Springboot+Spring-Security+JWT+Redis实现restful Api的权限管理以及token管理

最新推荐文章于 2025-06-16 16:13:20 发布
最新推荐文章于 2025-06-16 16:13:20 发布
阅读量2k 收藏 12
点赞数
CC 4.0 BY-SA版权
原文链接:https://blog.youkuaiyun.com/ech13an/article/details/80779973
本文详细介绍如何使用SpringBoot、SpringSecurity和JWT实现基于Token的权限管理,包括统一处理无权限请求、JWT工具类封装、用户实体类及DAO层设计、权限框架配置等关键步骤。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

版权声明:本文为博主原创文章,遵循 CC 4.0 by-sa 版权协议,转载请附上原文出处链接和本声明。
本文链接: https://blog.youkuaiyun.com/ech13an/article/details/80779973

前言

其实挺早就想写一篇关于jwt的博文去好好总结一下之前踩过的坑了,但是事情有点太多了,一直没抽出时间来写,刚好现在有点时间可以好好静下来写一遍(可能)有点质量的博文吧,毕竟一直都是看别人的博文去学习,我也好好写一遍吧哈哈。既然如果偶然搜到这篇文章的话,我相信大家应该都了解了什么是jwt,比较想知道怎么使用springboot+spring-security去实现,当然也可以使用shiro,其实道理都差不多,可能看到标题可能会有疑问,为什么会有一个redis呢?这是我学习有关jwt相关知识的时候产生的一些问题,以及自己对这方面问题的一些解决方案,接下来的文章我会详细跟大家讨论一下的,欢迎大家也可以一起讨论一下。(刚开始写博客,写的不好多多包涵)

看完这篇文章之后你可以知道

  1. 如何使用springboot,springSecurity,jwt实现基于token的权限管理
  2. 统一处理无权限请求的结果

JWT

再稍微提一提jwt吧,在前段时间有个小项目是前后端分离的,所以需要用到基于token的权限管理机制,所以就了解到了jwt这一个方案。不过关于这个方案,似乎没有一个如何管理已经生产的token的方法(如果有的话欢迎告知,我还不知道呢。。)一旦生成了一个token,就无法对该token进行任何操作,无法使该token失效,只有等到该token到了过期的时间点才失效,这样就会有一个很大的隐患。然后搜索了挺多相关的资料以及经过相当长一段时间的思考决定使用redis去管理已经生成的token,下面会详细说一下。

整理一下思路

创建一个新工程时,我们需要思考一下我们接下来需要的一些步骤,需要做什么,怎么做。

  • 搭建springboot工程
  • 导入springSecurity跟jwt的依赖
  • 用户的实体类
  • dao层
  • service层(真正开发时再写,这里就直接调用dao层操作数据库)
  • 实现UserDetailsService接口
  • 实现UserDetails接口
  • 验证用户登录信息的拦截器
  • 验证用户权限的拦截器
  • springSecurity配置
  • 认证的Controller以及测试的controller
  • 测试
  • 享受成功的喜悦

创建一个springboot工程

建议使用maven去构建项目。

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>

    

    
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17

实体类User

创建一个演示的实体类User,包含最基本的用户名跟密码,至于role干嘛用后面会提到

@Entity
@Table(name = "jd_user")
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "id")
    private Integer id;

@Column(name = "username")
private String username;

@Column(name = "password")
private String password;

@Column(name = "role")
private String role;

// getter and setter...

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19

JWT工具类

这里jwt我选择的是jjwt,至于为什么,可能是因为我用的比较顺手吧_(:3」∠)_

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.0</version>
</dependency>

 

 
  • 1
  • 2
  • 3
  • 4
  • 5

JwtTokenUtils

jwt工具类,对jjwt封装一下方便调用

public class JwtTokenUtils {

<span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token keyword">final</span> String TOKEN_HEADER <span class="token operator">=</span> <span class="token string">"Authorization"</span><span class="token punctuation">;</span>
<span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token keyword">final</span> String TOKEN_PREFIX <span class="token operator">=</span> <span class="token string">"Bearer "</span><span class="token punctuation">;</span>

<span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> String SECRET <span class="token operator">=</span> <span class="token string">"jwtsecretdemo"</span><span class="token punctuation">;</span>
<span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> String ISS <span class="token operator">=</span> <span class="token string">"echisan"</span><span class="token punctuation">;</span>

<span class="token comment">// 过期时间是3600秒,既是1个小时</span>
<span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">long</span> EXPIRATION <span class="token operator">=</span> <span class="token number">3600</span>L<span class="token punctuation">;</span>

<span class="token comment">// 选择了记住我之后的过期时间为7天</span>
<span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token keyword">final</span> <span class="token keyword">long</span> EXPIRATION_REMEMBER <span class="token operator">=</span> <span class="token number">604800</span>L<span class="token punctuation">;</span>

