Jwt,Spring Security,Spring Cloud OAuth2,Spring Cloud Security

最新推荐文章于 2022-06-14 21:51:08 发布
最新推荐文章于 2022-06-14 21:51:08 发布
阅读量191 收藏 1
点赞数
分类专栏: springcloud spring security jwt
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zhaomengxia123/article/details/101205493
版权

首先pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>1.5.3.RELEASE</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.springsecurityjwt</groupId>
	<artifactId>springsecurityjwt</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>springsecurityjwt</name>
	<description>Demo project for Spring Boot</description>

	<properties>
		<java.version>1.8</java.version>
		<!--<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>-->
		<!--<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>-->
        <security-jwt.version>1.0.9.RELEASE</security-jwt.version>
		<hutool.version>4.5.0</hutool.version>
        <jjwt.version>0.9.0</jjwt.version>
    </properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-jpa</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-redis</artifactId>
		</dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-jwt</artifactId>
            <version>${security-jwt.version}</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>${jjwt.version}</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-swagger2</artifactId>
			<version>2.7.0</version>
		</dependency>
		<dependency>
			<groupId>io.springfox</groupId>
			<artifactId>springfox-swagger-ui</artifactId>
			<version>2.7.0</version>
		</dependency>
		<!-- 超级工具类 hutool -->
		<dependency>
			<groupId>cn.hutool</groupId>
			<artifactId>hutool-all</artifactId>
			<version>${hutool.version}</version>
		</dependency>
	</dependencies>

	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.springframework.cloud</groupId>
				<artifactId>spring-cloud-dependencies</artifactId>
				<version>Dalston.RC1</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>
	<repositories>
		<repository>
			<id>spring-milestones</id>
			<name>Spring Milestones</name>
			<url>https://repo.spring.io/milestone</url>
			<snapshots>
				<enabled>false</enabled>
			</snapshots>
		</repository>
	</repositories>


</project>

测试数据

/*
Navicat MySQL Data Transfer

Source Server         : 本机mysql
Source Server Version : 50713
Source Host           : localhost:3306
Source Database       : zmx

Target Server Type    : MYSQL
Target Server Version : 50713
File Encoding         : 65001

Date: 2019-09-23 15:14:09
*/

SET FOREIGN_KEY_CHECKS=0;

-- ----------------------------
-- Table structure for menu
-- ----------------------------
DROP TABLE IF EXISTS `menu`;
CREATE TABLE `menu` (
  `menu_id` bigint(20) NOT NULL,
  `permission` varchar(255) DEFAULT NULL,
  `url` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`menu_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- ----------------------------
-- Records of menu
-- ----------------------------
INSERT INTO `menu` VALUES ('4', '所有权限', '/test');

-- ----------------------------
-- Table structure for role
-- ----------------------------
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (
  `role_id` bigint(20) NOT NULL,
  `role_name` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- ----------------------------
-- Records of role
-- ----------------------------
INSERT INTO `role` VALUES ('2', '管理员');

-- ----------------------------
-- Table structure for role_menu
-- ----------------------------
DROP TABLE IF EXISTS `role_menu`;
CREATE TABLE `role_menu` (
  `role_menu_id` bigint(20) NOT NULL,
  `menu_id` bigint(20) NOT NULL,
  `role_id` bigint(20) NOT NULL,
  PRIMARY KEY (`role_menu_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- ----------------------------
-- Records of role_menu
-- ----------------------------
INSERT INTO `role_menu` VALUES ('5', '4', '2');
INSERT INTO `role_menu` VALUES ('6', '4', '2');

-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `user_id` bigint(20) NOT NULL AUTO_INCREMENT,
  `avatar` varchar(255) DEFAULT NULL,
  `email` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  `phone` varchar(255) DEFAULT NULL,
  `realname` varchar(255) DEFAULT NULL,
  `sex` varchar(255) DEFAULT NULL,
  `username` varchar(255) DEFAULT NULL,
  `authorities` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;

-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO `user` VALUES ('1', null, null, '123456', null, null, null, 'admin', null);
INSERT INTO `user` VALUES ('2', null, null, '$2a$10$wk3UUqG2IvU67w9Lj/EUOO7lEOB9AMqcXMZO.Lqz2K3NA4WXppNSe', null, null, null, 'user', null);
INSERT INTO `user` VALUES ('3', null, null, '$2a$10$LhBOkwQe9EqqDWezMxm62eyrfUL.9SZnpmBXPDW3zEYaQH1Hwsr8G', null, null, null, 'zhao', null);

