zoukankan      html  css  js  c++  java
  • 基于 Spring Security 的前后端分离的权限控制系统

    话不多说,入正题。一个简单的权限控制系统需要考虑的问题如下:

    1. 权限如何加载
    2. 权限匹配规则
    3. 登录

    1.  引入maven依赖

     1 <?xml version="1.0" encoding="UTF-8"?>
     2 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     3          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     4     <modelVersion>4.0.0</modelVersion>
     5     <parent>
     6         <groupId>org.springframework.boot</groupId>
     7         <artifactId>spring-boot-starter-parent</artifactId>
     8         <version>2.5.1</version>
     9         <relativePath/> <!-- lookup parent from repository -->
    10     </parent>
    11     <groupId>com.example</groupId>
    12     <artifactId>demo5</artifactId>
    13     <version>0.0.1-SNAPSHOT</version>
    14     <name>demo5</name>
    15 
    16     <properties>
    17         <java.version>1.8</java.version>
    18     </properties>
    19 
    20     <dependencies>
    21         <dependency>
    22             <groupId>org.springframework.boot</groupId>
    23             <artifactId>spring-boot-starter-data-jpa</artifactId>
    24         </dependency>
    25         <dependency>
    26             <groupId>org.springframework.boot</groupId>
    27             <artifactId>spring-boot-starter-data-redis</artifactId>
    28         </dependency>
    29         <dependency>
    30             <groupId>org.springframework.boot</groupId>
    31             <artifactId>spring-boot-starter-security</artifactId>
    32         </dependency>
    33         <dependency>
    34             <groupId>org.springframework.boot</groupId>
    35             <artifactId>spring-boot-starter-web</artifactId>
    36         </dependency>
    37 
    38         <dependency>
    39             <groupId>io.jsonwebtoken</groupId>
    40             <artifactId>jjwt</artifactId>
    41             <version>0.9.1</version>
    42         </dependency>
    43 
    44         <dependency>
    45             <groupId>com.alibaba</groupId>
    46             <artifactId>fastjson</artifactId>
    47             <version>1.2.76</version>
    48         </dependency>
    49         <dependency>
    50             <groupId>org.apache.commons</groupId>
    51             <artifactId>commons-lang3</artifactId>
    52             <version>3.12.0</version>
    53         </dependency>
    54         <dependency>
    55             <groupId>commons-codec</groupId>
    56             <artifactId>commons-codec</artifactId>
    57             <version>1.15</version>
    58         </dependency>
    59 
    60         <dependency>
    61             <groupId>mysql</groupId>
    62             <artifactId>mysql-connector-java</artifactId>
    63             <scope>runtime</scope>
    64         </dependency>
    65         <dependency>
    66             <groupId>org.projectlombok</groupId>
    67             <artifactId>lombok</artifactId>
    68             <optional>true</optional>
    69         </dependency>
    70     </dependencies>
    71 
    72     <build>
    73         <plugins>
    74             <plugin>
    75                 <groupId>org.springframework.boot</groupId>
    76                 <artifactId>spring-boot-maven-plugin</artifactId>
    77                 <configuration>
    78                     <excludes>
    79                         <exclude>
    80                             <groupId>org.projectlombok</groupId>
    81                             <artifactId>lombok</artifactId>
    82                         </exclude>
    83                     </excludes>
    84                 </configuration>
    85             </plugin>
    86         </plugins>
    87     </build>
    88 
    89 </project>

    application.properties配置

     1 server.port=8080
     2 server.servlet.context-path=/demo
     3 
     4 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
     5 spring.datasource.url=jdbc:mysql://localhost:3306/demo?useUnicode=true&characterEncoding=utf8
     6 spring.datasource.username=root
     7 spring.datasource.password=123456
     8 
     9 spring.jpa.database=mysql
    10 spring.jpa.open-in-view=true
    11 spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true
    12 spring.jpa.show-sql=true
    13 
    14 spring.redis.host=192.168.28.31
    15 spring.redis.port=6379
    16 spring.redis.password=123456

    2.  建表并生成相应的实体类

    SysUser.java

     1 package com.example.demo5.entity;
     2 
     3 import lombok.Getter;
     4 import lombok.Setter;
     5 
     6 import javax.persistence.*;
     7 import java.io.Serializable;
     8 import java.time.LocalDate;
     9 import java.util.Set;
    10 
    11 /**
    12  * 用户表
    13  * @Author ChengJianSheng
    14  * @Date 2021/6/12
    15  */
    16 @Setter
    17 @Getter
    18 @Entity
    19 @Table(name = "sys_user")
    20 public class SysUserEntity implements Serializable {
    21 
    22     @Id
    23     @GeneratedValue(strategy = GenerationType.AUTO)
    24     @Column(name = "id")
    25     private Integer id;
    26 
    27     @Column(name = "username")
    28     private String username;
    29 
    30     @Column(name = "password")
    31     private String password;
    32 
    33     @Column(name = "mobile")
    34     private String mobile;
    35 
    36     @Column(name = "enabled")
    37     private Integer enabled;
    38 
    39     @Column(name = "create_time")
    40     private LocalDate createTime;
    41 
    42     @Column(name = "update_time")
    43     private LocalDate updateTime;
    44 
    45     @OneToOne
    46     @JoinColumn(name = "dept_id")
    47     private SysDeptEntity dept;
    48 
    49     @ManyToMany
    50     @JoinTable(name = "sys_user_role",
    51             joinColumns = {@JoinColumn(name = "user_id", referencedColumnName = "id")},
    52             inverseJoinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")})
    53     private Set<SysRoleEntity> roles;
    54 
    55 }
    

