SpringSecurity+JWT结合保驾护航Restful API
标签(空格分隔): springsecurity jwt
角色设置
- 用户权限表结构(关系型数据库)
角色权限表
CREATE TABLE `role` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT 'id',
`name` varchar(50) DEFAULT NULL COMMENT 'name',
`descn` varchar(50) DEFAULT NULL COMMENT 'descn',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8 COMMENT='角色表';
CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT 'id',
`username` varchar(50) DEFAULT NULL COMMENT 'username',
`password` varchar(100) DEFAULT NULL COMMENT 'password',
`status` varchar(1024) DEFAULT NULL COMMENT 'status',
`descn` varchar(1024) DEFAULT NULL COMMENT 'descd',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8 COMMENT='用户表';
CREATE TABLE `user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT 'id',
`user_id` int(11) DEFAULT NULL COMMENT '用户表_id',
`role_id` int(11) DEFAULT NULL COMMENT '角色表_id',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8 COMMENT='用户角色表';
- dao实现
@Entity
@Data
public class User {
@Id
@GeneratedValue
private Integer id;
/** 用户名 .*/
private String username;
/** 密码 .*/
private String password;
/** 状态 .*/
private String status;
/** 描述 .*/
private String descn;
}
@Entity
@Data
public class Role {
@Id
@GeneratedValue
private Integer id;
/** 用户类型 .*/
private String name;
/** 权限说明.*/
private String descn;
}
@Entity
@Data
@Table(name = "user_role")
public class UserRole {
@Id
@GeneratedValue
private Integer id;
/** 用户id .*/
private Integer userId;
/** 权限id .*/
private Integer roleId;
}
public interface UserRepository extends JpaRepository<User,Integer> {
/** 用户名查询用户信息.*/
User findByUsername(String userName);
}
public interface RoleRepository extends JpaRepository<Role,Integer> {
/** 查询结果 .*/
List<Role> findByIdIn(List<Integer> ids);
}
public interface UserRoleRepository extends JpaRepository<UserRole,Integer>{
/** 查询结果 .*/
List<UserRole> findByUserId(Integer userId);
}
- 业务实现
由于看的博客中的数据库貌似是mongo,本人不太熟悉非关系型数据库,所以用户权限的获取,比较复杂,通过用户id关联查询获取.jpa的方案用这个获取用户权限集合有点稍微复杂了一点,可能是我jpa用的太浅薄了.
<!--服务接口-->
public interface UserRoleService {
/** 结果封装 .*/
List<Integer> findByUserRole(List<UserRole> userRoles);
/** 结果查询 .*/
List<UserRole> findByUserId(Integer userid);
}
public interface RoleService {
/** 组装用户权限 .*/
List<String> findByRole(List<Role> roles);
/** 根据id集合查找结果 .*/
List<Role> findById(List<Integer> ids);
}
<!--实现类-->
@Service
public class UserRoleServiceImpl implements UserRoleService {
@Autowired
private UserRoleRepository repository;
@Override
public List<Integer> findByUserRole(List<UserRole> userRoles) {
List<Integer> result = new ArrayList<>();
for(UserRole userRole : userRoles){
result.add(userRole.getRoleId());
}
return result;
}
@Override
public List<UserRole> findByUserId(Integer userid) {
return repository.findByUserId(userid);
}
}
@Service
public class RoleServiceImpl implements RoleService{
@Autowired
private RoleRepository repository;
@Override
public List<String> findByRole(List<Role> roles) {
List<String> result = new ArrayList<>();
for (Role role : roles){
result.add(role.getName());
}
return result;
}
@Override
public List<Role> findById(List<Integer> ids) {
return repository.findByIdIn(ids);
}
}
JWT
JWT是一种用于双方之间传递安全信息的简洁的、URL安全的表述性声明规范。JWT作为一个开放的标准(RFC 7519),定义了一种简洁的,自包含的方法用于通信双方之间以Json对象的形式安全的传递信息。因为数字签名的存在,这些信息是可信的,JWT可以使用HMAC算法或者是RSA的公私秘钥对进行签名。
- jwtuser 安全模块模型
@Data
public class JwtUser implements UserDetails{
private final String username;
private final String password;
private final Collection<? extends GrantedAuthority> authorities;
