SpringBoot整合SpringSecurity

1. 引入依赖

1
2
3
4
5
6
7
8
9
10
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.0.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>

2. 实体类

用户实体类

1
2
3
4
5
6
7
8
public class User {
    private long userId;
    private String username;
    private String password;
    private List<Role> roles;
    
    // getter&setter
}

角色实体类

1
2
3
4
5
6
7
public class Role {
    private long id;
    private String name;
    private String nameZh;
    
    // getter&setter
}

用户详细信息实体类(继承了User,实现了org.springframework.security.core.userdetails.UserDetails

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
public class SecurityUserDetails extends User implements UserDetails {

    public SecurityUserDetails(User user) {
        if(user!=null) {
            this.setUserId(user.getUserId());
            this.setUsername(user.getUsername());
            this.setPassword(user.getPassword());
            this.setRoles(user.getRoles());
        }
    }

    // 获取用户权限
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorityList = new ArrayList<>();
        List<Role> roles = this.getRoles();
        if(roles!=null&&roles.size()>0){
            for (Role role : roles) {
                authorityList.add(new SimpleGrantedAuthority(role.getName()));
            }
        }
        return authorityList;
    }


    /**
     * 账户是否过期
     * @return
     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /**
     * 是否禁用
     * @return
     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /**
     * 密码是否过期
     * @return
     */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /**
     * 是否启用
     * @return
     */
    @Override
    public boolean isEnabled() {
        return true;
    }

}

3. 自定义用户信息服务类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import org.springframework.security.core.userdetails.UserDetailsService;

@Component(value="CustomUserDetailsService")
public class CustomUserDetailsService implements UserDetailsService {

   @Autowired
   private AuthDao authDao;

   /**
    * @Description:加载用户信息&权限
    * @param: username 用户名
    * @Return: org.springframework.security.core.userdetails.UserDetails
    */
   @Override
   public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
      //UsernamePasswordAuthenticationFilter
      SecurityUserDetails userDetail = new SecurityUserDetails(authDao.findByUsername(userName));
      if (userDetail == null) {
         throw new UsernameNotFoundException(String.format("No userDetail found with username '%s'.", userName));
      }
      List<Role> roles = authDao.findRoleByUserId(userDetail.getUserId());
      userDetail.setRoles(roles);
      return userDetail;
   }
}

4. Java Web Token工具类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
@Component
public class JwtUtils {

    @Value("${jwt.secret}")
    private String secret;

    @Value("${jwt.expiration}")
    private Long accessTokenExpiration;

    @Value("${jwt.header}")
    private String tokenHeader;

    @Value("${jwt.tokenHead}")
    private String tokenHead;

    public String getTokenHead() {
        return tokenHead;
    }

    public String getTokenHeader() {
        return tokenHeader;
    }

    /**
     * @Description:利用Jwts生成token
     * @param: userDetails
     * @Return: java.lang.String
     */
    public String generateAccessToken(UserDetails userDetails) {
        SecurityUserDetails securityUserDetails = (SecurityUserDetails) userDetails;
        //登陆成功生成JWT
        return Jwts.builder()
                //主题 放入用户名
                .setSubject(userDetails.getUsername())
                .setId(securityUserDetails.getUserId() + "")
                //自定义属性 放入用户拥有权限
                .claim(tokenHeader, JSON.toJSONString(securityUserDetails.getAuthorities()))
                //失效时间
                .setExpiration(new Date(System.currentTimeMillis() + accessTokenExpiration))
                //签名算法和密钥
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();

    }
    
    /**
     * 根据token生成用户信息
     * @param token
     * @return
     * @throws ExpiredJwtException
     * @throws UnsupportedJwtException
     * @throws MalformedJwtException
     * @throws SignatureException
     * @throws IllegalArgumentException
     */
    public UserDetails getUserFromToken(String token) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {

        Claims claims = Jwts.parser()
                .setSigningKey(secret)
                .parseClaimsJws(token.replace(tokenHead, ""))
                .getBody();

