Spring Boot2 + Spring Security + JWT 实现项目级前后端分离认证授权

Spring Security 是 Spring 家族中的一个安全管理框架。相比与另外一个安全框架 Shiro，它提供了更丰富的功能，扩展性更好，社区资源也比 Shiro 丰富。在 Spring Boot 出现之前，Spring Security 就已经发展了多年了，但是使用的并不多，安全管理这个领域，一直是 Shiro 的天下。
相对于 Shiro，在 SSM/SSH 中整合 Spring Security 都是比较麻烦的操作，所以 Spring Security 虽然功能比 Shiro 强大，但是使用反而没有 Shiro 多（Shiro 虽然功能没有 Spring Security 多，但是对于大部分项目而言，Shiro 上手简单也够用了）。
自从有了 Spring Boot 之后，Spring Boot 对于 Spring Security 提供了 自动化配置方案，可以零配置使用 Spring Security。

一般 WEB 应用的需要进行认证和授权。

认证：验证当前访问系统的是不是系统用户，并且要确认具体是那个用户。授权：经过认证后判断当前用户是否有权限进行某个操作。

常见的安全管理技术栈的组合是这样的：

SSM + ShiroSpring Boot/Spring Cloud + Spring Security

注意：这只是一个推荐的组合而已，如果单纯从技术上来说，无论怎么组合，都是可以运行的。

项目技术：Spring Boo2 、Spring Security、MyBatis、MySQL

项目结构：

        
        
            org.springframework.boot
            spring-boot-starter-security
        

        
        
            io.jsonwebtoken
            jjwt
            0.9.0
        

# jwt token配置
# 令牌自定义标识
jwt.token.header=token
# 令牌秘钥
jwt.token.secret=abcdefghijklmnopqrstuvwxyz
# 令牌有效期（默认30分钟）
jwt.token.expireTime=30

package com.modules.security;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;


@Slf4j
@Component
public class JwtTokenUtil {

    private static final String CLAIM_KEY_USERNAME = "sub";
    private static final String CLAIM_KEY_CREATED = "created";

    // 令牌自定义标识
    @Value("${jwt.token.header}")
    private String header;

    // 令牌秘钥
    @Value("${jwt.token.secret}")
    private String secret;

    // 令牌有效期（默认30分钟）
    @Value("${jwt.token.expireTime}")
    private Long expiration;


    
    private String generateToken(Map claims) {
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    
    private Claims getClaimsFromToken(String token) {
        Claims claims = null;
        try {
            claims = Jwts.parser()
                    .setSigningKey(secret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (Exception e) {
            log.info("JWT格式验证失败:{}",token);
        }
        return claims;
    }

    
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + expiration * 1000);
    }

    
    public String getUserNameFromToken(String token) {
        String username;
        try {
            Claims claims = getClaimsFromToken(token);
            username =  claims.getSubject();
        } catch (Exception e) {
            username = null;
        }
        return username;
    }

    
    public boolean validateToken(String token, UserDetails userDetails) {
        String username = getUserNameFromToken(token);
        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
    }

    
    public boolean isTokenExpired(String token) {
        Date expiredDate = getExpiredDateFromToken(token);
        return expiredDate.before(new Date());
    }

    
    private Date getExpiredDateFromToken(String token) {
        Claims claims = getClaimsFromToken(token);
        return claims.getExpiration();
    }

    
    public String generateToken(UserDetails userDetails) {
        Map claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }

    
    public String generateToken(LoginUser loginUser) {
        Map claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, loginUser.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }

    
    public boolean canRefresh(String token) {
        return !isTokenExpired(token);
    }

    
    public String refreshToken(String token) {
        Claims claims = getClaimsFromToken(token);
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }

    
    public String getToken(HttpServletRequest request)
    {
        return request.getHeader(header);
    }
}

package com.modules.security.handle;

import com.alibaba.fastjson.JSON;
import com.modules.common.utils.ServletUtils;
import com.modules.common.web.Result;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;


@Component
public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
        ServletUtils.renderString(response, JSON.toJSonString(Result.unauth("权限不足")));
    }
}

package com.modules.security.handle;

import com.alibaba.fastjson.JSON;
import com.modules.common.utils.ServletUtils;
import com.modules.common.web.Result;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;


