并发访问量不高的系统中,我们通常将应用部署到一台app服务器,为用户提供服务,当用户使用用户名和密码登录完成后,会把用户的信息会保存到session中,大家也都知道,session是保存在app服务器端的,这时,随着业务量的增长,一台服务器已经不能很好的为用户服务了,我们这时会横向扩展,比如增加服务器数量,使用负载均衡等,这时,将同一个应用部署到两台服务器时,A用户在A服务器中登陆了,session信息被保存在服务器A,当用户关闭页面,A用户再访问时,请求被负载均衡到B服务器时,由于用户A的登录状态被保存在服务器A,而访问服务器B时,需要重新登录,这显然是不友好的,并且不方便的。
那怎样解决这个问题呢,这里就涉及到分布式登录和令牌的概念,分布式登录的概念呢就是,我在多台app服务器中,例如A服务器,B服务器,C服务器等,部署同一个应用,当用户在A服务器登录后,在访问B服务器或者是C服务器,登录的状态会被记住,不需要再重新登录,也称为单点认证,那么用什么来实现呢,就涉及到令牌的概念,简单的说,就是当用户登陆成功后,服务器会向客户端发送一个令牌,当用户在访问其他资源时,会带着令牌,我们只要校验令牌的可用性,过期时间等,便可实现这个功能。废话这么多,简单的说就是用用户名和密码来换取令牌。
现在比较常用的令牌就是JWT(JSON Web Tokens),简单的说就是使用Base64编码过的一个字符串,由三部分组成,头部、载荷与签名,头部信息呢,就是类型和算法,载荷呢,装载东西的容器,可以装载用户自定义的信息,例如jwt签发者,签发时间,jwt过期时间,用户名,权限等等,签名比较重要,它是来保证jwt没有被篡改过,使用头部提供的算法来,下边的字符串就是一个jwt,我们可以使用https://jwt.io/网站来解析jwt,具体的可以baidu下jwt,了解更多。
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
概念部分就简单的介绍到这里,下面我们动手来搭建一个springsecurity分布式登录及验证的系统,怎样搭建springmvc的web项目,我就不介绍了,可以参照我之前的文章。
上边的文章中,pom文件中已经导入了,springmvc,springsecurity,mybatis等web项目所需要的jar包,这里我主要讲解怎样生成jwt,以及怎样校验jwt,首先在pom文件中,添加jwt的jar包依赖以及json的jar包
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.10.7</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.10.7</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.7</version>
<scope>runtime</scope>
</dependency><dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.10.1</version>
</dependency>
接下来编写jwt生成,校验的工具类,公钥秘钥生成的工具类,以及json读写的工具类,我就不重复造轮子了,主要感谢下黑马程序员为我们提供的三个工具类,注释也写的非常到位,导入到我们的工程中。
- JwtUtils.java
package com.example.SpringSecurity_jwt_rsa.common;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.Date;
import java.util.UUID;import com.example.SpringSecurity_jwt_rsa.domain.Payload;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;/**
* @author: 黑马程序员
* 生成token以及校验token相关方法
*/
public class JwtUtils {private static final String JWT_PAYLOAD_USER_KEY = "user";
/**
* 私钥加密token
*
* @param userInfo 载荷中的数据
* @param privateKey 私钥
* @param expire 过期时间,单位分钟
* @return JWT
*/
public static String generateTokenExpireInMinutes(Object userInfo, PrivateKey privateKey, int expire) {
return Jwts.builder()
.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
.setId(createJTI())
.setExpiration(
Date.from(ZonedDateTime.of(LocalDateTime.now().plusMinutes(expire), ZoneId.systemDefault())
.toInstant()))
.signWith(privateKey, SignatureAlgorithm.RS256)
.compact();
}/**
* 私钥加密token
*
* @param userInfo 载荷中的数据
* @param privateKey 私钥
* @param expire 过期时间,单位秒
* @return JWT
*/
public static String generateTokenExpireInSeconds(Object userInfo, PrivateKey privateKey, int expire) {
return Jwts.builder()
.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
.setId(createJTI())
.setExpiration(Date.from(ZonedDateTime.of(LocalDateTime.now().plusSeconds(expire), ZoneId.systemDefault())
.toInstant()))
.signWith(privateKey, SignatureAlgorithm.RS256)
.compact();
}/**
* 公钥解析token
*
* @param token 用户请求中的token
* @param publicKey 公钥
* @return Jws<Claims>
*/
private static Jws<Claims> parserToken(String token, PublicKey publicKey) {
return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
}private static String createJTI() {
return new String(Base64.getEncoder().encode(UUID.randomUUID().toString().getBytes()));
}/**
* 获取token中的用户信息
*
* @param token 用户请求中的令牌
* @param publicKey 公钥
* @return 用户信息
*/
public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey, Class<T> userType) {
Jws<Claims> claimsJws = parserToken(token, publicKey);
Claims body = claimsJws.getBody();
Payload<T> claims = new Payload<>();
claims.setId(body.getId());
claims.setUserInfo(JsonUtils.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString(), userType));
claims.setExpiration(body.getExpiration());
return claims;
}/**
* 获取token中的载荷信息
*
* @param token 用户请求中的令牌
* @param publicKey 公钥
* @return 用户信息
*/
public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey) {
Jws<Claims> claimsJws = parserToken(token, publicKey);
