Spring Boot集成Spring Security 搭建登录模块

最新推荐文章于 2024-07-03 18:24:21 发布
最新推荐文章于 2024-07-03 18:24:21 发布
阅读量1.3k 收藏 27
点赞数 30
分类专栏: Spring Cloud Spring Boot 文章标签: 后端 spring boot spring cloud
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_58353992/article/details/136289632
版权

目录

环境介绍

Spring Boot 3.1.8 + Spring Cloud 2022.0.5 + Spring Security 6.1.6

Spring Security

1. Spring Security 原理

1.1 概念

认证:就是可不可以登录系统
授权:有没有权限访问资源
权限模型:RBAC

1.2 流程图

引用同学流程图https://www.jb51.net/article/283381.htm#_label0,感谢

2.Spring Security 搭建

2.1 项目目录介绍

main 父级工程
----parent 版本控制
----core 核心框架 依赖jar包
----common 公共依赖
----gateway 网关
----plateform 客户业务模块
----admin 后台模块
在本文中有两套登录系统一套为客户登录(plateform),一套为运营登录(admin)
两套登录复用一个core中的登录,并采用用户名密码和手机验证码两种登录方式

2.2 添加依赖

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <scope>compile</scope>
        </dependency>

2.3 自定义 UserDetail

@Data
public class User implements UserDetails {
    private Long userId;

    private String username;
    
    private String password;

    private Long organizationId;

    private Collection<? extends GrantedAuthority> authorities = List.of();

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
        this.authorities = authorities;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }`
}

public interface UserService extends UserDetailsService {

 UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

2.4 配置Spring Security 忽略Path

可以使用使用配置类配置,在本文中将config相关配置放在了登录接口中实线

@Component
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
   //处理登录认证
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //登录过程处理
        http.formLogin()    //表单登录
                .loginProcessingUrl("/api/user/login") //登录请求url地址
                .successHandler(loginSuccessHandler)   //认证成功
                .failureHandler(loginFailureHandler)   //认证失败
                .and()
                .csrf().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) //不创建Session
                .and().authorizeRequests() //设置需要拦截的请求
                .antMatchers("/api/user/login").permitAll()//登录放行
                .anyRequest().authenticated()  //其他请求一律拦截
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(anonymousAuthenticationHandler)  //匿名无权限类
                .accessDeniedHandler(customerAccessDeniedHandler)       //认证用户无权限
                .and()
                .cors();//支持跨域
    }

本文配置白名单

@Configuration(proxyBeanMethods = false)
public class WebSecurityCustomizerConfig {
    @Autowired
    private IgnorePatternsProperty ignorePatternsProperty;
    @Bean
    public Collection<RequestMatcher> requestIgnoreRequestMatchers() {
        Set<String> patterns = new HashSet<>();

        if (ignorePatternsProperty != null &&
            ignorePatternsProperty.getPatterns() != null) {
            patterns.addAll(ignorePatternsProperty.getPatterns());
        }
        List<RequestMatcher> requestMatchers = new ArrayList<>();
        for (String str : patterns) {
            requestMatchers.add(AntPathRequestMatcher.antMatcher(str));
        }
        return requestMatchers;
    }
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        Collection<RequestMatcher> requestMatchers = requestIgnoreRequestMatchers();

        return new WebSecurityCustomizer() {
            @Override
            public void customize(WebSecurity web) {
                if (requestMatchers.isEmpty()) {
                    return;
                }
                web.ignoring()
                    .requestMatchers(requestMatchers.toArray(new RequestMatcher[0]));
            }
        };
    }
    @Bean
    public WebMvcProperties webMvcProperties() {
        WebMvcProperties properties = new WebMvcProperties();
        // 设置其他属性,例如视图解析器、静态资源位置等
        properties.setThrowExceptionIfNoHandlerFound(true);
        return properties;
    }

2.5 编写登录接口

public abstract class AbstractAuthServerController {

    private final AuthenticationManager authenticationManager;

    public AbstractAuthServerController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    protected ClaimUser authenticate(Authentication authenticationToken) {

        Authentication authentication = authenticationManager.authenticate(authenticationToken);

        User authenticatedUser = (User) authentication.getPrincipal();

        ClaimUser claimUser = new ClaimUser();
        claimUser.setId(authenticatedUser.getUserId());
        claimUser.setUsername(authenticatedUser.getUsername());
        claimUser.setOrganizationId(authenticatedUser.getOrganizationId());
        claimUser.setAuthorities(AuthorityUtils.authorityListToSet(authenticatedUser.getAuthorities()));

        return claimUser;
    }
}

@Slf4j
@Tag(name = "DefaultAuthServerController")
@RequestMapping("/auth")
@RestController
@Validated
@Observed(name = "DefaultAuthServerController")
public class DefaultAuthServerController extends AbstractAuthServerController {

    private final JwtService jwtService;
    private final UserService userService;
    private final ModelMapper modelMapper;

    public DefaultAuthServerController(
        JwtService jwtService,
        AuthenticationManager authenticationManager,
        UserService userService, ModelMapper modelMapper) {
        super(authenticationManager);
        this.jwtService = jwtService;
        this.userService = userService;
        this.modelMapper = modelMapper;
    }

