com.weiwei.xu.mapper")
@SpringBootApplication
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringBootSecurityApplication extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringBootSecurityApplication.class);
    }
}
  • 在產品處理器上添加註解:
package com.weiwei.xu.controller;

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping(value = "/product")
public class ProductController {

    @RequestMapping(value = "/findAll")
    @Secured({"ROLE_PRODUCT","ROLE_ADMIN"})
    public String findAll(){
        return "product-list";
    }

}

處理403異常和其它異常

package com.weiwei.xu.exception;

import org.springframework.security.acls.model.NotFoundException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

import java.nio.file.AccessDeniedException;

@ControllerAdvice
public class SecurityExceptionHandler {

    @ExceptionHandler(value = AccessDeniedException.class)
    public String handle403Exception(){
        return "redirect:403";
    }

    @ExceptionHandler(value = RuntimeException.class)
    public String handle500Exception(){
        return "redirect:500";
    }

    @ExceptionHandler(value = NotFoundException.class)
    public String handle404Exception(){
        return "redirect:404";
    }
}

項目地址

SpringSecurity整合SpringBoot分佈式版本

分佈式認證概念說明

  • 分佈式認證,即咱們常說的單點登陸,簡稱SSO,指的是在多應用系統的項目中,用戶只須要登陸一次,就能夠訪問全部互相信任的應用系統。

分佈式認證流程圖

  • 在分佈式項目中,每臺服務器都有各自獨立的session,而這些session之間是沒法直接共享資源的,因此,session一般不能做爲單點登陸的解決方案。
  • 最合理的單點登陸方案流程以下圖所示:

最合理的單點登陸方案流程

  • 總結,單點登陸要實現的兩大環節:css

    • ①用戶認證:用戶向認證服務器發起認證請求,認證服務器給用戶返回一個成功的令牌token,主要在認證服務器中完成,認證服務器只有一個。
    • ②身份校驗:用戶攜帶token去訪問其餘服務器時,在其餘服務器中藥對token的真僞進行校驗,主要在資源服務器中完成,資源服務器能夠有多個。

JWT介紹

概念說明

  • 從分佈式認證流程中,我不難發現,這中間起最關鍵做用的就是token,token的安全與否,直接關係到系統的健壯性,這裏咱們選擇使用jwt來實現token的生成和校驗。
  • jwt,全程JSON Web Token,官網地址,是一款出色的分佈式身份校驗方案。能夠生成token,也能夠解析校驗token。
  • JWT生成的token由如下三部分組成:html

    • 頭部:主要設置一些規範信息,簽名部分的編碼格式就在頭部中聲明。
    • 載荷:token中存放有效信息的部分,好比用戶名、用戶角色、過時時間等,可是不要放密碼,會泄露!
    • 簽名:將頭部和載荷分別採用base64編碼後,用「.」相連,再加入鹽,最後使用頭部聲明的編碼類型進行編碼,就獲得了簽名。

JWT生成的token的安全性分析

  • 從JWT生成的token組成上來看,要想避免token被僞造,主要就看簽名部分了,而簽名部分又有三部分組成,其中頭部和載荷的base編碼,幾乎是透明的,毫無安全性可言,那麼最終守護token安全的重擔就落在了加入鹽上面了。
  • 若是生成token所用的鹽和解析token所加入的鹽是同樣的,那後果將不堪設想,你們均可以使用這個鹽來解析token,用來僞造token。
  • 這時,就須要對鹽採用非對稱加密的方式進行加密,以達到生成token和校驗token時所用的鹽不一致的安全效果。

非對稱機密RSA介紹

  • 基本原理:同時生成兩把密鑰:私鑰和公鑰,私鑰隱藏保存,公鑰能夠發給信任客戶端。前端

    • 私鑰加密,持有私鑰或公鑰才能夠解密。
    • 公鑰加密,持有私鑰才能夠解密。
  • 優勢:安全,難以破解。
  • 缺點:算法比較耗時,爲了安全,能夠接受。
  • 歷史:三位數學家Rivest、Shamir和Adleman設計了一種算法,能夠實現非對稱加密。這種算法用他們三我的的名字縮寫:RSA。

SpringSecurity+JWT+RSA分佈式認證思路分析

SpringSecurity主要是經過過濾器來實現功能的,因此咱們須要找到SpringSecurity實現認證和校驗身份的過濾器。

回顧集中式認證流程

  • 用戶認證:java

    • 使用UsernamePasswordAuthenticationFilter過濾器中的attemptAuthentication方法實現認證功能,該過濾器父類中的successfulAuthentication方法實現認證成功後的操做。
  • 身份校驗:mysql

