1. 簡介
Spring Security是一個功能強大且易於擴展的安全框架,主要用於為Java程序提供用戶認證(Authentication)和用戶授權(Authorization)功能。
用戶認證指的是驗證某個用戶是否合法,即驗證用戶名密碼是否正確;用戶授權指的是驗證用戶是否擁有訪問資源的權限。在一個系統中,用戶認證和授權是分不開的,既要保證用戶能合法登錄系統,也要保住用戶再訪問資源時具有足夠的權限。
JWT(Json Web Token)是為了在網絡應用環境間傳遞聲明而執行的一種基於JSON的開放標准。一般用於在身份提供者和服務提供者之間傳遞被認證成功的用戶身份信息,以便於從資源服務器獲取資源。基於無狀態、結構簡單、傳輸快且不會在服務端保存會話信息等的特點,在分布式系統認證授權場景中發揮重要作用。
本文使用SpringBoot整合SpringSecurity實現JWT Token認證授權。
2. 數據庫設計
| 表名稱 | 字段 | 說明 |
|---|---|---|
| sys_user | id(ID,主鍵) username(用戶名) password(密碼) status(狀態,0-正常,1-刪除,2-禁用) |
系統用戶表 |
| sys_role | id(ID,主鍵) role_name(角色名稱) |
系統角色表 |
| sys_auth | id(ID,主鍵) name(權限名稱) permission(權限標識) |
系統權限表 |
| sys_user_role | id(ID,主鍵) user_id(用戶ID) role_id(角色ID) |
系統用戶角色中間表 |
| sys_role_auth | id(ID,主鍵) role_id(角色ID) auth_id(角色權限ID) |
系統角色權限中間表 |
3. 搭建環境
- 創建項目
- 修改pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.c3stones</groupId>
<artifactId>spring-security-jwt-demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-security-jwt-demo</name>
<description>Spring Boot + Srping Security + Mybatis-Plus + JWT Demo</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.6.RELEASE</version>
</parent>
<properties>
<java.version>1.8</java.version>
<jjwt.version>0.9.0</jjwt.version>
<druid.version>1.1.6</druid.version>
<jwt.version>1.0.9.RELEASE</jwt.version>
<fastjson.version>1.2.45</fastjson.version>
<mybatis-plus.version>3.3.1</mybatis-plus.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!--Spring Security依賴 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Mybatis-Plus 依賴 -->
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>${mybatis-plus.version}</version>
</dependency>
<!-- Druid 連接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>${druid.version}</version>
</dependency>
<!-- StringUtils 工具 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<!-- JSON工具 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>${fastjson.version}</version>
</dependency>
<!-- JWT依賴 -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-jwt</artifactId>
<version>${jwt.version}</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>${jjwt.version}</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
- 添加配置文件application.yml
server:
port: 8080
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/security?useSSL=false&useUnicode=true&characterEncoding=utf-8&zeroDateTimeBehavior=convertToNull
username: root
password: 123456
# JWT配置
jwt:
# 密匙Key
secret: JWTSecret,C3Stones
# HeaderKey
tokenHeader: Authorization
# Token前綴
tokenPrefix: Bearer
# 過期時間,單位秒
expiration: 86400
# 配置白名單(不需要認證)
antMatchers: /login/**,/register/**,/static/**
# Mybatis-plus配置
mybatis-plus:
mapper-locations: classpath:mapper/*.xml
global-config:
db-config:
id-type: AUTO
configuration:
# 打印sql
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
- 添加Entity、Dao、Dao.xml、Serivce
以系統用戶SysUser為例,其余請自行添加。
創建實體類:
import java.io.Serializable;
import com.baomidou.mybatisplus.annotation.TableId;
import com.baomidou.mybatisplus.annotation.TableName;
import lombok.Data;
/**
* 系統用戶
*
* @author CL
*
*/
@Data
@TableName("sys_user")
public class SysUser implements Serializable {
private static final long serialVersionUID = 1L;
/**
* 用戶ID
*/
@TableId
private Long id;
/**
* 用戶名
*/
private String username;
/**
* 密碼
*/
private String password;
/**
* 狀態(0-正常,1-刪除,2-禁用)
*/
private String status;
}
創建Dao類:
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.c3stones.entity.SysUser;
/**
* 系統用戶Dao
*
* @author CL
*
*/
@Mapper