    SysDept.java

    部门相当于用户组,这里简化了一下,用户组没有跟角色管理

     1 package com.example.demo5.entity;
     2 
     3 import lombok.Data;
     4 
     5 import javax.persistence.*;
     6 import java.io.Serializable;
     7 import java.util.Set;
     8 
     9 /**
    10  * 部门表
    11  * @Author ChengJianSheng
    12  * @Date 2021/6/12
    13  */
    14 @Data
    15 @Entity
    16 @Table(name = "sys_dept")
    17 public class SysDeptEntity implements Serializable {
    18 
    19     @Id
    20     @GeneratedValue(strategy = GenerationType.AUTO)
    21     @Column(name = "id")
    22     private Integer id;
    23 
    24     /**
    25      * 部门名称
    26      */
    27     @Column(name = "name")
    28     private String name;
    29 
    30     /**
    31      * 父级部门ID
    32      */
    33     @Column(name = "pid")
    34     private Integer pid;
    35 
    36 //    @ManyToMany(mappedBy = "depts")
    37 //    private Set<SysRoleEntity> roles;
    38 }

    SysMenu.java

    菜单相当于权限

     1 package com.example.demo5.entity;
     2 
     3 import lombok.Data;
     4 import lombok.Getter;
     5 import lombok.Setter;
     6 
     7 import javax.persistence.*;
     8 import java.io.Serializable;
     9 import java.util.Set;
    10 
    11 /**
    12  * 菜单表
    13  * @Author ChengJianSheng
    14  * @Date 2021/6/12
    15  */
    16 @Setter
    17 @Getter
    18 @Entity
    19 @Table(name = "sys_menu")
    20 public class SysMenuEntity implements Serializable {
    21 
    22     @Id
    23     @GeneratedValue(strategy = GenerationType.AUTO)
    24     @Column(name = "id")
    25     private Integer id;
    26 
    27     /**
    28      * 资源编码
    29      */
    30     @Column(name = "code")
    31     private String code;
    32 
    33     /**
    34      * 资源名称
    35      */
    36     @Column(name = "name")
    37     private String name;
    38 
    39     /**
    40      * 菜单/按钮URL
    41      */
    42     @Column(name = "url")
    43     private String url;
    44 
    45     /**
    46      * 资源类型(1:菜单,2:按钮)
    47      */
    48     @Column(name = "type")
    49     private Integer type;
    50 
    51     /**
    52      * 父级菜单ID
    53      */
    54     @Column(name = "pid")
    55     private Integer pid;
    56 
    57     /**
    58      * 排序号
    59      */
    60     @Column(name = "sort")
    61     private Integer sort;
    62 
    63     @ManyToMany(mappedBy = "menus")
    64     private Set<SysRoleEntity> roles;
    65 
    66 }

    SysRole.java

     1 package com.example.demo5.entity;
     2 
     3 import lombok.Data;
     4 import lombok.Getter;
     5 import lombok.Setter;
     6 
     7 import javax.persistence.*;
     8 import java.io.Serializable;
     9 import java.util.Set;
    10 
    11 /**
    12  * 角色表
    13  * @Author ChengJianSheng
    14  * @Date 2021/6/12
    15  */
    16 @Setter
    17 @Getter
    18 @Entity
    19 @Table(name = "sys_role")
    20 public class SysRoleEntity implements Serializable {
    21 
    22     @Id
    23     @GeneratedValue(strategy = GenerationType.AUTO)
    24     @Column(name = "id")
    25     private Integer id;
    26 
    27     /**
    28      * 角色名称
    29      */
    30     @Column(name = "name")
    31     private String name;
    32 
    33     @ManyToMany(mappedBy = "roles")
    34     private Set<SysUserEntity> users;
    35 
    36     @ManyToMany
    37     @JoinTable(name = "sys_role_menu",
    38             joinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")},
    39             inverseJoinColumns = {@JoinColumn(name = "menu_id", referencedColumnName = "id")})
    40     private Set<SysMenuEntity> menus;
    41 
    42 //    @ManyToMany
    43 //    @JoinTable(name = "sys_dept_role",
    44 //            joinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")},
    45 //            inverseJoinColumns = {@JoinColumn(name = "dept_id", referencedColumnName = "id")})
    46 //    private Set<SysDeptEntity> depts;
    47 
    48 }
    

    注意,不要使用@Data注解,因为@Data包含@ToString注解

    不要随便打印SysUser,例如:System.out.println(sysUser); 任何形式的toString()调用都不要有,否则很有可能造成循环调用,死递归。想想看,SysUser里面要查SysRole,SysRole要查SysMenu,SysMenu又要查SysRole。除非不用懒加载。

    3.  自定义UserDetails

    虽然可以使用Spring Security自带的User,但是笔者还是强烈建议自定义一个UserDetails,后面可以直接将其序列化成json缓存到redis中

