SpringClond微服务架构篇 五 、整合security鉴权篇

已于 2024-09-04 14:42:52 修改
阅读量853 收藏 8
点赞数 3
文章标签: java spring cloud spring 架构 微服务
于 2024-09-04 14:39:00 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ShiXZ213/article/details/141892235
版权

 Spring Security介绍


Spring Security是一个Java框架,用于保护应用程序的安全性。它提供了一套全面的安全解决方案,包括身份验证、授权、防止攻击等功能。Spring Security基于过滤器链的概念,可以轻松地集成到任何基于Spring的应用程序中。它支持多种身份验证选项和授权策略,开发人员可以根据需要选择适合的方式。此外,Spring Security还提供了一些附加功能,如集成第三方身份验证提供商和单点登录,以及会话管理和密码编码等。总之,Spring Security是一个强大且易于使用的框架,可以帮助开发人员提高应用程序的安全性和可靠性。

使用版本:

spring-boot-starter-security 2.7.10

springboot全家桶依赖 2.7.10

使用写法:

security 共两种写法 分别为mvc 与webflux 

本系统时间有限采用mvc方式,经典且自由。

思路一:如果采用webflux  可以与网关gateway模块合并鉴权。

一、加入依赖

  <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.7.10</version>
      </dependency>

二、配置文件配置(只给出了权限部分的)

jwt:
  token:
    header: Authorization
    expired: 10000 #token 过期时间 单位秒
    secret: cereshuzhitingnizhenbangcereshuzhitingnizhenbang #token 密钥
    refresh:
      expired: 30  #token 刷新时间 单位秒
security:
  noFilter:
    - /swagger-ui/**    # Swagger UI v3
    - /swagger-resources/**
    - /v2/api-docs/**  # Swagger v2
    - /auth/v2/api-docs
    - /v2/api-docs  # Swagger v2
    - /**/v2/api-docs  # Swagger v2
    - /webjars/**       # Webjars, typically for static resources
    - /favicon.ico      # Favicon
    - /css/**           # CSS files
    - /js/**            # JavaScript files
    - /images/**        # Images
    - /public/**        # Public folder
    - /static/**         # Static resources
    - /doc.html
    - /webjars/**
    - /system/logout
    - /login
    - /permission/**
    - /getCaptcha  #获取验证码
    - /system/sysUser/list
    - /**/doc.html

三、配置读取

SecurityPathConfig  白名单配置读取
JwtConfig  jwt token配置读取

JwtConfig.java

import lombok.Data;
import lombok.Getter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;

@Data
@ConfigurationProperties("jwt.token")
@Configuration
public class JwtConfig {
    //token 密钥
    private String secret;
    //token 过期时间 单位秒
    private Long expired;
    //token 刷新时间 单位秒
    @Value("${jwt.token.refresh.expired}")
    private Long refreshExpired;
    //header 请求鉴权头
    private String header;


}

 SecurityPathConfig.java

import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;

import java.util.List;

@ConfigurationProperties("security")
@Configuration
@Data
public class SecurityPathConfig {

    List<String> noFilter;
}

四、封装User对象实体

LoginDto为获取用户实体 根据自己的用户实体进行放入

import cn.hutool.core.lang.Assert;
import com.pinyi.supply.system.dto.LoginDto;
import com.pinyi.supply.system.model.SysUser;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;

public class LoginUser implements UserDetails {

    private LoginDto loginDto;

    public LoginDto getLoginDto() {
        return loginDto;
    }

    public void setLoginDto(LoginDto loginDto) {
        this.loginDto = loginDto;
    }

    private static final long serialVersionUID = 540L;
    private String password;

    private final String username;
    private final Collection<? extends GrantedAuthority> authorities;
    private final boolean accountNonExpired;
    private final boolean accountNonLocked;
    private final boolean credentialsNonExpired;
    private final boolean enabled;


    public LoginUser(LoginDto loginDto, String username, String password, Collection<? extends GrantedAuthority> authorities) {
        this(loginDto, username, password, true, true, true, true, authorities);
    }

    public LoginUser(LoginDto loginDto, String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
        Assert.isTrue(username != null && !"".equals(username) && password != null, "Cannot pass null or empty values to constructor");
        this.loginDto = loginDto;

        this.username = username;
        this.password = password;
        this.enabled = enabled;
        this.accountNonExpired = accountNonExpired;
        this.credentialsNonExpired = credentialsNonExpired;
        this.accountNonLocked = accountNonLocked;
        this.authorities = authorities;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }


    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return this.accountNonExpired;
    }

    @Override
    public boolean isAccountNonLocked() {
        return this.accountNonLocked;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return this.credentialsNonExpired;
    }

    @Override
    public boolean isEnabled() {
        return this.enabled;
    }
}

五、自定义获取用户

import com.pinyi.security.security.entity.LoginUser;
import com.pinyi.supply.system.dto.LoginDto;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;

