使用form表單登錄
使用JWT維護用戶狀態(tài)
site.yuyanjia.springbootsecuritydemo.config.JwtWebSecurityConfig
- 有點看不懂網(wǎng)上很多文章都是寫spring security使用jwt登錄的著淆,個人理解jwt不應(yīng)該是維護用戶信息的嗎劫狠,和session功能類似拴疤,屬于登錄后的事物。
- session將用戶信息維護在服務(wù)端嘉熊。
- jwt將用戶信息維護再客戶端遥赚,服務(wù)端校驗成功后,信任用戶信息阐肤。
提示
- 為了方便查看凫佛,還是將很多自定類寫成了內(nèi)部類,根據(jù)需要自行拆分孕惜。
- 關(guān)鍵點都寫在注釋中愧薛,都是關(guān)于jwt的注釋,spring security的請查看其他文章
- 兩個類
JwtWebSecurityConfig.java
, JwtUtil.java
代碼
JwtWebSecurityConfig
package site.yuyanjia.springbootsecuritydemo.config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import site.yuyanjia.springbootsecuritydemo.dao.WebUserDao;
import site.yuyanjia.springbootsecuritydemo.security.WebUserDetail;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
/**
* jwt 安全配置
* <p>
* 基于form表單
*
* @author seer
* @date 2020/7/16 10:01
*/
@Configuration
@EnableWebSecurity
@SuppressWarnings("all")
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(JwtWebSecurityConfig.class);
/**
* 成功
*/
private static final String SUCCESS = "{\"result_code\": \"00000\", \"result_msg\": \"處理成功\"}";
/**
* 失敗
*/
private static final String FAILED = "{\"result_code\": \"99999\", \"result_msg\": \"處理失敗\"}";
/**
* 登錄過期
*/
private static final String LOGIN_EXPIRE = "{\"result_code\": \"10001\", \"result_msg\": \"登錄過期\"}";
/**
* 權(quán)限限制
*/
private static final String ROLE_LIMIT = "{\"result_code\": \"10002\", \"result_msg\": \"權(quán)限不足\"}";
/**
* 登錄 URL
*/
private static final String LOGIN_URL = "/authc/login";
/**
* 登出 URL
*/
private static final String LOGOUT_URL = "/authc/logout";
/**
* 授權(quán) URL
*/
private static final String AUTH_URL = "/authc/";
/**
* 授權(quán) URL 正則
*/
private static final String AUTH_URL_REG = AUTH_URL + "**";
/**
* 登錄用戶名參數(shù)名
*/
private static final String LOGIN_NAME = "username";
/**
* 登錄密碼參數(shù)名
*/
private static final String LOGIN_PWD = "password";
/**
* 記住登錄參數(shù)名
*/
private static final String REMEMBER_ME = "rememberMe";
/**
* token有效時間10天
* 框架實現(xiàn) {@link RememberMeConfigurer#tokenValiditySeconds}
* 此處使用redis實現(xiàn)
*/
private static final Long TOKEN_VALID_DAYS = 10L;
@Autowired
private UserDetailsService webUserDetailsService;
@Autowired
private WebUserDao webUserDao;
@Autowired
private RedisTemplate redisTemplate;
/**
* cors跨域
*
* @return object
*/
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedOrigin("*");
corsConfiguration.addAllowedHeader("*");
corsConfiguration.addAllowedMethod("*");
corsConfiguration.setAllowCredentials(true);
corsConfiguration.setMaxAge(3600L);
corsConfiguration.addExposedHeader("access-control-allow-methods");
corsConfiguration.addExposedHeader("access-control-allow-headers");
corsConfiguration.addExposedHeader("access-control-allow-origin");
corsConfiguration.addExposedHeader("access-control-max-age");
corsConfiguration.addExposedHeader("X-Frame-Options");
UrlBasedCorsConfigurationSource configurationSource = new UrlBasedCorsConfigurationSource();
configurationSource.registerCorsConfiguration(AUTH_URL_REG, corsConfiguration);
return configurationSource;
}
/**
* http安全配置
* <p>
* 使用原生form表單登錄 {@link org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter}
* 使用jwt 維護用戶狀態(tài) {@link JwtSecurityContextRepository}
* 登錄成功生成jwt {@link DefinedAuthenticationSuccessHandler}
* <p>
* {@link SecurityContextPersistenceFilter}
* {@link SessionManagementFilter}
* 默認使用 {@link HttpSessionSecurityContextRepository} 基于session管理用戶信息
* <p>
* jwt不基于服務(wù)端狀態(tài)衫画,
* 自定義{@link JwtSecurityContextRepository}維護用戶信息