        User user = new User();
        user.setUserId(Long.parseLong(claims.getId()));
        user.setUsername(claims.getSubject());
        List<Role> roles = new ArrayList<>();
        Role role = null;
        String authority = claims.get(tokenHeader).toString();
        if(!org.springframework.util.StringUtils.isEmpty(authority)){
            List<Map<String,String>> authrityMap = JSONObject.parseObject(authority, List.class);
            for(Map<String,String> auth : authrityMap){
                role = new Role();
                role.setName(auth.get("authority"));
                roles.add(role);
            }
        }
        user.setRoles(roles);

        return new SecurityUserDetails(user);

    }
}

5. 处理类

  • 在访问一个受保护的资源,用户没有通过登录认证,则抛出登录认证异常。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
/**
 * @desc: 验证为未登陆状态会进入此方法,认证错误
 */
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {
    private final static Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);
    private static final long serialVersionUID = -8970718410437077606L;

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException) throws IOException {

        LOGGER.error("认证失败:" + authException.getMessage());
        response.setStatus(200);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");
        PrintWriter printWriter = response.getWriter();
        String body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.UNAUTHORIZED.code(),authException.getMessage()));
        printWriter.write(body);
        printWriter.flush();
    }
}
  • 在访问一个受保护的资源,用户通过了登录认证,但是权限不够,抛出授权异常
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
/**
 * @Description: 权限不足处理类
 *               自定义权限不足需要做的业务操作
 *               包括:处理权限不足的逻辑
 */
@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
        StringBuffer msg = new StringBuffer("请求: ");
        msg.append(request.getRequestURI()).append(" 权限不足,无法访问该资源.");
        response.setStatus(200);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");
        PrintWriter printWriter = response.getWriter();
        String body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.FORBIDDEN.code(),msg.toString()));
        printWriter.write(body);
        printWriter.flush();
    }
}

  • 登录成功后MyAuthenticationSuccessHandler类中onAuthenticationSuccess()被调用

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    /**
     * @Description: 登录成功处理类
     *               用户登录系统成功后,需要做的业务操作
     */
    @Component
    public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        private final static Logger LOGGER = LoggerFactory.getLogger(MyAuthenticationSuccessHandler.class);
        @Value("${jwt.tokenHead}")
        private String tokenHead;
        @Autowired
        JwtUtils jwtUtil;

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

            LOGGER.debug("认证通过,开始获取token");
            SecurityUserDetails securityUserDetails = (SecurityUserDetails)authentication.getPrincipal();
            String token = jwtUtil.generateAccessToken(securityUserDetails);
            token = tokenHead + token;
            LOGGER.debug("获取token:"+token);
            User user = new User();
            user.setUserId(securityUserDetails.getUserId());
            user.setUsername(securityUserDetails.getUsername());
            user.setRoles(securityUserDetails.getRoles());
            response.setStatus(200);
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json; charset=utf-8");
            PrintWriter printWriter = response.getWriter();
            String body = JSON.toJSONString(ResponseGenerator.genSuccessResult(new ResponseUserToken(token,user)));
            printWriter.write(body);
            printWriter.flush();
        }
    }

  • 登录失败后MyAuthenticationFailureHandler 类中onAuthenticationFailure()被调用

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    /**
     * @Description: 登录失败处理类
     *               用户登录系统失败后需要做的业务操作
     */
    @Component
    public class MyAuthenticationFailHandler extends SimpleUrlAuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,AuthenticationException e) throws IOException, ServletException {
            String body = "";
            if (e instanceof UsernameNotFoundException || e instanceof BadCredentialsException) {
                body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.UNAUTHORIZED.code(),"用户名或密码错误"));
            } else if (e instanceof DisabledException) {
                body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.UNAUTHORIZED.code(),"账户被禁用,请联系管理员"));
            } else {
                body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.UNAUTHORIZED.code(),"登录失败"));
            }
            response.setStatus(200);
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json; charset=utf-8");
            PrintWriter printWriter = response.getWriter();
            printWriter.write(body);
            printWriter.flush();
        }
    }

