其他
认证和授权:前后端分离状态下使用Spring Security实现安全访问控制
/**
* 未登录时访问受限资源的处理方式
*/
public class UnLoginHandler implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
ObjectMapper mapper = new ObjectMapper();
ObjectNode objectNode = mapper.createObjectNode();
if(authException instanceof BadCredentialsException){
//账号或密码错误
objectNode.put("code", "501");
objectNode.put("message", "账号或者密码错误");
}else {
objectNode.put("code", "500");
objectNode.put("message", "未登录或token无效");
}
response.setHeader("Content-Type", "application/json;charset=UTF-8");
response.getWriter().print(objectNode);
}
}
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...省略其他配置,公众号Java精选,有惊喜
//安全配置
@Override
protected void configure(HttpSecurity http) throws Exception {
...省略其他配置
//设置未登录或登录失败时访问资源的处理方式
http.exceptionHandling().authenticationEntryPoint(new UnLoginHandler());
...
}
}
/**
* 当前登录的用户没有权限访问资源时的处理器
*/
public class NoAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
ObjectMapper mapper = new ObjectMapper();
ObjectNode objectNode = mapper.createObjectNode();
objectNode.put("code","500");
objectNode.put("message","访问失败,权限不够");
response.setHeader("Content-Type","application/json;charset=UTF-8");
response.getWriter().print(objectNode);
}
}
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...省略其他配置
//安全配置
@Override
protected void configure(HttpSecurity http) throws Exception {
...省略其他配置
//设置权限不足,无法访问当前资源时的处理方式
http.exceptionHandling().accessDeniedHandler(new NoAccessDeniedHandler());
...
}
}
@RestController
@RequestMapping("/authenticate")
public class AuthenticationController {
private final static ObjectMapper MAPPER=new ObjectMapper();
//注入springsecurity的认证管理器
@Autowired
private AuthenticationManager authenticationManager;
/**
* 创建token
* @return
*/
@PostMapping("/applyToken")
public JsonNode applyToken(@RequestBody UserDto userDto){
ObjectNode tokenNode = MAPPER.createObjectNode();
//1.创建UsernamePasswordAuthenticationToken对象
UsernamePasswordAuthenticationToken authenticationToken=new UsernamePasswordAuthenticationToken(userDto.getUsername(),userDto.getPassword());
//2.交给认证管理器进行认证
Authentication authenticate = authenticationManager.authenticate(authenticationToken);
if(null!=authenticate){
//认证成功,生成token返回给前端
String token = JwtUtils.createToken(userDto.getUsername());
if(StringUtils.isEmpty(token)){
tokenNode.put("code","401");
tokenNode.put("message","生成token失败");
}else {
tokenNode.put("code","200");
tokenNode.put("token", token);
tokenNode.put("message","success");
}
tokenNode.put("code","200");
tokenNode.put("token", JwtUtils.createToken(userDto.getUsername()));
tokenNode.put("message","success");
return tokenNode;
}else{
tokenNode.put("code","401");
tokenNode.put("message","登录失败");
}
return tokenNode;
}
}
/**
* 验证请求携带的token是否有效
*/
@Component
public class TokenVerifyFilter extends GenericFilterBean {
@Autowired
private UserDetailsService userDetailsService;
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
try {
HttpServletRequest request = (HttpServletRequest) servletRequest;
//从请求头中获取token
String token = request.getHeader("Authorization-Token");
if (StringUtils.hasText(token)) {
//从token中解析用户名
String username = JwtUtils.getUserInfo(token);
//查询当前用户
if(!StringUtils.isEmpty(username)){
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if(null!=userDetails){
//查询不到表示用户不存在
//从token中获取用户信息封装成 UsernamePasswordAuthenticationToken
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(token, "", userDetails.getAuthorities());
//设置用户信息
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
}
} catch (Exception e) {
//登录发生异常,但要继续走其余过滤器的逻辑
e.printStackTrace();
}
//继续执行springsecurity的过滤器
filterChain.doFilter(servletRequest, servletResponse);
}
}
/**
* 配置springsecurity
*/
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//用户配置,
@Bean
public UserDetailsService userDetailsService(){
//在内存中配置用户
InMemoryUserDetailsManager manager=new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("lyy").password("123").authorities("ROLE_P1").build());
manager.createUser(User.withUsername("zs").password("456").authorities("ROLE_P2").build());
return manager;
}
//配置自定义的对token进行验证的过滤器
@Autowired
private TokenVerifyFilter tokenVerifyFilter;
//密码加密方式配置
@Bean
public PasswordEncoder passwordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
//安全配置
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
//匹配路径时越具体的路径要先匹配
http.authorizeRequests().antMatchers("/","/index.html").permitAll();
//放行申请token的url
http.authorizeRequests().antMatchers("/authenticate/**").permitAll();
//需要p1权限才能访问
http.authorizeRequests().antMatchers("/resource/r1").hasRole("P1");
//需要p2权限才能访问
http.authorizeRequests().antMatchers("/resource/r2").hasRole("P2")
.antMatchers("/resource/r3").hasRole("P3");//需要p3权限才能访问
http.authorizeRequests().anyRequest().authenticated();
http.formLogin().disable();//禁用表单登录
//设置未登录或登录失败时访问资源的处理方式
http.exceptionHandling().authenticationEntryPoint(new UnLoginHandler());
//设置权限不足,无法访问当前资源时的处理方式
http.exceptionHandling().accessDeniedHandler(new NoAccessDeniedHandler());
http.addFilterBefore(tokenVerifyFilter, UsernamePasswordAuthenticationFilter.class);
//设置不使用session,无状态
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
/**
* 配置认证管理器:
* @return
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
作者:程序晓猿
https://www.cnblogs.com/chengxuxiaoyuan/p/14020326.html
END
往期精彩架构师如何高效的学习技术?
Spring Cloud 使用 @RefreshScope 注解配置动态刷新
Spring Boot 启动时自动执行代码的几种方式,还有谁不会??
try-catch 语句真的会影响性能吗?
关注后端面试那些事,回复【2022面经】
获取最新大厂Java面经