<span class="token comment">// 创建token</span>
<span class="token keyword">public</span> <span class="token keyword">static</span> String <span class="token function">createToken</span><span class="token punctuation">(</span>String username<span class="token punctuation">,</span> <span class="token keyword">boolean</span> isRememberMe<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">long</span> expiration <span class="token operator">=</span> isRememberMe <span class="token operator">?</span> EXPIRATION_REMEMBER <span class="token operator">:</span> EXPIRATION<span class="token punctuation">;</span>
    <span class="token keyword">return</span> Jwts<span class="token punctuation">.</span><span class="token function">builder</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">signWith</span><span class="token punctuation">(</span>SignatureAlgorithm<span class="token punctuation">.</span>HS512<span class="token punctuation">,</span> SECRET<span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">setIssuer</span><span class="token punctuation">(</span>ISS<span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">setSubject</span><span class="token punctuation">(</span>username<span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">setIssuedAt</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">Date</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">setExpiration</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">Date</span><span class="token punctuation">(</span>System<span class="token punctuation">.</span><span class="token function">currentTimeMillis</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">+</span> expiration <span class="token operator">*</span> <span class="token number">1000</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">compact</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 从token中获取用户名</span>
<span class="token keyword">public</span> <span class="token keyword">static</span> String <span class="token function">getUsername</span><span class="token punctuation">(</span>String token<span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token function">getTokenBody</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">getSubject</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 是否已过期</span>
<span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token keyword">boolean</span> <span class="token function">isExpiration</span><span class="token punctuation">(</span>String token<span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token function">getTokenBody</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">getExpiration</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">before</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">Date</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token keyword">private</span> <span class="token keyword">static</span> Claims <span class="token function">getTokenBody</span><span class="token punctuation">(</span>String token<span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> Jwts<span class="token punctuation">.</span><span class="token function">parser</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">setSigningKey</span><span class="token punctuation">(</span>SECRET<span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">parseClaimsJws</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">getBody</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43

UserRepository

写一个根据用户名获取用户的方法,后续会用到

public interface UserRepository extends CrudRepository<User, Integer> {
    User findByUsername(String username);
}

 

 
  • 1
  • 2
  • 3

UserDetailsServiceImpl

使用springSecurity需要实现UserDetailsService接口供权限框架调用,该方法只需要实现一个方法就可以了,那就是根据用户名去获取用户,那就是上面repository定义的方法了,这里直接调用了。

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

<span class="token annotation punctuation">@Autowired</span>
<span class="token keyword">private</span> UserRepository userRepository<span class="token punctuation">;</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> UserDetails <span class="token function">loadUserByUsername</span><span class="token punctuation">(</span>String s<span class="token punctuation">)</span> <span class="token keyword">throws</span> UsernameNotFoundException <span class="token punctuation">{</span>
    User user <span class="token operator">=</span> userRepository<span class="token punctuation">.</span><span class="token function">findByUsername</span><span class="token punctuation">(</span>s<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">return</span> <span class="token keyword">new</span> <span class="token class-name">JwtUser</span><span class="token punctuation">(</span>user<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

由于接口方法需要返回一个UserDetails类型的接口,所以这边就再写一个类去实现一下这个接口。

JwtUser

实现这个接口需要实现几个方法

public class JwtUser implements UserDetails {

<span class="token keyword">private</span> Integer id<span class="token punctuation">;</span>
<span class="token keyword">private</span> String username<span class="token punctuation">;</span>
<span class="token keyword">private</span> String password<span class="token punctuation">;</span>
<span class="token keyword">private</span> Collection<span class="token operator">&lt;</span><span class="token operator">?</span> <span class="token keyword">extends</span> <span class="token class-name">GrantedAuthority</span><span class="token operator">&gt;</span> authorities<span class="token punctuation">;</span>

<span class="token keyword">public</span> <span class="token function">JwtUser</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token punctuation">}</span>

<span class="token comment">// 写一个能直接使用user创建jwtUser的构造器</span>
<span class="token keyword">public</span> <span class="token function">JwtUser</span><span class="token punctuation">(</span>User user<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    id <span class="token operator">=</span> user<span class="token punctuation">.</span><span class="token function">getId</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    username <span class="token operator">=</span> user<span class="token punctuation">.</span><span class="token function">getUsername</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    password <span class="token operator">=</span> user<span class="token punctuation">.</span><span class="token function">getPassword</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    authorities <span class="token operator">=</span> Collections<span class="token punctuation">.</span><span class="token function">singleton</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">SimpleGrantedAuthority</span><span class="token punctuation">(</span>user<span class="token punctuation">.</span><span class="token function">getRole</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 获取权限信息,目前博主只会拿来存角色。。</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> Collection<span class="token operator">&lt;</span><span class="token operator">?</span> <span class="token keyword">extends</span> <span class="token class-name">GrantedAuthority</span><span class="token operator">&gt;</span> <span class="token function">getAuthorities</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> authorities<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> String <span class="token function">getPassword</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> password<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> String <span class="token function">getUsername</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> username<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 账号是否未过期,默认是false,记得要改一下</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">boolean</span> <span class="token function">isAccountNonExpired</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token boolean">true</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 账号是否未锁定,默认是false,记得也要改一下</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">boolean</span> <span class="token function">isAccountNonLocked</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token boolean">true</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 账号凭证是否未过期,默认是false,记得还要改一下</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">boolean</span> <span class="token function">isCredentialsNonExpired</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token boolean">true</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 这个有点抽象不会翻译,默认也是false,记得改一下</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">boolean</span> <span class="token function">isEnabled</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token boolean">true</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 我自己重写打印下信息看的</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> String <span class="token function">toString</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token string">"JwtUser{"</span> <span class="token operator">+</span>
            <span class="token string">"id="</span> <span class="token operator">+</span> id <span class="token operator">+</span>
            <span class="token string">", username='"</span> <span class="token operator">+</span> username <span class="token operator">+</span> <span class="token string">'\''</span> <span class="token operator">+</span>
            <span class="token string">", password='"</span> <span class="token operator">+</span> password <span class="token operator">+</span> <span class="token string">'\''</span> <span class="token operator">+</span>
            <span class="token string">", authorities="</span> <span class="token operator">+</span> authorities <span class="token operator">+</span>
            <span class="token string">'}'</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70

配置拦截器

可以说到目前为止这是最复杂的一个步骤,其实搞清楚了还是挺简单的,网上挺多人都更倾向于使用shiro,但是偶尔也要尝试一下新东西的嘛,但是当时我在摸索的时候遇到挺多坑,当时也已经到了思考人生的地步了 框架不是为了简化开发吗!为什么!明明jwt加上权限框架是双倍的快乐!为什么会这样!(╯°口°)╯(┴—┴

