2021最新Spring Security知識梳理

一、SpringSecurity 框架簡介

Spring 是非常流行和成功的 Java 應用開發框架，Spring Security 正是 Spring 家族中的成員。Spring Security 基于 Spring 框架，提供了一套 Web 應用安全性的完整解決方案。 正如你可能知道的關于安全方面的兩個主要區域是“認證”和“授權”（或者訪問控制），一般來說，Web 應用的安全性包括用戶認證（Authentication）和用戶授權（Authorization）兩個部分，這兩點也是 Spring Security 重要核心功能。

1、用戶認證指的是：驗證某個用戶是否為系統中的合法主體，也就是說用戶能否訪問該系統。用戶認證一般要求用戶提供用戶名和密碼。系統通過校驗用戶名和密碼來完成認證過程。通俗點說就是系統認為用戶是否能登錄。

2、用戶授權指的是驗證某個用戶是否有權限執行某個操作。在一個系統中，不同用戶所具有的權限是不同的。比如對一個文件來說，有的用戶只能進行讀取，而有的用戶可以進行修改。一般來說，系統會為不同的用戶分配不同的角色，而每個角色則對應一系列的權限。通俗點講就是系統判斷用戶是否有權限去做某些事情。

整理了spring全家桶學習筆記，spring家族成員的學習資料都系統整理好了，需要的話可以直接點擊領取

二、SpringSecurity與shiro

1、SpringSecurity特點

（1）和 Spring 無縫整合。

（2）全面的權限控制。

（3）專門為 Web 開發而設計。

• 舊版本不能脫離 Web 環境使用。
• 新版本對整個框架進行了分層抽取，分成了核心模塊和 Web 模塊。單獨
• 引入核心模塊就可以脫離 Web 環境。
• 重量級

2、shiro特點

Apache 旗下的輕量級權限控制框架。

（1）輕量級

Shiro 主張的理念是把復雜的事情變簡單。針對對性能有更高要求的互聯網應用有更好表現。

（2）通用性

好處：不局限于 Web 環境，可以脫離 Web 環境使用。

缺陷：在 Web 環境下一些特定的需求需要手動編寫代碼定制。

3、SpringSecurity與shiro總結

相對于 Shiro，在 SSM 中整合 Spring Security 都是比較麻煩的操作，所以，SpringSecurity 雖然功能比 Shiro 強大，但是使用反而沒有 Shiro 多（Shiro 雖然功能沒有Spring Security 多，但是對于大部分項目而言，Shiro 也夠用了）。自從有了 Spring Boot 之后，Spring Boot 對于 Spring Security 提供了自動化配置方案，可以使用更少的配置來使用 Spring Security。因此，一般來說，常見的安全管理技術棧的組合是這樣的：

（1）SSM + Shiro

（2）Spring Boot/Spring Cloud + Spring Security

以上只是一個推薦的組合而已，如果單純從技術上來說，無論怎么組合，都是可以運行的。

三、Spring Security過濾器

1、Spring Security中常見過濾器

FilterSecurityInterceptor：是一個方法級的權限過濾器, 基本位于過濾鏈的最底部。

ExceptionTranslationFilter：是個異常過濾器，用來處理在認證授權過程中拋出的異常。

UsernamePasswordAuthenticationFilter ：對/login 的 POST 請求做攔截，校驗表單中用戶

名，密碼。

2、15種過濾器

SpringSecurity 采用的是責任鏈的設計模式，它有一條很長的過濾器鏈。現在對這條過濾器鏈的 15 個過濾器進行說明:

（1） WebAsyncManagerIntegrationFilter：將 Security 上下文與 Spring Web 中用于處理異步請求映射的 WebAsyncManager 進行集成。

（2） SecurityContextPersistenceFilter：在每次請求處理之前將該請求相關的安全上下文信息加載到 SecurityContextHolder 中，然后在該次請求處理完成之后，將SecurityContextHolder 中關于這次請求的信息存儲到一個“倉儲”中，然后將SecurityContextHolder 中的信息清除，例如Session 中維護一個用戶的安全信息就是這個過濾器處理的。

（3） HeaderWriterFilter：用于將頭信息加入響應中。

（4） CsrfFilter：用于處理跨站請求偽造。

（5）LogoutFilter：用于處理退出登錄。

（6）UsernamePasswordAuthenticationFilter：用于處理基于表單的登錄請求，從表單中獲取用戶名和密碼。默認情況下處理來自 /login 的請求。從表單中獲取用戶名和密碼時，默認使用的表單 name 值為 username 和 password，這兩個值可以通過設置這個過濾器的 usernameParameter 和 passwordParameter 兩個參數的值進行修改。