    @PostMapping("/login")
    public ResponseEntity<LoginResponse> login(@RequestBody @Validated LoginUsernameRequest request) {
        userService.preUsernameLoginCheck(request);

        try {
            ClaimUser claimUser = super.authenticate(
                new UsernameAuthenticationToken(request.getUsername(), request.getPassword(), request.getExtraInfo())
            );

            Map<String, String> jwtTokenPair = jwtService.generateToken(claimUser);

            LoginResponse response = new LoginResponse();

            response.setTokenType(Constant.DEFAULT_TOKEN_TYPE);
            response.setAccessToken(jwtTokenPair.get(Constant.ACCESS_TOKEN));
            response.setAccessExpiresIn(jwtService.getAccessExpirationTime());
            response.setRefreshToken(jwtTokenPair.get(Constant.REFRESH_TOKEN));

            userService.usernameLoginSuccessHandle(request, claimUser);

            return ResponseEntity.ok(response);
        } catch (Exception ex) {
            log.error("Username login failed. message = {}", ex.getMessage());
            userService.usernameLoginFailedHandle(request, ex);
            throw ex;
        }
    }

    @PostMapping(value = "/refresh", consumes = MediaType.TEXT_PLAIN_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<LoginResponse> refresh(@RequestBody @NotBlank(message = "{act.refresh.token.not.blank}") String token) {

        var claim = jwtService.extractAllClaims(token);
        if (!jwtService.isTokenValid(token, claim.getSubject())) {
            throw new ActBadRequestException(MessageSourceContext.getAccessor().getMessage("act.refresh.token.invalid"));
        }
        User user = userService.findById(Long.parseLong(claim.getSubject()));

        ClaimUser claimUser = modelMapper.map(user, ClaimUser.class);
        claimUser.setId(user.getUserId());

        Map<String, String> jwtTokenPair = jwtService.generateToken(claimUser);

        LoginResponse response = new LoginResponse();

        response.setTokenType(Constant.DEFAULT_TOKEN_TYPE);
        response.setAccessToken(jwtTokenPair.get(Constant.ACCESS_TOKEN));
        response.setAccessExpiresIn(jwtService.getAccessExpirationTime());
        response.setRefreshToken(jwtTokenPair.get(Constant.REFRESH_TOKEN));

        return ResponseEntity.ok(response);
    }

@Slf4j
@Tag(name = "SmsAuthServerController")
@RequestMapping("/auth/sms")
@RestController
@Observed(name = "SmsAuthServerController")
public class SmsAuthServerController extends AbstractAuthServerController {

    private final JwtService jwtService;
    private final UserService userService;

    public SmsAuthServerController(JwtService jwtService,
                                   AuthenticationManager authenticationManager,
                                   UserService userService) {
        super(authenticationManager);
        this.jwtService = jwtService;
        this.userService = userService;
    }

    @PostMapping("/login")
    public ResponseEntity<LoginResponse> authenticate(@RequestBody @Validated LoginSmsVerifyCodeRequest request) {
        userService.preSMSLoginCheck(request);

        try {
            ClaimUser claimUser = super.authenticate(
                new SmsAuthenticationToken(request.getPhoneNumber(), request.getVerifyCode(), request.getExtraInfo())
            );

            Map<String, String> jwtTokenPair = jwtService.generateToken(claimUser);

            LoginResponse response = new LoginResponse();

            response.setTokenType(Constant.DEFAULT_TOKEN_TYPE);
            response.setAccessToken(jwtTokenPair.get(Constant.ACCESS_TOKEN));
            response.setAccessExpiresIn(jwtService.getAccessExpirationTime());
            response.setRefreshToken(jwtTokenPair.get(Constant.REFRESH_TOKEN));

            userService.smsLoginSuccessHandle(request, claimUser);

            return ResponseEntity.ok(response);
        } catch (Exception ex) {
            log.error("SMS login failed. message = {}", ex.getMessage());
            userService.smsLoginFailedHandle(request, ex);
            throw ex;
        }
    }

2.6 进入认证流程

username认证流程
  1. 将请求信息封装到Authentication实现UserNameAuthenticationToken
    调用AuthenticationManage下的ProviderManager.authenticate(UserNameAuthenticationToken)
  2. 调用provider.authenticate委托认证AuthenticationProvider
  3. 实现AuthenticationProvider,重写authenticate()方法
  4. 调用 retrieveUser(),在方法里查询user信息返回UserDetails
2.6.1 封装认证信息
public class UsernameAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    private final Object principal;

    private Object credentials;

    private final Object extraInfo;

