SpringBoot整合SpringSecurity-阿里云开发者社区

主页:写程序的小王叔叔的博客欢迎来访👀

支持:点赞收藏关注

1、说明

SpringSecurity是一个用于Java 企业级应用程序的安全框架,主要包含用户认证和用户授权两个方面.相比较Shiro而言,Security功能更加的强大,它可以很容易地扩展以满足更多安全控制方面的需求,但也相对它的学习成本会更高,两种框架各有利弊.实际开发中还是要根据业务和项目的需求来决定使用哪一种.

JWT是在Web应用中安全传递信息的规范,从本质上来说是Token的演变,是一种生成加密用户身份信息的Token,特别适用于分布式单点登陆的场景,无需在服务端保存用户的认证信息,而是直接对Token进行校验获取用户信息,使单点登录更为简单灵活.

2、项目环境

SpringBoot版本:2.1.6

SpringSecurity版本: 5.1.5

MyBatis-Plus版本: 3.1.0

JDK版本:1.8

数据表(SQL文件在项目中): 数据库中测试号的密码进行了加密,密码皆为123456：

Maven依赖如下：

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><scope>runtime</scope></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><!--Security依赖 --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><!-- MybatisPlus 核心库 --><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.1.0</version></dependency><!-- 引入阿里数据库连接池 --><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.6</version></dependency><!-- StringUtilS工具 --><dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.5</version></dependency><!-- JSON工具 --><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.45</version></dependency><!-- JWT依赖 --><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-jwt</artifactId><version>1.0.9.RELEASE</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.0</version></dependency></dependencies>

配置如下:

# 配置端口server:  port: 8764spring:# 配置数据源  datasource:    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/sans_security?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8&zeroDateTimeBehavior=convertToNull&useSSL=false
    username: root
    password: 123456    type: com.alibaba.druid.pool.DruidDataSource
# JWT配置jwt:# 密匙KEY  secret: JWTSecret
# HeaderKEY  tokenHeader: Authorization
# Token前缀字符  tokenPrefix: Sans-
# 过期时间 单位秒 1天后过期=86400 7天后过期=604800  expiration: 86400# 配置不需要认证的接口  antMatchers: /index/**,/login/**,/favicon.ico
# Mybatis-plus相关配置mybatis-plus:# xml扫描，多个目录用逗号或者分号分隔（告诉 Mapper 所对应的 XML 文件位置）  mapper-locations: classpath:mapper/*.xml
# 以下配置均有默认值,可以不设置  global-config:    db-config:#主键类型 AUTO:"数据库ID自增" INPUT:"用户输入ID",ID_WORKER:"全局唯一ID (数字类型唯一ID)", UUID:"全局唯一ID UUID";      id-type: AUTO
#字段策略 IGNORED:"忽略判断" NOT_NULL:"非 NULL 判断") NOT_EMPTY:"非空判断"      field-strategy: NOT_EMPTY
#数据库类型      db-type: MYSQL
  configuration:# 是否开启自动驼峰命名规则映射:从数据库列名到Java属性驼峰命名的类似映射    map-underscore-to-camel-case: true# 返回map时true:当查询数据为空时字段返回为null,false:不加这个查询数据为空时，字段将被隐藏    call-setters-on-nulls: true# 这个配置会将执行的sql打印出来，在开发或测试的时候可以用    log-impl: org.apache.ibatis.logging.stdout.StdOutImpl

3、编写项目基础类

Entity,Dao,Service,及等SpringSecurity用户的Entity,Service类等在这里省略,请参考源码

编写JWT工具类

/*** JWT工具类*/@Slf4jpublicclassJWTTokenUtil {
publicstaticStringcreateAccessToken(SelfUserEntityselfUserEntity){
// 登陆成功生成JWTStringtoken=Jwts.builder()
// 放入用户名和用户ID                .setId(selfUserEntity.getUserId()+"")
// 主题                .setSubject(selfUserEntity.getUsername())
// 签发时间                .setIssuedAt(newDate())
// 签发者                .setIssuer("sans")
// 自定义属性 放入用户拥有权限                .claim("authorities", JSON.toJSONString(selfUserEntity.getAuthorities()))
// 失效时间                .setExpiration(newDate(System.currentTimeMillis() +JWTConfig.expiration))
// 签名算法和密钥                .signWith(SignatureAlgorithm.HS512, JWTConfig.secret)
                .compact();
returntoken;
    }
}