（7）DefaultLoginPageGeneratingFilter：如果沒有配置登錄頁面，那系統初始化時就會配置這個過濾器，并且用于在需要進行登錄時生成一個登錄表單頁面。

（8）BasicAuthenticationFilter：檢測和處理 http basic 認證。

（9）RequestCacheAwareFilter：用來處理請求的緩存。

（10）SecurityContextHolderAwareRequestFilter：主要是包裝請求對象 request。

（11）AnonymousAuthenticationFilter：檢測 SecurityContextHolder 中是否存在Authentication 對象，如果不存在為其提供一個匿名 Authentication。

（12）SessionManagementFilter：管理 session 的過濾器

（13）ExceptionTranslationFilter：處理 AccessDeniedException 和AuthenticationException 異常。

（14）FilterSecurityInterceptor：可以看做過濾器鏈的出口。

（15）RememberMeAuthenticationFilter：當用戶沒有登錄而直接訪問資源時, 從 cookie里找出用戶的信息, 如果 Spring Security 能夠識別出用戶提供的 remember me cookie，用戶將不必填寫用戶名和密碼, 而是直接登錄進入系統，該過濾器默認不開啟。

3、SpringSecurity 基本流程

Spring Security 采取過濾鏈實現認證與授權，只有當前過濾器通過，才能進入下一個過濾器：

綠色部分是認證過濾器，需要我們自己配置，可以配置多個認證過濾器。認證過濾器可以使用 Spring Security 提供的認證過濾器，也可以自定義過濾器（例如：短信驗證）。認證過濾器要在 configure(HttpSecurity http)方法中配置，沒有配置不生效。

下面會重點介紹以下三個過濾器： UsernamePasswordAuthenticationFilter 過濾器：該過濾器會攔截前端提交的 POST 方式的登錄表單請求，并進行身份認證。ExceptionTranslationFilter 過濾器：該過濾器不需要我們配置，對于前端提交的請求會直接放行，捕獲后續拋出的異常并進行處理（例如：權限訪問限制）。FilterSecurityInterceptor 過濾器：該過濾器是過濾器鏈的最后一個過濾器，根據資源權限配置來判斷當前請求是否有權限訪問對應的資源。如果訪問受限會拋出相關異常，并 由 ExceptionTranslationFilter 過濾器進行捕獲和處理。

4、SpringSecurity 認證流程

認證流程是在 UsernamePasswordAuthenticationFilter 過濾器中處理的，具體流程如下所示：

四、PasswordEncoder 接口

// 表示把參數按照特定的解析規則進行解析 String encode(CharSequence rawPassword);// 表示驗證從存儲中獲取的編碼密碼與編碼后提交的原始密碼是否匹配。如果密碼匹 配，則返回 true；如果不匹配，則返回 false。第一個參數表示需要被解析的密碼。第二個 參數表示存儲的密碼。 boolean matches(CharSequence rawPassword, String encodedPassword);// 表示如果解析的密碼能夠再次進行解析且達到更安全的結果則返回 true，否則返回 false。默認返回 false。 default boolean upgradeEncoding(String encodedPassword) {return false; }復制代碼

BCryptPasswordEncoder 是 Spring Security 官方推薦的密碼解析器，平時多使用這個解析器。 BCryptPasswordEncoder 是對 bcrypt 強散列方法的具體實現。是基于 Hash 算法實現的單向加密。可以通過 strength 控制加密強度，默認 10。

五、SpringBoot整合Spring Security入門

1、pom.xml

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.2.1.RELEASE</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.guor</groupId><artifactId>securityProject</artifactId><version>0.0.1-SNAPSHOT</version><name>securityProject</name><description>Demo project for Spring Boot</description><properties><java.version>1.8</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><!--mybatis-plus--><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.0.5</version></dependency><!--mysql--><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId></dependency><!--lombok用來簡化實體類--><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project> 復制代碼

2、application.properties

server.port=8111 #spring.security.user.name=root #spring.security.user.password=root#mysql數據庫連接 spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver spring.datasource.url=jdbc:mysql://localhost:3306/security?serverTimezone=GMT%2B8 spring.datasource.username=root spring.datasource.password=root 復制代碼

