Security提高-集成JWT

注意：请先看《springboot从0开始搭建rbac的security权限认证》再看本篇

1.引入jwt依赖

<!-- JWT -->
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.1</version>
        </dependency>

2.在application.properties添加JWT的配置

# JWT??
jwt:
  # JWT??????
  tokenHeader: Authorization
  # JWT ???????
  secret: wrs-secret
  # JWT ?????(60*60*24)
  expiration: 604800
  # JWT???????
  tokenHead: Bearer
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/user_db?useSSL=false&serverTimezone=Hongkong&useUnicode=true&characterEncoding=utf8&autoReconnect=true
    username: root
    password: 123456
server:
  port: 9999

3.书写JWT工具类

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
​
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
​
@Component
public class JwtTokenUtil {
    // 用户名的key
    private static final String CLAIM_KEY_USERNAME = "sub";
    // jwt创建时间
    private static final String CLAIM_KEY_CREATED = "created";
​
    /**
     * 去application.yml拿jwt密钥和jwt失效时间
     */
    @Value("${jwt.secret}")
    private String secret;
    @Value("${jwt.expiration}")
    private Long expiration;
​
    /**
     * 根据用户信息生成Token
     *
     * @param userDetails
     * @return
     */
    public String generateToken(UserDetails userDetails) {
        HashMap<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }
​
    /**
     * 从Token中获取username
     * @param token
     * @return
     */
    public String getUsernameFromToken(String token) {
        String username;
        try {
            Claims claims = getClaimsFromToken(token);
            username = claims.getSubject();
        } catch (Exception e) {
            username = null;
        }
        return username;
    }
​
    /**
     * 从Token中获取荷载
     * @param token
     * @return
     */
    private Claims getClaimsFromToken(String token) {
        Claims claims = null;
        try {
            claims = Jwts.parser()
                    .setSigningKey(secret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return claims;
    }
​
    /**
     * 验证Token是否有效
     * @param token
     * @param userDetails
     * @return
     */
    public boolean validateToken(String token, UserDetails userDetails) {
        String username = getUsernameFromToken(token);
        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
    }
​
    /**
     * 判断Token是否失效
     * @param token
     * @return
     */
    private boolean isTokenExpired(String token) {
        Date expireDate = getExpiredDateFromToken(token);
        return expireDate.before(new Date());
    }
​
    /**
     * 从Token中获取过期时间
     * @param token
     * @return
     */
    private Date getExpiredDateFromToken(String token) {
        Claims claims = getClaimsFromToken(token);
        return claims.getExpiration();
    }
​
    /**
     * 根据荷载生成JWT Token
     *
     * @param claims
     * @return
     */
    private String generateToken(Map<String, Object> claims) {
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }
​
    /**
     * 生成Token失效时间
     *
     * @return
     */
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + expiration * 1000);
    }
}

4.书写JWT的过滤器

import com.zhuoyue.util.JwtTokenUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;
​
import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
​
public class JwtAuthorizationTokenFilter extends OncePerRequestFilter {
​
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;
    @Value("${jwt.tokenHead}")
    private String tokenHead;
    @Resource
    private JwtTokenUtil jwtTokenUtil;
    @Resource
    private UserDetailsService userDetailsService;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException, NumberFormatException {
        // 获取Header
        String authHeader = request.getHeader(tokenHeader);
        // 存在token但不是tokenHead开头
        if (null != authHeader && authHeader.startsWith(tokenHead)) {
            // 字段截取authToken
            String authToken = authHeader.substring(tokenHead.length());
            // 根据authToken获取username
            String username = jwtTokenUtil.getUsernameFromToken(authToken);
            // token存在用户名但未登录
            if (null != username && null == SecurityContextHolder.getContext().getAuthentication()) {
                // 登录
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                // 验证token是否有效，如果有效，将他重新放到用户对象里。
                if (jwtTokenUtil.validateToken(authToken, userDetails)) {
                    UsernamePasswordAuthenticationToken authenticationToken =
                            new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                    // 重新设置到用户对象里
                    authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(authenticationToken);
                }
            }
        }
        // 放行
        chain.doFilter(request, response);
    }
}

5.书写未登录拦截

import com.fasterxml.jackson.databind.ObjectMapper;
import com.zhuoyue.common.RespBean;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
​
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
​
@Component
public class RestAuthorizationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e)
            throws IOException, ServletException {
        // 通过response设置编码格式
        response.setCharacterEncoding("UTF-8");
        // 设置ContentType
        response.setContentType("application/json");
        // 输出流
        PrintWriter out = response.getWriter();
        RespBean bean = RespBean.error("未登录，请登录！");
        bean.setCode(401);
        out.write(new ObjectMapper().writeValueAsString(bean));
        out.flush();
        out.close();
    }
}

6.书写权限不足拦截

import com.fasterxml.jackson.databind.ObjectMapper;
import com.zhuoyue.common.RespBean;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
​
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
​
​
@Component
public class RestfulAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e)
            throws IOException, ServletException {
        // 通过response设置编码格式
        response.setCharacterEncoding("UTF-8");
        // 设置ContentType
        response.setContentType("application/json");
        // 输出流
        RespBean bean = RespBean.error("权限不足，请联系管理员！");
        PrintWriter out = response.getWriter();
        bean.setCode(403);
        out.write(new ObjectMapper().writeValueAsString(bean));
        out.flush();
        out.close();
    }
}

