spring |Spring Security安全框架 —— 认证流程实现
文章目录
- 开头
- 简介
- 环境搭建
- 入门使用
- 1、认证
- 1、实体类
- 2、Controller层
- 3、Service层
- 3.1、接口
- 3.2、实现类
- 3.3、实现类:UserDetailsServiceImpl
- 4、Mapper层
- 3、自定义token认证filter
- 注意事项
- 小结
开头
- Spring Security 官方网址:Spring Security官网
开头贴官网,有事找官方!
简介
介绍的话不多说,就一句:
-
Spring Security 是一个安全管理框架。
- 一般用于中大型项目。小项目使用shiro,shiro上手简单。
- 不过,一般是这样。小项目练手用也是相当可以的。
好吧!这是三句话,没跑。
环境搭建
基于SpringBoot3搭建的项目,妥妥好用。
| 组件 | SpringBoot2.X | SpringBoot3.X |
|---|---|---|
| JDK | JDK 8、9 | JDK 17+ |
| JPA | JPA2.0+ | JPA3.0+ |
| Servlet | Servlet 3.1+ | Servlet 5.0 |
| Spring | Spring Framework 5+ | Spring Framework 6+ |
| Gradle | Gradle 4.x | Gradle7.3 |
1、依赖导入
<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.3.4</version></parent><!-- spring web--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency>
<!-- spring Security--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><!-- mybatis-plus--><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-spring-boot3-starter</artifactId><version>3.5.7</version></dependency><!-- mysql驱动--><dependency><groupId>com.mysql</groupId><artifactId>mysql-connector-j</artifactId></dependency>
2、配置文件
spring:datasource:url: jdbc:mysql://localhost:3306/dataBase?characterEncoding=utf-8&serverTimezone=Asia/Shanghaiusername: rootpassword: passworddriver-class-name: com.mysql.cj.jdbc.Driver
# mybatisPlus 配置
mybatis-plus:configuration:map-underscore-to-camel-case: true# 日志log-impl: org.apache.ibatis.logging.stdout.StdOutImplglobal-config:db-config:# 逻辑删除logic-delete-field: delFaglogic-delete-value: 1logic-not-delete-value: 0# 主键自增id-type: auto
入门使用
1、认证
废话不多说,贴个认证流程图:
1、SpringSecurity Config类
//整点实在的,一整套流程,绝对全面。
@Configuration
@EnableWebSecurity
public class SecurityConfig {@Autowiredprivate AuthenticationTokenFilter tokenFilter;@Autowiredprivate AuthenticationEntryPointImpl authenticationEntryPoint;/*PasswordEncoder是一个用于密码加密的接口,它封装了多种主流的加密方法,它们用于密码的安全存储和校验。但计算开销也相对较大,因此在面对高并发性能要求的大型信息系统时:推荐使用会话、OAuth、Token等短期加密策略来实现系统的信息安全。*/@Beanpublic PasswordEncoder getPasswordEncoder(){return new BCryptPasswordEncoder();}/*负责注册为应用程序提供认证服务的 。*/@Beanpublic AuthenticationManager authenticationManager(AuthenticationConfiguration config ) throws Exception {return config.getAuthenticationManager();}/*Security Filter是通过FilterChainProxy而不是DelegatingFilterProxy注册进SecurityFilterChain的。 过滤器链,配置*/@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception{http.csrf(csrf -> csrf.disable()); //关闭csrf防护http.authorizeHttpRequests(auth ->auth.requestMatchers("/user/login")//请求路径匹配.permitAll()//放行,不作拦截.anyRequest()//其他请求.authenticated());//认证// 自定义token 认证,用于登录后续请求放行。通过springSecurity上下文判断http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);return http.build();}1、实体类
//主要就是用:username和 password
@Data
public class SysUser implements Serializable {private static final long serialVersionUID = 662137028719131857L;private Long id;
/*** 用户名*/private String username;
/*** 昵称*/private String nickname;
/*** 密码*/private String password;
/*** 用户类型:0:普通 1:管理员*/private String type;
/*** 账号状态:0:正常 1:停用*/private String status;
/*** 邮箱*/private String email;
/*** 手机号*/private String phoneNumber;
/*** 用户性别(0:男 1:女 2 :匿名)*/private String sex;
/*** 头像*/private String avatar;private Integer isDelete;}
2、Controller层
@RestController
@RequestMapping("/user")
public class UserController {@Autowiredprivate SysUserService userService;@PostMapping("/login")public R login(@RequestBody SysUser user){return userService.login(user);}
}3、Service层
3.1、接口
public interface SysUserService extends IService<SysUser> {/*** 登录* @param user* @return*/R login(SysUser user);
}3.2、实现类
@Service
public class SysUserServiceImpl extends ServiceImpl<UserMapper, SysUser> implements SysUserService {@Autowiredprivate AuthenticationManager authenticationManager;@Overridepublic R login(SysUser user) {//重写userDetailsService 处理UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user.getUsername(),user.getPassword());Authentication authenticate = authenticationManager.authenticate(authenticationToken);if(Objects.isNull(authenticate)){throw new AppException(AppExceptionMsgEnum.LOGIN_ERROR);}//jwt令牌信息//……LoginUser loginuser = (LoginUser) authenticate.getPrincipal();//自定义返回return R.success(loginuser.getUser());}
}
3.3、实现类:UserDetailsServiceImpl
- 用于用户信息认证处理
@Service