public interface SysUserDao extends BaseMapper<SysUser> {
}
在rsource目錄下創建mapper文件夾,並在文件夾下創建SysUserDao.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.c3stones.dao.SysUserDao">
</mapper>
創建Service:
import com.baomidou.mybatisplus.extension.service.IService;
import com.c3stones.entity.SysUser;
/**
* 系統用戶Service
*
* @author CL
*
*/
public interface SysUserService extends IService<SysUser> {
}
創建Service實現類:
import org.springframework.stereotype.Service;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.c3stones.dao.SysUserDao;
import com.c3stones.entity.SysUser;
import com.c3stones.service.SysUserService;
/**
* 系統用戶Service實現
*
* @author CL
*
*/
@Service
public class SysUserSerivceImpl extends ServiceImpl<SysUserDao, SysUser> implements SysUserService {
}
- 創建系統用戶詳情類,必須實現org.springframework.security.core.userdetails.UserDetails:
import java.io.Serializable;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import com.c3stones.entity.SysUser;
import lombok.Data;
import lombok.EqualsAndHashCode;
/**
* 系統用戶詳情
*
* @author CL
*
*/
@Data
@EqualsAndHashCode(callSuper = false)
public class SysUserDetails extends SysUser implements UserDetails, Serializable {
private static final long serialVersionUID = 1L;
/**
* 用戶角色
*/
private Collection<GrantedAuthority> authorities;
/**
* 賬號是否過期
*/
private boolean isAccountNonExpired = false;
/**
* 賬號是否鎖定
*/
private boolean isAccountNonLocked = false;
/**
* 證書是否過期
*/
private boolean isCredentialsNonExpired = false;
/**
* 賬號是否有效
*/
private boolean isEnabled = true;
/**
* 獲得用戶權限
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
/**
* 判斷賬號是否過期
*/
@Override
public boolean isAccountNonExpired() {
return isAccountNonExpired;
}
/**
* 判斷賬號是否鎖定
*/
@Override
public boolean isAccountNonLocked() {
return isAccountNonLocked;
}
/**
* 判斷證書是否過期
*/
@Override
public boolean isCredentialsNonExpired() {
return isCredentialsNonExpired;
}
/**
* 判斷賬號是否有效
*/
@Override
public boolean isEnabled() {
return isEnabled;
}
}
- 編寫JWT配置信息類:
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
/**
* JWT配置基礎類
*
* @author CL
*
*/
@Component
@ConfigurationProperties(prefix = "jwt")
@SuppressWarnings("static-access")
public class JWTConfig {
/**
* 密匙Key
*/
public static String secret;
/**
* HeaderKey
*/
public static String tokenHeader;
/**
* Token前綴
*/
public static String tokenPrefix;
/**
* 過期時間
*/
public static Integer expiration;
/**
* 配置白名單
*/
public static String antMatchers;
/**
* 將過期時間單位換算成毫秒
*
* @param expiration 過期時間,單位秒
*/
public void setExpiration(Integer expiration) {
this.expiration = expiration * 1000;
}
public void setSecret(String secret) {
this.secret = secret;
}
public void setTokenHeader(String tokenHeader) {
this.tokenHeader = tokenHeader;
}
public void setTokenPrefix(String tokenPrefix) {
this.tokenPrefix = tokenPrefix + " ";
}
public void setAntMatchers(String antMatchers) {
this.antMatchers = antMatchers;
}
}
4. 編寫工具類
- 創建響應工具類
import java.io.PrintWriter;
import javax.servlet.ServletResponse;
import com.alibaba.fastjson.JSON;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.extern.slf4j.Slf4j;
/**
* 響應結果工具類
*
* @author CL
*
*/
@Slf4j
@Data
@AllArgsConstructor
public class ResponseUtils {
/**
* 返回編碼
*/
private Integer code;
/**
* 返回消息
*/
private String msg;
/**
* 返回數據
*/
private Object data;
/**
* Response輸出Json格式
*
* @param response
* @param data 返回數據
*/
public static void responseJson(ServletResponse response, Object data) {
PrintWriter out = null;
try {
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json");