6. token过滤器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/**
 * @Description:
 * jwt认证token
 * 每次请求接口时,就会进入这里验证token是否合法token,
 */
@Component
public class JWTAuthenticationTokenFilter extends OncePerRequestFilter {
    private final static Logger LOGGER = LoggerFactory.getLogger(JWTAuthenticationTokenFilter.class);
    @Value("${jwt.header}")
    private String tokenHeader;
    @Value("${jwt.tokenHead}")
    private String tokenHead;
    @Autowired
    JwtUtils jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        LOGGER.info("开始认证JWT_TOKEN,tokenHeader:"+tokenHeader+",tokenHead:"+tokenHead);
        //获得accessToken
        String accessToken = request.getHeader(tokenHeader);
        if (null!=accessToken && accessToken.startsWith(tokenHead)) {
            try {
                UsernamePasswordAuthenticationToken authentication = getAuthentication(request, response);
                SecurityContextHolder.getContext().setAuthentication(authentication);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        chain.doFilter(request, response);
        return;
    }

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String token = request.getHeader(tokenHeader);
        if (!StringUtils.isEmpty(token)) {
            try {
                SecurityUserDetails userDetail = (SecurityUserDetails)jwtUtil.getUserFromToken(token);
                if(!StringUtils.isEmpty(userDetail.getUsername())) {
                    //此处password不能为null
                    User principal = new User(userDetail.getUsername(), "", userDetail.getAuthorities());
                    return new UsernamePasswordAuthenticationToken(principal, userDetail.getUserId(), userDetail.getAuthorities());
                }
            } catch (ExpiredJwtException e) {
                LOGGER.error("toekn超过有效期,请重新登");
                response.setStatus(200);
                response.setCharacterEncoding("UTF-8");
                response.setContentType("application/json; charset=utf-8");
                PrintWriter printWriter = response.getWriter();
                String body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.TOKEN_OUT.code(),"toekn超过有效期,请重新登"));
                printWriter.write(body);
                printWriter.flush();
            } catch (Exception e){
                LOGGER.error("token invalid"+e.getMessage());
                response.setStatus(200);
                response.setCharacterEncoding("UTF-8");
                response.setContentType("application/json; charset=utf-8");
                PrintWriter printWriter = response.getWriter();
                String body = JSON.toJSONString(ResponseGenerator.genFailResult(ResponseCode.LOGIN_ERROR.code(),"token invalid"));
                printWriter.write(body);
                printWriter.flush();
            }
        }
        return null;
    }
}

7. 自定义资源权限认证器和加载资源与权限的对应关系

  • 资源权限认证器
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
/**
 * @Description: 资源权限认证器,接口AccessDecisionManager也是必须实现的
 *               功能:证用户是否拥有所请求资源的权限
 *               详情:decide方法里面写的就是授权策略了,需要什么策略,可以自己写其中的策略逻辑
 *               认证通过就返回,不通过抛异常就行了,spring security会自动跳到权限不足处理类(WebSecurityConfig 类中配置文件上配的)
 */
@Component
public class MyAccessDecisionManager implements AccessDecisionManager {
    private final static Logger LOGGER = LoggerFactory.getLogger(MyAccessDecisionManager.class);