3、SecurityConfig

package com.guor.security.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;public class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();String password = passwordEncoder.encode("123");auth.inMemoryAuthentication().withUser("zs").password(password).roles("admin");}@BeanPasswordEncoder password() {return new BCryptPasswordEncoder();} } 復制代碼 package com.guor.security.config;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl; import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository; import org.springframework.security.web.csrf.CookieCsrfTokenRepository;import javax.sql.DataSource;@Configuration public class UserSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserService userService;//注入數據源@Autowiredprivate DataSource dataSource;//配置對象@Beanpublic PersistentTokenRepository persistentTokenRepository() {JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();jdbcTokenRepository.setDataSource(dataSource);//jdbcTokenRepository.setCreateTableOnStartup(true);return jdbcTokenRepository;}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userService(userService).passwordEncoder(password());}@BeanPasswordEncoder password() {return new BCryptPasswordEncoder();}@Overrideprotected void configure(HttpSecurity http) throws Exception {//退出http.logout().logoutUrl("/logout").logoutSuccessUrl("/test/hello").permitAll();//配置沒有權限訪問跳轉自定義頁面http.exceptionHandling().accessDeniedPage("/unauth.html");http.formLogin() //自定義自己編寫的登錄頁面.loginPage("/on.html") //登錄頁面設置.loginProcessingUrl("/user/login") //登錄訪問路徑.defaultSuccessUrl("/success.html").permitAll() //登錄成功之后，跳轉路徑.failureUrl("/unauth.html").and().authorizeRequests().antMatchers("/","/test/hello","/user/login").permitAll() //設置哪些路徑可以直接訪問，不需要認證//當前登錄用戶，只有具有admins權限才可以訪問這個路徑//1 hasAuthority方法// .antMatchers("/test/index").hasAuthority("admins")//2 hasAnyAuthority方法// .antMatchers("/test/index").hasAnyAuthority("admins,manager")//3 hasRole方法 ROLE_sale.antMatchers("/test/index").hasRole("sale").anyRequest().authenticated().and().rememberMe().tokenRepository(persistentTokenRepository()).tokenValiditySeconds(60)//設置有效時長，單位秒.userDetailsService(userService);// .and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());// .and().csrf().disable(); //關閉csrf防護} } 復制代碼

4、啟動類

package com.guor.security;import org.mybatis.spring.annotation.MapperScan; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;@SpringBootApplication @MapperScan("com.guor.security.mapper") @EnableGlobalMethodSecurity(securedEnabled=true,prePostEnabled = true) public class SecurityProjectApplication {public static void main(String[] args) {SpringApplication.run(SecurityProjectApplication.class, args);}} 復制代碼

5、User

package com.guor.security.entity;import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor;@Data public class User {private Integer id;private String username;private String password; } 復制代碼

6、UserService

package com.guor.security.service;import com.guor.security.entity.User; import com.guor.security.mapper.UsersMapper; import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.stereotype.Service;import java.util.List;@Service public class UserServiceImpl implements UserService {@Autowiredprivate UserMapper userMapper;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {//調用usersMapper方法，根據用戶名查詢數據庫QueryWrapper<Users> wrapper = new QueryWrapper();// where username=?wrapper.eq("username",username);User user = userMapper.selectOne(wrapper);//判斷if(user == null) {//數據庫沒有用戶名，認證失敗throw new UsernameNotFoundException("用戶名不存在！");}List<GrantedAuthority> auths =AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_sale");//從查詢數據庫返回users對象，得到用戶名和密碼，返回return new User(user.getUsername(),new BCryptPasswordEncoder().encode(user.getPassword()),auths);} } 復制代碼

7、UserMapper

package com.guor.security.mapper;import com.guor.security.entity.User; import com.baomidou.mybatisplus.core.mapper.BaseMapper; import org.springframework.stereotype.Repository;@Repository public interface UserMapper extends BaseMapper<User> { } 復制代碼

8、UserController

package com.guor.security.controller;import com.guor.security.entity.User; import org.springframework.security.access.annotation.Secured; import org.springframework.security.access.prepost.PostAuthorize; import org.springframework.security.access.prepost.PostFilter; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;import java.util.ArrayList; import java.util.List;@RestController @RequestMapping("/test") public class UserController {@GetMapping("hello")public String hello() {return "hello security";}@GetMapping("index")public String index() {return "hello index";}@GetMapping("update")//@Secured({"ROLE_sale","ROLE_manager"})//@PreAuthorize("hasAnyAuthority('admins')")@PostAuthorize("hasAnyAuthority('admins')")public String update() {System.out.println("update......");return "hello update";}@GetMapping("getAll")@PostAuthorize("hasAnyAuthority('admins')")@PostFilter("filterObject.username == 'admin1'")public List<Users> getAllUser(){ArrayList<Users> list = new ArrayList<>();list.add(new Users(11,"admin1","6666"));list.add(new Users(21,"admin2","888"));System.out.println(list);return list;}}復制代碼

