目錄結構:
springbootApplication里面的配置,如有需要可以自行添加
實現JWT功能
在pom.xml中的配置
1 <?xml version="1.0" encoding="UTF-8"?> 2 <project xmlns="http://maven.apache.org/POM/4.0.0" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <parent> 8 <groupId>org.springframework.boot</groupId> 9 <artifactId>spring-boot-starter-parent</artifactId> 10 <version>2.1.5.RELEASE</version> 11 </parent> 12 13 <groupId>com.my</groupId> 14 <artifactId>my-springsecurity</artifactId> 15 <version>1.0-SNAPSHOT</version> 16 17 18 <dependencies> 19 <dependency> 20 <groupId>org.springframework.boot</groupId> 21 <artifactId>spring-boot-starter-web</artifactId> 22 </dependency> 23 <dependency> 24 <groupId>org.springframework.boot</groupId> 25 <artifactId>spring-boot-starter-thymeleaf</artifactId> 26 </dependency> 27 <dependency> 28 <groupId>org.springframework.boot</groupId> 29 <artifactId>spring-boot-starter-jdbc</artifactId> 30 </dependency> 31 <dependency> 32 <groupId>org.springframework.data</groupId> 33 <artifactId>spring-data-redis</artifactId> 34 <version>2.1.5.RELEASE</version> 35 </dependency> 36 <dependency> 37 <groupId>redis.clients</groupId> 38 <artifactId>jedis</artifactId> 39 </dependency> 40 <dependency> 41 <groupId>org.springframework.boot</groupId> 42 <artifactId>spring-boot-test</artifactId> 43 <scope>test</scope> 44 </dependency> 45 <!-- oracle數據庫驅動 --> 46 <dependency> 47 <groupId>com.oracle</groupId> 48 <artifactId>ojdbc6</artifactId> 49 <version>11.2.0.3</version> 50 </dependency> 51 <dependency> 52 <groupId>org.mybatis.spring.boot</groupId> 53 <artifactId>mybatis-spring-boot-starter</artifactId> 54 <version>1.3.2</version> 55 </dependency> 56 57 <dependency> 58 <groupId>org.springframework.boot</groupId> 59 <artifactId>spring-boot-starter-security</artifactId> 60 </dependency> 61 <dependency> 62 <groupId>org.springframework.security</groupId> 63 <artifactId>spring-security-web</artifactId> 64 <version>5.0.4.RELEASE</version> 65 </dependency> 66 <dependency> 67 <groupId>org.springframework.security</groupId> 68 <artifactId>spring-security-config</artifactId> 69 <version>5.0.4.RELEASE</version> 70 </dependency> 71 <dependency> 72 <groupId>io.jsonwebtoken</groupId> 73 <artifactId>jjwt</artifactId> 74 <version>0.9.0</version> 75 </dependency> 76 77 <dependency> 78 <groupId>com.alibaba</groupId> 79 <artifactId>fastjson</artifactId> 80 <version>1.2.30</version> 81 </dependency> 82 <dependency> 83 <groupId>org.springframework.boot</groupId> 84 <artifactId>spring-boot-starter-test</artifactId> 85 <scope>test</scope> 86 </dependency> 87 </dependencies> 88 89 <build> 90 <finalName>${project.artifactId}</finalName> 91 <plugins> 92 <!-- <!– 資源文件拷貝插件 –> 93 <plugin> 94 <groupId>org.apache.maven.plugins</groupId> 95 <artifactId>maven-resources-plugin</artifactId> 96 <configuration> 97 <encoding>UTF-8</encoding> 98 </configuration> 99 </plugin>--> 100 <!-- java編譯插件 --> 101 <plugin> 102 <groupId>org.apache.maven.plugins</groupId> 103 <artifactId>maven-compiler-plugin</artifactId> 104 <configuration> 105 <source>1.8</source> 106 <target>1.8</target> 107 <encoding>UTF-8</encoding> 108 </configuration> 109 </plugin> 110 <plugin> 111 <groupId>org.springframework.boot</groupId> 112 <artifactId>spring-boot-maven-plugin</artifactId> 113 </plugin> 114 </plugins> 115 </build> 116 </project>
