一、Spring Security官方解释
Spring Security是一个强大的和高度可定制的身份验证和访问控制框架。它是保证基于spring的应用程序安全的实际标准。Spring Security是一个框架,着重于为Java应用程序提供身份验证和授权。春天像所有项目,Spring Security的真正力量是很容易找到的它可以扩展以满足定制需求。
本项目使用jwt当作token,使用redis存储token,登录信息不依赖于单个项目,集中存储到redis内存型数据库中。
二、spring boot集成步骤(完整项目地址:https://gitee.com/fds520/spring-security-demo)
1. 项目结构
2.核心代码
主配置类SpringSecurityConfig
package com.fds.system.config;
import com.alibaba.fastjson.JSON;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* spring security 主配置类
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
@Autowired
private SecurityProperties securityProperties;
@Override
protected void configure(HttpSecurity http) throws Exception {
// 禁用 csrf 拦截
http.csrf().disable()
.sessionManagement()
// 关闭session管理,使用token机制处理
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
// 未登录返回 JSON 格式的数据
.httpBasic().authenticationEntryPoint((httpServletRequest, httpServletResponse, e) -> {
httpServletRequest.setCharacterEncoding("utf-8");
httpServletResponse.setHeader("Content-type", "application/json;charset=UTF-8");
httpServletResponse.getWriter().write(JSON.toJSONString("未登录"));
})
.and()
// 无权访问 JSON 格式的数据
.exceptionHandling().accessDeniedHandler((httpServletRequest, httpServletResponse, e) -> {
httpServletResponse.setCharacterEncoding("utf-8");
httpServletResponse.setHeader("Content-type", "application/json;charset=UTF-8");
httpServletResponse.getWriter().write(JSON.toJSONString("没有权限"));
})
.and()
.authorizeRequests()
// 对option不校验
.antMatchers(HttpMethod.OPTIONS).permitAll()
// 设置不校验白名单
.antMatchers(securityProperties.getIgnoreUrl()).permitAll()
.anyRequest().authenticated()
.and()
// 添加自定义请求jwt过滤器
.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
public void configure(WebSecurity web) {
// 设置拦截忽略文件夹,可以对静态资源放行
web.ignoring().antMatchers("/images/**");
}
}
登录service
/**
* 获取数据库用户
*
* @param username 用户名
* @return
* @throws UsernameNotFoundException
*/
public String login(String username, String password) {
// 模拟从数据库 获取登录用户
LoginUser loginUser = new LoginUser("fds", "123");
loginUser.setId(123L);
loginUser.setType("people");
Set authoritiesSet = new HashSet();
// 模拟从数据库中获取用户权限
authoritiesSet.add("test:add");
authoritiesSet.add("test:list");
authoritiesSet.add("ddd:list");
loginUser.setCustomAuthorities(authoritiesSet);
String token = JwtTokenUtil.generateToken(loginUser);
redisUtil.set(token, JSONObject.toJSONString(loginUser), securityProperties.getExpirationMilliSeconds());
return token;
}
token过滤器
package com.fds.system.config;
import com.alibaba.fastjson.JSONObject;
import com.fds.system.model.LoginUser;
import com.fds.system.utils.RedisUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author: fds
* @description: jwt-token过滤器
*/
@Component
@Slf4j
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
@Autowired
private SecurityProperties securityProperties;
@Autowired
private RedisUtil redisUtil;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String authToken = request.getHeader("Authorization");
response.setCharacterEncoding("utf-8");
if (StringUtils.isEmpty(authToken)) {
// 用户未登录
filterChain.doFilter(request, response);
return;
}
// 获取redis中的token信息
if (!redisUtil.hasKey(authToken)) {
// 用户未登录
filterChain.doFilter(request, response);
return;
}
Object data = redisUtil.get(authToken);
if (null == data) {
// 用户未登录
filterChain.doFilter(request, response);
return;
}
// 获取缓存中的信息(根据自己的业务进行拓展)
LoginUser loginUser = JSONObject.parseObject(data.toString(), LoginUser.class);
// 设置权限
loginUser.setSystemAuthorities();
// 从tokenInfo中取出用户信息
// 更新token过期时间
redisUtil.setKeyExpire(authToken, securityProperties.getExpirationMilliSeconds());
// 将信息交给security
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
filterChain.doFilter(request, response);
}
}
7680
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