六、微服務認證與授權實現思路

1、如果是基于 Session，那么 Spring-security 會對 cookie 里的 sessionid 進行解析，找到服務器存儲的 session 信息，然后判斷當前用戶是否符合請求的要求。

2、如果是 token，則是解析出 token，然后將當前請求加入到 Spring-security 管理的權限信息中去。

如果系統的模塊眾多，每個模塊都需要進行授權與認證，所以我們選擇基于 token 的形式進行授權與認證，用戶根據用戶名密碼認證成功，然后獲取當前用戶角色的一系列權限值，并以用戶名為 key，權限列表為 value 的形式存入 redis 緩存中，根據用戶名相關信息生成 token 返回，瀏覽器將 token 記錄到 cookie 中，每次調用 api 接口都默認將 token 攜帶到 header 請求頭中，Spring-security 解析 header 頭獲取 token 信息，解析 token 獲取當前用戶名，根據用戶名就可以從 redis中獲取權限列表，這樣 Spring-security 就能夠判斷當前請求是否有權限訪問。

七、微服務代碼實例

1、父工程pom.xml

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><modules><module>common</module><module>infrastructure</module><module>service</module></modules><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.2.1.RELEASE</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.atguigu</groupId><artifactId>acl_parent</artifactId><packaging>pom</packaging><version>0.0.1-SNAPSHOT</version><name>acl_parent</name><description>Demo project for Spring Boot</description><properties><java.version>1.8</java.version><mybatis-plus.version>3.0.5</mybatis-plus.version><velocity.version>2.0</velocity.version><swagger.version>2.7.0</swagger.version><jwt.version>0.7.0</jwt.version><fastjson.version>1.2.28</fastjson.version><gson.version>2.8.2</gson.version><json.version>20170516</json.version><cloud-alibaba.version>0.2.2.RELEASE</cloud-alibaba.version></properties><dependencyManagement><dependencies><!--Spring Cloud--><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-dependencies</artifactId><version>Hoxton.RELEASE</version><type>pom</type><scope>import</scope></dependency><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-alibaba-dependencies</artifactId><version>${cloud-alibaba.version}</version><type>pom</type><scope>import</scope></dependency><!--mybatis-plus 持久層--><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>${mybatis-plus.version}</version></dependency><!-- velocity 模板引擎, Mybatis Plus 代碼生成器需要 --><dependency><groupId>org.apache.velocity</groupId><artifactId>velocity-engine-core</artifactId><version>${velocity.version}</version></dependency><dependency><groupId>com.google.code.gson</groupId><artifactId>gson</artifactId><version>${gson.version}</version></dependency><!--swagger--><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId><version>${swagger.version}</version></dependency><!--swagger ui--><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger-ui</artifactId><version>${swagger.version}</version></dependency><!-- JWT --><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>${jwt.version}</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency><dependency><groupId>org.json</groupId><artifactId>json</artifactId><version>${json.version}</version></dependency></dependencies></dependencyManagement><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project> 復制代碼

2、common模塊

common模塊pom.xml

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><parent><artifactId>acl_parent</artifactId><groupId>com.atguigu</groupId><version>0.0.1-SNAPSHOT</version></parent><modelVersion>4.0.0</modelVersion><artifactId>common</artifactId><packaging>pom</packaging><modules><module>service_base</module><module>spring_security</module></modules><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><scope>provided </scope></dependency><!--mybatis-plus--><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><scope>provided </scope></dependency><!--lombok用來簡化實體類：需要安裝lombok插件--><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><scope>provided </scope></dependency><!--swagger--><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId><scope>provided </scope></dependency><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger-ui</artifactId><scope>provided </scope></dependency><!-- redis --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId></dependency><!-- spring2.X集成redis所需common-pool2--><dependency><groupId>org.apache.commons</groupId><artifactId>commons-pool2</artifactId><version>2.6.0</version></dependency></dependencies></project> 復制代碼

