欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

SpringSecurity+Jwt实现token权限验证

程序员文章站 2022-07-03 17:45:21
...

1,首先先贴一下项目结构更容易梳理思路,文章较长请细心阅读。
SpringSecurity+Jwt实现token权限验证
2.创建User用户和UserPermissons用户权限实体类,在生成token时会需要用户的账号密码和权限。还需要几个工具类,现在一步步为大家展示。
yml配置文件

# 端口
server:
  port: 8080
# 数据库连接配置
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/数据库?useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
    username: root
    password: root
# 自定义jwt key
jwt:
  tokenHeader: Authorization #JWT存储的请求头
  secret: java@java #JWT加解密使用的**
  expiration: 600 #JWT的超期限时间60*10
  tokenHead: Bearer  #JWT负载中拿到开头
# 配置Swagger
swagger:
  basePackage: com.mujiwulian.controller
  title: Swagger-ui测试
  description: SpringSecurity接口测试
  version: 1.0
创建JwtTokenUtil工具类,这个类用来生成包含权限账户密码的token。
package com.mujiwulian.util;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 *  @author zhang
 *  @since 2020-06-19
 * TODO  JwtToken生成的工具类
 */

@Component
public class JwtTokenUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);
    private static final String CLAIM_KEY_USERNAME = "sub";
    private static final String CLAIM_KEY_CREATED = "created";
    @Value("${jwt.secret}")
    private String secret;
    @Value("${jwt.expiration}")
    private Long expiration;
    @Value("${jwt.tokenHead}")
    private String tokenHead;


    /**
     * 从token中获取JWT中的负载
     */
    private Claims getClaimsFromToken(String token) {
        Claims claims = null;
        try {
            claims = Jwts.parser()
                    .setSigningKey(secret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (Exception e) {
            LOGGER.info("JWT格式验证失败:{}",token);
        }
        return claims;
    }

    /**
     * 生成token的过期时间
     */
    private Date generateExpirationDate() {
        return new Date(System.currentTimeMillis() + expiration * 1000);
    }

    /**
     * 从token中获取登录用户名
     * 从token中获取登录用户的信息
     */
    public String getUserNameFromToken(String token) {
        String username;
        try {
            Claims claims = getClaimsFromToken(token);
            username =  claims.getSubject();
        } catch (Exception e) {
            username = null;
        }
        return username;
    }

    /**
     * 验证token是否还有效
     *
     * @param token       客户端传入的token
     * @param userDetails 从数据库中查询出来的用户信息
     */
    public boolean validateToken(String token, UserDetails userDetails) {
        String username = getUserNameFromToken(token);
        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
    }

    /**
     * 判断token是否已经失效
     */
    private boolean isTokenExpired(String token) {
        Date expiredDate = getExpiredDateFromToken(token);
        return expiredDate.before(new Date());
    }

    /**
     * 从token中获取过期时间
     */
    private Date getExpiredDateFromToken(String token) {
        Claims claims = getClaimsFromToken(token);
        return claims.getExpiration();
    }

    /**
     * 根据用户信息生成token
     */
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }
    /**
     * 用于根据登录用户信息生成token
     * 根据负责生成JWT的token
     */
    private String generateToken(Map<String, Object> claims) {
        return tokenHead+Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }
    /**
     * 判断token是否可以被刷新
     */
    public boolean canRefresh(String token) {
        return !isTokenExpired(token);
    }

    /**
     * 刷新token
     */
    public String refreshToken(String token) {
        Claims claims = getClaimsFromToken(token);
        claims.put(CLAIM_KEY_CREATED, new Date());
        return generateToken(claims);
    }
}

枚举定义下返回的code码,用来表示不同的权限。
package com.mujiwulian.util;

/**
 *  @author zhang
 *  @since 2020-06-19
 */
public enum ResultCode {
    SUCCESS(200, "操作成功"),
    FAILED(500, "操作失败"),
    VALIDATE_FAILED(404, "参数检验失败"),
    UNAUTHORIZED(401, "暂未登录或token已经过期"),
    FORBIDDEN(403, "没有相关权限");
    private long code;
    private String message;

    private ResultCode(long code, String message) {
        this.code = code;
        this.message = message;
    }

    public long getCode() {
        return code;
    }

    public String getMessage() {
        return message;
    }
}
设置了code码当然要有自己定义的Result返回类。
package com.mujiwulian.util;

