SpringSecurity+Jwt实现token权限验证
1,首先先贴一下项目结构更容易梳理思路,文章较长请细心阅读。
2.创建User用户和UserPermissons用户权限实体类,在生成token时会需要用户的账号密码和权限。还需要几个工具类,现在一步步为大家展示。
yml配置文件
# 端口
server:
port: 8080
# 数据库连接配置
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://localhost:3306/数据库?useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
username: root
password: root
# 自定义jwt key
jwt:
tokenHeader: Authorization #JWT存储的请求头
secret: java@java #JWT加解密使用的**
expiration: 600 #JWT的超期限时间60*10
tokenHead: Bearer #JWT负载中拿到开头
# 配置Swagger
swagger:
basePackage: com.mujiwulian.controller
title: Swagger-ui测试
description: SpringSecurity接口测试
version: 1.0
创建JwtTokenUtil工具类,这个类用来生成包含权限账户密码的token。
package com.mujiwulian.util;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
/**
* @author zhang
* @since 2020-06-19
* TODO JwtToken生成的工具类
*/
@Component
public class JwtTokenUtil {
private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);
private static final String CLAIM_KEY_USERNAME = "sub";
private static final String CLAIM_KEY_CREATED = "created";
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
@Value("${jwt.tokenHead}")
private String tokenHead;
/**
* 从token中获取JWT中的负载
*/
private Claims getClaimsFromToken(String token) {
Claims claims = null;
try {
claims = Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
} catch (Exception e) {
LOGGER.info("JWT格式验证失败:{}",token);
}
return claims;
}
/**
* 生成token的过期时间
*/
private Date generateExpirationDate() {
return new Date(System.currentTimeMillis() + expiration * 1000);
}
/**
* 从token中获取登录用户名
* 从token中获取登录用户的信息
*/
public String getUserNameFromToken(String token) {
String username;
try {
Claims claims = getClaimsFromToken(token);
username = claims.getSubject();
} catch (Exception e) {
username = null;
}
return username;
}
/**
* 验证token是否还有效
*
* @param token 客户端传入的token
* @param userDetails 从数据库中查询出来的用户信息
*/
public boolean validateToken(String token, UserDetails userDetails) {
String username = getUserNameFromToken(token);
return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
}
/**
* 判断token是否已经失效
*/
private boolean isTokenExpired(String token) {
Date expiredDate = getExpiredDateFromToken(token);
return expiredDate.before(new Date());
}
/**
* 从token中获取过期时间
*/
private Date getExpiredDateFromToken(String token) {
Claims claims = getClaimsFromToken(token);
return claims.getExpiration();
}
/**
* 根据用户信息生成token
*/
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
claims.put(CLAIM_KEY_CREATED, new Date());
return generateToken(claims);
}
/**
* 用于根据登录用户信息生成token
* 根据负责生成JWT的token
*/
private String generateToken(Map<String, Object> claims) {
return tokenHead+Jwts.builder()
.setClaims(claims)
.setExpiration(generateExpirationDate())
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
/**
* 判断token是否可以被刷新
*/
public boolean canRefresh(String token) {
return !isTokenExpired(token);
}
/**
* 刷新token
*/
public String refreshToken(String token) {
Claims claims = getClaimsFromToken(token);
claims.put(CLAIM_KEY_CREATED, new Date());
return generateToken(claims);
}
}
枚举定义下返回的code码,用来表示不同的权限。
package com.mujiwulian.util;
/**
* @author zhang
* @since 2020-06-19
*/
public enum ResultCode {
SUCCESS(200, "操作成功"),
FAILED(500, "操作失败"),
VALIDATE_FAILED(404, "参数检验失败"),
UNAUTHORIZED(401, "暂未登录或token已经过期"),
FORBIDDEN(403, "没有相关权限");
private long code;
private String message;
private ResultCode(long code, String message) {
this.code = code;
this.message = message;
}
public long getCode() {
return code;
}
public String getMessage() {
return message;
}
}
设置了code码当然要有自己定义的Result返回类。
package com.mujiwulian.util;
/**
* @author zhang
* @since 2020-06-19
*/
public class Result <T> {
private long code;
private String message;
private T data;
protected Result() {
}
protected Result(long code, String message, T data) {
this.code = code;
