轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

kenx
• 阅读 1915

前言

我们知道在项目开发中,后台开发权限认证是非常重要的,springboot 中常用熟悉的权限认证框架有,shiro,还有就是springboot 全家桶的 security当然他们各有各的好处,但是我比较喜欢springboot自带的权限认证框架

<!--springboot 权限认证-->
      <dependency>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-security</artifactId>
      </dependency>

与springboot天然集成,功能强大

快速上手

主要实现 Spring Security 的安全认证,结合 RESTful API 的风格,使用无状态的环境。

主要实现是通过请求的 URL ,通过过滤器来做不同的授权策略操作,为该请求提供某个认证的方法,然后进行认证,授权成功返回授权实例信息,供服务调用。

基于Token的身份验证的过程如下:

用户通过用户名和密码发送请求。 程序验证。 程序返回一个签名的token 给客户端。 客户端储存token,并且每次用于每次发送请求。 服务端验证token并返回数据。 每一次请求都需要token,所以每次请求都会去验证用户身份,所以这里必须要使用缓存,

流程图

JWT JSON Web Token 验证流程图

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

添加Spring Security和JWT依赖项

       <!--springboot 权限认证-->
          <dependency>
              <groupId>org.springframework.boot</groupId>
              <artifactId>spring-boot-starter-security</artifactId>
          </dependency>
         <!--jwt 认证-->
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
         </dependency>

生成JWT toke

因为要生成JWT toke 所以就写了一个工具类JwtTokenUtil

package cn.soboys.kmall.security.utils;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:28
 * @webSite https://www.soboys.cn/
 */
@Component
public class JwtTokenUtil implements Serializable {

    private static final long serialVersionUID = -2550185165626007488L;

    public static final long JWT_TOKEN_VALIDITY = 7*24*60*60;

    private String secret="TcUF7CC8T3txmfQ38pYsQ3KY";

    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }


    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return doGenerateToken(claims, username);
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = getUsernameFromToken(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }


    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = getAllClaimsFromToken(token);
        return claimsResolver.apply(claims);
    }

    private Claims getAllClaimsFromToken(String token) {
        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
    }


    private Boolean isTokenExpired(String token) {
        final Date expiration = getExpirationDateFromToken(token);
        return expiration.before(new Date());
    }

    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }

    private String doGenerateToken(Map<String, Object> claims, String subject) {
        return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY*1000)).signWith(SignatureAlgorithm.HS512, secret).compact();
    }
}

注入数据源

这里我们使用数据库作为权限控制数据保存,所以就要注入数据源,进行权限认证 Spring Security提供了 UserDetailsService接口 用于用户身份认证,和UserDetails实体类,用于保存用户信息,(用户凭证,权限等)

看源码

package org.springframework.security.core.userdetails;

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}
package org.springframework.security.core.userdetails;
public interface UserDetails extends Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();

    String getPassword();

    String getUsername();

    boolean isAccountNonExpired();

    boolean isAccountNonLocked();

    boolean isCredentialsNonExpired();

    boolean isEnabled();
}

所以我们分为两步走:

  1. 自己的User实体类继承Spring SecurityUserDetails 保存相关权限信息
package cn.soboys.kmall.security.entity;

import com.baomidou.mybatisplus.annotation.IdType;
import com.baomidou.mybatisplus.annotation.TableField;
import com.baomidou.mybatisplus.annotation.TableId;
import com.baomidou.mybatisplus.annotation.TableName;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import lombok.EqualsAndHashCode;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.io.Serializable;
import java.time.LocalDateTime;
import java.util.*;

/**
 * <p>
 * 用户表
 * </p>
 *
 * @author kenx
 * @since 2021-08-06
 */
@Data
@EqualsAndHashCode(callSuper = false)
@TableName("t_user")
public class User implements Serializable, UserDetails {

    private static final long serialVersionUID = 1L;

    /**
     * 用户ID
     */
    @TableId(value = "USER_ID", type = IdType.AUTO)
    private Long userId;

    /**
     * 用户名
     */
    @TableField("USERNAME")
    private String username;

    /**
     * 密码
     */
    @TableField("PASSWORD")
    private String password;

    /**
     * 部门ID
     */
    @TableField("DEPT_ID")
    private Long deptId;

    /**
     * 邮箱
     */
    @TableField("EMAIL")
    private String email;