public JwtUser(String username, String password,Collection<? extends GrantedAuthority> authorities) {
this.username = username;
this.password = password;
this.authorities=authorities;
}
@JsonIgnore
@Override
public boolean isAccountNonExpired() {
return true;
}
@JsonIgnore
@Override
public boolean isAccountNonLocked() {
return true;
}
@JsonIgnore
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@JsonIgnore
@Override
public boolean isEnabled() {
return true;
}
}
- JWT service
jwt实现类 用于用户信息的验证
@Service
public class JwtUserDetailsServiceImpl implements UserDetailsService{
@Autowired
private UserRepository userRepository;
@Autowired
private RoleService roleService;
@Autowired
private UserRoleService userRoleService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
if (user == null) {
throw new UsernameNotFoundException(String.format("No user found with username '%s'.", username));
} else {
return new JwtUser(user.getUsername(), user.getPassword(), getRoles(user.getId()).stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
}
}
/**
* 用户权限集合获取
* @param userId
* @return
*/
private List<String> getRoles(Integer userId){
List<String> result = roleService.findByRole(roleService.findById(userRoleService.findByUserRole(userRoleService.findByUserId(userId))));
return result;
}
}
- JWT TOKEN 生成参数
<!--yml采用配置方案-->
jwttoken:
secrect: aaaaa
expirationtime: 432_000_000
token_prefix: "Bearer "
header_string: Authorization
<!--参数获取-->
@Data
@ConfigurationProperties(prefix = "jwttoken")
@Component
public class JwtTokenConfig {
/** token 过期时间 .*/
private Long expirationtime;
/** jwttoken 密钥 .*/
private String secrect;
/** token 前缀 .*/
private String token_prefix;
/** 存放token 头部key .*/
private String header_string;
}
- JWT TOKEN 生成与验证
@Component
public class JwtTokenUtil implements Serializable{
@Autowired
private JwtTokenConfig jwtTokenConfig;
/**
* 数据声明生成令牌
* @param claims 数据声明
* @return 令牌
*/
private String generateToken(Map<String,Object> claims){
Date expirationDate = new Date(System.currentTimeMillis()+jwtTokenConfig.getExpirationtime());
return Jwts.builder().setClaims(claims).setExpiration(expirationDate).
signWith(SignatureAlgorithm.HS512,jwtTokenConfig.getSecrect()).compact();
}
/**
* 从令牌中获取数据声明
* @param token 令牌
* @return 声明
*/
private Claims getClaimsFromToken(String token){
Claims claims;
try {
claims = Jwts.parser().setSigningKey(jwtTokenConfig.getSecrect()).parseClaimsJws(token).getBody();
} catch (Exception e) {
claims = null;
}
return claims;
}
/**
* 令牌生成
* @param userDetails
* @return
*/
public String generateToken(UserDetails userDetails){
Map<String,Object> claims = new HashMap<>();
claims.put("sub",userDetails.getUsername());
claims.put("created",new Date());
return generateToken(claims);
}
/**
* 令牌中获取用户名
* @param token
* @return
*/
public String getUsernameFromToken(String token){
String username;
try {
Claims claims = getClaimsFromToken(token);
username = claims.getSubject();
}catch (Exception e){
username = null;
}
return username;
}
/**
* 判断令牌是否过期
*
* @param token 令牌
* @return 是否过期
*/
public Boolean isTokenExpired(String token) {
try {
Claims claims = getClaimsFromToken(token);
Date expiration = claims.getExpiration();
return expiration.before(new Date());
} catch (Exception e) {
return false;
}
}
/**
* 刷新令牌
*
* @param token 原令牌
* @return 新令牌
*/
public String refreshToken(String token) {
String refreshedToken;
try {
Claims claims = getClaimsFromToken(token);
claims.put("created", new Date());
refreshedToken = generateToken(claims);
} catch (Exception e) {
refreshedToken = null;
