Spring Security 是一个用于 Spring 程序身份认证的框架,里面东西很多,用起来也很方便,但是上手并不是那么容易,最近粗略看了一些教程,总算是把它用到自己的项目里去了,并且跟 JWT 整合了一下,下面详细记录一下我的步骤防止我下次用的时候忘了。 -_-

1. 导入依赖

首先将相关的 jar 导入项目中。
构建配置如下(部分):

Maven

<!-- Spring Security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<!-- Java Web Token -->
<!-- https://github.com/jwtk/jjwt -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.2</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.11.2</version>
    <scope>compile</scope> <!-- 这里需要对 jackson 进行一些配置,所以不宜用 runtime -->
</dependency>

<!-- 其他 -->

Gradle

implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
implementation 'io.jsonwebtoken:jjwt-jackson:0.11.2'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.2'

2. 启用 Spring Security

创建一个 Spring 配置类。

package com.example.config;

import javax.servlet.http.HttpServletResponse;
import com.example.filter.JwtAuthenticationFilter;
import com.example.filter.JwtAuthorizationFilter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法注解的解析
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;

    public SecurityConfig(@Qualifier("userDetailsServiceImpl") UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder(); // 使用 BCrypt 密码编码器
    }

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() {
        return this.userDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 使用自定义验证服务
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().disable()
            // 禁用 CSRF
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/login").permitAll()
            .antMatchers("/error").permitAll()
            .and()
            //添加自定义 Filter,见下
            .addFilter(new JwtAuthenticationFilter(authenticationManager()))
            .addFilter(new JwtAuthorizationFilter(authenticationManager()))
            // 不需要session(不创建会话)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            // 授权异常处理
            .exceptionHandling().authenticationEntryPoint((httpServletRequest, httpServletResponse, e) -> httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage()))
            .accessDeniedHandler((httpServletRequest, httpServletResponse, e) -> httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage()))
            // 防止 H2 web 页面的 Frame 被拦截
            .and().headers()
            .frameOptions().disable();
    }
}

3. 创建用户相关的数据实体类和服务

略过,只需要注意让实体类实现 org.springframework.security.core.userdetails.UserDetails 接口,让服务实现 org.springframework.security.core.userdetails.UserDetailsService 接口即可,详细说明查看相关文档。

还有就是 org.springframework.security.core.userdetails.UserDetails#getAuthorities 方法需要返回当前用户的权限,下面会用到的。

4. 编写认证和验证的过滤器

首先是用于认证的过滤器,它的作用是给发给登录接口、带有用户名密码的请求返回一个 token,代码如下:

package com.example.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.example.bean.LoginRequest;
import com.example.model.Account;
import com.example.utils.JwtUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.context.WebApplicationContext;

public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private final AuthenticationManager authenticationManager;
    private final ThreadLocal<Boolean> rememberMe = new ThreadLocal<>();

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
        // 设置验证 URL
        super.setFilterProcessesUrl("/login");
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (request.getParameter("logout") != null && !request.getParameter("logout").equalsIgnoreCase("false")) {
            response.setHeader(JwtUtils.TOKEN_HEADER, "logout"); // 当请求退出登录时清除 token 即可
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return null;
        }
        if (!request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                "Authentication method not supported: " + request.getMethod());
        }
        WebApplicationContext context = RequestContextUtils.findWebApplicationContext(request);
        if (context == null) throw new IllegalStateException("not in a request");
        ObjectMapper objectMapper = context.getBean(ObjectMapper.class); // 获取 ObjectMapper,也可以从构造器传参注入
        try {
            LoginRequest loginRequest = objectMapper.readValue(request.getInputStream(), LoginRequest.class);
            rememberMe.set(loginRequest.rememberMe);
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                loginRequest.username, loginRequest.password);
            return authenticationManager.authenticate(authentication);
        } catch (IOException e) {
            throw new AuthenticationServiceException(e.getLocalizedMessage(), e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) {
        // 若验证成功,principal 中会包含取到的用户信息(用第 3 步写的服务获取的)
        Account account = (Account) authResult.getPrincipal();
        List<String> authorities = account.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()); // 转换成字符列表
        // 创建 Token
        String token = JwtUtils.getToken(account.getUsername(), authorities, rememberMe.get(), account);
        rememberMe.remove();
        // Http Response Header 中返回 Token
        response.setHeader(JwtUtils.TOKEN_HEADER, token);
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, failed.getMessage());
    }
}