@Service
public class UserDetailServiceImpl implements UserDetailsService {

    @Autowired
    SysUserService sysUserService;


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {


        System.out.println("查询用户");

        LoginDto userDto = sysUserService.getByUsername(username);
        if (userDto == null) {
            throw new UsernameNotFoundException("用户不存在");
        }
        return new LoginUser(userDto, userDto.getSysUser().getLoginName()
                , userDto.getSysUser().getPassword(), getUserAuthority(userDto.getPermissions()));
    }

    /**
     * 获取用户权限信息(角色、菜单权限)
     *
     * @param permissions
     * @return
     */
    public List<GrantedAuthority> getUserAuthority(List<String> permissions) {
        // 实际怎么写以数据表结构为准,这里只是写个例子
        // 角色(比如ROLE_admin),菜单操作权限(比如sys:user:list)
        List<GrantedAuthority> listPram = new ArrayList<>();
        for (String s : permissions) {
            listPram.add(new SimpleGrantedAuthority(s));
        }
        return listPram;
    }
}

六、查询用户service

remoteSystemService 采用的Feign 调用的用户服务获取信息。
@Service
public class SysUserService {


    @Resource
    private RemoteSystemService remoteSystemService;

    public LoginDto getByUsername(String userName) {

        LoginDto result = remoteSystemService.getUserByUsername(userName);

        if (ObjectUtils.isEmpty(result)) {
            throw new UsernameNotFoundException("用户不存在");
        }
        return result;
    }
}

Feign 接口实例

import com.pinyi.security.security.feign.factory.RemoteAuthServiceFactory;
import com.pinyi.supply.common.http.HttpResult;
import com.pinyi.supply.system.dto.LoginDto;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@FeignClient(contextId = "systemService", value = "system", fallbackFactory = RemoteAuthServiceFactory.class)
public interface RemoteSystemService {


    @GetMapping("/sysUser/getUserByUsername")
    public LoginDto getUserByUsername(@RequestParam(value = "username") String username);
}

    七、登录实现

@Api(tags = "用户授权接口")
@RestController
@RequestMapping
public class AuthController {

    @Autowired
    LoginService loginService;
    @Autowired
    JwtTokenUtils jwtUtils;


    /**
     * 用户登录接口
     * 该方法处理用户登录请求,通过POST方法提交登录信息
     *
     * @param username 用户名,用于识别用户身份
     * @param password 密码,用户账户的安全凭证
     * @param captcha  验证码,用于防止暴力破解,提高登录安全性
     */
    @ApiOperation(value = "登录接口", notes = "登录接口")
    @ApiResponses(value = {
            @ApiResponse(code = 200, message = "成功", response = HttpResult.class),
            @ApiResponse(code = 500, message = "服务器内部错误")
    })
    @PostMapping("/login")
    public void login(@ApiParam(value = "账号", required = true) @RequestParam(value = "username") String username,
                      @ApiParam(value = "密码", required = true) @RequestParam(value = "password") String password,
                      @ApiParam(value = "验证码", required = true) @RequestParam(value = "captcha") String captcha) {
        loginService.login(new LoginEntity(username, password, captcha));
    }





    /**
     * 获取验证码接口
     *
     * @param request  HTTP请求对象
     * @param response HTTP响应对象
     * @param username 用户名,用于识别请求验证码的用户
     * @return 返回HttpResult对象,包含验证码信息
     * <p>
     * 说明:
     * 1. 该方法通过调用loginService.addCaptcha(username)生成验证码,并将验证码与用户名关联后存储。
     * 2. 成功生成验证码后,通过HttpResult对象返回验证码信息。
     * 3. 该方法使用@GetMapping注解,指定请求URL为"/getCaptcha",处理GET类型的请求。
     */
    @ApiOperation(value = "获取验证码", notes = "获取验证码")
    @ApiImplicitParams({
            @ApiImplicitParam(name = "username", value = "用户名", required = true, dataType = "String", paramType = "query")
    })
    @GetMapping("/getCaptcha")
    public HttpResult getCaptcha(HttpServletRequest request, HttpServletResponse response, String username) {
        String captcha = loginService.addCaptcha(username);
        return HttpResult.success("获取成功", captcha);
    }

}

登录service接口

import com.pinyi.security.security.entity.dto.LoginEntity;
import com.pinyi.supply.system.dto.LoginDto;

public interface LoginService {

    /**
     * 登录
     * @param entity 登录对象
     * @return token
     */
    String login(LoginEntity entity);


    /**
     * 获取用户信息
     * @return 用户信息
     */
    LoginDto getUserInfo();


    /**
     * 退出登录
     * @return 是否成功
     */
    Boolean logout();

    /**
     * 获取验证码
     * @param username 用户名
     * @return 验证码
     */
    String addCaptcha(String username);