@Component
public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint
{

    @Override
    public void commence(HttpServletRequest equest, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        ServletUtils.renderString(response, JSON.toJSonString(Result.auth("token认证失败")));
    }
}

package com.modules.security.handle;

import com.alibaba.fastjson.JSON;
import com.modules.common.utils.ServletUtils;
import com.modules.common.web.Result;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;


@Component
public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint
{

    @Override
    public void commence(HttpServletRequest equest, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        ServletUtils.renderString(response, JSON.toJSonString(Result.auth("token认证失败")));
    }
}

package com.modules.security;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.modules.system.entity.SysUser;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.Set;


public class LoginUser implements UserDetails
{
    private static final long serialVersionUID = 1L;

    
    private String token;

    
    private Long loginTime;

    
    private Long expireTime;

    
    private String ipaddr;

    
    private String loginLocation;

    
    private String browser;

    
    private String os;

    
    private Set permissions;

    
    private SysUser user;

    public String getToken()
    {
        return token;
    }

    public void setToken(String token)
    {
        this.token = token;
    }

    public LoginUser()
    {
    }

    public LoginUser(SysUser user, Set permissions)
    {
        this.user = user;
        this.permissions = permissions;
    }

    @JsonIgnore
    @Override
    public String getPassword()
    {
        return user.getPassword();
    }

    @Override
    public String getUsername()
    {
        return user.getUserName();
    }

    
    @JsonIgnore
    @Override
    public boolean isAccountNonExpired()
    {
        return true;
    }

    
    @JsonIgnore
    @Override
    public boolean isAccountNonLocked()
    {
        return true;
    }

    
    @JsonIgnore
    @Override
    public boolean isCredentialsNonExpired()
    {
        return true;
    }

    
    @JsonIgnore
    @Override
    public boolean isEnabled()
    {
        return true;
    }

    public Long getLoginTime()
    {
        return loginTime;
    }

    public void setLoginTime(Long loginTime)
    {
        this.loginTime = loginTime;
    }

    public String getIpaddr()
    {
        return ipaddr;
    }

    public void setIpaddr(String ipaddr)
    {
        this.ipaddr = ipaddr;
    }

    public String getLoginLocation()
    {
        return loginLocation;
    }

    public void setLoginLocation(String loginLocation)
    {
        this.loginLocation = loginLocation;
    }

    public String getBrowser()
    {
        return browser;
    }

    public void setBrowser(String browser)
    {
        this.browser = browser;
    }

    public String getOs()
    {
        return os;
    }

    public void setOs(String os)
    {
        this.os = os;
    }

    public Long getExpireTime()
    {
        return expireTime;
    }

    public void setExpireTime(Long expireTime)
    {
        this.expireTime = expireTime;
    }

    public Set getPermissions()
    {
        return permissions;
    }

    public void setPermissions(Set permissions)
    {
        this.permissions = permissions;
    }

    public SysUser getUser()
    {
        return user;
    }

    public void setUser(SysUser user)
    {
        this.user = user;
    }

    @Override
    public Collection getAuthorities()
    {
        return null;
    }
}

package com.modules.security.service;

import com.modules.common.enmus.PublicEnum;
import com.modules.common.exception.CustomException;
import com.modules.common.utils.StringUtils;
import com.modules.security.LoginUser;
import com.modules.system.entity.SysUser;
import com.modules.system.service.SysUserService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;


@Slf4j
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private SysUserService sysUserService;

    
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SysUser sysUser = sysUserService.selectUserByLoginName(username);
        if (StringUtils.isNull(sysUser))
        {
            log.info("登录用户：{} 不存在.", username);
            throw new UsernameNotFoundException("登录账号不存在");
        }
        else if (PublicEnum.DELETE.getCode().equals(sysUser.getStatus()))
        {
            log.info("登录用户：{} 已被删除.", username);
            throw new CustomException("账号已被删除");
        }
        else if (PublicEnum.DISABLE.getCode().equals(sysUser.getStatus()))
        {
            log.info("登录用户：{} 已被停用.", username);
            throw new CustomException("账号已停用");
        }
        return createLoginUser(sysUser);
    }

    public UserDetails createLoginUser(SysUser user)
    {
        return new LoginUser(user, null);
    }
}

package com.modules.security.service;

import com.modules.security.JwtTokenUtil;
import com.modules.security.LoginUser;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;