Claims body = claimsJws.getBody();
Payload<T> claims = new Payload<>();
claims.setId(body.getId());
claims.setExpiration(body.getExpiration());
return claims;
}
}
- RsaUtils.java
package com.example.SpringSecurity_jwt_rsa.common;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;/**
* @author 黑马程序员
*/
public class RsaUtils {private static final int DEFAULT_KEY_SIZE = 2048;
/**
* 从文件中读取公钥
*
* @param filename 公钥保存路径,相对于classpath
* @return 公钥对象
* @throws Exception
*/
public static PublicKey getPublicKey(String filename) throws Exception {
byte[] bytes = readFile(filename);
return getPublicKey(bytes);
}/**
* 从文件中读取密钥
*
* @param filename 私钥保存路径,相对于classpath
* @return 私钥对象
* @throws Exception
*/
public static PrivateKey getPrivateKey(String filename) throws Exception {
byte[] bytes = readFile(filename);
return getPrivateKey(bytes);
}/**
* 获取公钥
*
* @param bytes 公钥的字节形式
* @return
* @throws Exception
*/
private static PublicKey getPublicKey(byte[] bytes) throws Exception {
bytes = Base64.getDecoder().decode(bytes);
X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePublic(spec);
}/**
* 获取密钥
*
* @param bytes 私钥的字节形式
* @return
* @throws Exception
*/
private static PrivateKey getPrivateKey(byte[] bytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
bytes = Base64.getDecoder().decode(bytes);
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(spec);
}/**
* 根据密文,生存rsa公钥和私钥,并写入指定文件
*
* @param publicKeyFilename 公钥文件路径
* @param privateKeyFilename 私钥文件路径
* @param secret 生成密钥的密文
*/
public static void generateKey(String publicKeyFilename, String privateKeyFilename, String secret, int keySize) throws Exception {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
SecureRandom secureRandom = new SecureRandom(secret.getBytes());
keyPairGenerator.initialize(Math.max(keySize, DEFAULT_KEY_SIZE), secureRandom);
KeyPair keyPair = keyPairGenerator.genKeyPair();
// 获取公钥并写出
byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
publicKeyBytes = Base64.getEncoder().encode(publicKeyBytes);
writeFile(publicKeyFilename, publicKeyBytes);
// 获取私钥并写出
byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
privateKeyBytes = Base64.getEncoder().encode(privateKeyBytes);
writeFile(privateKeyFilename, privateKeyBytes);
}private static byte[] readFile(String fileName) throws Exception {
return Files.readAllBytes(new File(fileName).toPath());
}private static void writeFile(String destPath, byte[] bytes) throws IOException {
File dest = new File(destPath);
if (!dest.exists()) {
dest.createNewFile();
}
Files.write(dest.toPath(), bytes);
}
}
- JsonUtils.java
package com.example.SpringSecurity_jwt_rsa.common;
import java.io.IOException;
import java.util.List;
import java.util.Map;import org.slf4j.Logger;
import org.slf4j.LoggerFactory;import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;/**
* @author: 黑马程序员
**/
public class JsonUtils {public static final ObjectMapper mapper = new ObjectMapper();
private static final Logger logger = LoggerFactory.getLogger(JsonUtils.class);
//json化
public static String toString(Object obj) {
if (obj == null) {
return null;
}
if (obj.getClass() == String.class) {
return (String) obj;
}
try {
return mapper.writeValueAsString(obj);
} catch (JsonProcessingException e) {
logger.error("json序列化出错:" + obj, e);
return null;
}
}//json解析
public static <T> T toBean(String json, Class<T> tClass) {
try {
return mapper.readValue(json, tClass);
} catch (IOException e) {
logger.error("json解析出错:" + json, e);
return null;
}
}//解析list的json数据
public static <E> List<E> toList(String json, Class<E> eClass) {
try {
return mapper.readValue(json, mapper.getTypeFactory().constructCollectionType(List.class, eClass));
} catch (IOException e) {
logger.error("json解析出错:" + json, e);
return null;
}
}//json转map
public static <K, V> Map<K, V> toMap(String json, Class<K> kClass, Class<V> vClass) {
try {
return mapper.readValue(json, mapper.getTypeFactory().constructMapType(Map.class, kClass, vClass));