out = response.getWriter();
out.println(JSON.toJSONString(data));
out.flush();
} catch (Exception e) {
log.error("Response輸出Json異常:" + e);
} finally {
if (out != null) {
out.close();
}
}
}
/**
* 返回信息
*
* @param code 返回編碼
* @param msg 返回消息
* @param data 返回數據
* @return
*/
public static ResponseUtils response(Integer code, String msg, Object data) {
return new ResponseUtils(code, msg, data);
}
/**
* 返回成功
*
* @param data 返回數據
* @return
*/
public static ResponseUtils success(Object data) {
return ResponseUtils.response(200, "成功", data);
}
/**
* 返回失敗
*
* @param data 返回數據
* @return
*/
public static ResponseUtils fail(Object data) {
return ResponseUtils.response(500, "失敗", data);
}
}
- 編寫JWTToken工具類:
/**
* JWT生產Token工具類
*
* @author CL
*
*/
@Slf4j
public class JWTTokenUtil {
/**
* 創建Token
*
* @param sysUserDetails 用戶信息
* @return
*/
public static String createAccessToken(SysUserDetails sysUserDetails) {
String token = Jwts.builder().setId(// 設置JWT
sysUserDetails.getId().toString()) // 用戶Id
.setSubject(sysUserDetails.getUsername()) // 主題
.setIssuedAt(new Date()) // 簽發時間
.setIssuer("C3Stones") // 簽發者
.setExpiration(new Date(System.currentTimeMillis() + JWTConfig.expiration)) // 過期時間
.signWith(SignatureAlgorithm.HS512, JWTConfig.secret) // 簽名算法、密鑰
.claim("authorities", JSON.toJSONString(sysUserDetails.getAuthorities())).compact(); // 自定義其他屬性,如用戶組織機構ID,用戶所擁有的角色,用戶權限信息等
return JWTConfig.tokenPrefix + token;
}
/**
* 解析Token
*
* @param token Token信息
* @return
*/
public static SysUserDetails parseAccessToken(String token) {
SysUserDetails sysUserDetails = null;
if (StringUtils.isNotEmpty(token)) {
try {
// 去除JWT前綴
token = token.substring(JWTConfig.tokenPrefix.length());
// 解析Token
Claims claims = Jwts.parser().setSigningKey(JWTConfig.secret).parseClaimsJws(token).getBody();
// 獲取用戶信息
sysUserDetails = new SysUserDetails();
sysUserDetails.setId(Long.parseLong(claims.getId()));
sysUserDetails.setUsername(claims.getSubject());
// 獲取角色
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
String authority = claims.get("authorities").toString();
if (StringUtils.isNotEmpty(authority)) {
List<Map<String, String>> authorityList = JSON.parseObject(authority,
new TypeReference<List<Map<String, String>>>() {
});
for (Map<String, String> role : authorityList) {
if (!role.isEmpty()) {
authorities.add(new SimpleGrantedAuthority(role.get("authority")));
}
}
}
sysUserDetails.setAuthorities(authorities);
} catch (Exception e) {
log.error("解析Token異常:" + e);
}
}
return sysUserDetails;
}
}
5. 編寫Spring Security核心實現類
- 編寫無權限處理類
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import com.c3stones.utils.ResponseUtils;
/**
* 無權限處理類
*
* @author CL
*
*/
@Component
public class UserAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
ResponseUtils.responseJson(response, ResponseUtils.response(403, "拒絕訪問", accessDeniedException.getMessage()));
}
}
- 編寫未登錄處理類
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import com.c3stones.utils.ResponseUtils;
/**
* 未登錄處理類
*
* @author CL
*
*/
@Component
public class UserNotLoginHandler implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
ResponseUtils.responseJson(response, ResponseUtils.response(401, "未登錄", authException.getMessage()));
}
}
- 編寫登錄成功處理類
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.security.utils.JWTTokenUtil;
import com.c3stones.utils.ResponseUtils;
/**
* 登錄成功處理類
*
* @author CL
*
*/
@Component
public class UserLoginSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
