郑州哪里做网站汉狮,举报网站制度建设方面,全国新闻媒体发稿平台,成都广告公司简介本节内容#xff1a;实现登录拦截器#xff0c;除了登录接口之外所有接口访问都要携带Token#xff0c;并且对Token合法性进行验证#xff0c;实现登录状态的保持。
核心内容#xff1a; 1、要实现登录拦截器#xff0c;从Request请求中获取token#xff0c;从缓存中获…本节内容实现登录拦截器除了登录接口之外所有接口访问都要携带Token并且对Token合法性进行验证实现登录状态的保持。
核心内容 1、要实现登录拦截器从Request请求中获取token从缓存中获取Token并验证登录是否过期若验证通过则放行 2、实现对拦截器配置SpringBoot 安全模块使用HttpSecurity 来完成请求安全管理。通过该对象可配置不进行鉴权的url(如登录、注册这些接口)配置自定义的登录拦截器配置安全认证失败的公共处理类、配置退出登录请求执行完的后续处理类、配置CORS过滤器等。
1、鉴权拦截器
JwtAuthenticationTokenFilter.java
Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {Autowiredprivate TokenService tokenService;Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)throws ServletException, IOException {//从缓存中获取用户信息LoginUser loginUser tokenService.getLoginUser(request);if (StringUtils.isNotNull(loginUser) StringUtils.isNull(SecurityContextHolder.getContext().getAuthentication())) {// 该方法用来刷新token有效期tokenService.verifyToken(loginUser);UsernamePasswordAuthenticationToken authenticationToken new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));//设置到线程变量中SecurityContextHolder.getContext().setAuthentication(authenticationToken);}chain.doFilter(request, response);}
}
2、SecurityConfig配置
与上一节的内容差不多只是对HttpSecurity进行更详细的配置
/*** spring security配置** author */
EnableGlobalMethodSecurity(prePostEnabled true, securedEnabled true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {/*** 自定义用户认证逻辑*/Autowiredprivate UserDetailsService userDetailsService;/*** 认证失败处理类*/Autowiredprivate AuthenticationEntryPointImpl unauthorizedHandler;/*** 退出处理类*/Autowiredprivate LogoutSuccessHandlerImpl logoutSuccessHandler;/*** token认证过滤器*/Autowiredprivate JwtAuthenticationTokenFilter authenticationTokenFilter;/*** 跨域过滤器*/Autowiredprivate CorsFilter corsFilter;/*** 允许匿名访问的地址*/Autowiredprivate PermitAllUrlProperties permitAllUrl;/*** 解决 无法直接注入 AuthenticationManager** return* throws Exception*/BeanOverridepublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}/*** anyRequest | 匹配所有请求路径* access | SpringEl表达式结果为true时可以访问* anonymous | 匿名可以访问* denyAll | 用户不能访问* fullyAuthenticated | 用户完全认证可以访问非remember-me下自动登录* hasAnyAuthority | 如果有参数参数表示权限则其中任何一个权限可以访问* hasAnyRole | 如果有参数参数表示角色则其中任何一个角色可以访问* hasAuthority | 如果有参数参数表示权限则其权限可以访问* hasIpAddress | 如果有参数参数表示IP地址如果用户IP和参数匹配则可以访问* hasRole | 如果有参数参数表示角色则其角色可以访问* permitAll | 用户可以任意访问* rememberMe | 允许通过remember-me登录的用户访问* authenticated | 用户登录后可访问*/Overrideprotected void configure(HttpSecurity httpSecurity) throws Exception {// 注解标记允许匿名访问的urlExpressionUrlAuthorizationConfigurerHttpSecurity.ExpressionInterceptUrlRegistry registry httpSecurity.authorizeRequests();permitAllUrl.getUrls().forEach(url - registry.antMatchers(url).permitAll());httpSecurity// CSRF禁用因为不使用session.csrf().disable()// 禁用HTTP响应标头.headers().cacheControl().disable().and()// 认证失败处理类.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()// 基于token所以不需要session.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()// 过滤请求.authorizeRequests()// 对于登录login 注册register 验证码captchaImage 允许匿名访问.antMatchers(/swagger-ui.html,/login, /register, /captchaImage).permitAll()// 静态资源可匿名访问.antMatchers(HttpMethod.GET, /, /*.html, /**/*.html, /**/*.css, /**/*.js, /**/attachment/**, /profile/**).permitAll().antMatchers(/swagger-ui.html ,/v2/api-docs,/swagger-resources, /swagger-resources/**, /webjars/**, /*/api-docs, /druid/**).permitAll()// 除上面外的所有请求全部需要鉴权认证.anyRequest().authenticated().and().headers().frameOptions().disable();// 添加Logout filterhttpSecurity.logout().logoutUrl(/logout).logoutSuccessHandler(logoutSuccessHandler);// 添加JWT filterhttpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);// 添加CORS filterhttpSecurity.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class);httpSecurity.addFilterBefore(corsFilter, LogoutFilter.class);}/*** 强散列哈希加密实现*/Beanpublic BCryptPasswordEncoder bCryptPasswordEncoder() {return new BCryptPasswordEncoder();}/*** 身份认证接口*/Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());}
