【Spring Cloud】Implementing a sessionless (nosession) Spring Cloud with a custom JWT


The JWT handling is implemented in the gateway module; the gateway routes use the default configuration. JWT generation and validation depend on:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.7.0</version>
</dependency>

The core of the configuration is adding our token-validation filter, JwtAuthenticationTokenFilter, to Spring Security:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    @Autowired private UserDetailsService userDetailsService;
    @Autowired private JwtTokenUtil jwtTokenUtil;
    // Header name and prefix; the property keys are assumed (e.g. "Authorization" and "Bearer ")
    @Value("${jwt.header}") private String tokenHeader;
    @Value("${jwt.tokenHead}") private String tokenHead;

    @Override
    protected void doFilterInternal(
        HttpServletRequest request,
        HttpServletResponse response,
        FilterChain chain) throws ServletException, IOException {
        String authHeader = request.getHeader(this.tokenHeader);
        if (authHeader != null && authHeader.startsWith(tokenHead)) {
            String authToken = authHeader.substring(tokenHead.length()); // The part after "Bearer "
            String username = jwtTokenUtil.getUsernameFromToken(authToken);
            logger.info("checking authentication " + username);

            // Only authenticate if nothing earlier in the chain already did
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);

                // validateToken checks the signature, expiry and that the token belongs to this user
                if (jwtTokenUtil.validateToken(authToken, userDetails)) {
                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                            userDetails, null, userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(
                            request));
                    logger.info("authenticated user " + username + ", setting security context");
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                }
            }
        }

        // Always continue; an unauthenticated request is rejected later by the entry point
        chain.doFilter(request, response);
    }
}
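The filter above calls getUsernameFromToken and validateToken on a JwtTokenUtil that the post does not show. The following is an added example of such a class written against jjwt 0.7.0 (the dependency declared above); it is not the post's own code, and the constructor arguments (secret and lifetime, assumed to come from configuration) and the null-on-failure behaviour of getUsernameFromToken are assumptions.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;

public class JwtTokenUtil {
    // Claim names match the payload of the token shown on this page: "sub", "created", "exp"
    private static final String CLAIM_KEY_USERNAME = "sub";
    private static final String CLAIM_KEY_CREATED = "created";
    private final String secret;      // HMAC-SHA512 key, assumed to be injected from configuration
    private final long expirationSec; // token lifetime in seconds, also assumed from configuration

    public JwtTokenUtil(String secret, long expirationSec) {
        this.secret = secret;
        this.expirationSec = expirationSec;
    }

    /** Issue an HS512-signed token carrying the username as the "sub" claim. */
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(new Date(System.currentTimeMillis() + expirationSec * 1000))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    /** Parse and verify; jjwt throws on a bad signature, a tampered payload or an expired "exp". */
    private Claims getClaimsFromToken(String token) {
        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
    }

    /** Returns null instead of throwing, so the filter simply leaves an invalid request unauthenticated. */
    public String getUsernameFromToken(String token) {
        try { return getClaimsFromToken(token).getSubject(); }
        catch (JwtException | IllegalArgumentException e) { return null; }
    }

    /** Bind the token to the user the filter loaded and re-check expiry explicitly. */
    public boolean validateToken(String token, UserDetails userDetails) {
        try {
            Claims claims = getClaimsFromToken(token);
            return userDetails.getUsername().equals(claims.getSubject())
                    && claims.getExpiration().after(new Date());
        } catch (JwtException | IllegalArgumentException e) { return false; }
    }
}
```

Because parseClaimsJws verifies the HMAC before any claim is read, a token whose payload was edited, or one signed with a different key, never reaches the username comparison.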

Now look at our Spring Security configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { // class name not given in the post
    // Answers unauthenticated requests with the 401 JSON body shown at the end of this post
    @Autowired
    private AuthenticationEntryPoint unauthorizedHandler;

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        return new JwtAuthenticationTokenFilter();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Because we use JWT, CSRF protection is not needed here
            .csrf().disable()

            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()

            // Token based, so no session is needed
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

            .authorizeRequests()
            //.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()

            // Allow unauthenticated access to the site's static resources
            .antMatchers(
                    HttpMethod.GET,
                    "/",
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js"
            ).permitAll()
            .antMatchers("/auth/**").permitAll()
            .anyRequest().authenticated();
        // Add the JWT filter
        httpSecurity
                .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        // Disable caching
        httpSecurity.headers().cacheControl();
    }
}

Getting a token

POST http://localhost:8080/auth
Content-Type: application/json

{"username":"1234","password":"1234"}

---
Result:

{
  "token" : "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxMjM0IiwiY3JlYXRlZCI6MTUwMzQxMzMwODkxOCwiZXhwIjoxNTA0MDE4MTA4fQ.jQc5MRdgKfi5ds1N0ZSsxkunQQVkFuGJ7Giv1_JrjTiKsu3h7UwE8vjU5wVPaipM_zkbHaMpRqXvF__ci5p7aw"
}

Accessing a resource

GET http://localhost:8080/user-service/bizUser/getUserScore
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxMjM0IiwiY3JlYXRlZCI6MTUwMzQxMzMwODkxOCwiZXhwIjoxNTA0MDE4MTA4fQ.jQc5MRdgKfi5ds1N0ZSsxkunQQVkFuGJ7Giv1_JrjTiKsu3h7UwE8vjU5wVPaipM_zkbHaMpRqXvF__ci5p7aw

---
Result:
[
  {
    "id": 11,
    "username": "123",
    "password": "456",
    "scoreList": [
      {
        "id": 1,
        "score": 100
      }
    ]
  }
]

Without the authentication token:

{
  "timestamp": 1503413947608,
  "status": 401,
  "error": "Unauthorized",
  "message": "手動滑稽(  ´-ω ・)▄︻┻┳══━一",
  "path": "/user-service/bizUser/getUserScore"
}

Reference: https://github.com/wpcfan/spring-boot-tut

Full integration source: springcloud-zuul-jwt and springboot-mybatis-plus