    • 使用BasicAuthenticationFilter過濾器中的doFilterInternal方法驗證是否登陸,以決定可否進入後續過濾器。

分佈式認證流程

  • 用戶認證:git

    • 因爲,分佈式項目,多數是先後端分離的架構設計,咱們要知足能夠接受異步POST的認證請求參數,須要修改UsernamePasswordAuthenticationFilter過濾器中的attemptAuthentication方法,讓其可以接受請求體。另外,默認的successfulAuthentication方法在認證經過後,是把用戶信息直接放入到session中就完事了,如今咱們須要修改這個方法,在認證經過後生成token並返回給用戶。
  • 身份認證:web

    • 原來BasicAuthenticationFilter過濾器中的doFilterInternal方法校驗用戶是否登陸,就是看session中是否有用戶信息,咱們須要修改成,驗證用戶攜帶的token是否合法,並解析出用戶信息,交給SpringSecurity,以便後續的受權功能能夠正常使用。

SpringSecurity+JWT+RSA分佈式實現

導入相應的jar包

<properties>
        <java.version>1.8</java.version>
        <!--   swagger   -->
        <io.springfox.version>2.9.2</io.springfox.version>
        <io.swagger.version>1.5.21</io.swagger.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-api</artifactId>
            <version>0.10.7</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-impl</artifactId>
            <version>0.10.7</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-jackson</artifactId>
            <version>0.10.7</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>4.6.4</version>
        </dependency>
        <!--   mysql     -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.2</version>
        </dependency>
        <!-- Swagger -->
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger2</artifactId>
            <version>${io.springfox.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>io.swagger</groupId>
                    <artifactId>swagger-annotations</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>io.swagger</groupId>
                    <artifactId>swagger-models</artifactId>
                </exclusion>
                <exclusion>
                    <artifactId>mapstruct</artifactId>
                    <groupId>org.mapstruct</groupId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>${io.springfox.version}</version>
        </dependency>
        <dependency>
            <groupId>io.swagger</groupId>
            <artifactId>swagger-annotations</artifactId>
            <version>${io.swagger.version}</version>
        </dependency>
        <dependency>
            <groupId>io.swagger</groupId>
            <artifactId>swagger-models</artifactId>
            <version>${io.swagger.version}</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

工具類

  • RsaUtils.java
package com.weiwei.xu.utils;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * RSA算法
 *
 * @author weiwei.xu
 */
public class RsaUtils {

    private static final int DEFAULT_KEY_SIZE = 2048;

    /**
     * 從文件中讀取公鑰
     *
     * @param filename 公鑰保存路徑,相對於classpath
     * @return 公鑰對象
     * @throws Exception
     */
    public static PublicKey getPublicKey(String filename) throws Exception {
        byte[] bytes = readFile(filename);
        return getPublicKey(bytes);
    }

    /**
     * 從文件中讀取密鑰
     *
     * @param filename 私鑰保存路徑,相對於classpath
     * @return 私鑰對象
     * @throws Exception
     */
    public static PrivateKey getPrivateKey(String filename) throws Exception {
        byte[] bytes = readFile(filename);
        return getPrivateKey(bytes);
    }

    /**
     * 獲取公鑰
     *
     * @param bytes 公鑰的字節形式
     * @return
     * @throws Exception
     */
    private static PublicKey getPublicKey(byte[] bytes) throws Exception {
        bytes = Base64.getDecoder().decode(bytes);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);
        KeyFactory factory = KeyFactory.getInstance("RSA");
        return factory.generatePublic(spec);
    }

    /**
     * 獲取密鑰
     *
     * @param bytes 私鑰的字節形式
     * @return
     * @throws Exception
     */
    private static PrivateKey getPrivateKey(byte[] bytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
        bytes = Base64.getDecoder().decode(bytes);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
        KeyFactory factory = KeyFactory.getInstance("RSA");
        return factory.generatePrivate(spec);
    }