} catch (IOException e) {
logger.error("json解析出错:" + json, e);
return null;
}
}//json解析自定义类型
public static <T> T nativeRead(String json, TypeReference<T> type) {
try {
return mapper.readValue(json, type);
} catch (IOException e) {
logger.error("json解析出错:" + json, e);
return null;
}
}
}
导入到工程中后,自己手写一个测试程序,使用RsaUtils.java来生成我们的公钥和秘钥文件,执行后,会在对应的文件夹下生成公钥和私钥文件,这是来验证我们的jwt是否被篡改过。
package com.example.SpringSecurity_jwt_rsa;
import com.example.SpringSecurity_jwt_rsa.common.RsaUtils;
public class Test {
private static String publicKeyFilename = "C:/auth_key/publicKey_rsa";
private static String privateKeyFilename = "C:/auth_key/privateKey_rsa";
public static void main(String[] args) throws Exception {
RsaUtils.generateKey(publicKeyFilename, privateKeyFilename, "iosoft2020", 2048);
}}
接下来配置application.yml文件,主要内容就是数据库信息,mybatis配置,在一个比较重要的是rsa-key的公钥和私钥的配置,这里的路径就是我们上边生成的路径,指定下。
spring:
thymeleaf:
cache: false
datasource:
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://192.168.100.100:3306/SpringSecurity
username: root
password: 123456
mybatis:
type-aliases-package: com.example.SpringSecurity_jwt_rsa.domain
configuration:
map-underscore-to-camel-case: true
logging:
level:
com.example.demo: debug
rsa:
key:
privateKeyFile: C:/auth_key/privateKey_rsa
publicKeyFile: C:/auth_key/publicKey_rsa
前几篇文章有讲过,springsecurity主要就是强大的过滤器链,来控制安全的,我们需要编写自己的过滤器,主要是继承下边的类,从类名就能看出,一个是登录认证的,一个就是校验的,登录认证呢,就是从客户端获取用户名和密码,进行校验,如果校验成功,使用JwtUtils生成令牌,返回给客户端,BasicAuthenticationFilter呢,就是来校验,校验令牌是否被篡改过,是否过期等。
UsernamePasswordAuthenticationFilter.java
BasicAuthenticationFilter.java
- JwtLoginFilter.java
package com.example.SpringSecurity_jwt_rsa.filter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.List;
import java.util.Map;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import com.example.SpringSecurity_jwt_rsa.common.JwtUtils;
import com.example.SpringSecurity_jwt_rsa.config.RsaKeyProperties;
import com.example.SpringSecurity_jwt_rsa.domain.SysRole;
import com.example.SpringSecurity_jwt_rsa.domain.SysUser;
import com.fasterxml.jackson.databind.ObjectMapper;public class JwtLoginFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
private RsaKeyProperties prop;public JwtLoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
this.authenticationManager = authenticationManager;
this.prop = prop;
}//重写springsecurity获取用户名和密码操作
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException {
try {
//从输入流中获取用户名和密码,而不是表单
SysUser sysUser = new ObjectMapper().readValue(request.getInputStream(), SysUser.class);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
sysUser.getUsername(), sysUser.getPassword());
return authenticationManager.authenticate(authRequest);
} catch (Exception e) {
try {
//处理失败请求
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter out = response.getWriter();
Map map = new HashMap<>();
map.put("code", HttpServletResponse.SC_UNAUTHORIZED);
map.put("msg", "用户名或者密码错误");
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
out.close();
} catch (Exception e1) {
e1.printStackTrace();
}throw new RuntimeException(e);
}
}//重写用户名密码授权成功操作----返回token凭证
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
Authentication authResult) throws IOException, ServletException {
//从authResult获取认证成功的用户信息
SysUser resultUser = new SysUser();
SysUser authUser = (SysUser) authResult.getPrincipal();
resultUser.setUsername(authUser.getUsername());
resultUser.setUid(authUser.getUid());
resultUser.setStatus(authUser.getStatus());
resultUser.setRoles((List<SysRole>) authResult.getAuthorities());
String token = JwtUtils.generateTokenExpireInMinutes(resultUser, prop.getPrivateKey(), 3600 * 24);
//将token写入header
response.addHeader("Authorization", "Bearer " + token);
try {
//登录成功時,返回json格式进行提示
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = response.getWriter();
Map<String, Object> map = new HashMap<String, Object>();
