本文主要通过整合SpringSecurity和JWT实现后台用户的登录和授权功能,同时改造Swagger-UI的配置使其可以自动记住登录令牌进行发送。
项目使用框架介绍
SpringSecurity
JWT
JWT是JSON WEB TOKEN的缩写,它是基于 RFC 7519 标准定义的一种可以安全传输的的JSON对象,由于使用了数字签名,所以是可信任和安全的。
JWT的组成
- JWT token的格式:header.payload.signature
- header中用于存放签名的生成算法
{"alg": "HS"}
- payload中用于存放用户名、token的生成时间和过期时间
{"sub":"admin","created":,"exp":1489684781}
- signature为以header和payload生成的签名,一旦header和payload被篡改,验证将失败
| //secret为加密算法的密钥 | |
| String signature = HMACSHA(base64UrlEncode(header) + "." +base64UrlEncode(payload),secret) |
JWT实例
这是一个JWT的字符串
eyJhbGciOiJIUzUxMiJ.eyJzdWIiOiJhZG1pbiIsImNyZWF0ZWQiOjE1NTY3NzkxMjUzMDksImV4cCI6MTU1NzM4MzkyNX0.d-iki0193X0bBOETf2UN3r3PotNIEAV7mzIxxeI5IxFyzzkOZxS0PGfF_SK6wxCv2K8S0cZjMkv6b5bCqc0VBw
可以在该网站上获得解析结果:
JWT实现认证和授权的原理
- 用户调用登录接口,登录成功后获取到JWT的token;
- 之后用户每次调用接口都在http的header中添加一个叫Authorization的头,值为JWT的token;
- 后台程序通过对Authorization头中信息的解码及数字签名校验来获取其中的用户信息,从而实现认证和授权。
Hutool
Hutool是一个丰富的Java开源工具包,它帮助我们简化每一行代码,减少每一个方法,mall项目采用了此工具包。
项目使用表说明
- u_admin:用户表
- u_role:角色表
- u_permission:权限表
- u_admin_role_relation:用户和角色关系表,用户与角色是多对多关系
- u_role_permission_relation:角色和权限关系表,角色与权限是多对多关系
- u_admin_permission_relation:用户和权限关系表(除角色中定义的权限以外的加减权限),加权限是指用户比角色多出的权限,减权限是指用户比角色少的权限
整合SpringSecurity及JWT
在pom.xml中添加项目依赖
| <!--SpringSecurity依赖配置--> | |
| <dependency> | |
| <groupId>org.springframework.boot</groupId> | |
| <artifactId>spring-boot-starter-security</artifactId> | |
| </dependency> | |
| <!--Hutool Java工具包--> | |
| <dependency> | |
| <groupId>cn.hutool</groupId> | |
| <artifactId>hutool-all</artifactId> | |
| <version>.5.7</version> | |
| </dependency> | |
| <!--JWT(Json Web Token)登录支持--> | |
| <dependency> | |
| <groupId>io.jsonwebtoken</groupId> | |
| <artifactId>jjwt</artifactId> | |
| <version>.9.0</version> | |
| </dependency> |
添加JWT token的工具类
用于生成和解析JWT token的工具类
相关API方法说明:
- generateToken(UserDetails userDetails) :用于根据登录用户信息生成token
- getUserNameFromToken(String token):从token中获取登录用户的信息
- validateToken(String token, UserDetails userDetails):判断token是否还有效
| /** | |
| * JwtToken生成的工具类 | |
| */ | |
| public class JwtTokenUtil { | |
| private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class); | |
| private static final String CLAIM_KEY_USERNAME = "sub"; | |
| private static final String CLAIM_KEY_CREATED = "created"; | |
| ("${jwt.secret}") | |
| private String secret; | |
| ("${jwt.expiration}") | |
| private Long expiration; | |
| /** | |
| * 根据负责生成JWT的token | |
| */ private String generateToken(Map<String, Object> claims) { | |
| return Jwts.builder() | |
| .setClaims(claims) | |
| .setExpiration(generateExpirationDate()) | |
| .signWith(SignatureAlgorithm.HS, secret) | |
| .compact(); | |
| } | |
| /** | |
| * 从token中获取JWT中的负载 | |
| */ private Claims getClaimsFromToken(String token) { | |
| Claims claims = null; | |
| try { | |
| claims = Jwts.parser() | |
| .setSigningKey(secret) | |
| .parseClaimsJws(token) | |
| .getBody(); | |
| } catch (Exception e) { | |
| LOGGER.info("JWT格式验证失败:{}",token); | |
| } | |
| return claims; | |
| } | |
| /** | |
| * 生成token的过期时间 | |
| */ private Date generateExpirationDate() { | |
| return new Date(System.currentTimeMillis() + expiration *); | |
| } | |
| /** | |
| * 从token中获取登录用户名 | |