    /**
     * 根據密文,生存rsa公鑰和私鑰,並寫入指定文件
     *
     * @param publicKeyFilename  公鑰文件路徑
     * @param privateKeyFilename 私鑰文件路徑
     * @param secret             生成密鑰的密文
     */
    public static void generateKey(String publicKeyFilename, String privateKeyFilename, String secret, int keySize) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        SecureRandom secureRandom = new SecureRandom(secret.getBytes());
        keyPairGenerator.initialize(Math.max(keySize, DEFAULT_KEY_SIZE), secureRandom);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        // 獲取公鑰並寫出
        byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
        publicKeyBytes = Base64.getEncoder().encode(publicKeyBytes);
        writeFile(publicKeyFilename, publicKeyBytes);
        // 獲取私鑰並寫出
        byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
        privateKeyBytes = Base64.getEncoder().encode(privateKeyBytes);
        writeFile(privateKeyFilename, privateKeyBytes);
    }

    private static byte[] readFile(String fileName) throws Exception {
        return Files.readAllBytes(new File(fileName).toPath());
    }

    private static void writeFile(String destPath, byte[] bytes) throws IOException {
        File dest = new File(destPath);
        if (!dest.getParentFile().exists()) {
            dest.getParentFile().mkdirs();
        }
        if (!dest.exists()) {
            dest.createNewFile();
        }
        Files.write(dest.toPath(), bytes);
    }
}
  • JwtUtils.java
package com.weiwei.xu.utils;


import cn.hutool.json.JSONUtil;
import com.weiwei.xu.common.Payload;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.sql.Date;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.Base64;
import java.util.UUID;

/**
 * 生成token以及校驗token相關方法
 *
 * @author: weiwei.xu
 */
public class JwtUtils {

    private static final String JWT_PAYLOAD_USER_KEY = "user";

    /**
     * 私鑰加密token
     *
     * @param userInfo   載荷中的數據
     * @param privateKey 私鑰
     * @param expire     過時時間,單位分鐘
     * @return JWT
     */
    public static String generateTokenExpireInMinutes(Object userInfo, PrivateKey privateKey, int expire) {
        return Jwts.builder()
                .claim(JWT_PAYLOAD_USER_KEY, JSONUtil.parseObj(userInfo).toStringPretty())
                .setId(createJTI())
                .setExpiration(Date.from(LocalDateTime.now().plusMinutes(expire).atZone(ZoneId.systemDefault()).toInstant()))
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
    }

    /**
     * 私鑰加密token
     *
     * @param userInfo   載荷中的數據
     * @param privateKey 私鑰
     * @param expire     過時時間,單位秒
     * @return JWT
     */
    public static String generateTokenExpireInSeconds(Object userInfo, PrivateKey privateKey, int expire) {
        return Jwts.builder()
                .claim(JWT_PAYLOAD_USER_KEY, JSONUtil.parseObj(userInfo).toStringPretty())
                .setId(createJTI())
                .setExpiration(Date.from(LocalDateTime.now().plusSeconds(expire).atZone(ZoneId.systemDefault()).toInstant()))
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
    }

    /**
     * 公鑰解析token
     *
     * @param token     用戶請求中的token
     * @param publicKey 公鑰
     * @return Jws<Claims>
     */
    private static Jws<Claims> parserToken(String token, PublicKey publicKey) {
        return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
    }

    private static String createJTI() {
        return new String(Base64.getEncoder().encode(UUID.randomUUID().toString().getBytes()));
    }

    /**
     * 獲取token中的用戶信息
     *
     * @param token     用戶請求中的令牌
     * @param publicKey 公鑰
     * @return 用戶信息
     */
    public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey, Class<T> userType) {
        Jws<Claims> claimsJws = parserToken(token, publicKey);
        Claims body = claimsJws.getBody();
        Payload<T> claims = new Payload<>();
        claims.setId(body.getId());
        claims.setUserInfo(JSONUtil.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString(), userType));
        claims.setExpiration(body.getExpiration());
        return claims;
    }

    /**
     * 獲取token中的載荷信息
     *
     * @param token     用戶請求中的令牌
     * @param publicKey 公鑰
     * @return 用戶信息
     */
    public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey) {
        Jws<Claims> claimsJws = parserToken(token, publicKey);
        Claims body = claimsJws.getBody();
        Payload<T> claims = new Payload<>();
        claims.setId(body.getId());
        claims.setExpiration(body.getExpiration());
        return claims;
    }
}
  • Payload.java
package com.weiwei.xu.common;

import lombok.*;

import java.util.Date;

/**
 * @author weiwei.xu
 * 爲了方便後期獲取token中的用戶信息,將token中載荷部分單獨封裝成一個對象
 */
@Setter
@Getter
@NoArgsConstructor
@AllArgsConstructor
@EqualsAndHashCode
@ToString
public class Payload<T> {
    private String id;
    private T userInfo;
    private Date expiration;
}