}

实现service


import com.pinyi.security.security.entity.dto.LoginEntity;
import com.pinyi.supply.common.utils.StringUtils;
import com.pinyi.supply.redis.service.RedisService;
import com.pinyi.supply.system.dto.LoginDto;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

import javax.annotation.Resource;
import java.util.Objects;
import java.util.concurrent.ThreadLocalRandom;

import static com.pinyi.supply.redis.enuns.RedisCacheEnum.CAPTCHA_PATH;

@Service
public class LoginServiceImpl implements LoginService {


    @Resource
    private AuthenticationManager authenticationManager;
    @Resource
    private RedisService redisService;


    /**
     * 登录方法
     *
     * @param entity 登录对象
     * @return 登录结果
     */
    @Override
    public String login(LoginEntity entity) {
        //进行用户认证
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(entity.getUsername(), entity.getPassword());
        Authentication authenticate = authenticationManager.authenticate(authenticationToken);
        //认证未通过,给出提示
        if (Objects.isNull(authenticate)) {
            throw new RuntimeException("登陆失败!");

        }
        return "";
    }

    /**
     * 获取用户信息
     *
     * @return 用户信息
     */
    @Override
    public LoginDto getUserInfo() {
        UsernamePasswordAuthenticationToken authenticationToken = (UsernamePasswordAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
         //details里面可能存放了当前登录用户的详细信息,也可以通过cast后拿到
        LoginDto loginDto = (LoginDto) authenticationToken.getPrincipal();
        if (loginDto != null && loginDto.getSysUser() != null) {
            loginDto.getSysUser().setPassword(null);
        }
        return loginDto;
    }

    @Override
    public Boolean logout() {
        return true;
    }

    /**
     * 生成并返回一个随机的验证码
     *
     * @param username 用户名,此参数在本方法中未被使用
     * @return 返回一个随机生成的验证码字符串
     * <p>
     * 方法说明:
     * 1. 该方法的作用是添加并返回一个随机验证码,验证码与特定用户无关,因此不使用username参数
     * 2. 验证码生成的具体逻辑在random3()方法中,此处应调用random3()以获取验证码
     * 3. 由于方法功能简单明了,故无需额外导入类或复杂逻辑
     */
    @Override
    public String addCaptcha(String username) {
        if (StringUtils.isBlank(username)) {
            throw new RuntimeException("用户名不能为空");
        }
        String code = random3();
        //redis存储
        redisService.set(CAPTCHA_PATH.getPath() + username, code, 120);
        return code;
    }

    /**
     * 生成并返回一个随机的验证码
     *
     * @return 返回一个随机生成的验证码字符串
     * <p>
     * 方法说明:
     * 1. 该方法的作用是添加并返回一个随机验证码,验证码与特定用户无关,因此不使用username参数
     * 2. 验证码生成的具体逻辑在random3()方法中,此处应调用random3()以获取验证码
     * 3. 由于方法功能简单明了,故无需额外导入类或复杂逻辑
     */
    private static String random3() {
        // jdk1.7出的随机生成数,关键还并发安全
        // nextInt(int origin, int bound) 范围:[origin,bound)
        return String.valueOf(ThreadLocalRandom.current().nextInt(100000, 1000000));
    }

}

八、security配置config

由于配置了加密

BCryptPasswordEncoder 所以用户密码要存储该方式加密字符

import com.pinyi.security.security.filter.CaptchaFilter;
import com.pinyi.security.security.filter.JwtAuthenticationEntryPoint;
import com.pinyi.security.security.filter.JwtAuthenticationFilter;
import com.pinyi.security.security.handler.*;
import com.pinyi.security.security.service.UserDetailServiceImpl;
import com.pinyi.security.security.utils.JwtTokenUtils;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    LoginFailureHandler loginFailureHandler;

    @Autowired
    LoginSuccessHandler loginSuccessHandler;

    @Autowired
    CaptchaFilter captchaFilter;

    @Autowired
    JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

    @Autowired
    JwtAccessDeniedHandler jwtAccessDeniedHandler;

    @Autowired
    UserDetailServiceImpl userDetailService;

    @Autowired
    JWTLogoutSuccessHandler jwtLogoutSuccessHandler;
    @Autowired
    JwtCustomLogoutHandler jwtCustomLogoutHandler;


    @Autowired
    SecurityPathConfig securityPathConfig;
    @Autowired
    JwtTokenUtils jwtTokenUtils;

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Bean
    JwtAuthenticationFilter jwtAuthenticationFilter() throws Exception {
        JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter(authenticationManager());
        return jwtAuthenticationFilter;
    }


    public String[] getOpenPaths() {
        return securityPathConfig.getNoFilter().toArray(new String[0]);
    }


//    @Bean
//    PasswordEncoder PasswordEncoder() {
//        return new PasswordEncoder();
//    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                // 登录配置
                .formLogin()
                .loginProcessingUrl("/login")
                .successHandler(loginSuccessHandler)
                .failureHandler(loginFailureHandler)

