Spring Security网络上很多前后端分离的示例很多都不是完全的前后分离,而且大家实现的方式各不相同,有的是靠自己写拦截器去自己校验权限的,有的页面是使用themleaf来实现的不是真正的前后分离,看的越多对Spring Security越来越疑惑,此篇文章要用最简单的示例实现出真正的前后端完全分离的权限校验实现。
1. pom.xml
主要依赖是
spring-boot-starter-security和jwt。
<dependency>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-webartifactId>
dependency>
<dependency>
<groupId>org.springframework.bootgroupId>
<artifactId>spring-boot-starter-securityartifactId>
dependency>
<dependency>
<groupId>io.jsonwebtokengroupId>
<artifactId>jjwt-apiartifactId>
<version>${jjwt.version}version>
dependency>
<dependency>
<groupId>io.jsonwebtokengroupId>
<artifactId>jjwt-implartifactId>
<version>${jjwt.version}version>
dependency>
<dependency>
<groupId>io.jsonwebtokengroupId>
<artifactId>jjwt-jacksonartifactId>
<version>${jjwt.version}version>
dependency>
<dependency>
<groupId>org.apache.commonsgroupId>
<artifactId>commons-lang3artifactId>
<version>3.9version>
dependency>
<dependency>
<groupId>org.projectlombokgroupId>
<artifactId>lombokartifactId>
<optional>trueoptional>
dependency>
2. User
@Data
@ToString
@NoArgsConstructor
@AllArgsConstructor
public class User implements UserDetails {
private Long id;
private String username;
private String password;
private Boolean enabled;
private List authorities;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return this.authorities;
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return this.enabled;
}
}
3. UserDetailsService
@RequiredArgsConstructor
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public User loadUserByUsername(String username) {
List authorities = Arrays.asList(
new SimpleGrantedAuthority("user:add"),
new SimpleGrantedAuthority("user:view"),
new SimpleGrantedAuthority("user:update"));
User user = new User(1L, username, passwordEncoder.encode("123456"), true, authorities);
if (user == null) {
throw new UsernameNotFoundException("用户名或者密码错误");
}
return user;
}
}
4. TokenProvider
/**
* JWT Token提供器
*/
@Slf4j
@Component
public class TokenProvider implements InitializingBean {
public static final String AUTHORITIES_KEY = "auth";
private JwtParser jwtParser;
private JwtBuilder jwtBuilder;
@Override
public void afterPropertiesSet() {
// 必须使用最少88位的Base64对该令牌进行编码
String secret = "必须使用最少88位的Base64对该令牌进行编码,一般是配置在application.yml中,需要预先定义好";
byte[] keyBytes = Decoders.BASE64.decode(secret);
Key key = Keys.hmacShaKeyFor(keyBytes);
jwtParser = Jwts.parserBuilder().setSigningKey(key).build();
jwtBuilder = Jwts.builder().signWith(key, SignatureAlgorithm.HS512);
}
public String createToken(Authentication authentication) {
// 获取权限列表
String authorities = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.joining(","));
return jwtBuilder
// 加入ID确保生成的 Token 都不一致
.setId(UUID.randomUUID().toString())
// 权限列表
.claim(AUTHORITIES_KEY, authorities)
// username
.setSubject(authentication.getName())
// 过期时间
.setExpiration(DateUtils.addDays(new Date(), 1))
.compact();
}
/**
* 从token中获取认证信息
* @param token
* @return
*/
public Authentication getAuthentication(String token) {
Claims claims = jwtParser.parseClaimsJws(token).getBody();
Object authoritiesStr = claims.get(AUTHORITIES_KEY);
Collection<? extends GrantedAuthority> authorities =
authoritiesStr != null ?