SpringBoot的配置文件

  • application.yml
server:
  port: 8080
  servlet:
    context-path: /security

spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://192.168.1.57:33060/security?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true
    username: root
    password: 123456


mybatis:
  mapper-locations: classpath:com/weiwei/xu/mapper/*.mapper.xml
  type-aliases-package: com.weiwei.xu.domain
  configuration:
    map-underscore-to-camel-case: true

rsa:
  key:
    pubKeyFile: D:/auth_key/id_key_rsa.pub
    priKeyFile: D:/auth_key/id_key_rsa

配置類

  • RsaKeyProperties.java
package com.weiwei.xu.config;

import com.weiwei.xu.utils.RsaUtils;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;

import javax.annotation.PostConstruct;
import java.security.PrivateKey;
import java.security.PublicKey;

/**
 * @author weiwei.xu
 */
@Configuration
@ConfigurationProperties(value = "rsa.key")
public class RsaKeyProperties {

    private String pubKeyFile;

    private String priKeyFile;

    private PublicKey publicKey;

    private PrivateKey privateKey;

    public String getPubKeyFile() {
        return pubKeyFile;
    }

    public void setPubKeyFile(String pubKeyFile) {
        this.pubKeyFile = pubKeyFile;
    }

    public String getPriKeyFile() {
        return priKeyFile;
    }

    public void setPriKeyFile(String priKeyFile) {
        this.priKeyFile = priKeyFile;
    }

    public PublicKey getPublicKey() {
        return publicKey;
    }

    public void setPublicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
    }

    public PrivateKey getPrivateKey() {
        return privateKey;
    }

    public void setPrivateKey(PrivateKey privateKey) {
        this.privateKey = privateKey;
    }

    @PostConstruct
    public void createResKey() throws Exception {
        publicKey = RsaUtils.getPublicKey(pubKeyFile);
        privateKey = RsaUtils.getPrivateKey(priKeyFile);
    }
}
  • SpringSecurityConfig.java
package com.weiwei.xu.config;

import com.weiwei.xu.filter.JwtTokenFilter;
import com.weiwei.xu.filter.JwtVerifyFilter;
import com.weiwei.xu.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * SpringSecurity的配置類
 *
 * @author weiwei.xu
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private SysUserService sysUserService;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    private RsaKeyProperties rsaKeyProperties;


    /**
     * 配置認證來源
     *
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(sysUserService).passwordEncoder(passwordEncoder());
    }

    /**
     * 配置過濾請求
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {


        http.   //關閉跨域站點請求
                cors().and().csrf().disable().authorizeRequests()
                // swagger 文檔
                .antMatchers("/swagger-ui.html/**").permitAll()
                .antMatchers("/swagger-resources/**").permitAll()
                .antMatchers("/webjars/**").permitAll()
                .antMatchers("/*/api-docs").permitAll()
                // 文件
                .antMatchers("/avatar/**").permitAll()
                .antMatchers("/file/**").permitAll()
                // 阿里巴巴 druid
                .antMatchers("/druid/**").permitAll()
                .anyRequest().authenticated()
                .and()
                //自定義認證過濾器
                .addFilter(new JwtTokenFilter(authenticationManager(), rsaKeyProperties))
                //自定義URL過濾器
                .addFilter(new JwtVerifyFilter(authenticationManager(), rsaKeyProperties))
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        ;
    }
}
  • SwaggerConfig.java
package com.weiwei.xu.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.RestController;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.ParameterBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.schema.ModelRef;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.Parameter;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

import java.util.ArrayList;
import java.util.List;

/**
 * SwaggerConfig
 *
 * @author weiwei.xu
 */
@Configuration
@EnableSwagger2
public class SwaggerConfig {
    static List<Parameter> parameters;

    static {
        /**
         * 這是爲了咱們在用 swagger 測試接口的時候添加頭部信息
         */
        parameters = new ArrayList<>();
        ParameterBuilder tokenPar = new ParameterBuilder();
        tokenPar.name("Authorization").description("swagger測試用(模擬token傳入)非必填 header").modelRef(new ModelRef("string")).parameterType("header").required(false);
        parameters.add(tokenPar.build());
    }