回到正题,到底要怎么配置呢?使用过shiro的人会知道,鉴权的话需要自己实现一个realm,重写两个方法,第一是用户验证,第二是鉴权。在spring-security中也不例外,这边需要实现两个过滤器。使用JWTAuthenticationFilter去进行用户账号的验证,使用JWTAuthorizationFilter去进行用户权限的验证。

JWTAuthenticationFilter

JWTAuthenticationFilter继承于UsernamePasswordAuthenticationFilter
该拦截器用于获取用户登录的信息,只需创建一个token并调用authenticationManager.authenticate()让spring-security去进行验证就可以了,不用自己查数据库再对比密码了,这一步交给spring去操作。
这个操作有点像是shiro的subject.login(new UsernamePasswordToken()),验证的事情交给框架。
献上这一部分的代码。

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

<span class="token keyword">private</span> AuthenticationManager authenticationManager<span class="token punctuation">;</span>

<span class="token keyword">public</span> <span class="token function">JWTAuthenticationFilter</span><span class="token punctuation">(</span>AuthenticationManager authenticationManager<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">this</span><span class="token punctuation">.</span>authenticationManager <span class="token operator">=</span> authenticationManager<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> Authentication <span class="token function">attemptAuthentication</span><span class="token punctuation">(</span>HttpServletRequest request<span class="token punctuation">,</span>
                                            HttpServletResponse response<span class="token punctuation">)</span> <span class="token keyword">throws</span> AuthenticationException <span class="token punctuation">{</span>

    <span class="token comment">// 从输入流中获取到登录的信息</span>
    <span class="token keyword">try</span> <span class="token punctuation">{</span>
        LoginUser loginUser <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">ObjectMapper</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">readValue</span><span class="token punctuation">(</span>request<span class="token punctuation">.</span><span class="token function">getInputStream</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> LoginUser<span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token keyword">return</span> authenticationManager<span class="token punctuation">.</span><span class="token function">authenticate</span><span class="token punctuation">(</span>
                <span class="token keyword">new</span> <span class="token class-name">UsernamePasswordAuthenticationToken</span><span class="token punctuation">(</span>loginUser<span class="token punctuation">.</span><span class="token function">getUsername</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> loginUser<span class="token punctuation">.</span><span class="token function">getPassword</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token keyword">new</span> <span class="token class-name">ArrayList</span><span class="token operator">&lt;</span><span class="token operator">&gt;</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
        <span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span><span class="token class-name">IOException</span> e<span class="token punctuation">)</span> <span class="token punctuation">{</span>
        e<span class="token punctuation">.</span><span class="token function">printStackTrace</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token keyword">return</span> null<span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

<span class="token comment">// 成功验证后调用的方法</span>
<span class="token comment">// 如果验证成功,就生成token并返回</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">successfulAuthentication</span><span class="token punctuation">(</span>HttpServletRequest request<span class="token punctuation">,</span>
                                        HttpServletResponse response<span class="token punctuation">,</span>
                                        FilterChain chain<span class="token punctuation">,</span>
                                        Authentication authResult<span class="token punctuation">)</span> <span class="token keyword">throws</span> IOException<span class="token punctuation">,</span> ServletException <span class="token punctuation">{</span>

	<span class="token comment">// 查看源代码会发现调用getPrincipal()方法会返回一个实现了`UserDetails`接口的对象</span>
	<span class="token comment">// 所以就是JwtUser啦</span>
    JwtUser jwtUser <span class="token operator">=</span> <span class="token punctuation">(</span>JwtUser<span class="token punctuation">)</span> authResult<span class="token punctuation">.</span><span class="token function">getPrincipal</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    System<span class="token punctuation">.</span>out<span class="token punctuation">.</span><span class="token function">println</span><span class="token punctuation">(</span><span class="token string">"jwtUser:"</span> <span class="token operator">+</span> jwtUser<span class="token punctuation">.</span><span class="token function">toString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    String token <span class="token operator">=</span> JwtTokenUtils<span class="token punctuation">.</span><span class="token function">createToken</span><span class="token punctuation">(</span>jwtUser<span class="token punctuation">.</span><span class="token function">getUsername</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token boolean">false</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">// 返回创建成功的token</span>
    <span class="token comment">// 但是这里创建的token只是单纯的token</span>
    <span class="token comment">// 按照jwt的规定,最后请求的格式应该是 `Bearer token`</span>
    response<span class="token punctuation">.</span><span class="token function">setHeader</span><span class="token punctuation">(</span><span class="token string">"token"</span><span class="token punctuation">,</span> JwtTokenUtils<span class="token punctuation">.</span>TOKEN_PREFIX <span class="token operator">+</span> token<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 这是验证失败时候调用的方法</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">unsuccessfulAuthentication</span><span class="token punctuation">(</span>HttpServletRequest request<span class="token punctuation">,</span> HttpServletResponse response<span class="token punctuation">,</span> AuthenticationException failed<span class="token punctuation">)</span> <span class="token keyword">throws</span> IOException<span class="token punctuation">,</span> ServletException <span class="token punctuation">{</span>
    response<span class="token punctuation">.</span><span class="token function">getWriter</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span><span class="token string">"authentication failed, reason: "</span> <span class="token operator">+</span> failed<span class="token punctuation">.</span><span class="token function">getMessage</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49

JWTAuthorizationFilter

验证成功当然就是进行鉴权了,每一次需要权限的请求都需要检查该用户是否有该权限去操作该资源,当然这也是框架帮我们做的,那么我们需要做什么呢?很简单,只要告诉spring-security该用户是否已登录,是什么角色,拥有什么权限就可以了。
JWTAuthenticationFilter继承于BasicAuthenticationFilter,至于为什么要继承这个我也不太清楚了,这个我也是网上看到的其中一种实现,实在springSecurity苦手,不过我觉得不继承这个也没事呢(实现以下filter接口或者继承其他filter实现子类也可以吧)只要确保过滤器的顺序,JWTAuthorizationFilterJWTAuthenticationFilter后面就没问题了。