Arrays.stream(authoritiesStr.toString().split(","))
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList()) : Collections.emptyList();
User principal = new User(claims.getSubject(), "******", authorities);
return new UsernamePasswordAuthenticationToken(principal, token, authorities);
}
}
5. AccessDeniedHandler
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
// 当用户在没有授权的情况下访问受保护的REST资源时,将调用此方法发送403 Forbidden响应
response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
}
}
6. AuthenticationEntryPoint
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException) throws IOException {
// 当用户尝试访问安全的REST资源而不提供任何凭据时,将调用此方法发送401响应
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException == null ? "Unauthorized" : authException.getMessage());
}
}
7. TokenFilter
@Slf4j
@Component
public class TokenFilter extends GenericFilterBean {
private TokenProvider tokenProvider;
public TokenFilter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
String bearerToken = httpServletRequest.getHeader("Authorization");
String token = null;
if (!StringUtils.isEmpty(bearerToken) && bearerToken.startsWith("Bearer")) {
token = bearerToken.replace("Bearer", "");
}
if (!StringUtils.isEmpty(token)) {
Authentication authentication = tokenProvider.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(servletRequest, servletResponse);
}
}
8. WebMvcConfigurer
@Configuration
@EnableWebMvc
public class WebMvcConfigurerAdapter implements WebMvcConfigurer {
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
}
9. TokenConfigurer
@RequiredArgsConstructor
public class TokenConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
private TokenProvider tokenProvider;
public TokenConfigurer(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
public void configure(HttpSecurity http) {
TokenFilter customFilter = new TokenFilter(tokenProvider);
http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
}
}
10. SecurityConfig
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CorsFilter corsFilter;
@Autowired
private TokenProvider tokenProvider;
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtAccessDeniedHandler jwtAccessDeniedHandler;
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// 去除 ROLE_ 前缀
return new GrantedAuthorityDefaults("");
}
@Bean
public PasswordEncoder passwordEncoder() {
// 密码加密方式
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// 禁用 CSRF
.csrf().disable()
.addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
// 授权异常
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint)
.accessDeniedHandler(jwtAccessDeniedHandler)
// 防止iframe 造成跨域
.and()
.headers()
.frameOptions()
.disable()
// 不创建会话
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// 静态资源等等
.antMatchers(
HttpMethod.GET,
"/*.html",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/webSocket/**"
).permitAll()
// swagger 文档
.antMatchers("/swagger-ui.html").permitAll()
.antMatchers("/swagger-resources/**").permitAll()
.antMatchers("/webjars/**").permitAll()
.antMatchers("/*/api-docs").permitAll()
// 文件
.antMatchers("/avatar/**").permitAll()
.antMatchers("/file/**").permitAll()
// 阿里巴巴 druid
.antMatchers("/druid/**").permitAll()
// 放行OPTIONS请求
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