    @Bean
    public Docket docket() {
        return new Docket(DocumentationType.SWAGGER_2)
                .apiInfo(apiInfo())
                .select()
//                .apis(RequestHandlerSelectors.basePackage("com.weiwei.xu.controller.ProductController"))
                .apis(RequestHandlerSelectors.withClassAnnotation(RestController.class))
                .paths(PathSelectors.ant("/**"))
                .build()
                .globalOperationParameters(parameters)
                .enable(true);
    }


    private ApiInfo apiInfo() {
        return new ApiInfoBuilder()
                .title("SpringBoot整合SpringSecurity分佈式版本")
                .termsOfServiceUrl("")
                .version("1.0")
                .build();
    }
}

實體類

  • SysUser.java
package com.weiwei.xu.domain;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.*;

/**
 * 系統用戶
 *
 * @author weiwei.xu
 */
public class SysUser implements UserDetails {

    private Integer id;

    private String username;

    private String password;

    private Integer status;

    private List<SysRole> roles = new ArrayList<>();

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }


    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    @Override
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @Override
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public Integer getStatus() {
        return status;
    }

    public void setStatus(Integer status) {
        this.status = status;
    }

    public List<SysRole> getRoles() {
        return roles;
    }

    public void setRoles(List<SysRole> roles) {
        this.roles = roles;
    }

    @JsonIgnore
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return roles;
    }

}
  • SysRole.java
package com.weiwei.xu.domain;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.security.core.GrantedAuthority;

/**
 * 系統角色
 *
 * @author weiwei.xu
 */
public class SysRole implements GrantedAuthority {

    private Integer id;

    private String roleName;

    private String roleDesc;

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getRoleName() {
        return roleName;
    }

    public void setRoleName(String roleName) {
        this.roleName = roleName;
    }

    public String getRoleDesc() {
        return roleDesc;
    }

    public void setRoleDesc(String roleDesc) {
        this.roleDesc = roleDesc;
    }

    @JsonIgnore
    @Override
    public String getAuthority() {
        return roleName;
    }
}

Mapper接口

  • SysUserMapper.java
package com.weiwei.xu.mapper;

import com.weiwei.xu.domain.SysUser;
import org.apache.ibatis.annotations.*;

import java.util.List;
@Mapper
public interface SysUserMapper {

    @Select("select * from sys_user where username = #{username} ")
    @Results({
            @Result(id = true, property = "id", column = "id"),
            @Result(property = "roles", column = "id", javaType = List.class,
                    many = @Many(select = "com.weiwei.xu.mapper.SysRoleMapper.findByUid"))
    })
    SysUser findByUsername(String username);

}
  • SysRoleMapper.java
package com.weiwei.xu.mapper;

import com.weiwei.xu.domain.SysRole;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Select;

import java.util.Set;
@Mapper
public interface SysRoleMapper {

    /**
     * 根據uid查詢用戶所對應的角色
     *
     * @param uid
     * @return
     */
    @Select("SELECT r.id, r.role_name roleName, r.role_desc roleDesc " +
            "FROM sys_role r, sys_user_role ur " +
            "WHERE r.id=ur.rid AND ur.uid=#{uid}")
    Set<SysRole> findByUid(Integer uid);

}

Service層接口及實現類

  • SysUserService.java
package com.weiwei.xu.service;

import org.springframework.security.core.userdetails.UserDetailsService;

public interface SysUserService extends UserDetailsService {
}
  • SysUserServiceImpl.java
package com.weiwei.xu.service.impl;

import com.weiwei.xu.mapper.SysUserMapper;
import com.weiwei.xu.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional
public class SysUserServiceImpl implements SysUserService {

    @Autowired
    private SysUserMapper sysUserMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return sysUserMapper.findByUsername(username);
    }
}

控制器

  • ProductController.java
package com.weiwei.xu.controller;

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@RestController
@RequestMapping(value = "/product")
public class ProductController {

    @GetMapping(value = "/findAll")
    @Secured({"ROLE_PRODUCT"})
    public Map<String, Object> findAll() {
        Map<String, Object> map = new ConcurrentHashMap<>();
        map.put("aa", "bb");
        return map;
    }

}

JWT相關的過濾器

  • JwtTokenFilter.java
package com.weiwei.xu.filter;


import com.fasterxml.jackson.databind.ObjectMapper;
import com.weiwei.xu.config.RsaKeyProperties;
import com.weiwei.xu.domain.SysRole;
import com.weiwei.xu.domain.SysUser;
import com.weiwei.xu.utils.JwtUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * JWT的token Filter
 *
 * @author weiwei.xu
 */
public class JwtTokenFilter extends UsernamePasswordAuthenticationFilter {

    private RsaKeyProperties rsaKeyProperties;

    private AuthenticationManager authenticationManager;

    public JwtTokenFilter(AuthenticationManager authenticationManager, RsaKeyProperties rsaKeyProperties) {
        this.rsaKeyProperties = rsaKeyProperties;
        this.authenticationManager = authenticationManager;
    }