    /**
     * 联系电话
     */
    @TableField("MOBILE")
    private String mobile;

    /**
     * 状态 0锁定 1有效
     */
    @TableField("STATUS")
    private String status;

    /**
     * 创建时间
     */
    @TableField("CREATE_TIME")
    private Date createTime;

    /**
     * 修改时间
     */
    @TableField("MODIFY_TIME")
    private Date modifyTime;

    /**
     * 最近访问时间
     */
    @TableField("LAST_LOGIN_TIME")
    private Date lastLoginTime;

    /**
     * 性别 0男 1女 2保密
     */
    @TableField("SSEX")
    private String ssex;

    /**
     * 是否开启tab,0关闭 1开启
     */
    @TableField("IS_TAB")
    private String isTab;

    /**
     * 主题
     */
    @TableField("THEME")
    private String theme;

    /**
     * 头像
     */
    @TableField("AVATAR")
    private String avatar;

    /**
     * 描述
     */
    @TableField("DESCRIPTION")
    private String description;

    @TableField(exist = false)
    private List<Role> roles;


    @TableField(exist = false)
    private Set<String> perms;

    /**
     * 用户权限
     *
     * @return
     */
    /*@Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> auths = new ArrayList<>();
        List<Role> roles = this.getRoles();
        for (Role role : roles) {
            auths.add(new SimpleGrantedAuthority(role.getRolePerms()));
        }
        return auths;
    }*/
    @Override
    @JsonIgnore
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> auths = new ArrayList<>();
        Set<String> perms = this.getPerms();
        for (String perm : perms) {
            //这里perms值如果为空或空字符会报错
            auths.add(new SimpleGrantedAuthority(perm));
        }
        return auths;
    }

    @Override
    @JsonIgnore
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    @JsonIgnore
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    @JsonIgnore
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    @JsonIgnore
    public boolean isEnabled() {
        return true;
    }
}

注意这里有一个问题 登录用户时,总提示 User account is locked

是因为用户实体类实现UserDetails这个接口时,我默认把所有抽象方法给自动实现了,而自动生成下面这四个方法,默认返回false,

    @Override
    public boolean isAccountNonExpired() {
        return false;
    }

    @Override
    public boolean isAccountNonLocked() {
        return false;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return false;
    }

    @Override
    public boolean isEnabled() {
        return false;
    }

问题原因就在这里,只要把它们的返回值改成true就行。

UserDetails 中几个字段的解释:

//返回验证用户密码,无法返回则NULL

String getPassword();
String getUsername();

账户是否过期,过期无法验证

boolean isAccountNonExpired();

指定用户是否被锁定或者解锁,锁定的用户无法进行身份验证

boolean isAccountNonLocked();

指示是否已过期的用户的凭据(密码),过期的凭据防止认证

boolean isCredentialsNonExpired();

是否被禁用,禁用的用户不能身份验证

boolean isEnabled();
  1. 实现接口中loadUserByUsername方法注入数据验证就可以了

自己IUserService用户接口类继承Spring Security提供了 UserDetailsService接口

public interface IUserService  extends IService<User>, UserDetailsService {

    User getUserByUsername(String username);

   /* *//**
     * 获取用户所有权限
     *
     * @param username
     * @return
     *//*
    Set<String> getUserPerms(String username);*/

}

并且加以实现

@Service
@RequiredArgsConstructor
@Slf4j
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements IUserService {
    private final RoleMapper roleMapper;

    @Override
    public User getUserByUsername(String username) {
        return this.baseMapper.selectOne(new QueryWrapper<User>().lambda()
                .eq(User::getUsername, username));
    }


    /**
     * 对用户提供的用户详细信息进行身份验证时
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = this.getUserByUsername(username);

        if (StrUtil.isBlankIfStr(user)) {
            throw new UsernameNotFoundException("User not found with username: " + username);
        }

        //获取用户角色信息
        List<Role> roles = roleMapper.findUserRolePermsByUserName(username);
        user.setRoles(roles);

        List<String> permList = this.baseMapper.findUserPerms(username);

        //java8 stream 便利
        Set<String> perms = permList.stream().filter(o->StrUtil.isNotBlank(o)).collect(Collectors.toSet());
        user.setPerms(perms);

