目录
3.登录校验(UsernamePasswordAuthenticationFilter)
4.登录成功处理器(CustomizeAuthenticationSuccessHandler)
5.登录失败处理器(CustomizeAuthenticationFailureHandler)
6.登录异常处理器(CustomizeAuthenticationEntryPoint)
写在前面
本文使用的是mybatis-plus操作mysql数据库,并且使用到了redis。如果不了解该框架的可以先去了解了再看本文章。文末有gitee链接,想要查看和使用整个工程的可以直接跳到结尾。
一、springSecurity
springSecurity集成了大量的过滤器来实现用户登录认证和权限认证,对于一个登录系统而言,我们最需要的便是登录功能,springSecurity中把登录分为了多个处理,大致流程如下:
1.用户信息
默认为form表单形式的post提交,编码类型为pplication/x-www-form-urlencoded,采用键值对形式,键必须为username和password,本文未对此做更改。
2.身份认证(JwtLoginFilter)
此过滤器添加在验证登录之前,采用Jwt形式,在第二节中会详细讲解。
3.登录校验(UsernamePasswordAuthenticationFilter)
本文也未做更改,源码如下:
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login", "POST");
private String usernameParameter = "username";
private String passwordParameter = "password";
private boolean postOnly = true;
public UsernamePasswordAuthenticationFilter() {
super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
}
public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
super(DEFAULT_ANT_PATH_REQUEST_MATCHER, authenticationManager);
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (this.postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
} else {
String username = this.obtainUsername(request);
username = username != null ? username : "";
username = username.trim();
String password = this.obtainPassword(request);
password = password != null ? password : "";
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
this.setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
@Nullable
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(this.passwordParameter);
}
@Nullable
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(this.usernameParameter);
}
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
}
public void setUsernameParameter(String usernameParameter) {
Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
this.usernameParameter = usernameParameter;
}
public void setPasswordParameter(String passwordParameter) {
Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
this.passwordParameter = passwordParameter;
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public final String getUsernameParameter() {
return this.usernameParameter;
}
public final String getPasswordParameter() {
return this.passwordParameter;
}
}
从中可以很清楚的看清对用户信息中键值的要求和请求格式的要求,如果想要用自己的验证逻辑,可以添加一个类继承该类并重写方法。其中验证功能的账号密码需要从数据库中查询,需要在springSecurity的config中注入userDetailsService
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(password());
}
其中userDetailsService如下:
package com.cg.springSecurity.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.cg.springSecurity.mapper.UserMapper;
import com.cg.springSecurity.pojo.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.List;
@Service("userDetailsService")
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private UserMapper userMapper;
@Override
public UserDetails loadUserByUsername(String username) throws BadCredentialsException {
//todo 加入登录参数验证逻辑
// if(user == null){//数据库没有数据,认证失败
// throw new BadCredentialsException("用户名不存在!");
// }
//调用usersMapper方法,根据用户名查询数据库
QueryWrapper<User> wrapper = new QueryWrapper<>();
wrapper.eq("username",username);
User user = userMapper.selectOne(wrapper);
//手动设置了role,也可以通过数据库查询获取
List<GrantedAuthority> auths = AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRole()); //配置角色
return new org.springframework.security.core.userdetails.User(user.getUsername(),
new BCryptPasswordEncoder().encode(user.getPassword()),auths);