-- ----------------------------
-- Table structure for user_role
-- ----------------------------
DROP TABLE IF EXISTS `user_role`;
CREATE TABLE `user_role` (
  `user_role_id` bigint(20) NOT NULL,
  `role_id` bigint(20) NOT NULL,
  `user_id` bigint(20) NOT NULL,
  PRIMARY KEY (`user_role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- ----------------------------
-- Records of user_role
-- ----------------------------
INSERT INTO `user_role` VALUES ('3', '2', '1');

 

第一种

一、增加JWT认证功能

用户在调用登录接口,输入用户名和密码之后,如果通过便认证通过。传统的方法是在认证通过之后,创建session并返回客户端cookie。这里采用JWT来处理用户密码的认证。区别在于,认证通过之后服务器生成的是token,将token返回给客户端,客户端以后的所有请求都需要在http头中指定该token。服务器接收请求后,会对token的合法性进行验证。

验证的内容包括:1.内容是一个正确的JWT格式2.检查签名3.检查权限4.处理登录

这一步需要创建一个JWTLoginFilter该类继承UsernamePasswordAuthenticationFilter,核心功能是在验证用户名密码正确之后,生成一个token,并将token返回给客户端

JWTLoginFilter.java

package com.springsecurityjwt.springsecurityjwt.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.springsecurityjwt.springsecurityjwt.constant.ConstantKey;
import com.springsecurityjwt.springsecurityjwt.exception.ExceptionEnum;
import com.springsecurityjwt.springsecurityjwt.exception.UnifiedException;
import com.springsecurityjwt.springsecurityjwt.model.User;
import com.springsecurityjwt.springsecurityjwt.model.UserPrincipal;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;

/**
 * 验证用户名密码正确之后,生成一个token,并将token返回给客户端,该方法继承自UsernamePasswordAuthenticationFilter。
 * 重写其中的两个方法attemptAuthentication :接收并解析用户凭证。
 * successfulAuthentication :用户成功登录后,这个方法会被调用,我们在这个方法里生成token。
 *
 * @Author zhaomengxia
 * @create 2019/9/20 14:38
 */
public class JWTLoginFilter extends UsernamePasswordAuthenticationFilter {

    private AuthenticationManager authenticationManager;
    private static final String JWT_SECRET = ConstantKey.SIGNING_KEY;// JWT密匙
    /**
     * 由字符串生成加密key
     *
     * @return
     */
    public static SecretKey generalKey() {
        String stringKey = JWT_SECRET;
        byte[] encodedKey = Base64.decodeBase64(stringKey);
        SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
        return key;
    }
    public JWTLoginFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }


    //接收并解析用户凭证
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        try {
            User user = new ObjectMapper().readValue(request.getInputStream(), User.class);

            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            user.getUsername(),
                            user.getPassword(),
                            new ArrayList<>())
            );
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain,
                                            Authentication authResult) throws IOException, ServletException {

        String token = null;
        try {
            Collection<? extends GrantedAuthority> authorities = authResult.getAuthorities();

            List roleList = new ArrayList();

            for (GrantedAuthority grantedAuthority :
                    authorities) {
                roleList.add(grantedAuthority.getAuthority());
            }
            Calendar calendar = Calendar.getInstance();
            Date now = calendar.getTime();
            //设置签发时间  当前时间
            calendar.setTime(new Date());

            calendar.add(Calendar.HOUR, 10);//设置10个小时
            Date time = calendar.getTime();
            SecretKey secretKey = generalKey();
            token = Jwts.builder().setSubject(authResult.getName() + "-" + roleList)
                    .setIssuedAt(now)//签发时间
                    .setExpiration(time)//token有效时长
                    .signWith(SignatureAlgorithm.HS256,secretKey)
                    .compact();
            response.addHeader("Authorization", "Bearer " + token);
            System.out.println("Bearer " + token);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

二、授权验证

拿到token之后,请求接口会携带这个token,服务端要验证这个token的合法性。创建一个类JwtAuthenticationFilter并继承BasicAuthenticationFilter。在doFilterInternal方法中,从http头的Authorization项读取token数据,然后使用Jwts包提供的方法校验token的合法性。如果校验通过,就说明这是一个取得授权的合法请求。