@Slf4j
@Service
public class LoginService {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    
    public LoginUser login(String username, String password) {
        String token = null;
        LoginUser loginUser = null;
        // 用户验证
        Authentication authentication = null;
        // 该方法会去调用UserDetailsServiceImpl.loadUserByUsername
        authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        loginUser = (LoginUser) authentication.getPrincipal();
        token = jwtTokenUtil.generateToken(loginUser);
        loginUser.setToken(token);
        return loginUser;
    }
}

package com.modules.common.web;


import com.modules.common.utils.StringUtils;

import java.util.HashMap;


public class Result extends HashMap {
    private static final long serialVersionUID = 1L;

    public static final String CODE_TAG = "code";

    public static final String MSG_TAG = "msg";

    public static final String DATA_TAG = "data";
    public static final String success_Count = "successCount";
    public static final String fail_Count = "failCount";
    public static final String messCell_Count = "messCellCount";

    
    public enum Type {
        
        SUCCESS(200),
        
        WARN(300),

        
        FAIL(400),

        
        ERROR(500),

        
        UNAUTH(600),

        
        AUTH(700);

        private final int value;


        Type(int value) {
            this.value = value;
        }

        public int value() {
            return this.value;
        }
    }

    
    public Result(Type type, String msg, int successCount, int failCount, int messCellCount, Object data) {
        super.put(CODE_TAG, type.value);
        super.put(MSG_TAG, msg);
        if (StringUtils.isNotNull(data)) {
            super.put(DATA_TAG, data);
        }
        super.put(success_Count, successCount);
        super.put(fail_Count, failCount);
        super.put(messCell_Count, messCellCount);

    }

    
    public Result(Type type, String msg) {
        super.put(CODE_TAG, type.value);
        super.put(MSG_TAG, msg);
    }

    
    public Result(Type type, Object msg, Object data) {
        super.put(CODE_TAG, type.value);
        super.put(MSG_TAG, msg);
        if (StringUtils.isNotNull(data)) {
            super.put(DATA_TAG, data);
        }
    }

    
    public static Result success() {
        return success("操作成功");
    }

    
    public static Result success(Object data) {
        return success("操作成功", data);
    }

    
    public static Result success(String msg) {
        return success(msg, null);
    }

    
    public static Result success(String msg, Object data) {
        return new Result(Type.SUCCESS, msg, data);
    }

    
    public static Result success(String msg, int successCount, int failCount, int messCellCount, Object data) {
        return new Result(Type.SUCCESS, msg, successCount, failCount, messCellCount, data);
    }

    
    public static Result error(String msg, int successCount, int failCount, int messCellCount, Object data) {
        return new Result(Type.ERROR, msg, successCount, failCount, messCellCount, data);
    }


    
    public static Result warn(String msg) {
        return warn(msg, null);
    }

    
    public static Result warn(String msg, Object data) {
        return new Result(Type.WARN, msg, data);
    }

    
    public static Result error() {
        return error("操作失败");
    }

    
    public static Result error(Object msg) {
        return error(msg, null);
    }

    
    public static Result error(Object msg, Object data) {
        return new Result(Type.ERROR, msg, data);
    }

    
    public static Result unauth() {
        return error("权限不足");
    }

    
    public static Result unauth(String msg) {
        return error(msg, null);
    }

    
    public static Result unauth(String msg, Object data) {
        return new Result(Type.UNAUTH, msg, data);
    }

    
    public static Result auth() {
        return error("token认证失败");
    }

    
    public static Result auth(String msg) {
        return error(msg, null);
    }

    
    public static Result auth(String msg, Object data) {
        return new Result(Type.AUTH, msg, data);
    }

    
    public static Result fail()
    {
        return fail("操作失败");
    }

    
    public static Result fail(String msg)
    {
        return fail(msg, null);
    }

    
    public static Result fail(String msg, Object data)
    {
        return new Result(Type.FAIL, msg, data);
    }

}

package com.modules.common.config;

import com.modules.security.filter.JwtAuthenticationTokenFilter;
import com.modules.security.handle.AccessDeniedHandlerImpl;
import com.modules.security.handle.AuthenticationEntryPointImpl;
import com.modules.security.handle.LogoutSuccessHandlerImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.annotation.Resource;


@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    
    @Resource
    private UserDetailsService userDetailsService;

    
    @Autowired
    private AccessDeniedHandlerImpl accessDeniedHandler;

    
    @Autowired
    private AuthenticationEntryPointImpl authenticationEntryPoint;

    
    @Autowired
    private LogoutSuccessHandlerImpl logoutSuccessHandler;

    
    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;


    
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception
    {
        return super.authenticationManagerBean();
    }