用到的工具类代码如下:

package com.example.bean;
/**
 * 用户登录请求
 */
public class LoginRequest {
    public String username;
    public String password;
    public boolean rememberMe;
}
package com.example.utils;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.DecodingException;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;
import io.jsonwebtoken.lang.Maps;
import io.jsonwebtoken.security.Keys;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import javax.xml.bind.DatatypeConverter;
import net.wlgzs.grading.model.Account;
import org.json.JSONException;
import org.json.JSONObject;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class JwtUtils {

    public static final long EXPIRATION = 20 * 60L; // 20 分钟
    public static final long EXPIRATION_REMEMBER = 60 * 60 * 24 * 7L; // 一周
    public static final String JWT_SECRET_KEY = "自己生成一个密钥"; // 生成方式:DatatypeConverter.printBase64Binary(Keys.secretKeyFor(SignatureAlgorithm.HS256).getEncoded())
    public static final String TOKEN_HEADER = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer ";
    public static final String TOKEN_TYPE = "JWT";

    private static final byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(JWT_SECRET_KEY);
    private static final SecretKey secretKey = Keys.hmacShaKeyFor(apiKeySecretBytes);

    private JwtUtils() {
        throw new IllegalStateException();
    }

    public static String getToken(String username, List<String> roles, boolean isRememberMe, Account account) {
        long expiration = isRememberMe ? EXPIRATION_REMEMBER : EXPIRATION;
        final Date createdDate = new Date();
        final Date expirationDate = new Date(createdDate.getTime() + expiration * 1000);
        String token = Jwts.builder()
            .setHeaderParam("typ", TOKEN_TYPE)
            .setHeaderParam("cty", account.getClass().getName()) // 这里我的 Account 有派生类,所以存了个类名
            .signWith(secretKey, SignatureAlgorithm.HS256)
            .claim("rol", String.join(",", roles))
            .setIssuer("JWT 示例")
            .setIssuedAt(createdDate)
            .setSubject(username)
            .setExpiration(expirationDate)
            .claim("account", account)
            .compact();
        return TOKEN_PREFIX + token;
    }

    public static boolean isTokenExpired(Claims tokenBody) {
        Date expiredDate = tokenBody.getExpiration();
        return expiredDate.before(new Date());
    }

    public static String getUsernameByToken(String token) {
        return parseToken(token).getBody().getSubject();
    }

    public static List<? extends GrantedAuthority> getUserRolesByToken(String token) {
        String role = (String) parseToken(token).getBody()
            .get("rol");
        return Arrays.stream(role.split(","))
            .map(String::trim)
            .map(Account.AdminLevel::valueOf)
            .collect(Collectors.toList());
    }

    public static Account getAccountByTokenBody(Jws<Claims> token) {
        Account account;
        try {
            account = (Account) token.getBody().get("account", Class.forName(token.getHeader().getContentType()));
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("accountType is not a known account class", e);
        }
        return account;
    }

    public static Optional<Account> getCurrentAccount() {
        // 这一步从当前请求上下文中获取已经验证的账号对象
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return Optional.ofNullable(authentication)
            .map(auth -> (Account) auth.getDetails());
    }

    @SuppressWarnings("unchecked")
    public static Class<? extends Account> getAccountType(String token) {
        if (token.isEmpty()) throw new DecodingException("token 为空");
        if (token.indexOf('.') <= 1) throw new DecodingException("token 格式错误");
        StringBuilder headerBase64 = new StringBuilder(token.substring(0, token.indexOf('.')).replace('-', '+').replace('_', '/'));
        while (headerBase64.length() % 4 != 0) headerBase64.append("=");
        String header = new String(DatatypeConverter.parseBase64Binary(headerBase64.toString()));
        try {
            JSONObject jsonObject = new JSONObject(header);
            String cty = jsonObject.getString("cty");
            return (Class<? extends Account>) Class.forName(cty);
        } catch (JSONException | ClassNotFoundException e) {
            throw new DecodingException("accountType is not a known account class", e);
        }
    }