     1 package com.example.demo5.domain;
     2 
     3 import lombok.Setter;
     4 import org.springframework.security.core.GrantedAuthority;
     5 import org.springframework.security.core.authority.SimpleGrantedAuthority;
     6 import org.springframework.security.core.userdetails.User;
     7 import org.springframework.security.core.userdetails.UserDetails;
     8 
     9 import java.util.Collection;
    10 import java.util.Set;
    11 
    12 /**
    13  * @Author ChengJianSheng
    14  * @Date 2021/6/12
    15  * @see User
    16  * @see org.springframework.security.core.userdetails.User
    17  */
    18 @Setter
    19 public class MyUserDetails implements UserDetails {
    20 
    21     private String username;
    22     private String password;
    23     private boolean enabled;
    24 //    private Collection<? extends GrantedAuthority> authorities;
    25     private Set<SimpleGrantedAuthority> authorities;
    26 
    27     public MyUserDetails(String username, String password, boolean enabled, Set<SimpleGrantedAuthority> authorities) {
    28         this.username = username;
    29         this.password = password;
    30         this.enabled = enabled;
    31         this.authorities = authorities;
    32     }
    33 
    34     @Override
    35     public Collection<? extends GrantedAuthority> getAuthorities() {
    36         return authorities;
    37     }
    38 
    39     @Override
    40     public String getPassword() {
    41         return password;
    42     }
    43 
    44     @Override
    45     public String getUsername() {
    46         return username;
    47     }
    48 
    49     @Override
    50     public boolean isAccountNonExpired() {
    51         return true;
    52     }
    53 
    54     @Override
    55     public boolean isAccountNonLocked() {
    56         return true;
    57     }
    58 
    59     @Override
    60     public boolean isCredentialsNonExpired() {
    61         return true;
    62     }
    63 
    64     @Override
    65     public boolean isEnabled() {
    66         return enabled;
    67     }
    68 }

     都自定义UserDetails了,当然要自己实现UserDetailsService了。这里当时偷懒直接用自带的User,后面放缓存的时候才知道不方便。

     1 package com.example.demo5.service;
     2 
     3 import com.example.demo5.entity.SysMenuEntity;
     4 import com.example.demo5.entity.SysRoleEntity;
     5 import com.example.demo5.entity.SysUserEntity;
     6 import com.example.demo5.repository.SysUserRepository;
     7 import org.apache.commons.lang3.StringUtils;
     8 import org.springframework.security.core.authority.SimpleGrantedAuthority;
     9 import org.springframework.security.core.userdetails.User;
    10 import org.springframework.security.core.userdetails.UserDetails;
    11 import org.springframework.security.core.userdetails.UserDetailsService;
    12 import org.springframework.security.core.userdetails.UsernameNotFoundException;
    13 import org.springframework.stereotype.Service;
    14 
    15 import javax.annotation.Resource;
    16 import java.util.Set;
    17 import java.util.stream.Collectors;
    18 
    19 /**
    20  * @Author ChengJianSheng
    21  * @Date 2021/6/12
    22  */
    23 @Service
    24 public class MyUserDetailsService implements UserDetailsService {
    25     @Resource
    26     private SysUserRepository sysUserRepository;
    27 
    28     @Override
    29     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    30         SysUserEntity sysUserEntity = sysUserRepository.findByUsername(username);
    31         Set<SysRoleEntity> roleSet = sysUserEntity.getRoles();
    32         Set<SimpleGrantedAuthority> authorities = roleSet.stream().flatMap(role->role.getMenus().stream())
    33                 .filter(menu-> StringUtils.isNotBlank(menu.getCode()))
    34                 .map(SysMenuEntity::getCode)
    35                 .map(SimpleGrantedAuthority::new)
    36                 .collect(Collectors.toSet());
    37         User user = new User(sysUserEntity.getUsername(), sysUserEntity.getPassword(), authorities);
    38         return user;
    39     }
    40 }
    

    算了,还是改过来吧

     1 package com.example.demo5.service;
     2 
     3 import com.example.demo5.domain.MyUserDetails;
     4 import com.example.demo5.entity.SysMenuEntity;
     5 import com.example.demo5.entity.SysRoleEntity;
     6 import com.example.demo5.entity.SysUserEntity;
     7 import com.example.demo5.repository.SysUserRepository;
     8 import org.apache.commons.lang3.StringUtils;
     9 import org.springframework.security.core.authority.SimpleGrantedAuthority;
    10 import org.springframework.security.core.userdetails.User;
    11 import org.springframework.security.core.userdetails.UserDetails;
    12 import org.springframework.security.core.userdetails.UserDetailsService;
    13 import org.springframework.security.core.userdetails.UsernameNotFoundException;
    14 import org.springframework.stereotype.Service;
    15 
    16 import javax.annotation.Resource;
    17 import java.util.Set;
    18 import java.util.stream.Collectors;
    19 
    20 /**
    21  * @Author ChengJianSheng
    22  * @Date 2021/6/12
    23  */
    24 @Service
    25 public class MyUserDetailsService implements UserDetailsService {
    26     @Resource
    27     private SysUserRepository sysUserRepository;
    28 
    29     @Override
    30     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    31         SysUserEntity sysUserEntity = sysUserRepository.findByUsername(username);
    32         Set<SysRoleEntity> roleSet = sysUserEntity.getRoles();
    33         Set<SimpleGrantedAuthority> authorities = roleSet.stream().flatMap(role->role.getMenus().stream())
    34                 .filter(menu-> StringUtils.isNotBlank(menu.getCode()))
    35                 .map(SysMenuEntity::getCode)
    36                 .map(SimpleGrantedAuthority::new)
    37                 .collect(Collectors.toSet());
    38 //        return new User(sysUserEntity.getUsername(), sysUserEntity.getPassword(), authorities);
    39         return new MyUserDetails(sysUserEntity.getUsername(), sysUserEntity.getPassword(), 1==sysUserEntity.getEnabled(), authorities);
    40     }
    41 }
    

