SpringSecurity 实现token 认证
-
配置类
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {@Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean(); }// 由于过滤器 比 servelt 先加载 在这里注入一下 负责 TokenAuthenticationTokenFilter 中redisuntity @Bean public TokenAuthenticationTokenFilter getTokenFiter(){return new TokenAuthenticationTokenFilter(); } @Override protected void configure(HttpSecurity http) throws Exception {//http.addFilterBefore(new VerCodeFi lter("/Login/Login"), UsernamePasswordAuthenticationFilter.class);http.addFilterBefore(getTokenFiter(), UsernamePasswordAuthenticationFilter.class);http.authorizeRequests().antMatchers("/Login/**").permitAll() // 放行Login.anyRequest().authenticated() // 所有请求都需要验证.and().formLogin() // 使用默认的登录页面.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable();// post请求要关闭csrf验证,不然访问报错;实际开发中开启,需要前端配合传递其他参数 }}
-
定义token 验证过滤器
public class TokenAuthenticationTokenFilter extends OncePerRequestFilter {
@Autowired private RedisUtils redisUtils;public TokenAuthenticationTokenFilter(){ }@Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {//1、获取请求头携带的tokenString token = request.getHeader("token");if(!StringUtils.hasText(token)){//不需要token的路由可以直接放行filterChain.doFilter(request,response);return;}Object o =redisUtils.get(token);if (o==null){response.setStatus(200);response.setCharacterEncoding("utf-8");response.getWriter().write(JSON.toJSONString(Result.failed(401,"token 非法","")));return;}Map<String,String> maps=new HashMap<>();Map Values = JSON.parseObject(o.toString(), maps.getClass());Collection<GrantedAuthority> authorities = new ArrayList<>();authorities.add(new SimpleGrantedAuthority(Values.get("role").toString()));UsernamePasswordAuthenticationToken authenticationToken=new UsernamePasswordAuthenticationToken(new Userdto(), null, authorities);SecurityContextHolder.getContext().setAuthentication(authenticationToken);filterChain.doFilter(request,response); //放行 }}