Spring Security 接入 SpringBoot 与前后端分离实战

Spring Security 接入 SpringBoot 与前后端分离实战 | 极客日志

<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-jackson -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.12.6</version>
    <scope>runtime</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-impl -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.12.6</version>
    <scope>runtime</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.12.6</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>3.3.4</version>
</dependency>

@Configuration
@EnableWebSecurity
// 该注解启用 Spring Security 的 web 安全功能。
public class SecurityConfig {}

@Bean
public UserDetailsService userDetailsService() {
    // 创建基于内存的用户信息管理器
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser(
        // 创建 UserDetails 对象，用于管理用户名、用户密码、用户角色、用户权限等内容
        User.withDefaultPasswordEncoder()
            .username("user")
            .password("user123")
            .roles("USER")
            .build()
    );
    // 如果自己配置的有账号密码，那么上面讲的 user 和 随机字符串 的默认密码就不能用了
    return manager;
}

@Service
public class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    UserMapper userMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        QueryWrapper<User> queryWrapper = new QueryWrapper<>();
        queryWrapper.eq("username", username);
        // 这里不止可以用 username，你可以自定义，主要根据你自己写的查询逻辑
        User user = userMapper.selectOne(queryWrapper);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        return new UserDetailsImpl(user);
    }
}

@Data
@AllArgsConstructor
@NoArgsConstructor
// 这三个注解可以帮我们自动生成 get、set、有参、无参构造函数
public class UserDetailsImpl implements UserDetails {
    private User user;

    // 通过有参构造函数填充赋值的
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return List.of();
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        // 检查账户是否 没过期。
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        // 检查账户是否 没有被锁定。
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        //检查凭据（密码）是否 没过期。
        return true;
    }

    @Override
    public boolean isEnabled() {
        // 检查账户是否启用。
        return true;
    }

    // 这个方法是 @Data 注解 会自动帮我们生成，用来获取 loadUserByUsername 中最后我们返回的创建 UserDetailsImpl 对象时传入的 User。
    // 如果你的字段包含 username 和 password 的话可以用强制类型转换，把 UserDetailsImpl 转换成 User。如果不能强制类型转换的话就需要用到这个方法了
    public User getUser() {
        return user;
    }
}

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // 开启授权保护。
        .authorizeHttpRequests(authorize -> authorize
            // 不需要认证的地址有哪些。
            .requestMatchers("/blog/**", "/public/**", "/about").permitAll()
            // ** 通配符
            // 对所有请求开启授权保护。
            .anyRequest().authenticated())
        // 使用默认的登陆登出页面进行授权登陆。
        .formLogin(Customizer.withDefaults())
        // 启用'记住我'功能的。允许用户在关闭浏览器后，仍然保持登录状态，直到他们主动注销或超出设定的过期时间。
        .rememberMe(Customizer.withDefaults());
    // 关闭 csrf CSRF（跨站请求伪造）是一种网络攻击，攻击者通过欺骗已登录用户，诱使他们在不知情的情况下向受信任的网站发送请求。
    http.csrf(csrf -> csrf.disable());
    return http.build();
}

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(CsrfConfigurer::disable)
            // 基于 token，不需要 csrf。
            .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // 基于 token，不需要 session。
            .authorizeHttpRequests((authz) -> authz
                .requestMatchers("/login/", "/getPicCheckCode").permitAll()
                // 放行 api。
                .requestMatchers(HttpMethod.OPTIONS).permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

@Configuration
public class SecurityConfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        // 也可用有参构造，取值范围是 4 到 31，默认值为 10。数值越大，加密计算越复杂
        return new BCryptPasswordEncoder();
    }
}

@Autowired
private PasswordEncoder passwordEncoder;

public void registerUser(String username, String rawPassword) {
    String encryptedPassword = passwordEncoder.encode(rawPassword);
    // 保存用户信息到数据库，包括加密后的密码
}

public boolean login(String username, String rawPassword) {
    // 从数据库中获取用户信息，包括加密后的密码
    String storedEncryptedPassword = // 从数据库获取;
    return passwordEncoder.matches(rawPassword, storedEncryptedPassword);
}

fetch('/api/protected-endpoint', {
    method: 'GET',
    headers: {
        'Authorization': `Bearer ${token}`
    }
});

import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CustomFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        // 自定义过滤逻辑，例如记录请求日志
        System.out.println("Request URI: " + request.getRequestURI());
        // 继续执行过滤链
        filterChain.doFilter(request, response);
    }
}