    4.  自定义各种Handler

    登录成功

     1 package com.example.demo5.handler;
     2 
     3 import com.alibaba.fastjson.JSON;
     4 import com.example.demo5.domain.MyUserDetails;
     5 import com.example.demo5.domain.RespResult;
     6 import com.example.demo5.util.JwtUtils;
     7 import com.fasterxml.jackson.databind.ObjectMapper;
     8 import org.springframework.beans.factory.annotation.Autowired;
     9 import org.springframework.data.redis.core.StringRedisTemplate;
    10 import org.springframework.security.core.Authentication;
    11 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    12 import org.springframework.stereotype.Component;
    13 
    14 import javax.servlet.ServletException;
    15 import javax.servlet.http.HttpServletRequest;
    16 import javax.servlet.http.HttpServletResponse;
    17 import java.io.IOException;
    18 import java.io.PrintWriter;
    19 import java.util.concurrent.TimeUnit;
    20 
    21 /**
    22  * 登录成功
    23  */
    24 @Component
    25 public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    26 
    27     private static ObjectMapper objectMapper = new ObjectMapper();
    28 
    29     @Autowired
    30     private StringRedisTemplate stringRedisTemplate;
    31 
    32     @Override
    33     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
    34         MyUserDetails user = (MyUserDetails) authentication.getPrincipal();
    35         String username = user.getUsername();
    36         String token = JwtUtils.createToken(username);
    37         stringRedisTemplate.opsForValue().set("TOKEN:" + token, JSON.toJSONString(user), 60, TimeUnit.MINUTES);
    38 
    39         response.setContentType("application/json;charset=utf-8");
    40         PrintWriter writer = response.getWriter();
    41         writer.write(objectMapper.writeValueAsString(new RespResult<>(1, "success", token)));
    42         writer.flush();
    43         writer.close();
    44     }
    45 }

    登录失败

     1 package com.example.demo5.handler;
     2 
     3 import com.example.demo5.domain.RespResult;
     4 import com.fasterxml.jackson.databind.ObjectMapper;
     5 import org.springframework.security.core.AuthenticationException;
     6 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
     7 import org.springframework.stereotype.Component;
     8 
     9 import javax.servlet.ServletException;
    10 import javax.servlet.http.HttpServletRequest;
    11 import javax.servlet.http.HttpServletResponse;
    12 import java.io.IOException;
    13 import java.io.PrintWriter;
    14 
    15 /**
    16  * 登录失败
    17  */
    18 @Component
    19 public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    20 
    21     private static ObjectMapper objectMapper = new ObjectMapper();
    22 
    23     @Override
    24     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
    25         response.setContentType("application/json;charset=utf-8");
    26         PrintWriter writer = response.getWriter();
    27         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, exception.getMessage(), null)));
    28         writer.flush();
    29         writer.close();
    30     }
    31 }

    未登录

     1 package com.example.demo5.handler;
     2 
     3 import com.example.demo5.domain.RespResult;
     4 import com.fasterxml.jackson.databind.ObjectMapper;
     5 import org.springframework.security.core.AuthenticationException;
     6 import org.springframework.security.web.AuthenticationEntryPoint;
     7 import org.springframework.stereotype.Component;
     8 
     9 import javax.servlet.ServletException;
    10 import javax.servlet.http.HttpServletRequest;
    11 import javax.servlet.http.HttpServletResponse;
    12 import java.io.IOException;
    13 import java.io.PrintWriter;
    14 
    15 /**
    16  * 未认证(未登录)统一处理
    17  * @Author ChengJianSheng
    18  * @Date 2021/5/7
    19  */
    20 @Component
    21 public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    22 
    23     private static ObjectMapper objectMapper = new ObjectMapper();
    24 
    25     @Override
    26     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
    27         response.setContentType("application/json;charset=utf-8");
    28         PrintWriter writer = response.getWriter();
    29         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, "未登录,请先登录", null)));
    30         writer.flush();
    31         writer.close();
    32     }
    33 }

    未授权

     1 package com.example.demo5.handler;
     2 
     3 import com.example.demo5.domain.RespResult;
     4 import com.fasterxml.jackson.databind.ObjectMapper;
     5 import org.springframework.security.access.AccessDeniedException;
     6 import org.springframework.security.web.access.AccessDeniedHandler;
     7 import org.springframework.stereotype.Component;
     8 
     9 import javax.servlet.ServletException;
    10 import javax.servlet.http.HttpServletRequest;
    11 import javax.servlet.http.HttpServletResponse;
    12 import java.io.IOException;
    13 import java.io.PrintWriter;
    14 
    15 @Component
    16 public class MyAccessDeniedHandler implements AccessDeniedHandler {
    17 
    18     private static ObjectMapper objectMapper = new ObjectMapper();
    19 
    20     @Override
    21     public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
    22         response.setContentType("application/json;charset=utf-8");
    23         PrintWriter writer = response.getWriter();
    24         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, "抱歉,您没有权限访问", null)));
    25         writer.flush();
    26         writer.close();
    27     }
    28 }