        //用于添加用户的权限。只要把用户权限添加到authorities 就万事大吉。
        // List<SimpleGrantedAuthority> authorities = new ArrayList<>();


        //用于添加用户的权限。只要把用户权限添加到authorities 就万事大吉。
        /*for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRolePerms()));
            log.info("loadUserByUsername: " + user);
        }*/
        //user.setAuthorities(authorities);//用于登录时 @AuthenticationPrincipal 标签取值
        return user;
    }


}

自己实现loadUserByUsername从数据库中验证用户名密码,获取用户角色权限信息

拦截器配置

Spring Security的AuthenticationEntryPoint类,它拒绝每个未经身份验证的请求并发送错误代码401

package cn.soboys.kmall.security.config;

import cn.soboys.kmall.common.ret.Result;
import cn.soboys.kmall.common.ret.ResultCode;
import cn.soboys.kmall.common.ret.ResultResponse;
import cn.soboys.kmall.common.utils.ResponseUtil;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Serializable;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:30
 * @webSite https://www.soboys.cn/
 * 此类继承Spring Security的AuthenticationEntryPoint类,
 * 并重写其commence。它拒绝每个未经身份验证的请求并发送错误代码401。
 */
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {

    /**
     * 此类继承Spring Security的AuthenticationEntryPoint类,并重写其commence。
     * 它拒绝每个未经身份验证的请求并发送错误代码401
     *
     * @param httpServletRequest
     * @param httpServletResponse
     * @param e
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        Result result = ResultResponse.failure(ResultCode.UNAUTHORIZED, "请先登录");
        ResponseUtil.responseJson(httpServletResponse, result);
    }
}

JwtRequestFilter 任何请求都会执行此类检查请求是否具有有效的JWT令牌。如果它具有有效的JWT令牌,则它将在上下文中设置Authentication,以指定当前用户已通过身份验证。

package cn.soboys.kmall.security.config;

import cn.soboys.kmall.common.utils.ConstantFiledUtil;
import cn.soboys.kmall.security.service.IUserService;
import cn.soboys.kmall.security.utils.JwtTokenUtil;
import io.jsonwebtoken.ExpiredJwtException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/5 22:27
 * @webSite https://www.soboys.cn/
 * 任何请求都会执行此类
 * 检查请求是否具有有效的JWT令牌。如果它具有有效的JWT令牌,
 * 则它将在上下文中设置Authentication,以指定当前用户已通过身份验证。
 */
@Component
@Slf4j
public class JwtRequestFilter extends OncePerRequestFilter {

    //用户数据源
    private IUserService userService;
    //生成jwt 的token
    private  JwtTokenUtil jwtTokenUtil;

    public JwtRequestFilter(IUserService userService,JwtTokenUtil jwtTokenUtil) {
        this.userService = userService;
        this.jwtTokenUtil = jwtTokenUtil;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        final String requestTokenHeader = request.getHeader(ConstantFiledUtil.AUTHORIZATION_TOKEN);

        String username = null;
        String jwtToken = null;
        // JWT Token is in the form "Bearer token". Remove Bearer word and get only the Token
        if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
            jwtToken = requestTokenHeader.substring(7);
            try {
                username = jwtTokenUtil.getUsernameFromToken(jwtToken);
            } catch (IllegalArgumentException e) {
                log.error("Unable to get JWT Token");
            } catch (ExpiredJwtException e) {
                log.error("JWT Token has expired");
            }
        } else {
            //logger.warn("JWT Token does not begin with Bearer String");
        }

        //Once we get the token validate it.
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = this.userService.loadUserByUsername(username);

            // if token is valid configure Spring Security to manually set authentication
            if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {

                //保存用户信息和权限信息
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken
                        .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // After setting the Authentication in the context, we specify
                // that the current user is authenticated. So it passes the Spring Security Configurations successfully.
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}

配置Spring Security 配置类SecurityConfig

  1. 自定义Spring Security的时候我们需要继承自WebSecurityConfigurerAdapter来完成,相关配置重写对应 方法

  2. 此处使用了 BCryptPasswordEncoder 密码加密

  3. 通过重写configure方法添加我们自定义的认证方式。

package cn.soboys.kmall.security.config;


import cn.soboys.kmall.security.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.Set;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/6 17:27
 * @webSite https://www.soboys.cn/
 */
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // 控制权限注解
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    private IUserService userService;
    private JwtRequestFilter jwtRequestFilter;


    public SecurityConfig(JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint,
                          IUserService userService,
                          JwtRequestFilter jwtRequestFilter) {
        this.jwtAuthenticationEntryPoint = jwtAuthenticationEntryPoint;
        this.userService = userService;
        this.jwtRequestFilter = jwtRequestFilter;
    }