/**
 * @author zhang
 * @since 2020-06-19
 */
public class Result <T> {
    private long code;
    private String message;
    private T data;

    protected Result() {
    }

    protected Result(long code, String message, T data) {
        this.code = code;
        this.message = message;
        this.data = data;
    }

    /**
     * 成功返回结果
     *
     * @param data 获取的数据
     */
    public static <T> Result<T> success(T data) {
        return new Result<T>(ResultCode.SUCCESS.getCode(), ResultCode.SUCCESS.getMessage(), data);
    }

    /**
     * 成功返回结果
     *
     * @param data 获取的数据
     * @param  message 提示信息
     */
    public static <T> Result<T> success(T data, String message) {
        return new Result<T>(ResultCode.SUCCESS.getCode(), message, data);
    }

    /**
     * 失败返回结果
     * @param errorCode 错误码
     */
    public static <T> Result<T> failed(IErrorCode errorCode) {
        return new Result<T>(errorCode.getCode(), errorCode.getMessage(), null);
    }

    /**
     * 失败返回结果
     * @param message 提示信息
     */
    public static <T> Result<T> failed(String message) {
        return new Result<T>(ResultCode.FAILED.getCode(), message, null);
    }

    /**
     * 失败返回结果
     * @param failed
     */
    public static <T> Result<T> failed(ResultCode failed) {
        return failed(ResultCode.FAILED);
    }


    /**
     * 参数验证失败返回结果
     */
    public static <T> Result<T> validateFailed() {
        return failed(ResultCode.VALIDATE_FAILED);
    }

    /**
     * 参数验证失败返回结果
     * @param message 提示信息
     */
    public static <T> Result<T> validateFailed(String message) {
        return new Result<T>(ResultCode.VALIDATE_FAILED.getCode(), message, null);
    }

    /**
     * 未登录返回结果
     */
    public static <T> Result<T> unauthorized(T data) {
        return new Result<T>(ResultCode.UNAUTHORIZED.getCode(), ResultCode.UNAUTHORIZED.getMessage(), data);
    }

    /**
     * 未授权返回结果
     */
    public static <T> Result<T> forbidden(T data) {
        return new Result<T>(ResultCode.FORBIDDEN.getCode(), ResultCode.FORBIDDEN.getMessage(), data);
    }



    public long getCode() {
        return code;
    }

    public void setCode(long code) {
        this.code = code;
    }

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    public T getData() {
        return data;
    }

    public void setData(T data) {
        this.data = data;
    }
}
package com.mujiwulian.util;

/**
 *  @author zhang
 *  @since 2020-06-19
 *  TODO 封装API的错误码
 */
public interface IErrorCode {
    long getCode();

    String getMessage();
}

3.准备工作做好后,就可以进入今天的主角了。我们通过jwt的工具类已经生成了token,现在肯定要对token进行拦截解析数据。所以需要来写一个过滤器。

创建JwtAuthenticationTokenFilter拦截器继承springframework.web.filter的OncePerRequestFilter拦截器。通过request.getHeader()的方法获取带自定义头部(在ymi文件配置的tokenHead属性),在把含有自定义的头部信息去除。token通过jwt的工具类取出用户名,完成比对。

package com.mujiwulian.security;

import com.mujiwulian.util.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 *  @author zhang
 *  @since 2020-06-19
 * TODO JWT登录授权过滤器 ,
 * 在用户名和密码校验前添加的过滤器,
 * 如果请求中有jwt的token且有效,会取出token中的用户名,
 * 然后调用SpringSecurity的API进行登录操作。
 */

public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;
    @Value("${jwt.tokenHead}")
    private String tokenHead;
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String authHeader = request.getHeader(this.tokenHeader);
        if (authHeader != null && authHeader.startsWith(this.tokenHead)) {
            String authToken = authHeader.substring(this.tokenHead.length());
            // The part after "Bearer "
            String username = jwtTokenUtil.getUserNameFromToken(authToken);
            LOGGER.info("checking username:{}", username);
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
                if (jwtTokenUtil.validateToken(authToken, userDetails)) {
                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    LOGGER.info("authenticated user:{}", username);
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                }
            }
        }
        chain.doFilter(request, response);
    }

}

比对会产生不同的结果,就需要我们去自定义去实现各种不同的返回结果。

先定义当未登录或者token失效访问接口时,自定义的返回结果
package com.mujiwulian.security;

import cn.hutool.json.JSONUtil;
import com.mujiwulian.util.*;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 *  @author zhang
 *  @since 2020-06-19
 * TODO 当未登录或者token失效访问接口时,自定义的返回结果
 */
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        response.getWriter().println(JSONUtil.parse(Result.unauthorized(e.getMessage())));
        response.getWriter().flush();
    }
}

