前后端分离与分布式环境下,session不好使了,这时要着重使用令牌了
这时利用框架提供的两个父类
UsernamePasswordAuthenticationFilter 用于登录验证
BasicAuthenticationFilter 用于令牌验证

登录验证过滤器 UsernamePasswordAuthenticationFilter

  1. /**
  2.  * 认证过滤器
  3.  *
  4.  * @author YUDI
  5.  * @date 2020/4/10
  6.  */
  7. public class LoginFilter extends UsernamePasswordAuthenticationFilter {
  9.     private AuthenticationManager authenticationManager;
  11.     private RsaKeyProperties prop;
  13.     public LoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
  14.         this.authenticationManager = authenticationManager;
  15.         this.prop = prop;
  16.         // /login为内置接口
  17.         this.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/login", "POST"));
  18.     }
  20.     /**
  21.      * 处理登录请求的方法
  22.      *
  23.      * @param request
  24.      * @param response
  25.      * @return
  26.      * @throws AuthenticationException
  27.      */
  28.     @Override
  29.     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  30.         try {
  31.             //将前端传入的参数转换成实体类对象
  32.             User user = new ObjectMapper().readValue(request.getInputStream(), User.class);
  33.             //账号密码登录 将访问UserDetailsService的方法
  34.             UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());
  35.             //认证通过 
  36.             return authenticationManager.authenticate(authRequest);
  37.         } catch (Exception e) {
  38.             try {
  39.                 response.setContentType("application/json;charset=utf-8");
  40.                 //没有认证的编码
  41.                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  42.                 PrintWriter out = response.getWriter();
  43.                 Map<String, Object> resultMap = new HashMap<>(2);
  44.                 resultMap.put("code", HttpServletResponse.SC_UNAUTHORIZED);
  45.                 resultMap.put("msg", "用户名或密码错误");
  46.                 out.write(new ObjectMapper().writeValueAsString(resultMap));
  47.                 out.flush();
  48.                 out.close();
  49.             } catch (Exception outEx) {
  50.                 throw new RuntimeException(outEx);
  51.             }
  52.             throw new RuntimeException(e);
  53.         }
  54.     }
  56.     /**
  57.      * 认证成功之后执行的方法(在响应头里颁发令牌)
  58.      *
  59.      * @param request
  60.      * @param response
  61.      * @param chain
  62.      * @param authResult
  63.      * @throws IOException
  64.      * @throws ServletException
  65.      */
  66.     @Override
  67.     public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
  68.         User user = new User();
  69.         user.setUsername(authResult.getName());
  70.         //设置权限
  71.         user.setPermissions((List<Permission>) authResult.getAuthorities());
  72.         //设置令牌有效期 时间单位为分钟
  73.         String token = JwtUtils.generateTokenExpireInMinutes(user, prop.getPrivateKey(), 24 * 60);
  74.         response.addHeader("Authorization", "Bearer " + token);
  75.         try {
  76.             response.setContentType("application/json;charset=utf-8");
  77.             //没有认证的编码
  78.             response.setStatus(HttpServletResponse.SC_OK);
  79.             PrintWriter out = response.getWriter();
  80.             Map<String, Object> resultMap = new HashMap<>();
  81.             resultMap.put("code", HttpServletResponse.SC_OK);
  82.             resultMap.put("msg", "认证通过");
  83.             out.write(new ObjectMapper().writeValueAsString(resultMap));
  84.             out.flush();
  85.             out.close();
  86.         } catch (Exception outEx) {
  87.             outEx.printStackTrace();
  88.         }
  89.     }
  91. }

令牌过滤器 BasicAuthenticationFilter

/**
 * 验证认证过滤器
 *
 * @author YUDI
 * @date 2020/4/10
 */
public class JwtVerifyFilter extends BasicAuthenticationFilter {

    private RsaKeyProperties prop;

    public JwtVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
        super(authenticationManager);
        this.prop = prop;
    }

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            //如果携带错误格式的token,则给用户提示请登录!
            response.setContentType("application/json;charset=utf-8");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            PrintWriter out = response.getWriter();
            Map<String, Object> resultMap = new HashMap<>();
            resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
            resultMap.put("msg", "没有登录或权限不够");
            out.write(new ObjectMapper().writeValueAsString(resultMap));
            out.flush();
            out.close();
            chain.doFilter(request, response);
        } else {
            //如果携带了正确格式的token要先得到token
            String token = header.replace("Bearer ", "");
            //验证token是否正确
            Payload<User> payload = JwtUtils.getInfoFromToken(token, prop.getPublicKey(), User.class);
            //根据令牌得到用户信息
            User user = payload.getUserInfo();
            if (user != null) {
                UsernamePasswordAuthenticationToken authResult = new UsernamePasswordAuthenticationToken(user.getUsername(), token, user.getAuthorities());
                //授权
                SecurityContextHolder.getContext().setAuthentication(authResult);
                chain.doFilter(request, response);
            } else {
                response.setContentType("application/json;charset=utf-8");
                PrintWriter out = response.getWriter();
                Map<String, Object> resultMap = new HashMap<>();
                resultMap.put("msg", "token有误");
                out.write(new ObjectMapper().writeValueAsString(resultMap));
                out.flush();
                out.close();
                chain.doFilter(request, response);
            }

        }

    }


}

security配置类

在这个配置类里 配置前面两个过滤器,如果作为资源服务则只需要配置令牌过滤器即可

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsServiceImpl userDetailsService;

    @Autowired
    private RsaKeyProperties prop;

    //配置BCrypt加密方案
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    //配置用户信息和权限
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //使用数据库动态添加
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    //配置拦截请求资源
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().disable();
        //关闭打开的csrf保护
        http.csrf().disable();

        //如何权限控制 给每一条路径分配一个权限名称 账号只要管理该名称 就可以访问权限

        //url含有order的需要认证才能访问 fullyAuthenticated方法
        http.authorizeRequests()
                .antMatchers("/order/**").fullyAuthenticated()
                .and()
                //配置过滤器
                .addFilter(new LoginFilter(super.authenticationManager(), prop))
                .addFilter(new JwtVerifyFilter(super.authenticationManager(), prop))
                //禁用session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }

}