spring security 采用 filter + token方式验证
此项目中的token是redis中的key并不是jwt工具生成的token,但是道理一样
验证过程为登陆成功后后台会给前台返回一个uuid生成的token,前端带上token请求后台,在过滤器中拿到token并在redis中查找,redis中key为token,value为用户名,如果找到则token有效, SecurityContextHolder.getContext().setAuthentication(authentication)添加用户信息,如果没找到则验证失败放行即可。
下边程序中username = username.split("//.")[0]; 这段代码是为了支持小程序端的验证,小程序的key也为token,value为 openid + “.” + session_key
@Component
public class TokenAuthenticationFilter extends OncePerRequestFilter {
@Autowired
MonkeyUserDetailsService monkeyUserDetailsService;
@Autowired
RedisService redisService;
@Value("$(defualtparams.tokenParamName)")
private String tokenParamName;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// TODO Auto-generated method stub
String token = request.getHeader("token");
if(StringUtils.isEmpty(token)){
filterChain.doFilter(request, response);
return;
}
String username = redisService.getStringInSrt(token);
if(StringUtils.isEmpty(username)){
filterChain.doFilter(request, response);
return;
}
username = username.split("//.")[0];
MonkeyUserDetails monkeyUserDetails = monkeyUserDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(monkeyUserDetails,
null,monkeyUserDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
;
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(request, response);
}
}