    @SuppressWarnings({"unchecked", "rawtypes"})
    public static Jws<Claims> parseToken(String token) {
        // ======== 由于我的 Account 有派生类,所以先解析是哪种账号 ========
        Class<? extends Account> accountClass = getAccountType(token);
        // ==================
        return Jwts.parserBuilder()
            .setSigningKey(secretKey)
            .deserializeJsonWith(new JacksonDeserializer(Maps.of("account", accountClass).build()))
            .build()
            .parseClaimsJws(token);
    }

}

其次是过滤掉未验证的请求,写一个过滤器即可。

package com.example.filter;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.time.Duration;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import com.example.utils.JwtUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.StringUtils;

@Slf4j
public class JwtAuthorizationFilter extends BasicAuthenticationFilter {

    public JwtAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws IOException, ServletException {
        String token = request.getHeader(JwtUtils.TOKEN_HEADER);
        if (token == null || !token.startsWith(JwtUtils.TOKEN_PREFIX)) {
            SecurityContextHolder.clearContext();
        } else {
            try {
                UsernamePasswordAuthenticationToken authRequest = getAuthentication(token, response);
                log.info("authentication: {}", authRequest);
                if (authRequest == null) {
                    chain.doFilter(request, response);
                    return;
                }
//              Authentication authResult = this.getAuthenticationManager().authenticate(authRequest); // 不需要再这里验证,因为如果 JWT 非法,就已经抛出异常了
                SecurityContextHolder.getContext().setAuthentication(authRequest);
                onSuccessfulAuthentication(request, response, authRequest);
            } catch (AuthenticationException failed) {
                SecurityContextHolder.clearContext();
                onUnsuccessfulAuthentication(request, response, failed);
                if (this.isIgnoreFailure()) {
                    chain.doFilter(request, response);
                } else {
                    this.getAuthenticationEntryPoint().commence(request, response, failed);
                }
                return;
            }
        }

        chain.doFilter(request, response);
    }

    /**
     * 获取用户认证信息 Authentication
     */
    private UsernamePasswordAuthenticationToken getAuthentication(String authorization, HttpServletResponse response) {
        String token = authorization.replaceFirst(JwtUtils.TOKEN_PREFIX, "");
        long renewPeriod = Duration.ofMinutes(20).toMillis();
        try {
            Jws<Claims> jwsToken;
            try {
                jwsToken = JwtUtils.parseToken(token);
            } catch (ExpiredJwtException e) {
                // 过期 20 分钟后仍有效
                // 防止当前用户正在使用中而过 token 期
                if (System.currentTimeMillis() - e.getClaims().getExpiration().getTime() < renewPeriod) {
                    Account account;
                    try {
                        account = (Account) e.getClaims().get("account", Class.forName(e.getHeader().getContentType()));
                        token = JwtUtils.getToken(e.getClaims().getSubject(), Arrays.asList(e.getClaims().get("rol", String.class).split(",")), false, account);
                        token = token.substring(token.indexOf(' ') + 1);
                    } catch (ClassNotFoundException ex) {
                        throw new IllegalArgumentException("accountType is not a known account class", ex);
                    }
                    response.setHeader(JwtUtils.TOKEN_HEADER, JwtUtils.TOKEN_PREFIX + token);
                    jwsToken = JwtUtils.parseToken(token);
                } else throw e;
            }
            Claims tokenBody = jwsToken.getBody();

            String username = tokenBody.getSubject();
            if (!StringUtils.isEmpty(username)) {
                UserDetails userDetails = JwtUtils.getAccountByTokenBody(jwsToken);
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken.setDetails(userDetails);
                return userDetails.isEnabled() ? usernamePasswordAuthenticationToken : null;
            }
        } catch (JwtException | IllegalArgumentException e) {
            AuthenticationException ex = new BadCredentialsException(e.getLocalizedMessage(), e);
            log.warn("token:{} 无效", token, ex);
            throw ex;
        }
        return null;
    }
}

5. 在请求方法上加上权限要求

@GetMapping("/info")
@PreAuthorize("hasAnyRole('USER')") // 这里写认证权限
public Optional<Account> getInfo() {
    return JwtUtils.getCurrentAccount();
}

OK 到这里就把应用加上身份认证了,点到为止。

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注