this.message = message;
this.data = data;
}
/**
* 成功返回结果
*
* @param data 获取的数据
*/
public static <T> Result<T> success(T data) {
return new Result<T>(ResultCode.SUCCESS.getCode(), ResultCode.SUCCESS.getMessage(), data);
}
/**
* 成功返回结果
*
* @param data 获取的数据
* @param message 提示信息
*/
public static <T> Result<T> success(T data, String message) {
return new Result<T>(ResultCode.SUCCESS.getCode(), message, data);
}
/**
* 失败返回结果
* @param errorCode 错误码
*/
public static <T> Result<T> failed(IErrorCode errorCode) {
return new Result<T>(errorCode.getCode(), errorCode.getMessage(), null);
}
/**
* 失败返回结果
* @param message 提示信息
*/
public static <T> Result<T> failed(String message) {
return new Result<T>(ResultCode.FAILED.getCode(), message, null);
}
/**
* 失败返回结果
* @param failed
*/
public static <T> Result<T> failed(ResultCode failed) {
return failed(ResultCode.FAILED);
}
/**
* 参数验证失败返回结果
*/
public static <T> Result<T> validateFailed() {
return failed(ResultCode.VALIDATE_FAILED);
}
/**
* 参数验证失败返回结果
* @param message 提示信息
*/
public static <T> Result<T> validateFailed(String message) {
return new Result<T>(ResultCode.VALIDATE_FAILED.getCode(), message, null);
}
/**
* 未登录返回结果
*/
public static <T> Result<T> unauthorized(T data) {
return new Result<T>(ResultCode.UNAUTHORIZED.getCode(), ResultCode.UNAUTHORIZED.getMessage(), data);
}
/**
* 未授权返回结果
*/
public static <T> Result<T> forbidden(T data) {
return new Result<T>(ResultCode.FORBIDDEN.getCode(), ResultCode.FORBIDDEN.getMessage(), data);
}
public long getCode() {
return code;
}
public void setCode(long code) {
this.code = code;
}
public String getMessage() {
return message;
}
public void setMessage(String message) {
this.message = message;
}
public T getData() {
return data;
}
public void setData(T data) {
this.data = data;
}
}
package com.mujiwulian.util;
/**
* @author zhang
* @since 2020-06-19
* TODO 封装API的错误码
*/
public interface IErrorCode {
long getCode();
String getMessage();
}
3.准备工作做好后,就可以进入今天的主角了。我们通过jwt的工具类已经生成了token,现在肯定要对token进行拦截解析数据。所以需要来写一个过滤器。
创建JwtAuthenticationTokenFilter拦截器继承springframework.web.filter的OncePerRequestFilter拦截器。通过request.getHeader()的方法获取带自定义头部(在ymi文件配置的tokenHead属性),在把含有自定义的头部信息去除。token通过jwt的工具类取出用户名,完成比对。
package com.mujiwulian.security;
import com.mujiwulian.util.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author zhang
* @since 2020-06-19
* TODO JWT登录授权过滤器 ,
* 在用户名和密码校验前添加的过滤器,
* 如果请求中有jwt的token且有效,会取出token中的用户名,
* 然后调用SpringSecurity的API进行登录操作。
*/
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@Value("${jwt.tokenHeader}")
private String tokenHeader;
@Value("${jwt.tokenHead}")
private String tokenHead;
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
String authHeader = request.getHeader(this.tokenHeader);
if (authHeader != null && authHeader.startsWith(this.tokenHead)) {
String authToken = authHeader.substring(this.tokenHead.length());
// The part after "Bearer "
String username = jwtTokenUtil.getUserNameFromToken(authToken);
LOGGER.info("checking username:{}", username);
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(authToken, userDetails)) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
LOGGER.info("authenticated user:{}", username);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
}
chain.doFilter(request, response);
}
}
比对会产生不同的结果,就需要我们去自定义去实现各种不同的返回结果。
先定义当未登录或者token失效访问接口时,自定义的返回结果
package com.mujiwulian.security;
import cn.hutool.json.JSONUtil;
import com.mujiwulian.util.*;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author zhang
* @since 2020-06-19
* TODO 当未登录或者token失效访问接口时,自定义的返回结果
*/
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json");
response.getWriter().println(JSONUtil.parse(Result.unauthorized(e.getMessage())));
response.getWriter().flush();
}
}
在定义当访问接口没有权限时自定义的返回结果
package com.mujiwulian.security;