*
* @param http http
* @throws Exception exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf().disable();
http
.exceptionHandling()
.accessDeniedHandler(new DefinedAccessDeniedHandler())
.authenticationEntryPoint(new DefinedAuthenticationEntryPoint());
http
.authorizeRequests()
.accessDecisionManager(accessDecisionManager())
.withObjectPostProcessor(new DefindeObjectPostProcessor());
http
.authorizeRequests()
.antMatchers(AUTH_URL_REG).authenticated()
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().permitAll();
http
.formLogin()
.usernameParameter(LOGIN_NAME)
.passwordParameter(LOGIN_PWD)
.loginProcessingUrl(LOGIN_URL)
.successHandler(new DefinedAuthenticationSuccessHandler())
.failureHandler(new DefindeAuthenticationFailureHandler());
http
.logout()
.logoutUrl(LOGOUT_URL)
.invalidateHttpSession(true)
.invalidateHttpSession(true)
.logoutSuccessHandler(new DefinedLogoutSuccessHandler());
// 詳見注釋
http
.addFilterAt(new SecurityContextPersistenceFilter(new JwtSecurityContextRepository()), SecurityContextPersistenceFilter.class)
.addFilterAt(new SessionManagementFilter(new JwtSecurityContextRepository()), SessionManagementFilter.class);
}
/**
* 配置登錄驗證
*
* @param auth auth
* @throws Exception exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(webUserDetailsService);
auth.authenticationProvider(new AuthenticationProvider() {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String loginUsername = authentication.getName();
String loginPassword = (String) authentication.getCredentials();
log.info("用戶登錄毫炉,用戶名 [{}],密碼 [{}]", loginUsername, loginPassword);
WebUserDetail webUserDetail = (WebUserDetail) webUserDetailsService.loadUserByUsername(loginUsername);
// 此處自定義密碼加密處理規(guī)則
if (!loginPassword.equals(webUserDetail.getPassword())) {
throw new DisabledException("用戶登錄削罩,密碼錯誤");
}
return new UsernamePasswordAuthenticationToken(webUserDetail, webUserDetail.getPassword(), webUserDetail.getAuthorities());
}
/**
* 支持使用此方法驗證
*
* @param aClass aClass
* @return 沒有特殊處理瞄勾,返回true,否則不會用這個配置進行驗證
*/
@Override
public boolean supports(Class<?> aClass) {
return true;
}
});
}
/**
* 決策管理
* {@link AffirmativeBased} 有一個贊成即可通過
* {@link UnanimousBased} 不適用同權(quán)限歸屬多角色場景
*
* @return object
*/
private AccessDecisionManager accessDecisionManager() {
List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<>();
decisionVoters.add(new WebExpressionVoter());
decisionVoters.add(new UrlRoleVoter());
AffirmativeBased based = new AffirmativeBased(decisionVoters);
return based;
}
class DefindeObjectPostProcessor implements ObjectPostProcessor<FilterSecurityInterceptor> {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O object) {
object.setSecurityMetadataSource(new DefinedFilterInvocationSecurityMetadataSource());
return object;
}
}
/**
* {@link org.springframework.security.access.vote.RoleVoter}
*/
class UrlRoleVoter implements AccessDecisionVoter<Object> {
@Override
public boolean supports(ConfigAttribute attribute) {
if (null == attribute.getAttribute()) {
return false;
}
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
@Override
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
if (null == authentication) {
return ACCESS_DENIED;
}
int result = ACCESS_ABSTAIN;
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
for (ConfigAttribute attribute : attributes) {
if (this.supports(attribute)) {
result = ACCESS_DENIED;
for (GrantedAuthority authority : authorities) {