| */ public String getUserNameFromToken(String token) { | |
| String username; | |
| try { | |
| Claims claims = getClaimsFromToken(token); | |
| username = claims.getSubject(); | |
| } catch (Exception e) { | |
| username = null; | |
| } | |
| return username; | |
| } | |
| /** | |
| * 验证token是否还有效 | |
| * | |
| * @param token 客户端传入的token | |
| * @param userDetails 从数据库中查询出来的用户信息 | |
| */ public boolean validateToken(String token, UserDetails userDetails) { | |
| String username = getUserNameFromToken(token); | |
| return username.equals(userDetails.getUsername()) && !isTokenExpired(token); | |
| } | |
| /** | |
| * 判断token是否已经失效 | |
| */ private boolean isTokenExpired(String token) { | |
| Date expiredDate = getExpiredDateFromToken(token); | |
| return expiredDate.before(new Date()); | |
| } | |
| /** | |
| * 从token中获取过期时间 | |
| */ private Date getExpiredDateFromToken(String token) { | |
| Claims claims = getClaimsFromToken(token); | |
| return claims.getExpiration(); | |
| } | |
| /** | |
| * 根据用户信息生成token | |
| */ public String generateToken(UserDetails userDetails) { | |
| Map<String, Object> claims = new HashMap<>(); | |
| claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername()); | |
| claims.put(CLAIM_KEY_CREATED, new Date()); | |
| return generateToken(claims); | |
| } | |
| /** | |
| * 判断token是否可以被刷新 | |
| */ public boolean canRefresh(String token) { | |
| return !isTokenExpired(token); | |
| } | |
| /** | |
| * 刷新token | |
| */ public String refreshToken(String token) { | |
| Claims claims = getClaimsFromToken(token); | |
| claims.put(CLAIM_KEY_CREATED, new Date()); | |
| return generateToken(claims); | |
| } | |
| } |
添加SpringSecurity的配置类
| /** | |
| * SpringSecurity的配置 | |
| */ | |
| public class SecurityConfig extends WebSecurityConfigurerAdapter { | |
| private UmsAdminService adminService; | |
| private RestfulAccessDeniedHandler restfulAccessDeniedHandler; | |
| private RestAuthenticationEntryPoint restAuthenticationEntryPoint; | |
| protected void configure(HttpSecurity httpSecurity) throws Exception { | |
| httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf | |
| .disable() | |
| .sessionManagement()// 基于token,所以不需要session | |
| .sessionCreationPolicy(SessionCreationPolicy.STATELESS) | |
| .and() | |
| .authorizeRequests() | |
| .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问 | |
| "/", | |
| "/*.html", | |
| "/favicon.ico", | |
| "/**/*.html", | |
| "/**/*.css", | |
| "/**/*.js", | |
| "/swagger-resources/**", | |
| "/v/api-docs/**" | |
| ) | |
| .permitAll() | |
| .antMatchers("/admin/login", "/admin/register")// 对登录注册要允许匿名访问 | |
| .permitAll() | |
| .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求 | |
| .permitAll() | |
| // .antMatchers("/**")//测试时全部运行访问 | |
| // .permitAll() | |
| .anyRequest()// 除上面外的所有请求全部需要鉴权认证 | |
| .authenticated(); | |
| // 禁用缓存 | |
| httpSecurity.headers().cacheControl(); | |
| // 添加JWT filter | |
| httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class); | |
| //添加自定义未授权和未登录结果返回 | |
| httpSecurity.exceptionHandling() | |
| .accessDeniedHandler(restfulAccessDeniedHandler) | |
| .authenticationEntryPoint(restAuthenticationEntryPoint); | |
| } | |
