Implementing authentication and authorization with Spring Security + JWT
Spring Security official site: https://spring.io/projects/spring-security
JWT official site: https://jwt.io/
Introduction to Spring Security
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de facto standard for securing Spring-based applications.
Spring Security is a framework that focuses on providing authentication and authorization for Java applications. Like all Spring projects, the real strength of Spring Security lies in how easily it can be extended to meet custom requirements.
Features
- Comprehensive and extensible support for authentication and authorization
- Protection against attacks such as session fixation, clickjacking and cross-site request forgery
Core
Spring Security provides a chain of filters that is auto-configured when the project starts. The main filter sequence is:
Client request -> OncePerRequestFilter -> SecurityContextPersistenceFilter -> HeaderWriterFilter -> CsrfFilter -> LogoutFilter -> UsernamePasswordAuthenticationFilter -> RequestCacheAwareFilter -> SecurityContextHolderAwareRequestFilter -> AnonymousAuthenticationFilter -> ExceptionTranslationFilter -> FilterSecurityInterceptor
In short:
1. The client sends a request and the Spring Security filter chain intercepts it.
2. LogoutFilter checks whether the request targets the logout path. If it does, the request goes to the LogoutHandler; on success LogoutSuccessHandler handles the completed logout, on failure the request goes to ExceptionTranslationFilter. Otherwise the request proceeds to user login authentication.
3. UsernamePasswordAuthenticationFilter handles the login. If login fails, AuthenticationFailureHandler handles the failure; if it succeeds, AuthenticationSuccessHandler handles the successful login (only login requests enter this filter).
4. Finally FilterSecurityInterceptor takes the request URI and looks up the access rule that applies to it. If authorization succeeds the request reaches the Controller; otherwise AccessDeniedHandler handles the authorization failure.
Configuration code
Spring Security configuration class:
```java
package cn.xgb.com.xgb_business.config;

import cn.xgb.com.xgb_business.component.JwtAuthenticationTokenFilter;
import cn.xgb.com.xgb_business.component.RestAuthenticationEntryPoint;
import cn.xgb.com.xgb_business.component.RestfulAccessDeniedHandler;
import cn.xgb.com.xgb_business.sys.bo.AdminUserDetails;
import cn.xgb.com.xgb_business.sys.entity.SysPermission;
import cn.xgb.com.xgb_business.sys.entity.SysUserVo;
import cn.xgb.com.xgb_business.sys.mapper.SysUserMapper;
import cn.xgb.com.xgb_business.sys.service.ISysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

import java.util.List;

/**
 * ClassName: SecurityConfig
 * Description: Spring Security + JWT configuration
 * date: 2020/7/1 10:15
 *
 * @author xu
 * @since JDK 1.8
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ISysUserService sysUserService;
    @Autowired
    private SysUserMapper userMapper;
    @Autowired
    RestfulAccessDeniedHandler restfulAccessDeniedHandler;
    @Autowired
    RestAuthenticationEntryPoint restAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .sessionManagement() // token based, so no HTTP session is needed
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET,
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/swagger-resources/**",
                        "/v2/api-docs/**")
                .permitAll()
                .antMatchers("/admin/login", "/admin/register") // login and registration must allow anonymous access
                .permitAll()
                .antMatchers(HttpMethod.OPTIONS) // cross-origin requests send a preflight OPTIONS request first
                .permitAll()
                // A catch-all .antMatchers("/**").permitAll() here would make the rule below
                // unreachable and leave every endpoint open; all remaining paths require a valid login.
                .anyRequest()
                .authenticated();
        // disable caching
        http.headers().cacheControl();
        // add the JWT filter
        http.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        // add custom responses for "not authorized" and "not logged in"
        http.exceptionHandling().accessDeniedHandler(restfulAccessDeniedHandler)
                .authenticationEntryPoint(restAuthenticationEntryPoint);
    }

    /**
     * Description: configure the authentication/authorization user source and password hashing
     * @author: xu
     * @date: 2020/7/22 8:57
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // load the user's login information
        return username -> {
            SysUserVo admin = userMapper.selectByUserName(username);
            if (admin != null) {
                if (admin.getSupplyId() != null && admin.getSupplyId() == 1L) {
                    List<SysPermission> permissionList = sysUserService.listPerms();
                    return new AdminUserDetails(admin, permissionList);
                }
                List<SysPermission> permissions = sysUserService.listUserPerms(admin.getId());
                return new AdminUserDetails(admin, permissions);
            }
            throw new UsernameNotFoundException("用户或密码错误");
        };
    }

    @Bean
    public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter() {
        return new JwtAuthenticationTokenFilter();
    }

    /**
     * Description: filter that allows cross-origin calls
     * @author: xu
     * @date: 2020/7/24 10:57
     */
    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        // "*" together with allowCredentials(true) is rejected by Spring 5.3+ and ignored by
        // browsers for credentialed requests; list the real front-end origins in production.
        config.addAllowedOrigin("*");
        config.setAllowCredentials(true);
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        // return the registration bean itself so that setOrder(0) actually takes effect
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
}
```
Here configure(HttpSecurity http) is the core: it encapsulates the whole authentication and authorization process.
Configuring JWT (JSON Web Token)
Add the self-implemented JWT interceptor before the UsernamePasswordAuthenticationFilter:
http.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
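The JwtAuthenticationTokenFilter registered above is not shown in the original post; the following is an added example of what such a filter looks like, not the project's own code. It assumes jjwt 0.9.x (`io.jsonwebtoken`) and three configuration properties (`jwt.secret`, `jwt.tokenHeader`, `jwt.tokenHead`) whose names are my own choice. It extends OncePerRequestFilter, verifies the token's signature and expiry, and only then populates the SecurityContext so that FilterSecurityInterceptor can authorize the request; an invalid or missing token leaves the request unauthenticated and the AuthenticationEntryPoint answers with 401 on protected URLs.

```java
package cn.xgb.com.xgb_business.component;

import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Runs once per request, ahead of UsernamePasswordAuthenticationFilter.
 * Reads "Authorization: Bearer <jwt>", verifies it, and on success stores an
 * authenticated principal in the SecurityContext for FilterSecurityInterceptor.
 */
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

    // Assumed property names (not from the original post). jjwt 0.9.x treats the
    // secret String as a base64-encoded key; keep it long and random, never a word.
    @Value("${jwt.secret}")
    private String secret;
    @Value("${jwt.tokenHeader:Authorization}")
    private String tokenHeader;
    @Value("${jwt.tokenHead:Bearer }")
    private String tokenHead;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(tokenHeader);
        if (header != null && header.startsWith(tokenHead)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            Claims claims = parseAndVerify(header.substring(tokenHead.length()));
            if (claims != null) {
                try {
                    // Re-load the user so permissions reflect the current database state,
                    // not whatever was true when the token was issued.
                    UserDetails user = userDetailsService.loadUserByUsername(claims.getSubject());
                    UsernamePasswordAuthenticationToken auth =
                            new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                    auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                } catch (UsernameNotFoundException e) {
                    logger.warn("JWT subject no longer exists: " + claims.getSubject());
                }
            }
        }
        // No or invalid token: continue unauthenticated; protected URLs end in the entry point (401).
        chain.doFilter(request, response);
    }

    /** Verifies signature and expiry; parseClaimsJws also rejects unsigned ("alg":"none") tokens. */
    private Claims parseAndVerify(String token) {
        try {
            return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            logger.warn("Rejected JWT: " + e.getMessage());
            return null;
        }
    }

    /** Issues a token after a successful login (to be called from the login service). */
    public String generateToken(String username, long validitySeconds) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + validitySeconds * 1000))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }
}
```

Because the filter is declared as a @Bean, Spring Boot also registers it with the servlet container, so it would run a second time outside the security chain; the usual fix is a FilterRegistrationBean for it with setEnabled(false).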
JWT introduction
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to transmit information between parties securely as a JSON object. Because this information is digitally signed, it can be verified and trusted. A JWT can be signed with a secret (using the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.
JWT structure
The format of a JWT token is header.payload.signature
- header (algorithm and token type):
  {"alg": "HS512", "typ": "JWT"}
- payload (username, creation time, expiry time):
  {"sub": "wang", "created": 1482134234, "exp": 2323423234}
- signature, an HMAC over the first two segments using the algorithm named in the header (HS512 above means HMAC-SHA512; with HS256 it is):
  HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
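To make the three segments concrete, here is an added example (mine, not from the original post or any library) that builds and verifies an HS512 token with only the JDK: base64url-encode header and payload, sign the joined string with HMAC-SHA512, and on verification pin the expected algorithm, compare the signature in constant time, and check `exp` before trusting anything in the payload. The secret is a constructed demo value; the header and payload are the ones quoted above. The regex-based `exp` lookup stands in for a real JSON parser to keep the example dependency-free.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hand-built HS512 JWT: header.payload.signature, each segment base64url without padding. */
public class JwtStructureDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** signature = base64url(HMAC-SHA512(secret, base64url(header) + "." + base64url(payload))) */
    static String sign(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(secret, "HmacSHA512"));
        return B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    static String create(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String h = B64.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8));
        String p = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return h + "." + p + "." + sign(h + "." + p, secret);
    }

    /** Returns the payload JSON when the token is valid, otherwise throws SecurityException. */
    static String verify(String token, byte[] secret, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("token must have three segments");

        // Pin the algorithm the server expects instead of trusting the token's own "alg" claim.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.replaceAll("\\s", "").contains("\"alg\":\"HS512\"")) {
            throw new SecurityException("unexpected alg in header: " + header);
        }

        // Recompute the signature over the exact bytes received and compare in constant time.
        byte[] expected = sign(parts[0] + "." + parts[1], secret).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) throw new SecurityException("bad signature");

        // Only after the signature checks out may the payload be trusted.
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find() || Long.parseLong(m.group(1)) <= nowEpochSeconds) {
            throw new SecurityException("token has no exp or is expired");
        }
        return payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; HS512 keys should be at least 64 random bytes in practice.
        byte[] secret = "demo-secret-do-not-use-in-production-0123456789".getBytes(StandardCharsets.UTF_8);
        String token = create("{\"alg\":\"HS512\",\"typ\":\"JWT\"}",
                "{\"sub\":\"wang\",\"created\":1482134234,\"exp\":2323423234}", secret);
        System.out.println(token);
        System.out.println("verified payload: " + verify(token, secret, 1482134300L));

        // Changing a single payload byte invalidates the signature, which is the whole point of it.
        String[] parts = token.split("\\.");
        String edited = parts[0] + "." + B64.encodeToString(
                "{\"sub\":\"admin\",\"created\":1482134234,\"exp\":2323423234}".getBytes(StandardCharsets.UTF_8))
                + "." + parts[2];
        try {
            verify(edited, secret, 1482134300L);
        } catch (SecurityException e) {
            System.out.println("edited token rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac JwtStructureDemo.java && java JwtStructureDemo`; the first line printed is the three-segment token, the second the recovered payload, and the last shows that the modified payload is rejected with "bad signature".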
Debugging the result
Spring Security permission control
```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
}
```
- AuthenticationManagerBuilder implements authentication and authorization management
- UserDetails defines the user interface, which the developer implements themselves
With that, the configuration is complete.
Summary
The key to the Spring Security configuration is the configure(HttpSecurity http) method.
Extend the exception handling for authorization with accessDeniedHandler (not authorized) and authenticationEntryPoint (not logged in).
For token-based authentication, use JWT to extend UsernamePasswordAuthenticationFilter so that it authenticates the user and issues a token. Also, most of Spring Security's default handlers respond with a redirect, but our interfaces generally return JSON, so the handlers have to be rewritten.
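The two handlers wired into exceptionHandling() in the configuration above, RestfulAccessDeniedHandler and RestAuthenticationEntryPoint, are not shown in the original post. The following is an added example of the JSON-returning versions, my code rather than the project's: the entry point answers 401 when a protected URL is reached without a valid token, the access-denied handler answers 403 when an authenticated user lacks the required permission (for instance a failed @PreAuthorize check), and both go through a small shared helper. The package matches the imports in SecurityConfig; the `code`/`message` body shape is my own choice, and Jackson's ObjectMapper is assumed to be on the classpath as it is with spring-boot-starter-web.

```java
// ---- file: cn/xgb/com/xgb_business/component/JsonErrorWriter.java ----
package cn.xgb.com.xgb_business.component;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;

/** Shared helper: write {"code": <status>, "message": <text>} with the given status, uncached. */
public final class JsonErrorWriter {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private JsonErrorWriter() {}

    public static void write(HttpServletResponse response, HttpStatus status, String message)
            throws IOException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("code", status.value());
        body.put("message", message);
        response.setStatus(status.value());
        response.setCharacterEncoding("UTF-8");
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setHeader("Cache-Control", "no-cache");
        response.getWriter().write(MAPPER.writeValueAsString(body));
        response.getWriter().flush();
    }
}

// ---- file: cn/xgb/com/xgb_business/component/RestAuthenticationEntryPoint.java ----
package cn.xgb.com.xgb_business.component;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

/** 401 instead of a redirect to a login page: no usable authentication on a protected URL. */
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // Deliberately generic: do not tell the caller whether the token was missing, expired or forged.
        JsonErrorWriter.write(response, HttpStatus.UNAUTHORIZED, "not logged in or token expired");
    }
}

// ---- file: cn/xgb/com/xgb_business/component/RestfulAccessDeniedHandler.java ----
package cn.xgb.com.xgb_business.component;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

/** 403: the user is authenticated but the access rule or @PreAuthorize expression rejected the request. */
@Component
public class RestfulAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException {
        JsonErrorWriter.write(response, HttpStatus.FORBIDDEN, "no permission for this resource");
    }
}
```

ExceptionTranslationFilter decides which of the two runs: an AuthenticationException, or an AccessDeniedException raised for an anonymous user, goes to the entry point; an AccessDeniedException for an authenticated user goes to the access-denied handler.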