编写暂无权限处理类

@ComponentpublicclassUserAuthAccessDeniedHandlerimplementsAccessDeniedHandler{
@Overridepublicvoidhandle(HttpServletRequestrequest, HttpServletResponseresponse, AccessDeniedExceptionexception){
ResultUtil.responseJson(response,ResultUtil.resultCode(403,"未授权"));
    }
}

编写登录失败处理类

@Slf4j@ComponentpublicclassUserLoginFailureHandlerimplementsAuthenticationFailureHandler {
@OverridepublicvoidonAuthenticationFailure(HttpServletRequestrequest, HttpServletResponseresponse, AuthenticationExceptionexception){
// 这些对于操作的处理类可以根据不同异常进行不同处理if (exceptioninstanceofUsernameNotFoundException){
log.info("【登录失败】"+exception.getMessage());
ResultUtil.responseJson(response,ResultUtil.resultCode(500,"用户名不存在"));
        }
if (exceptioninstanceofLockedException){
log.info("【登录失败】"+exception.getMessage());
ResultUtil.responseJson(response,ResultUtil.resultCode(500,"用户被冻结"));
        }
if (exceptioninstanceofBadCredentialsException){
log.info("【登录失败】"+exception.getMessage());
ResultUtil.responseJson(response,ResultUtil.resultCode(500,"用户名密码不正确"));
        }
ResultUtil.responseJson(response,ResultUtil.resultCode(500,"登录失败"));
    }
}

编写登录成功处理类

@Slf4j@ComponentpublicclassUserLoginSuccessHandlerimplementsAuthenticationSuccessHandler {
@OverridepublicvoidonAuthenticationSuccess(HttpServletRequestrequest, HttpServletResponseresponse, Authenticationauthentication){
// 组装JWTSelfUserEntityselfUserEntity= (SelfUserEntity) authentication.getPrincipal();
Stringtoken=JWTTokenUtil.createAccessToken(selfUserEntity);
token=JWTConfig.tokenPrefix+token;
// 封装返回参数Map<String,Object>resultData=newHashMap<>();
resultData.put("code","200");
resultData.put("msg", "登录成功");
resultData.put("token",token);
ResultUtil.responseJson(response,resultData);
    }
}

编写登出成功处理类

@ComponentpublicclassUserLogoutSuccessHandlerimplementsLogoutSuccessHandler {
@OverridepublicvoidonLogoutSuccess(HttpServletRequestrequest, HttpServletResponseresponse, Authenticationauthentication){
Map<String,Object>resultData=newHashMap<>();
resultData.put("code","200");
resultData.put("msg", "登出成功");
SecurityContextHolder.clearContext();
ResultUtil.responseJson(response,ResultUtil.resultSuccess(resultData));
    }
}

4、编写Security核心类

编写自定义登录验证类

@ComponentpublicclassUserAuthenticationProviderimplementsAuthenticationProvider {
@AutowiredprivateSelfUserDetailsServiceselfUserDetailsService;
@AutowiredprivateSysUserServicesysUserService;
@OverridepublicAuthenticationauthenticate(Authenticationauthentication) throwsAuthenticationException {
// 获取表单输入中返回的用户名StringuserName= (String) authentication.getPrincipal();
// 获取表单中输入的密码Stringpassword= (String) authentication.getCredentials();
// 查询用户是否存在SelfUserEntityuserInfo=selfUserDetailsService.loadUserByUsername(userName);
if (userInfo==null) {
thrownewUsernameNotFoundException("用户名不存在");
        }
// 我们还要判断密码是否正确，这里我们的密码使用BCryptPasswordEncoder进行加密的if (!newBCryptPasswordEncoder().matches(password, userInfo.getPassword())) {
thrownewBadCredentialsException("密码不正确");
        }
// 还可以加一些其他信息的判断，比如用户账号已停用等判断if (userInfo.getStatus().equals("PROHIBIT")){
thrownewLockedException("该用户已被冻结");
        }
// 角色集合Set<GrantedAuthority>authorities=newHashSet<>();
// 查询用户角色List<SysRoleEntity>sysRoleEntityList=sysUserService.selectSysRoleByUserId(userInfo.getUserId());
for (SysRoleEntitysysRoleEntity: sysRoleEntityList){
authorities.add(newSimpleGrantedAuthority("ROLE_"+sysRoleEntity.getRoleName()));
        }
userInfo.setAuthorities(authorities);
// 进行登录returnnewUsernamePasswordAuthenticationToken(userInfo, password, authorities);
    }
@Overridepublicbooleansupports(Class<?>authentication) {
returntrue;
    }
}