public class UserDetailsServiceImpl implements UserDetailsService {@Autowiredprivate UserMapper userMapper;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {LambdaQueryWrapper<SysUser> queryWrapper = new LambdaQueryWrapper<>();queryWrapper.eq(SysUser::getUsername,username);SysUser userResult = userMapper.selectOne(queryWrapper);if(Objects.isNull(userResult)){throw new AppException(AppExceptionMsgEnum.LOGIN_ERROR);}return new LoginUser(userResult);}
}
4、Mapper层
public interface UserMapper extends BaseMapper<SysUser> {
}3、自定义token认证filter
@Component
public class AuthenticationTokenFilter extends OncePerRequestFilter {@Autowiredprivate UserMapper userMapper;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException, ServletException, IOException {//获取tokenString token = request.getHeader("token");String uri = request.getRequestURI();if(uri.equals("/gate/logout")){filterChain.doFilter(request,response);return;}//放行未携带token 的请求,交由后面拦截器处理if (token == null) {filterChain.doFilter(request,response);return;}//获取用户信息,这里由于没有使用jwt,所以仿制了一下SysUser user = new SysUser();user.setUsername(token);LoginUser loginUser = new LoginUser();loginUser.setUser(user);UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null,null);//存储到SecurityContextHolderSecurityContextHolder.getContext().setAuthentication(authenticationToken);//放行filterChain.doFilter(request,response);}}
注意事项
- 认证失败后,会抛出异常。使用全局异常处理器 + 自定义异常 使用。
- 自定义返回类
@Data
@JsonInclude(JsonInclude.Include.NON_NULL)// 属性为NULL 不序列化
public class R<T> {private int status;// private boolean success;private String message;private T data;@JSONField(format="yyyy-MM-dd HH:mm:ss")private DateTime time;/*** 正确result* @param data* @param <T>* @return*/public static <T> R<T> success(T data){R<T> r = new R<>();
// r.success = true;r.status = 200;r.data = data;r.message = "successful";r.time = DateTime.now();return r;}public static <T> R<T> success(String msg ,T data){R<T> r = new R<>();
// r.success = true;r.status = 200;r.data = data;r.message = msg;r.time = DateTime.now();return r;}/*** 错误result* @param msg* @param status* @param <T>* @return*/public static <T> R<T> error(String msg,int status){R<T> r = new R<>();
// r.success = false;r.status = status;r.message = msg;r.time = DateTime.now();return r;}/*** 错误result* @param msg* @param <T>* @return*/public static <T> R<T> error(String msg){R<T> r = new R<>();
// r.success = false;r.message = msg;r.time = DateTime.now();return r;}public static <T> R<T> error(AppExceptionMsgEnum appExceptionMsg){R<T> r = new R<>();
// r.success = false;r.status = appExceptionMsg.getStatus();r.message = appExceptionMsg.getMsg();r.time = DateTime.now();return r;}}
- 全局异常处理器
@RestControllerAdvice
@Slf4j
public class GlobalExceptionHandler {@ExceptionHandler(value = BadCredentialsException.class)public static <T> R<T> badCredentialsException(BadCredentialsException e) throws InterruptedException {return R.error(AppExceptionMsgEnum.LOGIN_ERROR);}@ExceptionHandler(value = Exception.class)public static <T> R<T> exceptionHandle(Exception e) throws InterruptedException {if(e instanceof AppException){AppException app = (AppException) e;return R.error(app.getMsg(),app.getStatus());}return R.error(e.toString(),500);}
}- 自定义异常
@EqualsAndHashCode(callSuper = true)
@Data
public class AppException extends RuntimeException{private int status;private String msg;public AppException(AppExceptionMsgEnum appExceptionMsgEnum) {this.status = appExceptionMsgEnum.getStatus();this.msg = appExceptionMsgEnum.getMsg();}
}- 异常枚举类
public enum AppExceptionMsgEnum {//成功SUCCESS(200,"操作成功"),//失败NEED_LOGIN(401,"需要登录后操作"),NO_OPERATION_AUTH(403,"无权限操作"),USERNAME_EXIST(501,"用户名已存在"),PHONE_NUMBER_EXITS(502,"手机号已存在"),EMAIL_EXIST(503,"邮箱已存在"),REQUIRED_USERNAME(504,"必须填写用户名"),LOGIN_ERROR(505," 用户名或密码错误"),WRONG_PAGE_PARAM(506,"wrong page param"),CONTENT_NOT_NULL(507,"评论内容不能为空"),FILENAME_ERROR(508,"上传文件错误"),ONLY_UPDATE_SELF(509,"只能修改自己的信息"),SERVER_ERROR(500,"SERVER ERROR");private int status;private String msg;AppExceptionMsgEnum(int status, String msg) {this.status = status;this.msg = msg;}public int getStatus() {return status;}public String getMsg() {return msg;}
}
例如:
- API
- 支持模型类型
小结
-
SpringSecurity5.7.0之前
- 常见的 Spring HTTP Security 配置类都会继承一个 WebSecurityConfigureAdapter 类。
-
从 5.7.0-M2 起,WebSecurityConfigureAdapter 被废弃了,不推荐使用。
- 组件化开始,更加灵活。
-
基础认证功能完成。完结撒花!!