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

<span class="token keyword">public</span> <span class="token function">JWTAuthorizationFilter</span><span class="token punctuation">(</span>AuthenticationManager authenticationManager<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">super</span><span class="token punctuation">(</span>authenticationManager<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">doFilterInternal</span><span class="token punctuation">(</span>HttpServletRequest request<span class="token punctuation">,</span>
                                HttpServletResponse response<span class="token punctuation">,</span>
                                FilterChain chain<span class="token punctuation">)</span> <span class="token keyword">throws</span> IOException<span class="token punctuation">,</span> ServletException <span class="token punctuation">{</span>

    String tokenHeader <span class="token operator">=</span> request<span class="token punctuation">.</span><span class="token function">getHeader</span><span class="token punctuation">(</span>JwtTokenUtils<span class="token punctuation">.</span>TOKEN_HEADER<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">// 如果请求头中没有Authorization信息则直接放行了</span>
    <span class="token keyword">if</span> <span class="token punctuation">(</span>tokenHeader <span class="token operator">==</span> null <span class="token operator">||</span> <span class="token operator">!</span>tokenHeader<span class="token punctuation">.</span><span class="token function">startsWith</span><span class="token punctuation">(</span>JwtTokenUtils<span class="token punctuation">.</span>TOKEN_PREFIX<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
        chain<span class="token punctuation">.</span><span class="token function">doFilter</span><span class="token punctuation">(</span>request<span class="token punctuation">,</span> response<span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token keyword">return</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
    <span class="token comment">// 如果请求头中有token,则进行解析,并且设置认证信息</span>
    SecurityContextHolder<span class="token punctuation">.</span><span class="token function">getContext</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">setAuthentication</span><span class="token punctuation">(</span><span class="token function">getAuthentication</span><span class="token punctuation">(</span>tokenHeader<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">super</span><span class="token punctuation">.</span><span class="token function">doFilterInternal</span><span class="token punctuation">(</span>request<span class="token punctuation">,</span> response<span class="token punctuation">,</span> chain<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token comment">// 这里从token中获取用户信息并新建一个token</span>
<span class="token keyword">private</span> UsernamePasswordAuthenticationToken <span class="token function">getAuthentication</span><span class="token punctuation">(</span>String tokenHeader<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    String token <span class="token operator">=</span> tokenHeader<span class="token punctuation">.</span><span class="token function">replace</span><span class="token punctuation">(</span>JwtTokenUtils<span class="token punctuation">.</span>TOKEN_PREFIX<span class="token punctuation">,</span> <span class="token string">""</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    String username <span class="token operator">=</span> JwtTokenUtils<span class="token punctuation">.</span><span class="token function">getUsername</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">if</span> <span class="token punctuation">(</span>username <span class="token operator">!=</span> null<span class="token punctuation">)</span><span class="token punctuation">{</span>
        <span class="token keyword">return</span> <span class="token keyword">new</span> <span class="token class-name">UsernamePasswordAuthenticationToken</span><span class="token punctuation">(</span>username<span class="token punctuation">,</span> null<span class="token punctuation">,</span> <span class="token keyword">new</span> <span class="token class-name">ArrayList</span><span class="token operator">&lt;</span><span class="token operator">&gt;</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
    <span class="token keyword">return</span> null<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32

配置SpringSecurity

到这里基本操作都写好啦,现在就需要我们将这些辛苦写好的“组件”组合到一起发挥作用了,那就需要配置了。需要开启一下注解@EnableWebSecurity然后再继承一下WebSecurityConfigurerAdapter就可以啦,springboot就是可以为所欲为~

@EnableWebSecurity
// 至于为什么要配置这个,嘿嘿,卖个关子
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

<span class="token annotation punctuation">@Autowired</span>
<span class="token comment">// 因为UserDetailsService的实现类实在太多啦,这里设置一下我们要注入的实现类</span>
<span class="token annotation punctuation">@Qualifier</span><span class="token punctuation">(</span><span class="token string">"userDetailsServiceImpl"</span><span class="token punctuation">)</span>
<span class="token keyword">private</span> UserDetailsService userDetailsService<span class="token punctuation">;</span>

