Spring Security + JWT实现权限校验

浏览次数:

一、说明

Spring Security是Spring进行用户权限认证与授权的安全框架,一般在使用中都会结合JWT(Java Web Token)来进行用户登陆的验证,看用户是否有权限登陆进行相关的操作。JWT实则就是一个过滤器,根据密钥和时间来验证当前用户的请求是否有效,具体的方法访问权限由Sping Security控制。

为什么使用Token而不使用Session?

这里要明确一点,Session是存放在服务器端的,大量Session会占用内存,同时,多服务器又会出现Session如何共享的问题,使用Token更加方便前后的分离的项目或者多系统间进行权限认证,也不会占用服务内存,更不用考虑Session共享问题,只需要在请求的时候带上这个Token就可以了。

二、代码实现

1.jwt工具类

完成Token的创建,刷新,验证等功能

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
@Slf4j
@Component
public class JwtTokenUtil {
    private static final String CLAIM_KEY_USERNAME = "sub";
    private static final String CLAIM_KEY_CREATED = "created";

    @Value("${jwt.secret}")
    private String secret;
    @Value("${jwt.expiration}")
    private Long expiration;

    /*
     * 根据负载生成token
     * */
    private String generateToken(Map<String, Object> claims) {
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    /*
     * 根据Token获取负载
     * */
    private Claims getClaimsFromToken(String token) {
        Claims claims = null;
        try {
            claims = Jwts.parser()
                    .setSigningKey(secret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (Exception e) {
            log.error("JWT格式验证失败:{}", token);
        }
        return claims;
    }

    /*
     * 生成token的过期时间
     * */
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + expiration * 1000);
    }

    /*
     * 从token中获取登陆用户名
     * */
    public String getUserNameFromToken(String token) {
        String username = null;
        try {
            Claims claims = getClaimsFromToken(token);
            username = claims.getSubject();
        } catch (Exception e) {
            log.error("get user name by token error");
        }
        return username;
    }

    /*
    * 验证token是否还有效
    * */
    public boolean validateToken(String token, UserDetails userDetails) {
        String username = getUserNameFromToken(token);
        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
    }

    /*
    * 判段token是否过期
    * */
    private boolean isTokenExpired(String token) {
        Date expiredDate = getExpiredDateFromToken(token);
        return expiredDate.before(new Date());
    }

    /*
    * 从token中,获取token过期时间
    * */
    private Date getExpiredDateFromToken(String token) {
        Date expiredDate = null;
        try {
            Claims claims = getClaimsFromToken(token);
            expiredDate = claims.getExpiration();
        } catch (Exception e) {
            log.error("get token expire date error");
        }
        return expiredDate;
    }

    /*
    * 根据用户信息生成token
    * */
    public String generateTokenByUserDetails(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }

    /*
    * 判断token是否可以被刷新
    * */
    public boolean canRefresh(String token) {
        return !isTokenExpired(token);
    }

    /*
    * 刷新token
    * */
    public String refreshToken(String token) {
        Claims claims = getClaimsFromToken(token);
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }


}

2.jwt登陆过滤器

配合Spring Security完成Token的校验

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
@Slf4j
@Component
public class JwtLoginFilter extends OncePerRequestFilter {

    @Autowired
    private MyUserDetailsService userDetailsService;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    // 前端请求来的token的标识
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;
    // jwt的token都是以Bearer开头
    @Value("${jwt.tokenHead}")
    private String tokenHead;

    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest,
                                    HttpServletResponse httpServletResponse,
                                    FilterChain filterChain) throws ServletException, IOException {
        String authHeader = httpServletRequest.getHeader(this.tokenHeader);
        if(authHeader != null && authHeader.startsWith(this.tokenHead)) {
            String authToken = authHeader.substring(this.tokenHead.length());
            String username = jwtTokenUtil.getUserNameFromToken(authToken);
            log.info("get username:{}", username);
            if(username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails =this.userDetailsService.loadUserByUsername(username);
                if(jwtTokenUtil.validateToken(authToken, userDetails)) {
                    UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null,userDetails.getAuthorities());
                    authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
                    log.info("authenticated user:{}", username);
                    SecurityContextHolder.getContext().setAuthentication(authenticationToken);
                }
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
}

3.Spring Security配置类

完成Spring Security的配置,包含认证与授权,同时包含Jwt验证和登陆失败和方法权限认证失败的拦截器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private MyUserDetailsService myUserDetailsService;
    @Autowired
    private AccessDeniedHandler accessDeniedHandler;
    @Autowired
    private LoginFailOrTokenFailAuthenticationEntryPoint loginFailOrTokenFailAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET,
                        "/",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js")
                .permitAll()
                .antMatchers("/login")
                .permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers(HttpMethod.OPTIONS)
                .permitAll()
                .anyRequest()
                .authenticated();
        http.headers().cacheControl();
        http.addFilterBefore(getJwtLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        http.exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler)
            .authenticationEntryPoint(loginFailOrTokenFailAuthenticationEntryPoint);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public JwtLoginFilter getJwtLoginFilter() {
        return new JwtLoginFilter();
    }
}

4.自定义Spring Security UserDetails实现

重要是为了获取前端登陆是的用户信息,根据用户的登陆信息去数据库获取用户的权限,封装成一个UserDetails进行返回,Spring Security根据这个UserDetails进行具体的授权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
@Service
public class MyUserDetailsService implements UserDetailsService {
    @Autowired
    private UserServiceImpl userService;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // 根据用户名查找用户信息
        User user = userService.findUserByUserName(username);
        if(user == null) {
            throw new UsernameNotFoundException(username + "Not found");
        }
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        String role = user.getRole();
        String[] roles = role.split(",");
        for (String s : roles) {
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(s);
            grantedAuthorities.add(grantedAuthority);
        }
        return new org.springframework.security.core.userdetails.User(username, user.getPassword(),grantedAuthorities);
    }
}

5.方法拒绝拦截器

1
2
3
4
5
6
7
8
9
10
@Component
public class AccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().println("access fail");
        httpServletResponse.getWriter().flush();
    }
}

6.登陆校验失败拦截器

1
2
3
4
5
6
7
8
9
10
@Component
public class LoginFailOrTokenFailAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().println("token fail");
        httpServletResponse.getWriter().flush();
    }
}

参考:

https://www.cnblogs.com/harrychinese/p/SpringBoot_security_basics.html

https://blog.csdn.net/itguangit/article/details/78960127

https://www.jianshu.com/p/6307c89fe3fa

https://www.cnblogs.com/demingblog/p/10874753.html#%E8%A7%92%E8%89%B2-%E8%B5%84%E6%BA%90-%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6

https://blog.csdn.net/moshowgame/article/details/96476554

https://blog.csdn.net/w605283073/article/details/51327182

https://cloud.tencent.com/developer/article/1046663

https://github.com/macrozheng/mall-learning

为什么要用token?

Thank you,么么哒

支付宝
微信

扫一扫,分享到微信

微信分享二维码
TotalVisits: | Visitors:

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

欢迎来到Zcoder的博客!!!