欧美bbbwbbbw肥妇,免费乱码人妻系列日韩,一级黄片

基于Spring Security前后端分離的權(quán)限控制系統(tǒng)問題

 更新時(shí)間:2021年06月20日 15:10:49   作者:廢物大師兄  
本文給大家分享基于Spring Security前后端分離的權(quán)限控制系統(tǒng)問題,需要了解權(quán)限如何加載,權(quán)限匹配規(guī)則和登錄的實(shí)現(xiàn)代碼,對Spring Security權(quán)限控制系統(tǒng)相關(guān)知識感興趣的朋友一起看看吧

前后端分離的項(xiàng)目,前端有菜單(menu),后端有API(backendApi),一個(gè)menu對應(yīng)的頁面有N個(gè)API接口來支持,本文介紹如何基于Spring Security前后端分離的權(quán)限控制系統(tǒng)問題。

話不多說,入正題。一個(gè)簡單的權(quán)限控制系統(tǒng)需要考慮的問題如下:

  1. 權(quán)限如何加載
  2. 權(quán)限匹配規(guī)則
  3. 登錄

1. 引入maven依賴

<?xml version="1.0" encoding="UTF-8"?>
  <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.1</version>
        <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>com.example</groupId>
     <artifactId>demo5</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <name>demo5</name>
 
     <properties>
         <java.version>1.8</java.version>
     </properties>
 
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-redis</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
 
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
             <version>0.9.1</version>
         </dependency>
 
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>fastjson</artifactId>
             <version>1.2.76</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
             <version>3.12.0</version>
         </dependency>
         <dependency>
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>
             <version>1.15</version>
         </dependency>
 
         <dependency>
             <groupId>mysql</groupId>
             <artifactId>mysql-connector-java</artifactId>
             <scope>runtime</scope>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
             <optional>true</optional>
         </dependency>
     </dependencies>
 
     <build>
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
                 <configuration>
                     <excludes>
                         <exclude>
                             <groupId>org.projectlombok</groupId>
                             <artifactId>lombok</artifactId>
                         </exclude>
                     </excludes>
                 </configuration>
             </plugin>
         </plugins>
     </build>
 
 </project>

application.properties配置

server.port=8080
 server.servlet.context-path=/demo
 
 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
 spring.datasource.url=jdbc:mysql://localhost:3306/demo?useUnicode=true&characterEncoding=utf8
 spring.datasource.username=root
 spring.datasource.password=123456
 
spring.jpa.database=mysql
 spring.jpa.open-in-view=true
 spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true
 spring.jpa.show-sql=true
 
 spring.redis.host=192.168.28.31
 spring.redis.port=6379
 spring.redis.password=123456

2. 建表并生成相應(yīng)的實(shí)體類

SysUser.java

package com.example.demo5.entity;
  
  import lombok.Getter;
  import lombok.Setter;
 
 import javax.persistence.*;
  import java.io.Serializable;
  import java.time.LocalDate;
  import java.util.Set;
 
 /**
  * 用戶表
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Setter
 @Getter
 @Entity
 @Table(name = "sys_user")
 public class SysUserEntity implements Serializable {
 
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     @Column(name = "id")
     private Integer id;
 
     @Column(name = "username")
     private String username;
 
     @Column(name = "password")
     private String password;
 
     @Column(name = "mobile")
     private String mobile;
 
     @Column(name = "enabled")
     private Integer enabled;
 
     @Column(name = "create_time")
     private LocalDate createTime;
 
     @Column(name = "update_time")
     private LocalDate updateTime;
 
     @OneToOne
     @JoinColumn(name = "dept_id")
     private SysDeptEntity dept;
 
     @ManyToMany
     @JoinTable(name = "sys_user_role",
             joinColumns = {@JoinColumn(name = "user_id", referencedColumnName = "id")},
             inverseJoinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")})
     private Set<SysRoleEntity> roles;
 
 }

SysDept.java

部門相當(dāng)于用戶組,這里簡化了一下,用戶組沒有跟角色管理

package com.example.demo5.entity;
  
  import lombok.Data;
  
  import javax.persistence.*;
  import java.io.Serializable;
  import java.util.Set;
  
  /**
  * 部門表
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Data
 @Entity
 @Table(name = "sys_dept")
 public class SysDeptEntity implements Serializable {
 
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     @Column(name = "id")
     private Integer id;
 
     /**
      * 部門名稱
      */
     @Column(name = "name")
     private String name;
 