编写自定义PermissionEvaluator注解验证

@ComponentpublicclassUserPermissionEvaluatorimplementsPermissionEvaluator {
@AutowiredprivateSysUserServicesysUserService;
@OverridepublicbooleanhasPermission(Authenticationauthentication, ObjecttargetUrl, Objectpermission) {
// 获取用户信息SelfUserEntityselfUserEntity=(SelfUserEntity) authentication.getPrincipal();
// 查询用户权限(这里可以将权限放入缓存中提升效率)Set<String>permissions=newHashSet<>();
List<SysMenuEntity>sysMenuEntityList=sysUserService.selectSysMenuByUserId(selfUserEntity.getUserId());
for (SysMenuEntitysysMenuEntity:sysMenuEntityList) {
permissions.add(sysMenuEntity.getPermission());
        }
// 权限对比if (permissions.contains(permission.toString())){
returntrue;
        }
returnfalse;
    }
@OverridepublicbooleanhasPermission(Authenticationauthentication, SerializabletargetId, StringtargetType, Objectpermission) {
returnfalse;
    }
}

编写SpringSecurity核心配置类

@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(prePostEnabled=true) //开启权限注解,默认是关闭的publicclassSecurityConfigextendsWebSecurityConfigurerAdapter {
/*** 自定义登录成功处理器*/@AutowiredprivateUserLoginSuccessHandleruserLoginSuccessHandler;
/*** 自定义登录失败处理器*/@AutowiredprivateUserLoginFailureHandleruserLoginFailureHandler;
/*** 自定义注销成功处理器*/@AutowiredprivateUserLogoutSuccessHandleruserLogoutSuccessHandler;
/*** 自定义暂无权限处理器*/@AutowiredprivateUserAuthAccessDeniedHandleruserAuthAccessDeniedHandler;
/*** 自定义未登录的处理器*/@AutowiredprivateUserAuthenticationEntryPointHandleruserAuthenticationEntryPointHandler;
/*** 自定义登录逻辑验证器*/@AutowiredprivateUserAuthenticationProvideruserAuthenticationProvider;
@BeanpublicBCryptPasswordEncoderbCryptPasswordEncoder(){
returnnewBCryptPasswordEncoder();
    }
/*** 注入自定义PermissionEvaluator*/@BeanpublicDefaultWebSecurityExpressionHandleruserSecurityExpressionHandler(){
DefaultWebSecurityExpressionHandlerhandler=newDefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(newUserPermissionEvaluator());
returnhandler;
    }
/*** 配置登录验证逻辑*/@Overrideprotectedvoidconfigure(AuthenticationManagerBuilderauth){
//这里可启用我们自己的登陆验证逻辑auth.authenticationProvider(userAuthenticationProvider);
    }
@Overrideprotectedvoidconfigure(HttpSecurityhttp) throwsException {
http.authorizeRequests()
//不进行权限验证的请求或资源(从配置文件中读取)               .antMatchers(JWTConfig.antMatchers.split(",")).permitAll()
//其他的需要登陆后才能访问                .anyRequest().authenticated()
                .and()
//配置未登录自定义处理类                .httpBasic().authenticationEntryPoint(userAuthenticationEntryPointHandler)
                .and()
//配置登录地址                .formLogin()
                .loginProcessingUrl("/login/userLogin")
//配置登录成功自定义处理类                .successHandler(userLoginSuccessHandler)
//配置登录失败自定义处理类                .failureHandler(userLoginFailureHandler)
                .and()
//配置登出地址                .logout()
                .logoutUrl("/login/userLogout")
//配置用户登出自定义处理类                .logoutSuccessHandler(userLogoutSuccessHandler)
                .and()
//配置没有权限自定义处理类                .exceptionHandling().accessDeniedHandler(userAuthAccessDeniedHandler)
                .and()
// 开启跨域                .cors()
                .and()
// 取消跨站请求伪造防护                .csrf().disable();
// 基于Token不需要sessionhttp.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 禁用缓存http.headers().cacheControl();
// 添加JWT过滤器http.addFilter(newJWTAuthenticationTokenFilter(authenticationManager()));
    }
}