在定义当访问接口没有权限时自定义的返回结果
package com.mujiwulian.security;

import cn.hutool.json.JSONUtil;
import com.mujiwulian.util.*;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 *  @author zhang
 *  @since 2020-06-19
 * TODO 当访问接口没有权限时,自定义的返回结果
 */
@Component
public class RestfulAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request,
                       HttpServletResponse response,
                       AccessDeniedException e) throws IOException, ServletException {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        response.getWriter().println(JSONUtil.parse(Result.forbidden(e.getMessage())));
        response.getWriter().flush();
    }
}

到这里你肯定会有疑问,在做拦截器比对的时候UserDetailsService的数据从哪来的,这就需要我们将自己定义的AdminUserDetails来实现security自带的UserDetails接口了。

package com.mujiwulian.security;

import com.mujiwulian.entity.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

/**
 * TODO: 实现UserDetails接口并实现方法
 *
 * @author ZHANG
 * @email aaa@qq.com
 * @date 2020/6/19 14:58
 */
public class AdminUserDetails implements UserDetails {
    private User user;
    private List<UserPermissions> permissionList;
    public AdminUserDetails(User user, List<UserPermissions> permissionList) {
        this.user = user;
        this.permissionList = permissionList;
    }

    /**
     * 得到授权,返回权限
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return permissionList.stream()
                .filter(umsPermission -> umsPermission.getValue()!=null)
                .map(umsPermission -> new SimpleGrantedAuthority(umsPermission.getValue()))
                .collect(Collectors.toList());
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    /**
     * 账号未过期
     * @return
     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /**
     * 账号未锁定
     * @return
     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /**
     * 账号凭证是否过期
     * @return
     */

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /**
     * 账号是否启用
     * @return
     */
    @Override
    public boolean isEnabled() {
        return user.getStatus().equals(1);
    }
}

4.拦截各种工作都做好了,还需要配置security才能生效。
创建一个SecurityConfig配置类,里面的配置在下面也有详细的说明。

package com.mujiwulian.config;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.mujiwulian.entity.*;
import com.mujiwulian.security.AdminUserDetails;
import com.mujiwulian.security.JwtAuthenticationTokenFilter;
import com.mujiwulian.security.RestAuthenticationEntryPoint;
import com.mujiwulian.security.RestfulAccessDeniedHandler;
import com.mujiwulian.service.UserPermissionsService;
import com.mujiwulian.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.StringUtils;

import java.util.List;

/**
 * TODO: 类描述
 *
 * @author ZHANG
 * @email aaa@qq.com
 * @date 2020/6/19 11:20
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserService userService;
    @Autowired
    private UserPermissionsService userPermissionsService;
    @Autowired
    private RestfulAccessDeniedHandler restfulAccessDeniedHandler;
    @Autowired
    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf
                .disable()
                .sessionManagement()// 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // 允许对于网站静态资源的无授权访问
                .antMatchers(HttpMethod.GET,
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/swagger-resources/**",
                        "/v2/api-docs/**",
                        "/swagger-ui.html/*"
                )
                .permitAll()
                // 对登录注册要允许匿名访问
                .antMatchers("/admin/login", "/admin/register")
                .permitAll()
                //跨域请求会先进行一次options请求
                .antMatchers(HttpMethod.OPTIONS)
                .permitAll()
                //测试时全部运行访问
                .antMatchers("/**")
                .permitAll()
                .anyRequest()// 除上面外的所有请求全部需要鉴权认证
                .authenticated();
        // 禁用缓存
        httpSecurity.headers().cacheControl();
        // 添加JWT filter
        httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        //添加自定义未授权和未登录结果返回
        httpSecurity.exceptionHandling()
                .accessDeniedHandler(restfulAccessDeniedHandler)
                .authenticationEntryPoint(restAuthenticationEntryPoint);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService())
                .passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    @Bean
    public UserDetailsService userDetailsService() {
        //获取登录用户信息
        return username -> {
            QueryWrapper<User> qw=new QueryWrapper<>();
            qw.lambda().eq(!StringUtils.isEmpty(username),User::getUsername,username);
            User user = userService.getOne(qw);
            if (user != null) {
                QueryWrapper<UserPermissions> qwp=new QueryWrapper<>();
                qwp.lambda().eq(!StringUtils.isEmpty(user.getAuthorities()),UserPermissions::getId,user.getAuthorities());
                List<UserPermissions> permissionList =userPermissionsService.list();
                return new AdminUserDetails(user,permissionList);
            }
            throw new UsernameNotFoundException("用户名或密码错误");
        };
    }