<span class="token comment">// 加密密码的,安全第一嘛~</span>
<span class="token annotation punctuation">@Bean</span>
<span class="token keyword">public</span> BCryptPasswordEncoder <span class="token function">bCryptPasswordEncoder</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token keyword">new</span> <span class="token class-name">BCryptPasswordEncoder</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">configure</span><span class="token punctuation">(</span>AuthenticationManagerBuilder auth<span class="token punctuation">)</span> <span class="token keyword">throws</span> Exception <span class="token punctuation">{</span>
    auth<span class="token punctuation">.</span><span class="token function">userDetailsService</span><span class="token punctuation">(</span>userDetailsService<span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">passwordEncoder</span><span class="token punctuation">(</span><span class="token function">bCryptPasswordEncoder</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Override</span>
<span class="token keyword">protected</span> <span class="token keyword">void</span> <span class="token function">configure</span><span class="token punctuation">(</span>HttpSecurity http<span class="token punctuation">)</span> <span class="token keyword">throws</span> Exception <span class="token punctuation">{</span>
    http<span class="token punctuation">.</span><span class="token function">cors</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">and</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">csrf</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">disable</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">authorizeRequests</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token comment">// 测试用资源,需要验证了的用户才能访问</span>
            <span class="token punctuation">.</span><span class="token function">antMatchers</span><span class="token punctuation">(</span><span class="token string">"/tasks/**"</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">authenticated</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token comment">// 其他都放行了</span>
            <span class="token punctuation">.</span><span class="token function">anyRequest</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">permitAll</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">and</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">addFilter</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">JWTAuthenticationFilter</span><span class="token punctuation">(</span><span class="token function">authenticationManager</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
            <span class="token punctuation">.</span><span class="token function">addFilter</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">JWTAuthorizationFilter</span><span class="token punctuation">(</span><span class="token function">authenticationManager</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
            <span class="token operator">/</span><span class="token operator">/</span> 不需要session
            <span class="token punctuation">.</span><span class="token function">sessionManagement</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">sessionCreationPolicy</span><span class="token punctuation">(</span>SessionCreationPolicy<span class="token punctuation">.</span>STATELESS<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@Bean</span>
CorsConfigurationSource <span class="token function">corsConfigurationSource</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">final</span> UrlBasedCorsConfigurationSource source <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">UrlBasedCorsConfigurationSource</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    source<span class="token punctuation">.</span><span class="token function">registerCorsConfiguration</span><span class="token punctuation">(</span><span class="token string">"/**"</span><span class="token punctuation">,</span> <span class="token keyword">new</span> <span class="token class-name">CorsConfiguration</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">applyPermitDefaultValues</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">return</span> source<span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43

AuthController

连配置都搞定了,那么问题来了,没有账号密码呢。所以写一个注册的控制器,这个就不是难事啦

@RestController
@RequestMapping("/auth")
public class AuthController {

<span class="token comment">// 为了减少篇幅就不写service接口了</span>
<span class="token annotation punctuation">@Autowired</span>
<span class="token keyword">private</span> UserRepository userRepository<span class="token punctuation">;</span>

<span class="token annotation punctuation">@Autowired</span>
<span class="token keyword">private</span> BCryptPasswordEncoder bCryptPasswordEncoder<span class="token punctuation">;</span>

<span class="token annotation punctuation">@PostMapping</span><span class="token punctuation">(</span><span class="token string">"/register"</span><span class="token punctuation">)</span>
<span class="token keyword">public</span> String <span class="token function">registerUser</span><span class="token punctuation">(</span><span class="token annotation punctuation">@RequestBody</span> Map<span class="token generics function"><span class="token punctuation">&lt;</span>String<span class="token punctuation">,</span>String<span class="token punctuation">&gt;</span></span> registerUser<span class="token punctuation">)</span><span class="token punctuation">{</span>
    User user <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">User</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    user<span class="token punctuation">.</span><span class="token function">setUsername</span><span class="token punctuation">(</span>registerUser<span class="token punctuation">.</span><span class="token function">get</span><span class="token punctuation">(</span><span class="token string">"username"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">// 记得注册的时候把密码加密一下</span>
    user<span class="token punctuation">.</span><span class="token function">setPassword</span><span class="token punctuation">(</span>bCryptPasswordEncoder<span class="token punctuation">.</span><span class="token function">encode</span><span class="token punctuation">(</span>registerUser<span class="token punctuation">.</span><span class="token function">get</span><span class="token punctuation">(</span><span class="token string">"password"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    user<span class="token punctuation">.</span><span class="token function">setRole</span><span class="token punctuation">(</span><span class="token string">"ROLE_USER"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    User save <span class="token operator">=</span> userRepository<span class="token punctuation">.</span><span class="token function">save</span><span class="token punctuation">(</span>user<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">return</span> save<span class="token punctuation">.</span><span class="token function">toString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22

等等!注册是有了,那登录在哪呢?我们看一下UsernamePasswordAuthenticationFilter的源代码

	public UsernamePasswordAuthenticationFilter() {
		super(new AntPathRequestMatcher("/login", "POST"));
	}

 

 
  • 1
  • 2
  • 3

可以看出来默认是/login,所以登录直接使用这个路径就可以啦~当然也可以自定义
只需要在JWTAuthenticationFilter的构造方法中加入下面那一句话就可以啦

 public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
        super.setFilterProcessesUrl("/auth/login");
    }

 

 
  • 1
  • 2
  • 3
  • 4

所以现在认证的路径统一了一下也是挺好的~看起来相当舒服了
注册:/auth/register
登录:/auth/login

TaskController

当然注册登录都完成了,那就是写一个测试控制器,一个需要权限的控制器去测试了,为了控制一下文章篇幅,写了一个比较简单的控制器作为演示

@RestController
@RequestMapping("/tasks")
public class TaskController {

<span class="token annotation punctuation">@GetMapping</span>
<span class="token keyword">public</span> String <span class="token function">listTasks</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token string">"任务列表"</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@PostMapping</span>
<span class="token keyword">public</span> String <span class="token function">newTasks</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token string">"创建了一个新的任务"</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@PutMapping</span><span class="token punctuation">(</span><span class="token string">"/{taskId}"</span><span class="token punctuation">)</span>
<span class="token keyword">public</span> String <span class="token function">updateTasks</span><span class="token punctuation">(</span><span class="token annotation punctuation">@PathVariable</span><span class="token punctuation">(</span><span class="token string">"taskId"</span><span class="token punctuation">)</span>Integer id<span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token string">"更新了一下id为:"</span><span class="token operator">+</span>id<span class="token operator">+</span><span class="token string">"的任务"</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token annotation punctuation">@DeleteMapping</span><span class="token punctuation">(</span><span class="token string">"/{taskId}"</span><span class="token punctuation">)</span>
<span class="token keyword">public</span> String <span class="token function">deleteTasks</span><span class="token punctuation">(</span><span class="token annotation punctuation">@PathVariable</span><span class="token punctuation">(</span><span class="token string">"taskId"</span><span class="token punctuation">)</span>Integer id<span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">return</span> <span class="token string">"删除了id为:"</span><span class="token operator">+</span>id<span class="token operator">+</span><span class="token string">"的任务"</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24

