Tech stack: AOP, interceptor, custom annotation
Implementation approach:
Spring Security is used only for its BCrypt password hashing, applied when a user registers
jjwt is used at login to generate the token with jjwt.builder and return it
The interceptor verifies the token with jjwt.parse and puts the role into the request scope
The custom annotation plus AOP are used to decide whether the current role is permitted to call the annotated method
Core dependencies:
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-aop</artifactId>
</dependency>
Utility class: jjwtutil, see the earlier article
jjwt interceptor
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

@Component
public class JwtFilter extends HandlerInterceptorAdapter {
    @Autowired
    private JwtUtil jwtUtil;

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response, Object handler) throws Exception {
        System.out.println("经过了拦截器");
        final String authHeader = request.getHeader("Authorization");
        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            final String token = authHeader.substring(7); // the part after "Bearer "
            Claims claims = jwtUtil.parseJWT(token);
            if (claims != null) {
                if ("admin".equals(claims.get("roles"))) { // administrator
                    request.setAttribute("role", "admin");
                }
                if ("user".equals(claims.get("roles"))) { // ordinary user
                    request.setAttribute("role", "user");
                }
            }
        }
        // Always continue; the request carries a "role" attribute only if the token parsed.
        return true;
    }
}
Below is the permission control
Refer to this article
https://blog.csdn.net/zhanglf02/article/details/89787937
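As an added example (not code from the original post or the linked article), here is one way to build the annotation-plus-AOP check that the approach above describes: the aspect reads the `role` attribute that `JwtFilter` stored in the request and compares it with the roles named on the annotation. The names `RequireRole` and `RoleCheckAspect`, and the choice of HTTP status codes, are assumptions of this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical annotation: lists the roles allowed to call the method, e.g. @RequireRole("admin").
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface RequireRole {
    String[] value();
}

@Aspect
@Component
public class RoleCheckAspect {

    // Binds the @RequireRole instance of the intercepted method to the requireRole parameter.
    @Around("@annotation(requireRole)")
    public Object checkRole(ProceedingJoinPoint pjp, RequireRole requireRole) throws Throwable {
        // Read the "role" attribute that JwtFilter.preHandle stored from the token claims.
        HttpServletRequest request = ((ServletRequestAttributes)
                RequestContextHolder.currentRequestAttributes()).getRequest();
        Object role = request.getAttribute("role");

        // JwtFilter lets every request through, so a missing attribute means
        // no valid token reached this method: deny here instead of falling through.
        if (role == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "missing or invalid token");
        }
        if (!Arrays.asList(requireRole.value()).contains(role)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "role not permitted");
        }
        return pjp.proceed();
    }
}
```

Only methods carrying @RequireRole are checked; a controller method without the annotation stays reachable by any caller, so every method that must be protected needs the annotation.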