1、SpringSecurity是什么
作为Spring生态圈中的一员,适配Spring下的安全框架,极其简单的配置操作就能让你的项目套上一层保护膜。SpringSecurity主要分为两部分,分别是认证和授权。其中核心就是他的过滤链(filter)。
2、账号密码认证
默认身份认证
在Maven中导入SpringSecurity时,在其自动配置类中就已经默认帮你实现了账号密码的默认登录页,其中DefaultSecurityConfig类中,需要注意的几点,使用了EnableWebSecurity注解开启Security配置,在#inMemoryUserDetailsManager方法中实现了用户名为user 密码随机生成并会打印到控制台。#defaultAuthenticationEventPublisher主要是发布认证的事件发布器。
@EnableWebSecurity
@Configuration
public class DefaultSecurityConfig {
@Bean
@ConditionalOnMissingBean(UserDetailsService.class)
InMemoryUserDetailsManager inMemoryUserDetailsManager() {
String generatedPassword = // ...;
return new InMemoryUserDetailsManager(User.withUsername("user")
.password(generatedPassword).roles("ROLE_USER").build());
}
@Bean
@ConditionalOnMissingBean(AuthenticationEventPublisher.class)
DefaultAuthenticationEventPublisher defaultAuthenticationEventPublisher(ApplicationEventPublisher delegate) {
return new DefaultAuthenticationEventPublisher(delegate);
}
}
SecurityContextHolder
Spring Security 的认证模型的核心是 SecurityContextHolder。它包含了SecurityContext,SecurityContext中保存了用户的细节,包括用户名和密码以及角色,可以直接尝试给SecurityContext赋值,来表明用户已被认证。默认情况下SecurityContextHolder使用ThreadLocal来存储,所以在同一线程中SecurityContextHolder总是可用的。
SecurityContext context = SecurityContextHolder.createEmptyContext();
Authentication authentication =
new TestingAuthenticationToken("username", "password", "ROLE_USER");
context.setAuthentication(authentication);
SecurityContextHolder.setContext(context);
如何使用做一个简单的身份验证
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(Customizer.withDefaults())
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.httpBasic(Customizer.withDefaults())
.formLogin(Customizer.withDefaults());
return http.build();
}
}
上述代码中是官方文档中给出的一段实例
下面示例
package com.tcb.config;
import com.tcb.filter.JwtAuthenticationTokenFilter;
import com.tcb.utils.JwtTokenUtil;
import lombok.AllArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* @author Tu
*/
@Configuration
@EnableWebSecurity
@AllArgsConstructor
public class CustomSecurityConfig {
private final JwtTokenUtil jwtTokenUtil;
private final UserDetailsService userDetailsService;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf(AbstractHttpConfigurer::disable)
.cors(Customizer.withDefaults())
.sessionManagement(sessionManager -> sessionManager.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authenticationManager(this.authenticationManager())
// 配置 JwtTokenAuthenticationFilter
.addFilterBefore(new JwtAuthenticationTokenFilter(
this.jwtTokenUtil,
this.userDetailsService()),
UsernamePasswordAuthenticationFilter.class)
// 请求认证授权
.authorizeHttpRequests(requests -> {
// 放行 POST 请求接口 /auth/signin,/auth/signup
requests.requestMatchers(HttpMethod.POST, "/auth/signin", "/auth/signup").permitAll()
// 放行 /test/** 接口所有请求
.requestMatchers("/test/**").permitAll()
// 其余请求,一律需要进行认证
.anyRequest().authenticated();
});
return http.build();
}
// 密码加密器
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
// 获取用户及其相关详细信息
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.findUser(username);
if (null == user) {
throw new UsernameNotFoundException(String.format("[username: %s] not found!", username));
}
return user;
}
};
}
// 负责具体用户认证流程
@Bean
public AuthenticationProvider authenticationProvider() {
// 创建一个用户认证提供者
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
// 将该 Provider 关联到我们设置的 UserDetailsService
authProvider.setUserDetailsService(this.userDetailsService());
// 关联到我们设置的加密算法
authProvider.setPasswordEncoder(this.passwordEncoder());
return authProvider;
}
// 认证管理者
@Bean
public AuthenticationManager authenticationManager() {
// 关联到我们设置的 AuthenticationProvider
return new ProviderManager(this.authenticationProvider());
}
}
自定义Jwt工具类生成token
package com.tcb.utils;
import io.jsonwebtoken.Claims;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
