Spring Security框架下Restful Token的驗證方案

項目使用Restful的規範，權限內容的訪問，考慮使用Token驗證的權限解決方案。

驗證方案（簡要歸納）：

首先，用戶須要登錄，成功登錄後返回一個Token串；

而後用戶訪問有權限的內容時須要上傳Token串進行權限驗證

代碼方案：

Spring MVC + Spring Security + Redis的框架下實現權限驗證，此文重點談談Spring Security下的Token驗證明現。

首先，看看spring security的配置：

<http pattern="/service/secure/**"
          entry-point-ref="serviceUnauthorizedEntryPoint"
          create-session="stateless">
          <!-- Added after moving to Spring Boot 1.3 + Spring Security 4.x, otherwise we could not login with basic auth because of: Expected CSRF token not found TODO: Please, mind, that I did not migrate this XML to Spring Security 4.x except for this element -->
          <csrf disabled="true"/>
          
          <intercept-url pattern="/service/secure/admin/login*" access="permitAll"/>
          
          <custom-filter ref="preTokenAuthenticationFilter" before="PRE_AUTH_FILTER" />
    </http>

接下來詳細說明配置以及訪問流程：

1. 考慮到支持Restful規範，因此spring security須要設置create-session爲stateless狀態

2. 當訪問權限驗證失敗是，根據Restful規範返回401 Unauthorized，所以須要設定entry-point-ref，從新指向一個自定義的entrypoint以下：

public class ServiceUnauthorizedEntryPoint implements AuthenticationEntryPoint {

    private static final Logger logger = LoggerFactory.getLogger(ServiceTokenAuthenticationFilter.class);
    
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException arg2) throws IOException, ServletException {
        // return 401 UNAUTHORIZED status code if the user is not authenticated
        logger.debug(" *** UnauthorizedEntryPoint.commence: " + request.getRequestURI());
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

}

3. Token的驗證重點在於PRE_AUTH_FILTER的攔截器

關於FllterChain請看官方解釋security-filter-chain

另外關於PRE_AUTH_FILTER攔截器的官方解釋preauth，咱們在此就採起已經被可靠的驗證系統驗證過的流程即驗證Token的合法性，咱們看一下這個攔截器的bean設置

<b:bean id="preTokenAuthenticationFilter"
            class="com.will.security.token.PreRequestHeaderAuthenticationFilter">
            <b:property name="authenticationManager" ref="preAuthenticationManager" />
            <b:property name="authenticationFailureHandler" ref="authFailureHandler"/>
            <b:property name="principalRequestHeader" value="X-Auth-Token"/>
            <b:property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
    </b:bean>
    
     <!-- PreAuthentication manager. -->
    <b:bean id="authFailureHandler" class="org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler" >
         <b:constructor-arg value="/service/secure/admin/login/failed" />
    </b:bean>
    
    <b:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <b:property name="preAuthenticatedUserDetailsService">
            <b:bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <b:property name="userDetailsService" ref="tokenUserDetailsService"/>
            </b:bean>
        </b:property>
        <b:property name="userDetailsChecker">
            <b:bean id="tokenUserDetailsChecker" class="com.will.security.token.TokenUserDetailsChecker" />
        </b:property>
    </b:bean>
    <authentication-manager id="preAuthenticationManager">
         <authentication-provider ref="preauthAuthProvider" />
    </authentication-manager>

 

PreRequestHeaderAuthenticationFilter裏，截取訪問的request，而後獲取上傳的Token串，這裏的Token串儲存在「SM_UER」的header裏，
代碼以下：

public class PreRequestHeaderAuthenticationFilter extends
        AbstractCustomPreAuthenticatedProcessingFilter {

    private String principalRequestHeader = "SM_USER";
    private String credentialsRequestHeader;
    private boolean exceptionIfHeaderMissing = true;
    
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
　　　　 /*獲取principal信息*/
        String principal = request.getHeader(principalRequestHeader);

        if (principal == null && exceptionIfHeaderMissing) {
            // 對於request進行BadException處理
            request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException("No pre-authenticated credentials found in request."));
           
            return "N/A";
        }

        return principal;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        if (credentialsRequestHeader != null) {
            return request.getHeader(credentialsRequestHeader);
        }

        return "N/A";
    }

    public void setPrincipalRequestHeader(String principalRequestHeader) {
        Assert.hasText(principalRequestHeader,
                "principalRequestHeader must not be empty or null");
        this.principalRequestHeader = principalRequestHeader;
    }

    public void setCredentialsRequestHeader(String credentialsRequestHeader) {
        Assert.hasText(credentialsRequestHeader,
                "credentialsRequestHeader must not be empty or null");
        this.credentialsRequestHeader = credentialsRequestHeader;
    }

    /**
     * Defines whether an exception should be raised if the principal header is missing.
     * Defaults to {@code true}.
     *
     * @param exceptionIfHeaderMissing set to {@code false} to override the default
     * behaviour and allow the request to proceed if no header is found.
     */
    public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing) {
        this.exceptionIfHeaderMissing = exceptionIfHeaderMissing;
    }
}

若是須要詳細瞭解認證流程建議查看PreAuthenticatedAuthenticationProvider的源碼，對於provider的配置也就一目瞭然了

TokenUserDetailsService的代碼以下

public class TokenUserDetailsService implements UserDetailsService {

    private TokenManager tokenManager;
    
    @Override
    public UserDetails loadUserByUsername(String token)
            throws UsernameNotFoundException {
        if (token.equalsIgnoreCase("N/A")) {
            return null;
        }
        
        return tokenManager != null ? tokenManager.getUserDetails(token) : null;
    }
    
    public void setTokenManager(TokenManager tm) {
        this.tokenManager = tm;
    }

}

TokenManager負責Token的生成，驗證以及刪除等等操做

public interface TokenManager {

    /**
     * Creates a new token for the user and returns its {@link TokenInfo}.
     * It may add it to the token list or replace the previous one for the user. Never returns {@code null}.
     */
    TokenInfo createNewToken(UserDetails userDetails);

    /** Removes all tokens for user. */
    //void removeUserDetails(UserDetails userDetails);

    /** Removes a single token. */
    UserDetails removeToken(String token);

    /** Returns user details for a token. */
    UserDetails getUserDetails(String token);
    
    /** Returns user details for a username. */
    UserDetails getUserDetailsByUsername(String username);

    /** Returns a collection with token information for a particular user. */
    Collection<TokenInfo> getUserTokens(UserDetails userDetails);
    
    
    Boolean validateToken(String token);
    
}

咱們能夠根據本身的須要好比藉助Redis作緩存，或者使用JWT等等，具體可實現本身的TokenManager