SysUserDetails sysUserDetails = (SysUserDetails) authentication.getPrincipal();
String token = JWTTokenUtil.createAccessToken(sysUserDetails);
Map<String, String> tokenMap = new HashMap<>();
tokenMap.put("token", token);
ResponseUtils.responseJson(response, ResponseUtils.response(200, "登錄成功", tokenMap));
}
}
- 編寫登錄失敗處理類
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import com.c3stones.utils.ResponseUtils;
/**
* 登錄失敗處理類
*
* @author CL
*
*/
@Component
public class UserLoginFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) {
ResponseUtils.responseJson(response, ResponseUtils.response(500, "登錄失敗", exception.getMessage()));
}
}
- 編寫登出成功處理類
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;
import com.c3stones.utils.ResponseUtils;
/**
* 登出成功處理類
*
* @author CL
*
*/
@Component
public class UserLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
SecurityContextHolder.clearContext();
ResponseUtils.responseJson(response, ResponseUtils.response(200, "登出成功", null));
}
}
- 用戶Service、Dao中添加認證和授權時需要的方法
import java.util.List;
import com.baomidou.mybatisplus.extension.service.IService;
import com.c3stones.entity.SysAuth;
import com.c3stones.entity.SysRole;
import com.c3stones.entity.SysUser;
/**
* 系統用戶Service
*
* @author CL
*
*/
public interface SysUserService extends IService<SysUser> {
/**
* 根據用戶名稱查詢用戶信息
*
* @param username 用戶名稱
* @return
*/
SysUser findUserByUserName(String username);
/**
* 根據用戶ID查詢角色
*
* @param userId 用戶ID
* @return
*/
List<SysRole> findRoleByUserId(Long userId);
/**
* 根據用戶ID查詢權限
*
* @param userId 用戶ID
* @return
*/
List<SysAuth> findAuthByUserId(Long userId);
}
import java.util.List;
import org.springframework.stereotype.Service;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.c3stones.dao.SysUserDao;
import com.c3stones.entity.SysAuth;
import com.c3stones.entity.SysRole;
import com.c3stones.entity.SysUser;
import com.c3stones.service.SysUserService;
/**
* 系統用戶Service實現
*
* @author CL
*
*/
@Service
public class SysUserSerivceImpl extends ServiceImpl<SysUserDao, SysUser> implements SysUserService {
/**
* 根據用戶名稱查詢用戶信息
*
* @param username 用戶名稱
* @return
*/
@Override
public SysUser findUserByUserName(String username) {
return this.baseMapper.selectOne(
new QueryWrapper<SysUser>().lambda().eq(SysUser::getUsername, username).ne(SysUser::getStatus, "1"));
}
/**
* 根據用戶ID查詢角色
*
* @param userId 用戶ID
* @return
*/
@Override
public List<SysRole> findRoleByUserId(Long userId) {
return this.baseMapper.findRoleByUserId(userId);
}
/**
* 根據用戶ID查詢權限
*
* @param userId 用戶ID
* @return
*/
@Override
public List<SysAuth> findAuthByUserId(Long userId) {
return this.baseMapper.findAuthByUserId(userId);
}
}
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.c3stones.entity.SysAuth;
import com.c3stones.entity.SysRole;
import com.c3stones.entity.SysUser;
/**
* 系統用戶Dao
*
* @author CL
*
*/
@Mapper
public interface SysUserDao extends BaseMapper<SysUser> {
/**
* 根據用戶ID查詢角色
*
* @param userId 用戶ID
* @return
*/
List<SysRole> findRoleByUserId(Long userId);
/**
* 根據用戶ID查詢權限
*
* @param userId 用戶ID
* @return
*/
List<SysAuth> findAuthByUserId(Long userId);
}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.c3stones.dao.SysUserDao">
<!-- 根據用戶ID查詢角色 -->
<select id="findRoleByUserId" resultType="com.c3stones.entity.SysRole" parameterType="long">
SELECT
r.*
FROM
sys_role r
LEFT JOIN sys_user_role ur ON ur.role_id = r.id
WHERE
ur.user_id = #{userId}
</select>
<!-- 根據用戶ID查詢權限 -->
<select id="findAuthByUserId" resultType="com.c3stones.entity.SysAuth" parameterType="long">
