• SpringBoot整合SpringSecurity

    什么是SpringSecurity?

    Spring Security是Spring提供的一套web的应用安全性的完整解决方案。

    SpringSecurity采用责任式链的设计模式,它的核心是一组过滤器链。

    主要包括:

    • 认证(Authentication):什么是认证?简单的说就是检验某个用户是否为系统合法用户,需要用户提供用户名和密码进行校验当前用户能否访问系统。
    • 授权(Authorization):就是当前用户?是否具有某种权限来进行某种操作。

    SpringSecurity的认证流程

    1. 用户在浏览器中访问一个需要认证的URL。
    2. Spring Security会检查用户是否已经被认证(即是否已登录)。如果用户已经认证,那么他们可以正常访问该URL。如果用户未被认证,那么他们将被重定向到loginPage()对应的URL,通常是登录页面。
    3. 用户在登录页面输入用户名和密码,然后点击登录按钮,发起登录请求。
    4. 如果请求的URL和loginProcessingUrl()一致,那么Spring Security将开始执行登录流程。否则,用户可能需要重新进行认证。
    5. 在执行登录流程时,首先会经过UsernamePasswordAuthenticationFilter过滤器,该过滤器会取出用户输入的用户名和密码,然后将其放入一个容器(UsernamePasswordAuthenticationToken)中。这个容器会被用于后续的认证流程。
    6. 接下来,UsernamePasswordAuthenticationToken会被提交给AuthenticationManager进行管理。AuthenticationManager会委托给AuthenticationProvider进行具体的认证操作。在这个过程中,可能会涉及到密码的加密和比对。
    7. 如果认证成功,那么用户的认证信息将被存储在session中,并且用户可以正常访问他们之前试图访问的URL。如果认证失败,那么用户可能会被重定向到失败URL(如果配置了的话),或者可能会看到一个错误页面

    代码示例

    简单案例

    1,引入maven依赖

    1.         <dependency>
    2.             <groupId>org.springframework.boot</groupId>
    3.             <artifactId>spring-boot-starter-security</artifactId>
    4.         </dependency>

    2,启动服务

    3,访问 http://localhost:8080/ 会自动跳转进入登录页面 默认用户是 user  密码为服务后端启动显示的安全密码

    4,登录成功访问我们提供的接口

    5,退出登录 访问 http://localhost:8080/logout

    完整案例

    1,引入maven依赖

    1.         <dependency>
    2.             <groupId>org.springframework.bootgroupId>
    3.             <artifactId>spring-boot-starter-securityartifactId>
    4.         dependency>

    2,User类

    1. package com.security.domain;
    2.  
    3. import com.baomidou.mybatisplus.annotation.IdType;
    4. import com.baomidou.mybatisplus.annotation.TableId;
    5. import com.baomidou.mybatisplus.annotation.TableName;
    6. import io.swagger.annotations.ApiModelProperty;
    7. import lombok.AllArgsConstructor;
    8. import lombok.Data;
    9. import lombok.NoArgsConstructor;
    10.  
    11. import java.io.Serializable;
    12.  
    13. /**
    14.  * @Program: SpringBoot
    15.  * @ClassName User
    16.  * @Author: liutao
    17.  * @Description: 用户类
    18.  * @Create: 2023-06-11 17:22
    19.  * @Version 1.0
    20.  **/
    21.  
    22. @Data
    23. @AllArgsConstructor
    24. @NoArgsConstructor
    25. @TableName("sys_user")
    26. public class User implements Serializable {
    27.     private static final long serialVersionUID = 1L;
    28.     @TableId(type = IdType.AUTO)
    29.     @ApiModelProperty("用户id")
    30.     private Integer id;
    31.     @ApiModelProperty("用户名")
    32.     private String username;
    33.     @ApiModelProperty("密码")
    34.     private String password;
    35.     @ApiModelProperty("性别")
    36.     private int sex;
    37.     @ApiModelProperty("年龄")
    38.     private int age;
    39.  
    40.  
    41. }