JwtAuthenticationFilter.java

package com.springsecurityjwt.springsecurityjwt.filter;

import com.springsecurityjwt.springsecurityjwt.constant.ConstantKey;
import com.springsecurityjwt.springsecurityjwt.exception.TokenException;
import com.springsecurityjwt.springsecurityjwt.service.impl.GrantedAuthorityImpl;
import io.jsonwebtoken.*;
import org.apache.tomcat.util.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;


/**
 * @Author zhaomengxia  这个模块中登录有两种一种是使用spring specurity框架提供的默认登录url localhost:18081/login
 * 使用JwtAuthenticationTwoFilter这一个,注意WebSecurityConfig类里将 .addFilter(new JWTLoginFilter(authenticationManager()))
 *             和 .addFilter(new JwtAuthenticationTwoFilter(authenticationManager()))两个的注释放开,将 http.addFilterBefore(jwtAuthenticationTwoFilter(),UsernamePasswordAuthenticationFilter.class);注释
 *另一种是采用自己写的登录接口 url为http://localhost:18081/user/login 是将WebSecurityConfig中的http.addFilterBefore(jwtAuthenticationTwoFilter(),UsernamePasswordAuthenticationFilter.class);注释放开,将另外两个注释,本项目中是采用这一种方法
 * @create 2019/9/20 15:10
 */
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
    // 指定签名的时候使用的签名算法,也就是header那部分,jjwt已经将这部分内容封装好了。

    private static final String JWT_SECRET = ConstantKey.SIGNING_KEY;// JWT密匙

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer")) {
            chain.doFilter(request, response);
            return;
        }

        UsernamePasswordAuthenticationToken authenticationToken=  getAuthention(request);
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        chain.doFilter(request, response);
    }


    private UsernamePasswordAuthenticationToken getAuthention(HttpServletRequest servletRequest){

        long start=System.currentTimeMillis();
        String token=servletRequest.getHeader("Authorization");
        if (token==null||token.isEmpty()){
            throw new TokenException("Token 不能为空!");
        }
        String stringKey = JWT_SECRET;
        String user=null;
        try {
        user= Jwts.parser()
                .setSigningKey(Base64.decodeBase64(stringKey))
                .parseClaimsJws(token.replace("Bearer ", ""))
                .getBody()
                .getSubject();
        long end=System.currentTimeMillis();
        logger.info("执行时间:{}",end-start+"ms");

        if (user!=null){
            String[] split=user.split("-")[1].split(",");
            ArrayList<GrantedAuthority> authorities=new ArrayList<>();
            for (int i=0;i<split.length;i++){
                authorities.add(new GrantedAuthorityImpl(split[i]));
            }
            return new UsernamePasswordAuthenticationToken(user,null,authorities);
        }
        } catch (ExpiredJwtException e) {
            logger.error("Token已过期: {} " + e);
            throw new TokenException("Token已过期");
        } catch (UnsupportedJwtException e) {
            logger.error("Token格式错误: {} " + e);
            throw new TokenException("Token格式错误");
        } catch (MalformedJwtException e) {
            logger.error("Token没有被正确构造: {} " + e);
            throw new TokenException("Token没有被正确构造");
        } catch (SignatureException e) {
            logger.error("签名失败: {} " + e);
            throw new TokenException("签名失败");
        } catch (IllegalArgumentException e) {
            logger.error("非法参数异常: {} " + e);
            throw new TokenException("非法参数异常");
        }

        return null;

    }
}

三、Spring Security

通过配置Spring Security将上面的方法组合在一起。

WebSecurityConfig.java
package com.springsecurityjwt.springsecurityjwt.config;

import com.springsecurityjwt.springsecurityjwt.filter.JWTLoginFilter;
import com.springsecurityjwt.springsecurityjwt.filter.JwtAuthenticationFilter;
import com.springsecurityjwt.springsecurityjwt.filter.JwtAuthenticationTwoFilter;
import com.springsecurityjwt.springsecurityjwt.handler.Http401AuthenticationEntryPoint;
import com.springsecurityjwt.springsecurityjwt.service.impl.CustomAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * @Author zhaomengxia
 * @create 2019/9/16 14:00
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{