                .and()
                .logout()
                .addLogoutHandler(jwtCustomLogoutHandler)
                .permitAll()
                .logoutSuccessUrl("/")

                .logoutSuccessHandler(jwtLogoutSuccessHandler)

                // 禁用session
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                // 配置拦截规则
                .and()
                .authorizeRequests()
                .antMatchers(getOpenPaths()).permitAll()
                .anyRequest().authenticated()
                // 异常处理器
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(jwtAuthenticationEntryPoint)
                .accessDeniedHandler(jwtAccessDeniedHandler)

                // 配置自定义的过滤器
                .and()
                .addFilter(jwtAuthenticationFilter())
                // 验证码过滤器放在UsernamePassword过滤器之前
                .addFilterBefore(captchaFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(jwtAuthenticationFilter(), LogoutFilter.class)
        ;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailService);
    }
}

九、拦截器处理

使用拦截器介绍

CaptchaFilter 验证码拦截器 (只登录时拦截)

import com.pinyi.security.security.exception.CaptchaException;
import com.pinyi.security.security.handler.LoginFailureHandler;
import com.pinyi.supply.redis.enuns.RedisCacheEnum;
import com.pinyi.supply.redis.service.RedisService;
import lombok.extern.log4j.Log4j2;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Objects;

@Component
@Log4j2
public class CaptchaFilter extends OncePerRequestFilter {

    private static final String LOGIN_URL = "/login";
    private static final String POST_METHOD = "POST";

    @Autowired
    LoginFailureHandler loginFailureHandler;
    @Autowired
    private RedisService redisService;

    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        log.debug("验证码拦截器处理");
        String url = httpServletRequest.getRequestURI();
        String method = httpServletRequest.getMethod();

        if (Objects.equals(LOGIN_URL, url) && Objects.equals(POST_METHOD, method)) {
            handleLoginValidation(httpServletRequest, httpServletResponse);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }


    // 处理登录验证码
    private void handleLoginValidation(HttpServletRequest request, HttpServletResponse response) throws CaptchaException, ServletException, IOException {
        try {
            validate(request);
        } catch (CaptchaException e) {
            log.error("验证码校验失败: {}", e.getMessage(), e);
            loginFailureHandler.onAuthenticationFailure(request, response, e);
        }
    }


    // 校验验证码逻辑
    private void validate(HttpServletRequest request) {
        String code = request.getParameter("captcha");
        String username = request.getParameter("username");

        if (StringUtils.isBlank(username) || StringUtils.isBlank(code)) {
            throw new CaptchaException("用户名与验证码不能为空");
        }

        if (redisService.hasKey(RedisCacheEnum.CAPTCHA_PATH.getPath() + username)) {
            String captcha = (String) redisService.get(RedisCacheEnum.CAPTCHA_PATH.getPath() + username);
            if (!captcha.equals(code)) {
                throw new CaptchaException("验证码错误");
            }
        } else {
            throw new CaptchaException("验证码已过期");
        }

        if (StringUtils.isBlank(code)) {
            throw new CaptchaException("验证码错误");
        }
    }
}

JwtAuthenticationEntryPoint 认证失败过滤器

import com.alibaba.fastjson.JSON;
import com.pinyi.security.security.enums.AuthorizationCodeEnum;
import com.pinyi.supply.common.http.HttpResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);

    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        logger.info("JWT认证失败处理器JwtAuthenticationEntryPoint");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK); // 使用常量代替数字提高可读性

        try (ServletOutputStream outputStream = httpServletResponse.getOutputStream()) {
            String jsonResult = JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TEMPORARILY_WITHOUT_AUTHORITY)); // 使用Jackson转换对象为JSON字符串
            outputStream.write(jsonResult.getBytes(StandardCharsets.UTF_8));
            outputStream.flush();
        } catch (IOException ex) {
            logger.error("Failed to write response", ex);
        }
    }
}

JwtAuthenticationFilter 每次请求(jwt身份)认证过滤器


import com.alibaba.fastjson.JSON;
import com.pinyi.security.security.config.JwtConfig;
import com.pinyi.security.security.config.SecurityPathConfig;
import com.pinyi.security.security.enums.AuthorizationCodeEnum;
import com.pinyi.security.security.service.SysUserService;
import com.pinyi.security.security.service.UserDetailServiceImpl;
import com.pinyi.security.security.utils.JwtTokenUtils;
import com.pinyi.security.security.utils.WhitelistChecker;
import com.pinyi.supply.common.exception.BusinessRuntimeException;
import com.pinyi.supply.common.http.HttpResult;
import com.pinyi.supply.common.utils.StringUtils;
import com.pinyi.supply.redis.enuns.RedisCacheEnum;
import com.pinyi.supply.redis.service.RedisService;
import com.pinyi.supply.system.dto.LoginDto;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    @Autowired
    JwtTokenUtils jwtUtils;