测试

到这里基本操作都做好了,可以去测试一下了,这里使用的是postman比较直观明了了。下面先注册一下账号,这里返回了插入了数据库之后的用户实体,所以注册是成功了

注册
注册成功

接下来先测试一下先不登录访问一下我们的tasks,这里理所当然403无权限访问了
未登录403

然后终于能登录了,接下来尝试一下登录之后再次访问tasks看看是什么结果
登录
发送了登录请求之后查看响应头,能看到我们生成后的token,那就是登录成功了
登录成功
接下来只需要把该响应头添加到我们的请求头上去,这里需要把Bearer[空格]去掉,注意Bearer后的空格也要去掉,因为postman再选了BearerToken之后会自动在token前面再加一个Bearer
设置请求头
再次访问一下tasks,结果理想当然的是成功啦~
成功请求

初期总结

到这里我们一个基础的Springboot+SpringSecurity+Jwt已经搭建好了。
到这里一个基本的jwt已经实现了,但是总觉得哪里不对呢,写了这么多才只是登录成功了?权限管理呢?token管理呢?
确实,看一下上面的代码。在实现UserDetails接口的时候写了一些奇怪的东西,就是这个getAuthorities方法啦。
这是springSecurity用来获取用户权限的方法。
在User类中写得role在这里就能排上用场了,这里将要实现的权限管理是基于角色的权限管理,再细颗粒的博主就不会啦哈哈哈,但还是可以看一看的。

    // 写一个能直接使用user创建jwtUser的构造器
    public JwtUser(User user) {
        id = user.getId();
        username = user.getUsername();
        password = user.getPassword();
        // 这里只存储了一个角色的名字
        authorities = Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
    }

// 获取权限信息
@Override
public Collection&lt;? extends GrantedAuthority&gt; getAuthorities() {
    return authorities;
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14

在springSecurity里建议角色名称改成ROLE_统一前缀的角色,例如ROLE_USER,ROLE_ADMIN,ROLE_XXX,至于为什么,后面会提到的,先不急,这里先这样干着。

基于角色的权限管理

到底怎么基于角色的权限管理呢,这个只需要告诉权限框架该用户拥有什么角色就可以了。但是吧要怎么告诉框架我什么角色呢。我们理一下如何实现基于角色的权限管理的思路

  1. 用户验证成功,根据用户名以及过期时间生成token
  2. 权限验证,假如能从token中获取用户名就该token验证成功
  3. 创建一个UsernamePasswordAuthenticationToken该token包含用户的角色信息,而不是一个空的ArrayList,查看一下源代码是有以下一个构造方法的。
	public UsernamePasswordAuthenticationToken(Object principal, Object credentials,
			Collection<? extends GrantedAuthority> authorities) {
		super(authorities);
		this.principal = principal;
		this.credentials = credentials;
		super.setAuthenticated(true); // must use super, as we override
	}

 

 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

好了,接下来要怎么办呢,可以往上滚动一下,再看一眼JWTAuthorizationFilter中鉴权的逻辑

  1. 检查请求头中是否存在Authorization,如果没有直接放,如果有就对token进行解析
  2. 解析token,检查是否能从token中取出username,如果有就算成功了
  3. 再根据该username创建一个UsernamePasswordAuthenticationToken对象就算成功了

可这发现根本就不关role什么事啊 沉思

	User user = userRepository.findByUsername("username");
	String role = user.getRole();

 

 
  • 1
  • 2

这里写图片描述 这还不简单!这不就完事了嘛!

可这不现实啊,每一次请求都要查询一下数据库这种开销这么大的操作当然是不行的。
思考一下,为什么是使用jwt而不是一个简简单单的UUID作为token呢。
jwt是由三部分组成的:

  1. 第一部分我们称它为头部(header)
  2. 第二部分我们称其为载荷(payload)
  3. 第三部分是签证(signature)

我们这里准备使用它的第二部分,使用payload去存储我们的用户角色信息,由于第一第二部分都是公开的,任何人都能知道里面的信息,不建议存储一些比较敏感的数据,但是存放角色信息还是没有问题的。

改造一下JwtTokenUtils

    // 添加角色的key
    private static final String ROLE_CLAIMS = "rol";

// 修改一下创建token的方法
public static String createToken(String username, String role, boolean isRememberMe) {
    long expiration = isRememberMe ? EXPIRATION_REMEMBER : EXPIRATION;
    HashMap&lt;String, Object&gt; map = new HashMap&lt;&gt;();
    map.put(ROLE_CLAIMS, role);
    return Jwts.builder()
            .signWith(SignatureAlgorithm.HS512, SECRET)
            // 这里要早set一点,放到后面会覆盖别的字段
            .setClaims(map)
            .setIssuer(ISS)
            .setSubject(username)
            .setIssuedAt(new Date())
            .setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
            .compact();
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19

修改JWTAuthenticationFilter

    JwtUser jwtUser = (JwtUser) authResult.getPrincipal();
    boolean isRemember = rememberMe.get() == 1;

String role = "";
// 因为在JwtUser中存了权限信息,可以直接获取,由于只有一个角色就这么干了
Collection&lt;? extends GrantedAuthority&gt; authorities = jwtUser.getAuthorities();
for (GrantedAuthority authority : authorities){
    role = authority.getAuthority();
}
// 根据用户名,角色创建token
String token = JwtTokenUtils.createToken(jwtUser.getUsername(), role, isRemember);
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

