spring-security登录流程和集成JWT功能

一、基本登录流程

编写一个配置文件 SecurityConfig.java

package com.wesdata.com.config;
import com.wesdata.com.filter.JwtAuthenticationTokenFilter;
import com.wesdata.com.handler.MyAccessDeniedHandler;
import com.wesdata.com.handler.MyAuthenticationEntryPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

}

配置登录访问路由

spring-boot默认路径为/login,可以根据需要自己设置，当访问www.xxx.com/login的时候，即为进行登录

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // 配置自定义登录页面
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().loginProcessingUrl("/login") // 访问登录页面的路径 
    }
}

3. 配置处理登录的逻辑

   ```java
   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       

       @Autowired
       UserDetailsService userDetailsService;

       // 当进行登录时，spring会调用这里设置的userDetailsService的某个方法，这个方法名称是约定好的
       protected void configure(AuthenticationManagerBuilder auth) throws Exception {

           auth.userDetailsService(userDetailsService)   // 指定使用 userDetailsService 服务来获取用户信息
               .passwordEncoder(passwordEncoder());    // 设置加密方式
       }

       @Bean
       public PasswordEncoder passwordEncoder() {
           return new BCryptPasswordEncoder();
       }
   }

编写userDetailsService

大致思路就是，spring调用loadUserByUsername方法，然后返回一个User实例提供给spring进行认证比较用。在loadUserByUsername方法中，根据传递的name字段到数据库查询用户信息，如果查不到用户，直接抛出错误，如果查询到用户信息，则把用户名，密码，权限包装到User中。

package com.wesdata.com.service;

import com.wesdata.com.bean.Employee;
import com.wesdata.com.mapper.EmployeeMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.*;

// 注册一个service
@Service("userDetailsService")
public class MyUserDetailService implements UserDetailsService {

    @Autowired
    EmployeeMapper employeeMapper;

    // 主要作用就是根据名字获取用户信息，然后构建一个User对象，提供给调用者
    @Override
    public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {

        // 从数据库根据name查询用户信息
        Employee employee = employeeMapper.findEmpByName(name);
        if (employee == null) {
            throw new UsernameNotFoundException("用户名" + name + "不存在");
        }

        // 设置加密方式
        BCryptPasswordEncoder passwordEncoder =  new BCryptPasswordEncoder();
        String password = passwordEncoder.encode(employee.getPassword());

        // 权限是一个集合
        List auths = AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_admin");

        // 把用户名、密码、权限返给调用者，系统会自己对密码进行比较，注意，系统只会对密码进行比较，所以这里name传任何值都能通过
        return new User(employee.getName(), password, auths);
    }
}

二、集成JWT

集成jwt就不能走spring的自动登录流程了，整体思路就是，手动调用系统的认证功能，认证成功，生成token返回给前端，前端对token进行缓存，当请求其他api时，将token通过请求头携带上。在过滤器中，对token进行检查。

配置
- 对登录路径设置无需授权即可访问
- 禁用session
- 将token过滤器插入到过滤器链中
- 将登录管理器注入到IOC容器中

   @Configuration
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
       JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;


       // 配置自定义登录页面
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http
                   .authorizeRequests()
                   // ==1.权限设置==
                   .antMatchers(
                           "/user/login"
                   )
                   
                   .permitAll()
                   .and().csrf().disable() // 开启跨域访问
                   // ==2.禁用session==
                   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); 

           // ==3.配置过滤日==
           // 配置jwtAuthenticationTokenFilter 过滤器插入到 UsernamePasswordAuthenticationFilter 前面
           http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
       }

       // == 4.将登录管理器 注入IOC容器中 ==
       @Bean
       @Override
       public AuthenticationManager authenticationManagerBean() throws Exception{
           return super.authenticationManagerBean();
       }
   }

编写登录控制器

package com.wesdata.com.controller;

import com.wesdata.com.bean.User;
import com.wesdata.com.domain.ResponseResult;
import com.wesdata.com.mapper.UserMapper;
import com.wesdata.com.utils.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

import com.alibaba.fastjson.JSONObject;

@RequestMapping("user")
@RestController
public class UserController {

    @Autowired
    AuthenticationManager authenticationManager;

    @Autowired
    UserMapper userMapper;

    @RequestMapping("login")
    public ResponseResult login(@RequestParam("name") String name, @RequestParam("password") String password) {

        // 在这里进行主动登录操作
        UsernamePasswordAuthenticationToken usernamePasswordToken = new UsernamePasswordAuthenticationToken(name, password);
        Authentication authentication = authenticationManager.authenticate(usernamePasswordToken);
        if (Objects.isNull(authentication)) {
            return new ResponseResult("登录失败");
        } else {
            // "登录成功";
            String token = JwtUtil.createJwt(name , "15");
            System.out.println(token);
            Map data = new HashMap<>();
            data.put("token", token);
            return ResponseResult.success(data);
        }
    }

    @RequestMapping("logout")
    public String logout() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // UsernamePasswordAuthenticationToken的第一个参数
        auth.getPrincipal();
        return "logout success";
    }
}

编写token过滤器

package com.wesdata.com.filter;

import com.wesdata.com.utils.JwtUtil;
import io.jsonwebtoken.Claims;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
    {
        String token = request.getHeader("token");

        // 对于不带token的请求，直接进入下一个过滤器
        if (Objects.isNull(token)) {
            try {
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                System.out.println(e.getMessage());
            }
            return;
        }

        Claims body = JwtUtil.parseToken(token);
        String name = body.get("userName").toString();
        String id = body.get("userId").toString();
        System.out.println(name);
        System.out.println(id);

        // 权限列表
        List authorities = new ArrayList<>();
        authorities.add( new SimpleGrantedAuthority("student"));

        // 这里非常关键
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(name, null, authorities);

        SecurityContextHolder
                .getContext()
                .setAuthentication(authenticationToken);

        try {
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
}

本文由博客一文多发平台 OpenWrite 发布！

spring-security登录流程和集成JWT功能

Java相关栏目本月热门文章