// 不需要认证的接口
.antMatchers("/auth/login").permitAll()
// 所有请求都需要认证
.anyRequest().authenticated()
.and().apply(securityConfigurerAdapter());
}
private TokenConfigurer securityConfigurerAdapter() {
return new TokenConfigurer(tokenProvider);
}
}
11. AuthController
@RestController
@RequestMapping("/auth")
public class AuthController {
@Autowired
private TokenProvider tokenProvider;
@Autowired
private AuthenticationManagerBuilder authenticationManagerBuilder;
@RequestMapping("/login")
public String login() {
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken("monday", "123456");
// 会调用 UserDetailsService.loadUserByUsername
Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
String token = tokenProvider.createToken(authentication);
return token;
}
}
12. UserController
@RestController
@RequestMapping("/user")
public class UserController {
@RequestMapping("/add")
@PreAuthorize("hasAnyRole(\'user:add\')")
public String add() {
return "user:add";
}
@RequestMapping("/update")
@PreAuthorize("hasAnyRole(\'user:update\')")
public String update() {
return "user:update";
}
@RequestMapping("/view")
@PreAuthorize("hasAnyRole(\'user:view\')")
public String view() {
return "user:view";
}
@RequestMapping("/delete")
@PreAuthorize("hasAnyRole(\'user:delete\')")
public String delete() {
return "user:delete";
}
}
访问有权限的接口。
访问没有权限的接口被拒绝。
13. Spring Security 认证和授权原理
- 用户登录会调用UserDetailsService对用户名和密码进行检查,返回用户名、密码、权限字符串列表,认证成功后就会将用户信息放在安全上下文中SecurityContext。
- 当用户访问带有权限的接口,Spring Security会调用TokenFilter获取到token,解析token并存入到安全上下文SecurityContext中,然后检查@PreAuthorize(“hasAnyRole(\’user:add\’)”)配置的权限字符串是否在SecurityContext中用户的authorities列表中,如果在表示有权限放行,如果不在表示没有权限,则执行AccessDeniedHandler返回。
内容出处:,
声明:本网站所收集的部分公开资料来源于互联网,转载的目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。如果您发现网站上有侵犯您的知识产权的作品,请与我们取得联系,我们会及时修改或删除。文章链接:http://www.yixao.com/procedure/23071.html
赞 (0)
打赏
微信扫一扫
支付宝扫一扫
微信扫一扫
支付宝扫一扫
2021年前端开发变化趋势浅析
上一篇
2021-05-10 09:13
Python在selenium里面注入JavaScript程序的方法
下一篇
2021-05-10 09:40
相关推荐
-
斐波那契数列:python实现和可视化
1 说明 ==== 1.1 斐波那契数列的介绍。 1.2 斐波那契数列是上帝的指纹,大自然中随处可见,目前广泛应用到黄金分割线的布局美和股市等预测等等。 1.3 斐波那契数列的py…
-
20条非常实用的Python代码实例
据说Python之父-Guido Van Rossum打算让CPython更快,速度直接翻五倍,这是实实在在的好消息。 Python一直以来被诟病速度慢,影响开发效率,希望这次Gu…
-
Nginx:SSL的安装和配置
证书申请: 比如:阿里云提供期限为1年的免费证书。 SSL模块安装 查看是否已经安装了http_ssl_module模块 # 如未出现configure arguments: –w…
-
mysql主键重复则更新,不重复则插入
mysql主键重复则更新,不重复则插入 一,建表 CREATE TABLE `test_01` ( `id` int NOT NULL , `name` varchar(6) DE…
-
TypeScript实现八大排序与搜索算法
前言 我们在页面上渲染数据时,通常会根据特定规则来对数据进行一个排序,然后再将其渲染到页面展示给用户。哪么对数据进行排序有很多种方式,哪一种效率高?哪一种稳定性好?那一种占用内存小…
-
基于网传的shell脚本,进行简单优化
近日看到网上流传的脚本集合,看了一下,写得都非常好。不过个人感觉有几个例子写得有点啰嗦,所以做了一点优化,算抛砖引玉吧,一起探讨交流,部分脚本如下: 第一题,文本格式化: 请把下面…
-
在web开发中,为什么前端比后端更得到转行程序员的青睐
Web开发分类与区别 在软件开发行业中,通常会将web开发分成Web前端开发和Web后端开发。参照这两个分类,因此就有了Web前端开发工程师Web后端开发工程师。通常面试过程中,说…
-
Apple In App Purchase(IAP) 实战
之前和 Flutter 开发的同学整了很久的 IAP,坑实在是太多了,所以需要一条条的来解释,如果有和我一样的倒霉鬼,希望通过这一篇集合的文章让大家在开发阶段更加顺利。 注:本文不…
-
微信小程序登录授权—解密encryptedData
1.过程: 微信小程序授权的时候在服务端如果需要保持用户昵称、头像等数据, 则一般在小程序端将加密的数据encryptedData传到服务端进行解密, 再将数据存入数据库。 2. …
-
iView实现table渲染html标签内容
在应用Vue进行项目开发过程中,应用this.$refs[name].resetFields();实现表单搜索元素重置时发现失效。经检查发现是form-item绑定的属性prop与包裹元素el-input绑定值不一致造成的。