Spring Security
Spring Security 是一个提供身份验证、授权和防御常见攻击的框架。它为保护命令式和响应式应用程序提供了一流的支持,是保护基于 Spring 的应用程序的事实标准。
这篇博客主要是记录自己第一次使用springSecurity实现登录逻辑的过程。
使用Spring Security+jwt+redis实现登录注册逻辑
1. 导入依赖
<!--jwt依赖-->
<dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId>
</dependency>
<dependency><groupId>com.auth0</groupId><artifactId>java-jwt</artifactId>
</dependency>
<dependency><groupId>javax.xml.bind</groupId><artifactId>jaxb-api</artifactId>
</dependency>
<!--SpringSecurity启动器-->
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- redis -->
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
package com.h3m.utils;import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;import java.util.Date;@Data
@Component
@ConfigurationProperties(prefix = "config.jwt",ignoreInvalidFields = true)
public class JwtUtils {private String secret;private long expire;// private String header; /*** 生成token, 根据用户名* @param username* @return*/public String createToken(String username){// 获取当前时间Date nowDate = new Date();// 过期时间Date expireDate = new Date(nowDate.getTime() + expire * 1000);// 生成tokenreturn Jwts.builder().setHeaderParam("typ", "JWT").setSubject(username).setIssuedAt(nowDate).setExpiration(expireDate).signWith(SignatureAlgorithm.HS512, secret).compact();}/*** 获取token中的信息* @param token* @return*/public Claims getTokenClaim(String token){try {return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();}catch (Exception e){e.printStackTrace();return null;}}/*** 获取token中的用户名* @param token* @return*/public String getUsernameFromToken(String token){Claims claims = getTokenClaim(token);if(claims == null){return null;}return claims.getSubject();}/*** Validate the token* @param token* @param userDetails* @return 返回true表示有效*/public boolean validateToken(String token, UserDetails userDetails) {String username = getUsernameFromToken(token);return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));}/*** Check if the token is expired* @param token* @return 返回true表示过期*/private boolean isTokenExpired(String token) {Date expiration = getTokenClaim(token).getExpiration();return expiration.before(new Date());}
}package com.h3m.domain;import com.h3m.constants.SYSConstant;
import lombok.Data;@Data
public class Result {private Integer code;private String message;private Object data;public Result() {}public Result(Integer code) {this.code = code;}public Result(Integer code, String message) {this.code = code;this.message = message;}public Result(Integer code, String message, Object data) {this.code = code;this.message = message;this.data = data;}// 创建一些静态常量字段public static final Result ADD_SUCCESS = new Result(SYSConstant.CODE_SUCCESS,SYSConstant.ADD_SUCCESS);public static final Result ADD_ERROR = new Result(SYSConstant.CODE_ERROR, SYSConstant.ADD_ERROR);public static final Result UPDATE_SUCCESS = new Result(SYSConstant.CODE_SUCCESS, SYSConstant.UPDATE_SUCCESS);public static final Result UPDATE_ERROR = new Result(SYSConstant.CODE_ERROR, SYSConstant.UPDATE_ERROR);public static final Result DELETE_SUCCESS = new Result(SYSConstant.CODE_SUCCESS, SYSConstant.DELETE_SUCCESS);public static final Result DELETE_ERROR = new Result(SYSConstant.CODE_ERROR, SYSConstant.DELETE_ERROR);public static final Result LOGIN_SUCCESS = new Result(SYSConstant.CODE_SUCCESS, SYSConstant.LOGIN_SUCCESS);public static final Result LOGIN_ERROR = new Result(SYSConstant.CODE_ERROR, SYSConstant.LOGIN_ERROR);
}
我们需要创建一个用于Security的实体类,并实现UserDetails接口
package com.h3m.domain.entity;import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;@Data
@AllArgsConstructor
@NoArgsConstructor
public class SecurityUser implements UserDetails {private User CurrentUserInfo;
// private Collection<? extends GrantedAuthority> authorities;private List<Access> accessList;@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {List<GrantedAuthority> authorities = accessList.stream().map(access -> new SimpleGrantedAuthority(access.getAccessName())).collect(Collectors.toList());return authorities;}@Overridepublic String getPassword() {return CurrentUserInfo.getPassword();}@Overridepublic String getUsername() {return CurrentUserInfo.getUserName();}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}
} 这个工具类主要是用于返回数据到前端的。
package com.h3m.utils;import com.fasterxml.jackson.databind.ObjectMapper;
import com.h3m.domain.Result;import javax.servlet.http.HttpServletResponse;