| protected void configure(AuthenticationManagerBuilder auth) throws Exception { | |
| auth.userDetailsService(userDetailsService()) | |
| .passwordEncoder(passwordEncoder()); | |
| } | |
| public PasswordEncoder passwordEncoder() { | |
| return new BCryptPasswordEncoder(); | |
| } | |
| public UserDetailsService userDetailsService() { | |
| //获取登录用户信息 | |
| return username -> { | |
| UmsAdmin admin = adminService.getAdminByUsername(username); | |
| if (admin != null) { | |
| List<UmsPermission> permissionList = adminService.getPermissionList(admin.getId()); | |
| return new AdminUserDetails(admin,permissionList); | |
| } | |
| throw new UsernameNotFoundException("用户名或密码错误"); | |
| }; | |
| } | |
| public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){ | |
| return new JwtAuthenticationTokenFilter(); | |
| } | |
| public AuthenticationManager authenticationManagerBean() throws Exception { | |
| return super.authenticationManagerBean(); | |
| } | |
| } |
相关依赖及方法说明
- configure(HttpSecurity httpSecurity):用于配置需要拦截的url路径、jwt过滤器及出异常后的处理器;
- configure(AuthenticationManagerBuilder auth):用于配置UserDetailsService及PasswordEncoder;
- RestfulAccessDeniedHandler:当用户没有访问权限时的处理器,用于返回JSON格式的处理结果;
- RestAuthenticationEntryPoint:当未登录或token失效时,返回JSON格式的结果;
- UserDetailsService:SpringSecurity定义的核心接口,用于根据用户名获取用户信息,需要自行实现;
- UserDetails:SpringSecurity定义用于封装用户信息的类(主要是用户信息和权限),需要自行实现;
- PasswordEncoder:SpringSecurity定义的用于对密码进行编码及比对的接口,目前使用的是BCryptPasswordEncoder;
- JwtAuthenticationTokenFilter:在用户名和密码校验前添加的过滤器,如果有jwt的token,会自行根据token信息进行登录。
添加RestfulAccessDeniedHandler
| /** | |
| * 当访问接口没有权限时,自定义的返回结果 | |
| */ | |
| public class RestfulAccessDeniedHandler implements AccessDeniedHandler{ | |
| public void handle(HttpServletRequest request, | |
| HttpServletResponse response, | |
| AccessDeniedException e) throws IOException, ServletException { | |
| response.setCharacterEncoding("UTF-"); | |
| response.setContentType("application/json"); | |
| response.getWriter().println(JSONUtil.parse(CommonResult.forbidden(e.getMessage()))); | |
| response.getWriter().flush(); | |
| } | |
| } |
添加RestAuthenticationEntryPoint
| /** | |
| * 当未登录或者token失效访问接口时,自定义的返回结果 | |
| */ | |
| public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint { | |
| public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException { | |
| response.setCharacterEncoding("UTF-"); | |
| response.setContentType("application/json"); | |
| response.getWriter().println(JSONUtil.parse(CommonResult.unauthorized(authException.getMessage()))); | |
| response.getWriter().flush(); | |
| } | |
| } |
添加AdminUserDetails
| /** | |
| * SpringSecurity需要的用户详情 | |
| */public class AdminUserDetails implements UserDetails { | |
| private UmsAdmin umsAdmin; | |
| private List<UmsPermission> permissionList; | |
| public AdminUserDetails(UmsAdmin umsAdmin, List<UmsPermission> permissionList) { | |
| this.umsAdmin = umsAdmin; | |
| this.permissionList = permissionList; | |
| } | |
| public Collection<? extends GrantedAuthority> getAuthorities() { | |
| //返回当前用户的权限 | |
| return permissionList.stream() | |
| .filter(permission -> permission.getValue()!=null) | |
| .map(permission ->new SimpleGrantedAuthority(permission.getValue())) | |
| .collect(Collectors.toList()); | |
