目錄標題

• 原理架構圖
• demo的項目結構
• JwtTokenUtil
• RestAuthenticationEntryPoint 和 RestfulAccessDeniedHandler
• MyUserDetailsService
• JwtAuthenticationTokenFilter
• SecurityConfig
• Controller
• Postman 測試

為了方便，未采用是從數據庫讀取的方式。工具類都是別人那偷的（滑稽。

原理架構圖

demo的項目結構

• JwtTokenUtil : JwtToken生成的工具類
• RestAuthenticationEntryPoint : 當未登錄或者token失效訪問接口時，自定義的返回結果
• RestfulAccessDeniedHandler : 當訪問接口沒有權限時，自定義的返回結果
• JwtAuthenticationTokenFilter : JWT登錄授權過濾器
• SecurityConfig：SpringSecurity 的配置類
• User ： 實現 UserDetails 接口 ，主要功能是 保存用戶的賬號密碼以及角色列表
• MyUserDetailsService：實現了 UserDetailsService 接口的 loadUserByUsername 方法 ，主要是進行登錄信息驗證，在輸入賬戶密碼進行登錄的時候，會進入這個類進行驗證信息。

由于類比較多，一般建議創建的流程：
1、創建 JwtTokenUtil
2、創建 RestAuthenticationEntryPoint 和 RestfulAccessDeniedHandler
3、創建 MyUserDetailsService
4、創建 JwtAuthenticationTokenFilter
5、配置 Security信息 SecurityConfig

JwtTokenUtil

import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Component;import java.util.Date; import java.util.HashMap; import java.util.Map;/*** @Description: JwtToken生成的工具類* @Author: zlf* @Date: 2021/3/30*/ @Component public class JwtTokenUtil {private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);private static final String CLAIM_KEY_USERNAME = "sub";private static final String CLAIM_KEY_CREATED = "created";@Value("${jwt.secret}")private String secret;@Value("${jwt.expiration}")private Long expiration;/*** 根據負責生成JWT的token*/private String generateToken(Map<String, Object> claims) {return Jwts.builder().setClaims(claims).setExpiration(generateExpirationDate()).signWith(SignatureAlgorithm.HS512, secret).compact();}/*** 從token中獲取JWT中的負載*/private Claims getClaimsFromToken(String token) {Claims claims = null;try {claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();} catch (Exception e) {LOGGER.info("JWT格式驗證失敗:{}",token);}return claims;}/*** 生成token的過期時間*/private Date generateExpirationDate() {return new Date(System.currentTimeMillis() + expiration * 1000);}/*** 從token中獲取登錄用戶名*/public String getUserNameFromToken(String token) {String username;try {Claims claims = getClaimsFromToken(token);username = claims.getSubject();} catch (Exception e) {username = null;}return username;}/*** 驗證token是否還有效** @param token 客戶端傳入的token* @param userDetails 從數據庫中查詢出來的用戶信息*/public boolean validateToken(String token, UserDetails userDetails) {String username = getUserNameFromToken(token);return username.equals(userDetails.getUsername()) && !isTokenExpired(token);}/*** 判斷token是否已經失效*/private boolean isTokenExpired(String token) {Date expiredDate = getExpiredDateFromToken(token);return expiredDate.before(new Date());}/*** 從token中獲取過期時間*/private Date getExpiredDateFromToken(String token) {Claims claims = getClaimsFromToken(token);return claims.getExpiration();}/*** 根據用戶信息生成token*/public String generateToken(UserDetails userDetails) {Map<String, Object> claims = new HashMap<>();claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());claims.put(CLAIM_KEY_CREATED, new Date());return generateToken(claims);}/*** 判斷token是否可以被刷新*/public boolean canRefresh(String token) {return !isTokenExpired(token);}/*** 刷新token*/public String refreshToken(String token) {Claims claims = getClaimsFromToken(token);claims.put(CLAIM_KEY_CREATED, new Date());return generateToken(claims);} }

RestAuthenticationEntryPoint 和 RestfulAccessDeniedHandler

import cn.hutool.json.JSONUtil; import com.zlf.Api.CommonResult; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/** * @Description: 當未登錄或者token失效訪問接口時，自定義的返回結果 * @Author: zlf * @Date: 2021/3/30 */ @Component public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {System.out.println("--- --- 未登錄");response.setCharacterEncoding("UTF-8");response.setContentType("application/json");response.getWriter().println(JSONUtil.parse(CommonResult.unauthorized("失敗")));response.getWriter().flush();} } import cn.hutool.json.JSONUtil; import com.zlf.Api.CommonResult; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/** * @Description: 當訪問接口沒有權限時，自定義的返回結果 * @Author: zlf * @Date: 2021/3/30 */ @Component public class RestfulAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request,HttpServletResponse response,AccessDeniedException e) throws IOException, ServletException {response.setCharacterEncoding("UTF-8");response.setContentType("application/json");response.getWriter().println(JSONUtil.parse(CommonResult.forbidden(e.getMessage())));response.getWriter().flush();} }

MyUserDetailsService

import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.stereotype.Component;import java.util.ArrayList; import java.util.List;/*** Created with IntelliJ IDEA.** @Auther: zlf* @Date: 2021/03/30/23:38* @Description:*/ @Component public class MyUserDetailsService implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {// 這邊可以通過username去獲取數據庫中的用戶信息 如果沒有拋出異常List<GrantedAuthority> authorityList = new ArrayList<>();/* 此處查詢數據庫得到角色權限列表，這里可以用Redis緩存以增加查詢速度 */System.out.println("--- ---- 判斷");authorityList.add(new SimpleGrantedAuthority("ROLE_USER")); // 角色 需要以 ROLE_ 開頭return new org.springframework.security.core.userdetails.User(username, new BCryptPasswordEncoder().encode("123456"), authorityList);} }