3、common模塊 -> SpringSecurity子模塊

（1）核心配置類

Spring Security 的核心配置就是繼承 WebSecurityConfigurerAdapter 并注解@EnableWebSecurity 的配置。這個配置指明了用戶名密碼的處理方式、請求路徑、登錄登出控制等和安全相關的配置

package com.atguigu.security.config;import com.atguigu.security.filter.TokenAuthFilter; import com.atguigu.security.filter.TokenLoginFilter; import com.atguigu.security.security.DefaultPasswordEncoder; import com.atguigu.security.security.TokenLogoutHandler; import com.atguigu.security.security.TokenManager; import com.atguigu.security.security.UnauthEntryPoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService;@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class TokenWebSecurityConfig extends WebSecurityConfigurerAdapter {private TokenManager tokenManager;private RedisTemplate redisTemplate;private DefaultPasswordEncoder defaultPasswordEncoder;private UserDetailsService userDetailsService;@Autowiredpublic TokenWebSecurityConfig(UserDetailsService userDetailsService, DefaultPasswordEncoder defaultPasswordEncoder,TokenManager tokenManager, RedisTemplate redisTemplate) {this.userDetailsService = userDetailsService;this.defaultPasswordEncoder = defaultPasswordEncoder;this.tokenManager = tokenManager;this.redisTemplate = redisTemplate;}/*** 配置設置* @param http* @throws Exception*///設置退出的地址和token，redis操作地址@Overrideprotected void configure(HttpSecurity http) throws Exception {http.exceptionHandling().authenticationEntryPoint(new UnauthEntryPoint())//沒有權限訪問.and().csrf().disable().authorizeRequests().anyRequest().authenticated().and().logout().logoutUrl("/admin/acl/index/logout")//退出路徑.addLogoutHandler(new TokenLogoutHandler(tokenManager,redisTemplate)).and().addFilter(new TokenLoginFilter(authenticationManager(), tokenManager, redisTemplate)).addFilter(new TokenAuthFilter(authenticationManager(), tokenManager, redisTemplate)).httpBasic();}//調用userDetailsService和密碼處理@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(defaultPasswordEncoder);}//不進行認證的路徑，可以直接訪問@Overridepublic void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers("/api/**");} } 復制代碼

（2）實體類

package com.atguigu.security.entity;import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; import lombok.Data;import java.io.Serializable;@Data @ApiModel(description = "用戶實體類") public class User implements Serializable {private static final long serialVersionUID = 1L;@ApiModelProperty(value = "微信openid")private String username;@ApiModelProperty(value = "密碼")private String password;@ApiModelProperty(value = "昵稱")private String nickName;@ApiModelProperty(value = "用戶頭像")private String salt;@ApiModelProperty(value = "用戶簽名")private String token;} 復制代碼

（3）過濾器

package com.atguigu.security.filter;import com.atguigu.security.security.TokenManager; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList; import java.util.Collection; import java.util.List;public class TokenAuthFilter extends BasicAuthenticationFilter {private TokenManager tokenManager;private RedisTemplate redisTemplate;public TokenAuthFilter(AuthenticationManager authenticationManager,TokenManager tokenManager,RedisTemplate redisTemplate) {super(authenticationManager);this.tokenManager = tokenManager;this.redisTemplate = redisTemplate;}@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {//獲取當前認證成功用戶權限信息UsernamePasswordAuthenticationToken authRequest = getAuthentication(request);//判斷如果有權限信息，放到權限上下文中if(authRequest != null) {SecurityContextHolder.getContext().setAuthentication(authRequest);}chain.doFilter(request,response);}private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {//從header獲取tokenString token = request.getHeader("token");if(token != null) {//從token獲取用戶名String username = tokenManager.getUserInfoFromToken(token);//從redis獲取對應權限列表List<String> permissionValueList = (List<String>)redisTemplate.opsForValue().get(username);Collection<GrantedAuthority> authority = new ArrayList<>();for(String permissionValue : permissionValueList) {SimpleGrantedAuthority auth = new SimpleGrantedAuthority(permissionValue);authority.add(auth);}return new UsernamePasswordAuthenticationToken(username,token,authority);}return null;}}復制代碼 package com.atguigu.security.filter;import com.atguigu.security.entity.SecurityUser; import com.atguigu.security.entity.User; import com.atguigu.security.security.TokenManager; import com.atguigu.utils.utils.R; import com.atguigu.utils.utils.ResponseUtil; import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList;public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter {private TokenManager tokenManager;private RedisTemplate redisTemplate;private AuthenticationManager authenticationManager;public TokenLoginFilter(AuthenticationManager authenticationManager, TokenManager tokenManager, RedisTemplate redisTemplate) {this.authenticationManager = authenticationManager;this.tokenManager = tokenManager;this.redisTemplate = redisTemplate;this.setPostOnly(false);this.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/admin/acl/login","POST"));}//1 獲取表單提交用戶名和密碼@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)throws AuthenticationException {//獲取表單提交數據try {User user = new ObjectMapper().readValue(request.getInputStream(), User.class);return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(),user.getPassword(),new ArrayList<>()));} catch (IOException e) {e.printStackTrace();throw new RuntimeException();}}//2 認證成功調用的方法@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)throws IOException, ServletException {//認證成功，得到認證成功之后用戶信息SecurityUser user = (SecurityUser)authResult.getPrincipal();//根據用戶名生成tokenString token = tokenManager.createToken(user.getCurrentUserInfo().getUsername());//把用戶名稱和用戶權限列表放到redisredisTemplate.opsForValue().set(user.getCurrentUserInfo().getUsername(),user.getPermissionValueList());//返回tokenResponseUtil.out(response, R.ok().data("token",token));}//3 認證失敗調用的方法protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)throws IOException, ServletException {ResponseUtil.out(response, R.error());} }復制代碼