     /**
      * 父級部門ID
      */
     @Column(name = "pid")
     private Integer pid;
 
 //    @ManyToMany(mappedBy = "depts")
 //    private Set<SysRoleEntity> roles;
 }

SysMenu.java

菜單相當(dāng)于權(quán)限

package com.example.demo5.entity;
  
  import lombok.Data;
  import lombok.Getter;
  import lombok.Setter;
  
  import javax.persistence.*;
  import java.io.Serializable;
 import java.util.Set;
 
 /**
  * 菜單表
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Setter
 @Getter
 @Entity
 @Table(name = "sys_menu")
 public class SysMenuEntity implements Serializable {
 
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     @Column(name = "id")
     private Integer id;
 
     /**
      * 資源編碼
      */
     @Column(name = "code")
     private String code;
 
     /**
      * 資源名稱
      */
     @Column(name = "name")
     private String name;
 
     /**
      * 菜單/按鈕URL
      */
     @Column(name = "url")
     private String url;
 
     /**
      * 資源類型(1:菜單,2:按鈕)
      */
     @Column(name = "type")
     private Integer type;
 
     /**
      * 父級菜單ID
      */
     @Column(name = "pid")
     private Integer pid;
 
     /**
      * 排序號
      */
     @Column(name = "sort")
     private Integer sort;
 
     @ManyToMany(mappedBy = "menus")
     private Set<SysRoleEntity> roles;
 
 }

SysRole.java

package com.example.demo5.entity;
  
  import lombok.Data;
  import lombok.Getter;
  import lombok.Setter;
  
  import javax.persistence.*;
  import java.io.Serializable;
  import java.util.Set;
 
 /**
  * 角色表
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Setter
 @Getter
 @Entity
 @Table(name = "sys_role")
 public class SysRoleEntity implements Serializable {
 
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     @Column(name = "id")
     private Integer id;
 
     /**
      * 角色名稱
      */
     @Column(name = "name")
     private String name;
 
     @ManyToMany(mappedBy = "roles")
     private Set<SysUserEntity> users;
 
     @ManyToMany
     @JoinTable(name = "sys_role_menu",
             joinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")},
             inverseJoinColumns = {@JoinColumn(name = "menu_id", referencedColumnName = "id")})
     private Set<SysMenuEntity> menus;
 
 //    @ManyToMany
 //    @JoinTable(name = "sys_dept_role",
 //            joinColumns = {@JoinColumn(name = "role_id", referencedColumnName = "id")},
 //            inverseJoinColumns = {@JoinColumn(name = "dept_id", referencedColumnName = "id")})
 //    private Set<SysDeptEntity> depts;
 
 }

注意,不要使用@Data注解,因?yàn)锧Data包含@ToString注解

不要隨便打印SysUser,例如:System.out.println(sysUser); 任何形式的toString()調(diào)用都不要有,否則很有可能造成循環(huán)調(diào)用,死遞歸。想想看,SysUser里面要查SysRole,SysRole要查SysMenu,SysMenu又要查SysRole。除非不用懶加載。

3. 自定義UserDetails

雖然可以使用Spring Security自帶的User,但是筆者還是強(qiáng)烈建議自定義一個(gè)UserDetails,后面可以直接將其序列化成json緩存到redis中

package com.example.demo5.domain;
  
  import lombok.Setter;
  import org.springframework.security.core.GrantedAuthority;
  import org.springframework.security.core.authority.SimpleGrantedAuthority;
  import org.springframework.security.core.userdetails.User;
  import org.springframework.security.core.userdetails.UserDetails;
  
  import java.util.Collection;
 import java.util.Set;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/6/12
  * @see User
  * @see org.springframework.security.core.userdetails.User
  */
 @Setter
 public class MyUserDetails implements UserDetails {
 
     private String username;
     private String password;
     private boolean enabled;
 //    private Collection<? extends GrantedAuthority> authorities;
     private Set<SimpleGrantedAuthority> authorities;
 
     public MyUserDetails(String username, String password, boolean enabled, Set<SimpleGrantedAuthority> authorities) {
         this.username = username;
         this.password = password;
         this.enabled = enabled;
         this.authorities = authorities;
     }
 
     @Override
     public Collection<? extends GrantedAuthority> getAuthorities() {
         return authorities;
     }
 
     @Override
     public String getPassword() {
         return password;
     }
 
     @Override
     public String getUsername() {
         return username;
     }
 
     @Override
     public boolean isAccountNonExpired() {
         return true;
     }
 
