【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证

一、先看下DaoAuthenticationProvider的认证过程

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证

 

1、从读取用户名和密码开始的身份验证Filter将一个UsernamePasswordAuthenticationToken传递给由ProviderManager实现的AuthenticationManager。

2、ProviderManager被配置为使用DaoAuthenticationProvider类型的AuthenticationProvider。

3、第三个DaoAuthenticationProvider从UserDetailsService中查找用户详细信息。

4、DaoAuthenticationProvider使用PasswordEncoder验证上一步返回的用户详细信息上的密码。

5、当身份验证成功时,返回的身份验证类型为UsernamePasswordAuthenticationToken,其主体是已配置的UserDetailsService返回的用户详细信息。最终,返回的UsernamePasswordAuthenticationToken将由身份验证过滤器在securitycontext中设置。

二、过程分析

1)登陆认证
项目中,我们如何实现这个过程

1、自定义UserDetailsService(用于提供用户信息一般通过用户名从数据库查询)

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证
/**
 * 用户登录认证信息查询
 */
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private TUserDAO tUserDAO;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        TUser user = tUserDAO.getByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("该用户不存在");
        }
        // 用户权限列表,根据用户拥有的权限标识与如 @PreAuthorize("hasAuthority('sys:menu:view')") 标注的接口对比,决定是否可以调用接口
//        Set<String> permissions = sysUserService.findPermissions(user.getName());
        Set<String> permissions = new HashSet<>();
        permissions.add("query");
        List<GrantedAuthority> grantedAuthorities = permissions.stream().map(GrantedAuthorityImpl::new).collect(Collectors.toList());
        return new JwtUserDetails(user.getName(), user.getPassword(), user.getSalt(), user.getAccountType(), grantedAuthorities);
    }
}
View Code

2、自定义DaoAuthenticationProvider (用于验证用户密码是否正确)

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证
/**
 * 身份验证提供者
 */
public class JwtAuthenticationProvider extends DaoAuthenticationProvider {

    public JwtAuthenticationProvider(UserDetailsService userDetailsService) {
        setUserDetailsService(userDetailsService);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            logger.debug("Authentication failed: no credentials provided");
            throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }

        Integer accountType = ((JwtUserDetails) userDetails).getAccountType();

        String presentedPassword = authentication.getCredentials().toString();
        String salt = ((JwtUserDetails) userDetails).getSalt();
        if (!new PasswordEncoder(salt).matches(userDetails.getPassword(), presentedPassword)) {
            logger.debug("Authentication failed: password does not match stored value");
            throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
    }

}
View Code

在spring security中,将用户的获取和密码的验证过程拆开了
代码实现:


@Autowired
private AuthenticationManager authenticationManager;

public HttpResult login(@RequestBody LoginForm loginForm, HttpServletRequest request) throws IOException { // 1、这一步主要获取用户密码 TUserDO tUser = tUserService.login(loginForm.getUsername()); // 2、进行spring security 认证 JwtAuthenticatioToken token = new JwtAuthenticatioToken(loginForm.getUsername(),loginForm.getPassword()); token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); // 执行登录认证过程 Authentication authentication = authenticationManager.authenticate(token); // 认证成功存储认证信息到上下文 SecurityContextHolder.getContext().setAuthentication(authentication); // 生成令牌并返回给客户端 token.setToken(JwtTokenUtils.generateToken(authentication)); return HttpResult.success(token); }

JwtAuthenticatioToken实现了UsernamePasswordAuthenticationToken,主要封装了JWT token

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证
/**
 * 自定义令牌对象
 */
public class JwtAuthenticatioToken extends UsernamePasswordAuthenticationToken {

    private static final long serialVersionUID = 1L;
    
    private String token;

    public JwtAuthenticatioToken(Object principal, Object credentials){
        super(principal, credentials);
    }
    
    public JwtAuthenticatioToken(Object principal, Object credentials, String token){
        super(principal, credentials);
        this.token = token;
    }

    public JwtAuthenticatioToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities, String token) {
        super(principal, credentials, authorities);
        this.token = token;
    }
    
    public String getToken() {
        return token;
    }

    public void setToken(String token) {
        this.token = token;
    }

    public static long getSerialversionuid() {
        return serialVersionUID;
    }

}
View Code

 

2)接口拦截认证

1、配置分析

其实我们只需要明确一点,spring security功过容器的filter扩展机制实现的,只不过它定义了一个DelegatingFilterProxy这个filter(这个里面有引用了FiltrChainProxy,通过它可以调用security中一系列的filter),那么我们就是通过扩展或实现security中的filter来满足我们一定的需求


【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证

 

 

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证

2、配置拦截规则

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(AuthenticationManagerBuilder auth)  {
        // 使用自定义身份验证组件
        auth.authenticationProvider(new JwtAuthenticationProvider(userDetailsService));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 禁用 csrf, 由于使用的是JWT,我们这里不需要csrf
        http.exceptionHandling().authenticationEntryPoint(new JwtUnauthorizedEntryPoint()).and()
                .cors().and().csrf().disable()
                //.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                // 跨域预检请求
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();


        // 其他所有请求需要身份认证
        http.authorizeRequests().anyRequest().authenticated();

        // 退出登录处理器
        http.logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());

        // token验证过滤器
        http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

}

JwtAuthenticationFilter

【Spring Boot】Spring Boot之整合Spring security实现JWT权限认证
/**
 * 登录认证过滤器
 *
 */
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    private static final Set<String> ALLOWED_PATHS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("/login", "/register", "/actuator/health")));

    @Autowired
    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {

        String path = request.getRequestURI().substring(request.getContextPath().length()).replaceAll("[/]+$", "");
        boolean allowedPath = ALLOWED_PATHS.contains(path);
        // todo 该判断没用
        if (!allowedPath) {
            // 获取token, 并检查登录状态
            logger.debug(request.getRequestURI());
            // 构造了一个authentication,写进了spring request中
            try {
                SecurityUtils.checkAuthentication(request);
            } catch (BadCredentialsException badCredentialsException) {
                // token错误则401
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, badCredentialsException.getMessage());
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
View Code

JwtUnauthorizedEntryPoint

public class JwtUnauthorizedEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED,authException.getMessage());
    }
}

三、后续 时间问题,这块后续会再完善下博客内容

 

上一篇:php – WordPress插件安装要求FTP详细信息


下一篇:最值得收藏的java技术博客(Java篇)