}
}
4.登录成功处理器(CustomizeAuthenticationSuccessHandler)
由于是前后端分离,所以必须添加该处理器来实现返回数据给前端页面,其中包含Jwt的处理逻辑(可以先忽略)。
package com.school.demo.security;
import com.google.gson.Gson;
import com.school.demo.base.ResultInfo;
import com.school.demo.utils.JwtUtil;
import com.school.demo.utils.RedisUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@Component
public class CustomizeAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Autowired
private RedisUtils redisUtils;
@Autowired
private Gson gson;
@Autowired
private JwtUtil jwtUtil;
@Override
public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
//更新用户表上次登录时间、更新人、更新时间等字段
User userDetails = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (userDetails == null){
//处理编码方式,防止中文乱码的情况
httpServletResponse.setContentType("text/json;charset=utf-8");
//塞到HttpServletResponse中返回给前台
httpServletResponse.getWriter().write(gson.toJson(new ResultInfo<>("接受数据为空")));
}else {
//处理编码方式,防止中文乱码的情况
httpServletResponse.setContentType("text/json;charset=utf-8");
//塞到HttpServletResponse中返回给前台
Map<String, String> data = new HashMap<>();
String username = userDetails.getUsername();
String token = jwtUtil.generate(username);
data.put("username" , username);
data.put("token", token);
//将token的username保存到redis,实现服务端对用户的控制
redisUtils.set(username, "token", jwtUtil.expiration, TimeUnit.HOURS);
httpServletResponse.getWriter().write(gson.toJson(new ResultInfo<>(data)));
}
}
}
5.登录失败处理器(CustomizeAuthenticationFailureHandler)
springSecurity在登录认证环节失败后会抛出相应的异常,所有的异常都继承AuthenticationException接口。
本文只针对一些常见的异常作了处理,并以json的形式传给前端
package com.cg.springSecurity.security;
import com.google.gson.Gson;
import com.cg.springSecurity.base.ResultInfo;
import org.springframework.security.authentication.*;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class CustomizeAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
//返回json数据
ResultInfo result = null;
Gson gson =new Gson();
if (e instanceof AccountExpiredException) {
//账号过期
result = new ResultInfo<>("error" , "账号过期");
} else if (e instanceof BadCredentialsException) {
//密码错误
result = new ResultInfo<>("error" , "密码错误");
} else if (e instanceof CredentialsExpiredException) {
// 密码过期
result = new ResultInfo<>("error" , "密码过期");
} else if (e instanceof DisabledException) {
//账号不可用
result = new ResultInfo<>("error" , "账号不可用");
} else if (e instanceof LockedException) {
//账号锁定
result = new ResultInfo<>("error" , "账号锁定");
} else if (e instanceof InternalAuthenticationServiceException) {
//用户不存在
result = new ResultInfo<>("error" , "用户名不存在");
}else{
//其他错误
result = new ResultInfo<>("error" , "用户名和密码格式错误");
}
//处理编码方式,防止中文乱码的情况
httpServletResponse.setContentType("text/json;charset=utf-8");
//塞到HttpServletResponse中返回给前台
httpServletResponse.getWriter().write(gson.toJson(result));
}
}
6.登录异常处理器(CustomizeAuthenticationEntryPoint)
在登录验证阶段出现的异常由该类处理。
package com.cg.springSecurity.security;
import com.google.gson.Gson;
import com.cg.springSecurity.base.ResultInfo;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class CustomizeAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException, IOException {
// JsonResult result = ResultTool.fail(ResultCode.USER_NOT_LOGIN);
Gson gson = new Gson();
httpServletResponse.setContentType("text/json;charset=utf-8");
httpServletResponse.getWriter().write(gson.toJson(new ResultInfo<>("error!" , "用户未登录")));
}
}
7.配置SecurityConfig
注入对应的处理器和过滤器,其中不拦截的路径中包含了swagger,方便接口的调试。退出功能logout会在第二节再进行讲解。