    /**
     * This constructor can be safely used by any code that wishes to create a
     * <code>UsernameAuthenticationToken</code>, as the {@link #isAuthenticated()}
     * will return <code>false</code>.
     */
    public UsernameAuthenticationToken(Object principal, Object credentials, Object extraInfo) {
        super(null);
        this.principal = principal;
        this.credentials = credentials;
        this.extraInfo = extraInfo;
        setAuthenticated(false);
    }

    /**
     * This constructor should only be used by <code>AuthenticationManager</code> or
     * <code>AuthenticationProvider</code> implementations that are satisfied with
     * producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
     * authentication token.
     *
     * @param principal
     * @param credentials
     * @param authorities
     */
    public UsernameAuthenticationToken(Object principal, Object credentials, Object extraInfo,
                                       Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        this.extraInfo = extraInfo;
        super.setAuthenticated(true); // must use super, as we override
    }

    /**
     * This factory method can be safely used by any code that wishes to create a
     * unauthenticated <code>UsernameAuthenticationToken</code>.
     *
     * @param principal
     * @param credentials
     * @return UsernameAuthenticationToken with false isAuthenticated() result
     * @since 5.7
     */
    public static UsernameAuthenticationToken unauthenticated(Object principal, Object credentials, Object extraInfo) {
        return new UsernameAuthenticationToken(principal, credentials, extraInfo);
    }

    /**
     * This factory method can be safely used by any code that wishes to create a
     * authenticated <code>UsernameAuthenticationToken</code>.
     *
     * @param principal
     * @param credentials
     * @param extraInfo
     * @return UsernameAuthenticationToken with true isAuthenticated() result
     * @since 5.7
     */
    public static UsernameAuthenticationToken authenticated(Object principal, Object credentials, Object extraInfo,
                                                                    Collection<? extends GrantedAuthority> authorities) {
        return new UsernameAuthenticationToken(principal, credentials, extraInfo, authorities);
    }

    @Override
    public Object getCredentials() {
        return this.credentials;
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }

    public String getExtraInfo() {
        return extraInfo == null ? null : extraInfo.toString();
    }

    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        Assert.isTrue(!isAuthenticated,
            "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        super.setAuthenticated(false);
    }

    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
        this.credentials = null;
    }

}

@Slf4j
@Tag(name = "SmsAuthServerController")
@RequestMapping("/auth/sms")
@RestController
@Observed(name = "SmsAuthServerController")
public class SmsAuthServerController extends AbstractAuthServerController {

    private final JwtService jwtService;
    private final UserService userService;

    public SmsAuthServerController(JwtService jwtService,
                                   AuthenticationManager authenticationManager,
                                   UserService userService) {
        super(authenticationManager);
        this.jwtService = jwtService;
        this.userService = userService;
    }

    @PostMapping("/login")
    public ResponseEntity<LoginResponse> authenticate(@RequestBody @Validated LoginSmsVerifyCodeRequest request) {
        userService.preSMSLoginCheck(request);

        try {
            ClaimUser claimUser = super.authenticate(
                new SmsAuthenticationToken(request.getPhoneNumber(), request.getVerifyCode(), request.getExtraInfo())
            );

            Map<String, String> jwtTokenPair = jwtService.generateToken(claimUser);

            LoginResponse response = new LoginResponse();

            response.setTokenType(Constant.DEFAULT_TOKEN_TYPE);
            response.setAccessToken(jwtTokenPair.get(Constant.ACCESS_TOKEN));
            response.setAccessExpiresIn(jwtService.getAccessExpirationTime());
            response.setRefreshToken(jwtTokenPair.get(Constant.REFRESH_TOKEN));

            userService.smsLoginSuccessHandle(request, claimUser);

            return ResponseEntity.ok(response);
        } catch (Exception ex) {
            log.error("SMS login failed. message = {}", ex.getMessage());
            userService.smsLoginFailedHandle(request, ex);
            throw ex;
        }
    }
}
2.6.2 自定义实现AuthenticationProvider
public class UsernameAuthenticationProvider extends AbstractUsernameAuthenticationProvider {

    /**
     * The plaintext password used to perform
     * {@link PasswordEncoder#matches(CharSequence, String)} on when the user is not found
     * to avoid SEC-2056.
     */
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    private PasswordEncoder passwordEncoder;

    /**
     * The password used to perform {@link PasswordEncoder#matches(CharSequence, String)}
     * on when the user is not found to avoid SEC-2056. This is necessary, because some
     * {@link PasswordEncoder} implementations will short circuit if the password is not
     * in a valid format.
     */
    private volatile String userNotFoundEncodedPassword;

    private UserDetailsService userDetailsService;

    private UserDetailsPasswordService userDetailsPasswordService;

    public UsernameAuthenticationProvider() {
        this(PasswordEncoderFactories.createDelegatingPasswordEncoder());
    }

    /**
     * Creates a new instance using the provided {@link PasswordEncoder}
     *
     * @param passwordEncoder the {@link PasswordEncoder} to use. Cannot be null.
     * @since 6.0.3
     */
    public UsernameAuthenticationProvider(PasswordEncoder passwordEncoder) {
        setPasswordEncoder(passwordEncoder);
    }