if (attribute.getAttribute().equals(authority.getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
/**
* 權(quán)限驗證數(shù)據(jù)源
* <p>
* 此處實現(xiàn)
* 從數(shù)據(jù)庫中獲取URL對應(yīng)的role信息
*/
class DefinedFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
@Override
public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
String requestUrl = ((FilterInvocation) o).getRequestUrl();
// 不需要授權(quán)的URL 無需查詢歸屬角色
if (!requestUrl.startsWith(AUTH_URL)) {
return SecurityConfig.createList();
}
List<String> roleIds = webUserDao.listRoleByUrl(requestUrl);
return SecurityConfig.createList(roleIds.toArray(new String[0]));
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> aClass) {
return FilterInvocation.class.isAssignableFrom(aClass);
}
}
/**
* 權(quán)限拒絕handler
*/
class DefinedAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
if (log.isDebugEnabled()) {
log.debug("權(quán)限不足 [{}]", accessDeniedException.getMessage());
}
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(ROLE_LIMIT);
}
}
/**
* 授權(quán)入口
* 登錄過期
*/
class DefinedAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
if (log.isDebugEnabled()) {
log.debug("登錄過期 [{}]", authException.getMessage());
}
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(LOGIN_EXPIRE);
}
}
/**
* 授權(quán)成功handler
*/
class DefinedAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Collection<? extends GrantedAuthority> roles = authentication.getAuthorities();
// jwt token
String token = JwtUtil.generateToken(authentication.getName(), roles);
log.info("用戶登錄成功 {} {} {}", authentication.getName(), authentication.getAuthorities(), token);
response.setHeader(JwtUtil.HEADER, token);
// 獲取登錄成功信息
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(SUCCESS);
}
}
/**
* 授權(quán)失敗handler
*/
class DefindeAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
log.info("用戶登錄失敗 [{}]", exception.getMessage());
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(FAILED);
}
}
/**
* 注銷成功hanlder
*/
class DefinedLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
log.info("注銷成功 [{}]", null != authentication ? authentication.getName() : null);
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.getWriter().write(SUCCESS);
}
}
/**
* JwtSecurityContextRepository
*/
class JwtSecurityContextRepository implements SecurityContextRepository {
@Override
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
HttpServletRequest request = requestResponseHolder.getRequest();
String authToken = request.getHeader(JwtUtil.HEADER);
if (null == authToken) {
if (log.isDebugEnabled()) {
log.debug("No SecurityContext was available, A new one will be created.");
}
return SecurityContextHolder.createEmptyContext();
}
if (!JwtUtil.isValid(authToken)) {
if (log.isDebugEnabled()) {
log.debug("jwt 無效");
}
return SecurityContextHolder.createEmptyContext();
}
String username = JwtUtil.getUserName(authToken);
Set<SimpleGrantedAuthority> roleSet = JwtUtil.getRoles(authToken);
if (log.isDebugEnabled()) {
log.debug("jwt username {} {}", username, roleSet);
}
SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
JwtAuthenticationToken authenticationToken = new JwtAuthenticationToken(username, roleSet);
securityContext.setAuthentication(authenticationToken);
return securityContext;
}
@Override
public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
if (log.isDebugEnabled()) {
log.debug("jwt 無需服務(wù)端保存狀態(tài)");
}
}
/**
* Allows the repository to be queried as to whether it contains a security context
* for the current request.