在application.yml中的配置
1 server: 2 port: ${PORT:8080} 3 spring: 4 application: 5 name: my-springsecurity 6 datasource: 7 url: jdbc:oracle:thin:@localhost:1521:orcl 8 username: scott 9 password: oracle 10 driver-class-name: oracle.jdbc.driver.OracleDriver 11 redis: 12 host: ${REDIS_HOST:127.0.0.1} 13 port: ${REDIS_PORT:6379} 14 timeout: 5000 #連接超時 毫秒 15 # main: 16 # allow-bean-definition-overriding: true #同名bean覆蓋 17 security: 18 loginType: JSONs 19 20 # 無法掃描到resources下的templates中的靜態文件時可以配置,如果可以無需配置 21 #注入到TomcatConfig 22 bw: 23 factory: 24 doc: 25 root: E:\JAVAIDEA\My\springboot\my-springsecurity\src\main\resources\templates
首先需要繼承WebSecurityConfigurerAdapter類,配置security中的認證授權相關配置
1 @EnableWebSecurity 2 @EnableGlobalMethodSecurity(prePostEnabled = true) 3 public class SecurityConfig extends WebSecurityConfigurerAdapter { 4 5 //token 過濾器,解析token 6 @Autowired 7 MyJwtTokenFilter jwtTokenFilter; 8 9 10 @Autowired 11 MyUserDetailsService myUserDetailsService; 12 13 @Autowired 14 private SendSmsSecurityConfig sendSmsSecurityConfig; 15 16 //加密機制 17 @Bean 18 public PasswordEncoder passwordEncoder() { 19 return NoOpPasswordEncoder.getInstance(); 20 } 21 22 23 //認證 24 @Override 25 protected void configure(AuthenticationManagerBuilder auth) throws Exception { 26 auth.userDetailsService(myUserDetailsService) 27 .passwordEncoder(passwordEncoder()); 28 } 29 30 @Override 31 protected void configure(HttpSecurity http) throws Exception { 32 http.authorizeRequests() 33 // .antMatchers("/admin/api/**").hasRole("ADMIN") 34 // .antMatchers("/user/api/**").hasRole("USER") 35 .antMatchers("/SendSms").permitAll() 36 .antMatchers("/**").permitAll() 37 .anyRequest().authenticated()//任何請求登錄后訪問 38 .and() 39 // 基於token,所以不需要session 40 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) 41 // .sessionManagement() //會話管理 42 // .maximumSessions(1); //限制登錄人數 43 .and().csrf().disable(); 44 45 //登錄操作 46 http.formLogin() 47 .loginPage("/login.html")//登錄路徑 48 .loginProcessingUrl("/farmerlogin")//登錄表單提交請求 49 .usernameParameter("username")//設置登錄賬號參數,默認username 50 .passwordParameter("password")//設置登錄密碼參數,默認password 51 // .defaultSuccessUrl("/home.html")//登錄成功跳轉,不能和successHandler一起使用 52 // .failureUrl("/login.html")// 登錄失敗跳轉,不能和failureHandler一起使用 53 .permitAll() 54 //登錄成功處理 55 .successHandler(new LoginSuccessHandler()) 56 //登錄失敗處理 57 .failureHandler(new LoginFailureHandler()) 58 .and().apply(sendSmsSecurityConfig); 59 60 61 //退出操作 62 http.logout() 63 .logoutUrl("/aaa")//退出提交參數 64 .logoutSuccessUrl("/login.html");//退出后跳轉,不能和logoutSuccessHandler一起使用 65 // .logoutSuccessHandler();//退出處理 66 67 // 禁用緩存 68 http.headers().cacheControl(); 69 70 http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class) 71 // 添加權限不足 filter 72 .exceptionHandling().accessDeniedHandler(new MyAccessDeniedHandler()) 73 //其他異常處理類 74 .authenticationEntryPoint(new MyAuthenticationException()); 75 } 76 77 //忽略攔截 78 @Override 79 public void configure(WebSecurity web) throws Exception { 80 web.ignoring().antMatchers("/css/**", "/elementuidemo/**", 81 "/img/**", "/js/**", "/plugins/**", "/static/json/**", "/pages/**"); 82 } 83 84 }