SELECT
a.*
FROM
sys_auth a
LEFT JOIN sys_role_auth ra ON ra.auth_id = a.id
LEFT JOIN sys_user_role ur ON ur.role_id = ra.role_id
WHERE
ur.user_id = #{userId}
</select>
</mapper>
- 編寫用戶認證Service,必須實現org.springframework.security.core.userdetails.UserDetailsService
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.c3stones.entity.SysRole;
import com.c3stones.entity.SysUser;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.service.SysUserService;
/**
* 用戶登錄Service
*
* @author CL
*
*/
@Service
public class SysUserDetailsService implements UserDetailsService {
@Autowired
private SysUserService sysUserService;
/**
* 根據用戶名查用戶信息
*
* @param username 用戶名
* @return 用戶詳細信息
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser sysUser = sysUserService.findUserByUserName(username);
if (sysUser != null) {
SysUserDetails sysUserDetails = new SysUserDetails();
BeanUtils.copyProperties(sysUser, sysUserDetails);
Set<GrantedAuthority> authorities = new HashSet<>(); // 角色集合
List<SysRole> roleList = sysUserService.findRoleByUserId(sysUserDetails.getId());
roleList.forEach(role -> {
authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getRoleName()));
});
sysUserDetails.setAuthorities(authorities);
return sysUserDetails;
}
return null;
}
}
- 編寫用戶登錄驗證處理類
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Component;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.security.service.SysUserDetailsService;
/**
* 用戶登錄驗證處理類
*
* @author CL
*
*/
@Component
public class UserAuthenticationProvider implements AuthenticationProvider {
@Autowired
private SysUserDetailsService userDetailsService;
/**
* 身份驗證
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = (String) authentication.getPrincipal(); // 獲取用戶名
String password = (String) authentication.getCredentials(); // 獲取密碼
SysUserDetails sysUserDetails = (SysUserDetails) userDetailsService.loadUserByUsername(username);
if (sysUserDetails == null) {
throw new UsernameNotFoundException("用戶名不存在");
}
if (!new BCryptPasswordEncoder().matches(password, sysUserDetails.getPassword())) {
throw new BadCredentialsException("用戶名或密碼錯誤");
}
if (sysUserDetails.getStatus().equals("2")) {
throw new LockedException("用戶已禁用");
}
return new UsernamePasswordAuthenticationToken(sysUserDetails, password, sysUserDetails.getAuthorities());
}
/**
* 支持指定的身份驗證
*/
@Override
public boolean supports(Class<?> authentication) {
return true;
}
}
- 編寫用戶權限注解處理類
import java.io.Serializable;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import com.c3stones.entity.SysAuth;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.service.SysUserService;
/**
* 用戶權限注解處理類
*
* @author CL
*
*/
@Component
public class UserPermissionEvaluator implements PermissionEvaluator {
@Autowired
private SysUserService sysUserService;
/**
* 判斷是否擁有權限
*
* @param authentication 用戶身份
* @param targetUrl 目標路徑
* @param permission 路徑權限
*
* @return 是否擁有權限
*/
@Override
public boolean hasPermission(Authentication authentication, Object targetUrl, Object permission) {
SysUserDetails sysUserDetails = (SysUserDetails) authentication.getPrincipal();
Set<String> permissions = new HashSet<String>(); // 用戶權限
List<SysAuth> authList = sysUserService.findAuthByUserId(sysUserDetails.getId());
authList.forEach(auth -> {
permissions.add(auth.getPermission());
});
// 判斷是否擁有權限
if (permissions.contains(permission.toString())) {
return true;
}
return false;
}
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission) {
return false;
