1.定义 Json Web Token 过滤器
ublic class JwtAuthenticationFilter extends OncePerRequestFilter {
private static final String AUTHENTICATION_PREFIX = "Bearer ";
/**
* 认证如果失败由该端点进行响应
*/
private AuthenticationEntryPoint authenticationEntryPoint = new SimpleAuthenticationEntryPoint();
private JwtTokenGenerator jwtTokenGenerator;
private JwtTokenStorage jwtTokenStorage;
public JwtAuthenticationFilter(JwtTokenGenerator jwtTokenGenerator, JwtTokenStorage jwtTokenStorage) {
this.jwtTokenGenerator = jwtTokenGenerator;
this.jwtTokenStorage = jwtTokenStorage;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
// 如果已经通过认证
if (SecurityContextHolder.getContext().getAuthentication() != null) {
chain.doFilter(request, response);
return;
}
// 获取 header 解析出 jwt 并进行认证 无token 直接进入下一个过滤器 因为 SecurityContext 的缘故 如果无权限并不会放行
String header = request.getHeader(HttpHeaders.AUTHORIZATION);
if (StringUtils.hasText(header) && header.startsWith(AUTHENTICATION_PREFIX)) {
String jwtToken = header.replace(AUTHENTICATION_PREFIX, "");
if (StringUtils.hasText(jwtToken)) {
try {
authenticationTokenHandle(jwtToken, request);
} catch (AuthenticationException e) {
authenticationEntryPoint.commence(request, response, e);
}
} else {
// 带安全头 没有带token
authenticationEntryPoint.commence(request, response, new AuthenticationCredentialsNotFoundException("token is not found"));
}
}
chain.doFilter(request, response);
}
/**
* 具体的认证方法 匿名访问不要携带token
* 有些逻辑自己补充 这里只做基本功能的实现
*
* @param jwtToken jwt token
* @param request request
*/
private void authenticationTokenHandle(String jwtToken, HttpServletRequest request) throws AuthenticationException {
// 根据我的实现 有效token才会被解析出来
JSONObject jsonObject = jwtTokenGenerator.decodeAndVerify(jwtToken);
if (Objects.nonNull(jsonObject)) {
String username = jsonObject.getStr("aud");
// 从缓存获取 token
JwtTokenPair jwtTokenPair = jwtTokenStorage.get(username);
if (Objects.isNull(jwtTokenPair)) {
if (log.isDebugEnabled()) {
log.debug("token : {} is not in cache", jwtToken);
}
// 缓存中不存在就算 失败了
throw new CredentialsExpiredException("token is not in cache");
}
String accessToken = jwtTokenPair.getAccessToken();
if (jwtToken.equals(accessToken)) {
// 解析 权限集合 这里
JSONArray jsonArray = jsonObject.getJSONArray("roles");
List<String> roles = jsonArray.toList(String.class);
String[] roleArr = roles.toArray(new String[0]);
List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roleArr);
User user = new User(username, "[PROTECTED]", authorities);
// 构建用户认证token
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user, null, authorities);
usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
// 放入安全上下文中
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
} else {
// token 不匹配
if (log.isDebugEnabled()){
log.debug("token : {} is not in matched", jwtToken);
}
throw new BadCredentialsException("token is not matched");
}
} else {
if (log.isDebugEnabled()) {
log.debug("token : {} is invalid", jwtToken);
}
throw new BadCredentialsException("token is invalid");
}
}
}2.将过滤器添加到 登陆配置类
// jwt 必须配置于 UsernamePasswordAuthenticationFilter 之前
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)启动项目,我们随便定义一个接口,进行访问,肯定无法访问,
这个时候我们登陆一下,获取access_token,将token放到如下所示,就能正常访问了
文章相关代码转载来自 https://www.felord.cn/categories/spring-security/ ,感谢大佬的分享哈
373
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