    /**
     *  授权策略
     *
     * decide()方法在url请求时才会调用,服务器启动时不会执行这个方法
     *
     * @param configAttributes 装载了请求的url允许的角色数组 。这里是从MyInvocationSecurityMetadataSource里的loadResourceDefine方法里的atts对象取出的角色数据赋予给了configAttributes对象
     * @param object url
     * @param authentication 装载了从数据库读出来的权限(角色) 数据。这里是从MyUserDetailService里的loadUserByUsername方法里的grantedAuths对象的值传过来给 authentication 对象,简单点就是从spring的全局缓存SecurityContextHolder中拿到的,里面是用户的权限信息
     *
     * 注意: Authentication authentication 如果是前后端分离 则有跨域问题,跨域情况下 authentication 无法获取当前登陆人的身份认证(登陆成功后),我尝试用token来效验权限
     *
     */
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        LOGGER.info("进入自定义MyAccessDecisionManager");
        // 无权限访问
        if(CollectionUtils.isEmpty(configAttributes)){
            LOGGER.info("无访问权限");
            throw new AccessDeniedException("无访问权限.");
        }
        Iterator<ConfigAttribute> iterator = configAttributes.iterator();
        while (iterator.hasNext()){
            ConfigAttribute configAttribute = iterator.next();
            String needRole = configAttribute.getAttribute();
            for(GrantedAuthority grantedAuthority : authentication.getAuthorities()){
                //grantedAuthority 为用户所被赋予的权限。 needRole 为访问相应的资源应该具有的权限。
                //判断两个请求的url的权限和用户具有的权限是否相同,如相同,允许访问 权限就是那些以ROLE_为前缀的角色
                if (needRole.trim().equals(grantedAuthority.getAuthority().trim())){
                    //匹配到对应的角色,则允许通过
                    LOGGER.info("所需权限:"+needRole.trim()+",拥有权限:"+grantedAuthority.getAuthority().trim());
                    return;
                }
            }
        }
        //该url具有访问权限,但是当前登录用户没有匹配到URL对应的权限,则抛出无权限错误
        LOGGER.info("无访问权限");
        throw  new AccessDeniedException("无访问权限.");
    }

    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}
  • 加载资源与权限的对应关系,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
/**
 * @Description: 加载资源与权限的对应关系,实现FilterInvocationSecurityMetadataSource接口也是必须的。
 *               这个类的工作是从数据库中获取授权信息。
 *               1.其中loadResourceDefine方法不是必须的,这个只是加载所有的资源与权限的对应关系并缓存起来,避免每次获取权限都访问数据库(提高性能),然后getAttributes根据参数(被拦截url)返回权限集合。
 *               这种缓存的实现其实有一个缺点,因为loadResourceDefine方法是放在构造器上调用的,而这个类的实例化只在web服务器启动时调用一次,那就是说loadResourceDefine方法只会调用一次,
 *               2.如果资源和权限的对应关系在启动后发生了改变,那么缓存起来的权限数据就和实际授权数据不一致,那就会授权错误了。但如果资源和权限对应关系是不会改变的,这种方法性能会好很多。
 *               要想解决权限数据的一致性,可以直接在getAttributes方法里面调用数据库操作获取权限数据,通过被拦截url获取数据库中的所有权限,封装成Collection<ConfigAttribute>返回就行了。(灵活、简单
 *               3.容器启动加载顺序:1:调用loadResourceDefine()方法  2:调用supports()方法   3:调用getAllConfigAttributes()方法
 */
@Component
public class MyInvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {
    private final static Logger LOGGER = LoggerFactory.getLogger(MyInvocationSecurityMetadataSourceService.class);
    //存放资源配置对象
    private Map<RequestMatcher, Collection<ConfigAttribute>> requestMap = null;

    @Autowired
    private RoleDao roleDao;

    public MyInvocationSecurityMetadataSourceService() {
    }

    public MyInvocationSecurityMetadataSourceService(LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap) {
        this.requestMap = requestMap;
        System.out.println(requestMap.size());
    }
    
    /**
     * 参数是要访问的url,返回这个url对应的所有权限(或角色)
     * 每次请求后台就会调用 得到请求所拥有的权限
     * 这个方法在url请求时才会调用,服务器启动时不会执行这个方法
     * getAttributes这个方法会根据你的请求路径去获取这个路径应该是有哪些权限才可以去访问。
     *
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        LOGGER.info("进入自定义MyInvocationSecurityMetadataSourceService");
        // object 是一个URL,被用户请求的url。
        String uri = ((FilterInvocation) object).getRequest().getRequestURI();
        LOGGER.info("请求 uri :" + uri);
        Collection<ConfigAttribute> atts = getRoles(uri);
        if(atts != null && atts.size() != 0){
            return  atts;
        }

        return null ;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        //要返回true 不然要报异常 SecurityMetadataSource does not support secure object class: class
        return true;
    }