}
}
6. 編寫JWT過濾器
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import com.c3stones.security.config.JWTConfig;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.security.utils.JWTTokenUtil;
/**
* JWT權限過濾器,用於驗證Token是否合法
*
* @author CL
*
*/
public class JWTAuthenticationFilter extends BasicAuthenticationFilter {
public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
// 取出Token
String token = request.getHeader(JWTConfig.tokenHeader);
if (token != null && token.startsWith(JWTConfig.tokenPrefix)) {
SysUserDetails sysUserDetails = JWTTokenUtil.parseAccessToken(token);
if (sysUserDetails != null) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
sysUserDetails, sysUserDetails.getId(), sysUserDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
filterChain.doFilter(request, response);
}
}
7. 編寫Spring Security核心配置類
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import com.c3stones.security.UserAuthenticationProvider;
import com.c3stones.security.UserPermissionEvaluator;
import com.c3stones.security.filter.JWTAuthenticationFilter;
import com.c3stones.security.handler.UserAccessDeniedHandler;
import com.c3stones.security.handler.UserLoginFailureHandler;
import com.c3stones.security.handler.UserLoginSuccessHandler;
import com.c3stones.security.handler.UserLogoutSuccessHandler;
import com.c3stones.security.handler.UserNotLoginHandler;
/**
* 系統安全核心配置
*
* @author CL
*
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // 開啟方法權限注解
public class SysSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 無權限處理類
*/
@Autowired
private UserAccessDeniedHandler userAccessDeniedHandler;
/**
* 用戶未登錄處理類
*/
@Autowired
private UserNotLoginHandler userNotLoginHandler;
/**
* 用戶登錄成功處理類
*/
@Autowired
private UserLoginSuccessHandler userLoginSuccessHandler;
/**
* 用戶登錄失敗處理類
*/
@Autowired
private UserLoginFailureHandler userLoginFailureHandler;
/**
* 用戶登出成功處理類
*/
@Autowired
private UserLogoutSuccessHandler userLogoutSuccessHandler;
/**
* 用戶登錄驗證
*/
@Autowired
private UserAuthenticationProvider userAuthenticationProvider;
/**
* 用戶權限注解
*/
@Autowired
private UserPermissionEvaluator userPermissionEvaluator;
/**
* 加密方式
*
* @return
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 注入自定義PermissionEvaluator
*
* @return
*/
@Bean
public DefaultWebSecurityExpressionHandler userSecurityExpressionHandler() {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(userPermissionEvaluator);
return handler;
}
/**
* 用戶登錄驗證
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(userAuthenticationProvider);
}
/**
* 安全權限配置
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests() // 權限配置
.antMatchers(JWTConfig.antMatchers.split(",")).permitAll()// 獲取白名單(不進行權限驗證)
.anyRequest().authenticated() // 其他的需要登陸后才能訪問
.and().httpBasic().authenticationEntryPoint(userNotLoginHandler) // 配置未登錄處理類
.and().formLogin().loginProcessingUrl("/login/submit")// 配置登錄URL
.successHandler(userLoginSuccessHandler) // 配置登錄成功處理類
.failureHandler(userLoginFailureHandler) // 配置登錄失敗處理類
.and().logout().logoutUrl("/logout/submit")// 配置登出地址
.logoutSuccessHandler(userLogoutSuccessHandler) // 配置用戶登出處理類
.and().exceptionHandling().accessDeniedHandler(userAccessDeniedHandler)// 配置沒有權限處理類
.and().cors()// 開啟跨域
.and().csrf().disable(); // 禁用跨站請求偽造防護
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // 禁用session(使用Token認證)
http.headers().cacheControl(); // 禁用緩存
http.addFilter(new JWTAuthenticationFilter(authenticationManager())); //// 添加JWT過濾器
}
}
8. 編寫測試Controller
- 編寫注冊用戶Controller