    @Override
    @SuppressWarnings("deprecation")
    protected void additionalAuthenticationChecks(UserDetails userDetails,
                                                  UsernameAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Failed to authenticate since no credentials provided");
            throw new BadCredentialsException(this.messages
                .getMessage("act.login.bad.credentials", "Bad credentials"));
        }
        String presentedPassword = authentication.getCredentials().toString();
        if (StringUtils.isEmpty(userDetails.getPassword()) || !this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            this.logger.debug("Failed to authenticate since password does not match stored value");
            throw new ActBadPasswordException(this.messages
                .getMessage("act.login.bad.password", "Bad Password"));
        }
    }

    @Override
    protected void doAfterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
    }

    @Override
    protected final UserDetails retrieveUser(String username, UsernameAuthenticationToken authentication)
        throws AuthenticationException {
        prepareTimingAttackProtection();
        try {
            if (!(this.getUserDetailsService() instanceof UserService userService)) {
                throw new InternalAuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
            }

            UserDetails loadedUser = userService.findByUsername(username, authentication.getExtraInfo());
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
            }

            return loadedUser;
        } catch (UsernameNotFoundException ex) {
            mitigateAgainstTimingAttack(authentication);
            throw ex;
        } catch (InternalAuthenticationServiceException ex) {
            throw ex;
        } catch (Exception ex) {
            throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
        }
    }

    @Override
    protected Authentication createSuccessAuthentication(Object principal, UsernameAuthenticationToken authentication,
                                                         UserDetails user) {
        boolean upgradeEncoding = this.userDetailsPasswordService != null
            && this.passwordEncoder.upgradeEncoding(user.getPassword());
        if (upgradeEncoding) {
            String presentedPassword = authentication.getCredentials().toString();
            String newPassword = this.passwordEncoder.encode(presentedPassword);
            user = this.userDetailsPasswordService.updatePassword(user, newPassword);
        }
        return super.createSuccessAuthentication(principal, authentication, user);
    }

    private void prepareTimingAttackProtection() {
        if (this.userNotFoundEncodedPassword == null) {
            this.userNotFoundEncodedPassword = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
        }
    }

    private void mitigateAgainstTimingAttack(UsernameAuthenticationToken authentication) {
        if (authentication.getCredentials() != null) {
            String presentedPassword = authentication.getCredentials().toString();
            this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
        }
    }

    /**
     * Sets the PasswordEncoder instance to be used to encode and validate passwords. If
     * not set, the password will be compared using
     * {@link PasswordEncoderFactories#createDelegatingPasswordEncoder()}
     *
     * @param passwordEncoder must be an instance of one of the {@code PasswordEncoder}
     *                        types.
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
        this.passwordEncoder = passwordEncoder;
        this.userNotFoundEncodedPassword = null;
    }

    protected PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    protected UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

    public void setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService) {
        this.userDetailsPasswordService = userDetailsPasswordService;
    }

}

public class SmsAuthenticationProvider extends AbstractSmsAuthenticationProvider {
    private UserDetailsService userDetailsService;
    private SmsVerifyCodeService smsVerifyCodeService;

    public SmsAuthenticationProvider() {
    }

    @Override
    protected void additionalAuthenticationChecks(String phoneNumber,
                                                  SmsAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Failed to authenticate since no credentials provided");
            throw new BadCredentialsException(this.messages
                .getMessage("AbstractSmsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
        String inputVerifyCode = authentication.getCredentials().toString();
        String verifyCode = smsVerifyCodeService.loadVerifyCodeByPhoneNumber(phoneNumber);

        if (!verifyCode.matches(inputVerifyCode)) {
            this.logger.debug("Failed to authenticate since verify code does not match stored value");
            throw new ActBadSmsVerifyCodeException(this.messages
                .getMessage("act.login.bad.sms.verify.code", "Bad sms verify code"));
        }
    }

    @Override
    protected void doAfterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
    }

    @Override
    protected final UserDetails retrieveUser(String phoneNumber, SmsAuthenticationToken authentication)
        throws AuthenticationException {
        prepareTimingAttackProtection();
        try {

            if (!(userDetailsService instanceof UserService userService)) {
                throw new InternalAuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
            }

            UserDetails loadedUser = userService.findByPhoneNumber(phoneNumber, authentication.getExtraInfo());
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
            }
            return loadedUser;
        } catch (ActPhoneNumberNotFoundException ex) {
            mitigateAgainstTimingAttack(authentication);
            throw ex;
        } catch (InternalAuthenticationServiceException ex) {
            throw ex;
        } catch (Exception ex) {
            throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
        }
    }