    public Collection<ConfigAttribute> getRoles(String uri){
        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
        List<Role> roles = roleDao.getRoleByResource(uri);
        String authorizedSigns;
        ConfigAttribute configAttributes;
        for(Role r:roles){
            authorizedSigns = r.getName().trim();
            configAttributes = new SecurityConfig(authorizedSigns);
            atts.add(configAttributes);
        }

        return atts;
    }
}

8. 配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
server.port = 8089
# MYSQL配置
spring.datasource.url=jdbc:mysql://localhost:3306/springboot_token?useUnicode=true&characterEncoding=utf-8&serverTimezone=GMT%2B8&useSSL=false
spring.datasource.username=root
spring.datasource.password=123456
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
# Mybatis
mybatis.mapper-locations=classpath:mapper/*.xml
# Token
jwt.header=Authorization
jwt.secret=mySecret
#### token有效期半天(毫秒级)
jwt.expiration=60000000
jwt.tokenHead=Bearer
jwt.antMatchers=/auth/**,/swagger/**,/swagger-resources/**,/v2/api-docs,/**/*.html,/location/**

9. Web配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
/**
 * @Description:
 * web 安全性配置
 * 当用户登录时会进入此类的loadUserByUsername方法对用户进行验证,验证成功后会被保存在当前回话的principal对象中
 */
@Configuration
//启动web安全性
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   @Autowired
   JwtUtils jwtUtils;
   @Autowired
   private CustomUserDetailsService myUserDetailService;
   @Autowired
   private MyAuthenticationSuccessHandler myLoginSuccessHandler;
   @Autowired
   private MyAuthenticationFailHandler myLoginFailHandler;
   @Autowired
   private JwtAuthenticationEntryPoint myAuthEntryPointHandler;
   @Autowired
   private MyAccessDeniedHandler myAccessDeniedHandler;
   @Autowired
   private MyLogoutSuccessHandler myLogoutSuccessHandler;
   @Autowired
   private JWTAuthenticationTokenFilter jwtAuthenticationTokenFilter;
   @Autowired
   private MyAccessDecisionManager myAccessDecisionManager;
   @Autowired
   private MyInvocationSecurityMetadataSourceService myInvocationSecurityMetadataSourceService;

   // 不需要认证的接口
   @Value("${jwt.antMatchers}")
   private String antMatchers;

   /**
    * 置user-detail服务
    *
    * 方法描述
    * accountExpired(boolean)                定义账号是否已经过期
    * accountLocked(boolean)                 定义账号是否已经锁定
    * and()                                  用来连接配置
    * authorities(GrantedAuthority...)       授予某个用户一项或多项权限
    * authorities(List)                      授予某个用户一项或多项权限
    * authorities(String...)                 授予某个用户一项或多项权限
    * disabled(boolean)                      定义账号是否已被禁用
    * withUser(String)                       定义用户的用户名
    * password(String)                       定义用户的密码
    * roles(String...)                       授予某个用户一项或多项角色
    *
    * @param auth
    * @throws Exception
    */
   @Override
   protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      // myUserDetailService 类中获取了用户的用户名、密码、是否启用的信息、用户被所授予的权限,用来认证
      auth.userDetailsService(myUserDetailService).passwordEncoder(passwordEncoder());
   }


