SpringSecurity+Jwt做前后端分离权限认证

Posted 雾晴

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SpringSecurity+Jwt做前后端分离权限认证相关的知识,希望对你有一定的参考价值。

说在前面的话

这里是接上一篇,万字长文 基于SpringBoot整合SpringSecurity的认证授权(角色+权限) 真案列、有数据库、有源码,上一篇写的很细但是不是前后端分离,这一篇把前后端分离补上,数据库和Mapper模块都和前面的一致就不累述了,以下都是我自己的理解,如果什么地方有问题,请各位前辈指出,感激不尽。

项目目录

其实变化也不大,就新增了拦截器和Service,以及一个工具类,当然配置文件中变换还是蛮大的,

Jwt工具类(新增)

嗯,在本文中会用到Jwt,关于Jwt嗯,因为我学习的时候没有写文章,后面可能会出一篇,好吧又给自己挖一个坑,这里我就默认大家会JWT了,当然这个项目的源码我也会在后面分享出来的。
首先是编写Jwt工具类,如下

package work.zx.unitl;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import work.zx.entity.UserVo;

import java.util.Date;
import java.util.List;

public class JwtUtil {

    // 主题
    private static final String SUBJECT = "zx";

    // jwt的token有效期,
    //private static final long EXPIRITION = 1000L * 60 * 60 * 24 * 7;//7天
    private static final long EXPIRITION = 1000L * 60 * 30;   // 半小时

    // 加密key(黑客没有该值无法篡改token内容)
    private static final String APPSECRET_KEY = "zxdc";

    // 用户url权限列表key
    private static final String AUTH_CLAIMS = "auth";


    /**
     * TODO  生成token
     *
     * @param user
     * @return java.lang.String
     * @date 2020/7/6 0006 9:26
     */
    public static String generateToken(UserVo user) {
        String token = Jwts
                .builder()
                // 主题
                .setSubject(SUBJECT)
                // 添加jwt自定义值
                .claim(AUTH_CLAIMS, user.getAutk())
                .claim("username", user.getUsername())
                .claim("userId", user.getUid())
                .setIssuedAt(new Date())
                // 过期时间
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRITION))
                // 加密方式,加密key
                .signWith(SignatureAlgorithm.HS256, APPSECRET_KEY).compact();
        return token;
    }

    /**
     * 获取用户Id
     *
     * @param token
     * @return
     */
    public static String getUserId(String token) {
        Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
        return claims.get("userId").toString();
    }

    /**
     * 获取用户名
     *
     * @param token
     * @return
     */
    public static String getUsername(String token) {
        Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
        return claims.get("username").toString();
    }

    /**
     * 获取用户角色的权限列表, 没有返回空
     *
     * @param token
     * @return
     */
    public static List<SimpleGrantedAuthority> getUserAuth(String token) {
        Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
        List auths = (List) claims.get(AUTH_CLAIMS);
        String json = JSONArray.toJSONString(auths);

        return JSON.parseArray(json, SimpleGrantedAuthority.class);
    }

    /**
     * 验证是否过期
     *
     * @param token
     * @return
     */
    public static boolean isExpiration(String token) {
        Claims claims = Jwts.parser().setSigningKey(APPSECRET_KEY).parseClaimsJws(token).getBody();
        System.out.println("过期时间: " + claims.getExpiration());
        return claims.getExpiration().before(new Date());
    }

}

登录拦截器

这个不是必须的,也可以自己写一个登录接口,然后认证成功后将权限信息生成Token传给前端,我项目中就是使用的这种方式,这个dome我还是把登录拦截器弄出来了。
源码如下,

package work.zx.Config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.servlet.HandlerExceptionResolver;
import work.zx.dao.PermissionMapper;
import work.zx.dao.RoleMapper;
import work.zx.dao.UserMapper;
import work.zx.entity.Permission;
import work.zx.entity.Role;
import work.zx.entity.UserVo;
import work.zx.filter.JWTLoginFilter;
import work.zx.filter.JWTValidFilter;
import work.zx.service.AuthenticationProviderImpl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    @Qualifier("handlerExceptionResolver")
    private HandlerExceptionResolver resolver;
    //用户表
    @Autowired
    private UserMapper userMapper;
    
    //角色表
    @Autowired
    private RoleMapper roleMapper;

    //资源表
    @Autowired
    private PermissionMapper permissionMapper;
    
    
    @Bean
    public PasswordEncoder getPw(){
        return new BCryptPasswordEncoder();
    }


    @Autowired
    private AuthenticationProviderImpl authenticationProvider;

    /**
     * TODO 授权
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {


        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry eiur = http.authorizeRequests();
        eiur
                // 登录接口不需要权限控制,可删除,目前该接口不在权限列表中
                .antMatchers("/auth/login", "POST").permitAll()

                // 设置JWT过滤器
                .and()
                .addFilter(new JWTValidFilter(authenticationManager(), resolver))
                .addFilter(new JWTLoginFilter(authenticationManager(), resolver)).csrf().disable()

                // 剔除session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // 开启跨域访问
        http.cors().disable();
        // 开启模拟请求,比如API POST测试工具的测试,不开启时,API POST为报403错误
        http.csrf().disable();
        // iframe 跳转错误处理 Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'
        http.headers().frameOptions().disable();