    
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception
    {
        httpSecurity
                // CRSF禁用，因为不使用session
                .csrf().disable()
                .exceptionHandling()
                // 认证失败处理类
                .authenticationEntryPoint(authenticationEntryPoint)
                // 权限不足处理类
                .accessDeniedHandler(accessDeniedHandler)
                .and()
                // 基于token，所以不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // 过滤请求
                .authorizeRequests()
                // 对于登录login 验证码captchaImage 允许匿名访问
                .antMatchers("/user*.html",
                        "*.css",
                        "*.js"
                ).permitAll()
                .antMatchers("/profileapi-docs").anonymous()
                .antMatchers("/druid
    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception
    {
        builder.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

    
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder()
    {
        return new BCryptPasswordEncoder();
    }

}

package com.modules.system.controller;

import com.modules.common.aspectj.Log;
import com.modules.common.enmus.BusinessType;
import com.modules.common.web.baseController;
import com.modules.common.web.Result;
import com.modules.security.service.LoginService;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletRequest;


@Api(tags = "登录管理")
@Slf4j
@CrossOrigin
@RestController
@RequestMapping("/user")
public class LoginController extends baseController {

    @Autowired
    private LoginService loginService;

    @Log(title = "用户登录", businessType = BusinessType.LOGIN)
    @ApiOperation(value = "用户登录", notes = "用户登录")
    @PostMapping(value = "/login")
    public Result login(HttpServletRequest request,
                        @ApiParam(name = "loginName", value = "登录账号") @RequestParam(value = "loginName", required = true) String loginName,
                        @ApiParam(name = "password", value = "密码") @RequestParam(value = "password", required = true) String password) {
        try {
            return success(loginService.login(loginName, password));
        }catch (Exception e) {
            if(e instanceof BadCredentialsException){
                log.error("BadCredentialsException=====>账号或者密码错误", e.getMessage());
                return error("账号或者密码错误");
            }else {
                log.error("CustomException=====>", e.getMessage());
                return error(e.getMessage());
            }
        }
    }
}

package com.modules.common.config;

import io.swagger.annotations.ApiOperation;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.*;
import springfox.documentation.spi.documentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

import java.util.ArrayList;
import java.util.List;


@Configuration
@EnableSwagger2
public class SwaggerConfig {

    @Value("${swagger.show}")
    private boolean swaggerShow;

    
    @Bean
    public Docket createRestApi() {
        return new Docket(documentationType.SWAGGER_2)
                // 是否开启
                .enable(swaggerShow)
                // 用来创建该API的基本信息，展示在文档的页面中（自定义展示的信息）
                .apiInfo(apiInfo())
                // 全局header配置
//                .globalOperationParameters(parameters)
                // 设置哪些接口暴露给Swagger展示
                .select()
                // 扫描所有有注解的api，用这种方式更灵活
                .apis(RequestHandlerSelectors.withMethodAnnotation(ApiOperation.class))
                // 扫描指定包中的swagger注解
                //.apis(RequestHandlerSelectors.basePackage("com.modules.swagger"))
                // 扫描所有 .apis(RequestHandlerSelectors.any())
                .paths(PathSelectors.any())
                .build()
                
                .securitySchemes(securitySchemes())
                .securityContexts(securityContexts());
    }

    
    private List securitySchemes()
    {
        List apiKeyList = new ArrayList();
        apiKeyList.add(new ApiKey("token", "token", "header"));
        return apiKeyList;
    }

    
    private List securityContexts()
    {
        List securityContexts = new ArrayList<>();
        securityContexts.add(
                SecurityContext.builder()
                        .securityReferences(defaultAuth())
                        .forPaths(PathSelectors.regex("^(?!auth).*$"))
                        .build());
        return securityContexts;
    }

    
    private List defaultAuth()
    {
        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
        authorizationScopes[0] = authorizationScope;
        List securityReferences = new ArrayList<>();
        securityReferences.add(new SecurityReference("token", authorizationScopes));
        return securityReferences;
    }

    
    private ApiInfo apiInfo() {
        // 用ApiInfoBuilder进行定制
        return new ApiInfoBuilder()
                // 设置标题
                .title("标题：系统接口文档")
                // 描述
                .description("描述：用于描述系统接口...")
                // 作者信息
                .contact(new Contact("lc", null, null))
                // 版本
                .version("版本号:" + "v1.0.0")
                .build();
    }
}