}
return refreshedToken;
}
/**
* 验证令牌
*
* @param token 令牌
* @param userDetails 用户
* @return 是否有效
*/
public Boolean validateToken(String token, UserDetails userDetails) {
JwtUser user = (JwtUser) userDetails;
String username = getUsernameFromToken(token);
return (username.equals(user.getUsername()) && !isTokenExpired(token));
}
}
- JWT token 验证
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter{
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@Autowired
private JwtTokenConfig jwtTokenConfig;
@Autowired
public JwtAuthenticationTokenFilter(UserDetailsService userDetailsService, JwtTokenUtil jwtTokenUtil) {
this.userDetailsService = userDetailsService;
this.jwtTokenUtil = jwtTokenUtil;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
String authHeader = request.getHeader(jwtTokenConfig.getHeader_string());
if (authHeader != null && authHeader.startsWith(jwtTokenConfig.getToken_prefix())) {
String authToken = authHeader.substring(jwtTokenConfig.getToken_prefix().length());
String username = jwtTokenUtil.getUsernameFromToken(authToken);
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(authToken, userDetails)) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
}
chain.doFilter(request, response);
}
}
SpringSecurity
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。(百度的)
- 依赖引入
<!-- spring-security 和 jwt -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.7.0</version>
</dependency>
- 请求过滤处理
通过过滤的请求的方式,其中去除掉用户关于注册和登陆的方案,用户注册密码通过BCryptPasswordEncoder进行加密。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
private EntryPointUnauthorizedHandler entryPointUnauthorizedHandler;
private RestAccessDeniedHandler restAccessDeniedHandler;
private PasswordEncoder passwordEncoder;
@Autowired
public WebSecurityConfig(UserDetailsService userDetailsService, JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter, EntryPointUnauthorizedHandler entryPointUnauthorizedHandler, RestAccessDeniedHandler restAccessDeniedHandler) {
this.userDetailsService = userDetailsService;
this.jwtAuthenticationTokenFilter = jwtAuthenticationTokenFilter;
this.entryPointUnauthorizedHandler = entryPointUnauthorizedHandler;
this.restAccessDeniedHandler = restAccessDeniedHandler;
this.passwordEncoder = new BCryptPasswordEncoder();
}
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder);
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/user/**").permitAll()
.anyRequest().authenticated()
.and().headers().cacheControl();
httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
httpSecurity.exceptionHandling().authenticationEntryPoint(entryPointUnauthorizedHandler).accessDeniedHandler(restAccessDeniedHandler);
}
}
- 用户注册业务
<!--接口-->
public interface UserService {
/**
* 用户登录
*
* @param username 用户名
* @param password 密码
* @return 操作结果
*/
String login(String username, String password);
/**
* 用户注册
*
* @param user 用户信息
* @return 操作结果
*/
String register(User user);
/**
* 刷新密钥
*
* @param oldToken 原密钥
* @return 新密钥
*/
String refreshToken(String oldToken);
}
<!--实现-->
@Service
public class UserServiceImpl implements UserService {
private AuthenticationManager authenticationManager;
private UserDetailsService userDetailsService;
private JwtTokenUtil jwtTokenUtil;
@Autowired
private UserRepository userRepository;
@Autowired
private UserRoleRepository userRoleRepository;
@Autowired
public UserServiceImpl(AuthenticationManager authenticationManager, UserDetailsService userDetailsService, JwtTokenUtil jwtTokenUtil, UserRepository userRepository) {
