controller:
@ApiOperation("通过openid进行微信登录")
@GetMapping("wxLogin/{openid}")
public Result wxLogin(@PathVariable(value = "openid",required = true) String openid)
{
String token = wxUserService.wxLogin(openid);
if(StringUtils.isEmpty(token))
{
return Result.fail().message("openid有误");
}
return Result.success().data("token",token);
}
service(这里的认证管理器authenticationManager需要进行懒加载@Lazy):
package com.guigusuqi.app.service.impl;
import com.guigusuqi.app.config.WxCodeAuthenticationToken;
import com.guigusuqi.app.entity.LoginWxUser;
import com.guigusuqi.app.entity.WxUser;
import com.guigusuqi.app.mapper.WxUserMapper;
import com.guigusuqi.app.service.WxUserService;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.guigusuqi.commonutils.utils.JWTUtils;
import com.guigusuqi.commonutils.utils.RedisCache;
import com.guigusuqi.commonutils.vo.Result;
import net.bytebuddy.asm.Advice;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Service;
import javax.annotation.Resource;
/**
* <p>
* 服务实现类
* </p>
*
* @author suqi
* @since 2022-04-06
*/
@Service
public class WxUserServiceImpl extends ServiceImpl<WxUserMapper, WxUser> implements WxUserService
{
@Resource
private WxUserMapper wxUserMapper;
@Lazy
@Resource
private AuthenticationManager authenticationManager;
@Resource
private RedisCache redisCache;
@Override
public WxUser getUserInfoByOpenId(String openid)
{
return wxUserMapper.getUserInfoByOpenId(openid);
}
@Override
public String wxLogin(String openid)
{
// 用户验证
Authentication authentication = null;
//通过openid进行一个授权,这里需要修改userDetailService为微信小程序认证的方式
try {
/**
* 1.通过WxCodeAuthenticationToken类将openid封装成WxCodeAuthenticationToken,principal=openid
* 2.WxCodeAuthenticationSecurityConfig设置WxUserDetailsServiceImpl和wxCodeAuthenticationProvider
*
* 4.WxCodeAuthenticationProvider.supports,如果传过来的authentication是WxCodeAuthenticationToken就启用该provider
* 5.WxUserDetailsServiceImpl通过openid从数据库中查询wxuser,返回封装的loginUser(=userDetail)
* 6.WxCodeAuthenticationProvider进行authenticate授权,直接将userDetailsService返回的userdetail返回
* 7.通过返回的loginWxUser获取openid,保存在jwt中
*/
authentication = authenticationManager.authenticate(new WxCodeAuthenticationToken(openid));
} catch (Exception e) {
throw new RuntimeException(e.getMessage());
}
//如果authenticationManager认证通过,拿到这个当前登录用户信息
LoginWxUser loginWxUser = (LoginWxUser) authentication.getPrincipal();
//通过loginWxUser获取openid,创建token
String token = JWTUtils.createToken(loginWxUser.getUser().getOpenid());
//保存在redis中
redisCache.setCacheObject("TOKEN_"+token,loginWxUser.getUser());
return token;
}
}
1.通过WxCodeAuthenticationToken类将openid封装成WxCodeAuthenticationToken
package com.guigusuqi.app.config;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
/**
* 将openid封装成authentication
*/
public class WxCodeAuthenticationToken extends AbstractAuthenticationToken
{
/**
* 在 UsernamePasswordAuthenticationToken 中该字段代表登录的用户名,
* 在这里就代表登录的微信openid
*/
private final Object principal;
/**
* 构建一个没有鉴权的 CodeAuthenticationToken
*/
public WxCodeAuthenticationToken(Object principal)
{
super(null);
this.principal = principal;
setAuthenticated(false);
}
/**
* 构建拥有鉴权的 SmsCodeAuthenticationToken,小程序中不需要
*/
public WxCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
// must use super, as we override
super.setAuthenticated(true);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException
{
if (isAuthenticated)
{
throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
2.WxCodeAuthenticationSecurityConfig设置wxCodeAuthenticationProvider,wxCodeAuthenticationProvider设置WxUserDetailsServiceImpl
package com.guigusuqi.app.config;
import com.guigusuqi.app.service.impl.WxUserDetailsServiceImpl;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.stereotype.Component;
import javax.annotation.Resource;
@Configuration
public class WxCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>
{
@Resource
private WxUserDetailsServiceImpl userDetailsService;
@Resource
private WxCodeAuthenticationProvider wxCodeAuthenticationProvider;
@Override
public void configure(HttpSecurity http) throws Exception
{
wxCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(wxCodeAuthenticationProvider);
}
}
3.SecurityConfig自动注入WxCodeAuthenticationSecurityConfig并应用wxCodeAuthenticationSecurityConfig
package com.guigusuqi.admin.config;
import com.guigusuqi.app.config.WxCodeAuthenticationProvider;
import com.guigusuqi.app.config.WxCodeAuthenticationSecurityConfig;