（4）security

package com.atguigu.security.security;import com.atguigu.utils.utils.MD5; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Component;@Component public class DefaultPasswordEncoder implements PasswordEncoder {public DefaultPasswordEncoder() {this(-1);}public DefaultPasswordEncoder(int strength) {}//進行MD5加密@Overridepublic String encode(CharSequence charSequence) {return MD5.encrypt(charSequence.toString());}//進行密碼比對@Overridepublic boolean matches(CharSequence charSequence, String encodedPassword) {return encodedPassword.equals(MD5.encrypt(charSequence.toString()));} }復制代碼 package com.atguigu.security.security;import com.atguigu.utils.utils.R; import com.atguigu.utils.utils.ResponseUtil; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.LogoutHandler;import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; //退出處理器 public class TokenLogoutHandler implements LogoutHandler {private TokenManager tokenManager;private RedisTemplate redisTemplate;public TokenLogoutHandler(TokenManager tokenManager,RedisTemplate redisTemplate) {this.tokenManager = tokenManager;this.redisTemplate = redisTemplate;}@Overridepublic void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {//1 從header里面獲取token//2 token不為空，移除token，從redis刪除tokenString token = request.getHeader("token");if(token != null) {//移除tokenManager.removeToken(token);//從token獲取用戶名String username = tokenManager.getUserInfoFromToken(token);redisTemplate.delete(username);}ResponseUtil.out(response, R.ok());} } 復制代碼 package com.atguigu.security.security;import io.jsonwebtoken.CompressionCodecs; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.stereotype.Component;import java.util.Date;@Component public class TokenManager {//token有效時長private long tokenEcpiration = 24*60*60*1000;//編碼秘鑰private String tokenSignKey = "123456";//1 使用jwt根據用戶名生成tokenpublic String createToken(String username) {String token = Jwts.builder().setSubject(username).setExpiration(new Date(System.currentTimeMillis()+tokenEcpiration)).signWith(SignatureAlgorithm.HS512, tokenSignKey).compressWith(CompressionCodecs.GZIP).compact();return token;}//2 根據token字符串得到用戶信息public String getUserInfoFromToken(String token) {String userinfo = Jwts.parser().setSigningKey(tokenSignKey).parseClaimsJws(token).getBody().getSubject();return userinfo;}//3 刪除tokenpublic void removeToken(String token) { } } 復制代碼 package com.atguigu.security.security;import com.atguigu.utils.utils.R; import com.atguigu.utils.utils.ResponseUtil; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;public class UnauthEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {ResponseUtil.out(httpServletResponse, R.error());} } 復制代碼