     @Override
     public boolean isAccountNonLocked() {
         return true;
     }
 
     @Override
     public boolean isCredentialsNonExpired() {
         return true;
     }
 
     @Override
     public boolean isEnabled() {
         return enabled;
     }
 }

都自定義UserDetails了,當(dāng)然要自己實(shí)現(xiàn)UserDetailsService了。這里當(dāng)時(shí)偷懶直接用自帶的User,后面放緩存的時(shí)候才知道不方便。

package com.example.demo5.service;
  
  import com.example.demo5.entity.SysMenuEntity;
  import com.example.demo5.entity.SysRoleEntity;
  import com.example.demo5.entity.SysUserEntity;
  import com.example.demo5.repository.SysUserRepository;
  import org.apache.commons.lang3.StringUtils;
  import org.springframework.security.core.authority.SimpleGrantedAuthority;
  import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Service
 public class MyUserDetailsService implements UserDetailsService {
     @Resource
     private SysUserRepository sysUserRepository;
 
     @Override
     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
         SysUserEntity sysUserEntity = sysUserRepository.findByUsername(username);
         Set<SysRoleEntity> roleSet = sysUserEntity.getRoles();
         Set<SimpleGrantedAuthority> authorities = roleSet.stream().flatMap(role->role.getMenus().stream())
                 .filter(menu-> StringUtils.isNotBlank(menu.getCode()))
                 .map(SysMenuEntity::getCode)
                 .map(SimpleGrantedAuthority::new)
                 .collect(Collectors.toSet());
         User user = new User(sysUserEntity.getUsername(), sysUserEntity.getPassword(), authorities);
         return user;
     }
 }

算了,還是改過來吧

package com.example.demo5.service;
  
  import com.example.demo5.domain.MyUserDetails;
  import com.example.demo5.entity.SysMenuEntity;
  import com.example.demo5.entity.SysRoleEntity;
  import com.example.demo5.entity.SysUserEntity;
  import com.example.demo5.repository.SysUserRepository;
  import org.apache.commons.lang3.StringUtils;
  import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @Service
 public class MyUserDetailsService implements UserDetailsService {
     @Resource
     private SysUserRepository sysUserRepository;
 
     @Override
     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
         SysUserEntity sysUserEntity = sysUserRepository.findByUsername(username);
         Set<SysRoleEntity> roleSet = sysUserEntity.getRoles();
         Set<SimpleGrantedAuthority> authorities = roleSet.stream().flatMap(role->role.getMenus().stream())
                 .filter(menu-> StringUtils.isNotBlank(menu.getCode()))
                 .map(SysMenuEntity::getCode)
                 .map(SimpleGrantedAuthority::new)
                 .collect(Collectors.toSet());
 //        return new User(sysUserEntity.getUsername(), sysUserEntity.getPassword(), authorities);
         return new MyUserDetails(sysUserEntity.getUsername(), sysUserEntity.getPassword(), 1==sysUserEntity.getEnabled(), authorities);
     }
 }

4. 自定義各種Handler

登錄成功

package com.example.demo5.handler;
  
  import com.alibaba.fastjson.JSON;
  import com.example.demo5.domain.MyUserDetails;
  import com.example.demo5.domain.RespResult;
  import com.example.demo5.util.JwtUtils;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.concurrent.TimeUnit;
 
 /**
  * 登錄成功
  */
 @Component
 public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Autowired
     private StringRedisTemplate stringRedisTemplate;
 
     @Override
     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
         MyUserDetails user = (MyUserDetails) authentication.getPrincipal();
         String username = user.getUsername();
         String token = JwtUtils.createToken(username);
         stringRedisTemplate.opsForValue().set("TOKEN:" + token, JSON.toJSONString(user), 60, TimeUnit.MINUTES);
 
         response.setContentType("application/json;charset=utf-8");
         PrintWriter writer = response.getWriter();
         writer.write(objectMapper.writeValueAsString(new RespResult<>(1, "success", token)));
         writer.flush();
         writer.close();
     }
 }

登錄失敗

package com.example.demo5.handler;
  
  import com.example.demo5.domain.RespResult;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.security.core.AuthenticationException;
  import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
  import org.springframework.stereotype.Component;
  
  import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 
 /**
  * 登錄失敗
  */
 @Component
 public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Override
     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
         response.setContentType("application/json;charset=utf-8");
         PrintWriter writer = response.getWriter();
         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, exception.getMessage(), null)));
         writer.flush();
         writer.close();
     }
 }