/**
* @author tu.cb
*/
@Slf4j
public class JwtTokenUtil {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
@Value("${jwt.tokenHead}")
private String tokenHead;
private static final String CLAIM_KEY_USERNAME = "sub";
private static final String CLAIM_KEY_CREATED = "created";
/**
* 根据用户信息生成token
*/
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
claims.put(CLAIM_KEY_CREATED, System.currentTimeMillis());
return generateToken(claims);
}
/**
* 根据用户名、创建时间生成JWT的token
*/
private String generateToken(Map<String, Object> claims) {
return Jwts.builder()
.setClaims(claims)
.setExpiration(generateExpirationDate())
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
private Date generateExpirationDate() {
return new Date(System.currentTimeMillis() + expiration * 1000);
}
/**
* 从token中获取登录用户名
*/
public String getUserNameFromToken(String token) {
String username = null;
Claims claims = getClaimsFromToken(token);
if (claims != null) {
username = claims.getSubject();
}
return username;
}
/**
* 从token中获取JWT中的负载
*/
private Claims getClaimsFromToken(String token) {
Claims claims = null;
try {
claims = Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
} catch (Exception e) {
log.info("JWT格式验证失败:{}", token);
}
return claims;
}
/**
* 验证token是否还有效
*
* @param token 客户端传入的token
* @param userDetails 从数据库中查询出来的用户信息
*/
public boolean validateToken(String token, UserDetails userDetails) {
String username = getUserNameFromToken(token);
return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
}
/**
* 判断token是否已经失效
*/
public boolean isTokenExpired(String token) {
Date expiredDate = getExpiredDateFromToken(token);
return expiredDate.before(new Date());
}
/**
* 从token中获取过期时间
*/
private Date getExpiredDateFromToken(String token) {
Claims claims = getClaimsFromToken(token);
return claims.getExpiration();
}
}
JWT过滤器,在HttpSecurity中添加到过滤链中
package com.tcb.filter;
import com.tcb.service.LoginService;
import com.tcb.service.RedisServer;
import com.tcb.utils.JwtTokenUtil;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
/**
* JWT登录授权过滤器
* on 2018/4/26.
*/
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
private final LoginService loginService;
private final RedisServer redisServer;
private final JwtTokenUtil jwtTokenUtil;
@Value("${jwt.tokenHeader}")
private String tokenHeader;
@Value("${jwt.tokenHead}")
private String tokenHead;
@Value("${redis.redisPrefix}")
private String redisPrefix;
public JwtAuthenticationTokenFilter(LoginService loginService, RedisServer redisServer, JwtTokenUtil jwtTokenUtil) {
this.loginService = loginService;
this.redisServer = redisServer;
this.jwtTokenUtil = jwtTokenUtil;
}
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
// 从客户端请求中获取 JWT
String authHeader = request.getHeader(this.tokenHeader);
// 该 JWT 是我们规定的格式,以 tokenHead 开头
if (authHeader != null && authHeader.startsWith(this.tokenHead)) {
// The part after "Bearer "
String authToken = authHeader.substring(this.tokenHead.length());
// 从 JWT 中获取用户名
String username = jwtTokenUtil.getUserNameFromToken(authToken);
LOGGER.info("checking username:{}", username);
// SecurityContextHolder 是 SpringSecurity 的一个工具类
// 保存应用程序中当前使用人的安全上下文
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
// 根据用户名获取登录用户信息
UserDetails userDetails = this.loginService.loadUserByUsername(username);
// 验证 token 是否过期
if (jwtTokenUtil.validateToken(authToken, userDetails)&&redisServer.getValue(redisPrefix+username).equals(authToken)) {
// 将登录用户保存到安全上下文中
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails,
null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
LOGGER.info("authenticated user:{}", username);
}
}
}
chain.doFilter(request, response);
}
}
然后根据自定义登录逻辑判断写一个Service类来判断账号密码是否正确。
引用:
1、https://springdoc.cn/spring-security/ Spring Security中文文档