package com.cg.springSecurity.config;
import com.cg.springSecurity.security.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.CharacterEncodingFilter;
import javax.annotation.Resource;
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
//登录成功处理器
@Resource
private CustomizeAuthenticationSuccessHandler authenticationSuccessHandler;
//登录失败处理器
@Autowired
private CustomizeAuthenticationFailureHandler authenticationFailureHandler;
//注销处理器
@Autowired
private CustomizeLogoutSuccessHandler logoutSuccessHandler;
//异常处理器
@Autowired
private CustomizeAuthenticationEntryPoint authenticationEntryPoint;
// jwt验证
@Autowired
private JwtLoginFilter jwtLoginFilter;
//注销处理器
@Autowired
private JwtLogoutHandler logoutHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
//添加转码,防止中文乱码
CharacterEncodingFilter encodingFilter = new CharacterEncodingFilter();
encodingFilter.setEncoding("UTF-8");
encodingFilter.setForceEncoding(true);
http.addFilterBefore(encodingFilter, CsrfFilter.class);
http.addFilterBefore(jwtLoginFilter, UsernamePasswordAuthenticationFilter.class);
//配置没有权限访问跳转自定义页面
// http.exceptionHandling().accessDeniedPage("/403.html");
http.logout()
.logoutUrl("/user/logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessUrl("/user/logout")
.logoutSuccessHandler(logoutSuccessHandler)
// .deleteCookies("JSESSIONID")//删除cookie
.permitAll();
//关闭默认登陆页面
// http.removeConfigurer(DefaultLoginPageConfigurer.class);
//禁止session验证
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.formLogin() //自定义自己编写的登陆页面
// .loginPage("/login.html") //登陆页面设置
.loginProcessingUrl("/user/login") //登陆访问路径
.successHandler(authenticationSuccessHandler)
// .defaultSuccessUrl("/success" , true) //登陆成功后跳转路径
// .successForwardUrl("/")
// .failureUrl("/user/fail")//登录失败跳转的路径
.failureHandler(authenticationFailureHandler)
.permitAll()
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)//登陆异常处理
.and().authorizeRequests()
.antMatchers("/user/**","/**/info","/img/**",
"/swagger-ui.html", "/v2/**", "/swagger-resources/**", "/webjars/springfox-swagger-ui/**")
.permitAll()//不拦截的路径
//todo 权限管理
.antMatchers("/school/**").hasAuthority("admin")
// .antMatchers("/test/findAll").hasAnyAuthority("addUser,findAll")
// .antMatchers("/test/hello").hasRole("admin")
// .antMatchers("/test/hello").hasAnyRole("admin")
.anyRequest().authenticated()
.and()
.rememberMe().rememberMeParameter("remember_me")
.userDetailsService(userDetailsService)
.and()
.csrf()
.disable(); //关闭csrf的保护
http.cors();//开启跨域
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(password());
}
@Bean
PasswordEncoder password(){
return new BCryptPasswordEncoder();
}
}
二、jwt认证
jwt是一种无状态的验证方式,具体参考单点登录和JWT的介绍与使用。本文主要讲解jwt在springSecurity中的使用。
1.jwt的生成和解析(JwtUtil)
package com.cg.springSecurity.utils;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.time.Duration;
import java.util.Date;
@Component
public final class JwtUtil {
/**
* 这个秘钥是防止JWT被篡改的关键,随便写什么都好,但决不能泄露
*/
private final static String secretKey = "whatever";
/**
* 过期时间目前设置成2小时,这个配置随业务需求而定
*/
@Value("${expiration.jwt}")
public int expiration;
/**
* 生成JWT
*
* @param userName 用户名
* @return JWT
*/
public String generate(String userName) {
// 过期时间
Date expiryDate = new Date(System.currentTimeMillis() + Duration.ofHours(expiration).toMillis());
return Jwts.builder()
.setSubject(userName) // 将userName放进JWT
.setIssuedAt(new Date()) // 设置JWT签发时间
.setExpiration(expiryDate) // 设置过期时间