配置相關配件:
登錄成功處理:繼承SavedRequestAwareAuthenticationSuccessHandler類,該類繼承AuthenticationSuccessHandler類,AuthenticationSuccessHandler登錄成功父類,之所以用SavedRequestAwareAuthenticationSuccessHandler類,里面可以實現其他的方法,如:登錄成功跳轉到登錄之前請求的頁面
1 /** 2 * <p> 3 * AuthenticationSuccessHandler登錄成功父類 4 * SavedRequestAwareAuthenticationSuccessHandler 繼承AuthenticationSuccessHandler 5 * <p> 6 * 登錄成功處理 7 */ 8 @Component 9 public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler { 10 11 /* @Value("${spring.security.loginType}") 12 private String loginType;*/ 13 14 /* @Autowired 15 JwtTokenUtil jwtTokenUtil;*/ 16 17 @Override 18 public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException { 19 System.out.println("登錄成功"); 20 //從authentication中獲取用戶信息 21 final User farmerDetail = (User) authentication.getPrincipal(); 22 JwtTokenUtil jwtTokenUtil = new JwtTokenUtil(); 23 //生成jwt 24 String token = jwtTokenUtil.generateToken(farmerDetail); 25 httpServletResponse.addHeader("token", "Bearer " + token); 26 27 /* if (loginType.equalsIgnoreCase("JSON")) { 28 httpServletResponse.setContentType("application/json"); 29 httpServletResponse.setCharacterEncoding("UTF-8"); 30 httpServletResponse.getWriter().write("{\"result\":\"ok\"}"); 31 // httpServletResponse.getWriter().flush(); 32 } else { 33 //跳轉到登錄之前請求的頁面 34 super.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authentication); 35 }*/ 36 httpServletResponse.setContentType("application/json"); 37 httpServletResponse.setCharacterEncoding("UTF-8"); 38 httpServletResponse.getWriter().write("{\"result\":\"ok\"}"); 39 40 } 41 }
登錄失敗處理:繼承SimpleUrlAuthenticationFailureHandler類,該類繼承SimpleUrlAuthenticationFailureHandler類,SimpleUrlAuthenticationFailureHandler類登錄失敗父類,之所以用SimpleUrlAuthenticationFailureHandler類,里面可以實現其他方法,如:登錄失敗跳轉到登錄頁面
1 /** 2 * 3 * AuthenticationFailureHandler登錄失敗父類 4 * SimpleUrlAuthenticationFailureHandler 繼承AuthenticationFailureHandler 5 * 6 * 登錄失敗處理 7 */ 8 @Component 9 public class LoginFailureHandler extends SimpleUrlAuthenticationFailureHandler { 10 11 /* @Value("${spring.security.loginType}") 12 private String loginType;*/ 13 14 @Override 15 public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { 16 /* if (loginType.equalsIgnoreCase("JSON")) { 17 httpServletResponse.setContentType("application/json;charset=UTF-8"); 18 httpServletResponse.setStatus(401); 19 PrintWriter out = httpServletResponse.getWriter(); 20 out.write("{\"error_code\":\"401\",\"name\":\""+e.getClass()+"\",\"message\":\""+e.getMessage()+"\"}"); 21 22 }else { 23 //登錄失敗跳轉到登錄頁面 24 super.onAuthenticationFailure(httpServletRequest,httpServletResponse,e); 25 }*/ 26 27 httpServletResponse.setContentType("application/json;charset=UTF-8"); 28 httpServletResponse.setStatus(401); 29 PrintWriter out = httpServletResponse.getWriter(); 30 out.write("{\"error_code\":\"401\",\"name\":\""+e.getClass()+"\",\"message\":\""+e.getMessage()+"\"}"); 31 32 } 33 }
權限不足處理:實現的AccessDeniedHandler類,進行的權限校驗
