目录
Token验证
添加Redis依赖
在 pom.xml
文件中添加Redis核心依赖
<!--redis -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
编写全局配置文件
在 application.yml
全局配置文件中加入Redis相关配置
spring:
redis:
host: localhost
port: 6379
database: 0
timeout: 10000
编写Redis配置类
在 com.example.mybox.config.redis
包下创建RedisConfig配置类和RedisService业务工具类
(1)编写RedisConfig配置类
/**
* redis配置类
*/
@Configuration
public class RedisConfig {
//缓存过期时间
private Long expire = 60000L;
@Bean
public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {
RedisTemplate<String, Object> template = new RedisTemplate<>();
// 配置连接工厂
template.setConnectionFactory(factory);
//使用Jackson2JsonRedisSerialize 替换默认序列化(默认采用的是JDK序列化)
Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
//解决查询缓存转换异常的问题
ObjectMapper om = new ObjectMapper();
//设置在生成 json 串时,对象中的成员的可见性
om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
//存储到redis的json将是有类型的数据
//指定序列化输入的类型,类必须是非final修饰的,final修饰的类,比如String,Integer等会跑出异常
om.activateDefaultTyping(om.getPolymorphicTypeValidator(),
ObjectMapper.DefaultTyping.NON_FINAL);
jackson2JsonRedisSerializer.setObjectMapper(om);
StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
// key采用String的序列化方式
template.setKeySerializer(stringRedisSerializer);
// hash的key也采用String的序列化方式
template.setHashKeySerializer(stringRedisSerializer);
// value序列化方式采用jackson
template.setValueSerializer(jackson2JsonRedisSerializer);
// hash的value序列化方式采用jackson
template.setHashValueSerializer(jackson2JsonRedisSerializer);
template.afterPropertiesSet();
return template;
}
//@Cacheable注解字符集编码配置
@Bean
public RedisCacheManager cacheManager(RedisConnectionFactory factory) {
RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig();
config.entryTtl(Duration.ofMinutes(expire))//缓存过期时间
.serializeKeysWith(RedisSerializationContext.SerializationPair.fromSerializer(RedisSerializer.string()))
.serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(RedisSerializer.json()));
return RedisCacheManager
.builder(factory)
.cacheDefaults(config)
.build();
}
}
(2)编写RedisService业务工具类
@Component
public class RedisService {
@Resource
private RedisTemplate<String, Object> redisTemplate;
//存缓存
public void set(String key, String value, Long timeOut) {
redisTemplate.opsForValue().set(key, value, timeOut, TimeUnit.SECONDS);
}
//取缓存
public String get(String key) {
return (String) redisTemplate.opsForValue().get(key);
}
//清除缓存
public void del(String key) {
redisTemplate.delete(key);
}
}
设置登录认证请求地址
在 application.yml
全局配置文件中自定义登录验证的请求地址
request:
login: /user/login
编写token验证过滤器类
在 com.example.mybox.config.filter
包下创建CheckTokenFilter过滤器类
/**
* token验证过滤器
*/
@Data
@Component
public class CheckTokenFilter extends OncePerRequestFilter {
@Value("${request.login}")
private String loginUrl;
@Resource
private RedisService redisService;
@Resource
private JwtUtils jwtUtils;
@Resource
private CustomerUserDetailsService customerUserDetailsService;
@Resource
private LoginFailureHandler loginFailureHandler;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
try {
//获取当前请求的url地址
String requestURI = request.getRequestURI();
//判断当前请求是否是登录请求,如果不是则需要验证token
if (!requestURI.equals(loginUrl)){
//进行token验证
validateToken(request);
}
} catch (AuthenticationException e) {
loginFailureHandler.onAuthenticationFailure(request, response, e);
}
//登录请求不需要token,直接放行
doFilter(request,response,filterChain);
}
/**
* 验证token信息
* @param request
*/
private void validateToken(HttpServletRequest request) {
//获取前端提交的token
String token = request.getHeader("token");
//判断token是否存在,不存在从参数里面获取
if(StringUtils.isEmpty(token)){
//获取参数里的token
token = request.getParameter("token");
}
//token不存在
if(StringUtils.isEmpty(token)){
//抛出异常
System.out.println("抛出异常一");
throw new CustomerAuthenticationException("请先登录后再操作");
}
//判断redis中是否存在token信息
String tokenKey = "token_" + token;
String redisToken = redisService.get(tokenKey);
if(StringUtils.isEmpty(redisToken)){
//抛出异常
System.out.println("抛出异常2");
throw new CustomerAuthenticationException("登陆已过期,请重新登录后在操作");
}
//判断token和redis中token是否一致
if (!token.equals(redisToken)){
//抛出异常
throw new CustomerAuthenticationException("登陆已过期,请重新登录后在操作");
}
//如果token存在则解析token
String username = jwtUtils.getUsernameFromToken(token);
//判断用户名是否存在
if(StringUtils.isEmpty(username)){
//抛出异常
System.out.println("抛出异常3");
throw new CustomerAuthenticationException("请先登录后再操作");
}
//获取用户信息
UserDetails userDetails = customerUserDetailsService.loadUserByUsername(username);
//判断用户信息是否为空
if (userDetails == null) {
System.out.println("抛出异常4");
throw new CustomerAuthenticationException("请先登录后再操作");
}
//创建身份验证对象
UsernamePasswordAuthenticationToken authenticationToken = new
UsernamePasswordAuthenticationToken(userDetails, null,
userDetails.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
//设置到Spring Security上下文
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
配置token验证过滤器类
将 CheckTokenFilter过滤器类 交给Spring Security进行管理,在SpringSecurityConfig配置类中添加如下代码
@Resource
private CheckTokenFilter checkTokenFilter;
/**
* 处理登录认证
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//登陆前进行过滤
http.addFilterBefore(checkTokenFilter, UsernamePasswordAuthenticationFilter.class);
//省略后续代码....