4、common模塊 -> service_base

（1）RedisConfig

package com.atguigu.utils;import com.fasterxml.jackson.annotation.JsonAutoDetect; import com.fasterxml.jackson.annotation.PropertyAccessor; import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.cache.CacheManager; import org.springframework.cache.annotation.CachingConfigurerSupport; import org.springframework.cache.annotation.EnableCaching; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.data.redis.cache.RedisCacheConfiguration; import org.springframework.data.redis.cache.RedisCacheManager; import org.springframework.data.redis.connection.RedisConnectionFactory; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer; import org.springframework.data.redis.serializer.RedisSerializationContext; import org.springframework.data.redis.serializer.RedisSerializer; import org.springframework.data.redis.serializer.StringRedisSerializer;import java.time.Duration;@EnableCaching //開啟緩存 @Configuration //配置類 public class RedisConfig extends CachingConfigurerSupport {@Beanpublic RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {RedisTemplate<String, Object> template = new RedisTemplate<>();RedisSerializer<String> redisSerializer = new StringRedisSerializer();Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);ObjectMapper om = new ObjectMapper();om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);jackson2JsonRedisSerializer.setObjectMapper(om);template.setConnectionFactory(factory);//key序列化方式template.setKeySerializer(redisSerializer);//value序列化template.setValueSerializer(jackson2JsonRedisSerializer);//value hashmap序列化template.setHashValueSerializer(jackson2JsonRedisSerializer);return template;}@Beanpublic CacheManager cacheManager(RedisConnectionFactory factory) {RedisSerializer<String> redisSerializer = new StringRedisSerializer();Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);//解決查詢緩存轉換異常的問題ObjectMapper om = new ObjectMapper();om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);jackson2JsonRedisSerializer.setObjectMapper(om);// 配置序列化（解決亂碼的問題）,過期時間600秒RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig().entryTtl(Duration.ofSeconds(600)).serializeKeysWith(RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer)).serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(jackson2JsonRedisSerializer)).disableCachingNullValues();RedisCacheManager cacheManager = RedisCacheManager.builder(factory).cacheDefaults(config).build();return cacheManager;} } 復制代碼

（2）SwaggerConfig

package com.atguigu.utils;import com.google.common.base.Predicates; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import springfox.documentation.builders.ApiInfoBuilder; import springfox.documentation.builders.PathSelectors; import springfox.documentation.service.ApiInfo; import springfox.documentation.service.Contact; import springfox.documentation.spi.DocumentationType; import springfox.documentation.spring.web.plugins.Docket; import springfox.documentation.swagger2.annotations.EnableSwagger2;@Configuration//配置類 @EnableSwagger2 //swagger注解 public class SwaggerConfig {@Beanpublic Docket webApiConfig(){return new Docket(DocumentationType.SWAGGER_2).groupName("webApi").apiInfo(webApiInfo()).select()//.paths(Predicates.not(PathSelectors.regex("/admin/.*"))).paths(Predicates.not(PathSelectors.regex("/error.*"))).build();}private ApiInfo webApiInfo(){return new ApiInfoBuilder().title("網站-課程中心API文檔").description("本文檔描述了課程中心微服務接口定義").version("1.0").contact(new Contact("java", "http://atguigu.com", "1123@qq.com")).build();} } 復制代碼

（3）工具類

package com.atguigu.utils.utils;import java.security.MessageDigest; import java.security.NoSuchAlgorithmException;public final class MD5 {public static String encrypt(String strSrc) {try {char hexChars[] = { '0', '1', '2', '3', '4', '5', '6', '7', '8','9', 'a', 'b', 'c', 'd', 'e', 'f' };byte[] bytes = strSrc.getBytes();MessageDigest md = MessageDigest.getInstance("MD5");md.update(bytes);bytes = md.digest();int j = bytes.length;char[] chars = new char[j * 2];int k = 0;for (int i = 0; i < bytes.length; i++) {byte b = bytes[i];chars[k++] = hexChars[b >>> 4 & 0xf];chars[k++] = hexChars[b & 0xf];}return new String(chars);} catch (NoSuchAlgorithmException e) {e.printStackTrace();throw new RuntimeException("MD5加密出錯！！+" + e);}}public static void main(String[] args) {System.out.println(MD5.encrypt("111111"));}}復制代碼 package com.atguigu.utils.utils;import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType;import javax.servlet.http.HttpServletResponse; import java.io.IOException;public class ResponseUtil {public static void out(HttpServletResponse response, R r) {ObjectMapper mapper = new ObjectMapper();response.setStatus(HttpStatus.OK.value());response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);try {mapper.writeValue(response.getWriter(), r);} catch (IOException e) {e.printStackTrace();}} } 復制代碼 package com.atguigu.utils.utils;import lombok.Data; import java.util.HashMap; import java.util.Map;//統一返回結果的類 @Data public class R {private Boolean success;private Integer code;private String message;private Map<String, Object> data = new HashMap<String, Object>();//把構造方法私有private R() {}//成功靜態方法public static R ok() {R r = new R();r.setSuccess(true);r.setCode(20000);r.setMessage("成功");return r;}//失敗靜態方法public static R error() {R r = new R();r.setSuccess(false);r.setCode(20001);r.setMessage("失敗");return r;}public R success(Boolean success){this.setSuccess(success);return this;}public R message(String message){this.setMessage(message);return this;}public R code(Integer code){this.setCode(code);return this;}public R data(String key, Object value){this.data.put(key, value);return this;}public R data(Map<String, Object> map){this.setData(map);return this;} } 復制代碼