    @Bean
    public JwtAuthenticationTwoFilter jwtAuthenticationTwoFilter(){
        return new JwtAuthenticationTwoFilter();
    }

    private static final String[] AUTH_WHITELIST = {
            // -- register url
            "/user/signup",
            "/user/addTask",
            // -- swagger ui
            "/v2/api-docs",
            "/swagger-resources",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "/user/login",
            "/login",
            "/webjars/**"
            // other public endpoints of your API may be appended to this array
    };

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        LogoutConfigurer<HttpSecurity> httpSecurityLogoutConfigurer=http.cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new Http401AuthenticationEntryPoint("Basic realm=\"MyApp\""))
                .and()
                .addFilter(new JWTLoginFilter(authenticationManager()))
                .addFilter(new JwtAuthenticationFilter(authenticationManager()))
                .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login")
                .permitAll();

        //http.addFilterBefore(jwtAuthenticationTwoFilter(),UsernamePasswordAuthenticationFilter.class);
    }


    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(new CustomAuthenticationProvider(userDetailsService,bCryptPasswordEncoder));
    }
}

第一种
1.启动SpringsecurityjwtApplication.java类

2.在postman测试,注册一个用户
url:localhost:18081/user/signup
post
header: key--Content-Type ,values--application/json
body:{
       "username":"user",
       "password":"123456"
     }
3. 在postman登录
url: localhost:18081/login    //spring specurity框架提供的默认登录url
post
header: key--Content-Type ,values--application/json
body:{
    "username":"user",
    "password":"123456"
}

token值是 postman返回结果的header里的key--Authorization对应values
  
4. 浏览器访问 http://localhost:18081/swagger-ui.html#
   根据拿到的Authorization对应values
   放到swagger查询用户信息接口http://localhost:18081/user/findByUserName,Authorization,放token
   接着userName对应输入admin
   点击Try it out即可,根据返回结果 可以测试得出拿到的token可用不可用

用postman测试 localhost:18081/login    //spring specurity框架提供的默认登录url

结果

第二种

一、添加类

JwtTokenProvider.java  用户名密码验证通过之后,返回token的
package com.springsecurityjwt.springsecurityjwt.filter;

import com.springsecurityjwt.springsecurityjwt.constant.ConstantKey;
import io.jsonwebtoken.*;
import org.apache.tomcat.util.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;

/**
 * @Author zhaomengxia
 * @create 2019/9/23 13:30
 */
@Component
public class JwtTokenProvider {
    private static final String JWT_SECRET = ConstantKey.SIGNING_KEY;// JWT密匙
    private static final Logger logger = LoggerFactory.getLogger(JwtTokenProvider.class);
    /**
     * 由字符串生成加密key
     *
     * @return
     */
    public static SecretKey generalKey() {
        String stringKey = JWT_SECRET;
        byte[] encodedKey = Base64.decodeBase64(stringKey);
        SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
        return key;
    }
    public String successfulAuthentication(HttpServletResponse response,
                                            Authentication authResult) throws IOException, ServletException {

        String token = null;
        String authentication=null;
        try {
            Collection<? extends GrantedAuthority> authorities = authResult.getAuthorities();

            List roleList = new ArrayList();

            for (GrantedAuthority grantedAuthority :
                    authorities) {
                roleList.add(grantedAuthority.getAuthority());
            }
            Calendar calendar = Calendar.getInstance();
            Date now = calendar.getTime();
            //设置签发时间  当前时间
            calendar.setTime(new Date());

            calendar.add(Calendar.HOUR, 10);//设置10个小时
            Date time = calendar.getTime();
            SecretKey secretKey = generalKey();
            token = Jwts.builder().setSubject(authResult.getName() + "-" + roleList)
                    .setIssuedAt(now)//签发时间
                    .setExpiration(time)//token有效时长
                    .signWith(SignatureAlgorithm.HS256,secretKey)
                    .compact();
            authentication="Bearer " + token;
            response.addHeader("Authorization", authentication);
            System.out.println(authentication);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return authentication;
    }
    public String getUserIdFromJWT(String token) {
        Claims claims = Jwts.parser()
                .setSigningKey(JWT_SECRET)
                .parseClaimsJws(token)
                .getBody();

