Good morning, everyone!
之前我們已經說過用Shiro和JWT來實作身份認證和用戶授權,今天我們再來說一下Security和JWT的組合拳,
簡介
先贅述一下身份認證和用戶授權:
- 用戶認證(
Authentication):系統通過校驗用戶提供的用戶名和密碼來驗證該用戶是否為系統中的合法主體,即是否可以訪問該系統; - 用戶授權(
Authorization):系統為用戶分配不同的角色,以獲取對應的權限,即驗證該用戶是否有權限執行該操作;
Web應用的安全性包括用戶認證和用戶授權兩個部分,而Spring Security(以下簡稱Security)基于Spring框架,正好可以完整解決該問題,
它的真正強大之處在于它可以輕松擴展以滿足自定義要求,
原理
Security可以看做是由一組filter過濾器鏈組成的權限認證,它的整個作業流程如下所示:

圖中綠色認證方式是可以配置的,橘黃色和藍色的位置不可更改:
FilterSecurityInterceptor:最后的過濾器,它會決定當前的請求可不可以訪問ControllerExceptionTranslationFilter:例外過濾器,接收到例外訊息時會引導用戶進行認證;
實戰
專案準備
我們使用Spring Boot框架來集成,
1.pom檔案引入的依賴
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter</artifactid>
</dependency>
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-web</artifactid>
<exclusions>
<exclusion>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-tomcat</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-undertow</artifactid>
</dependency>
<dependency>
<groupid>mysql</groupid>
<artifactid>mysql-connector-java</artifactid>
</dependency>
<dependency>
<groupid>com.baomidou</groupid>
<artifactid>mybatis-plus-boot-starter</artifactid>
<version>3.4.0</version>
</dependency>
<dependency>
<groupid>org.projectlombok</groupid>
<artifactid>lombok</artifactid>
</dependency>
<!-- 阿里JSON決議器 -->
<dependency>
<groupid>com.alibaba</groupid>
<artifactid>fastjson</artifactid>
<version>1.2.74</version>
</dependency>
<dependency>
<groupid>joda-time</groupid>
<artifactid>joda-time</artifactid>
<version>2.10.6</version>
</dependency>
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-test</artifactid>
</dependency>
2.application.yml配置
spring:
application:
name: securityjwt
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/cheetah?characterEncoding=utf-8&useSSL=false&serverTimezone=UTC
username: root
password: 123456
server:
port: 8080
mybatis:
mapper-locations: classpath:mapper/*.xml
type-aliases-package: com.itcheetah.securityjwt.entity
configuration:
map-underscore-to-camel-case: true
rsa:
key:
pubKeyFile: C:\Users\Desktop\jwt\id_key_rsa.pub
priKeyFile: C:\Users\Desktop\jwt\id_key_rsa
3.SQL檔案
/**
* sys_user_info
**/
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for sys_user_info
-- ----------------------------
DROP TABLE IF EXISTS `sys_user_info`;
CREATE TABLE `sys_user_info` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
SET FOREIGN_KEY_CHECKS = 1;
/**
* product_info
**/
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for product_info
-- ----------------------------
DROP TABLE IF EXISTS `product_info`;
CREATE TABLE `product_info` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`price` decimal(10, 4) NULL DEFAULT NULL,
`create_date` datetime(0) NULL DEFAULT NULL,
`update_date` datetime(0) NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
SET FOREIGN_KEY_CHECKS = 1;
引入依賴
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-security</artifactid>
</dependency>
<!--Token生成與決議-->
<dependency>
<groupid>io.jsonwebtoken</groupid>
<artifactid>jjwt</artifactid>
<version>0.9.1</version>
</dependency>
引入之后啟動專案,會有如圖所示:

其中用戶名為user,密碼為上圖中的字串,
SecurityConfig類
//開啟全域方法安全性
@EnableGlobalMethodSecurity(prePostEnabled=true, securedEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//認證失敗處理類
@Autowired
private AuthenticationEntryPointImpl unauthorizedHandler;
//提供公鑰私鑰的配置類
@Autowired
private RsaKeyProperties prop;
@Autowired
private UserInfoService userInfoService;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// CSRF禁用,因為不使用session
.csrf().disable()
// 認證失敗處理類
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
// 基于token,所以不需要session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
// 過濾請求
.authorizeRequests()
.antMatchers(
HttpMethod.GET,
"/*.html",
"/**/*.html",
"/**/*.css",
"/**/*.js"
).permitAll()
// 除上面外的所有請求全部需要鑒權認證
.anyRequest().authenticated()
.and()
.headers().frameOptions().disable();
// 添加JWT filter
httpSecurity.addFilter(new TokenLoginFilter(super.authenticationManager(), prop))
.addFilter(new TokenVerifyFilter(super.authenticationManager(), prop));
}
//指定認證物件的來源
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userInfoService)
//從前端傳遞過來的密碼就會被加密,所以從資料庫
//查詢到的密碼必須是經過加密的,而這個程序都是
//在用戶注冊的時候進行加密的,
.passwordEncoder(passwordEncoder());
}
//密碼加密
@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
攔截規則
anyRequest:匹配所有請求路徑access:SpringEl運算式結果為true時可以訪問anonymous:匿名可以訪問- `denyAll:用戶不能訪問
fullyAuthenticated:用戶完全認證可以訪問(非remember-me下自動登錄)hasAnyAuthority:如果有引數,引數表示權限,則其中任何一個權限可以訪問hasAnyRole:如果有引數,引數表示角色,則其中任何一個角色可以訪問hasAuthority:如果有引數,引數表示權限,則其權限可以訪問hasIpAddress:如果有引數,引數表示IP地址,如果用戶IP和引數匹配,則可以訪問hasRole:如果有引數,引數表示角色,則其角色可以訪問permitAll:用戶可以任意訪問rememberMe:允許通過remember-me登錄的用戶訪問authenticated:用戶登錄后可訪問
認證失敗處理類
/**
* 回傳未授權
*/
@Component
public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint, Serializable {
private static final long serialVersionUID = -8970718410437077606L;
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e)
throws IOException {
int code = HttpStatus.UNAUTHORIZED;
String msg = "認證失敗,無法訪問系統資源,請先登陸";
ServletUtils.renderString(response, JSON.toJSONString(AjaxResult.error(code, msg)));
}
}
認證流程
自定義認證過濾器
public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
private RsaKeyProperties prop;
public TokenLoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
this.authenticationManager = authenticationManager;
this.prop = prop;
}
/**
* @author cheetah
* @description 登陸驗證
* @date 2021/6/28 16:17
* @Param [request, response]
* @return org.springframework.security.core.Authentication
**/
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
try {
UserPojo sysUser = new ObjectMapper().readValue(request.getInputStream(), UserPojo.class);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword());
return authenticationManager.authenticate(authRequest);
}catch (Exception e){
try {
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter out = response.getWriter();
Map resultMap = new HashMap();
resultMap.put("code", HttpServletResponse.SC_UNAUTHORIZED);
resultMap.put("msg", "用戶名或密碼錯誤!");
out.write(new ObjectMapper().writeValueAsString(resultMap));
out.flush();
out.close();
}catch (Exception outEx){
outEx.printStackTrace();
}
throw new RuntimeException(e);
}
}
/**
* @author cheetah
* @description 登陸成功回呼
* @date 2021/6/28 16:17
* @Param [request, response, chain, authResult]
* @return void
**/
public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
UserPojo user = new UserPojo();
user.setUsername(authResult.getName());
user.setRoles((List<rolepojo>)authResult.getAuthorities());
//通過私鑰進行加密:token有效期一天
String token = JwtUtils.generateTokenExpireInMinutes(user, prop.getPrivateKey(), 24 * 60);
response.addHeader("Authorization", "Bearer "+token);
try {
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = response.getWriter();
Map resultMap = new HashMap();
resultMap.put("code", HttpServletResponse.SC_OK);
resultMap.put("msg", "認證通過!");
resultMap.put("token", token);
out.write(new ObjectMapper().writeValueAsString(resultMap));
out.flush();
out.close();
}catch (Exception outEx){
outEx.printStackTrace();
}
}
}
流程
Security默認登錄路徑為/login,當我們呼叫該介面時,它會呼叫上邊的attemptAuthentication方法;




所以我們要自定義UserInfoService繼承UserDetailsService實作loadUserByUsername方法;
public interface UserInfoService extends UserDetailsService {
}
@Service
@Transactional
public class UserInfoServiceImpl implements UserInfoService {
@Autowired
private SysUserInfoMapper userInfoMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserPojo user = userInfoMapper.queryByUserName(username);
return user;
}
}
其中的loadUserByUsername回傳的是UserDetails型別,所以UserPojo繼承UserDetails類
@Data
public class UserPojo implements UserDetails {
private Integer id;
private String username;
private String password;
private Integer status;
private List<rolepojo> roles;
@JsonIgnore
@Override
public Collection<!--? extends GrantedAuthority--> getAuthorities() {
//理想型回傳 admin 權限,可自已處理這塊
List<simplegrantedauthority> auth = new ArrayList<>();
auth.add(new SimpleGrantedAuthority("ADMIN"));
return auth;
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.username;
}
/**
* 賬戶是否過期
**/
@JsonIgnore
@Override
public boolean isAccountNonExpired() {
return true;
}
/**
* 是否禁用
*/
@JsonIgnore
@Override
public boolean isAccountNonLocked() {
return true;
}
/**
* 密碼是否過期
*/
@JsonIgnore
@Override
public boolean isCredentialsNonExpired() {
return true;
}
/**
* 是否啟用
*/
@JsonIgnore
@Override
public boolean isEnabled() {
return true;
}
}
當認證通過之后會在SecurityContext中設定Authentication物件,回呼呼叫successfulAuthentication方法回傳token資訊,

整體流程圖如下

鑒權流程
自定義token過濾器
public class TokenVerifyFilter extends BasicAuthenticationFilter {
private RsaKeyProperties prop;
public TokenVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
super(authenticationManager);
this.prop = prop;
}
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Bearer ")) {
//如果攜帶錯誤的token,則給用戶提示請登錄!
chain.doFilter(request, response);
} else {
//如果攜帶了正確格式的token要先得到token
String token = header.replace("Bearer ", "");
//通過公鑰進行解密:驗證tken是否正確
Payload<userpojo> payload = JwtUtils.getInfoFromToken(token, prop.getPublicKey(), UserPojo.class);
UserPojo user = payload.getUserInfo();
if(user!=null){
UsernamePasswordAuthenticationToken authResult = new UsernamePasswordAuthenticationToken(user.getUsername(), null, user.getAuthorities());
//將認證資訊存到安全背景關系中
SecurityContextHolder.getContext().setAuthentication(authResult);
chain.doFilter(request, response);
}
}
}
}
當我們訪問時需要在header中攜帶token資訊

至于關于文中JWT生成token和RSA生成公鑰、私鑰的部分,可在原始碼中查看,回復“sjwt”可獲取完整原始碼呦!
以上就是今天的全部內容了,如果你有不同的意見或者更好的idea,歡迎聯系阿Q,添加阿Q可以加入技術交流群參與討論呦!
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/288831.html
標籤:Java
上一篇:如何合理的設計系統容量?