未登錄

package com.example.demo5.handler;
  
  import com.example.demo5.domain.RespResult;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.security.core.AuthenticationException;
  import org.springframework.security.web.AuthenticationEntryPoint;
  import org.springframework.stereotype.Component;
  
  import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 
 /**
  * 未認(rèn)證(未登錄)統(tǒng)一處理
  * @Author ChengJianSheng
  * @Date 2021/5/7
  */
 @Component
 public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
         response.setContentType("application/json;charset=utf-8");
         PrintWriter writer = response.getWriter();
         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, "未登錄,請先登錄", null)));
         writer.flush();
         writer.close();
     }
 }

未授權(quán)

package com.example.demo5.handler;
  
  import com.example.demo5.domain.RespResult;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.security.access.AccessDeniedException;
  import org.springframework.security.web.access.AccessDeniedHandler;
  import org.springframework.stereotype.Component;
  
  import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 
 @Component
 public class MyAccessDeniedHandler implements AccessDeniedHandler {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
         response.setContentType("application/json;charset=utf-8");
         PrintWriter writer = response.getWriter();
         writer.write(objectMapper.writeValueAsString(new RespResult<>(0, "抱歉,您沒有權(quán)限訪問", null)));
         writer.flush();
         writer.close();
     }
 }

Session過期

package com.example.demo5.handler;
  
  import com.example.demo5.domain.RespResult;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.security.web.session.SessionInformationExpiredEvent;
  import org.springframework.security.web.session.SessionInformationExpiredStrategy;
  
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 
 public class MyExpiredSessionStrategy implements SessionInformationExpiredStrategy {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Override
     public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
         String msg = "登錄超時(shí)或已在另一臺機(jī)器登錄,您被迫下線!";
         RespResult respResult = new RespResult(0, msg, null);
         HttpServletResponse response = event.getResponse();
         response.setContentType("application/json;charset=utf-8");
         PrintWriter writer = response.getWriter();
         writer.write(objectMapper.writeValueAsString(respResult));
         writer.flush();
         writer.close();
     }
 }

退出成功

package com.example.demo5.handler;
  
  import com.fasterxml.jackson.databind.ObjectMapper;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.data.redis.core.StringRedisTemplate;
  import org.springframework.security.core.Authentication;
  import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
  import org.springframework.stereotype.Component;
  
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
 
 @Component
 public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
 
     private static ObjectMapper objectMapper = new ObjectMapper();
 
     @Autowired
     private StringRedisTemplate stringRedisTemplate;
 
     @Override
     public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
         String token = request.getHeader("token");
         stringRedisTemplate.delete("TOKEN:" + token);
 
         response.setContentType("application/json;charset=utf-8");
         PrintWriter printWriter = response.getWriter();
         printWriter.write(objectMapper.writeValueAsString("logout success"));
         printWriter.flush();
         printWriter.close();
     }
 }

5. Token處理

現(xiàn)在由于前后端分離,服務(wù)端不再維持Session,于是需要token來作為訪問憑證

token工具類

package com.example.demo5.util;
  
  import io.jsonwebtoken.*;
  
  import java.util.Date;
  import java.util.HashMap;
  import java.util.Map;
  import java.util.function.Function;
  
 /**
  * @Author ChengJianSheng
  * @Date 2021/5/7
  */
 public class JwtUtils {
 
     private static long TOKEN_EXPIRATION = 24 * 60 * 60 * 1000;
     private static String TOKEN_SECRET_KEY = "123456";
 
     /**
      * 生成Token
      * @param subject   用戶名
      * @return
      */
     public static String createToken(String subject) {
         long currentTimeMillis = System.currentTimeMillis();
         Date currentDate = new Date(currentTimeMillis);
         Date expirationDate = new Date(currentTimeMillis + TOKEN_EXPIRATION);
 
         //  存放自定義屬性,比如用戶擁有的權(quán)限
         Map<String, Object> claims = new HashMap<>();
 
         return Jwts.builder()
                 .setClaims(claims)
                 .setSubject(subject)
                 .setIssuedAt(currentDate)
                 .setExpiration(expirationDate)
                 .signWith(SignatureAlgorithm.HS512, TOKEN_SECRET_KEY)
                 .compact();
     }
 
     public static String extractUsername(String token) {
         return extractClaim(token, Claims::getSubject);
     }
 
     public static boolean isTokenExpired(String token) {
         return extractExpiration(token).before(new Date());
     }
 
     public static Date extractExpiration(String token) {
         return extractClaim(token, Claims::getExpiration);
     }
 
     public static <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
         final Claims claims = extractAllClaims(token);
         return claimsResolver.apply(claims);
     }
 
     private static Claims extractAllClaims(String token) {
         return Jwts.parser().setSigningKey(TOKEN_SECRET_KEY).parseClaimsJws(token).getBody();
     }
 