.signWith(SignatureAlgorithm.HS512, secretKey) // 设置加密算法和秘钥
.compact();
}
/**
* 解析JWT
*
* @param token JWT字符串
* @return 解析成功返回Claims对象,解析失败返回null
*/
public Claims parse(String token) {
// 如果是空字符串直接返回null
if (StringUtils.isEmpty(token)) {
return null;
}
// 这个Claims对象包含了许多属性,比如签发时间、过期时间以及存放的数据等
Claims claims = null;
// 解析失败了会抛出异常,所以我们要捕捉一下。token过期、token非法都会导致解析失败
try {
claims = Jwts.parser()
.setSigningKey(secretKey) // 设置秘钥
.parseClaimsJws(token)
.getBody();
} catch (JwtException e) {
// 这里应该用日志输出,为了演示方便就直接打印了
System.err.println("解析失败!");
}
return claims;
}
}
2.修改登录逻辑
2.1在登录成功处理器中利用用户名生成jwt并传给前端。
此处保存到redis的key值可以自己更改,保证唯一即可。
//塞到HttpServletResponse中返回给前台
Map<String, String> data = new HashMap<>();
String username = userDetails.getUsername();
String token = jwtUtil.generate(username);
data.put("username" , username);
data.put("token", token);
//将token的username保存到redis,实现服务端对用户的控制
redisUtils.set(username, "token", jwtUtil.expiration, TimeUnit.HOURS);
2.2在登录验证前添加token认证过滤器
package com.cg.springSecurity.security;
import com.cg.springSecurity.service.impl.MyUserDetailsService;
import com.cg.springSecurity.utils.JwtUtil;
import com.cg.springSecurity.utils.RedisUtils;
import io.jsonwebtoken.Claims;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
//自定义的UsernamePasswordAuthenticationFilter
@Component
public class JwtLoginFilter extends OncePerRequestFilter {
@Autowired
private JwtUtil jwtUtil;
@Autowired
private MyUserDetailsService userDetailsService;
@Autowired
private RedisUtils redisUtils;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
// 从请求头中获取token字符串并解析
Claims claims = jwtUtil.parse(request.getHeader("Authorization"));
if (claims != null) {
// 从`JWT`中提取出之前存储好的用户名
String username = claims.getSubject();
//验证redis中是否存在该用户
if (redisUtils.hasKey(username)) {
// 查询出用户对象
UserDetails user = userDetailsService.loadUserByUsername(username);
// 手动组装一个认证对象
Authentication authentication = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
// 将认证对象放到上下文中
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
chain.doFilter(request, response);
}
}
3.jwt存在的问题及问题解决
既然都采用了jwt来验证,那为何在代码中还要保存用户名到redis中并在登录时验证token呢?
因为jwt不受后端的控制,用户在拿到token的有效期内可以一直访问后端,即使中途出现异常操作也无法阻止,本文防止了该情况的发生而采用了redis来校验。当然,你也可以不用这一步,或者采用黑名单的方式,仅仅只用在注销的时候将token存入redis,减少与redis的交互次数。因此,由于加入了删除逻辑,所以需要加入注销逻辑。与登录一样,只需要自己写好注销处理器和注销成功处理器即可。
3.1 注销处理器
package com.cg.springSecurity.security;
import com.cg.springSecurity.utils.JwtUtil;
import com.cg.springSecurity.utils.RedisUtils;
import io.jsonwebtoken.Claims;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Component
public class JwtLogoutHandler implements LogoutHandler {
@Autowired
private JwtUtil jwtUtil;
@Autowired
private RedisUtils redisUtils;
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
Claims claims = jwtUtil.parse(request.getHeader("Authorization"));
if (claims != null) {
redisUtils.removeKey(claims.getSubject());
}
}
}
3.2 注销成功处理器
package com.cg.springSecurity.security;
import com.google.gson.Gson;
import com.cg.springSecurity.base.ResultInfo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class CustomizeLogoutSuccessHandler implements LogoutSuccessHandler {
@Autowired
private Gson gson;
@Override
public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
String header = httpServletRequest.getHeader("Authorization");
httpServletResponse.setContentType("text/json;charset=utf-8");
if (header == null) {
httpServletResponse.getWriter().write(gson.toJson(new ResultInfo<>("error!","注销失败,不合法的token")));