import com.guigusuqi.app.service.impl.WxUserDetailsServiceImpl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.annotation.Resource;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)//开启权限注解
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
@Resource
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
@Resource
private WxCodeAuthenticationSecurityConfig wxCodeAuthenticationSecurityConfig;
@Resource
private WxUserDetailsServiceImpl userDetailsService;
@Resource
private WxCodeAuthenticationProvider wxCodeAuthenticationProvider;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder();
}
/**
* anyRequest | 匹配所有请求路径
* access | SpringEl表达式结果为true时可以访问
* anonymous | 匿名可以访问
* denyAll | 用户不能访问
* fullyAuthenticated | 用户完全认证可以访问(非remember-me下自动登录)
* hasAnyAuthority | 如果有参数,参数表示权限,则其中任何一个权限可以访问
* hasAnyRole | 如果有参数,参数表示角色,则其中任何一个角色可以访问
* hasAuthority | 如果有参数,参数表示权限,则其权限可以访问
* hasIpAddress | 如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问
* hasRole | 如果有参数,参数表示角色,则其角色可以访问
* permitAll | 用户可以任意访问
* rememberMe | 允许通过remember-me登录的用户访问
* authenticated | 用户登录后可访问
*/
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.apply(wxCodeAuthenticationSecurityConfig);
http //关闭防止csrf攻击
.csrf().disable()
//不通过session获取SecurityContext
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.authorizeRequests()
//登录接口可以不用登录进行访问
// .antMatchers("/login").permitAll()
// .antMatchers("/druid/**").permitAll()
// .antMatchers("/doc.html","/webjars/**","/img.icons/**","/swagger-resources/**","/v2/api-docs").permitAll() //允许所有人访问knife4j
// //authenticated()要求在执行该请求时,必须已经登录了应用。
// //如果用户没有认证的话,Spring Security的Filter将会捕获该请求,并将用户重定向到应用的登录页面。
// .antMatchers("/info").authenticated()
// .antMatchers("/act/**").authenticated()
// .antMatchers("/wxLogin").anonymous()
// .antMatchers("/wxcallback").anonymous()
// .antMatchers("/getUserInfo/**").anonymous()
// .antMatchers("/doc.html","/webjars/**","/img.icons/**","/swagger-resources/**","/v2/api-docs").permitAll() //允许所有人访问knife4j
//其他接口需要LoginServiceImpl的login方法的authenticate进行认证
.anyRequest().permitAll();
// //类似于使用了aop思想的拦截器
// http //把token校验过滤器添加到过滤器链中
// .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
http.cors();
}
}
4. WxCodeAuthenticationProvider.supports,如果传过来的authentication是WxCodeAuthenticationToken就启用该provider,
通过自定义provider进行认证
WxCodeAuthenticationProvider进行authenticate授权,直接将userDetailsService返回的userdetail返回
package com.guigusuqi.app.config;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
@Component
public class WxCodeAuthenticationProvider implements AuthenticationProvider
{
private UserDetailsService userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
//将前端传递的authentication转换为WxCodeAuthenticationToken
WxCodeAuthenticationToken wxCodeAuthenticationToken = (WxCodeAuthenticationToken) authentication;
//通过authentication获取openid
String openid = (String) wxCodeAuthenticationToken.getPrincipal();
//获取数据库的信息,如果openid获得的用户为空,WxUserDetailsServiceImpl直接报错
UserDetails userDetails = userDetailsService.loadUserByUsername(openid);
// 走到这里鉴权成功,应当重新 new 一个拥有鉴权的 authenticationResult 返回
WxCodeAuthenticationToken authenticationResult = new WxCodeAuthenticationToken(userDetails,userDetails.getAuthorities());
return authenticationResult;
}
@Override
public boolean supports(Class<?> authentication)
{
// 判断 authentication 是不是 WxCodeAuthenticationToken 的子类或子接口,是的话就使用该provider
return WxCodeAuthenticationToken.class.isAssignableFrom(authentication);
}
public UserDetailsService getUserDetailsService() {
return userDetailsService;
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}
5.WxUserDetailsServiceImpl通过openid从数据库中查询wxuser,返回封装的loginUser(=userDetail)
package com.guigusuqi.app.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.guigusuqi.app.entity.LoginWxUser;
import com.guigusuqi.app.entity.WxUser;
import com.guigusuqi.app.service.WxUserService;
import org.springframework.context.annotation.Primary;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import javax.annotation.Resource;
import java.util.List;
import java.util.Objects;
@Service
@Primary
public class WxUserDetailsServiceImpl implements UserDetailsService
{
@Resource
private WxUserService wxUserService;
@Override
public UserDetails loadUserByUsername(String openid) throws UsernameNotFoundException
{
WxUser user = wxUserService.getUserInfoByOpenId(openid);
if(Objects.isNull(user))
{
throw new RuntimeException("该用户不存在");
}
//通过用户id查询权限集合
//List<String> permsList = sysMenuMapper.selectPermsByUserId(user.getUserId());
return new LoginWxUser(user);//认证成功之后,把用户信息封装在LoginUser中