 }

前后端約定登錄成功以后,將token放到header中。于是,我們需要過濾器來處理請求Header中的token,為此定義一個(gè)TokenFilter

package com.example.demo5.filter;
  
  import com.alibaba.fastjson.JSON;
  import com.example.demo5.domain.MyUserDetails;
  import org.apache.commons.lang3.StringUtils;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.data.redis.core.StringRedisTemplate;
  import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/6/17
  */
 @Component
 public class TokenFilter extends OncePerRequestFilter {
 
     @Autowired
     private StringRedisTemplate stringRedisTemplate;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
         String token = request.getHeader("token");
         System.out.println("請求頭中帶的token: " + token);
         String key = "TOKEN:" + token;
         if (StringUtils.isNotBlank(token)) {
             String value = stringRedisTemplate.opsForValue().get(key);
             if (StringUtils.isNotBlank(value)) {
 //                String username = JwtUtils.extractUsername(token);
                 MyUserDetails user = JSON.parseObject(value, MyUserDetails.class);
                 if (null != user && null == SecurityContextHolder.getContext().getAuthentication()) {
                     UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                     SecurityContextHolder.getContext().setAuthentication(authenticationToken);
 
                     //  刷新token
                     //  如果生存時(shí)間小于10分鐘,則再續(xù)1小時(shí)
                     long time = stringRedisTemplate.getExpire(key);
                     if (time < 600) {
                         stringRedisTemplate.expire(key, (time + 3600), TimeUnit.SECONDS);
                     }
                 }
             }
         }
 
         chain.doFilter(request, response);
     }
 }

token過濾器做了兩件事,一是獲取header中的token,構(gòu)造UsernamePasswordAuthenticationToken放入上下文中。權(quán)限可以從數(shù)據(jù)庫中再查一遍,也可以直接從之前的緩存中獲取。二是為token續(xù)期,即刷新token。

由于我們采用jwt生成token,因此沒法中途更改token的有效期,只能將其放到Redis中,通過更改Redis中key的生存時(shí)間來控制token的有效期。

6. 訪問控制

首先來定義資源

package com.example.demo5.controller;
  
  import org.springframework.security.access.prepost.PreAuthorize;
  import org.springframework.web.bind.annotation.GetMapping;
  import org.springframework.web.bind.annotation.RequestMapping;
  import org.springframework.web.bind.annotation.RestController;
  
  /**
   * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @RestController
 @RequestMapping("/hello")
 public class HelloController {
 
     @PreAuthorize("@myAccessDecisionService.hasPermission('hello:sayHello')")
     @GetMapping("/sayHello")
     public String sayHello() {
         return "hello";
     }
 
     @PreAuthorize("@myAccessDecisionService.hasPermission('hello:sayHi')")
     @GetMapping("/sayHi")
     public String sayHi() {
         return "hi";
     }
 }

資源的訪問控制我們通過判斷是否有相應(yīng)的權(quán)限字符串

package com.example.demo5.service;
  
  import org.springframework.security.core.Authentication;
  import org.springframework.security.core.GrantedAuthority;
  import org.springframework.security.core.authority.SimpleGrantedAuthority;
  import org.springframework.security.core.context.SecurityContextHolder;
  import org.springframework.security.core.userdetails.UserDetails;
  import org.springframework.stereotype.Component;
  
 import java.util.Set;
 import java.util.stream.Collectors;
 
 @Component("myAccessDecisionService")
 public class MyAccessDecisionService {
 
     public boolean hasPermission(String permission) {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         Object principal = authentication.getPrincipal();
         if (principal instanceof UserDetails) {
             UserDetails userDetails = (UserDetails) principal;
 //            SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority(permission);
             Set<String> set = userDetails.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
             return set.contains(permission);
         }
         return false;
     }
 }

7. 配置WebSecurity

package com.example.demo5.config;
  
  import com.example.demo5.filter.TokenFilter;
  import com.example.demo5.handler.*;
  import com.example.demo5.service.MyUserDetailsService;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/6/12
  */
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Autowired
     private MyUserDetailsService myUserDetailsService;
     @Autowired
     private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
     @Autowired
     private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
     @Autowired
     private TokenFilter tokenFilter;
 