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import com.c3stones.entity.SysUser;
import com.c3stones.entity.SysUserRole;
import com.c3stones.service.SysUserRoleService;
import com.c3stones.service.SysUserService;
import com.c3stones.utils.ResponseUtils;
/**
* 注冊用戶實例Contrller
*
* @author CL
*
*/
@RestController
@RequestMapping(value = "/register")
public class RegisterController {
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
private SysUserService sysUserService;
@Autowired
private SysUserRoleService sysUserRoleService;
/**
* 注冊普通用戶
*
* @param username 用戶名
* @param password 密碼
* @return
*/
@RequestMapping(value = "/user")
public ResponseUtils user(String username, String password) {
SysUser sysUser = new SysUser();
sysUser.setUsername(username);
sysUser.setPassword(bCryptPasswordEncoder.encode(password));
sysUser.setStatus("0");
sysUserService.save(sysUser);
// 注冊普通用戶
SysUserRole sysUserRole = new SysUserRole();
sysUserRole.setUserId(sysUser.getId());
sysUserRole.setRoleId(2L);
sysUserRoleService.save(sysUserRole);
return ResponseUtils.success(sysUser);
}
}
- 編寫普通用戶Controller
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import com.c3stones.entity.SysUser;
import com.c3stones.security.entity.SysUserDetails;
import com.c3stones.service.SysUserService;
import com.c3stones.utils.ResponseUtils;
/**
* 普通用戶Contrller
*
* @author CL
*
*/
@RestController
@RequestMapping(value = "/user")
public class UserController {
@Autowired
private SysUserService sysUserSerivce;
/**
* 查詢用戶信息
*
* @return
*/
@PreAuthorize(value = "hasPermission('/user/info', 'sys:user:info')")
@RequestMapping(value = "/info")
public ResponseUtils info() {
SysUserDetails sysUserDetails = (SysUserDetails) SecurityContextHolder.getContext().getAuthentication()
.getPrincipal();
SysUser sysUser = sysUserSerivce.getById(sysUserDetails.getId());
return ResponseUtils.success(sysUser);
}
}
- 編寫管理員Controller
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import com.c3stones.entity.SysAuth;
import com.c3stones.entity.SysRole;
import com.c3stones.entity.SysUser;
import com.c3stones.service.SysUserService;
import com.c3stones.utils.ResponseUtils;
/**
* 管理員Contrller
*
* @author CL
*
*/
@RestController
@RequestMapping(value = "/admin")
public class AdminController {
@Autowired
private SysUserService sysUserSerivce;
/**
* 查詢用戶信息
*
* @return
*/
@PreAuthorize(value = "hasRole('ADMIN')")
@RequestMapping(value = "/list")
public ResponseUtils list() {
List<SysUser> userList = sysUserSerivce.list();
return ResponseUtils.success(userList);
}
/**
* 查詢用戶角色
*
* @return
*/
@PreAuthorize(value = "hasRole('ADMIN') or hasPermission('/user/role', 'sys:role:info')")
@RequestMapping(value = "/role")
public ResponseUtils role(Long id) {
List<SysRole> roleList = sysUserSerivce.findRoleByUserId(id);
return ResponseUtils.success(roleList);
}
/**
* 查詢用戶權限
*
* @return
*/
@PreAuthorize(value = "hasAnyRole('ADMIN', 'USER') and hasPermission('/user/auth', 'sys:auth:info')")
@RequestMapping(value = "/auth")
public ResponseUtils auth(Long id) {
List<SysAuth> authList = sysUserSerivce.findAuthByUserId(id);
return ResponseUtils.success(authList);
}
}
9. 測試
使用curl插件進行測試,建議使用Postman測試。
# 注冊用戶:
curl "http://127.0.0.1:8080/register/user?username=C3Stones&password=123456"
# 結果:
{"code":200,"msg":"成功","data":{"id":3,"username":"C3Stones","password":"$2a$10$Z6a7DSehk58ypqyWzfFAbOR0gaqpwVzY9aNXKqf4UhDCSJxsbDqDK","status":"0"}}
# 查詢用戶信息:
curl "http://127.0.0.1:8080/user/info"