    @Autowired
    UserDetailServiceImpl userDetailService;

    @Autowired
    SysUserService sysUserService;
    @Autowired
    JwtConfig jwtConfig;
    @Autowired
    SecurityPathConfig securityPathConfig;
    @Autowired
    RedisService redisService;

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String url = request.getRequestURI();
        System.out.println("JWT过滤器,url-" + url);
        response.setCharacterEncoding("UTF-8");

        String jwt = request.getHeader(jwtConfig.getHeader());
        // 这里如果没有jwt,继续往后走,因为后面还有鉴权管理器等去判断是否拥有身份凭证,所以是可以放行的
        // 没有jwt相当于匿名访问,若有一些接口是需要权限的,则不能访问这些接口
        //跳过不需要验证token
        WhitelistChecker checker = new WhitelistChecker(securityPathConfig.getNoFilter());
        if (checker.isWhitelisted(url)) {
            chain.doFilter(request, response);
            return;
        }


        //校验jwt
        if (StringUtils.isBlank(jwt)) {
            //token为空
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_NULL)));
            return;
        }

        try {
            UsernamePasswordAuthenticationToken authentication = getAuthentication(request, response);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            chain.doFilter(request, response);
        } catch (ExpiredJwtException e) {
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_EXPIRED)));
            logger.error("Token已过期: {} " + e);
        } catch (UnsupportedJwtException e) {
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_FORMAT_ERROR)));
            logger.error("Token格式错误: {} " + e);
        } catch (MalformedJwtException e) {
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_IS_NOT_CONSTRUCTED_CORRECTLY)));
            logger.error("Token没有被正确构造: {} " + e);
        } catch (IllegalArgumentException e) {
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_INVALID_PARAMETER_IS_ABNORMAL)));
            logger.error("非法参数异常: {} " + e);
        } catch (Exception e) {
            response.getWriter().write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TOKEN_LESS)));
            logger.error("无效token" + e.getMessage());
        }

    }

    //获取用户凭证
    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String token = request.getHeader(jwtConfig.getHeader());
        if (token != null) {
            String userName = "";
            LoginDto loginDto = null;
            try {
                // 解密Token
                userName = jwtUtils.getUserName(token);
                if (StringUtils.isNotBlank(userName)) {
                    // 判断redis是否包含该用户信息
                    boolean hasKey = redisService.hasKey(RedisCacheEnum.LOGIN_PATH.getPath() + userName + RedisCacheEnum.USER_PATH.getPath());
                    if (!hasKey) {
                    throw  new BusinessRuntimeException("登录已过期,请重新登录");
                    }
                    loginDto = JSON.parseObject(redisService.get(RedisCacheEnum.LOGIN_PATH.getPath() + userName + RedisCacheEnum.USER_PATH.getPath()).toString(), LoginDto.class);
                    // 构建UsernamePasswordAuthenticationToken,这里密码为null,是因为提供了正确的JWT,实现自动登录
                    UsernamePasswordAuthenticationToken tokenAuth = new UsernamePasswordAuthenticationToken(loginDto, null, userDetailService.getUserAuthority(loginDto.getPermissions()));
                    return tokenAuth;

                }
            } catch (ExpiredJwtException e) {
                throw e;
                //throw new TokenException("Token已过期");
            } catch (UnsupportedJwtException e) {
                throw e;
                //throw new TokenException("Token格式错误");
            } catch (MalformedJwtException e) {
                throw e;
                //throw new TokenException("Token没有被正确构造");
            } catch (IllegalArgumentException e) {
                throw e;
                //throw new TokenException("非法参数异常");
            } catch (Exception e) {
                throw e;
                //throw new IllegalStateException("Invalid Token. "+e.getMessage());
            }
            return null;
        }
        return null;
    }

}

JwtAccessDeniedHandler 无权限访问

import com.alibaba.fastjson.JSON;
import com.pinyi.security.security.enums.AuthorizationCodeEnum;
import com.pinyi.supply.common.http.HttpResult;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * @author :Shixing
 * @date :Created in 2020/7/14 11:04
 * @description:无权限访问拦截
 */
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        System.out.println("无权限访问");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        outputStream.write(JSON.toJSONString(HttpResult.error(AuthorizationCodeEnum.TEMPORARILY_WITHOUT_AUTHORITY)).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

JwtCustomLogoutHandler 自定义登出实现

import com.pinyi.supply.redis.enuns.RedisCacheEnum;
import com.pinyi.supply.redis.service.RedisService;
import com.pinyi.supply.system.dto.LoginDto;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Component
public class JwtCustomLogoutHandler implements LogoutHandler {

    @Autowired
    RedisService redisService;