1 /** 2 * Spring security權限不足處理類 3 * 只有登錄后(即接口有傳token)接口權限不足才會進入AccessDeniedHandler, 4 * 如果是未登陸或者會話超時等,不會觸發AccessDeniedHandler,而是會直接跳轉到登陸頁面。 5 */ 6 @Component 7 public class MyAccessDeniedHandler implements AccessDeniedHandler { 8 @Override 9 public void handle(HttpServletRequest httpServletRequest, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException { 10 //登陸狀態下,權限不足執行該方法 11 System.out.println("權限不足:" + e.getMessage()); 12 response.setStatus(200); 13 response.setCharacterEncoding("UTF-8"); 14 response.setContentType("application/json; charset=utf-8"); 15 PrintWriter printWriter = response.getWriter(); 16 response.getWriter().write("{\"result\":\"權限不足\"}"); 17 printWriter.flush(); 18 } 19 }
異常處理:實現AuthenticationEntryPoint類,實現異常的處理,如果不配置此類,則spring security默認會跳轉到登錄頁面
1 /** 2 * Spring security其他異常處理類,比如請求路徑不存在等, 3 * 如果不配置此類,則Spring security默認會跳轉到登錄頁面 4 */ 5 @Component 6 public class MyAuthenticationException implements AuthenticationEntryPoint { 7 @Override 8 public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { 9 System.out.println("AuthenticationEntryPoint檢測到異常:"+e); 10 httpServletResponse.setStatus(200); 11 httpServletResponse.setCharacterEncoding("UTF-8"); 12 httpServletResponse.setContentType("application/json; charset=utf-8"); 13 PrintWriter printWriter = httpServletResponse.getWriter(); 14 httpServletResponse.getWriter().write("AuthenticationEntryPoint檢測到異常:"+e); 15 printWriter.flush(); 16 } 17 }
UserDetailsService驗證用戶名、密碼和授權處理,實現從數據庫查詢用戶功能
1 /** 2 * 根據賬號查詢用戶 3 */ 4 @Component 5 public class MyUserDetailsService implements UserDetailsService { 6 7 @Autowired 8 private UserMapper userMapper; 9 10 11 12 @Override 13 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 14 15 //從數據庫讀取該用戶 16 User user = userMapper.findByUserName(username); 17 // 用戶不存在,拋出異常 18 if (user == null){ 19 throw new UsernameNotFoundException("用戶不存在"); 20 } 21 //將數據庫形式的roles解析為UserDtails的權限集 22 // farmer.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList(farmer.getRoles())); 23 List<GrantedAuthority> authorities = generateAuthorities(user.getRoles()); 24 user.setAuthorities(authorities); 25 return user; 26 27 //基於內存驗證用戶信息 28 // UserDetails userDetails = Farmer.withUsername("123").password("123").roles("USER").build(); 29 // return userDetails; 30 } 31 32 //自定義實現權限轉換 33 private List<GrantedAuthority> generateAuthorities(String roles){ 34 List<GrantedAuthority> authorities = new ArrayList<>(); 35 String[] roleArray = roles.split(","); 36 if (roles != null && !"".equals(roles)){ 37 for (String role : roleArray) { 38 authorities.add(new SimpleGrantedAuthority(role)); 39 } 40 } 41 return authorities; 42 } 43 }
token過濾器進行解析判斷是否登錄,繼承OncePerRequestFilter類
1 /** 2 * token 過濾器,在這里解析token,拿到該用戶角色,設置到springsecurity的上下文環境中,讓springsecurity自動判斷權限 3 * 所有請求最先進入此過濾器,包括登錄接口,而且在springsecurity的密碼驗證之前執行 4 */ 5 @Component 6 public class MyJwtTokenFilter extends OncePerRequestFilter { 7 8 @Autowired 9 MyUserDetailsService myUserDetailsService; 10 @Autowired 11 private JwtTokenUtil jwtTokenUtil; 12 13 14 @Override 15 protected void doFilterInternal(HttpServletRequest request, 16 HttpServletResponse response, 17 FilterChain chain) 18 