*
* @param request the current request
* @return true if a context is found for the request, false otherwise
*/
@Override
public boolean containsContext(HttpServletRequest request) {
String authToken = request.getHeader(JwtUtil.HEADER);
return null != authToken && !authToken.isEmpty();
}
}
/**
* JwtAuthenticationToken
*/
class JwtAuthenticationToken extends AbstractAuthenticationToken {
private String username;
/**
* init
*
* @param username 用戶名
* @param authorities 角色
*/
public JwtAuthenticationToken(String username, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.username = username;
}
/**
* jwt 已做驗證 {@link JwtUtil#isValid(String)}
*
* @return object
*/
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return username;
}
/**
* jwt 已做驗證 {@link JwtUtil#isValid(String)}
*
* @return true
*/
@Override
public boolean isAuthenticated() {
return true;
}
}
}
JwtUtil
package site.yuyanjia.springbootsecuritydemo.config;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
* JwtUtil
* <p>
* TOKEN: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ5dXlhbmppYSIsImlhdCI6MTU5NDg2NTgyNSwiZXhwIjoxNTk1NDcwNjI0fQ.jrSiu-2AcTJfk5KZlecdFyjr3_JXjfNtrcAXIxyDDbE
* 組成: HEADER.PAYLOAD.SIGNATURE
* 翻譯:
* HEADER: { "alg": "HS256" }
* PAYLOAD: { "sub": "yuyanjia", "iat": 1594865825, "exp": 1595470624 }
* SIGNATURE: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload),SECRET)
*
* @author seer
* @date 2020/7/16 8:59
*/
public class JwtUtil {
private static final Logger log = LoggerFactory.getLogger(JwtUtil.class);
/**
* token 有效時間我 7天
*/
private final static long TOKEN_LIFETIME = 1000L * 60 * 60 * 24 * 7;
/**
* 算法
*/
private final static SignatureAlgorithm ALGORITHM = SignatureAlgorithm.HS256;
/**
* 密鑰
*/
private final static String SECRET = "1234-abcd-DCBA-4321";
/**
* token head
*/
public final static String HEADER = "Authorization";
/**
* payload 角色組
*/
public final static String PAYLOAD_ROLES = "roles";
/**
* token 是否有效
*
* @param token token
* @return true 有效
*/
public static boolean isValid(String token) {
Date expiredDate;
try {
expiredDate = parseToken(token).getExpiration();
} catch (SignatureException e) {
if (log.isDebugEnabled()) {
log.debug("簽名驗證失敗");
}
return false;
}
return expiredDate.after(new Date());
}
/**
* 獲取用戶名
*
* @param token token
* @return object
*/
public static String getUserName(String token) {
Claims claims = parseToken(token);
return claims.getSubject();
}
/**
* 獲取角色
*
* @param token token
* @return object
*/
public static Set<SimpleGrantedAuthority> getRoles(String token) {
Claims claims = parseToken(token);
Object roleObj = claims.get(PAYLOAD_ROLES);
if (!(roleObj instanceof List)) {
return Collections.emptySet();
}
List<String> roles = (List<String>) roleObj;
Set<SimpleGrantedAuthority> roleSet = new HashSet<>();
for (String role : roles) {
roleSet.add(new SimpleGrantedAuthority(role));
}
return roleSet;
}
/**
* 生成token
* <p>
* sub: 用戶名
* roles: 角色數(shù)組
* <p>
* iss: jwt簽發(fā)者
* sub: jwt所面向的用戶
* aud: 接收jwt的一方
* exp: jwt的過期時間弥激,這個過期時間必須要大于簽發(fā)時間
* nbf: 定義在什么時間之前进陡,該jwt都是不可用的
* iat: jwt的簽發(fā)時間
* jti: jwt的唯一身份標識,主要用來作為一次性token,從而回避重放攻擊
*
* @param username username
* @param roles roles
* @return object
*/
public static String generateToken(String username, Collection<? extends GrantedAuthority> roles) {
Set<String> roleSet = new HashSet<>();
for (GrantedAuthority authority : roles) {
roleSet.add(authority.getAuthority());
}
String[] roleArray = roleSet.toArray(new String[0]);
Date expireDate = new Date(System.currentTimeMillis() + TOKEN_LIFETIME);
return Jwts.builder()
.setSubject(username)
.setIssuedAt(new Date())
.setExpiration(expireDate)
.signWith(ALGORITHM, SECRET)
.claim(PAYLOAD_ROLES, roleArray)
.compact();
}
/**
* 解析token
* <p>
* 驗簽失敗 {@link io.jsonwebtoken.SignatureException}
*
* @param token token
* @return object
*/
private static Claims parseToken(String token) {
return Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token)
.getBody();
}
}