    @Override
    protected Authentication createSuccessAuthentication(Object principal, SmsAuthenticationToken authentication,
                                                         UserDetails user) {
        return super.createSuccessAuthentication(principal, authentication, user);
    }

    private void prepareTimingAttackProtection() {
    }

    private void mitigateAgainstTimingAttack(SmsAuthenticationToken authentication) {
    }

    public void setSmsVerifyCodeService(SmsVerifyCodeService smsVerifyCodeService) {
        Assert.notNull(smsVerifyCodeService, "smsVerifyCodeService cannot be null");
        this.smsVerifyCodeService = smsVerifyCodeService;
    }

    protected SmsVerifyCodeService getSmsVerifyCodeService() {
        return this.smsVerifyCodeService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    protected UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

}

2.7 生成JWT token

@Service
public class JwtServiceImpl implements JwtService {
    @Autowired
    private JwtSecurityProperty jwtSecurityProperty;

    @Override
    public Claims extractAllClaims(String token) {
        return Jwts
                .parserBuilder()
                .setSigningKey(getSignInKey())
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    @Override
    public String extractSubject(String token) {
        return extractClaim(token, Claims::getSubject);
    }

    @Override
    public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = extractAllClaims(token);
        return claimsResolver.apply(claims);
    }

    @Override
    public Map<String, String> generateToken(ClaimUser claimUser) {
        Map<String, Object> accessClaims = new HashMap<>();
        accessClaims.put("id", claimUser.getId());
        accessClaims.put("username", claimUser.getUsername());
        accessClaims.put("organizationId", claimUser.getOrganizationId());
        accessClaims.put("authorities", claimUser.getAuthorities());

        Map<String, Object> refreshClaims = new HashMap<>();
        refreshClaims.put("id", claimUser.getId());

        return generateTokenPair(accessClaims, refreshClaims,
                claimUser.getUsername(),
                String.valueOf(claimUser.getId()),
                System.currentTimeMillis(),
                jwtSecurityProperty.getAccessExpirationTime(),
                jwtSecurityProperty.getRefreshExpirationTime());
    }

    public Map<String, String> generateTokenPair(Map<String, Object> accessClaims,
                                                 Map<String, Object> refreshClaims,
                                                 String accessTokenSubject,
                                                 String refreshTokenSubject,
                                                 long issuedAt,
                                                 long accessTokenExpiration,
                                                 long refreshTokenExpiration) {

        Map<String, String> tokenPair = new HashMap<>();

        String accessToken = buildToken(accessClaims, accessTokenSubject, issuedAt, accessTokenExpiration);
        tokenPair.put(Constant.ACCESS_TOKEN, accessToken);

        String refreshToken = buildToken(refreshClaims, refreshTokenSubject, issuedAt, refreshTokenExpiration);
        tokenPair.put(Constant.REFRESH_TOKEN, refreshToken);

        return tokenPair;
    }

    public long getAccessExpirationTime() {
        return jwtSecurityProperty.getAccessExpirationTime();
    }

    public long getRefreshExpirationTime() {
        return jwtSecurityProperty.getRefreshExpirationTime();
    }

    private String buildToken(
            Map<String, Object> extraClaims,
            String subject,
            long issuedAt,
            long expiration
    ) {
        return Jwts
                .builder()
                .setClaims(extraClaims)
                .setSubject(subject)
                .setIssuedAt(new Date(issuedAt + expiration))
                .setExpiration(new Date(issuedAt + expiration))
                .signWith(getSignInKey(), SignatureAlgorithm.HS256)
                .compact();
    }

    public boolean isTokenValid(String token, String subject) {
        return (extractSubject(token).equals(subject)) && !isTokenExpired(token);
    }

    private boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    private Date extractExpiration(String token) {
        return
                extractClaim(token, Claims::getExpiration);
    }

    private Key getSignInKey() {
        byte[] keyBytes = Decoders.BASE64.decode(jwtSecurityProperty.getSecretKey());
        return Keys.hmacShaKeyFor(keyBytes);
    }
}

2.8 访问服务解析JWT token

2.8.1 JWT token 解析过滤器
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final Collection<RequestMatcher> requestIgnoreRequestMatchers;
    private final HandlerExceptionResolver handlerExceptionResolver;

    private final JwtService jwtService;

    public JwtAuthenticationFilter(
        Collection<RequestMatcher> requestIgnoreRequestMatchers, JwtService jwtService,
        HandlerExceptionResolver handlerExceptionResolver
    ) {
        this.requestIgnoreRequestMatchers = requestIgnoreRequestMatchers;
        this.jwtService = jwtService;

        this.handlerExceptionResolver = handlerExceptionResolver;
    }

    @Override
    protected void doFilterInternal(
        @NonNull HttpServletRequest request,
        @NonNull HttpServletResponse response,
        @NonNull FilterChain filterChain
    ) throws ServletException, IOException {
        final String authHeader = request.getHeader("Authorization");

        if (authHeader == null || !authHeader.startsWith("Bearer ") || isIgnoreRequests(request)) {
            filterChain.doFilter(request, response);
            return;
        }

        try {
            final String jwt = authHeader.substring(7);
            final var claims = jwtService.extractAllClaims(jwt);
            final String username = claims.getSubject();