import java.io.IOException;public class ResponseUtils {public static void writeResponse(HttpServletResponse response, Result result) throws IOException {response.setCharacterEncoding("UTF-8");response.setContentType("application/json; charset=UTF-8");ObjectMapper objectMapper = new ObjectMapper();String jsonResponse = objectMapper.writeValueAsString(result);response.getWriter().write(jsonResponse);}
} 这里我们主要是重写三个方法,实现整个登录的过滤。
package com.h3m.filter;import com.fasterxml.jackson.databind.ObjectMapper;
import com.h3m.constants.SYSConstant;
import com.h3m.domain.Result;
import com.h3m.utils.JwtUtils;
import com.h3m.domain.entity.SecurityUser;
import com.h3m.domain.entity.User;
import com.h3m.utils.ResponseUtils;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;public class JwtLoginFilter extends UsernamePasswordAuthenticationFilter {private JwtUtils jwtConfig;private AuthenticationManager authenticationManager;private RedisTemplate redisTemplate;public JwtLoginFilter(AuthenticationManager authenticationManager, JwtUtils jwtConfig, RedisTemplate redisTemplate) {this.authenticationManager = authenticationManager;this.jwtConfig = jwtConfig;this.redisTemplate = redisTemplate;super.setFilterProcessesUrl("/login");}/*** 这个方法是在用户登录的时候调用的方法* @param request* @param response* @return* @throws AuthenticationException*/@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {//获取表单提供的数据ObjectMapper objectMapper = new ObjectMapper();try {User user = objectMapper.readValue(request.getInputStream(), User.class);//校验==认证的过程Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUserName(), user.getPassword(), new ArrayList<>()));return authenticate;} catch (IOException e) {e.printStackTrace();throw new RuntimeException("认证失败");}}/*** 这个方法是在用户登录成功后调用的方法* @param request* @param response* @param chain* @param authResult*/@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws ServletException, IOException {//得到用户名SecurityUser securityUser = (SecurityUser) authResult.getPrincipal();System.out.println("securityUser = " + securityUser);String username = securityUser.getUsername();//生成tokenString token = jwtConfig.createToken(username);//存入到redis username: 权限redisTemplate.opsForValue().set(username, securityUser.getAuthorities());// 返回tokenresponse.addHeader("Authorization", "Bearer " + token);// 登录成功后,封装用户以及对应权限信息返回// 返回用户信息Result result = new Result(SYSConstant.CODE_SUCCESS, SYSConstant.LOGIN_SUCCESS, securityUser);ResponseUtils.writeResponse(response, result);}/*** 这个方法是在用户登录失败后调用的方法* @param request* @param response* @param failed* @throws AuthenticationException*/@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws AuthenticationException, ServletException, IOException {ResponseUtils.writeResponse(response, new Result(SYSConstant.CODE_ERROR, "登录失败, 主要原因:"+failed.getMessage()));}
}package com.h3m.filter;import com.h3m.utils.JwtUtils;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;public class AuthFilter extends BasicAuthenticationFilter {private JwtUtils jwtConfig;private RedisTemplate redisTemplate;public AuthFilter(AuthenticationManager authenticationManager, RedisTemplate redisTemplate, JwtUtils jwtConfig) {super(authenticationManager);this.jwtConfig = jwtConfig;this.redisTemplate = redisTemplate;}/*** 这里我们只需要重写过滤方法,在其中实现我们的逻辑即可**/@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {// 从请求头中获取token所在的字段String authorizationHeader = request.getHeader("Authorization");if (authorizationHeader != null && !authorizationHeader.isEmpty() && authorizationHeader.startsWith("Bearer ")) {// 获取tokenString token = authorizationHeader.substring(7);// 解析token,获得用户名String username = jwtConfig.getUsernameFromToken(token);//从redis中获得该用户名对应的权限List<String> authList = (List<String>) redisTemplate.opsForValue().get(username);//将取出的权限存入到权限上下文中,表示当前token对应的用户具备哪些权限Collection<GrantedAuthority> authorities = new ArrayList<>();if (authList != null) {for (String auth : authList) {authorities.add(new SimpleGrantedAuthority(auth));}}// 生成认证信息对象UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, null, authorities);// 把认证信息对象存入到权限上下文中SecurityContextHolder.getContext().setAuthentication(authenticationToken);}// 放行chain.doFilter(request, response);}}
package com.h3m.handler;import com.h3m.constants.SYSConstant;
import com.h3m.domain.Result;
import com.h3m.utils.JwtUtils;
import com.h3m.utils.ResponseUtils;
import com.mysql.cj.util.StringUtils;
import lombok.RequiredArgsConstructor;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;@RequiredArgsConstructor
@Component