} else httpServletResponse.getWriter().write(gson.toJson(new ResultInfo<>("注销成功!")));
}
}
4. postman验证
未添加token会抛出异常并被登录异常处理器处理
登录后会返回token信息
携带token信号后即可正常访问
注销用户,注销时也需要携带token,否则会默认未登录
再次访问则失败
三、Oauth2第三方认证登录
本文目前仅使用了gitee的授权登录,因为其不需要认证,比较方便,你们可以自行添加其他第三方平台。详情参考Gitee第三方授权登录本文主要介绍gitee授权在前后端分离项目中的应用。引用流程图:
1.添加认证重定向接口
该接口用于接受认证服务器验证成功后发送的令牌信息,使用该令牌获取用户在gitee上的公开信息,解析并生成jwt令牌返回给前端。其中发送post请求采用的是RestTemplate,不了解的可以自行去了解。
package com.cg.springSecurity.controller;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.cg.springSecurity.pojo.User;
import com.cg.springSecurity.service.UserService;
import com.cg.springSecurity.utils.JwtUtil;
import com.cg.springSecurity.utils.RedisUtils;
import com.cg.springSecurity.vo.Oauth2Vo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.PropertySource;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.client.RestTemplate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
/**
* @author cg
* @date 2023/3/23 15:32
*/
@Controller
@CrossOrigin
@RequestMapping("user")
@PropertySource(value = "classpath:/oauth2.properties")
public class Oauth2Controller {
@Autowired
private RestTemplate restTemplate;
@Autowired
private JwtUtil jwtUtil;
@Autowired
private RedisUtils redisUtils;
@Autowired
private UserService userService;
@Value("${gitee.client_id}")
private String clientId;
@Value("${gitee.client_secret}")
private String clientSecret;
@Value("${gitee.client.redirect_uri}")
private String redirectUri;
@Value("${gitee.redirect_uri}")
private String address;//你的前端主页面地址
//处理code码
@RequestMapping("oauth2")
public void oauth2(String code,HttpServletResponse response) {
// System.out.println("code = " + code);
Map<String, Object> map = new HashMap<>();
String url = "https://gitee.com/oauth/token?" +
"grant_type=authorization_code&code=" + code +
"&client_id=" + clientId +
"&redirect_uri=" + redirectUri +
"&client_secret=" + clientSecret;
//利用RestTemplate发送post请求
ResponseEntity<Oauth2Vo> entity = restTemplate.postForEntity(url, null, Oauth2Vo.class);
Oauth2Vo oauth2Vo = entity.getBody();
//使用唯一id作为用户名生成token
String username = "gitee" + oauth2Vo.getCreated_at();
User user = new User();
user.setUsername(username);
user.setPassword(username);
//未注册则注册
if (userService.getOne(new QueryWrapper<User>().eq("username",username)) == null) userService.save(user);
String token = jwtUtil.generate(username);
if (token != null) {
redisUtils.set(username, "token");
try {
response.sendRedirect(address + token);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
}
2. 为啥返回的是重定向,而不是json数据
首先第三方认证需要用户点击链接进入访问,此操作必须由前端操控,而第三方认证成功后返回的令牌信息涉及到隐私和重要信息,必须在后端进行处理,那么此时后端要如何将生成的jwt令牌传输给前端呢?本文采用的是重定向的方式,将jwt信息放在url地址中,由前端负责解析。注意,在前后端分离项目中,前后端无法使用session来进行信息的交互。
前端解析代码如下:
<template>
<div class="app-container" >
<el-tree :data="data" :props="defaultProps" @node-click="handleNodeClick"></el-tree>
</div>
</template>
<script>
export default {
data() {
return{};
},
created(){
this.token()
},
methods: {
token(){
let url = window.location.href
console.log(url);
let token = this.$route.params.token
// console.log(token);
// alert(token)
this.$message.success('登录成功')
// 存储token到浏览器
localStorage.setItem('eleToken', token)
// sessionStorage.setItem('token',res.token)
this.$router.push({path:'/ucenter2'}); //跳转到主页
}
}
}
</script>
四.结尾
gitee链接:springSecurity: springSecurity + Jwt + Oauth2实现登录模块
目前还只有登录和注册功能,后续应该会继续添加功能并且增加springSecurity的第二大超级强的功能:权限管理。