    @Bean
    public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){
        return new JwtAuthenticationTokenFilter();
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    /**
     * configure(HttpSecurity httpSecurity):用于配置需要拦截的url路径、jwt过滤器及出异常后的处理器;
     * configure(AuthenticationManagerBuilder auth):用于配置UserDetailsService及PasswordEncoder;
     * RestfulAccessDeniedHandler:当用户没有访问权限时的处理器,用于返回JSON格式的处理结果;
     * RestAuthenticationEntryPoint:当未登录或token失效时,返回JSON格式的结果;
     * UserDetailsService:SpringSecurity定义的核心接口,用于根据用户名获取用户信息,需要自行实现;
     * UserDetails:SpringSecurity定义用于封装用户信息的类(主要是用户信息和权限),需要自行实现;
     * PasswordEncoder:SpringSecurity定义的用于对密码进行编码及比对的接口,目前使用的是BCryptPasswordEncoder;
     * JwtAuthenticationTokenFilter:在用户名和密码校验前添加的过滤器,如果有jwt的token,会自行根据token信息进行登录。
     */
}

5.配置完成后我们来测试一下。
写一个登录的controller

package com.mujiwulian.controller;


import com.mujiwulian.entity.User;
import com.mujiwulian.entity.UserPermissions;
import com.mujiwulian.service.UserService;
import com.mujiwulian.util.Result;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * <p>
 *  前端控制器
 * </p>
 *
 * @author zhang
 * @since 2020-06-19
 */
@Api(tags = "UserController" ,description = "后台用户管理")
@RestController
@RequestMapping("/user")
public class UserController {
    @Autowired
    private UserService userService;
    @Value("${jwt.tokenHeader}")
    private String tokenHeader;
    @Value("${jwt.tokenHead}")
    private String tokenHead;

    @ApiOperation(value = "用户注册")
    @PostMapping(value = "/register")
    public Result<User> register(@RequestBody User user) {
        User umsAdmin = userService.register(user);
        if (umsAdmin == null) {
            Result.failed("注册失败,该用户已被注册!");
        }
        return Result.success(umsAdmin);
    }
    @ApiOperation(value = "登录以后返回token")
    @PostMapping(value = "/login")
    public Result login(@RequestBody User user) {
        String token = userService.login(user.getUsername(), user.getPassword());
        if (token == null) {
            return Result.validateFailed("用户名或密码错误");
        }
        Map<String, String> tokenMap = new HashMap<>();
        tokenMap.put("token", token);
        tokenMap.put("tokenHead", tokenHead);
        System.out.println("token:"+token);
        return Result.success(tokenMap);
    }
    @ApiOperation("获取用户所有权限(包括+-权限)")
    @GetMapping(value = "/permission/{userId}")
    public Result<List<UserPermissions>> getPermissionList(@PathVariable Long userId) {
        List<UserPermissions> permissionList = userService.getPermissionList(userId);
        return Result.success(permissionList);
    }
    @ApiOperation("根据条件获取所有的用户")
    @PostMapping(value = "/list")
    @PreAuthorize("hasAuthority('pms:brand:order')")
    public Result<List<User>> getuserList(@RequestBody User user) {
        List<User> list=userService.getlist(user);
        return Result.success(list);
    }
}

这里在显示下我的service实体接口就不显示了。我这里用的是mybatis-plus。这些都不是重点。。。。。。
package com.mujiwulian.service.impl;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.mujiwulian.entity.User;
import com.mujiwulian.entity.UserPermissions;
import com.mujiwulian.mapper.UserMapper;
import com.mujiwulian.service.UserPermissionsService;
import com.mujiwulian.service.UserService;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mujiwulian.util.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

import javax.annotation.Resource;
import java.util.List;

/**
 * <p>
 *  服务实现类
 * </p>
 *
 * @author zhang
 * @since 2020-06-19
 */
@Service
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService {

    private static final Logger LOGGER = LoggerFactory.getLogger(UserServiceImpl.class);
    @Resource
    private  UserMapper userMapper;
    @Resource
    private PasswordEncoder passwordEncoder;
    @Resource
    private UserDetailsService userDetailsService;
    @Resource
    private JwtTokenUtil jwtTokenUtil;
    @Resource
    private UserPermissionsService userPermissionsService;