    Session过期

     1 package com.example.demo5.handler;
     2 
     3 import com.example.demo5.domain.RespResult;
     4 import com.fasterxml.jackson.databind.ObjectMapper;
     5 import org.springframework.security.web.session.SessionInformationExpiredEvent;
     6 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
     7 
     8 import javax.servlet.ServletException;
     9 import javax.servlet.http.HttpServletResponse;
    10 import java.io.IOException;
    11 import java.io.PrintWriter;
    12 
    13 public class MyExpiredSessionStrategy implements SessionInformationExpiredStrategy {
    14 
    15     private static ObjectMapper objectMapper = new ObjectMapper();
    16 
    17     @Override
    18     public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
    19         String msg = "登录超时或已在另一台机器登录,您被迫下线!";
    20         RespResult respResult = new RespResult(0, msg, null);
    21         HttpServletResponse response = event.getResponse();
    22         response.setContentType("application/json;charset=utf-8");
    23         PrintWriter writer = response.getWriter();
    24         writer.write(objectMapper.writeValueAsString(respResult));
    25         writer.flush();
    26         writer.close();
    27     }
    28 }

    退出成功

     1 package com.example.demo5.handler;
     2 
     3 import com.fasterxml.jackson.databind.ObjectMapper;
     4 import org.springframework.beans.factory.annotation.Autowired;
     5 import org.springframework.data.redis.core.StringRedisTemplate;
     6 import org.springframework.security.core.Authentication;
     7 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
     8 import org.springframework.stereotype.Component;
     9 
    10 import javax.servlet.ServletException;
    11 import javax.servlet.http.HttpServletRequest;
    12 import javax.servlet.http.HttpServletResponse;
    13 import java.io.IOException;
    14 import java.io.PrintWriter;
    15 
    16 @Component
    17 public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
    18 
    19     private static ObjectMapper objectMapper = new ObjectMapper();
    20 
    21     @Autowired
    22     private StringRedisTemplate stringRedisTemplate;
    23 
    24     @Override
    25     public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    26         String token = request.getHeader("token");
    27         stringRedisTemplate.delete("TOKEN:" + token);
    28 
    29         response.setContentType("application/json;charset=utf-8");
    30         PrintWriter printWriter = response.getWriter();
    31         printWriter.write(objectMapper.writeValueAsString("logout success"));
    32         printWriter.flush();
    33         printWriter.close();
    34     }
    35 }
    

    5.  Token处理

    现在由于前后端分离,服务端不再维持Session,于是需要token来作为访问凭证

    token工具类

     1 package com.example.demo5.util;
     2 
     3 import io.jsonwebtoken.*;
     4 
     5 import java.util.Date;
     6 import java.util.HashMap;
     7 import java.util.Map;
     8 import java.util.function.Function;
     9 
    10 /**
    11  * @Author ChengJianSheng
    12  * @Date 2021/5/7
    13  */
    14 public class JwtUtils {
    15 
    16     private static long TOKEN_EXPIRATION = 24 * 60 * 60 * 1000;
    17     private static String TOKEN_SECRET_KEY = "123456";
    18 
    19     /**
    20      * 生成Token
    21      * @param subject   用户名
    22      * @return
    23      */
    24     public static String createToken(String subject) {
    25         long currentTimeMillis = System.currentTimeMillis();
    26         Date currentDate = new Date(currentTimeMillis);
    27         Date expirationDate = new Date(currentTimeMillis + TOKEN_EXPIRATION);
    28 
    29         //  存放自定义属性,比如用户拥有的权限
    30         Map<String, Object> claims = new HashMap<>();
    31 
    32         return Jwts.builder()
    33                 .setClaims(claims)
    34                 .setSubject(subject)
    35                 .setIssuedAt(currentDate)
    36                 .setExpiration(expirationDate)
    37                 .signWith(SignatureAlgorithm.HS512, TOKEN_SECRET_KEY)
    38                 .compact();
    39     }
    40 
    41     public static String extractUsername(String token) {
    42         return extractClaim(token, Claims::getSubject);
    43     }
    44 
    45     public static boolean isTokenExpired(String token) {
    46         return extractExpiration(token).before(new Date());
    47     }
    48 
    49     public static Date extractExpiration(String token) {
    50         return extractClaim(token, Claims::getExpiration);
    51     }
    52 
    53     public static <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
    54         final Claims claims = extractAllClaims(token);
    55         return claimsResolver.apply(claims);
    56     }
    57 
    58     private static Claims extractAllClaims(String token) {
    59         return Jwts.parser().setSigningKey(TOKEN_SECRET_KEY).parseClaimsJws(token).getBody();
    60     }
    61 
    62 }