throws ServletException, IOException { 19 20 String authHeader = request.getHeader("Authorization"); 21 String tokenHead = "Bearer "; 22 23 if (authHeader != null && authHeader.startsWith(tokenHead)) { 24 String authToken = authHeader.substring(tokenHead.length()); 25 String username = jwtTokenUtil.getUsernameFromToken(authToken); 26 if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { 27 UserDetails userDetails = this.myUserDetailsService.loadUserByUsername(username); 28 //驗證令牌是否有效 29 if (jwtTokenUtil.validateToken(authToken, userDetails)) { 30 UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); 31 authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); 32 SecurityContextHolder.getContext().setAuthentication(authentication); 33 } 34 } 35 } 36 chain.doFilter(request, response); 37 } 38 }
JWT工具類
1 @Component 2 public class JwtTokenUtil implements Serializable { 3 /** 4 * 密鑰 5 */ 6 private final String secret = "aaaaaaaa"; 7 8 /** 9 * 從數據聲明生成令牌 10 * 11 * @param claims 數據聲明 12 * @return 令牌 13 */ 14 private String generateToken(Map<String, Object> claims) { 15 Date expirationDate = new Date(System.currentTimeMillis() + 2592000L * 1000); 16 return Jwts.builder().setClaims(claims).setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, secret).compact(); 17 } 18 19 /** 20 * 從令牌中獲取數據聲明 21 * 22 * @param token 令牌 23 * @return 數據聲明 24 */ 25 private Claims getClaimsFromToken(String token) { 26 Claims claims; 27 try { 28 claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody(); 29 } catch (Exception e) { 30 claims = null; 31 } 32 return claims; 33 } 34 35 /** 36 * 生成令牌 37 * 38 * @param userDetails 用戶 39 * @return 令牌 40 */ 41 public String generateToken(UserDetails userDetails) { 42 Map<String, Object> claims = new HashMap<>(2); 43 claims.put("sub", userDetails.getUsername()); 44 claims.put("created", new Date()); 45 return generateToken(claims); 46 } 47 48 /** 49 * 從令牌中獲取用戶名 50 * 51 * @param token 令牌 52 * @return 用戶名 53 */ 54 public String getUsernameFromToken(String token) { 55 String username; 56 try { 57 Claims claims = getClaimsFromToken(token); 58 username = claims.getSubject(); 59 } catch (Exception e) { 60 username = null; 61 } 62 return username; 63 } 64 65 /** 66 * 判斷令牌是否過期 67 * 68 * @param token 令牌 69 * @return 是否過期 70 */ 71 public Boolean isTokenExpired(String token) { 72 try { 73 Claims claims = getClaimsFromToken(token); 74 Date expiration = claims.getExpiration(); 75 return expiration.before(new Date()); 76 } catch (Exception e) { 77 return false; 78 } 79 } 80 81 /** 82 * 刷新令牌 83 * 84 * @param token 原令牌 85 * @return 新令牌 86 */ 87 public String refreshToken(String token) { 88 String refreshedToken; 89 try { 90 Claims claims = getClaimsFromToken(token); 91 claims.put("created", new Date()); 92 refreshedToken = generateToken(claims); 93 } catch (Exception e) { 94 refreshedToken = null; 95 } 96 return refreshedToken; 97 } 98 99 /** 100 * 驗證令牌 101 * 102 * @param token 令牌 103 * @param userDetails 用戶 104 * @return 是否有效 105 */ 106 public Boolean validateToken(String token, UserDetails userDetails) { 107 User user = (User) userDetails; 108 String username = getUsernameFromToken(token); 109 return (username.equals(user.getUsername()) && !isTokenExpired(token)); 110 } 111 }