JwtAuthenticationTokenFilter

import com.zlf.utils.JwtTokenUtil; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList; import java.util.List;/** * @Description: JWT登錄授權過濾器 * @Author: zlf * @Date: 2021/3/30 */ @Component @Slf4j public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {//@Autowired//private UserDetailsService userDetailsService;@Autowiredprivate JwtTokenUtil jwtTokenUtil;@Value("${jwt.tokenHeader}")private String tokenHeader;@Value("${jwt.tokenHead}")private String tokenHead;@Autowiredprivate MyUserDetailsService userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain chain) throws ServletException, IOException {String authHeader = request.getHeader(this.tokenHeader);if (authHeader != null && authHeader.startsWith(this.tokenHead)) {String authToken = authHeader.substring(this.tokenHead.length());// The part after "Bearer "String username = jwtTokenUtil.getUserNameFromToken(authToken);log.info("checking username:{}", username);if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {UserDetails userDetails = userDetailsService.loadUserByUsername(username);if (jwtTokenUtil.validateToken(authToken, userDetails)) {UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, new BCryptPasswordEncoder().encode("123456"), userDetails.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));log.info("authenticated user:{}", username);SecurityContextHolder.getContext().setAuthentication(authentication);}}}chain.doFilter(request, response);}// public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { // List<GrantedAuthority> authorityList = new ArrayList<>(); // /* 此處查詢數據庫得到角色權限列表，這里可以用Redis緩存以增加查詢速度 */ // authorityList.add(new SimpleGrantedAuthority("ROLE_USER")); // 角色 需要以 ROLE_ 開頭 // return new org.springframework.security.core.userdetails.User(username, "123456", true, true, // true, true, authorityList); // } }

SecurityConfig

import com.zlf.component.JwtAuthenticationTokenFilter; import com.zlf.component.MyUserDetailsService; import com.zlf.component.RestAuthenticationEntryPoint; import com.zlf.component.RestfulAccessDeniedHandler; import com.zlf.entity.model.Admin; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;/*** Created with IntelliJ IDEA.** @Auther: zlf* @Date: 2021/03/30/20:45* @Description:*/ @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate MyUserDetailsService userDetailsService;@Autowiredprivate RestfulAccessDeniedHandler restfulAccessDeniedHandler;@Autowiredprivate RestAuthenticationEntryPoint restAuthenticationEntryPoint;@Autowiredprivate JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;@Overrideprotected void configure(HttpSecurity httpSecurity) throws Exception {httpSecurity.csrf()// 由于使用的是JWT，我們這里不需要csrf.disable().sessionManagement()// 基于token，所以不需要session.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers(HttpMethod.GET, // 允許對于網站靜態資源的無授權訪問"/","/*.html","/favicon.ico","/**/*.html","/**/*.css","/**/*.js","/swagger-resources/**","/v2/api-docs/**").permitAll().antMatchers("/admin/login", "/register")// 對登錄注冊要允許匿名訪問.permitAll().antMatchers(HttpMethod.OPTIONS)//跨域請求會先進行一次options請求.permitAll() // .antMatchers("/**")//測試時全部運行訪問 // .permitAll().anyRequest()// 除上面外的所有請求全部需要鑒權認證.authenticated();// 禁用緩存httpSecurity.headers().cacheControl();// 添加JWT filterhttpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);//添加自定義未授權和未登錄結果返回httpSecurity.exceptionHandling().accessDeniedHandler(restfulAccessDeniedHandler).authenticationEntryPoint(restAuthenticationEntryPoint);}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());}// @Bean // public PasswordEncoder passwordEncoder() { // return new BCryptPasswordEncoder(); // }// @Bean // public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){ // return new JwtAuthenticationTokenFilter(); // }@Bean@Overridepublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();} }

Controller

import com.zlf.entity.User; import com.zlf.utils.JwtTokenUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController;import javax.servlet.http.HttpServletRequest; import java.util.HashMap; import java.util.Map;/*** Created with IntelliJ IDEA.** @Auther: zlf* @Date: 2021/03/30/23:15* @Description:*/ @RestController public class LoginController {@Autowiredprivate JwtTokenUtil jwtTokenUtil;@Value("${jwt.tokenHead}")private String tokenHead;@PostMapping("/admin/login")public String login(@RequestBody User user, HttpServletRequest request) {/* 在這里驗證用戶名和密碼，驗證成功則生成token返回 */System.out.println("--- -- -login");System.out.println(user);return tokenHead+" "+jwtTokenUtil.generateToken(user); // 生成 Token，返回給客戶端}@PreAuthorize("hasAnyRole('USER')") // 對單個方法進行權限控制@GetMapping("/me")public String me() {// 從上下文中獲取 UserDetailsUserDetails userDetails = (UserDetails) org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication().getPrincipal();return userDetails.getUsername() + "," + userDetails.getPassword();} }

Postman 測試

我們將登錄獲取到的 Token ，放到請求頭中。

最后放出 JWT key的配置

# 自定義jwt key jwt:tokenHeader: Authorization #JWT存儲的請求頭secret: mySecret #JWT加解密使用的密鑰expiration: 604800 #JWT的超期限時間(60*60*24)tokenHead: Bearer #JWT負載中拿到開頭

依賴

<!--Hutool Java工具包--><dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>4.5.7</version></dependency><!--JWT(Json Web Token)登錄支持--><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.0</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency>

總結

以上是生活随笔為你收集整理的SpringSecurity +Jwt 实现权限管理的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。