     @Override
     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
         auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
     }
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.formLogin()
 //                .usernameParameter("username")
 //                .passwordParameter("password")
 //                .loginPage("/login.html")
                 .successHandler(myAuthenticationSuccessHandler)
                 .failureHandler(myAuthenticationFailureHandler)
                 .and()
                 .logout().logoutSuccessHandler(new MyLogoutSuccessHandler())
                 .and()
                 .authorizeRequests()
                 .antMatchers("/demo/login").permitAll()
 //                .antMatchers("/css/**", "/js/**", "/**/images/*.*").permitAll()
 //                .regexMatchers(".+[.]jpg").permitAll()
 //                .mvcMatchers("/hello").servletPath("/demo").permitAll()
                 .anyRequest().authenticated()
                 .and()
                 .exceptionHandling()
                 .accessDeniedHandler(new MyAccessDeniedHandler())
                 .authenticationEntryPoint(new MyAuthenticationEntryPoint())
                 .and()
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                 .maximumSessions(1)
                 .maxSessionsPreventsLogin(false)
                 .expiredSessionStrategy(new MyExpiredSessionStrategy());
 
         http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
 
         http.csrf().disable();
     }
 
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
 
     public static void main(String[] args) {
         System.out.println(new BCryptPasswordEncoder().encode("123456"));
     }
 }

注意,我們將自定義的TokenFilter放到UsernamePasswordAuthenticationFilter之前

所有過濾器的順序可以查看 org.springframework.security.config.annotation.web.builders.FilterComparator 或者org.springframework.security.config.annotation.web.builders.FilterOrderRegistration

8. 看效果

9. 補(bǔ)充:手機(jī)號+短信驗(yàn)證碼登錄

參照org.springframework.security.authentication.UsernamePasswordAuthenticationToken寫一個(gè)短信認(rèn)證Token

package com.example.demo5.filter;
  
  import org.springframework.security.authentication.AbstractAuthenticationToken;
  import org.springframework.security.core.GrantedAuthority;
  import org.springframework.security.core.SpringSecurityCoreVersion;
  import org.springframework.util.Assert;
  
  import java.util.Collection;
  
 /**
  * @Author ChengJianSheng
  * @Date 2021/5/12
  */
 public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
 
     private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
     private final Object principal;
 
     private Object credentials;
 
     public SmsCodeAuthenticationToken(Object principal, Object credentials) {
         super(null);
         this.principal = principal;
         this.credentials = credentials;
         setAuthenticated(false);
     }
 
     public SmsCodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
         super(authorities);
         this.principal = principal;
         this.credentials = credentials;
         super.setAuthenticated(true);
     }
 
     @Override
     public Object getCredentials() {
         return credentials;
     }
 
     @Override
     public Object getPrincipal() {
         return principal;
     }
 
     @Override
     public void setAuthenticated(boolean authenticated) {
         Assert.isTrue(!authenticated, "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
         super.setAuthenticated(false);
     }
 
     @Override
     public void eraseCredentials() {
         super.eraseCredentials();
     }
 }

參照org.springframework.security.authentication.dao.DaoAuthenticationProvider寫一個(gè)自己的短信認(rèn)證Provider

package com.example.demo5.filter;
 
  import com.example.demo.service.MyUserDetailsService;
  import org.apache.commons.lang3.StringUtils;
  import org.springframework.security.authentication.AuthenticationProvider;
  import org.springframework.security.authentication.BadCredentialsException;
  import org.springframework.security.core.Authentication;
  import org.springframework.security.core.AuthenticationException;
  import org.springframework.security.core.userdetails.UserDetails;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/5/12
  */
 public class SmsAuthenticationProvider implements AuthenticationProvider {
 
     private MyUserDetailsService myUserDetailsService;
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
         //  校驗(yàn)驗(yàn)證碼
         additionalAuthenticationChecks((SmsCodeAuthenticationToken) authentication);
 
         //  校驗(yàn)手機(jī)號
         String mobile = authentication.getPrincipal().toString();
 
         UserDetails userDetails = myUserDetailsService.loadUserByMobile(mobile);
 
         if (null == userDetails) {
             throw new BadCredentialsException("手機(jī)號不存在");
         }
 