    前后端约定登录成功以后,将token放到header中。于是,我们需要过滤器来处理请求Header中的token,为此定义一个TokenFilter

     1 package com.example.demo5.filter;
     2 
     3 import com.alibaba.fastjson.JSON;
     4 import com.example.demo5.domain.MyUserDetails;
     5 import org.apache.commons.lang3.StringUtils;
     6 import org.springframework.beans.factory.annotation.Autowired;
     7 import org.springframework.data.redis.core.StringRedisTemplate;
     8 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
     9 import org.springframework.security.core.context.SecurityContextHolder;
    10 import org.springframework.stereotype.Component;
    11 import org.springframework.web.filter.OncePerRequestFilter;
    12 
    13 import javax.servlet.FilterChain;
    14 import javax.servlet.ServletException;
    15 import javax.servlet.http.HttpServletRequest;
    16 import javax.servlet.http.HttpServletResponse;
    17 import java.io.IOException;
    18 import java.util.concurrent.TimeUnit;
    19 
    20 /**
    21  * @Author ChengJianSheng
    22  * @Date 2021/6/17
    23  */
    24 @Component
    25 public class TokenFilter extends OncePerRequestFilter {
    26 
    27     @Autowired
    28     private StringRedisTemplate stringRedisTemplate;
    29 
    30     @Override
    31     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    32         String token = request.getHeader("token");
    33         System.out.println("请求头中带的token: " + token);
    34         String key = "TOKEN:" + token;
    35         if (StringUtils.isNotBlank(token)) {
    36             String value = stringRedisTemplate.opsForValue().get(key);
    37             if (StringUtils.isNotBlank(value)) {
    38 //                String username = JwtUtils.extractUsername(token);
    39                 MyUserDetails user = JSON.parseObject(value, MyUserDetails.class);
    40                 if (null != user && null == SecurityContextHolder.getContext().getAuthentication()) {
    41                     UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    42                     SecurityContextHolder.getContext().setAuthentication(authenticationToken);
    43 
    44                     //  刷新token
    45                     //  如果生存时间小于10分钟,则再续1小时
    46                     long time = stringRedisTemplate.getExpire(key);
    47                     if (time < 600) {
    48                         stringRedisTemplate.expire(key, (time + 3600), TimeUnit.SECONDS);
    49                     }
    50                 }
    51             }
    52         }
    53 
    54         chain.doFilter(request, response);
    55     }
    56 }

    token过滤器做了两件事,一是获取header中的token,构造UsernamePasswordAuthenticationToken放入上下文中。权限可以从数据库中再查一遍,也可以直接从之前的缓存中获取。二是为token续期,即刷新token。 

    由于我们采用jwt生成token,因此没法中途更改token的有效期,只能将其放到Redis中,通过更改Redis中key的生存时间来控制token的有效期。

    6.  访问控制

    首先来定义资源

     1 package com.example.demo5.controller;
     2 
     3 import org.springframework.security.access.prepost.PreAuthorize;
     4 import org.springframework.web.bind.annotation.GetMapping;
     5 import org.springframework.web.bind.annotation.RequestMapping;
     6 import org.springframework.web.bind.annotation.RestController;
     7 
     8 /**
     9  * @Author ChengJianSheng
    10  * @Date 2021/6/12
    11  */
    12 @RestController
    13 @RequestMapping("/hello")
    14 public class HelloController {
    15 
    16     @PreAuthorize("@myAccessDecisionService.hasPermission('hello:sayHello')")
    17     @GetMapping("/sayHello")
    18     public String sayHello() {
    19         return "hello";
    20     }
    21 
    22     @PreAuthorize("@myAccessDecisionService.hasPermission('hello:sayHi')")
    23     @GetMapping("/sayHi")
    24     public String sayHi() {
    25         return "hi";
    26     }
    27 }

    资源的访问控制我们通过判断是否有相应的权限字符串

     1 package com.example.demo5.service;
     2 
     3 import org.springframework.security.core.Authentication;
     4 import org.springframework.security.core.GrantedAuthority;
     5 import org.springframework.security.core.authority.SimpleGrantedAuthority;
     6 import org.springframework.security.core.context.SecurityContextHolder;
     7 import org.springframework.security.core.userdetails.UserDetails;
     8 import org.springframework.stereotype.Component;
     9 
    10 import java.util.Set;
    11 import java.util.stream.Collectors;
    12 
    13 @Component("myAccessDecisionService")
    14 public class MyAccessDecisionService {
    15 
    16     public boolean hasPermission(String permission) {
    17         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    18         Object principal = authentication.getPrincipal();
    19         if (principal instanceof UserDetails) {
    20             UserDetails userDetails = (UserDetails) principal;
    21 //            SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority(permission);
    22             Set<String> set = userDetails.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
    23             return set.contains(permission);
    24         }
    25         return false;
    26     }
    27 }
    

    7.  配置WebSecurity

     1 package com.example.demo5.config;
     2 
     3 import com.example.demo5.filter.TokenFilter;
     4 import com.example.demo5.handler.*;
     5 import com.example.demo5.service.MyUserDetailsService;
     6 import org.springframework.beans.factory.annotation.Autowired;
     7 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
     8 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
     9 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    10 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    11 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    12 import org.springframework.security.config.http.SessionCreationPolicy;
    13 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    14 import org.springframework.security.crypto.password.PasswordEncoder;
    15 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    16 
    17 /**
    18  * @Author ChengJianSheng
    19  * @Date 2021/6/12
    20  */
    21 @EnableGlobalMethodSecurity(prePostEnabled = true)
    22 @EnableWebSecurity
    23 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    24 
    25     @Autowired
    26     private MyUserDetailsService myUserDetailsService;
    27     @Autowired
    28     private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
    29     @Autowired
    30     private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
    31     @Autowired
    32     private TokenFilter tokenFilter;
    33 
    34     @Override
    35     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    36         auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
    37     }
    38 
    39     @Override
    40     protected void configure(HttpSecurity http) throws Exception {
    41         http.formLogin()
    42 //                .usernameParameter("username")
    43 //                .passwordParameter("password")
    44 //                .loginPage("/login.html")
    45                 .successHandler(myAuthenticationSuccessHandler)
    46                 .failureHandler(myAuthenticationFailureHandler)
    47                 .and()
    48                 .logout().logoutSuccessHandler(new MyLogoutSuccessHandler())
    49                 .and()
    50                 .authorizeRequests()
    51                 .antMatchers("/demo/login").permitAll()
    52 //                .antMatchers("/css/**", "/js/**", "/**/images/*.*").permitAll()
    53 //                .regexMatchers(".+[.]jpg").permitAll()
    54 //                .mvcMatchers("/hello").servletPath("/demo").permitAll()
    55                 .anyRequest().authenticated()
    56                 .and()
    57                 .exceptionHandling()
    58                 .accessDeniedHandler(new MyAccessDeniedHandler())
    59                 .authenticationEntryPoint(new MyAuthenticationEntryPoint())
    60                 .and()
    61                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    62                 .maximumSessions(1)
    63                 .maxSessionsPreventsLogin(false)
    64                 .expiredSessionStrategy(new MyExpiredSessionStrategy());
    65 
    66         http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
    67 
    68         http.csrf().disable();
    69     }
    70 
    71     public PasswordEncoder passwordEncoder() {
    72         return new BCryptPasswordEncoder();
    73     }
    74 
    75     public static void main(String[] args) {
    76         System.out.println(new BCryptPasswordEncoder().encode("123456"));
    77     }
    78 }