            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (username != null && authentication == null) {

                if (jwtService.isTokenValid(jwt, username)) {
                    ClaimUser claimUser = convert(claims);

                    Collection<? extends GrantedAuthority> authorities
                        = AuthorityUtils.createAuthorityList(claimUser.getAuthorities().toArray(new String[0]));

                    UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
                        claimUser,
                        null,
                        authorities
                    );

                    authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(authToken);
                }
            }

            filterChain.doFilter(request, response);
        } catch (Exception exception) {
            handlerExceptionResolver.resolveException(request, response, null, exception);
        }
    }

    private ClaimUser convert(Claims claims) {
        ClaimUser claimUser = new ClaimUser();
        claimUser.setId(claims.get("id", Long.class));
        claimUser.setOrganizationId(claims.get("organizationId", Long.class));
        claimUser.setUsername(claims.getSubject());

        var data = claims.get("authorities", Collection.class);
        List<String> authorities = new ArrayList<>();
        for (Object obj : data) {
            authorities.add(obj.toString());
        }
        claimUser.setAuthorities(authorities);

        return claimUser;

    }

    private boolean isIgnoreRequests(HttpServletRequest request) {

        for (RequestMatcher requestMatcher : this.requestIgnoreRequestMatchers) {
            if (requestMatcher.matches(request)) {
                return true;
            }
        }

        return false;
    }
}
2.8.2 配置JWT token过滤器
@Slf4j
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
@Configuration(proxyBeanMethods = false)
public class AuthServerSecurityConfig {
    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    public AuthServerSecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter
    ) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.exceptionHandling(exceptionHandlingConfig -> exceptionHandlingConfig
                        .authenticationEntryPoint(new UnauthorizedEntryPoint()))
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                .sessionManagement((sessionManagement) -> sessionManagement
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                )
                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}

2.9 将core中的登录相关bean注入登录Service

2.9.1 创建注解,导入core config
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Inherited
@Import({AuthServerAppConfig.class})
public @interface EnableActsAuthServer {
}

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Inherited
@Import({SmsAuthServerController.class})
public @interface EnableActsAuthSmsLogin {
}
2.9.2 创建 config
@Configuration
@Import({AuthResourceSecurityConfig.class,
        WebSecurityCustomizerConfig.class,
        PasswordEncoderConfig.class,
        WebMvcConfig.class,
        GrpcAuthConfig.class,
        RedisCacheConfig.class,
        ModelMapperConfig.class,
        MessageSourceConfig.class,
        OpenAPISecurityConfig.class,
        ObservedAspectConfig.class,
        GrpcZipkinConfig.class})
@ComponentScans(value = {
        @ComponentScan(value = "com.core.properties"),
        @ComponentScan(value = "com.core.filter"),
        @ComponentScan(value = "com.core.component"),
        @ComponentScan(value = "com.core.exceptions"),
        @ComponentScan(value = "com.core.utils"),
        @ComponentScan(value = "com.core.controller", excludeFilters = {
                @ComponentScan.Filter(type = FilterType.ASSIGNABLE_TYPE, classes = {
                       SmsAuthServerController.class
                })
        }),
        @ComponentScan(value = "com.core.service")
})
public class AuthServerAppConfig {
    private final UserService userService;

    private final PasswordEncoder passwordEncoder;

    @Autowired(required = false)
    private SmsVerifyCodeService smsVerifyCodeService;
    private final AuthenticationManagerBuilder authenticationManagerBuilder;

    public AuthServerAppConfig(UserService userService, PasswordEncoder passwordEncoder, AuthenticationManagerBuilder authenticationManagerBuilder) {
        this.userService = userService;
        this.passwordEncoder = passwordEncoder;
        this.authenticationManagerBuilder = authenticationManagerBuilder;
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        authenticationManagerBuilder.authenticationProvider(authenticationProvider());

        AuthenticationProvider smsAuthenticationProvider = smsAuthenticationProvider();
        if (smsAuthenticationProvider != null) {
            authenticationManagerBuilder.authenticationProvider(smsAuthenticationProvider());
        }

        return config.getAuthenticationManager();
    }

    @Bean
    AuthenticationProvider authenticationProvider() {
        UsernameAuthenticationProvider authProvider = new UsernameAuthenticationProvider();

        authProvider.setUserDetailsService(userService);
        authProvider.setPasswordEncoder(passwordEncoder);

        return authProvider;
    }

    private AuthenticationProvider smsAuthenticationProvider() {
        if (smsVerifyCodeService == null) {
            return null;
        }

        SmsAuthenticationProvider authProvider = new SmsAuthenticationProvider();
        authProvider.setUserDetailsService(userService);
        authProvider.setSmsVerifyCodeService(smsVerifyCodeService);

        return authProvider;
    }
}
2.9.3 启动类添加注解
@EnableActsAuthSmsLogin
public class PlatformApplication {
	public static void main(String[] args) {
		SpringApplication.run(PlatformApplication.class, args);
	}
}