        String[] s=claims.getSubject().split("-");

        return s[0];
    }

    public boolean validateToken(String authToken) {
        try {
            Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(authToken);
            return true;
        } catch (SignatureException ex) {
            logger.error("Invalid JWT signature");
        } catch (MalformedJwtException ex) {
            logger.error("Invalid JWT token");
        } catch (ExpiredJwtException ex) {
            logger.error("Expired JWT token");
        } catch (UnsupportedJwtException ex) {
            logger.error("Unsupported JWT token");
        } catch (IllegalArgumentException ex) {
            logger.error("JWT claims string is empty.");
        }
        return false;
    }
}

二、拿到token之后,每次请求验证token的

JwtAuthenticationTwoFilter.java
package com.springsecurityjwt.springsecurityjwt.filter;

import com.springsecurityjwt.springsecurityjwt.service.impl.UserDetailsServiceImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @Author zhaomengxia
 * @create 2019/9/23 13:48
 */
public class JwtAuthenticationTwoFilter extends OncePerRequestFilter {
    @Autowired
    private JwtTokenProvider tokenProvider;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationTwoFilter.class);

    public JwtAuthenticationTwoFilter() {
    }


    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        try {
            String jwt = getJwtFromRequest(request);

            if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
                String userName = tokenProvider.getUserIdFromJWT(jwt);

                /*
                    Note that you could also encode the user's username and roles inside JWT claims
                    and create the UserDetails object by parsing those claims from the JWT.
                    That would avoid the following database hit. It's completely up to you.
                 */
                UserDetails userDetails = userDetailsService.loadUserByUserName(userName);
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        } catch (Exception ex) {
            logger.error("Could not set user authentication in security context", ex);
        }

        filterChain.doFilter(request, response);
    }

    private String getJwtFromRequest(HttpServletRequest request) {
        String bearerToken = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
            return bearerToken.substring(7, bearerToken.length());
        }
        return null;
    }
}

三、Spring Security的配置

WebSecurityConfig.java
package com.springsecurityjwt.springsecurityjwt.config;

import com.springsecurityjwt.springsecurityjwt.filter.JWTLoginFilter;
import com.springsecurityjwt.springsecurityjwt.filter.JwtAuthenticationFilter;
import com.springsecurityjwt.springsecurityjwt.filter.JwtAuthenticationTwoFilter;
import com.springsecurityjwt.springsecurityjwt.handler.Http401AuthenticationEntryPoint;
import com.springsecurityjwt.springsecurityjwt.service.impl.CustomAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * @Author zhaomengxia
 * @create 2019/9/16 14:00
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{


    @Bean
    public JwtAuthenticationTwoFilter jwtAuthenticationTwoFilter(){
        return new JwtAuthenticationTwoFilter();
    }

    private static final String[] AUTH_WHITELIST = {
            // -- register url
            "/user/signup",
            "/user/addTask",
            // -- swagger ui
            "/v2/api-docs",
            "/swagger-resources",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "/user/login",
            "/login",
            "/webjars/**"
            // other public endpoints of your API may be appended to this array
    };

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        LogoutConfigurer<HttpSecurity> httpSecurityLogoutConfigurer=http.cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                   .authenticationEntryPoint(new Http401AuthenticationEntryPoint("Basic realm=\"MyApp\""))
                .and()
//                .addFilter(new JWTLoginFilter(authenticationManager()))
//                .addFilter(new JwtAuthenticationFilter(authenticationManager()))
                .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login")
                .permitAll();

        http.addFilterBefore(jwtAuthenticationTwoFilter(),UsernamePasswordAuthenticationFilter.class);
    }


    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(new CustomAuthenticationProvider(userDetailsService,bCryptPasswordEncoder));
    }
}

1.添加JwtTokenProvider.java和JwtAuthenticationTwoFilter.java并继承OncePerRequestFilter类
2.启动SpringsecurityjwtApplication.java类
3.浏览器访问http://localhost:18081/swagger-ui.html#
4.在swagger  注册一个用户信息
5.在swagger 调用http://localhost:18081/user/login这个接口登录,Authorization随便填,用户名密码输入正确即可登陆成功,在Response Body下面即可获得token(accessToken对应的值)

6.在swagger 将5拿到的token用来测试接口http://localhost:18081/user/findByUserName,Authorization放token, 接着userName对应输入刚第4步注册的用户名,即可测试token可用不可用

