【20200220】SpringBoot jjwt security完美解决restful接口无状态鉴权 - 《乐谷技术学习笔记（可公开）》

一，绒球
二，登录过滤器
三，认证
四，调用

springboot本身已经提供了很好的spring security的支持，我们只需要实现（或者重写）一部分接口来实现我们的个性化设置即可。此处浅显易懂，没有深入原理（后面文章替换，有需要的小伙伴稍等等~~~）。
思路：
1.通过弹簧安全做授权拦截操作
2.通过JWT根据用户信息生成令牌以供后面调用
3.将生成的令牌放到HttpServletResponse的头信息中
4.使用的时候从response头中获取令牌放在request头中提交到后台做认证即可
5. 交替超时时间10天

一，绒球

常规还是先上pom，因为pom可以很直观的看到本项目用了些东西，我这个项目使用了很多的包，这里贴出了核心的几个，其他大部分的都会自动引用。

<dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
        </dependency>

二，登录过滤器

我们采用倒推法，用到什么找什么，这也比较符合XP编程的思想，不写多（无）余（用）的代码，既然要做认证，很明显需要一个过滤器来处理所有需要拦截1.
用户名PasswordAuthenticationFilter是安全性自己提供的过滤器，我们重写其中的成功方法（successfulAuthentication）来处理我们自己的逻辑，当然根据自己的情况，某些登录失败处理，重写（unsuccessfulAuthentication）即可
。1。成功地中用到一个令牌认证处理程序，即令牌认证处理类，该类的主要方法就是借用jwt的机制来生成令牌，以供后面登录授权使用
。2.往响应头信息中放入参数为“授权”，估值“ Bearer” + token的值

package com.mos.eboot.tools.jwt;
import com.mos.eboot.tools.util.FastJsonUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class JWTLoginFilter extends UsernamePasswordAuthenticationFilter{
    static final String TOKEN_PREFIX = "Bearer";
    static final String HEADER_STRING = "Authorization";
    private AuthenticationSuccessHandler successHandler;
    public JWTLoginFilter() {
    }
    public JWTLoginFilter(AuthenticationManager authManager) {
        setAuthenticationManager(authManager);
    }
    @Override
    protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain, Authentication auth) throws IOException, ServletException {
        TokenAuthenticationHandler tokenAuthenticationHandler = new TokenAuthenticationHandler();
        Object obj = auth.getPrincipal();
        if(obj != null) {
            UserDetails userDetails = (UserDetails)obj;
            String token = tokenAuthenticationHandler.generateToken(FastJsonUtils.toJSONNoConfig(userDetails));
            res.addHeader(HEADER_STRING, TOKEN_PREFIX + " " + token);
        }
        if(successHandler != null) {
            successHandler.onAuthenticationSuccess(req, res, auth);
        }
    }
    public void setSuccessHandler(AuthenticationSuccessHandler successHandler) {
        this.successHandler = successHandler;
    }
}

JWTAuthenticationToken

package com.mos.eboot.tools.jwt;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import static java.util.Collections.emptyList;
public class JWTAuthenticationToken extends UsernamePasswordAuthenticationToken{
    private static final long serialVersionUID = 1L;
    public JWTAuthenticationToken(Object principal) {
        super(principal,null,emptyList());
    }
    @Override
    public Object getCredentials() {
        return super.getCredentials();
    }
    @Override
    public Object getPrincipal() {
        return super.getPrincipal();
    }
}

令牌认证处理程序

package com.mos.eboot.tools.jwt;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
/**
 * @author 小尘哥
 */
public class TokenAuthenticationHandler implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final String CLAIM_KEY_CREATED = "created";
    private static final String CLAIM_KEY_SUBJECT = "subject";
    private static final String DEFAULT_SECRET = "eboot@secret";
    private static final Long DEFAULT_EXPIRATION = 864000L;
    private String secret = DEFAULT_SECRET;
    private Long EXPIRATION = DEFAULT_EXPIRATION;
    public TokenAuthenticationHandler() {
    }
    public String getSubjectFromToken(String token) {
        String subject;
        try {
            final Claims claims = getClaimsFromToken(token);
            subject = claims.get(CLAIM_KEY_SUBJECT).toString();
        } catch (Exception e) {
            subject = null;
        }
        return subject;
    }
    private Claims getClaimsFromToken(String token) {
        Claims claims;
        try {
            claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
        } catch (Exception e) {
            claims = null;
        }
        return claims;
    }
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + EXPIRATION * 1000);
    }
    public String generateToken(String subject) {
        Map<String, Object> claims = new HashMap<String, Object>();
        claims.put(CLAIM_KEY_CREATED, new Date());
        claims.put(CLAIM_KEY_SUBJECT, subject);
        return generateToken(claims);
    }
    String generateToken( Map<String, Object> claims) {
        return Jwts.builder().setClaims(claims).setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret).compact();
    }
}

三，认证

从头信息中取回授权，然后解析出个人信息，如果个人信息不为空，则将个人信息加密后再加入授权域。

package com.mos.eboot.tools.jwt;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
public class JWTAuthenticationFilter extends GenericFilterBean {
    static final String HEADER_STRING = "Authorization";
    static final String TOKEN_PREFIX = "Bearer";
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest)request;
        String token = req.getHeader(HEADER_STRING);
        if(StringUtils.isNotBlank(token) && token.startsWith(TOKEN_PREFIX)) {
            TokenAuthenticationHandler tokenAuthenticationHandler = new TokenAuthenticationHandler();
            String subject = tokenAuthenticationHandler.getSubjectFromToken(token.replace(TOKEN_PREFIX, ""));
            if(StringUtils.isNotBlank(subject)) {
                SecurityContextHolder.getContext().setAuthentication(new JWTAuthenticationToken(subject));
            }
        }
        filterChain.doFilter(request,response);
    }
}

四，调用

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/**").authenticated()
                .antMatchers(HttpMethod.POST, "/login").permitAll().anyRequest().permitAll().and()
                .addFilterBefore(loginFilter(), UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
//注入登录校验类
    @Bean
    public JWTLoginFilter loginFilter() throws Exception {
        JWTLoginFilter loginFilter = new JWTLoginFilter(authenticationManager());
        loginFilter.setSuccessHandler(loginAuthenticationSuccessHandler);
        loginFilter.setAuthenticationFailureHandler((request, response, exception) -> {
            response.setContentType("application/json");
            response.getWriter().write(FastJsonUtils
                    .toJSONString(new ResultModel(ResultStatus.FAIL.getCode(), exception.getMessage())));
        });
        return loginFilter;
    }
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService());
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        authenticationProvider.setHideUserNotFoundExceptions(false);
        return authenticationProvider;
    }
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return new UserService();
    }
//重写密码加密方法
    @Bean
    public Md5PasswordEncoder passwordEncoder() {
        Md5PasswordEncoder passwordEncoder = new Md5PasswordEncoder();
        passwordEncoder.setIterations(1);
        return passwordEncoder;
    }

实现UserDetailsService接口，定义自己的获取用户登录方法实现类

package com.mos.eboot.api.config.support;
import com.mos.eboot.api.platform.api.ISysUserService;
import com.mos.eboot.platform.entity.SysUser;
import com.mos.eboot.tools.result.ResultModel;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import javax.annotation.Resource;
/**
 * @author 小尘哥
 */
@Service("userService")
public class UserService implements IUserService {
    @Resource
    private ISysUserService sysUserService;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return sysUserService.getByUsername(username);
    }
}