    3,实现UserDetails接口并重写所有方法

    1. package com.security.domain;
    2.  
    3. import com.alibaba.fastjson.annotation.JSONField;
    4. import lombok.Data;
    5. import lombok.NoArgsConstructor;
    6. import org.springframework.security.core.GrantedAuthority;
    7. import org.springframework.security.core.authority.SimpleGrantedAuthority;
    8. import org.springframework.security.core.userdetails.UserDetails;
    9.  
    10. import java.util.Collection;
    11. import java.util.List;
    12. import java.util.stream.Collectors;
    13.  
    14. /**
    15.  * @Program: SpringBoot
    16.  * @ClassName LoginUser
    17.  * @Author: liutao
    18.  * @Description: 登录用户
    19.  * @Create: 2023-06-11 18:17
    20.  * @Version 1.0
    21.  **/
    22.  
    23. @Data
    24. @NoArgsConstructor
    25. public class LoginUser implements UserDetails {
    26.     private User user;
    27.     private List permissions;
    28.     @JSONField(serialize = false)
    29.     private List authorities;
    30.  
    31.     public LoginUser(User user, List permissions) {
    32.         this.user = user;
    33.         this.permissions = permissions;
    34.     }
    35.  
    36.     @Override
    37.     public Collectionextends GrantedAuthority> getAuthorities() {
    38.         if (authorities != null) {
    39.             return authorities;
    40.         }
    41. //        authorities = new ArrayList();
    42. //        // 封装权限信息 -》GrantedAuthority
    43. //        permissions.forEach(s -> {
    44. //            SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority(s);
    45. //            authorities.add(simpleGrantedAuthority);
    46. //        });
    47.  
    48.         authorities = permissions.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    49.         return authorities;
    50.     }
    51.  
    52.     @Override
    53.     public String getPassword() {
    54.         return user.getPassword();
    55.     }
    56.  
    57.     @Override
    58.     public String getUsername() {
    59.         return user.getUsername();
    60.     }
    61.  
    62.     @Override
    63.     public boolean isAccountNonExpired() {
    64.         return true;
    65.     }
    66.  
    67.     @Override
    68.     public boolean isAccountNonLocked() {
    69.         return true;
    70.     }
    71.  
    72.     @Override
    73.     public boolean isCredentialsNonExpired() {
    74.         return true;
    75.     }
    76.  
    77.     @Override
    78.     public boolean isEnabled() {
    79.         return true;
    80.     }
    81. }

    4,创建业务接口实现 UserDetailService接口 重写loadUserByUser(String s) 完成业务认证和授权

    1. package com.security.service.impl;
    2.  
    3. import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
    4. import com.security.domain.LoginUser;
    5. import com.security.domain.Role;
    6. import com.security.domain.User;
    7. import com.security.domain.UserRole;
    8. import com.security.mapper.RoleMapper;
    9. import com.security.mapper.UserMapper;
    10. import com.security.mapper.UserRoleMapper;
    11. import org.springframework.beans.factory.annotation.Autowired;
    12. import org.springframework.security.core.userdetails.UserDetails;
    13. import org.springframework.security.core.userdetails.UserDetailsService;
    14. import org.springframework.security.core.userdetails.UsernameNotFoundException;
    15. import org.springframework.stereotype.Service;
    16.  
    17. import java.util.ArrayList;
    18. import java.util.Collections;
    19. import java.util.List;
    20. import java.util.Objects;
    21. import java.util.stream.Collectors;
    22.  
    23. /**
    24.  * @Program: SpringBoot
    25.  * @ClassName service
    26.  * @Author: liutao
    27.  * @Description: 用户业务接口
    28.  * @Create: 2023-06-11 17:43
    29.  * @Version 1.0
    30.  **/
    31.  
    32. @Service
    33. public class UserDetailsServiceImpl implements UserDetailsService {
    34.     @Autowired
    35.     private UserMapper mapper;
    36.     @Autowired
    37.     private UserRoleMapper userRoleMapper;
    38.     @Autowired
    39.     private RoleMapper roleMapper;
    40.  
    41.     @Override
    42.     public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
    43.         LambdaQueryWrapper lambdaQueryWrapper = new LambdaQueryWrapper();
    44.         lambdaQueryWrapper.eq(User::getUsername, s);
    45.         User user = mapper.selectOne(lambdaQueryWrapper);
    46.         if (Objects.isNull(user)) {
    47.             throw new UsernameNotFoundException("用户不存在");
    48.         }
    49.         //TODO  查询对应角色和权限信息 注意角色前一定要以“ROLE_”开头
    50. //        List auths = new ArrayList(Arrays.asList("ROLE_USER","sys:user"));
    51.         List auths = new ArrayList(Collections.emptyList());
    52.         // 通过用户id获取当前用户所有角色id
    53.         List ids = userRoleMapper.selectList(
    54.                 new LambdaQueryWrapper()
    55.                         .eq(UserRole::getUserId, user.getId())
    56.                 )
    57.                 .stream()
    58.                 .map(UserRole::getRoleId)
    59.                 .collect(Collectors.toList());
    60.         // 获取角色
    61.         List roles = roleMapper.selectBatchIds(ids)
    62.                 .stream()
    63.                 .map(Role::getFlag)
    64.                 .collect(Collectors.toList());
    65.         auths.addAll(roles);
    66.         auths.add("sys:user");
    67.         return new LoginUser(user, auths);
    68.     }
    69.  
    70.  
    71. }