7.修改UserService添加login接口

import com.zhuoyue.common.RespBean;
import org.springframework.security.core.userdetails.UserDetailsService;
​
public interface UserService extends UserDetailsService {
​
    RespBean login(String username,String password);
}

8.书写Uservice的实现类UserServiceImpl

import com.zhuoyue.common.RespBean;
import com.zhuoyue.mapper.PerssionMapper;
import com.zhuoyue.mapper.UserMapper;
import com.zhuoyue.po.PerssionPO;
import com.zhuoyue.po.UserPO;
import com.zhuoyue.servcie.UserService;
import com.zhuoyue.util.JwtTokenUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
​
import javax.annotation.Resource;
import java.util.HashMap;
import java.util.List;
import java.util.stream.Collectors;
​
@Service
public class UserServiceImpl implements UserService {
    @Resource
    private PasswordEncoder passwordEncoder;
    @Value("${jwt.tokenHead}")
    private String tokenHead;
    @Resource
    private UserMapper userMapper;
    @Resource
    private JwtTokenUtil jwtTokenUtil;
​
    @Override
    public RespBean login(String username, String password) {
        UserDetails userDetails = loadUserByUsername(username);
        if (userDetails == null)return RespBean.error("登录失败！");
        if (passwordEncoder.matches(password,userDetails.getPassword())){
            if (userDetails.isEnabled()){
                UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
                String token = jwtTokenUtil.generateToken(userDetails);
                HashMap<Object, Object> map = new HashMap<>();
                map.put("token",token);
                map.put("tokenHead",tokenHead);
                return RespBean.success("登录成功！",map);
            }
            return RespBean.error("账号已被禁用请联系管理员");
        }
        return RespBean.error("用户名或密码错误！");
    }
​
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        UserPO userPO = userMapper.findUserByUserName(s);
        if (userPO==null)return null;
        List<PerssionPO> all = userMapper.findPerssionByUserName(s);
        List<GrantedAuthority> collect = all.stream().map(perssionPO -> new SimpleGrantedAuthority(perssionPO.getCode())).collect(Collectors.toList());
        userPO.setAuthorities(collect);
        return userPO;
    }
}

9.修改security的配置类

import com.zhuoyue.mapper.PerssionMapper;
import com.zhuoyue.po.PerssionPO;
import com.zhuoyue.servcie.UserService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
​
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
​
import javax.annotation.Resource;
import java.util.List;
​
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Resource
    private RestAuthorizationEntryPoint restAuthorizationEntryPoint;
    @Resource
    private RestfulAccessDeniedHandler restfulAccessDeniedHandler;
    @Resource
    private UserService userService;
    @Resource
    private PerssionMapper perssionMapper;
​
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    @Bean
    public JwtAuthorizationTokenFilter jwtAuthorizationTokenFilter() {
        return new JwtAuthorizationTokenFilter();
    }
​
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }
    /**
     * 放行路径
     * @param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                "/captcha",
                "/login",
                "/logout",
                "/css/**",
                "/js/**",
                "/index.html",
                "favicon.ico",
                "/doc.html",
                "/webjars/**",
                "/swagger-resources/**",
                "/v2/api-docs/**"
                );
    }
​
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 使用JWT,不需要csrf
        http.csrf().disable()
                // 使用JWT,不需要session
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // 禁用缓存
                .headers()
                .cacheControl();
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests = http.authorizeRequests();
        List<PerssionPO> mapperAll = perssionMapper.findAll();
        mapperAll.forEach(perssionPO ->
                requests.antMatchers(perssionPO.getUrl()).hasAuthority(perssionPO.getCode()));
        //requests.anyRequest().denyAll().and().headers().cacheControl();
        requests.anyRequest().permitAll();
        // 添加JWT 登录授权过滤器
        http.addFilterBefore(jwtAuthorizationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        // 添加自定义未授权和未登录结果返回
        http.exceptionHandling()
                .accessDeniedHandler(restfulAccessDeniedHandler)
                .authenticationEntryPoint(restAuthorizationEntryPoint);
    }
​
​
}

10.书写测试Controller

import com.zhuoyue.common.RespBean;
import com.zhuoyue.mapper.UserMapper;
import com.zhuoyue.po.UserPO;
import com.zhuoyue.servcie.UserService;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
​
import javax.annotation.Resource;
import java.security.Principal;
​
@RestController
public class TestController {
    @Resource
    private UserService userService;
    @Resource
    private UserMapper userMapper;
    @PostMapping("/login")
    public RespBean login(String username,String password){
        return userService.login(username,password);
    }
    @PostMapping("/r/r")
    public String r(){
        return "我是r,我不要权限";
    }
    @PostMapping("/r/r1")
    public String r1(){
        return "我是r1,我需要p1权限";
    }
    @PostMapping("/r/r2")
    public String r2(){
        return "我是r2,我需要p3权限";
    }
    @PostMapping("/r/r3")
    public String r3(){
        return "我是r3,我不需要权限";
    }
​
    @GetMapping("/r/info")
    public UserPO getAdminInfo(Principal principal) {
        if (principal != null) {
            String username = principal.getName();
            UserPO user = userMapper.findUserByUserName(username);
            // 将用户名密码设置null，安全性。
            user.setPassword(null);
            return user;
        }
        return null;
    }
}