| } | |
| public String getPassword() { | |
| return umsAdmin.getPassword(); | |
| } | |
| public String getUsername() { | |
| return umsAdmin.getUsername(); | |
| } | |
| public boolean isAccountNonExpired() { | |
| return true; | |
| } | |
| public boolean isAccountNonLocked() { | |
| return true; | |
| } | |
| public boolean isCredentialsNonExpired() { | |
| return true; | |
| } | |
| public boolean isEnabled() { | |
| return umsAdmin.getStatus().equals(); | |
| } | |
| } |
添加JwtAuthenticationTokenFilter
在用户名和密码校验前添加的过滤器,如果请求中有jwt的token且有效,会取出token中的用户名,然后调用SpringSecurity的API进行登录操作。
| /** | |
| * JWT登录授权过滤器 | |
| */public class JwtAuthenticationTokenFilter extends OncePerRequestFilter { | |
| private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class); | |
| private UserDetailsService userDetailsService; | |
| private JwtTokenUtil jwtTokenUtil; | |
| private String tokenHeader; | |
| private String tokenHead; | |
| protected void doFilterInternal(HttpServletRequest request, | |
| HttpServletResponse response, | |
| FilterChain chain) throws ServletException, IOException { | |
| String authHeader = request.getHeader(this.tokenHeader); | |
| if (authHeader != null && authHeader.startsWith(this.tokenHead)) { | |
| String authToken = authHeader.substring(this.tokenHead.length());// The part after "Bearer " | |
| String username = jwtTokenUtil.getUserNameFromToken(authToken); | |
| LOGGER.info("checking username:{}", username); | |
| if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { | |
| UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); | |
| if (jwtTokenUtil.validateToken(authToken, userDetails)) { | |
| UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); | |
| authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); | |
| LOGGER.info("authenticated user:{}", username); | |
| SecurityContextHolder.getContext().setAuthentication(authentication); | |
| } | |
| } | |
| } | |
| chain.doFilter(request, response); | |
| } | |
| } |
登录注册功能实现
添加UmsAdminController类
实现了后台用户登录、注册及获取权限的接口
| /** | |
| * 后台用户管理 | |
| */ | |
| public class UmsAdminController { | |
| private UmsAdminService adminService; | |
| private String tokenHeader; | |
| private String tokenHead; | |
| public CommonResult<UmsAdmin> register( UmsAdmin umsAdminParam, BindingResult result) { | |
| UmsAdmin umsAdmin = adminService.register(umsAdminParam); | |
| if (umsAdmin == null) { | |
| CommonResult.failed(); | |
| } | |
| return CommonResult.success(umsAdmin); | |
| } | |
| public CommonResult login( UmsAdminLoginParam umsAdminLoginParam, BindingResult result) { | |
| String token = adminService.login(umsAdminLoginParam.getUsername(), umsAdminLoginParam.getPassword()); | |
| if (token == null) { | |
| return CommonResult.validateFailed("用户名或密码错误"); | |
| } | |
| Map<String, String> tokenMap = new HashMap<>(); | |
| tokenMap.put("token", token); | |
| tokenMap.put("tokenHead", tokenHead); | |
| return CommonResult.success(tokenMap); | |
| } | |
| public CommonResult<List<UmsPermission>> getPermissionList( Long adminId) { | |
| List<UmsPermission> permissionList = adminService.getPermissionList(adminId); | |
| return CommonResult.success(permissionList); | |
| } | |
| } |
