刚开始学习的时候，一直没有找到 Spring Security + JWT 较好的博客教程，导致我学了很长时间都没学会；后来不断研究，写下此随笔，供大家参考！注意：下面的示例只用于演示，用户名（"admin"）和密码（"123456"）都是写死的，请勿直接用于生产环境。
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    /** Filter that turns a valid "token" request header into a SecurityContext authentication. */
    @Autowired
    LoginFilter loginFilter;

    /**
     * BCrypt encoder exposed as a bean; it is also injected into {@link LoginFilter},
     * which currently uses it to encode a placeholder password.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Stateless, token-based HTTP security: no server session, CSRF off,
     * "/login" open to everyone, every other request requires an authenticated context.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off. That is acceptable only while the token travels in a
        // custom header (see LoginFilter) and not in a cookie the browser would attach on its own.
        http.csrf().disable();

        // No HttpSession is created or consulted: each request must carry its own token.
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // "/login" is the only anonymous endpoint.
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated();

        // Populate the SecurityContext from the token before the form-login filter and,
        // more importantly, before the authorization filters at the end of the chain run.
        // NOTE(review): LoginFilter is also a @Component that implements Filter, so Spring Boot
        // presumably registers it in the servlet container chain as well; OncePerRequestFilter
        // prevents it from executing twice per request, but verify this in the running application.
        http.addFilterBefore(loginFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
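@Component
public class LoginFilter extends OncePerRequestFilter {
    /** Request header carrying the JWT; the whole header value is the token (no "Bearer " prefix). */
    private static final String TOKEN_HEADER = "token";

    @Autowired
    JwtUtil jwtUtil;
    @Autowired
    PasswordEncoder passwordEncoder;

    /**
     * Authenticates the request from its "token" header.
     *
     * On a present, valid token the SecurityContext is populated and the chain continues.
     * On a missing or invalid token the SecurityContext is left untouched and the chain
     * STILL continues: Spring Security's own filters downstream then reject protected URLs
     * (401/403) and let permitted ones such as "/login" through. The original version
     * stopped the chain on failure, which (a) answered with an empty response instead of a
     * proper 401 and (b) made "/login" unreachable because no token exists yet at login time.
     *
     * @param httpServletRequest  incoming request; only the "token" header is read
     * @param httpServletResponse response, passed through unchanged
     * @param filterChain         remaining filter chain, always invoked exactly once
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String token = httpServletRequest.getHeader(TOKEN_HEADER);

        // The token is a bearer credential: never print or log its value.
        // Guard against a null/empty header before handing it to JwtUtil, whose null-handling is not visible here.
        if (token != null && !token.isEmpty() && jwtUtil.validateToken(token)) {
            // TODO(review): the principal is hard-coded to "admin", so every valid token is treated as
            // the same user. The username should come from the token's claims; JwtUtil's accessor for
            // that is not shown in this listing, so it is left as-is here.
            UserDetails userDetails = loadUserByUsername("admin");
            // Credentials are null on purpose: the token already proved identity, no password is compared.
            UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        } else {
            System.out.println("验证失败");
        }

        // Always continue; see the method contract above for why failure must not stop the chain.
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Builds the UserDetails for {@code username}.
     *
     * Placeholder implementation: the role list is fixed to ROLE_USER and the password is a
     * hard-coded literal. Replace the body with a repository lookup (the original comment suggests
     * a Redis cache in front of it).
     *
     * NOTE(review): BCrypt is deliberately slow, and this method runs it on every authenticated
     * request. The hash is never compared in the token flow, so a real implementation should return
     * the stored hash from the user store rather than re-encoding here.
     *
     * @param username principal name to build details for
     * @return a Spring Security {@code User} with ROLE_USER
     * @throws UsernameNotFoundException declared for callers; never thrown by this placeholder
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<GrantedAuthority> authorityList = new ArrayList<>();
        /* Query the database for the user's roles here; a Redis cache can speed this up. */
        authorityList.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new org.springframework.security.core.userdetails.User(username, passwordEncoder.encode("123456"), authorityList);
    }
}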