5、编写JWT拦截类

编写JWT接口请求校验拦截器

/*** JWT接口请求校验拦截器* 请求接口时会进入这里验证Token是否合法和过期* @Author Sans* @CreateTime 2019/10/5 16:41*/@Slf4jpublicclassJWTAuthenticationTokenFilterextendsBasicAuthenticationFilter {
publicJWTAuthenticationTokenFilter(AuthenticationManagerauthenticationManager) {
super(authenticationManager);
    }
@OverrideprotectedvoiddoFilterInternal(HttpServletRequestrequest, HttpServletResponseresponse, FilterChainfilterChain) throwsServletException, IOException {
// 获取请求头中JWT的TokenStringtokenHeader=request.getHeader(JWTConfig.tokenHeader);
if (null!=tokenHeader&&tokenHeader.startsWith(JWTConfig.tokenPrefix)) {
try {
// 截取JWT前缀Stringtoken=tokenHeader.replace(JWTConfig.tokenPrefix, "");
// 解析JWTClaimsclaims=Jwts.parser()
                        .setSigningKey(JWTConfig.secret)
                        .parseClaimsJws(token)
                        .getBody();
// 获取用户名Stringusername=claims.getSubject();
StringuserId=claims.getId();
if(!StringUtils.isEmpty(username)&&!StringUtils.isEmpty(userId)) {
// 获取角色List<GrantedAuthority>authorities=newArrayList<>();
Stringauthority=claims.get("authorities").toString();
if(!StringUtils.isEmpty(authority)){
List<Map<String,String>>authorityMap=JSONObject.parseObject(authority, List.class);
for(Map<String,String>role : authorityMap){
if(!StringUtils.isEmpty(role)) {
authorities.add(newSimpleGrantedAuthority(role.get("authority")));
                            }
                        }
                    }
//组装参数SelfUserEntityselfUserEntity=newSelfUserEntity();
selfUserEntity.setUsername(claims.getSubject());
selfUserEntity.setUserId(Long.parseLong(claims.getId()));
selfUserEntity.setAuthorities(authorities);
UsernamePasswordAuthenticationTokenauthentication=newUsernamePasswordAuthenticationToken(selfUserEntity, userId, authorities);
SecurityContextHolder.getContext().setAuthentication(authentication);
                }
            } catch (ExpiredJwtExceptione){
log.info("Token过期");
            } catch (Exceptione) {
log.info("Token无效");
            }
        }
filterChain.doFilter(request, response);
return;
    }
}

6、权限注解和hasPermission权限扩展

Security允许我们在定义URL方法访问所应有的注解权限时使用SpringEL表达式,在定义所需的访问权限时如果对应的表达式返回结果为true则表示拥有对应的权限,反之则没有权限,会进入到我们配置的UserAuthAccessDeniedHandler(暂无权限处理类)中进行处理.这里举一些例子,代码中注释有对应的描述。

表达式

@PreAuthorize("hasRole('ADMIN')")
@RequestMapping(value="/info",method=RequestMethod.GET)
publicMap<String,Object>userLogin(){
Map<String,Object>result=newHashMap<>();
SelfUserEntityuserDetails=SecurityUtil.getUserInfo();
result.put("title","管理端信息");
result.put("data",userDetails);
returnResultUtil.resultSuccess(result);
    }
@PreAuthorize("hasAnyRole('ADMIN','USER')")
@RequestMapping(value="/list",method=RequestMethod.GET)
publicMap<String,Object>list(){
Map<String,Object>result=newHashMap<>();
List<SysUserEntity>sysUserEntityList=sysUserService.list();
result.put("title","拥有用户或者管理员角色都可以查看");
result.put("data",sysUserEntityList);
returnResultUtil.resultSuccess(result);
    }
@PreAuthorize("hasRole('ADMIN') and hasRole('USER')")
@RequestMapping(value="/menuList",method=RequestMethod.GET)
publicMap<String,Object>menuList(){
Map<String,Object>result=newHashMap<>();
List<SysMenuEntity>sysMenuEntityList=sysMenuService.list();
result.put("title","拥有用户和管理员角色都可以查看");
result.put("data",sysMenuEntityList);
returnResultUtil.resultSuccess(result);
    }