    /**
     * 試圖認證的方法
     *
     * @param request
     * @param response
     * @return
     * @throws AuthenticationException
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        try {
            SysUser sysUser = new ObjectMapper().readValue(request.getInputStream(), SysUser.class);

            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword());

            return authenticationManager.authenticate(usernamePasswordAuthenticationToken);
        } catch (Exception e) {
            try {
                //若是認證失敗,提供自定義的json異常信息
                response.setContentType("application/json;charset=utf-8");
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                PrintWriter writer = response.getWriter();
                Map<String, Object> resultMap = new ConcurrentHashMap<>();
                resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
                resultMap.put("msg", "用戶名或密碼錯誤");
                writer.write(new ObjectMapper().writeValueAsString(resultMap));
                writer.flush();
                writer.close();
            } catch (Exception exception) {
                exception.printStackTrace();
            }
            return null;
        }


    }


    /**
     * 認證成功以後,生成token,返回給前端
     *
     * @param request
     * @param response
     * @param chain
     * @param authResult
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
        String name = authResult.getName();
        SysUser sysUser = new SysUser();
        sysUser.setUsername(name);

        sysUser.setRoles((List<SysRole>) authResult.getAuthorities());

        String token = JwtUtils.generateTokenExpireInMinutes(sysUser, rsaKeyProperties.getPrivateKey(), 24 * 60);

        //向客戶端響應token
        response.addHeader("Authorization", "Bearer " + token);

        response.setContentType("application/json;charset=utf-8");
        response.setStatus(HttpServletResponse.SC_OK);
        PrintWriter writer = response.getWriter();
        Map<String, Object> resultMap = new ConcurrentHashMap<>();
        resultMap.put("code", HttpServletResponse.SC_OK);
        resultMap.put("msg", "登陸成功");
        writer.write(new ObjectMapper().writeValueAsString(resultMap));
        writer.flush();
        writer.close();
    }
}
  • JwtVerifyFilter.java
package com.weiwei.xu.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.weiwei.xu.common.Payload;
import com.weiwei.xu.config.RsaKeyProperties;
import com.weiwei.xu.domain.SysUser;
import com.weiwei.xu.utils.JwtUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * @author weiwei.xu
 */
public class JwtVerifyFilter extends BasicAuthenticationFilter {

    private RsaKeyProperties rsaKeyProperties;

    public JwtVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties rsaKeyProperties) {
        super(authenticationManager);
        this.rsaKeyProperties = rsaKeyProperties;
    }


    /**
     * 過濾請求
     *
     * @param request
     * @param response
     * @param chain
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String header = request.getHeader("Authorization");

        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);
//            try {
//                response.setContentType("application/json;charset=utf-8");
//                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
//                PrintWriter writer = response.getWriter();
//                Map<String, Object> resultMap = new ConcurrentHashMap<>();
//                resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
//                resultMap.put("msg", "請登陸");
//                writer.write(new ObjectMapper().writeValueAsString(resultMap));
//                writer.flush();
//                writer.close();
//            } catch (IOException e) {
//                e.printStackTrace();
//            }

            return;
        } else {
            String token = header.replace("Bearer ", "");
            Payload<SysUser> sysUserPayload = null;
            try {
                sysUserPayload = JwtUtils.getInfoFromToken(token, rsaKeyProperties.getPublicKey(), SysUser.class);
            } catch (Exception e) {

                try {
                    //若是認證失敗,提供自定義的json異常信息
                    response.setContentType("application/json;charset=utf-8");
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    PrintWriter writer = response.getWriter();
                    Map<String, Object> resultMap = new ConcurrentHashMap<>();
                    resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
                    resultMap.put("msg", "token解析錯誤");
                    writer.write(new ObjectMapper().writeValueAsString(resultMap));
                    writer.flush();
                    writer.close();
                } catch (Exception exception) {
                    exception.printStackTrace();
                }
            }


            SysUser sysUser = sysUserPayload.getUserInfo();

            if (null != sysUser) {

                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword(), sysUser.getAuthorities());

                SecurityContextHolder.getContext().setAuthentication(authentication);
                chain.doFilter(request, response);
            }
        }

    }
}

項目地址

相關文章
相關標籤/搜索