    注意,我们将自定义的TokenFilter放到UsernamePasswordAuthenticationFilter之前

    所有过滤器的顺序可以查看 org.springframework.security.config.annotation.web.builders.FilterComparator 或者 org.springframework.security.config.annotation.web.builders.FilterOrderRegistration

    8.  看效果

    9.  补充:手机号+短信验证码登录

    参照org.springframework.security.authentication.UsernamePasswordAuthenticationToken写一个短信认证Token

     1 package com.example.demo5.filter;
     2 
     3 import org.springframework.security.authentication.AbstractAuthenticationToken;
     4 import org.springframework.security.core.GrantedAuthority;
     5 import org.springframework.security.core.SpringSecurityCoreVersion;
     6 import org.springframework.util.Assert;
     7 
     8 import java.util.Collection;
     9 
    10 /**
    11  * @Author ChengJianSheng
    12  * @Date 2021/5/12
    13  */
    14 public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
    15 
    16     private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    17 
    18     private final Object principal;
    19 
    20     private Object credentials;
    21 
    22     public SmsCodeAuthenticationToken(Object principal, Object credentials) {
    23         super(null);
    24         this.principal = principal;
    25         this.credentials = credentials;
    26         setAuthenticated(false);
    27     }
    28 
    29     public SmsCodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
    30         super(authorities);
    31         this.principal = principal;
    32         this.credentials = credentials;
    33         super.setAuthenticated(true);
    34     }
    35 
    36     @Override
    37     public Object getCredentials() {
    38         return credentials;
    39     }
    40 
    41     @Override
    42     public Object getPrincipal() {
    43         return principal;
    44     }
    45 
    46     @Override
    47     public void setAuthenticated(boolean authenticated) {
    48         Assert.isTrue(!authenticated, "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
    49         super.setAuthenticated(false);
    50     }
    51 
    52     @Override
    53     public void eraseCredentials() {
    54         super.eraseCredentials();
    55     }
    56 }
    

    参照org.springframework.security.authentication.dao.DaoAuthenticationProvider写一个自己的短信认证Provider

     1 package com.example.demo5.filter;
     2 
     3 import com.example.demo.service.MyUserDetailsService;
     4 import org.apache.commons.lang3.StringUtils;
     5 import org.springframework.security.authentication.AuthenticationProvider;
     6 import org.springframework.security.authentication.BadCredentialsException;
     7 import org.springframework.security.core.Authentication;
     8 import org.springframework.security.core.AuthenticationException;
     9 import org.springframework.security.core.userdetails.UserDetails;
    10 
    11 /**
    12  * @Author ChengJianSheng
    13  * @Date 2021/5/12
    14  */
    15 public class SmsAuthenticationProvider implements AuthenticationProvider {
    16 
    17     private MyUserDetailsService myUserDetailsService;
    18 
    19     @Override
    20     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    21         //  校验验证码
    22         additionalAuthenticationChecks((SmsCodeAuthenticationToken) authentication);
    23 
    24         //  校验手机号
    25         String mobile = authentication.getPrincipal().toString();
    26 
    27         UserDetails userDetails = myUserDetailsService.loadUserByMobile(mobile);
    28 
    29         if (null == userDetails) {
    30             throw new BadCredentialsException("手机号不存在");
    31         }
    32 
    33         //  创建认证成功的Authentication对象
    34         SmsCodeAuthenticationToken result = new SmsCodeAuthenticationToken(userDetails, userDetails.getAuthorities());
    35         result.setDetails(authentication.getDetails());
    36 
    37         return result;
    38     }
    39 
    40     protected void additionalAuthenticationChecks(SmsCodeAuthenticationToken authentication) throws AuthenticationException {
    41         if (authentication.getCredentials() == null) {
    42             throw new BadCredentialsException("验证码不能为空");
    43         }
    44         String mobile = authentication.getPrincipal().toString();
    45         String smsCode = authentication.getCredentials().toString();
    46 
    47         //  从Session或者Redis中获取相应的验证码
    48         String smsCodeInSessionKey = "SMS_CODE_" + mobile;
    49 //        String verificationCode = sessionStrategy.getAttribute(servletWebRequest, smsCodeInSessionKey);
    50 //        String verificationCode = stringRedisTemplate.opsForValue().get(smsCodeInSessionKey);
    51         String verificationCode = "1234";
    52 
    53         if (StringUtils.isBlank(verificationCode)) {
    54             throw new BadCredentialsException("短信验证码不存在,请重新发送!");
    55         }
    56         if (!smsCode.equalsIgnoreCase(verificationCode)) {
    57             throw new BadCredentialsException("验证码错误!");
    58         }
    59 
    60         //todo  清除Session或者Redis中获取相应的验证码
    61     }
    62 
    63     @Override
    64     public boolean supports(Class<?> authentication) {
    65         return (SmsCodeAuthenticationToken.class.isAssignableFrom(authentication));
    66     }
    67 
    68     public MyUserDetailsService getMyUserDetailsService() {
    69         return myUserDetailsService;
    70     }
    71 
    72     public void setMyUserDetailsService(MyUserDetailsService myUserDetailsService) {
    73         this.myUserDetailsService = myUserDetailsService;
    74     }
    75 }