import cn.hutool.json.JSONUtil;
import com.mujiwulian.util.*;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author zhang
* @since 2020-06-19
* TODO 当访问接口没有权限时,自定义的返回结果
*/
@Component
public class RestfulAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request,
HttpServletResponse response,
AccessDeniedException e) throws IOException, ServletException {
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json");
response.getWriter().println(JSONUtil.parse(Result.forbidden(e.getMessage())));
response.getWriter().flush();
}
}
到这里你肯定会有疑问,在做拦截器比对的时候UserDetailsService的数据从哪来的,这就需要我们将自己定义的AdminUserDetails来实现security自带的UserDetails接口了。
package com.mujiwulian.security;
import com.mujiwulian.entity.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
/**
* TODO: 实现UserDetails接口并实现方法
*
* @author ZHANG
* @email aaa@qq.com
* @date 2020/6/19 14:58
*/
public class AdminUserDetails implements UserDetails {
private User user;
private List<UserPermissions> permissionList;
public AdminUserDetails(User user, List<UserPermissions> permissionList) {
this.user = user;
this.permissionList = permissionList;
}
/**
* 得到授权,返回权限
* @return
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return permissionList.stream()
.filter(umsPermission -> umsPermission.getValue()!=null)
.map(umsPermission -> new SimpleGrantedAuthority(umsPermission.getValue()))
.collect(Collectors.toList());
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
/**
* 账号未过期
* @return
*/
@Override
public boolean isAccountNonExpired() {
return true;
}
/**
* 账号未锁定
* @return
*/
@Override
public boolean isAccountNonLocked() {
return true;
}
/**
* 账号凭证是否过期
* @return
*/
@Override
public boolean isCredentialsNonExpired() {
return true;
}
/**
* 账号是否启用
* @return
*/
@Override
public boolean isEnabled() {
return user.getStatus().equals(1);
}
}
4.拦截各种工作都做好了,还需要配置security才能生效。
创建一个SecurityConfig配置类,里面的配置在下面也有详细的说明。
package com.mujiwulian.config;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.mujiwulian.entity.*;
import com.mujiwulian.security.AdminUserDetails;
import com.mujiwulian.security.JwtAuthenticationTokenFilter;
import com.mujiwulian.security.RestAuthenticationEntryPoint;
import com.mujiwulian.security.RestfulAccessDeniedHandler;
import com.mujiwulian.service.UserPermissionsService;
import com.mujiwulian.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.StringUtils;
import java.util.List;
/**
* TODO: 类描述
*
* @author ZHANG
* @email aaa@qq.com
* @date 2020/6/19 11:20
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Autowired
private UserPermissionsService userPermissionsService;
@Autowired
private RestfulAccessDeniedHandler restfulAccessDeniedHandler;
@Autowired
private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf
.disable()
.sessionManagement()// 基于token,所以不需要session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// 允许对于网站静态资源的无授权访问
.antMatchers(HttpMethod.GET,
"/",
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/swagger-resources/**",
"/v2/api-docs/**",
"/swagger-ui.html/*"
)
.permitAll()
// 对登录注册要允许匿名访问
.antMatchers("/admin/login", "/admin/register")
.permitAll()
//跨域请求会先进行一次options请求
.antMatchers(HttpMethod.OPTIONS)
.permitAll()
//测试时全部运行访问
.antMatchers("/**")
.permitAll()
.anyRequest()// 除上面外的所有请求全部需要鉴权认证
.authenticated();
// 禁用缓存
httpSecurity.headers().cacheControl();
// 添加JWT filter
httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
//添加自定义未授权和未登录结果返回
httpSecurity.exceptionHandling()
.accessDeniedHandler(restfulAccessDeniedHandler)
.authenticationEntryPoint(restAuthenticationEntryPoint);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
@Bean
public UserDetailsService userDetailsService() {
//获取登录用户信息
return username -> {
QueryWrapper<User> qw=new QueryWrapper<>();
qw.lambda().eq(!StringUtils.isEmpty(username),User::getUsername,username);