@EnableActsAuthServer
public class AdminApplication {
	 public static void main(String[] args) {
        SpringApplication.run(AdminApplication.class, args);
    }
}

致谢

感谢领导的指导

二进制诗人
关注
  • 30
    点赞
  • 27
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
Spring Boot+Spring Security 实现自动登录功能(实战+源码分析)
weixin_47083537的博客
04-28 829
自动登录是我们在软件开发时一个非常常见的功能,例如我们登录 QQ 邮箱: 很多网站我们在登录的时候都会看到类似的选项,毕竟总让用户输入用户名密码是一件很麻烦的事。 自动登录功能就是,用户在登录成功后,在某一段时间内,如果用户关闭了浏览器并重新打开,或者服务器重启了,都不需要用户重新登录了,用户依然可以直接访问接口数据。 作为一个常见的功能,我们的 Spring Security 肯定也提供了相应...
详解Spring Boot 使用Spring security 集成CAS
08-30
Spring Boot 使用 Spring Security 集成 CAS Spring Boot 是一个基于 Java 的开源框架,用于快速构建生产级别的应用程序。Spring Security 是一个基于 Spring 的安全框架,提供了身份验证、授权和访问控制等功能。...
一百六十八
ouhou999的博客
12-28 192
简介 登录模块很简单,前端发送账号密码的表单,后端接收验证后即可~ 淦!可是我想多了,于是有了以下几个问题(里面还包含网络安全问题): 1.登录时的验证码 2.自动登录的实现 3.怎么维护前后端登录状态 在这和大家分享下我实现此功能的过程,包括一些技术和心得 1.登录时的验证码 为什么要验证码,原因很简单,防止脚本无限次重复登录,来暴力破解用户密码或者攻击服务器 验证码的出现,使得每次登录都有个动态变量需要输入,无法用脚本写死代码 具体可以参考:滑动验证码的设计和理解 2.自动登录的实现 所谓自动登录,指的
SpringBoot 整合 SpringSecurity
最新发布
一个95后开发者,热爱编程,喜欢玩游戏. 希望可以结识更多的小伙伴...
07-03 926
springboot-security安全登录
m0_46542185的博客
06-26 1640
springboot-security安全认证登录 简单示例
SpringBoot集成Spring Security(6)——登录管理
Jitwxs
11-29 1万+
文章目录一、限制最大登录数二、踢出用户 在本篇中,主要关注登录的管理,因此代码使用最原始版本的即可,即《SpringBoot集成Spring Security(1)——入门程序》源码即可。 源码地址:https://github.com/jitwxs/blog_sample 一、限制最大登录数 修改 WebSecurityConfig 的 configure() 方法,关键代码如下: .ses...
Springboot整合SpringSecurity实现登录认证和鉴权
weixin_44068320的博客
08-12 9793
springboot整合springsecurity实现用户登录认证和鉴权
SpringBoot + Spring Security 基本使用及个性化登录配置
热门推荐
whyalwaysmea
03-18 15万+
Spring Security 基本介绍 这里就不对Spring Security进行过多的介绍了,具体的可以参考官方文档 我就只说下SpringSecurity核心功能: 认证(你是谁) 授权(你能干什么) 攻击防护(防止伪造身份) 基本环境搭建 这里我们以SpringBoot作为项目的基本框架,我这里使用的是maven的方式来进行的包管理,所以这里先给出集成Spring S...
Spring Cloud Gateway 整合 Spring Security 统一登录认证鉴权
02-24
在压缩包文件`spring_gateway_security_webflux`中,可能包含了示例代码或配置文件,用于演示如何在Spring Cloud Gateway中集成Spring Security,实现统一登录认证鉴权。这些资源可以帮助开发者更快地理解和实践上述...
Spring Boot集成Spring Security的Demo
11-13
Spring Boot集成Spring Security是开发基于Java的Web应用时常见的安全框架选择。Spring Security提供了一整套强大且灵活的安全控制机制,使得开发者可以轻松地实现身份验证、授权以及各种安全功能。下面将详细介绍...
spring-boot集成spring-security的oauth2实现github登录网站的示例
08-28
Spring Boot 集成 Spring Security 的 OAuth2 实现 GitHub 登录网站的示例 本篇文章主要介绍了 Spring Boot 集成 Spring Security 的 OAuth2 实现 GitHub 登录网站的示例,非常具有实用价值,需要的朋友可以参考下...
Spring Boot2.0使用Spring Security的示例代码
08-27
Spring Boot 2.0 使用 Spring Security 的示例代码 Spring Security 是一个基于 Spring 框架的安全性解决方案,提供了用户认证和用户授权两个主要功能。用户认证指的是验证某个用户是否为系统中的合法主体,而用户...
Springboot登录模板
ljlCSDNnumber的博客
01-19 623
jwt是一种登录认证方式,目的是防止用户在未登录的情况下,访问到其他资源。没有登录认证情况下,后端资源会被随意访问:加入JWT认证后,访问后端资源,会首先校验是否先登录jwt结构:1、Header(头), 记录令牌类型和签名算法等2、PayLoad(载荷),携带自定义的信息3、Signature(签名),对头部和载荷进行加密计算得来作用:用于存放用户信息。用来存取数据: set()/get()使用ThreadLocal存储的数据, 线程安全用完记得调用remove方法释放。
第2章 Spring Boot实践,开发社区登录模块(上)