public class TokenLogOutHandler implements LogoutHandler {private final JwtUtils jwtConfig;private final RedisTemplate redisTemplate;@Overridepublic void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {//1.获取token所在请求头String authorizationHeader = request.getHeader("Authorization");if (!StringUtils.isNullOrEmpty(authorizationHeader) && authorizationHeader.startsWith("Bearer ")) {String token = authorizationHeader.substring(7); // 去掉 "Bearer " 前缀,得到 token// 使用 token 进行后续操作String username = jwtConfig.getUsernameFromToken(token);redisTemplate.delete(username);}try {ResponseUtils.writeResponse(response, new Result(SYSConstant.CODE_SUCCESS, "登出成功"));} catch (IOException e) {throw new RuntimeException(e);}}
}- 创建UserDetailServiceImpl实现类
package com.h3m.service.ServiceImpl;import com.h3m.domain.entity.Access;
import com.h3m.domain.entity.SecurityUser;
import com.h3m.domain.entity.User;
import com.h3m.domain.entity.UserRole;
import com.h3m.service.AccessService;
import com.h3m.service.RoleAccessService;
import com.h3m.service.UserRoleService;
import com.h3m.service.UserService;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.PortResolverImpl;
import org.springframework.stereotype.Service;import java.math.BigInteger;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;@RequiredArgsConstructor
@Service
public class UserDetailServiceImpl implements UserDetailsService {private final UserService userService;private final UserRoleService userRoleService;private final RoleAccessService roleAccessService;private final AccessService accessService;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {//根据用户名从数据库查询到该用户的信息User user = userService.selectByUsername(username);if(Objects.isNull(user)) {throw new UsernameNotFoundException("当前用户不存在");}// 查询用户的权限信息// 1. 根据user_id查询用户的角色_idUserRole userRole = userRoleService.selectByUserId(user.getId());// 2. 根据角色id查询用户的权限_idList<BigInteger> AccessIdList = roleAccessService.selectByRoleId(userRole.getRoleId());// 3. 根据权限id查询用户的权限信息List<Access> accessList = accessService.selectByAccessIdList(AccessIdList);// 将权限信息转换为 GrantedAuthority 集合
// List<GrantedAuthority> authorities = accessList.stream()
// .map(access -> new SimpleGrantedAuthority(access.getAccessName()))
// .collect(Collectors.toList());// 返回SecurityUser对象return new SecurityUser(user, accessList);}
}- 创建SpringSecurity配置类
package com.h3m.config;import com.h3m.filter.AuthFilter;
import com.h3m.filter.JwtLoginFilter;import com.h3m.handler.TokenLogOutHandler;
import com.h3m.utils.JwtUtils;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import javax.servlet.http.HttpServletResponse;@Configuration
@RequiredArgsConstructor
public class SecurityConfig {private final JwtUtils jwtConfig;private final TokenLogOutHandler logoutHandler;private final RedisTemplate redisTemplate;@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {JwtLoginFilter jwtLoginFilter = new JwtLoginFilter(authenticationManager, jwtConfig, redisTemplate);AuthFilter authFilter = new AuthFilter(authenticationManager, redisTemplate, jwtConfig);http.csrf().disable().authorizeHttpRequests().antMatchers("/login", "/user/register").permitAll().anyRequest().authenticated().and().addFilter(jwtLoginFilter) // 登录请求需要经过这个过滤器.addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class) // 确保 authFilter 在合适的位置.logout().logoutUrl("/logout").addLogoutHandler(logoutHandler).logoutSuccessHandler((request, response, authentication) -> response.setStatus(HttpServletResponse.SC_OK));return http.build();}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Beanpublic AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {return authenticationConfiguration.getAuthenticationManager();}}/login
由于我们在过滤器中已经实现了jwt的生成,以及返回信息,实际上登录接口这里我们不需要实现任何内容。
/*** 登录接口* @return*/@PostMapping("/login")public void login() {// 获取当前登录用户的信息
// Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// SecurityUser currentUser = (SecurityUser) authentication.getPrincipal();
// return new Result(SYSConstant.CODE_SUCCESS, SYSConstant.LOGIN_SUCCESS, currentUser);}/register 我们在注册的时候需要对密码进行编码
private final PasswordEncoder passwordEncoder;private final UserService userService;private final UserRoleService userRoleService;@PostMapping("/register")public Result register(@RequestBody User user) {log.info("用户注册: {}", user);// 对密码进行加密user.setPassword(passwordEncoder.encode(user.getPassword()));// 注册用户, 调用save方法插入一条记录boolean flag_1 = userService.save(user);// 创建默认用户角色UserRole userRole = new UserRole();userRole.setUserId(user.getId());// 插入一条记录, 虽然这里只传入了一个userId,但是roleId字段有默认值为2,即普通用户boolean flag_2 = userRoleService.save(userRole);if (flag_1 && flag_2) {return new Result(SYSConstant.CODE_SUCCESS, "注册成功");} else {return new Result(SYSConstant.CODE_ERROR, "注册失败");}}
原理及其应用!!!)