         //  創(chuàng)建認(rèn)證成功的Authentication對象
         SmsCodeAuthenticationToken result = new SmsCodeAuthenticationToken(userDetails, userDetails.getAuthorities());
         result.setDetails(authentication.getDetails());
 
         return result;
     }
 
     protected void additionalAuthenticationChecks(SmsCodeAuthenticationToken authentication) throws AuthenticationException {
         if (authentication.getCredentials() == null) {
             throw new BadCredentialsException("驗(yàn)證碼不能為空");
         }
         String mobile = authentication.getPrincipal().toString();
         String smsCode = authentication.getCredentials().toString();
 
         //  從Session或者Redis中獲取相應(yīng)的驗(yàn)證碼
         String smsCodeInSessionKey = "SMS_CODE_" + mobile;
 //        String verificationCode = sessionStrategy.getAttribute(servletWebRequest, smsCodeInSessionKey);
 //        String verificationCode = stringRedisTemplate.opsForValue().get(smsCodeInSessionKey);
         String verificationCode = "1234";
 
         if (StringUtils.isBlank(verificationCode)) {
             throw new BadCredentialsException("短信驗(yàn)證碼不存在,請重新發(fā)送!");
         }
         if (!smsCode.equalsIgnoreCase(verificationCode)) {
             throw new BadCredentialsException("驗(yàn)證碼錯(cuò)誤!");
         }
 
         //todo  清除Session或者Redis中獲取相應(yīng)的驗(yàn)證碼
     }
 
     @Override
     public boolean supports(Class<?> authentication) {
         return (SmsCodeAuthenticationToken.class.isAssignableFrom(authentication));
     }
 
     public MyUserDetailsService getMyUserDetailsService() {
         return myUserDetailsService;
     }
 
     public void setMyUserDetailsService(MyUserDetailsService myUserDetailsService) {
         this.myUserDetailsService = myUserDetailsService;
     }
 }

參照org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter寫一個(gè)短信認(rèn)證處理的過濾器

package com.example.demo.filter;
  
  import org.springframework.security.authentication.AuthenticationManager;
  import org.springframework.security.authentication.AuthenticationServiceException;
  import org.springframework.security.core.Authentication;
  import org.springframework.security.core.AuthenticationException;
  import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
  import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/5/12
  */
 public class SmsAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
     public static final String SPRING_SECURITY_FORM_MOBILE_KEY = "mobile";
 
     public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "smsCode";
 
     private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login/mobile", "POST");
 
     private String usernameParameter = SPRING_SECURITY_FORM_MOBILE_KEY;
 
     private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
 
     private boolean postOnly = true;
 
     public SmsAuthenticationFilter() {
         super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
     }
 
     public SmsAuthenticationFilter(AuthenticationManager authenticationManager) {
         super(DEFAULT_ANT_PATH_REQUEST_MATCHER, authenticationManager);
     }
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
         if (postOnly && !request.getMethod().equals("POST")) {
             throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
         }
 
         String mobile = obtainMobile(request);
         mobile = (mobile != null) ? mobile : "";
         mobile = mobile.trim();
         String smsCode = obtainPassword(request);
         smsCode = (smsCode != null) ? smsCode : "";
 
         SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile, smsCode);
 
         setDetails(request, authRequest);
 
         return this.getAuthenticationManager().authenticate(authRequest);
     }
 
     private String obtainMobile(HttpServletRequest request) {
         return request.getParameter(this.usernameParameter);
     }
 
     private String obtainPassword(HttpServletRequest request) {
         return request.getParameter(this.passwordParameter);
     }
 
     protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
         authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
     }
 }

在WebSecurity中進(jìn)行配置

package com.example.demo.config;
  
  import com.example.demo.filter.SmsAuthenticationFilter;
  import com.example.demo.filter.SmsAuthenticationProvider;
  import com.example.demo.handler.MyAuthenticationFailureHandler;
  import com.example.demo.handler.MyAuthenticationSuccessHandler;
  import com.example.demo.service.MyUserDetailsService;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.stereotype.Component;
 
 /**
  * @Author ChengJianSheng
  * @Date 2021/5/12
  */
 @Component
 public class SmsAuthenticationConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
 
     @Autowired
     private MyUserDetailsService myUserDetailsService;
     @Autowired
     private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
     @Autowired
     private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
 
     @Override
     public void configure(HttpSecurity http) throws Exception {
         SmsAuthenticationFilter smsAuthenticationFilter = new SmsAuthenticationFilter();
         smsAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
         smsAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler);
         smsAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
 
         SmsAuthenticationProvider smsAuthenticationProvider = new SmsAuthenticationProvider();
         smsAuthenticationProvider.setMyUserDetailsService(myUserDetailsService);
 
         http.authenticationProvider(smsAuthenticationProvider)
                 .addFilterAfter(smsAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
     }
 }
 http.apply(smsAuthenticationConfig);

以上就是基于 Spring Security前后端分離的權(quán)限控制系統(tǒng)的詳細(xì)內(nèi)容,更多關(guān)于Spring Security權(quán)限控制系統(tǒng)的資料請關(guān)注腳本之家其它相關(guān)文章!