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        System.out.println("自定义登出方法拦截");
        LoginDto loginDto = (LoginDto) authentication.getPrincipal();
        //删除redis缓存
        String[] keys = {
                RedisCacheEnum.LOGIN_PATH.getPath() + loginDto.getSysUser().getLoginName() + RedisCacheEnum.USER_PATH.getPath(),
                RedisCacheEnum.LOGIN_PATH.getPath() + loginDto.getSysUser().getLoginName() + RedisCacheEnum.PARAMETER_PATH.getPath(),
                RedisCacheEnum.LOGIN_PATH.getPath() + loginDto.getSysUser().getLoginName() + RedisCacheEnum.TOKEN_PATH.getPath()
        };
        redisService.del(keys);
        //TODO 记录登出日志

    }
}

JWTLogoutSuccessHandler 登出成功拦截


@Component
public class JWTLogoutSuccessHandler implements LogoutSuccessHandler {

    @Autowired
    JwtTokenUtils jwtUtils;

    @Autowired
    JwtConfig jwtConfig;


    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        System.out.println("登出方法拦截");
        if (authentication != null) {
            new SecurityContextLogoutHandler().logout(httpServletRequest, httpServletResponse, authentication);
        }

        httpServletResponse.setContentType("application/json;charset=UTF-8");
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        httpServletResponse.setHeader(jwtConfig.getHeader(), "");

        outputStream.write(JSONUtil.toJsonStr(HttpResult.success("登出成功")).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

LoginFailureHandler 登录失败拦截


import cn.hutool.json.JSONUtil;
import com.pinyi.security.security.enums.AuthorizationCodeEnum;
import com.pinyi.security.security.exception.CaptchaException;
import com.pinyi.supply.common.http.HttpResult;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * 登录失败处理器
 *
 * @author shixing
 * @create 2021-05-07-22:06
 */
@Component
public class LoginFailureHandler implements AuthenticationFailureHandler {


    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        response.setContentType("application/json;charset=UTF-8");
        String lang = request.getHeader("lang");
        String msg = AuthorizationCodeEnum.UNKNOWN_ERROR.getMsg();
        if (exception instanceof BadCredentialsException) {
            msg = exception.getMessage();
        } else if (exception instanceof CaptchaException) {
            msg = exception.getMessage();
        } else if (exception != null) {
            msg = exception.getMessage();
            // 可以添加更多的异常处理逻辑
        }
        //返回错误信息
        try (ServletOutputStream outputStream = response.getOutputStream()) {
            outputStream.write(JSONUtil.toJsonStr(HttpResult.error(msg)).getBytes(StandardCharsets.UTF_8));
            outputStream.flush();
        }
        // 抛出异常,终止后续过滤器链的执行
        throw new ServletException("Authentication failed", exception);
    }
}

LoginSuccessHandler 登录成功拦截

import cn.hutool.json.JSONUtil;
import com.alibaba.fastjson.JSON;
import com.pinyi.security.security.config.JwtConfig;
import com.pinyi.security.security.entity.LoginUser;
import com.pinyi.security.security.utils.JwtTokenUtils;
import com.pinyi.supply.common.http.HttpResult;
import com.pinyi.supply.redis.enuns.RedisCacheEnum;
import com.pinyi.supply.redis.service.RedisService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

    @Autowired
    JwtTokenUtils jwtTokenUtils;
    @Autowired
    JwtConfig jwtConfig;
    @Autowired
    RedisService redisService;


    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        System.out.println("登录成功");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        //通过了,生成jwt
        LoginUser loginUser = (LoginUser) authentication.getPrincipal();
        String token = jwtTokenUtils.generateToken(loginUser.getUsername());
        //将用户信息存入redis
        httpServletResponse.setHeader(jwtConfig.getHeader(), token);
        redisService.set(RedisCacheEnum.LOGIN_PATH.getPath() + loginUser.getUsername() + RedisCacheEnum.USER_PATH.getPath(),
                JSON.toJSONString(loginUser.getLoginDto()), jwtConfig.getExpired() + 600);
        redisService.set(RedisCacheEnum.LOGIN_PATH.getPath() + loginUser.getUsername() + RedisCacheEnum.PARAMETER_PATH.getPath()
                , JSON.toJSONString(loginUser.getLoginDto().getPermissions()), jwtConfig.getExpired() + 600);
        redisService.set(RedisCacheEnum.LOGIN_PATH.getPath() + loginUser.getUsername() + RedisCacheEnum.TOKEN_PATH.getPath(),
                token, jwtConfig.getExpired() + 600);

        //删除验证码
        redisService.del(RedisCacheEnum.CAPTCHA_PATH.getPath() + loginUser.getUsername());
        outputStream.write(JSON.toJSONString(HttpResult.success("登录成功", token)).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