   /**
    * 配置如何通过拦截器保护请求
    * 指定哪些请求需要认证,哪些请求不需要认证,以及所需要的权限
    * 通过调用authorizeRequests()和anyRequest().authenticated()就会要求所有进入应用的HTTP请求都要进行认证
    *
    * 方法描述
    * anonymous()                                        允许匿名用户访问
    * authenticated()                                    允许经过认证的用户访问
    * denyAll()                                          无条件拒绝所有访问
    * fullyAuthenticated()                如果用户是完整的话(不是通过Remember-me功能认证的),就允许访问
    * hasAnyAuthority(String...)                 如果用户具备给定权限中的某一个的话,就允许访问
    * hasAnyRole(String...)                    如果用户具备给定角色中的某一个的话,就允许访问
    * hasAuthority(String)                     如果用户具备给定权限的话,就允许访问
    * hasIpAddress(String)                    如果请求来自给定IP地址的话,就允许访问
    * hasRole(String)                        如果用户具备给定角色的话,就允许访问
    * not()                               对其他访问方法的结果求反
    * permitAll()                           无条件允许访问
    * rememberMe()                          如果用户是通过Remember-me功能认证的,就允许访问
    * @param http
    * @throws Exception
    */
   @Override
   protected void configure(HttpSecurity http) throws Exception {
      // 关闭跨站请求防护
      http.csrf().disable()
            //基于token,所以不需要session;如果基于session 则表使用这段代码
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            //对请求进行认证
            //url认证配置顺序为:1.先配置放行不需要认证的 permitAll() 2.然后配置 需要特定权限的 hasRole() 3.最后配置 anyRequest().authenticated()
            .authorizeRequests()
            .antMatchers(antMatchers.split(",")).permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            //其他请求都需要进行认证,认证通过够才能访问
            // 待考证:如果使用重定向 httpServletRequest.getRequestDispatcher(url).forward(httpServletRequest,httpServletResponse); 重定向跳转的url不会被拦截(即在这里配置了重定向的url需要特定权限认证不起效),但是如果在Controller 方法上配置了方法级的权限则会进行拦截
            .anyRequest().authenticated()
            //注入自定义metaDataSource与decisionManager
            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
               public <O extends FilterSecurityInterceptor> O postProcess(O fsi) {
                  fsi.setRejectPublicInvocations(false);
                  // 在我们自己的项目中使用了如下两行,替换了accessDecisionManager 和 securityMetadataSource,也就是如上面所说的用 ObjectPostProcessor 来修改或替换由Java配置创建的许多Object实例,也可以直接在自定义的filter中定义
                  fsi.setAccessDecisionManager(myAccessDecisionManager);
                  fsi.setSecurityMetadataSource(myInvocationSecurityMetadataSourceService);
                  return fsi;
               }
            })
            .and()
            .exceptionHandling()
            //在访问一个受保护的资源,用户没有通过登录认证,则抛出登录认证异常,MyAuthenticationEntryPointHandler类中commence()就会调用
            .authenticationEntryPoint(myAuthEntryPointHandler)
            //在访问一个受保护的资源,用户通过了登录认证,但是权限不够,抛出授权异常,在myAccessDeniedHandler中处理
            .accessDeniedHandler(myAccessDeniedHandler)
            .and()
            .formLogin()
            //登录url
            .loginProcessingUrl("/auth/login")//此登录url 和Controller 无关系
            //登录成功跳转路径
            .successForwardUrl("/")
            //登录失败跳转路径
            .failureUrl("/")
            .permitAll()
            //登录成功后 MyAuthenticationSuccessHandler类中onAuthenticationSuccess()被调用
            .successHandler(myLoginSuccessHandler)
            //登录失败后MyAuthenticationFailureHandler 类中onAuthenticationFailure()被调用
            .failureHandler(myLoginFailHandler)
            .and()
            .logout()
            //退出系统url
            .logoutUrl("/auth/logout")
            //退出系统后的url跳转
            .logoutSuccessUrl("/")
            //退出系统后的 业务处理
            .logoutSuccessHandler(myLogoutSuccessHandler)
            .permitAll()
            .invalidateHttpSession(true);

      //添加JWT filter 验证其他请求的Token是否合法
      http.addFilterAfter(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
   }

   @Bean
   public PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
   }

   @Bean
   @Override
   public AuthenticationManager authenticationManagerBean() throws Exception {
      return super.authenticationManagerBean();
   }
}

10. 测试

  • /findUserById需要ROLE_USER角色
  • /all需要ROLE_ADMIN角色
  • test用户有ROLE_ADMIN角色,无ROLE_USER角色

无token访问

登录获取token

带token访问,有权限

带token访问,无权限

參考

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

硕士在读。乐于学习新知识、新技能,喜欢交流,喜欢分享。平时打羽毛球,看电影。期待自己的技术和能力能有不断地提升。