编写自定义异常类
在 com.example.mybox.config.security.exception
包下编写CustomerAuthenticationException异常处理类
/**
* 自定义验证异常类
*/
public class CustomerAuthenticationException extends AuthenticationException {
public CustomerAuthenticationException(String message){
super(message);
}
}
Token验证失败处理
在 LoginFailureHandler
用户认证失败处理类中加入判断
/**
* 登录认证失败处理器类
*/
@Component
public class LoginFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response,
AuthenticationException exception)
throws IOException, ServletException {
//设置客户端响应编码格式
response.setContentType("application/json;charset=UTF-8");
//获取输出流
ServletOutputStream outputStream = response.getOutputStream();
String message = null;//提示信息
int code = ResultCode.UNAUTHORIZED_CODE;//错误编码
//判断异常类型
if (exception instanceof AccountExpiredException) {
message = "账户过期,登录失败!";
} else if (exception instanceof BadCredentialsException) {
message = "用户名或密码错误!";
} else if (exception instanceof CredentialsExpiredException) {
message = "密码过期,登录失败!";
} else if (exception instanceof DisabledException) {
message = "账户被禁用,登录失败!";
} else if (exception instanceof LockedException) {
message = "账户被锁,登录失败!";
} else if (exception instanceof InternalAuthenticationServiceException) {
message = "账户不存在,登录失败!";
}else if (exception instanceof CustomerAuthenticationException) {
message = exception.getMessage();
} else {
message = "登录失败!";
}
//将错误信息转换成JSON
String result = JSON.toJSONString(Result.error(message, code));
outputStream.write(result.getBytes(StandardCharsets.UTF_8));
outputStream.flush();
outputStream.close();
}
}
认证成功处理
修改 LoginSuccessHandler
登录认证成功处理类,将token保存到Redis缓存中
@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {
@Resource
private JwtUtils jwtUtils;
@Resource
private RedisService redisService;
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response,
Authentication authentication)
throws IOException, ServletException {
//设置客户端的响应的内容类型
response.setContentType("application/json;charset=UTF-8");
//获取当登录用户信息
User user = (User) authentication.getPrincipal();
//生成token
String token = jwtUtils.generateToken(user);
//设置token签名以及过期时间
long jwt = Jwts.parser()
.setSigningKey(jwtUtils.getSecret())
.parseClaimsJws(token.replace("jwt_", ""))
.getBody().getExpiration().getTime();
LoginResult loginResult = new LoginResult(user.getUsername(), ResultCode.SUCCESS_CODE, token, jwt);
//消除循环引用
String result = JSON.toJSONString(loginResult, SerializerFeature.DisableCircularReferenceDetect);
//获取输出流
ServletOutputStream outputStream = response.getOutputStream();
outputStream.write(result.getBytes(StandardCharsets.UTF_8));
outputStream.flush();
outputStream.close();
//把生成的token存到redis
String tokenKey = "token_"+token;
redisService.set(tokenKey,token,jwtUtils.getExpiration() / 1000);
}
}
Token验证测试
登陆操作
获取用户信息
刷新Token信息
创建TokenVo类
在 com.example.mybox.vo
包下创建TokenVo类,该类用于保存Token信息
@Data
@NoArgsConstructor
@AllArgsConstructor
public class TokenVo {
//过期时间
private Long expireTime;
//token
private String token;
}
编写刷新Token方法
在 com.example.mybox.controller
包下创建SysUserController控制器类,并在该类中编写refreshToken刷新token的方法
/**
* 刷新token
*
* @param request
* @return
*/
@PostMapping("/refreshToken")
public Result refreshToken(HttpServletRequest request) {
//从header中获取前端提交的token
String token = request.getHeader("token");
//header中没有从参数中获取
if (StringUtils.isEmpty(token)) {
token = request.getParameter("token");
}
//从Spring上下文中获取用户信息
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
//获取身份信息
UserDetails details = (UserDetails) authentication.getPrincipal();
//重新生成token
String reToken = "";
//验证原来的token是否合法
if (jwtUtils.validateToken(token, details)) {
//生成新的token
reToken = jwtUtils.refreshToken(token);
}
//获取本次token到期时间交给前端判断
long expireTime = Jwts.parser().setSigningKey(jwtUtils.getSecret())
.parseClaimsJws(reToken.replace("jwt_", ""))
.getBody()
.getExpiration().getTime();
//清除原来的token信息
String oldTokenKey = "token_" + token;
log.info("清除前:" + redisService.get(oldTokenKey));
redisService.del(oldTokenKey);
log.info("清除后:" + redisService.get(oldTokenKey));
//存储新的token
String newTokenKey = "token_" + reToken;
redisService.set(newTokenKey, reToken, jwtUtils.getExpiration() / 1000);
log.info("新token:" + redisService.get(newTokenKey));
//创建TokenVo对象
TokenVo tokenVo = new TokenVo(expireTime, reToken);
return Result.success(tokenVo, "token已刷新");
}
接口运行测试
- 先运行用户登录请求,生成token信息
- 测试查询用户信息,预期结果是查询成功
- 运行刷新token接口,重新生成token信息
- 再次测试查询用户信息,预期结果是token过期。