5、gateway模塊

（1）pom.xml

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><parent><artifactId>infrastructure</artifactId><groupId>com.atguigu</groupId><version>0.0.1-SNAPSHOT</version></parent><modelVersion>4.0.0</modelVersion><artifactId>api_gateway</artifactId><dependencies><dependency><groupId>com.atguigu</groupId><artifactId>service_base</artifactId><version>0.0.1-SNAPSHOT</version></dependency><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId></dependency><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-gateway</artifactId></dependency><!--gson--><dependency><groupId>com.google.code.gson</groupId><artifactId>gson</artifactId></dependency><!--服務調用--><dependency><groupId>org.springframework.cloud</groupId><artifactId>spring-cloud-starter-openfeign</artifactId></dependency></dependencies> </project> 復制代碼

（2）application.properties

# 端口號 server.port=8222 # 服務名 spring.application.name=service-gateway # nacos服務地址 spring.cloud.nacos.discovery.server-addr=127.0.0.1:8848 # 使用服務發現路由 spring.cloud.gateway.discovery.locator.enabled=true# 配置路由規則 spring.cloud.gateway.routes[0].id=service-acl # 設置路由uri lb://注冊服務名稱 spring.cloud.gateway.routes[0].uri=lb://service-acl # 具體路徑規則 spring.cloud.gateway.routes[0].predicates= Path=/*/acl/** 復制代碼

（3）解決跨域

package com.atguigu.gateway.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.reactive.CorsWebFilter; import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource; import org.springframework.web.util.pattern.PathPatternParser;@Configuration public class CorsConfig {//解決跨域@Beanpublic CorsWebFilter corsWebFilter() {CorsConfiguration config = new CorsConfiguration();config.addAllowedMethod("*");config.addAllowedOrigin("*");config.addAllowedHeader("*");UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());source.registerCorsConfiguration("/**",config);return new CorsWebFilter(source);} } 復制代碼

（4）啟動類

package com.atguigu.gateway;import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.cloud.client.discovery.EnableDiscoveryClient;@SpringBootApplication @EnableDiscoveryClient public class ApiGatewayApplication {public static void main(String[] args) {SpringApplication.run(ApiGatewayApplication.class, args);} } 復制代碼

6、service模塊

（1）pom.xml

（2）application.properties

以菜單權限管理CRUD為例：

（3）Permission

（4）PermissionController

（5）PermissionService

（6）PermissionMapper

（7）PermissionMapper.xml

（8）PermissionHelper

（9）啟動類

最后：

最近我整理了整套**《JAVA核心知識點總結》**,說實話 ,作為一名Java程序員,不論你需不需要面試都應該好好看下這份資料。拿到手總是不虧的~我的不少粉絲也因此拿到騰訊字節快手等公司的Offer

進[Java架構資源交流群] ，找管理員獲取哦-！

rn.PathPatternParser;

@Configuration
public class CorsConfig {

//解決跨域 @Bean public CorsWebFilter corsWebFilter() {CorsConfiguration config = new CorsConfiguration();config.addAllowedMethod("*");config.addAllowedOrigin("*");config.addAllowedHeader("*");UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());source.registerCorsConfiguration("/**",config);return new CorsWebFilter(source); }

}
復制代碼

（4）啟動類

package com.atguigu.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;

@SpringBootApplication
@EnableDiscoveryClient
public class ApiGatewayApplication {
public static void main(String[] args) {
SpringApplication.run(ApiGatewayApplication.class, args);
}
}
復制代碼

### 6、service模塊（1）pom.xml（2）application.properties以菜單權限管理CRUD為例：（3）Permission（4）PermissionController（5）PermissionService （6）PermissionMapper（7）PermissionMapper.xml（8）PermissionHelper（9）啟動類# 最后：最近我整理了整套**《JAVA核心知識點總結》**,說實話 ,作為一名Java程序員,不論你需不需要面試都應該好好看下這份資料。拿到手總是不虧的~我的不少粉絲也因此拿到騰訊字節快手等公司的Offer> <font color=Blue size=5> 進[[Java架構資源交流群](https://jq.qq.com/?_wv=1027&k=bH7VlCjB)] ，找管理員獲取哦-！

總結

以上是生活随笔為你收集整理的2021最新Spring Security知识梳理的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。