在pojo文件中,寫User實體類實現UserDetails類
1 public class User implements UserDetails{ 2 3 private int id; 4 private String username; 5 private String password; 6 private String roles; 7 8 9 private List<GrantedAuthority> authorities; 10 11 public int getId() { 12 return id; 13 } 14 15 public void setId(int id) { 16 this.id = id; 17 } 18 19 public void setUsername(String username) { 20 this.username = username; 21 } 22 23 public void setPassword(String password) { 24 this.password = password; 25 } 26 @Override 27 public String getPassword() { 28 return password; 29 } 30 31 @Override 32 public String getUsername() { 33 return username; 34 } 35 36 public String getRoles() { 37 return roles; 38 } 39 40 public void setRoles(String roles) { 41 this.roles = roles; 42 } 43 44 public void setAuthorities(List<GrantedAuthority> authorities) { 45 this.authorities = authorities; 46 } 47 48 @Override 49 public Collection<? extends GrantedAuthority> getAuthorities() { 50 return this.authorities; 51 } 52 53 54 //賬號是否沒過期 55 @Override 56 public boolean isAccountNonExpired() { 57 return true; 58 } 59 //賬號是否沒被鎖定 60 @Override 61 public boolean isAccountNonLocked() { 62 return true; 63 } 64 //密碼是否沒過期 65 @Override 66 public boolean isCredentialsNonExpired() { 67 return true; 68 } 69 //賬號是否可用 70 @Override 71 public boolean isEnabled() { 72 return true; 73 } 74 75 @Override 76 public String toString() { 77 return "User{" + 78 "id=" + id + 79 ", username='" + username + '\'' + 80 ", password='" + password + '\'' + 81 ", roles='" + roles + '\'' + 82 ", authorities=" + authorities + 83 '}'; 84 } 85 }
dao層,mapper.xml,數據庫可以進行簡單的配置進行測試。數據庫為Oracle,可以自行配置mysql或Oracle
數據庫就四個字段,id,username,password,權限
controller中有三個測試類
1 @RestController 2 @RequestMapping("/admin/api") 3 public class AdminController { 4 5 @GetMapping("hello") 6 @PreAuthorize("hasRole('ROLE_ADMIN')") 7 public String hello(){ 8 return "hello,admin"; 9 } 10 }
1 @RestController 2 @RequestMapping("/app/api") 3 public class AppController { 4 5 @GetMapping("hello") 6 public String hello(){ 7 return "hello,app"; 8 } 9 }
1 @RestController 2 @RequestMapping("/user/api") 3 public class UserController { 4 5 @GetMapping("/hello") 6 @PreAuthorize("hasAuthority('ROLE_USER')") 7 public String hello(){ 8 return "hello,user"; 9 } 10 }
在Postman中進行登錄測試
登錄成功顯示: farmerlogin是在SecurityConfig中自定義的,默認為login
會在Headers中生成一個token
這個token是自己定義的,在登錄成功處理類中生成的token令牌
在驗證時,在Key中存放 Authorization ,在Value中把生成的token保存進去,然后會在MyJwtTokenFilter類中進行令牌校驗
成功示例:
SendSmsSecurityConfig類為短信登錄的配置類,須在SecurityConfig進行聲明
SendSms文件中的類為短信登錄相關的配置,和本章並無沖突,遇到相關配置可直接刪除
不重要需要了可以配置結合:
1 @Configuration 2 public class TomcatConfig { 3 @Value("${bw.factory.doc.root}") 4 private String rootDoc; 5 @Bean 6 public AbstractServletWebServerFactory embeddedServletContainerFactory() { 7 8 TomcatServletWebServerFactory tomcatServletWebServerFactory = new TomcatServletWebServerFactory(); 9 tomcatServletWebServerFactory.setDocumentRoot( 10 new File(rootDoc)); 11 return tomcatServletWebServerFactory; 12 } 13 }