第5步登录

第6步测试

源代码及数据

https://github.com/zhaomengxia/springboot_mybatis.git 

项目中该模块的位置

 

zmx8023zmj
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
spring boot java jwt,Spring Boot+Spring Security+Jwt
weixin_32645173的博客
03-11 106
一: RestApi接口增加JWT认证功能用户填入用户名密码后,与数据库里存储的用户信息进行比对,如果通过,则认证成功。传统的方法是在认证通过后,创建sesstion,并给客户端返回cookie。现在我们采用JWT来处理用户名密码的认证。区别在于,认证通过后,服务器生成一个token,将token返回给客户端,客户端以后的所有请求都需要在http头中指定该token。服务器接收的请求后,会对tok...
Spring Security默认登录页面
ttaannkkee的博客
06-29 7196
使用Spring Security作为权限管理模块的小伙伴们一定醉心于其极少的配置即可满足权限管理需求,以及比springMVC更简洁的filter配置。 在刚开始技术验证的demo阶段相信很多人试过在什么都不配置的时候,只写个接口然后访问是会自动跳转到默认的登录页面"/login"。 按常理,一般人会好奇,这个登录页面在哪儿?应该是个模板引擎提供的模板,并且应该有个ModeAndView绑定的页面。 但实际上并不是。这个默认登录页面其实极其暴力简单。是一个默认filter里面直接写入response
Security+jwt 实现无状态认证,前后端分离(附带网页案例及完整源码)
dingdingdandan
06-14 2334
本章主要实现Spring Security自定义用户认证功能,jwt 实现token无状态认证。 - 使用JWT来传输数据,实际上传输的是一个字符串,这个字符串就是所谓的json web token字符串。 - jwt认证和传统的session和cookie模式相比,由于token认证实现了无状态,不再依赖session和cookie,所以无需要考虑伪造cookie等跨域攻击。............
security jwt
zhangCheng的博客
12-31 471
一、JWT原理 jwt实际上就是一个编码和加密后的字符串,分为三部分: 1、header 声明类型和加密算法 { "typ": "JWT", "alg": "HS256" } 2、playload(主体信息) 按信息类型分为: <1>、标准中注册的声明(Registered claims): jwt提供的固定的声明信息,比如 iss: jwt 签发者 sub: jwt 所面向的用户 aud: 接收 jwt 的一方 exp: jwt 的过期时间,这个过期时
Non-resolvable import POM: Failure to find org.springframework.cloud:spring-cloud-dependencies:pom:
Orcas
12-04 1万+
错误: Non-resolvable import POM: Failure to find org.springframework.cloud:spring-cloud-dependencies:pom:Greenwich.M1 in http://maven.aliyun.com/nexus/content/groups/public was cached in the local repos...
SpringCloud+SpringBoot+OAuth2+Spring Security+Redis实现的微服务统一认证授权.doc
04-01
SpringCloud+SpringBoot+OAuth2+Spring Security+Redis实现的微服务统一认证授权
springcloud整合oauth2和jwt
04-09
Spring Cloud中,我们可以使用Spring Security OAuth2模块来实现OAuth2的授权服务器和资源服务器。 1. **OAuth2流程**: - 授权请求:客户端(如浏览器或移动应用)引导用户到授权服务器进行登录。 - 用户授权...
Spring Cloud 集成OAuth2实现身份认证和单点登录
07-20
Spring Cloud中,使用`ResourceServerConfigurerAdapter`进行配置,通常需要配置访问令牌的解析方式,如JWT(JSON Web Tokens)或者OAuth2的Resource Server端点。 单点登录(SSO)允许用户在一个系统登录后,...
Springboot整合Spring security+Oauth2+JWT搭建认证服务器,网关,微服务之间权限认证及授权
03-24
Springboot整合Spring security+Oauth2+JWT搭建认证服务器,网关,微服务之间权限认证及授权。 OAuth2是一个关于授权的开放标准,核心思路是通过各类认证手段(具体什么手段OAuth2不关心)认证用户身份,并颁发...
Spring Cloud OAuth2案例
01-19
Spring Cloud OAuth2 是一个基于 Spring Boot 和 Spring Security 的授权服务器实现,它为微服务架构提供了安全的认证和授权服务。这个案例将深入讲解如何在实际项目中应用 OAuth2,以确保用户数据的安全,并允许第...