User user = userService.getOne(qw);
if (user != null) {
QueryWrapper<UserPermissions> qwp=new QueryWrapper<>();
qwp.lambda().eq(!StringUtils.isEmpty(user.getAuthorities()),UserPermissions::getId,user.getAuthorities());
List<UserPermissions> permissionList =userPermissionsService.list();
return new AdminUserDetails(user,permissionList);
}
throw new UsernameNotFoundException("用户名或密码错误");
};
}
@Bean
public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){
return new JwtAuthenticationTokenFilter();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
/**
* configure(HttpSecurity httpSecurity):用于配置需要拦截的url路径、jwt过滤器及出异常后的处理器;
* configure(AuthenticationManagerBuilder auth):用于配置UserDetailsService及PasswordEncoder;
* RestfulAccessDeniedHandler:当用户没有访问权限时的处理器,用于返回JSON格式的处理结果;
* RestAuthenticationEntryPoint:当未登录或token失效时,返回JSON格式的结果;
* UserDetailsService:SpringSecurity定义的核心接口,用于根据用户名获取用户信息,需要自行实现;
* UserDetails:SpringSecurity定义用于封装用户信息的类(主要是用户信息和权限),需要自行实现;
* PasswordEncoder:SpringSecurity定义的用于对密码进行编码及比对的接口,目前使用的是BCryptPasswordEncoder;
* JwtAuthenticationTokenFilter:在用户名和密码校验前添加的过滤器,如果有jwt的token,会自行根据token信息进行登录。
*/
}
5.配置完成后我们来测试一下。
写一个登录的controller
package com.mujiwulian.controller;
import com.mujiwulian.entity.User;
import com.mujiwulian.entity.UserPermissions;
import com.mujiwulian.service.UserService;
import com.mujiwulian.util.Result;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* <p>
* 前端控制器
* </p>
*
* @author zhang
* @since 2020-06-19
*/
@Api(tags = "UserController" ,description = "后台用户管理")
@RestController
@RequestMapping("/user")
public class UserController {
@Autowired
private UserService userService;
@Value("${jwt.tokenHeader}")
private String tokenHeader;
@Value("${jwt.tokenHead}")
private String tokenHead;
@ApiOperation(value = "用户注册")
@PostMapping(value = "/register")
public Result<User> register(@RequestBody User user) {
User umsAdmin = userService.register(user);
if (umsAdmin == null) {
Result.failed("注册失败,该用户已被注册!");
}
return Result.success(umsAdmin);
}
@ApiOperation(value = "登录以后返回token")
@PostMapping(value = "/login")
public Result login(@RequestBody User user) {
String token = userService.login(user.getUsername(), user.getPassword());
if (token == null) {
return Result.validateFailed("用户名或密码错误");
}
Map<String, String> tokenMap = new HashMap<>();
tokenMap.put("token", token);
tokenMap.put("tokenHead", tokenHead);
System.out.println("token:"+token);
return Result.success(tokenMap);
}
@ApiOperation("获取用户所有权限(包括+-权限)")
@GetMapping(value = "/permission/{userId}")
public Result<List<UserPermissions>> getPermissionList(@PathVariable Long userId) {
List<UserPermissions> permissionList = userService.getPermissionList(userId);
return Result.success(permissionList);
}
@ApiOperation("根据条件获取所有的用户")
@PostMapping(value = "/list")
@PreAuthorize("hasAuthority('pms:brand:order')")
public Result<List<User>> getuserList(@RequestBody User user) {
List<User> list=userService.getlist(user);
return Result.success(list);
}
}
这里在显示下我的service实体接口就不显示了。我这里用的是mybatis-plus。这些都不是重点。。。。。。
package com.mujiwulian.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.mujiwulian.entity.User;
import com.mujiwulian.entity.UserPermissions;
import com.mujiwulian.mapper.UserMapper;
import com.mujiwulian.service.UserPermissionsService;
import com.mujiwulian.service.UserService;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mujiwulian.util.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import javax.annotation.Resource;
import java.util.List;
/**
* <p>
* 服务实现类
* </p>
*
* @author zhang
* @since 2020-06-19
*/
@Service
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService {
private static final Logger LOGGER = LoggerFactory.getLogger(UserServiceImpl.class);
@Resource
private UserMapper userMapper;
@Resource