    /**
     * 1)HttpSecurity支持cors。
     * 2)默认会启用CRSF,此处因为没有使用thymeleaf模板(会自动注入_csrf参数),
     * 要先禁用csrf,否则登录时需要_csrf参数,而导致登录失败。
     * 3)antMatchers:匹配 "/" 路径,不需要权限即可访问,匹配 "/user" 及其以下所有路径,
     * 都需要 "USER" 权限
     * 4)配置登录地址和退出地址
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // We don't need CSRF for this example
        http.csrf().disable()
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                "/v3/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                "/statics/**", "/login", "/register").permitAll().
                // all other requests need to be authenticated
                        anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                //覆盖默认登录
                        exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                // 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);


        // Add a filter to validate the tokens with every request
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }


    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * 密码校验
     *
     * @param auth
     * @throws Exception
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // configure AuthenticationManager so that it knows from where to load
        // user for matching credentials
        // Use BCryptPasswordEncoder
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    /**
     * 密码加密验证
     *
     * @return
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }


}

具体应用

package cn.soboys.kmall.security.controller;

import cn.hutool.core.util.StrUtil;
import cn.soboys.kmall.common.exception.BusinessException;
import cn.soboys.kmall.common.ret.ResponseResult;
import cn.soboys.kmall.common.ret.Result;
import cn.soboys.kmall.common.ret.ResultResponse;
import cn.soboys.kmall.security.entity.User;
import cn.soboys.kmall.security.service.IUserService;
import cn.soboys.kmall.security.utils.EncryptPwdUtil;
import cn.soboys.kmall.security.utils.JwtTokenUtil;
import com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper;
import io.swagger.annotations.*;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotEmpty;
import java.util.Date;
import java.util.Objects;

/**
 * @author kenx
 * @version 1.0
 * @date 2021/8/6 12:30
 * @webSite https://www.soboys.cn/
 */
@RestController
@ResponseResult
@Validated
@RequiredArgsConstructor
@Api(tags = "登录接口")
public class LoginController {
    private final IUserService userService;
    //认证管理,认证用户省份
    private final AuthenticationManager authenticationManager;
    private final JwtTokenUtil jwtTokenUtil;
    //自己数据源
    private final UserDetailsService jwtInMemoryUserDetailsService;




    @PostMapping("/login")
    @ApiOperation("用户登录")
    @SneakyThrows
    public Result login(@NotBlank @RequestParam String username,
                        @NotBlank @RequestParam String password) {


        Authentication authentication= this.authenticate(username, password);

        String user = authentication.getName();

        final String token = jwtTokenUtil.generateToken(user);
        //更新用户最后登录时间
        User u = new User();
        u.setLastLoginTime(new Date());
        userService.update(u, new UpdateWrapper<User>().lambda().eq(User::getUsername, username));
        return ResultResponse.success("Bearer " + token);
    }

    @PostMapping("/register")
    @ApiOperation("用户注册")
    public Result register(@NotEmpty @RequestParam String username, @NotEmpty @RequestParam String password) {
        User user = userService.getUserByUsername(username);

        if (!StrUtil.isBlankIfStr(user)) {
            throw new BusinessException("用户已存在");
        }
        User u = new User();
        u.setPassword(EncryptPwdUtil.encryptPassword(password));
        u.setUsername(username);
        u.setCreateTime(new Date());
        u.setModifyTime(new Date());
        u.setStatus("1");
        userService.save(u);
        return ResultResponse.success();

    }


    private Authentication authenticate(String username, String password) throws Exception {
        Authentication authentication = null;
        try {
            //security 认证用户身份
            authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } catch (DisabledException e) {
            throw new BusinessException("用户不存");
        } catch (BadCredentialsException e) {
            throw new BusinessException("用户名密码错误");
        }

        return authentication;
    }
}

深入了解

Spring Security 配置讲解

  1. @EnableWebSecurity 开启权限认证
  2. @EnableGlobalMethodSecurity(prePostEnabled = true) 开启权限注解认证
  3. configure 配置
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // We don't need CSRF for this example
        http.csrf().disable()
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                "/v3/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                "/statics/**", "/login", "/register").permitAll().
                // all other requests need to be authenticated
                        anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                //覆盖默认登录
                        exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                // 基于token,所以不需要session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);