通常情况下使用hasRole和hasAnyRole基本可以满足大部分鉴权需求,但是有时候面对更复杂的场景上述常规表示式无法完成权限认证,Security也为我们提供了解决方案.通过hasPermission()来扩展表达式.使用hasPermission()首先要实现PermissionEvaluator接口

@ComponentpublicclassUserPermissionEvaluatorimplementsPermissionEvaluator {
@AutowiredprivateSysUserServicesysUserService;
@OverridepublicbooleanhasPermission(Authenticationauthentication, ObjecttargetUrl, Objectpermission) {
// 获取用户信息SelfUserEntityselfUserEntity=(SelfUserEntity) authentication.getPrincipal();
// 查询用户权限(这里可以将权限放入缓存中提升效率)Set<String>permissions=newHashSet<>();
List<SysMenuEntity>sysMenuEntityList=sysUserService.selectSysMenuByUserId(selfUserEntity.getUserId());
for (SysMenuEntitysysMenuEntity:sysMenuEntityList) {
permissions.add(sysMenuEntity.getPermission());
        }
// 权限对比if (permissions.contains(permission.toString())){
returntrue;
        }
returnfalse;
    }
@OverridepublicbooleanhasPermission(Authenticationauthentication, SerializabletargetId, StringtargetType, Objectpermission) {
returnfalse;
    }
}

在请求方法上添加hasPermission示例

@PreAuthorize("hasPermission('/admin/userList','sys:user:info')")
@RequestMapping(value="/userList",method=RequestMethod.GET)
publicMap<String,Object>userList(){
Map<String,Object>result=newHashMap<>();
List<SysUserEntity>sysUserEntityList=sysUserService.list();
result.put("title","拥有sys:user:info权限都可以查看");
result.put("data",sysUserEntityList);
returnResultUtil.resultSuccess(result);
    }

hasPermission可以也可以和其他表达式联合使用

@PreAuthorize("hasRole('ADMIN') and hasPermission('/admin/adminRoleList','sys:role:info')")
@RequestMapping(value="/adminRoleList",method=RequestMethod.GET)
publicMap<String,Object>adminRoleList(){
Map<String,Object>result=newHashMap<>();
List<SysRoleEntity>sysRoleEntityList=sysRoleService.list();
result.put("title","拥有ADMIN角色和sys:role:info权限可以访问");
result.put("data",sysRoleEntityList);
returnResultUtil.resultSuccess(result);
    }

7、测试

创建账户这里用户加密使用了Security推荐的bCryptPasswordEncoder方法

/*** 注册用户*/@TestpublicvoidcontextLoads() {
// 注册用户SysUserEntitysysUserEntity=newSysUserEntity();
sysUserEntity.setUsername("sans");
sysUserEntity.setPassword(bCryptPasswordEncoder.encode("123456"));
// 设置用户状态sysUserEntity.setStatus("NORMAL");
sysUserService.save(sysUserEntity);
// 分配角色 1:ADMIN 2:USERSysUserRoleEntitysysUserRoleEntity=newSysUserRoleEntity();
sysUserRoleEntity.setRoleId(2L);
sysUserRoleEntity.setUserId(sysUserEntity.getUserId());
sysUserRoleService.save(sysUserRoleEntity);
    }

登录USER角色账号,登录成功后我们会获取到身份认证的Token

访问USER角色的接口,把上一步获取到的Token设置在Headers中,Key为Authorization,我们之前实现的JWTAuthenticationTokenFilter拦截器会根据请求头中的Authorization获取并解析Token使用USER角色Token访问ADMIN角色的接口,会被拒绝,告知未授权(暂无权限会进入我们定义的UserAuthAccessDeniedHandler这个类进行处理)。更换ADMIN角色进行登录并访问ADMIN接口

⚠️注意 ~

💯本期内容就结束了，如果内容有误，麻烦大家评论区指出！

如有疑问❓可以在评论区💬或私信💬，尽我最大能力🏃‍♀️帮大家解决👨‍🏫！

如果我的文章有帮助到您，欢迎点赞+关注✔️鼓励博主🏃，您的鼓励是我分享的动力🏃🏃🏃~

SpringBoot整合SpringSecurity

1、说明

2、项目环境

3、编写项目基础类

4、编写Security核心类

5、编写JWT拦截类

6、权限注解和hasPermission权限扩展

7、测试

热门文章

最新文章

相关课程

相关电子书

相关实验场景