# 結果:
{"code":401,"data":"Full authentication is required to access this resource","msg":"未登錄"}
# 不存在用戶登錄:
curl -X POST "http://127.0.0.1:8080/login/submit?username=guest&password=123456"
# 結果:
{"code":500,"data":"用戶名不存在","msg":"登錄失敗"}
# 密碼錯誤用戶登錄:
curl -X POST "http://127.0.0.1:8080/login/submit?username=user&password=123"
# 結果:
{"code":500,"data":"用戶名或密碼錯誤","msg":"登錄失敗"}
# 將剛剛注冊的人的狀態在數據庫中改成2(禁用狀態),登錄:
curl -X POST "http://127.0.0.1:8080/login/submit?username=C3Stones&password=123456"
# 結果:
{"code":500,"data":"用戶已禁用","msg":"登錄失敗"}
# 普通用戶登錄:
curl -X POST "http://127.0.0.1:8080/login/submit?username=user&password=123456"
# 結果:
{"code":200,"data":{"token":"Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiIyIiwic3ViIjoidXNlciIsImlhdCI6MTU5NDcwNzA0OSwiaXNzIjoiQzNTdG9uZXMiLCJleHAiOjE1OTQ3OTM0NDksImF1dGhvcml0aWVzIjoiW3tcImF1dGhvcml0eVwiOlwiUk9MRV9VU0VSXCJ9XSJ9.PSwPsO-ECc6EHz84-nM881pMcMfbjOpzr5N2gpXj9ku-Z5YrjEP-_c08anrBalV2F4-MSA-oy8qQNM71b_QPSA"},"msg":"登錄成功"}
# 查詢用戶信息:
curl -H "Authorization:Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiIyIiwic3ViIjoidXNlciIsImlhdCI6MTU5NDcwNzA0OSwiaXNzIjoiQzNTdG9uZXMiLCJleHAiOjE1OTQ3OTM0NDksImF1dGhvcml0aWVzIjoiW3tcImF1dGhvcml0eVwiOlwiUk9MRV9VU0VSXCJ9XSJ9.PSwPsO-ECc6EHz84-nM881pMcMfbjOpzr5N2gpXj9ku-Z5YrjEP-_c08anrBalV2F4-MSA-oy8qQNM71b_QPSA" "http://127.0.0.1:8080/user/info"
# 結果:
{"code":200,"msg":"成功","data":{"id":2,"username":"user","password":"$2a$10$szHoqQ64g66PymVJkip98.Fap21Csy8w.RD8v5Dhq08BMEZ9KaSmS","status":"0"}}
# 查詢用戶列表:
curl -H "Authorization:Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiIyIiwic3ViIjoidXNlciIsImlhdCI6MTU5NDcwNzA0OSwiaXNzIjoiQzNTdG9uZXMiLCJleHAiOjE1OTQ3OTM0NDksImF1dGhvcml0aWVzIjoiW3tcImF1dGhvcml0eVwiOlwiUk9MRV9VU0VSXCJ9XSJ9.PSwPsO-ECc6EHz84-nM881pMcMfbjOpzr5N2gpXj9ku-Z5YrjEP-_c08anrBalV2F4-MSA-oy8qQNM71b_QPSA" "http://127.0.0.1:8080/admin/list"
# 結果:
{"code":403,"data":"不允許訪問","msg":"拒絕訪問"}
# 管理員登錄:
curl -X POST "http://127.0.0.1:8080/login/submit?username=admin&password=123456"
# 結果:
{"code":200,"data":{"token":"Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiIxIiwic3ViIjoiYWRtaW4iLCJpYXQiOjE1OTQ3MDc1MDAsImlzcyI6IkMzU3RvbmVzIiwiZXhwIjoxNTk0NzkzOTAwLCJhdXRob3JpdGllcyI6Ilt7XCJhdXRob3JpdHlcIjpcIlJPTEVfQURNSU5cIn1dIn0.3yL2Lpbmau5X6PA1OmnE4FFwOzrqwRaFcRa8OfRAgHY45VVJfGfm5kp8qfk96HvigaPQvzf8HmMC_Xx75Lwr8Q"},"msg":"登錄成功"}
# 查詢用戶列表:
curl -H "Authorization:Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiIxIiwic3ViIjoiYWRtaW4iLCJpYXQiOjE1OTQ3MDc1MDAsImlzcyI6IkMzU3RvbmVzIiwiZXhwIjoxNTk0NzkzOTAwLCJhdXRob3JpdGllcyI6Ilt7XCJhdXRob3JpdHlcIjpcIlJPTEVfQURNSU5cIn1dIn0.3yL2Lpbmau5X6PA1OmnE4FFwOzrqwRaFcRa8OfRAgHY45VVJfGfm5kp8qfk96HvigaPQvzf8HmMC_Xx75Lwr8Q" "http://127.0.0.1:8080/admin/list"
# 結果:
{"code":200,"msg":"成功","data":[{"id":1,"username":"admin","password":"$2a$10$5T851lZ7bc2U87zjt/9S6OkwmLW62tLeGLB2aCmq3XRZHA7OI7Dqa","status":"0"},{"id":2,"username":"
user","password":"$2a$10$szHoqQ64g66PymVJkip98.Fap21Csy8w.RD8v5Dhq08BMEZ9KaSmS","status":"0"},{"id":3,"username":"C3Stones","password":"$2a$10$O.1ynDeJtlaG9roOJoUZzukc6aGfqFo/YW5ErRERQD2eC5r5cV9dC","status":"0"}]}
10. 權限注解示例
| 權限注解 | 說明 |
|---|---|
| hasRole('ADMIN') | 擁有ADMIN角色才可訪問 |
| hasPermission('/user/list', 'sys:role:info') | 擁有sys:role:info權限才可訪問/user/list接口 |
| hasAnyRole('ADMIN', 'USER') | 擁有ADMIN角色或者USER角色均可訪問 |
| hasRole('ADMIN') and hasRole('USER') | 擁有ADMIN角色和USER角色才可訪問 |
| hasRole('ADMIN') or hasPermission('/user/list', 'sys:role:info') | 擁有ADMIN角色或者擁有sys:role:info權限均可訪問 |
其他權限注解請自行查找。