this.authenticationManager = authenticationManager;
this.userDetailsService = userDetailsService;
this.jwtTokenUtil = jwtTokenUtil;
this.userRepository = userRepository;
}
@Override
public String login(String username, String password) {
UsernamePasswordAuthenticationToken upToken = new UsernamePasswordAuthenticationToken(username, password);
Authentication authentication = authenticationManager.authenticate(upToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
return jwtTokenUtil.generateToken(userDetails);
}
@Override
public String register(User user) {
String username = user.getUsername();
if (userRepository.findByUsername(username) != null) {
return "用户已存在";
}
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String rawPassword = user.getPassword();
user.setPassword(encoder.encode(rawPassword));
User result = userRepository.save(user);
UserRole userRole = new UserRole();
userRole.setUserId(result.getId());
userRole.setRoleId(2);
userRoleRepository.save(userRole);
return "success";
}
@Override
public String refreshToken(String oldToken) {
String token = oldToken.substring("Bearer ".length());
if (!jwtTokenUtil.isTokenExpired(token)) {
return jwtTokenUtil.refreshToken(token);
}
return "error";
}
}
- 用户请求层
@CrossOrigin
@RestController
@RequestMapping(value = "/user", produces = "text/html;charset=UTF-8")
public class UserController {
private UserService userService;
@Autowired
public UserController(UserService userService) {
this.userService = userService;
}
/**
* 用户登录
*
* @param username 用户名
* @param password 密码
* @return 操作结果
* @throws AuthenticationException 错误信息
*/
@PostMapping(value = "/login", params = {"username", "password"})
public String getToken(String username, String password) throws AuthenticationException {
return userService.login(username, password);
}
/**
* 用户注册
*
* @param user 用户信息
* @return 操作结果
* @throws AuthenticationException 错误信息
*/
@PostMapping(value = "/register")
public String register(User user) throws AuthenticationException {
return userService.register(user);
}
/**
* 刷新密钥
*
* @param authorization 原密钥
* @return 新密钥
* @throws AuthenticationException 错误信息
*/
@GetMapping(value = "/refreshToken")
public String refreshToken(@RequestHeader String authorization) throws AuthenticationException {
return userService.refreshToken(authorization);
}
}
- 异常违规处理
@Component
public class EntryPointUnauthorizedHandler implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
}
}
@Component
public class RestAccessDeniedHandler implements AccessDeniedHandler{
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
}
}
- 进行token验证的控制层
我们将对学生进行增删改查的请求层进行只有是用户的权限才能访问的过滤.
@PreAuthorize("hasRole('USER')")
用户权限
测试结果
- 注册用户
http://127.0.0.1:8088/user/register?username=123456789@qq.com&password=abcdef&status=1&descn=测试
用户注册
注册结果
- token获取
通过刚才的注册的用户进行token的获取.
http://localhost:8088/user/login?username=123456789@qq.com&password=abcdef
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODlAcXEuY29tIiwiY3JlYXRlZCI6MTUxNjAwMDA1MDkyOCwiZXhwIjoxNTE2NDMyMDUwfQ.MUEpKmBGPSP8qfZtZ2hYduDjCMYrwjqFPgkvQIfvBwgiIaytzwKtBO02VTlJlfCyIVz0Lo2lOh0ktt4-SZgh7w
token获取
token解析
- 获取学生信息
通过请求头部添加token获取信息.
Authorization
Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODlAcXEuY29tIiwiY3JlYXRlZCI6MTUxNjAwMDA1MDkyOCwiZXhwIjoxNTE2NDMyMDUwfQ.MUEpKmBGPSP8qfZtZ2hYduDjCMYrwjqFPgkvQIfvBwgiIaytzwKtBO02VTlJlfCyIVz0Lo2lOh0ktt4-SZgh7w
未加token请求获取学生信息
添加token获取结果
- 借鉴博客( Spring Boot中使用使用Spring Security和JWT )
- 源码上传Git 渴望你的star
- 本篇博客撰写人: XiaoJinZi 转载请注明出处
- 学生能力有限 附上邮箱: 986209501@qq.com 不足以及误处请大佬指责