}
}
7.通过返回的loginWxUser获取openid,保存在jwt中
//通过loginWxUser获取openid,创建token
String token = JWTUtils.createToken(loginWxUser.getUser().getOpenid());
//保存在redis中
redisCache.setCacheObject("TOKEN_"+token,loginWxUser.getUser());
8.securityConfig设置拦截器wxAuthenticationTokenFilter
package com.guigusuqi.admin.config;
import com.guigusuqi.app.config.WxAuthenticationTokenFilter;
import com.guigusuqi.app.config.WxCodeAuthenticationProvider;
import com.guigusuqi.app.config.WxCodeAuthenticationSecurityConfig;
import com.guigusuqi.app.service.impl.WxUserDetailsServiceImpl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.annotation.Resource;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)//开启权限注解
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
// @Resource
// private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
@Resource
private WxAuthenticationTokenFilter wxAuthenticationTokenFilter;
@Resource
private WxCodeAuthenticationSecurityConfig wxCodeAuthenticationSecurityConfig;
@Resource
private WxUserDetailsServiceImpl userDetailsService;
@Resource
private WxCodeAuthenticationProvider wxCodeAuthenticationProvider;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder();
}
/**
* anyRequest | 匹配所有请求路径
* access | SpringEl表达式结果为true时可以访问
* anonymous | 匿名可以访问
* denyAll | 用户不能访问
* fullyAuthenticated | 用户完全认证可以访问(非remember-me下自动登录)
* hasAnyAuthority | 如果有参数,参数表示权限,则其中任何一个权限可以访问
* hasAnyRole | 如果有参数,参数表示角色,则其中任何一个角色可以访问
* hasAuthority | 如果有参数,参数表示权限,则其权限可以访问
* hasIpAddress | 如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问
* hasRole | 如果有参数,参数表示角色,则其角色可以访问
* permitAll | 用户可以任意访问
* rememberMe | 允许通过remember-me登录的用户访问
* authenticated | 用户登录后可访问
*/
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.apply(wxCodeAuthenticationSecurityConfig);
http //关闭防止csrf攻击
.csrf().disable()
//不通过session获取SecurityContext
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.authorizeRequests()
//登录接口可以不用登录进行访问
// .antMatchers("/login").permitAll()
// .antMatchers("/druid/**").permitAll()
// .antMatchers("/doc.html","/webjars/**","/img.icons/**","/swagger-resources/**","/v2/api-docs").permitAll() //允许所有人访问knife4j
// //authenticated()要求在执行该请求时,必须已经登录了应用。
// //如果用户没有认证的话,Spring Security的Filter将会捕获该请求,并将用户重定向到应用的登录页面。
// .antMatchers("/info").authenticated()
// .antMatchers("/act/**").authenticated()
.antMatchers("/wxLogin/**").anonymous()
// .antMatchers("/wxcallback").anonymous()
// .antMatchers("/getUserInfo/**").anonymous()
.antMatchers("/doc.html","/webjars/**","/img.icons/**","/swagger-resources/**","/v2/api-docs").permitAll() //允许所有人访问knife4j
//其他接口需要OncePerRequestFilter子类设置把authenticationToken设置到SecurityContextHolder中才能通过认证
//(1.登录,2.拦截器填充authenticationToken到securityContextHolder中)
//SecurityContextHolder.getContext().setAuthentication(authenticationToken);
.anyRequest().authenticated();
// //类似于使用了aop思想的拦截器
http //把token校验过滤器添加到过滤器链中
.addFilterBefore(wxAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
http.cors();
}
}
package com.guigusuqi.app.config;
import com.alibaba.fastjson.JSON;
import com.guigusuqi.app.entity.LoginWxUser;
import com.guigusuqi.app.service.WxUserService;
import com.guigusuqi.commonutils.code.ErrorCode;
import com.guigusuqi.commonutils.vo.Result;
import org.apache.commons.lang3.StringUtils;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Objects;
/**
* 自定义一个过滤器,这个过滤器会去获取请求头中的token,对token进行解析取出其中的userId。
* 使用userId去redis中获取对应的LoginUser对象。然后封装Authentication对象存入SecurityContextHolder
*
* 作用:只是为了校验token,如果token不存在是通过SecurityConfig.configure进行拦截的
*/
@Component
public class WxAuthenticationTokenFilter extends OncePerRequestFilter
{
@Resource
@Lazy
private WxUserService wxUserService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException
{
//获取token
String token = request.getHeader("Authorization");
if(StringUtils.isEmpty(token))
{
filterChain.doFilter(request,response);
return;
}
LoginWxUser loginWxUser = wxUserService.checkAndParseToken(token);
if(Objects.isNull(loginWxUser))
{
Result result = Result.fail().code(ErrorCode.NO_LOGIN.getCode()).message(ErrorCode.NO_LOGIN.getMsg());
response.setContentType("application/json;charset=utf-8");
response.getWriter().print(JSON.toJSONString(result));
return;
}
//封装Authentication对象存入SecurityContextHolder
//TODO 获取权限信息封装到Authentication中
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginWxUser, null, loginWxUser.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
//放行
filterChain.doFilter(request,response);
}
}