SpringSecurity整合jwt
1.pom.xml
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.6.4</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.yl</groupId><artifactId>jwt</artifactId><version>0.0.1-SNAPSHOT</version><name>jwt</name><description>Demo project for Spring Boot</description><properties><java.version>11</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.1</version></dependency><dependency><groupId>javax.xml.bind</groupId><artifactId>jaxb-api</artifactId><version>2.3.0</version></dependency><dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-impl</artifactId><version>2.3.0</version></dependency><dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-core</artifactId><version>2.3.0</version></dependency><dependency><groupId>javax.activation</groupId><artifactId>activation</artifactId><version>1.1.1</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>
2.用户实体类
package com.yl.jwt.model;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.userdetails.UserDetails;import java.util.Collection;import java.util.List;public class User implements UserDetails {private String username;private String password;private List<GrantedAuthority> authorities;@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return null;}@Overridepublic String getPassword() {return password;}@Overridepublic String getUsername() {return username;}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}public void setUsername(String username) {this.username = username;}public void setPassword(String password) {this.password = password;}public void setAuthorities(List<GrantedAuthority> authorities) {this.authorities = authorities;}}
3. 自定义认证拦截器,登录成功,则返回token
package com.yl.jwt.filter;import com.fasterxml.jackson.databind.ObjectMapper;import com.yl.jwt.model.User;import io.jsonwebtoken.Jwts;import io.jsonwebtoken.SignatureAlgorithm;import org.springframework.security.authentication.AuthenticationManager;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;import org.springframework.security.core.Authentication;import org.springframework.security.core.AuthenticationException;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;import org.springframework.security.web.util.matcher.AntPathRequestMatcher;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.io.PrintWriter;import java.util.Collection;import java.util.Date;import java.util.HashMap;import java.util.Map;//登录成功返回token,登录失败返回错误信息public class JwtLoginFilter extends AbstractAuthenticationProcessingFilter {public JwtLoginFilter(String defaultFilterProcessesUrl, AuthenticationManager authenticationManager) {super(new AntPathRequestMatcher(defaultFilterProcessesUrl));setAuthenticationManager(authenticationManager);}@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {User user = new ObjectMapper().readValue(request.getInputStream(),User.class);return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(),user.getPassword()));}//登陆成功@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {//获取当前用户的角色Collection<? extends GrantedAuthority> authorities = authResult.getAuthorities();StringBuilder sb = new StringBuilder();for (GrantedAuthority authority : authorities) {sb.append(authorities + ",");}// 构造tokenString token = Jwts.builder().claim("authorities",sb).setSubject(authResult.getName()).setExpiration(new Date(System.currentTimeMillis() + 60 * 60 * 1000)).signWith(SignatureAlgorithm.HS512,"admin@123").compact();Map<String,Object> map = new HashMap<>();map.put("token",token);map.put("msg","login success");response.setContentType("application/json;charset=utf-8");PrintWriter writer = response.getWriter();writer.write(new ObjectMapper().writeValueAsString(map));writer.flush();writer.close();}//登录失败@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {Map<String,Object> map = new HashMap<>();map.put("msg","login fail");response.setContentType("application/json;charset=utf-8");PrintWriter writer = response.getWriter();writer.write(new ObjectMapper().writeValueAsString(map));writer.flush();writer.close();}}
4. 自定义校验拦截器,校验用户每次发请求时携带的token是否正确
package com.yl.jwt.filter;import io.jsonwebtoken.Claims;import io.jsonwebtoken.Jws;import io.jsonwebtoken.Jwts;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.authority.AuthorityUtils;import org.springframework.security.core.context.SecurityContext;import org.springframework.security.core.context.SecurityContextHolder;import org.springframework.web.filter.GenericFilterBean;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import java.io.IOException;import java.util.List;//用于校验每次用户访问接口时携带的token正不正确public class JwtFilter extends GenericFilterBean {@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest)request;//从请求头获取token,注意:前端在传的时候也应当放在请求头里String authorization = req.getHeader("authorization");Jws<Claims> jws = Jwts.parser().setSigningKey("admin@123").parseClaimsJws(authorization.replaceAll("Bearer", ""));Claims body = jws.getBody();String username = body.getSubject();List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList((String) body.get("authorities"));UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username,null,authorities);SecurityContextHolder.getContext().setAuthentication(token);filterChain.doFilter(request,response);}}
5. security的配置
package com.yl.jwt.config;import com.yl.jwt.filter.JwtFilter;import com.yl.jwt.filter.JwtLoginFilter;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;import org.springframework.security.crypto.password.PasswordEncoder;import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter {@BeanPasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication().withUser("root").password("$2a$10$O8G0X/sUPAA76MV7U3BwY.3Uo8/QMBcqK678Rwkoz.fowbce.CLtO") //123.roles("root").and().withUser("admin").password("$2a$10$O8G0X/sUPAA76MV7U3BwY.3Uo8/QMBcqK678Rwkoz.fowbce.CLtO") //123.roles("admin");}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/root").hasRole("root").antMatchers("/admin").hasRole("admin").antMatchers("/login").permitAll().anyRequest().authenticated().and().addFilterBefore(new JwtLoginFilter("/login",authenticationManager()), UsernamePasswordAuthenticationFilter.class).addFilterBefore(new JwtFilter(),UsernamePasswordAuthenticationFilter.class).csrf().disable();}}
6. controller
package com.yl.jwt.controller;import org.springframework.web.bind.annotation.GetMapping;import org.springframework.web.bind.annotation.RestController;@RestControllerpublic class HelloController {@GetMapping("/hello")public String hello() {return "hello";}@GetMapping("/admin")public String admin() {return "hello admin";}@GetMapping("/root")public String root() {return "hello root";}}
7. 测试
1.没携带token访问接口
2.以json格式传参,登录获取token
3.携带token访问接口
版权说明 : 本文为转载文章, 版权归原作者所有 版权申明
原文链接 : https://blog.csdn.net/weixin_41359273/article/details/123617681
内容来源于网络,如有侵权,请联系作者删除!