    参照org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter写一个短信认证处理的过滤器

     1 package com.example.demo.filter;
     2 
     3 import org.springframework.security.authentication.AuthenticationManager;
     4 import org.springframework.security.authentication.AuthenticationServiceException;
     5 import org.springframework.security.core.Authentication;
     6 import org.springframework.security.core.AuthenticationException;
     7 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
     8 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
     9 
    10 import javax.servlet.ServletException;
    11 import javax.servlet.http.HttpServletRequest;
    12 import javax.servlet.http.HttpServletResponse;
    13 import java.io.IOException;
    14 
    15 /**
    16  * @Author ChengJianSheng
    17  * @Date 2021/5/12
    18  */
    19 public class SmsAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    20 
    21     public static final String SPRING_SECURITY_FORM_MOBILE_KEY = "mobile";
    22 
    23     public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "smsCode";
    24 
    25     private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login/mobile", "POST");
    26 
    27     private String usernameParameter = SPRING_SECURITY_FORM_MOBILE_KEY;
    28 
    29     private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
    30 
    31     private boolean postOnly = true;
    32 
    33     public SmsAuthenticationFilter() {
    34         super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
    35     }
    36 
    37     public SmsAuthenticationFilter(AuthenticationManager authenticationManager) {
    38         super(DEFAULT_ANT_PATH_REQUEST_MATCHER, authenticationManager);
    39     }
    40 
    41     @Override
    42     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
    43         if (postOnly && !request.getMethod().equals("POST")) {
    44             throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
    45         }
    46 
    47         String mobile = obtainMobile(request);
    48         mobile = (mobile != null) ? mobile : "";
    49         mobile = mobile.trim();
    50         String smsCode = obtainPassword(request);
    51         smsCode = (smsCode != null) ? smsCode : "";
    52 
    53         SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile, smsCode);
    54 
    55         setDetails(request, authRequest);
    56 
    57         return this.getAuthenticationManager().authenticate(authRequest);
    58     }
    59 
    60     private String obtainMobile(HttpServletRequest request) {
    61         return request.getParameter(this.usernameParameter);
    62     }
    63 
    64     private String obtainPassword(HttpServletRequest request) {
    65         return request.getParameter(this.passwordParameter);
    66     }
    67 
    68     protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
    69         authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
    70     }
    71 }

    在WebSecurity中进行配置

     1 package com.example.demo.config;
     2 
     3 import com.example.demo.filter.SmsAuthenticationFilter;
     4 import com.example.demo.filter.SmsAuthenticationProvider;
     5 import com.example.demo.handler.MyAuthenticationFailureHandler;
     6 import com.example.demo.handler.MyAuthenticationSuccessHandler;
     7 import com.example.demo.service.MyUserDetailsService;
     8 import org.springframework.beans.factory.annotation.Autowired;
     9 import org.springframework.security.authentication.AuthenticationManager;
    10 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
    11 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    12 import org.springframework.security.web.DefaultSecurityFilterChain;
    13 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    14 import org.springframework.stereotype.Component;
    15 
    16 /**
    17  * @Author ChengJianSheng
    18  * @Date 2021/5/12
    19  */
    20 @Component
    21 public class SmsAuthenticationConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    22 
    23     @Autowired
    24     private MyUserDetailsService myUserDetailsService;
    25     @Autowired
    26     private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
    27     @Autowired
    28     private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
    29 
    30     @Override
    31     public void configure(HttpSecurity http) throws Exception {
    32         SmsAuthenticationFilter smsAuthenticationFilter = new SmsAuthenticationFilter();
    33         smsAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    34         smsAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler);
    35         smsAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
    36 
    37         SmsAuthenticationProvider smsAuthenticationProvider = new SmsAuthenticationProvider();
    38         smsAuthenticationProvider.setMyUserDetailsService(myUserDetailsService);
    39 
    40         http.authenticationProvider(smsAuthenticationProvider)
    41                 .addFilterAfter(smsAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    42     }
    43 }
    
    1 http.apply(smsAuthenticationConfig);
    
  • 相关阅读:
    软件研发:公司内部技术考试——算法编程题程序框架
    软件研发:公司内部技术考试——答题方法
    JConsole & JVisualVM远程监视Websphere服务器JVM的配置方法
    java.sql.SQLException: ORA-01578: ORACLE 数据块损坏问题解决办法
    ORA-00001: unique constraint (...) violated并不一定是数据冲突
    Linux部署Web应用程序超链接下载中文名称文件404问题解决办法
    Windows平台使用RMAN命令自动删除Oracle过期归档日志的方法
    Oracle调整内存超出限制出现ORA-27100: shared memory realm already exists问题解决办法
    linux下查看最消耗CPU、内存的进程
    RMAN正确地删除Archivelog以及设置有备库的归档删除策略
  • 原文地址:https://www.cnblogs.com/cjsblog/p/14904861.html
Copyright © 2011-2022 走看看