private PasswordEncoder passwordEncoder;
@Resource
private UserDetailsService userDetailsService;
@Resource
private JwtTokenUtil jwtTokenUtil;
@Resource
private UserPermissionsService userPermissionsService;
@Override
public User register(User user) {
QueryWrapper<User> qw=new QueryWrapper<>();
qw.lambda().eq(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername());
if( this.list(qw).size()>0){
return null;
}
//密码加密
user.setPassword(passwordEncoder.encode(user.getPassword()));
userMapper.insert(user);
return user;
}
@Override
public String login(String username, String password) {
String token="";
try {
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if (!passwordEncoder.matches(password, userDetails.getPassword())) {
throw new BadCredentialsException("密码不正确");
}
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
token = jwtTokenUtil.generateToken(userDetails);
} catch (AuthenticationException e) {
LOGGER.warn("登录异常:{}", e.getMessage());
}
return token;
}
@Override
public List<UserPermissions> getPermissionList(Long userId) {
QueryWrapper<UserPermissions> qwp=new QueryWrapper<>();
qwp.lambda().eq(!StringUtils.isEmpty(userId),UserPermissions::getId,userId);
List<UserPermissions> permissionList =userPermissionsService.list();
return permissionList;
}
@Override
public List<User> getlist(User user) {
QueryWrapper<User> qw=new QueryWrapper<>();
qw.lambda()
.like(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername())
.eq(!StringUtils.isEmpty(user.getPassword()),User::getPassword,user.getPassword())
.like(!StringUtils.isEmpty(user.getNickName()),User::getNickName,user.getNickName())
.eq(!StringUtils.isEmpty(user.getStatus()),User::getStatus,user.getStatus());
return this.list(qw);
}
}
我这里是导入了swagger的包,就用swqgger测试下。老规矩先展示swagger的配置类。
package com.mujiwulian.config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;
import java.util.ArrayList;
import java.util.List;
/**
* TODO: 类描述
*
* @author ZHANG
* @email aaa@qq.com
* @date 2020/6/19 10:21
*/
@Configuration
@EnableSwagger2
public class Swagger2Config {
/**
* controller接口所在的包
*/
@Value("${swagger.basePackage}")
private String basePackage;
/**
* 当前文档的标题
*/
@Value("${swagger.title}")
private String title;
/**
* 当前文档的详细描述
*/
@Value("${swagger.description}")
private String description;
/**
* 当前文档的版本
*/
@Value("${swagger.version}")
private String version;
@Bean
public Docket createRestApi() {
return new Docket(DocumentationType.SWAGGER_2)
.apiInfo(apiInfo())
.select()
//为当前包下controller生成API文档
.apis(RequestHandlerSelectors.basePackage(basePackage))
.paths(PathSelectors.any())
.build()
//添加登录认证
.securitySchemes(securitySchemes())
.securityContexts(securityContexts());
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder()
.description(description)
.version(version)
.title(title)
.build();
}
private List<ApiKey> securitySchemes(){
//设置请求头信息
List<ApiKey> result = new ArrayList<>();
ApiKey apiKey = new ApiKey("Authorization", "Authorization", "header");
result.add(apiKey);
return result;
}
private List<SecurityContext> securityContexts() {
//设置需要登录认证的路径
List<SecurityContext> result = new ArrayList<>();
result.add(SecurityContext.builder()
.securityReferences(defaultAuth())
.forPaths(PathSelectors.regex("^(?!auth).*$"))
.build());
return result;
}
private List<SecurityReference> defaultAuth() {
List<SecurityReference> result = new ArrayList<>();
AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
authorizationScopes[0] = authorizationScope;
result.add(new SecurityReference("Authorization", authorizationScopes));
return result;
}
}
6.输入localhost:8080/swagger-ui.html,找到登陆的接口进行测试
这就是登录后产生的token,前面的Bearer是我们自定义的开头,后面的是jwt的token。将token复制后放到Authorize。这个表示为全局token
如果接口无@PreAuthorize()不会进行权限拦截,加入后如果无对应的权限则会提示无权限。
7.本次分享到此结束。发现问题及时联系,大家一起共同成长。
上一篇: 中国社会热点新闻十年回顾