qq_50313418的博客
08-02 566
不是在LoginController中的getLoginPage访问登录方法之中写的,getLoginPage这个方法是给浏览器返回一个html,而这个html里面会包含一个图片的路径,浏览器会依据路径再次访问服务器获得这个图片,所以我们需要再单独写一个请求(LoginController中的方法)向浏览器返回图片,当然登录页面的html会引用这个方法的路径。,能存到cookie就存到cookie,不能存到cookie的数据就存到关系型数据库里,数据库的数据存在硬盘里,存取比较慢,性能慢。...
Spring Boot之优化登录模块
hutianle的博客
08-25 147
使用 Redis 优化登录模块
Spring Boot项目学习06之用户登陆模块登录拦截器
pikcacho_pkq的博客
08-08 1505
首先,在数据库中查询这条用户记录,如果不存在这条记录则表示身份验证失败,登录流程终止;如果存在这条记录,则表示身份验证成功,接下来则需要进行登录状态的存储和验证了,用户登录成功后我们将用户信息放到 session 对象中,之后再实现一个拦截器,在访问项目时判断 session 中是否有用户信息,有则放行请求,没有就跳转到登录页面。在 BBSUserController.java类中新增跳转功能。该方法用于处理 /login 请求,是登录页面的跳转处理方法,请求方法为 GET,在发起请求后会分别跳转到 tem
Spring Boot:整合Spring Security
11-20 582
综合概述 Spring SecuritySpring 社区的一个顶级项目,也是 Spring Boot 官方推荐使用的安全框架。除了常规的认证(Authentication)和授权(Authorization)之外,Spring Security还提供了诸如ACLs,LDAP,JAAS,CAS等高级特性以满足复杂场景下的安全需求。另外,就目前而言,SpringSecurity和Shiro也是当前广大应用使用比较广泛的两个安全框架。 Spring Security 应用级别的安全主要包含两个主要部.
springboot3整合SpringSecurity实现登录校验与权限认证(万字超详细讲解)
2301_78646673的博客
12-11 1万+
用户提交登录请求Spring Security 将请求交给 UsernamePasswordAuthenticationFilter 过滤器处理。UsernamePasswordAuthenticationFilter 获取请求中的用户名和密码,并生成一个 AuthenticationToken 对象,将其交给 AuthenticationManager 进行认证。
SpringBootSecurity(一)网页版登录入门介绍
Alex
05-18 679
Web应用安全管理 Web应用的安全管理,主要包括两个方面的内容,一个是用户身份的认证,即用户登录的设计,二是用户授权,即一个用户在一个应用系统中能够执行哪些操作的权限管理。权限管理的设计一般使用角色来管理,即给一个用户赋予哪些角色,这个用户就具有哪些权限。 Spring框架体系中,经典的安全体系框架是Security。关于系统的安全管理及各种设计,Spring Security已经大体上都实现了,只需要一些配置和引用就能够正常使用。SpringBoot使用Security更加的简单,因为SpringB
如何在Spring Boot集成Spring Security
12-14
Spring Boot项目中集成Spring Security非常简单,只需要在项目中增加Spring Boot Security的依赖即可。下面是一个基础的Spring Boot Security登录验证的示例: 1.在pom.xml文件中添加Spring Boot Security依赖: ```xml <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> ``` 2.创建一个WebSecurityConfig类,用于配置Spring Security: ```java @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } } ``` 3.在上面的代码中,我们配置了一个基本的登录验证,只有经过身份验证的用户才能访问应用程序的其他部分。我们还定义了一个用户“user”,密码为“password”,并将其分配给“USER”角色。 4.在应用程序中,我们还需要一个登录页面。在templates文件夹中创建一个名为“login.html”的文件,添加以下内容: ```html <!DOCTYPE html> <html xmlns:th="http://www.thymeleaf.org"> <head> <meta charset="UTF-8" /> <title>Login</title> </head> <body> <h1>Login</h1> <form th:action="@{/login}" method="post"> <div><label>Username: <input type="text" name="username" /></label></div> <div><label>Password: <input type="password" name="password" /></label></div> <<div><input type="submit" value="Sign In" /></div> </form> </body> </html> ``` 5.最后,在应用程序的控制器中添加一个映射到登录页面的请求处理程序: ```java @Controller public class HomeController { @RequestMapping(value = {"/", "/home"}) public String home() { return "home"; } @RequestMapping(value = "/login") public String login() { return "login"; } } ``` 这样,我们就完成了一个基本的Spring Boot Security登录验证的配置。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

二进制诗人

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值