修改JWTAuthorizationFilter

    // 这里从token中获取用户信息并新建一个token
    private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader) {
        String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, "");
        String username = JwtTokenUtils.getUsername(token);
        String role = JwtTokenUtils.getUserRole(token);
        if (username != null){
            return new UsernamePasswordAuthenticationToken(username, null, 
                    Collections.singleton(new SimpleGrantedAuthority(role))
            );
        }
        return null;
    }

 

 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

到这里基本上修改已经完成了,接下来就可以测试一下了,再配置一下springSecurity

    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .authorizeRequests()
                // 测试用资源,需要验证了的用户才能访问
                .antMatchers("/tasks/**").authenticated()
                // 需要角色为ADMIN才能删除该资源
                .antMatchers(HttpMethod.DELETE, "/tasks/**").hasAuthority("ROLE_ADMIN")
                // 其他都放行了
                .anyRequest().permitAll()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                // 不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

 

 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15

由于更新了token的生成方式,所以需要重新登录一下获取新的token

接下来可以测试了,继续使用postman对tasks资源进行删除,显然不行。
测试删除tasks
试试看获取该资源会怎么样,获取tasks资源是没有问题的。
测试获取tasks

接下来重头戏来了
先在数据库里手动将admin的角色改成ROLE_ADMIN 修改完之后再登录一下获取新的token,再去尝试一下删除tasks资源
啪啪啪 成功啦~
删除成功

到这里位置,基于角色的权限管理基本操作都做了一遍了,现在来解答一下上面挖的一些坑

  1. 为什么要以ROLE_作为前缀
  2. springSecurity中配置的注解@EnableGlobalMethodSecurity(prePostEnabled = true)是干嘛用的

第一个问题:
我们在springSecurity中配置了这样一句,意思是只有角色为ROLE_ADMIN才有权限删除该资源
.antMatchers(HttpMethod.DELETE, "/tasks/**").hasAuthority("ROLE_ADMIN")
假如我们使用了ROLE_作为前缀就能这样写了~是不是很方便呢哈哈
.antMatchers(HttpMethod.DELETE, "/tasks/**").hasRole("ADMIN")

第二个问题:
除了在springSecurity中配置访问权限,还有这种方式啦,也是十分的方便呢。但是如果要使用这用的方式就需要配置上那个注解啦,不然虽然写了下面的注解但是是不会生效的。

    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")
    public String newTasks(){
        return "创建了一个新的任务";
    }

 

 
  • 1
  • 2
  • 3
  • 4
  • 5

统一结果处理

当然会有一些需求是要统一处理被403响应的事件,很简单,只要新建一个类JWTAuthenticationEntryPoint实现一下接口AuthenticationEntryPoint就可以了

public class JWTAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {

    response.setCharacterEncoding("UTF-8");
    response.setContentType("application/json; charset=utf-8");
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    String reason = "统一处理,原因:"+authException.getMessage();
    response.getWriter().write(new ObjectMapper().writeValueAsString(reason));
}

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

再配置一下springSecurity

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .authorizeRequests()
                // 测试用资源,需要验证了的用户才能访问
                .antMatchers("/tasks/**").authenticated()
                .antMatchers(HttpMethod.DELETE, "/tasks/**").hasRole("ADMIN")
                // 其他都放行了
                .anyRequest().permitAll()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                // 不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // 加一句这个
                .exceptionHandling().authenticationEntryPoint(new JWTAuthenticationEntryPoint());
    }

 

 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18

这是统一处理后的结果
这里写图片描述

享受成功的喜悦

到这里一个较为完善的权限管理已经实现啦,如果哪里有不足或者出现错误可以告诉一下我,或者可以到GitHub上提个issue一起讨论下。

代码地址

Github: springboot-jwt-demo
代码里也有挺多的注释,可以看一看,如果觉得这篇文章帮助到你了可以到github点个小星星鼓励一下博主~

结语

至于为什么没有redis,没有token管理,因为在我写这篇文章的时候想了很多,感觉我现在的解决方案也不是特别好,如果想知道的话可以到GitHub上找我,一起讨论下。