    6,配置核心配置文件

    1. package com.security.config;
    2.  
    3. import com.security.filter.JwtAuthenticationTokenFilter;
    4. import com.security.service.impl.UserDetailsServiceImpl;
    5. import org.springframework.beans.factory.annotation.Autowired;
    6. import org.springframework.context.annotation.Bean;
    7. import org.springframework.context.annotation.Configuration;
    8. import org.springframework.security.authentication.AuthenticationManager;
    9. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    10. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    12. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    13. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    14. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    15. import org.springframework.security.crypto.password.PasswordEncoder;
    16. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    17.  
    18. /**
    19.  * @Program: SpringBoot
    20.  * @ClassName SecurityConfig
    21.  * @Author: liutao
    22.  * @Description: security配置类
    23.  * @Create: 2023-06-11 17:39
    24.  * @Version 1.0
    25.  **/
    26.  
    27. @Configuration
    28. @EnableGlobalMethodSecurity(jsr250Enabled = true, prePostEnabled = true)
    29. @EnableWebSecurity
    30. public class SecurityConfig extends WebSecurityConfigurerAdapter {
    31.     @Autowired
    32.     private UserDetailsServiceImpl userDetailsService;
    33.  
    34.     @Autowired
    35.     private PasswordEncoder passwordEncoder;
    36.  
    37.     @Autowired
    38.     private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
    39.  
    40.     @Override
    41.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    42.         // 自定义用户认证
    43. //        auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
    44.  
    45.         // 数据库用户认证
    46.         auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    47.     }
    48.  
    49.     /**
    50.      * anyRequest          |   匹配所有请求路径
    51.      * access              |   SpringEl表达式结果为true时可以访问
    52.      * anonymous           |   匿名可以访问
    53.      * denyAll             |   用户不能访问
    54.      * fullyAuthenticated  |   用户完全认证可以访问(非remember-me下自动登录)
    55.      * hasAnyAuthority     |   如果有参数,参数表示权限,则其中任何一个权限可以访问
    56.      * hasAnyRole          |   如果有参数,参数表示角色,则其中任何一个角色可以访问
    57.      * hasAuthority        |   如果有参数,参数表示权限,则其权限可以访问
    58.      * hasIpAddress        |   如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问
    59.      * hasRole             |   如果有参数,参数表示角色,则其角色可以访问
    60.      * permitAll           |   用户可以任意访问
    61.      * rememberMe          |   允许通过remember-me登录的用户访问
    62.      * authenticated       |   用户登录后可访问
    63.      */
    64.     @Override
    65.     protected void configure(HttpSecurity http) throws Exception {
    66.         http
    67.                 // CSRF禁用,因为不使用session
    68.                 .csrf().disable()
    69.                 // 禁用HTTP响应标头
    70.                 .headers().cacheControl().disable().and()
    71.                 // 过滤请求
    72.                 .authorizeRequests()
    73.                 // 对于登录toLogin 允许匿名访问
    74.                 .mvcMatchers("/toLogin").permitAll().mvcMatchers("/css/**", "/js/**", "/swagger-resources/**", "/webjars/**", "/v2/**", "/doc.html", "/img/**", "/favicon.ico").permitAll()
    75. //                .antMatchers("/**")
    76. //                .hasAnyRole("USER")
    77.                 // 除上面外的所有请求全部需要鉴权认证
    78.                 .anyRequest().authenticated();
    79. //                .and()
    80. //                .formLogin()
    81. //                .loginProcessingUrl("/toLogin")
    82. //                .successForwardUrl("/home")
    83. //                .and()
    84. //                .httpBasic();
    85.         http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    86.     }
    87.  
    88.  
    89.     @Bean
    90.     @Override
    91.     protected AuthenticationManager authenticationManager() throws Exception {
    92.         return super.authenticationManager();
    93.     }
    94.  
    95.     @Bean
    96.     public BCryptPasswordEncoder passwordEncoder() {
    97.         return new BCryptPasswordEncoder();
    98.     }
    99. }