    @Override
    public User register(User user) {
        QueryWrapper<User> qw=new QueryWrapper<>();
        qw.lambda().eq(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername());
        if( this.list(qw).size()>0){
            return null;
        }
        //密码加密
        user.setPassword(passwordEncoder.encode(user.getPassword()));
        userMapper.insert(user);
        return user;
    }

    @Override
    public String login(String username, String password) {
        String token="";
        try {
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            if (!passwordEncoder.matches(password, userDetails.getPassword())) {
                throw new BadCredentialsException("密码不正确");
            }
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
            token = jwtTokenUtil.generateToken(userDetails);
        } catch (AuthenticationException e) {
            LOGGER.warn("登录异常:{}", e.getMessage());
        }
        return token;
    }

    @Override
    public List<UserPermissions> getPermissionList(Long userId) {
        QueryWrapper<UserPermissions> qwp=new QueryWrapper<>();
        qwp.lambda().eq(!StringUtils.isEmpty(userId),UserPermissions::getId,userId);
        List<UserPermissions> permissionList =userPermissionsService.list();
        return permissionList;
    }

    @Override
    public List<User> getlist(User user) {
        QueryWrapper<User> qw=new QueryWrapper<>();
        qw.lambda()
                .like(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername())
                .eq(!StringUtils.isEmpty(user.getPassword()),User::getPassword,user.getPassword())
                .like(!StringUtils.isEmpty(user.getNickName()),User::getNickName,user.getNickName())
                .eq(!StringUtils.isEmpty(user.getStatus()),User::getStatus,user.getStatus());

        return this.list(qw);
    }
}

我这里是导入了swagger的包,就用swqgger测试下。老规矩先展示swagger的配置类。
package com.mujiwulian.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

import java.util.ArrayList;
import java.util.List;

/**
 * TODO: 类描述
 *
 * @author ZHANG
 * @email aaa@qq.com
 * @date 2020/6/19 10:21
 */
@Configuration
@EnableSwagger2
public class Swagger2Config {
    /**
     *  controller接口所在的包
     */
    @Value("${swagger.basePackage}")
    private String basePackage;

    /**
     * 当前文档的标题
     */
    @Value("${swagger.title}")
    private String title;

    /**
     * 当前文档的详细描述
     */
    @Value("${swagger.description}")
    private String description;

    /**
     * 当前文档的版本
     */
    @Value("${swagger.version}")
    private String version;

    @Bean
    public Docket createRestApi() {
        return new Docket(DocumentationType.SWAGGER_2)
                .apiInfo(apiInfo())
                .select()
                //为当前包下controller生成API文档
                .apis(RequestHandlerSelectors.basePackage(basePackage))
                .paths(PathSelectors.any())
                .build()
                //添加登录认证
                .securitySchemes(securitySchemes())
                .securityContexts(securityContexts());

    }
    private ApiInfo apiInfo() {
        return new ApiInfoBuilder()
                .description(description)
                .version(version)
                .title(title)
                .build();
    }
    private List<ApiKey> securitySchemes(){
        //设置请求头信息
        List<ApiKey> result = new ArrayList<>();
        ApiKey apiKey = new ApiKey("Authorization", "Authorization", "header");
        result.add(apiKey);
        return result;
    }
    private List<SecurityContext> securityContexts() {
        //设置需要登录认证的路径
        List<SecurityContext> result = new ArrayList<>();
        result.add(SecurityContext.builder()
                .securityReferences(defaultAuth())
                .forPaths(PathSelectors.regex("^(?!auth).*$"))
                .build());
        return result;
    }
    private List<SecurityReference> defaultAuth() {
        List<SecurityReference> result = new ArrayList<>();
        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
        authorizationScopes[0] = authorizationScope;
        result.add(new SecurityReference("Authorization", authorizationScopes));
        return result;
    }
}

6.输入localhost:8080/swagger-ui.html,找到登陆的接口进行测试
SpringSecurity+Jwt实现token权限验证
这就是登录后产生的token,前面的Bearer是我们自定义的开头,后面的是jwt的token。将token复制后放到Authorize。这个表示为全局tokenSpringSecurity+Jwt实现token权限验证
如果接口无@PreAuthorize()不会进行权限拦截,加入后如果无对应的权限则会提示无权限。
SpringSecurity+Jwt实现token权限验证
7.本次分享到此结束。发现问题及时联系,大家一起共同成长。