相關(guān)文章

  • 詳解MyBatis resultType與resultMap中的幾種返回類型

    詳解MyBatis resultType與resultMap中的幾種返回類型

    本文主要介紹了MyBatis resultType與resultMap中的幾種返回類型,文中通過示例代碼介紹的非常詳細(xì),具有一定的參考價(jià)值,感興趣的小伙伴們可以參考一下
    2021-09-09
  • Java web自定義filter代碼實(shí)例

    Java web自定義filter代碼實(shí)例

    這篇文章主要介紹了Java web自定義filter代碼實(shí)例,文中通過示例代碼介紹的非常詳細(xì),對大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友可以參考下
    2020-12-12
  • MyBatisPlus中@TableField注解的基本使用

    MyBatisPlus中@TableField注解的基本使用

    這篇文章主要介紹了MyBatisPlus中@TableField注解的基本使用,具有很好的參考價(jià)值,希望對大家有所幫助。如有錯(cuò)誤或未考慮完全的地方,望不吝賜教
    2023-07-07
  • springboot項(xiàng)目啟動類錯(cuò)誤(找不到或無法加載主類 com.**Application)

    springboot項(xiàng)目啟動類錯(cuò)誤(找不到或無法加載主類 com.**Application)

    本文主要介紹了spring-boot項(xiàng)目啟動類錯(cuò)誤(找不到或無法加載主類 com.**Application),文中通過示例代碼介紹的非常詳細(xì),對大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友們下面隨著小編來一起學(xué)習(xí)學(xué)習(xí)吧
    2024-05-05
  • SpringBoot靜態(tài)資源css,js,img配置方案

    SpringBoot靜態(tài)資源css,js,img配置方案

    這篇文章主要介紹了SpringBoot靜態(tài)資源css,js,img配置方案,下文給大家分享了三種解決方案,需要的朋友可以參考下
    2017-07-07
  • Java線程中synchronized和volatile關(guān)鍵字的區(qū)別詳解

    Java線程中synchronized和volatile關(guān)鍵字的區(qū)別詳解

    這篇文章主要介紹了Java線程中synchronized和volatile關(guān)鍵字的區(qū)別詳解,synchronzied既能夠保障可見性,又能保證原子性,而volatile只能保證可見性,無法保證原子性,volatile不需要加鎖,比synchronized更輕量級,不會阻塞線程,需要的朋友可以參考下
    2024-01-01
  • Java中雙向鏈表詳解及實(shí)例

    Java中雙向鏈表詳解及實(shí)例

    這篇文章主要介紹了Java中雙向鏈表詳解及實(shí)例的相關(guān)資料,需要的朋友可以參考下
    2017-04-04
  • Java?不同版本的?Switch語句

    Java?不同版本的?Switch語句

    本文主要介紹了Java不同版本的Switch語句,自Java13以來,Switch表達(dá)式就被添加到Java核心庫中,下面我們將介紹舊的Java?Switch語句和新的Switch語句的區(qū)別,需要的朋友可以參考一下
    2022-06-06
  • eclipse實(shí)現(xiàn)Schnorr數(shù)字簽名

    eclipse實(shí)現(xiàn)Schnorr數(shù)字簽名

    這篇文章主要為大家詳細(xì)介紹了eclipse實(shí)現(xiàn)Schnorr數(shù)字簽名,文中示例代碼介紹的非常詳細(xì),具有一定的參考價(jià)值,感興趣的小伙伴們可以參考一下
    2020-06-06
  • SpringBoot2.1.4中的錯(cuò)誤處理機(jī)制

    SpringBoot2.1.4中的錯(cuò)誤處理機(jī)制

    這篇文章主要介紹了SpringBoot2.1.4中的錯(cuò)誤處理機(jī)制,具有很好的參考價(jià)值,希望對大家有所幫助。如有錯(cuò)誤或未考慮完全的地方,望不吝賜教
    2021-10-10

最新評論