}添加TokenService
根据登录用户信息创建token并实现对token的管理token缓存、清理、过期处理等
package com.luo.chengrui.labs.lab04.service;import com.luo.chengrui.labs.lab04.model.LoginUser;
import com.luo.chengrui.labs.lab04.utils.IpUtils;
import com.luo.chengrui.labs.lab04.utils.ServletUtils;
import com.luo.chengrui.labs.lab04.utils.StringUtils;
import com.luo.chengrui.labs.lab04.utils.UUID;
import eu.bitwalker.useragentutils.UserAgent;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;/*** token验证处理** author ruoyi*/
Service
public class TokenService {// 令牌自定义标识Value(${token.header})private String header;// 令牌秘钥Value(${token.secret})private String secret;// 令牌有效期默认30分钟Value(${token.expireTime})private int expireTime;protected static final String LOGIN_USER_KEY LOGIN_USER_KEY;public static final String TOKEN_PREFIX Bearer ;/*** 登录用户*/public static final String LOGIN_TOKEN_KEY login_tokens:;protected static final long MILLIS_SECOND 1000;protected static final long MILLIS_MINUTE 60 * MILLIS_SECOND;private static final Long MILLIS_MINUTE_TEN 20 * 60 * 1000L;private static final MapString,LoginUser tokenCache new HashMap();public String getHeader() {return header;}/*** 获取用户身份信息** return 用户信息*/public LoginUser getLoginUser(HttpServletRequest request) {// 获取请求携带的令牌String token getToken(request);if (StringUtils.isNotEmpty(token)) {try {Claims claims parseToken(token);// 解析对应的权限以及用户信息String uuid (String) claims.get(LOGIN_USER_KEY);String userKey getTokenKey(uuid);LoginUser user tokenCache.get(userKey);return user;} catch (Exception e) {}}return null;}/*** 设置用户身份信息*/public void setLoginUser(LoginUser loginUser) {if (StringUtils.isNotNull(loginUser) StringUtils.isNotEmpty(loginUser.getToken())) {refreshToken(loginUser);}}/*** 删除用户身份信息*/public void delLoginUser(String token) {if (StringUtils.isNotEmpty(token)) {String userKey getTokenKey(token);tokenCache.remove(userKey);}}/*** 创建令牌** param loginUser 用户信息* return 令牌*/public String createToken(LoginUser loginUser) {String token UUID.fastUUID().toString();loginUser.setToken(token);setUserAgent(loginUser);refreshToken(loginUser);MapString, Object claims new HashMap();claims.put(LOGIN_USER_KEY, token);return createToken(claims);}/*** 验证令牌有效期相差不足20分钟自动刷新缓存** param loginUser* return 令牌*/public void verifyToken(LoginUser loginUser) {long expireTime loginUser.getExpireTime();long currentTime System.currentTimeMillis();if (expireTime - currentTime MILLIS_MINUTE_TEN) {refreshToken(loginUser);}}/*** 刷新令牌有效期** param loginUser 登录信息*/public void refreshToken(LoginUser loginUser) {loginUser.setLoginTime(System.currentTimeMillis());loginUser.setExpireTime(loginUser.getLoginTime() expireTime * MILLIS_MINUTE);// 根据uuid将loginUser缓存String userKey getTokenKey(loginUser.getToken());tokenCache.put(userKey, loginUser);}/*** 设置用户代理信息** param loginUser 登录信息*/public void setUserAgent(LoginUser loginUser) {UserAgent userAgent UserAgent.parseUserAgentString(ServletUtils.getRequest().getHeader(User-Agent));String ip IpUtils.getIpAddr();loginUser.setIpaddr(ip);loginUser.setBrowser(userAgent.getBrowser().getName());loginUser.setOs(userAgent.getOperatingSystem().getName());}/*** 从数据声明生成令牌** param claims 数据声明* return 令牌*/private String createToken(MapString, Object claims) {String token Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();return token;}/*** 从令牌中获取数据声明** param token 令牌* return 数据声明*/private Claims parseToken(String token) {return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();}/*** 从令牌中获取用户名** param token 令牌* return 用户名*/public String getUsernameFromToken(String token) {Claims claims parseToken(token);return claims.getSubject();}/*** 获取请求token** param request* return token*/private String getToken(HttpServletRequest request) {String token request.getHeader(header);if (StringUtils.isNotEmpty(token) token.startsWith(TOKEN_PREFIX)) {token token.replace(TOKEN_PREFIX, );}return token;}private String getTokenKey(String uuid) {return LOGIN_TOKEN_KEY uuid;}