添加UmsAdminService接口
| /** | |
| * 后台管理员Service | |
| */public interface UmsAdminService { | |
| /** | |
| * 根据用户名获取后台管理员 | |
| */ UmsAdmin getAdminByUsername(String username); | |
| /** | |
| * 注册功能 | |
| */ UmsAdmin register(UmsAdmin umsAdminParam); | |
| /** | |
| * 登录功能 | |
| * @param username 用户名 | |
| * @param password 密码 | |
| * @return 生成的JWT的token | |
| */ String login(String username, String password); | |
| /** | |
| * 获取用户所有权限(包括角色权限和+-权限) | |
| */ List<UmsPermission> getPermissionList(Long adminId); | |
| } |
添加UmsAdminServiceImpl类
| /** | |
| * UmsAdminService实现类 | |
| */ | |
| public class UmsAdminServiceImpl implements UmsAdminService { | |
| private static final Logger LOGGER = LoggerFactory.getLogger(UmsAdminServiceImpl.class); | |
| private UserDetailsService userDetailsService; | |
| private JwtTokenUtil jwtTokenUtil; | |
| private PasswordEncoder passwordEncoder; | |
| ("${jwt.tokenHead}") | |
| private String tokenHead; | |
| private UmsAdminMapper adminMapper; | |
| private UmsAdminRoleRelationDao adminRoleRelationDao; | |
| public UmsAdmin getAdminByUsername(String username) { | |
| UmsAdminExample example = new UmsAdminExample(); | |
| example.createCriteria().andUsernameEqualTo(username); | |
| List<UmsAdmin> adminList = adminMapper.selectByExample(example); | |
| if (adminList != null && adminList.size() >) { | |
| return adminList.get(); | |
| } | |
| return null; | |
| } | |
| public UmsAdmin register(UmsAdmin umsAdminParam) { | |
| UmsAdmin umsAdmin = new UmsAdmin(); | |
| BeanUtils.copyProperties(umsAdminParam, umsAdmin); | |
| umsAdmin.setCreateTime(new Date()); | |
| umsAdmin.setStatus(); | |
| //查询是否有相同用户名的用户 | |
| UmsAdminExample example = new UmsAdminExample(); | |
| example.createCriteria().andUsernameEqualTo(umsAdmin.getUsername()); | |
| List<UmsAdmin> umsAdminList = adminMapper.selectByExample(example); | |
| if (umsAdminList.size() >) { | |
| return null; | |
| } | |
| //将密码进行加密操作 | |
| String encodePassword = passwordEncoder.encode(umsAdmin.getPassword()); | |
| umsAdmin.setPassword(encodePassword); | |
| adminMapper.insert(umsAdmin); | |
| return umsAdmin; | |
| } | |
| public String login(String username, String password) { | |
| String token = null; | |
| try { | |
| UserDetails userDetails = userDetailsService.loadUserByUsername(username); | |
| if (!passwordEncoder.matches(password, userDetails.getPassword())) { | |
| throw new BadCredentialsException("密码不正确"); | |
| } | |
| UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); | |
| SecurityContextHolder.getContext().setAuthentication(authentication); | |
| token = jwtTokenUtil.generateToken(userDetails); | |
| } catch (AuthenticationException e) { | |
| LOGGER.warn("登录异常:{}", e.getMessage()); | |
| } | |
| return token; | |
| } | |
| public List<UmsPermission> getPermissionList(Long adminId) { | |
| return adminRoleRelationDao.getPermissionList(adminId); | |
| } | |
| } |
Controller中如何操作
例如操作PmsBrandController接口中的方法添加访问权限
- 给查询接口添加pms:brand:read权限
- 给修改接口添加pms:brand:update权限
- 给删除接口添加pms:brand:delete权限
- 给添加接口添加pms:brand:create权限
例子:
| public CommonResult<List<PmsBrand>> getBrandList() { | |
| return CommonResult.success(brandService.listAllBrand()); | |
| } |