完结某些错误信息 自定义修改即可

ShiXZ213
关注
  • 3
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
SpringCloud微服务整合Spring Security进行统一鉴权
lyy的博客
04-15 3695
有一个大坑,记得如果是单机操作多个微服务项目,要给每个微服务添加session cookie name,如下server : port : 8003 servlet : session : cookie : #防止 Cookie 冲突,冲突会导致登录验证不通过一定一定要做这一步。
SpringCloud微服务整合Spring Security OAuth2
lyy的博客
04-12 3202
要记得引入common后也要做必要的配置,比如nacos,相关配置可见博客:https://blog.csdn.net/qq_41076797/article/details/128509393、https://blog.csdn.net/qq_41076797/article/details/128508723;外面请求进来先通过网关进行身份认证,未登录的去登录,已登录的网关找到auth进行鉴权,通过才放行到具体的普通功能性微服务。代码会在后面给出,因为这段代码在后面的配置文件中。
微服务Spring Cloud架构详解
Peter_Changyb的博客
01-22 7260
负载均衡在系统架构中是一个非常重要的内容,因为负载均衡是对系统的高可用、网络的压力的缓冲和处理能力扩容的重要手段之一,我们通常说的负载均衡都是指的是服务端的负载均衡,其中分为硬件负载均衡和软件负载均衡。Spring Cloud 封装了Netflix公司开发的Eureka模块来实现服务治理 在传统的rpc远程调用框架中,管理每个服务与服务之间依赖关系比较复杂,管理比较复杂,所以需要使用服务治理,管理服务于服务之间依赖关系,可以实现服务调用、负载均衡、容错等,实现服务发现与注册。
微服务架构下的‘黑带’安全大师:Spring Cloud Security全攻略!
Geek_H
05-28 1632
在数字化浪潮中,微服务架构如同一场盛大的国际美食节,而Spring Cloud Security则是这场盛宴的安全守护神。本文将带你深入后厨,揭秘如何使用Spring Cloud Security微服务间搭建坚不可摧的安全防线。从环境搭建到服务间通信,从安全策略设计到经典问题的巧妙应对,每一环节都充满了智慧和趣味。准备好了吗?让我们一起探索微服务美食广场的秘密,打造一个星级的安全防护!
springcloud微服务体系(一)— 基于security和jwt实现认证及鉴权服务
热门推荐
BecauseSy的博客
05-22 2万+
文章目录知识点讲解具体实现一、业务流程 知识点讲解 传统的单体应用体系下,应用是一个整体,一般针对所有的请求都会进行权限校验。请求一般会通过一个权限的拦截器进行权限的校验,在登录时将用户信息缓存到 session 中,后续访问则从缓存中获取用户信息 但在微服务架构下,一个应用会被拆分成若干个微应用,每个微应用都需要对访问进行鉴权,每个微应用都需要明确当前访问用户以及其权限。尤其当访问来源不只是浏览...
最新版微服务架构鉴权解决方案Spring Cloud Gateway + Oauth2.0+mybatis+mysql+redis+nacos 统一认证和鉴权
Dream_it_possible!的博客
04-29 1万+
环境列表 网关服务。以springboot+springcloud+gateway 实现的网关服务。 Nacos server注册中心。本地或云上的Nacos server。 普通微服务: user-service。需要将user-service注册到Nacos。 Auth2 server 授权服务器。 需要将Auth2 server注册到Nacos。 资源服务器。 将user-service 配置成资源服务器。Oauth2.0原理简介 授权服务器: 给具有权限的资源拥有者对
SpringCloud微服务全家桶
weixin_44889526的博客
11-16 1961
SpringCloud微服务全家桶1、单体架构单体架构示意图单体架构的优缺点优点缺点2、微服务概述微服务微服务架构技术维度理解微服务的优缺点微服务技术栈有哪些?3、springcloud入门官网说明SpringCloud=分布式微服务架构下的一站式解决方案SpringCloudSpringBoot是什么关系Dubbo和SpringCloudCAP理论SpringCloud国内使用情况国内4、Rest微服务构建案例工程模块创建工程pom父工程Eureka微服务注册与发现注册中心Eureka原理Eureka服
微服务-SpringCloud】详细介绍,搭建一套微服务项目
分享学习
06-06 2816
微服务(Microservices)是一种软件架构风格,它将一个大型的应用程序分解成一系列小的、自治的服务单元。每个服务单元都围绕着特定的业务能力构建,可以独立部署、运行和扩展,它们之间通过API(通常采用HTTP RESTful API)进行轻量级通信。这种架构风格强调服务的松耦合、高内聚和业务领域的边界清晰。Spring CloudSpring家族中的一个项目,它为开发人员提供了一套全面的工具和框架,用于快速构建分布式系统和微服务架构
SpringCloud微服务项目下的权限校验
心比天高的小菜鸟