map.put("code", HttpServletResponse.SC_OK);
map.put("message", "登陆成功!");
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
out.close();
} catch (Exception e1) {
e1.printStackTrace();
}
}
}
- JwtVerifyFilter.java
package com.example.SpringSecurity_jwt_rsa.filter;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;import com.example.SpringSecurity_jwt_rsa.common.JwtUtils;
import com.example.SpringSecurity_jwt_rsa.config.RsaKeyProperties;
import com.example.SpringSecurity_jwt_rsa.domain.Payload;
import com.example.SpringSecurity_jwt_rsa.domain.SysUser;
import com.fasterxml.jackson.databind.ObjectMapper;public class JwtVerifyFilter extends BasicAuthenticationFilter {
private RsaKeyProperties prop;public JwtVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
super(authenticationManager);
this.prop = prop;
}/**
* 过滤请求
*/
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) {
try {
//请求体的头中是否包含Authorization
String header = request.getHeader("Authorization");
//Authorization中是否包含Bearer,不包含直接返回
if (header == null || !header.startsWith("Bearer ")) {
chain.doFilter(request, response);
responseJson(response);
return;
}
//获取权限失败,会抛出异常
UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
//获取后,将Authentication写入SecurityContextHolder中供后序使用
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(request, response);
} catch (Exception e) {
responseJson(response);
e.printStackTrace();
}
}/**
* 未登录提示
*
* @param response
*/
private void responseJson(HttpServletResponse response) {
try {
//未登录提示
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
PrintWriter out = response.getWriter();
Map<String, Object> map = new HashMap<String, Object>();
map.put("code", HttpServletResponse.SC_FORBIDDEN);
map.put("message", "请登录!");
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
out.close();
} catch (Exception e1) {
e1.printStackTrace();
}
}/**
* 通过token,获取用户信息
*
* @param request
* @return
*/
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String token = request.getHeader("Authorization");
if (token != null) {
//通过token解析出载荷信息
Payload<SysUser> payload = JwtUtils.getInfoFromToken(token.replace("Bearer ", ""),
prop.getPublicKey(), SysUser.class);
SysUser user = payload.getUserInfo();
//不为null,返回
if (user != null) {
return new UsernamePasswordAuthenticationToken(user, null, user.getRoles());
}
return null;
}
return null;
}
}
到这里,就是怎样将过滤器整合到springsecurity中,将我们编写好的过滤器,调用addFilter方法,添加到springsecurity配置类中。
- SecurityConfig.java
package com.example.SpringSecurity_jwt_rsa.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Configurable;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;import com.example.SpringSecurity_jwt_rsa.filter.JwtLoginFilter;
import com.example.SpringSecurity_jwt_rsa.filter.JwtVerifyFilter;
import com.example.SpringSecurity_jwt_rsa.service.UserService;@Configurable
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Autowired
private RsaKeyProperties prop;@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}@Autowired
private UserService userDetailsService;@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// auth.inMemoryAuthentication().withUser("user")
// .password("{noop}123") // {noop}
// .roles("USER");
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}@Override
protected void configure(HttpSecurity http) throws Exception {
http
//关闭跨站请求防护
.cors()
.and()
.csrf()
.disable()
//允许不登陆就可以访问的方法,多个用逗号分隔
.authorizeRequests()
.antMatchers("/product").hasAnyRole("ROLE_USER")
//其他的需要授权后访问
.anyRequest().authenticated()
.and()
//增加自定义认证过滤器
.addFilter(new JwtLoginFilter(authenticationManager(), prop))
//增加自定义验证认证过滤器
.addFilter(new JwtVerifyFilter(authenticationManager(), prop))
// 前后端分离是无状态的,不用session了,直接禁用。
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}}
这样,客户端每次请求就会先走到我们自定义的过滤器中,生成jwt,校验jwt等,以及页面跳转,下边我们测试下,使用postman这样可以发送post请求的浏览器,输入用户名和密码,验证成功后,会返回一个jwt的字符串,我们这样拿着这个jwt令牌,就可以访问到其他的系统资源,怎么样,没有想象的那么复杂吧,那么动手试试看,有什么问题留言,我们交流下。