    }


}

授权拦截器(新增)

当然这里是我这样叫,这里是拿到请求中携带的token,将token中权限部分取出来,然后保存到Security的Authentication授权管理器中,给我们后面注入那个AuthenticationProviderImpl,

package work.zx.filter;

import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.SignatureException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.HandlerExceptionResolver;
import work.zx.unitl.JwtUtil;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;

public class JWTValidFilter extends BasicAuthenticationFilter {

    // 异常处理类
    private HandlerExceptionResolver resolver;

    /**
     * SecurityConfig 配置中创建该类实例
     */
    public JWTValidFilter(AuthenticationManager authenticationManager, HandlerExceptionResolver resolver) {
        // 获取授权管理
        super(authenticationManager);
        // 获取异常处理类
        this.resolver = resolver;
    }


    /**
     * 拦截请求
     *
     * @param request
     * @param response
     * @param chain
     * @throws IOException
     * @throws ServletException
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        // 获取token, 没有token直接放行
        System.out.println("开始授权验证");
        String token = request.getHeader("token");

        if (StringUtils.isEmpty(token) || "null".equals(token)) {
            super.doFilterInternal(request, response, chain);
            // 获取token, 没有token直接放行
            return;
        }

        // 有token进行权限验证
        List<SimpleGrantedAuthority> userAuthList = null;
        String username = null;
        try {
            //  权限列表
            userAuthList = JwtUtil.getUserAuth(token);
            //  获取账号
            username = JwtUtil.getUsername(token);

        } catch (SignatureException ex) {
            resolver.resolveException(request, response, null, new Exception( "JWT签名与本地计算签名不匹配"));
            return;
        } catch (ExpiredJwtException ex) {
            resolver.resolveException(request, response, null, new Exception( "登录过期"));
            return;
        } catch (Exception e) {
            resolver.resolveException(request, response, null, new Exception( "JWT解析错误"));
            return;
        }

        //  添加账户的权限信息,和账号是否为空,然后保存到Security的Authentication授权管理器中
        if (!StringUtils.isEmpty(username) && userAuthList != null) {
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(username, null, userAuthList));
        }

        super.doFilterInternal(request, response, chain);
    }

}

AuthenticationProviderImpl

这个类实现了AuthenticationProvider接口,这个接口就两个方法
Authentication authenticate(Authentication authentication) throws AuthenticationException;
源码注释中说 这个是做身份认证的,传入一个身份验证请求对象。当然这些方法的调用就是SpringSecurity自己的事儿了,我们只需要重写即可使用,其实我自己也还没弄清楚。

package work.zx.service;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import work.zx.dao.PermissionMapper;
import work.zx.dao.RoleMapper;
import work.zx.dao.UserMapper;
import work.zx.entity.Permission;
import work.zx.entity.Role;
import work.zx.entity.UserVo;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

@Component
public class AuthenticationProviderImpl implements AuthenticationProvider {

    //用户表
    @Autowired
    private UserMapper userMapper;

    //角色表
    @Autowired
    private RoleMapper roleMapper;

    //资源表
    @Autowired
    private PermissionMapper permissionMapper;


    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //拿到登录传过来的信息
        String username = (String) authentication.getPrincipal();

        String password = (String) authentication.getCredentials();

        //存放权限的
        Collection<SimpleGrantedAuthority> authorities = new ArrayList<>();

        UserVo userVo = userMapper.selectBYUserName(username);

        if (userVo == null || !password.equals(userVo.getPassword())) {
            System.out.println("用户名或者密码输入错误");
            throw new UsernameNotFoundException("用户名或者密码输入错误");
        }


        //拿到用户角色
        List<Role> roles = roleMapper.selectByUserId(userVo.getUid());
        for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
            //拿到用户具有的权限
            List<Permission> permissionList = permissionMapper.selectByRoleId(role.getRid());
            for (Permission permission : permissionList) {
                //添加到
                authorities.add(new SimpleGrantedAuthority(permission.getStr()));
            }
        }
        userVo.setAutk(authorities);

        authentication = new AbstractAuthenticationToken(new ArrayList<>()) {

            @Override
            public Object getCredentials() {
                return userVo.getPassword();
            }

            @Override
            public Object getPrincipal() {
                return userVo;
            }

        };

        authentication.setAuthenticated(true);

        return authentication;
    }



    @Override
    public boolean supports(Class<?> authentication) {

        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

}

SpringSecurity配置文件

package work.zx.Config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;

import org.springframework.security.authenticationSpringSecurity+JWT实现前后端分离的使用#yyds干货盘点#

SpringBoot+SpringSecurity前后端分离+Jwt的权限认证(改造记录)

SpringBoot + MyBatis-plus + SpringSecurity + JWT实现用户无状态请求验证(前后端分离)

Spring boot+Spring security+JWT实现前后端分离登录认证及权限控制

spring boot整合jwt 实现前后端分离登录认证及授权

前后端分离学习笔记 ---[跨域问题,JWT,路由守卫,Axios设置请求拦截和响应拦截]