                                </div>
            <link href="https://csdnimg.cn/release/phoenix/mdeditor/markdown_views-e44c3c0e64.css" rel="stylesheet">
                </div>
</article>
IT精英999
关注
SpringBoot+SpringSecurity+JWT+Redis实现认证授权 整体思路: 基于汇客CRM项目
isiywang的博客
08-01 1414
前端提交用户名和密码到后端接口方法中,被springsecurity拦截,需要进行用户认证,首先将用户名和密码通过AuthenticationManager接口中的authenticate方法封装成一个Authentication对象但是Authentication是一个接口,要用Authentication的实现类UsernamePasswordAuthenticationToken传入用户名和密码参数封装成Authentication对象。............
基于Spring Boot 3 + Spring Security6 + JWT + Redis实现登录、token身份认证
ekskef_sef的博客
01-24 851
基于Spring Boot3实现Spring Security6 + JWT + Redis实现登录、token身份认证。系列文章指路??项目源码??
springboot整合springsecurityjwtredis实现权限控制
weixin_41207479的博客
06-28 1229
1、 添加相关依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId
Spring Boot 和 Spring Security 实现 JWT 认证
最新发布
weixin_43833540的博客
06-16 1923
Spring Security 中,UsernamePasswordAuthenticationToken 的 authorities 参数用于注入当前用户的​​权限集合​​(Collection<?JWT 是一种开放标准(RFC 7519),用于在网络应用间安全传递 JSON 格式的声明信息。JWT 在微服务、跨域单点登录(SSO)场景中优势显著。JWT 由三部分组成,以点号。
SpringSecurity+jwt+Redis实现权限控制
loveandstory的博客
05-27 2762
认证流程 ![2022-05-01_20_32.png](https://img-blog.csdnimg.cn/img_convert/e26754ff622934f41b1c0388a8121997.png#clientId=u053830b8-c837-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=546&id=u38baedfc&margin=[object Object]&na
Spring Security+jwt+redis+自定义认证逻辑 权限控制
Tian208的博客
02-23 1301
Spring Security+jwt+redis+自定义认证逻辑 权限控制
springboot整合springsecurity+jwt+redis
klz
05-02 8129
依赖 <!-- springsecurity依赖--> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> ...
springboot+jwt+spring-security.rar
05-20
在本项目中,我们主要探讨的是如何在Spring Boot框架下集成JWT(JSON Web Tokens)以及Spring Security,同时利用Redis作为存储来实现API的鉴权功能。这是一个完整的安全认证解决方案,适用于构建RESTful API服务。 ...
Spring Boot+Spring Security + JWT + Redis实现登录验证
qq_41158525的博客
07-15 2617
springboot版本:2.4.3 创建项目啥的我就不说了,大家都看这个了,相信创建项目都轻而易举了,直接进入正题; 1:添加JWTSpring Security依赖,多添加一个validation校验和lombok <!-- JWT --> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> &
ShiroJwtAPI SpringBoot + Shiro + Java-Jwt + Redis(Jedis)
02-04
ShiroJwt 前端地址: : 疑问查看 项目相关 JavaDoc: : ...RESTful API Maven集成Mybatis Generator(逆向工程) Shiro + Java-JWT实现无状态鉴权机制(令牌) 密码加密(采用AES-128 + Base6
【基于Spring Security +Jwt+验证码+Redis实现认证+授权操作(内附详细项目地址)】
qq_42529846的博客
04-25 3613
文章目录前言一、SpringSecurity是什么?二、系统流程三、具体实现1.项目准备工作2.生成验证码3.更改SpringSecurity的用户数据源4.登录接口实现5.Token过滤器6.权限校验7.系统的完善8 项目地址总结 前言 考虑到导师的项目后续需要进行权限+授权管理,所以抽空去b站上学习了一下Spring Security。在学习的基础上根据自己的理解写了这个小项目,希望能给需要的人一些启示和后期自己复习使用。 一、SpringSecurity是什么? SpringSecurity作为Sp
spring security+jwt 实现 restful api格式.
09-20
本案例采用jpa 持久化,/auth/login 获取token登入信息,把token 前添加Bearer 注意Bearer 后有个空格,放到headers 请求中.可访问其他信息
jwt + spring security 登陆验证和权限管理
04-19
一个Spring Security+JWT认证和授权的demo,此demo为Spring安全性与OAuth(1a)和OAuth2结合使用提供了支持。它提供了在Spring安全编程模型和配置下实现分布式无状态授权。
spring security + jwt + redis 实现认证 授权 动态权限
weixin_43879445的博客
04-11 2249
spring security + jwt + redis 实现认证 授权 动态权限 spring security的认证原理请看:https://blog.youkuaiyun.com/weixin_43879445/article/details/124093893 我们先看看授权的流程图: 根据特定的业务需求,security使用的功能有所不同。 我这里的主体架构是spring cloud alibaba:2.1.0 、spring cloud:hoxton.SR1 因为是微服务所以写了一个common的工具
springSecurity+JWT+Redis权限认证(完整项目代码)
gorylee的博客
12-10 3719
springboot+springsecurity+JWT+redis
SpringSecurity+JWT+Redis实现前后端分离认证与授权
weixin_52536274的博客
11-03 667
我们还要定义一个过滤器去进行JWT的验证,把自定义过滤器的优先级放到SpringSecurity的认证过滤前。正常用户执行登录操作后系统会把用户的id封装为jwt传递给前端,前端每次发起请求都会在请求头中携带jwt。我们对携带的jwt进行解析:第一种情况,如果解析失败,说明本次请求可能是注册、登录请求或用户未经过登录认证。直接放行到SpringSecurity的认证过滤器。解析成功就从Redis中取出该用户的认证信息并存入SecurityContextHolder上下文中以便后续过滤器的使用。
【实战运用】SpringSecurity+Redis+Jwt实现用户认证授权
k123456kah的博客
01-19 2940
Spring Security是一个强大且灵活的身份验证和访问控制框架,用于Java应用程序。它是基于Spring框架的一个子项目,旨在为应用程序提供安全性。Spring Security致力于为Java应用程序提供认证和授权功能。开发者可以轻松地为应用程序添加强大的安全性,以满足各种复杂的安全需求。
Springboot最全权限集成Redis-前后端分离-springsecurity-jwt-Token
qq_67801847的博客
09-09 901
为了方便Spring Boot项目的安全管理Spring Boot对Spring Security安全框架进行了整合支持,并提 供了通用的自动化配置,从而实现Spring Security安全框架中包含的多数安全管理功能。用于完成用户信息的查 询,其中username就是登录时的登录名称,登录认证时,需要自定义一个实现实现UserDetailService接 口,完成数据库查询,该接口返回UserDetail。6. 创建认证过的用户访问无权限资源时的处理器,无权限访问时,需要提示JSON。
SpringSecurity+JWT+Redis进行用户鉴权和接口权限的控制
weixin_52938172的博客
02-27 1183
SpringSecurity框架就会对账号密码进行一系列的过滤器进行验证和授权等,其中最重要的两个过滤器就是UsernamePasswordAuthenticationFilter负责登录验证,FilterSecurityInterceptor负责权限授权。
SpringBoot+Shiro+Redis+JWT 实现Restful用户权限认证
资源摘要信息:"Spring Boot + Shiro + Redis + JWT 基于 Restful 接口用户权限认证项目是一套完整的用户认证和权限管理系统。该系统结合了多种技术栈,包括Spring Boot框架、Apache Shiro权限框架、Redis缓存数据库...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值