    7,抽离web接口代码

    1. package com.security.service.impl;
    2.  
    3. import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
    4. import com.security.common.Result;
    5. import com.security.domain.LoginUser;
    6. import com.security.domain.User;
    7. import com.security.domain.dto.UserDto;
    8. import com.security.domain.vo.UserVo;
    9. import com.security.mapper.UserMapper;
    10. import com.security.service.UserService;
    11. import com.security.utils.JwtUtil;
    12. import com.security.utils.RedisUtil;
    13. import org.slf4j.Logger;
    14. import org.slf4j.LoggerFactory;
    15. import org.springframework.beans.BeanUtils;
    16. import org.springframework.beans.factory.annotation.Autowired;
    17. import org.springframework.security.authentication.AuthenticationManager;
    18. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    19. import org.springframework.security.core.Authentication;
    20. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    21. import org.springframework.stereotype.Service;
    22.  
    23. import java.util.Objects;
    24. import java.util.concurrent.TimeUnit;
    25.  
    26. /**
    27.  * @Program: SpringBoot
    28.  * @ClassName UserServiceImpl
    29.  * @Author: liutao
    30.  * @Description:
    31.  * @Create: 2023-06-12 00:51
    32.  * @Version 1.0
    33.  **/
    34.  
    35. @Service
    36. public class UserServiceImpl extends ServiceImpl implements UserService {
    37.     private static final Logger log = LoggerFactory.getLogger(UserServiceImpl.class);
    38.     @Autowired
    39.     private UserMapper mapper;
    40.  
    41.     @Autowired
    42.     private RedisUtil redisUtil;
    43.  
    44.     @Autowired
    45.     private AuthenticationManager authenticationManager;
    46.     @Autowired
    47.     private BCryptPasswordEncoder passwordEncoder;
    48.  
    49.     @Override
    50.     public UserVo login(UserDto userDto) {
    51.         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDto.getUsername(), userDto.getPassword());
    52.         Authentication authentication = authenticationManager.authenticate(token);
    53.         if (Objects.isNull(authentication)) {
    54.             throw new RuntimeException("登录失败!");
    55.         }
    56.         LoginUser loginUser = (LoginUser) authentication.getPrincipal();
    57.         if (!passwordEncoder.matches(userDto.getPassword(), loginUser.getPassword())) {
    58.             throw new RuntimeException("密码错误");
    59.         }
    60.         UserVo userVo = new UserVo();
    61.         BeanUtils.copyProperties(loginUser.getUser(), userVo);
    62.         String jwtToken = JwtUtil.getToken(userVo.getId().toString());
    63.         String redisKey = "login:" + userVo.getId().toString();
    64.         log.info("当前登录用户:{}",loginUser);
    65.         redisUtil.set(redisKey, loginUser,20L, TimeUnit.MINUTES);
    66.         userVo.setToken(jwtToken);
    67.         return  userVo;
    68.     }
    69. }

    8,web接口

    1. package com.security.controller;
    2.  
    3. import com.security.common.Result;
    4. import com.security.domain.dto.UserDto;
    5. import com.security.domain.vo.UserVo;
    6. import com.security.service.UserService;
    7. import org.springframework.beans.factory.annotation.Autowired;
    8. import org.springframework.security.access.prepost.PreAuthorize;
    9. import org.springframework.web.bind.annotation.*;
    10.  
    11. /**
    12.  * @author TAOGE
    13.  */
    14. @RestController
    15. public class BasicController {
    16.  
    17.     @Autowired
    18.     private UserService userService;
    19.     @PostMapping("/toLogin")
    20.     public Result login(@RequestBody UserDto userDto) {
    21.         return  Result.success("登录成功", userService.login(userDto));
    22.     }
    23.  
    24.     @PreAuthorize("hasRole('ADMIN')")
    25.     @GetMapping("/hasRole")
    26.     public Result hasRole() {
    27.         return Result.success("ADMIN");
    28.     }
    29.  
    30.     @PreAuthorize("hasAuthority('sys:user')")
    31.     @GetMapping("/hasPerm")
    32.     public Result hasPerm() {
    33.         return Result.success("sys:user");
    34.     }
    35. }

    测试

    1,启动服务

    2,访问 /hasRole接口

    3,认证授权

    4,携带token访问 /hasRole 和 /hasPerm接口

    结尾

    到这里我们今天的SpringBoot整合和尝鲜SpringSecurity就结束了!!

    欢迎双击点赞 666!!!

    everybody see you!!!

  • 相关阅读:
    在kubernetes+istio中通过FQDN请求Nacos服务
    java虚拟机详解篇七(虚拟机线程)
    浅谈ClickHouse安全性和权限管理
    虚拟机Linux+Ubuntu操作系统 如何在虚拟机上安装docker VMPro 2024在线激活资源
    React 官网为什么那么快?
    一文讲清楚Java面向对象的继承关系
    为什么手动采购管理会危及你的工作流程?
    讯飞开放平台--星火认知大模型--开发技术文档--js实例代码详解
    【动态规划 状态机dp 性能优化】3098. 求出所有子序列的能量和
    阿里工作8年,肝到P7就剩这份学习笔记了,已助朋友拿到10个Offer
  • 原文地址:https://blog.csdn.net/LT19990304/article/details/136407281