12-15 3256
1.以前的单体架构权限验证 用户登录操作传入用户名和密码,传到后端,后端到DB里查询,如果查到就返回登录成功并把session信息存到内存中并把session的唯一标识(JessionId)返回给我们的浏览器,浏览器就会把我们的JessionId存到cookie里面,当我们下一次请求的时候,一样会被我们的登录拦截器拦截到,然后通过JessionId获取session判断你有没有登录过,如果有就说明你已经登录了,这是我们最传统的基于session的登录校验和登录,参考下图: 传统项目的问题: 1..
Spring Cloud Gateway 整合 Spring Security 统一登录认证鉴权
02-24
在构建分布式系统时,Spring Cloud Gateway 作为微服务架构中的边缘服务或 API 网关,扮演着至关重要的角色。它负责路由请求到相应的微服务,并可以提供过滤器功能,如限流、熔断等。而Spring Security 则是 Java ...
spring事务详细讲解-深入浅出
小电玩
09-08 265
Spring 事务是本身就是对数据库的事务的支持,没有数据库的事务 Spring 是本身无法实现事务的。Spring只提供了统一事务管理接口,具体的实现还是由各数据库自己实现。在使用 Spring 事务时,可以通过注解或编程方式将需要进行事务管理的方法和代码块标记为事务性操作,当这些操作被执行时,Spring 会负责开启时根据当前环境中设置的隔离级别,调整数据库隔离级别。
Java多线程:深入探索与详细解析
m0_63550220的博客
09-08 1133
作为Java中的基本执行单元,线程是轻量级的进程,由线程ID、程序计数器、Java虚拟机栈、本地方法栈、和线程私有内存等部分组成。每个线程都有独立的执行路径,但共享进程的资源(如内存)。:进程是系统资源分配的基本单位,它包含了一个或多个线程以及这些线程运行所需的资源。在Java中,JVM(Java虚拟机)就是一个进程,而运行在JVM上的多个线程则共享JVM的内存空间。:并发指的是多个任务在同一时间段内交替执行,而并行则指的是多个任务在同一时刻真正同时执行。
JAVA基础:值传递和址传递
weixin_53755148的博客
09-08 685
方法调用时,传递的实参是一个基本类型的数据形参改变,实参不变又称为地址传递,或引用传递方法调用时,传递的实参是一个引用类型的数据基本类型的数据,比较简单,可以直接存储在变量中引用类型的数据比较复杂,包含了一堆子数据,不能直接存储在变量中,存储在堆区,会为其分配一个内存地址我们在使用引用类型数据时,都是通过地址间接引用类型的数据所谓的地址传递,就是在方法调用时,传递的是引用类型的地址。形参(内容)改变,实参(内容)改变类似于值传递的址传递。
JAVA基础:数据类型、命名规范
weixin_53755148的博客
09-05 1290
变量类型就是用来指定变量中存储数据的类型。也称为数据类型。
okhttp,retrofit,rxjava 是如何配合工作的 作用分别是什么
追梦的鱼儿
09-04 643
OkHttp、Retrofit 和 RxJava 是 Android 开发中常用的三种库,它们各自有不同的作用,并且可以很好地配合工作来实现网络请求和响应的处理。
nmt---Docker-compose自动化部署
qq_69920145的博客
09-03 1034
static-rr 权重, leastconn 最少连接, source 请求IP, 轮询 roundrobin。# 这⾥是容器中的IP地址,由于配置的是轮询roundrobin,weight 权重其实没有⽣效。# 这⾥是容器中的IP地址,由于配置的是轮询roundrobin,weight 权重其实没有⽣效。# 在 mysql 创建⼀个没有权限的haproxy⽤户,密码为空。# 在 mysql 创建⼀个没有权限的haproxy⽤户,密码为空。10. docker-compose移除容器。
币安/OK现货合约量化系统APP开发
I592O929783的博客
09-08 402
后端:考虑系统需要处理大量实时数据和高频交易的特点,选择高性能的编程语言和技术框架,如Python的Django或Flask框架,JavaSpring Boot等。用户交互界面:设计直观易用的用户交互界面,包括交易界面、策略配置界面、风险管理界面等,方便用户进行交易操作、策略配置和风险管理。市场数据接入:开发市场数据接入模块,从币安等交易所或数据服务商获取实时的市场数据,包括行情数据、订单簿数据、成交数据等。前端:选择适合开发复杂界面的前端框架,如React、Vue.js等,以提供用户友好的交互界面。
基于SpringBoot的旅游管理系统
最新发布
heye0910032的博客
09-08 224
随着科技的发展,旅游管理系统的信息化成为提升旅游服务效率的关键。本系统采用JSP技术和SpringBoot框架,结合MySQL数据库,旨在实现一个功能全面、操作简便、安全可靠的旅游管理平台。系统通过需求分析、系统设计、功能实现和测试,确保了良好的用户体验和数据处理能力,为旅游业务的现代化管理提供了强有力的技术支持。本研究成功开发了一个基于SpringBoot的旅游管理系统,该系统通过集成多种旅游管理功能,显著提高了旅游服务的效率和质量。系统的用户友好界面和强大的后端功能,使得管理员和用户都能从中受益。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值