使用winsw将spring boot项目部署成为系统服务实现开机自动运行
zhaomengxia123的博客
09-20 924
在windows系统无论是gradle够接还是maven构建的Spring Boot项目打包之后的jar包,运行时采用命令窗口,但是只要cmd窗口关闭,或电脑注销项目也就关闭了。用winsw可以帮助我们实现打包的项目jar包会在系统启动的时候自动运行。 一、打包 首先pom文件中必须有如下图配置,之后maven项目打包,最后jar包是在target目录下面 <...
Zookeeper Windows集群搭建
zhaomengxia123的博客
09-05 144
首先我们在自己本地将解压,这里解压之后有配置过一些东西,具体请移步dubbo和zookeeper。另外新建两个文件夹,将zookeeper-3.4.14文件中的信息全部复制到新建的zookeeper2和zookeeper3文件下。具体的修改之后的三者的区别请往下看。 上诉三个文件夹是同一个安装包解压后的文件信息,修改的具体内容及三者的不同看下面。 zookeeper-3....
SpringMVC中使用@RequestBody,@ResponseBody注解实现Java对象和XML/JSON数据自动转换(上)
热门推荐
NowOrNever
09-09 5万+
配合@ResponseBody注解,以及HTTP Request Header中的Accept属性,Controller返回的Java对象可以自动被转换成对应的XML或者JSON数据。
启动报错Caused by: java.lang.ClassNotFoundException: org.springframework.http.HttpHeaders
进击的小白
02-22 3800
现象 项目启动报错. Caused by: java.lang.NoClassDefFoundError: org/springframework/http/HttpHeaders at org.springframework.data.elasticsearch.client.ClientConfigurationBuilder.<init>(ClientConfigurationBuilder.java:52) ~[spring-data-elasticsearch-4.0.4.RE
Controller中的方法利用ip跨域访问
weixin_30477797的博客
08-31 387
1、首先配置applicationhost.config文件 右击IIS,点击显示所有应用程序即可找到此config文件。 找到<binding protocol="http" bindingInformation="*:60074:localhost" />节点,在下面配置一条,将localhost换成ip地址。 2、新建一个类,如下 public class corsA...
Spring Security权限控制 + JWT Token 认证
猫吻鱼的博客
11-02 3万+
文章目录一、 前言1. spring-security中核心概念2. Spring Security的核心拦截器二、 实践 一、 前言 1. spring-security中核心概念 类名 概念 AuthenticationManager 用户认证的管理类,所有的认证请求(比如login)都会通过提交一个token给AuthenticationManager的authenticat...
PyCharm安装所需要的第三方库
zhaomengxia123的博客
01-20 1213
PyCharm安装所需要的第三方库 file--->settings--->project interpreter 如果安装失败,可以多次进行多次安装。
spring cloud 微服务之间添加自定义的header头
笨鸟不会飞
07-23 6179
spring cloud 微服务之间添加自定义的header头spring cloud 微服务之间添加自定义的header头创建注册中心创建生产者创建消费者验证结果 spring cloud 微服务之间添加自定义的header头 在我们的微服务开发过程中,有时候我们在调用其他微服务的时候,我们希望把一些参数放在header中,而不是作为参数往下传,这样的场景我们该如何解决呢? 创建注册中心 首先我...
SpringSecurity整合jwt权限认证全流程解析
小楼夜听雨的博客
12-16 2939
目录 JWT 代码 依赖 jwt工具类 实体类和Service 配置类 过滤器 异常处理 流程分析 总体分析 登录校验过滤器分析 权限认证过滤器分析 配置文件 JWT 本文代码截取自实际项目。 jwt(Json Web Token),一个token,令牌。 简单流程: 用户登录成功后,后端返回一个token,也就是颁发给用户一个凭证。之后每一次访问,前端都需要携带这个token,后端通过token来解析出当前访问对象。 优点 1、一定程度上解放了后端,后端不需要.
spring securityspring security Oauth2
最新发布
03-31
Spring Security是一个基于Spring Framework的安全框架,提供了一套安全性保护措施,包括身份认证、授权、防止攻击等...Spring Security Oauth2还提供了一些特性,如JWT令牌支持、集成Spring CloudSpring Boot等。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值