}
CORS处理器CorsFilterConfiguration
Component
public class CorsFilterConfiguration {Beanpublic CorsFilter corsFilter() {CorsConfiguration config new CorsConfiguration();config.setAllowCredentials(true);// 设置访问源地址config.addAllowedOriginPattern(*);// 设置访问源请求头config.addAllowedHeader(*);// 设置访问源请求方法config.addAllowedMethod(*);// 有效期 1800秒config.setMaxAge(1800L);// 添加映射路径拦截一切请求UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration(/**, config);// 返回新的CorsFilterreturn new CorsFilter(source);}
}
鉴权失败处理类AuthenticationEntryPointImpl
/*** 认证失败处理类 返回未授权** author ruoyi*/
Component
public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint, Serializable
{private static final long serialVersionUID -8970718410437077606L;Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e)throws IOException{int code HttpStatus.UNAUTHORIZED;String msg String.format(请求访问%s认证失败无法访问系统资源, request.getRequestURI());ServletUtils.renderString(response, JSON.toJSONString(AjaxResult.error(code, msg)));}
}
退出登录处理类LogoutSuccessHandlerImpl
退出登录时清除缓存token信息。记录退出日志登录
Configuration
public class LogoutSuccessHandlerImpl implements LogoutSuccessHandler
{Autowiredprivate TokenService tokenService;/*** 退出处理** return*/Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)throws IOException, ServletException{LoginUser loginUser tokenService.getLoginUser(request);if (StringUtils.isNotNull(loginUser)){String userName loginUser.getUsername();// 删除用户缓存记录tokenService.delLoginUser(loginUser.getToken());//TODO 记录退出日志}ServletUtils.renderString(response, JSON.toJSONString(AjaxResult.success(退出成功)));}
}LoginService改造
要保持登录状态需将token添加到缓存中。
Service
public class LoginService {// 令牌自定义标识Value(${token.header})private String header;// 令牌秘钥Value(${token.secret})private String secret;// 令牌有效期默认30分钟Value(${token.expireTime})private int expireTime;Resourceprivate AuthenticationManager authenticationManager;Autowiredprivate TokenService tokenService;public String login(String username, String password) {// 用户验证Authentication authentication null;try {UsernamePasswordAuthenticationToken authenticationToken new UsernamePasswordAuthenticationToken(username, password);AuthenticationContextHolder.setContext(authenticationToken);authentication authenticationManager.authenticate(authenticationToken);} catch (Exception e) {throw new RuntimeException(用户名或密码错误);} finally {AuthenticationContextHolder.clearContext();}LoginUser loginUser (LoginUser) authentication.getPrincipal();// 生成tokenreturn tokenService.createToken(loginUser);}}接口测试
没有获取token时接口访问返回统一的鉴权异常处理信息 2、用户登录接口访问成功返回token 3、接口添加token参数后访问成功
补充在所有swagger接口上添加Header参数的配置方法 在SwaggerConfiguration 类的 createRestApi()方法中添加以下代码
Beanpublic Docket createRestApi() {//全局设置Hread参数方法测试ParameterBuilder ticketPar new ParameterBuilder();ListParameter pars new ArrayListParameter();ticketPar.name(Authorization).description(user ticket).modelRef(new ModelRef(string)).parameterType(header).required(false).build(); //header中的ticket参数非必填传空也可以pars.add(ticketPar.build()); //根据每个方法名也知道当前方法在设置什么参数// 创建 Docket 对象return new Docket(DocumentationType.SWAGGER_2) // 文档类型使用 Swagger2.apiInfo(this.apiInfo()) // 设置 API 信息// 扫描 Controller 包路径获得 API 接口.select().apis(RequestHandlerSelectors.basePackage(com.luo.chengrui.labs.lab04.controller)).paths(PathSelectors.any())// 构建出 Docket 对象.build().globalOperationParameters(pars);}