        // Add a filter to validate the tokens with every request
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

轻松上手SpringBoot+SpringSecurity+JWT实RESTfulAPI权限控制实战

参考

  1. Spring Security 权限认证
  2. springSecurity 之 http Basic认证
  3. 轻松上手SpringBoot Security + JWT Hello World示例
点赞
收藏
评论区
推荐文章
blmius blmius
3年前
MySQL:[Err] 1292 - Incorrect datetime value: ‘0000-00-00 00:00:00‘ for column ‘CREATE_TIME‘ at row 1
文章目录问题用navicat导入数据时,报错:原因这是因为当前的MySQL不支持datetime为0的情况。解决修改sql\mode:sql\mode:SQLMode定义了MySQL应支持的SQL语法、数据校验等,这样可以更容易地在不同的环境中使用MySQL。全局s
皕杰报表之UUID
​在我们用皕杰报表工具设计填报报表时,如何在新增行里自动增加id呢?能新增整数排序id吗?目前可以在新增行里自动增加id,但只能用uuid函数增加UUID编码,不能新增整数排序id。uuid函数说明:获取一个UUID,可以在填报表中用来创建数据ID语法:uuid()或uuid(sep)参数说明:sep布尔值,生成的uuid中是否包含分隔符'',缺省为
待兔 待兔
4个月前
手写Java HashMap源码
HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程22
Jacquelyn38 Jacquelyn38
3年前
2020年前端实用代码段,为你的工作保驾护航
有空的时候,自己总结了几个代码段,在开发中也经常使用,谢谢。1、使用解构获取json数据let jsonData  id: 1,status: "OK",data: 'a', 'b';let  id, status, data: number   jsonData;console.log(id, status, number )
Stella981 Stella981
3年前
Spring Security使用详解1(基本用法 )
一般项目都会有严格的认证和授权操作,而在Java开发领域常见的安全框架有Shiro和SpringSecurity。本文首先介绍下后者。一、基本用法1、什么是SpringSecurity?SpringSecurity是一个相对复杂的安全管理框架,功能比Shiro更加强大,权限控制细粒度更高,对O
Stella981 Stella981
3年前
Shiro 核心功能案例讲解 基于SpringBoot 有源码
Shiro核心功能案例讲解基于SpringBoot有源码从实战中学习Shiro的用法。本章使用SpringBoot快速搭建项目。整合SiteMesh框架布局页面。整合Shiro框架实现用身份认证,授权,数据加密功能。通过本章内容,你将学会用户权限的分配规则,SpringBoot整合Sh
Wesley13 Wesley13
3年前
00:Java简单了解
浅谈Java之概述Java是SUN(StanfordUniversityNetwork),斯坦福大学网络公司)1995年推出的一门高级编程语言。Java是一种面向Internet的编程语言。随着Java技术在web方面的不断成熟,已经成为Web应用程序的首选开发语言。Java是简单易学,完全面向对象,安全可靠,与平台无关的编程语言。
Stella981 Stella981
3年前
Django中Admin中的一些参数配置
设置在列表中显示的字段,id为django模型默认的主键list_display('id','name','sex','profession','email','qq','phone','status','create_time')设置在列表可编辑字段list_editable
Wesley13 Wesley13
3年前
MySQL部分从库上面因为大量的临时表tmp_table造成慢查询
背景描述Time:20190124T00:08:14.70572408:00User@Host:@Id:Schema:sentrymetaLast_errno:0Killed:0Query_time:0.315758Lock_
Python进阶者 Python进阶者
10个月前
Excel中这日期老是出来00:00:00,怎么用Pandas把这个去除
大家好,我是皮皮。一、前言前几天在Python白银交流群【上海新年人】问了一个Pandas数据筛选的问题。问题如下:这日期老是出来00:00:00,怎么把这个去除。二、实现过程后来【论草莓如何成为冻干莓】给了一个思路和代码如下:pd.toexcel之前把这