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class);
        // 其他配置...
        return http.build();
    }
}

@Component
public class JwtUtil {
    public static final long JWT_TTL = 60 * 60 * 1000L * 24 * 14; // 有效期 14 天
    public static final String JWT_KEY = "SDFGjhdsfalshdfHFdsjkdsfds121232131afasdfac";

    public static String getUUID() {
        return UUID.randomUUID().toString().replaceAll("-", "");
    }

    public static String createJWT(String subject) {
        JwtBuilder builder = getJwtBuilder(subject, null, getUUID());
        return builder.compact();
    }

    private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        SecretKey secretKey = generalKey();
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);
        if (ttlMillis == null) { ttlMillis = JwtUtil.JWT_TTL; }
        long expMillis = nowMillis + ttlMillis;
        Date expDate = new Date(expMillis);
        return Jwts.builder()
            .id(uuid)
            .subject(subject)
            .issuer("sg")
            .issuedAt(now)
            .signWith(secretKey)
            .expiration(expDate);
    }

    public static SecretKey generalKey() {
        byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
        return new SecretKeySpec(encodeKey, 0, encodeKey.length, "HmacSHA256");
    }

    public static Claims parseJWT(String jwt) throws Exception {
        SecretKey secretKey = generalKey();
        return Jwts.parserBuilder().setSigningKey(secretKey).build().parseClaimsJws(jwt).getBody();
    }
}

public static String getUUID() {
    return UUID.randomUUID().toString().replaceAll("-", "");
}

public static String createJWT(String subject) {
    JwtBuilder builder = getJwtBuilder(subject, null, getUUID());
    return builder.compact();
}

private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
    // ...
}

public static SecretKey generalKey() {
    byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
    return new SecretKeySpec(encodeKey, 0, encodeKey.length, "HmacSHA256");
}

public static Claims parseJWT(String jwt) throws Exception {
    SecretKey secretKey = generalKey();
    return Jwts.parserBuilder().setSigningKey(secretKey).build().parseClaimsJws(jwt).getBody();
}

import io.jsonwebtoken.Claims;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    @Autowired
    private UserMapper userMapper;

    @Override
    protected void doFilterInternal(HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) throws ServletException, IOException {
        String token = request.getHeader("Authorization");
        if (!StringUtils.hasText(token) || !token.startsWith("Bearer ")) {
            filterChain.doFilter(request, response);
            return;
        }
        token = token.substring(7);
        String userid;
        try {
            Claims claims = JwtUtil.parseJWT(token);
            userid = claims.getSubject();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        User user = userMapper.selectById(Integer.parseInt(userid));
        if (user == null) {
            throw new RuntimeException("用户名未登录");
        }
        UserDetailsImpl loginUser = new UserDetailsImpl(user);
        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, null);
        // 如果是有效的 jwt，那么设置该用户为认证后的用户
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        filterChain.doFilter(request, response);
    }
}

@Autowired
private UserMapper userMapper;

String token = request.getHeader("Authorization");
if (!StringUtils.hasText(token) || !token.startsWith("Bearer ")) {
    filterChain.doFilter(request, response);
    return;
}

token = token.substring(7); // 去掉 "Bearer " 前缀
String userid;
try {
    Claims claims = JwtUtil.parseJWT(token);
    userid = claims.getSubject();
} catch (Exception e) {
    throw new RuntimeException(e);
}

User user = userMapper.selectById(Integer.parseInt(userid));
if (user == null) {
    throw new RuntimeException("用户名未登录");
}

UserDetailsImpl loginUser = new UserDetailsImpl(user);
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, null);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);

filterChain.doFilter(request, response);

http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);

@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
    return authConfig.getAuthenticationManager();
}

@Autowired
private AuthenticationManager authenticationManager;

UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
// 从数据库中对比查找，如果找到了会返回一个带有认证的封装后的用户，否则会报错，自动处理。（这里我们假设我们配置的 security 是基于数据库查找的）
Authentication authenticate = authenticationManager.authenticate(authenticationToken);
// 获取认证后的用户
User user = (User) authenticate.getPrincipal();
// 如果强制类型转换报错的话，可以用我们实现的 `UserDetailsImpl` 类中的 getUser 方法了
String jwt = JwtUtil.createJWT(user.getId().toString());

// SecurityContextHolder 是一个存储安全上下文的工具类，提供了一个全局访问点，用于获取当前请求的安全上下文。
// SecurityContext 是当前线程的安全上下文，包含了当前用户的认证信息（即 Authentication 对象）。
SecurityContext context = SecurityContextHolder.getContext();
Authentication authentication = context.getAuthentication();
User user = (User) authenticate.getPrincipal();
// 另一种获取 User 的方法
UsernamePasswordAuthenticationToken authenticationToken = (UsernamePasswordAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
UserDetailsImpl loginUser = (UserDetailsImpl) authenticationToken.getPrincipal();
User user = userDetails.getUser();

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN") // 只有 ADMIN 角色可以访问。
        .antMatchers("/user/**").hasAnyRole("USER", "ADMIN") // USER 和 ADMIN 角色可以访问。
        .anyRequest().authenticated(); // 其他请求需要认证
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/edit/**").hasAuthority("EDIT_PRIVILEGE") // 仅具有 EDIT_PRIVILEGE 权限的用户可以访问。
        .anyRequest().authenticated();
}

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    }
}

http.formLogin(form -> form.successHandler(new MyAuthenticationSuccessHandler()));

public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
    }
}

http.formLogin(form -> form.failureHandler(new MyAuthenticationFailureHandler()));

public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    }
}

http.logout(logout -> {
    logout.logoutSuccessHandler(new MyLogoutSuccessHandler());
});

// 重写 AuthenticationEntryPoint 接口
public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
    }
}

http.exceptionHandling(exception -> {
    exception.authenticationEntryPoint(new MyAuthenticationEntryPoint());
});

// 重写 SessionInformationExpiredStrategy 接口
public class MySessionInformationExpiredStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
    }
}

http.sessionManagement(session -> {
    session.maximumSessions(1).expiredSessionStrategy(new MySessionInformationExpiredStrategy());
});

// 重写 AccessDeniedHandler 接口
public class MyAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
    }
}

http.exceptionHandling(exception -> {
    exception.accessDeniedHandler(new MyAccessDeniedHandler());
});

Spring Security 接入 SpringBoot 与前后端分离实战

Spring Security 超详细使用教程

核心概念

1. 准备工作

1.1 引入依赖

1.1.1 JWT 相关依赖

1.1.2 Spring Security 依赖

1.2 用户认证的配置

基于内存的用户认证

基于数据库的用户认证

1.3 基本的配置

1.4 常用配置

2. 加密

1. 密码加密的重要性

2. Spring Security 的加密机制

2.1 PasswordEncoder 接口

2.2 BCrypt 算法

3. 使用 PasswordEncoder

3.1 配置 PasswordEncoder

3.2 加密密码

3.3 验证密码

3. 前后端分离

1. 用户认证流程

1.1 用户登录

2. 使用 JWT 进行用户认证

2.1 前端存储 JWT

2.2 发送受保护请求

2.3 后端解析 JWT

3. 退出登录

4. 保护敏感信息

4. 实现 JWT

4.1 OncePerRequestFilter

4.2 生成 JWT

1. 类注解与常量

2. UUID 生成

3. 创建 JWT

4. JWT 构建器

5. 生成密钥

6. 解析 JWT

4.3 应用 JWT

1. 类注解与继承

2. 依赖注入

3. 获取 JWT

4. 解析 JWT

5. 查询用户信息

6. 设置安全上下文

4. 继续过滤链

4.4 注册自定义的 JwtAuthenticationTokenFilter 过滤器

5. 常用操作

5.1 配置 AuthenticationManager

5.2 验证当前用户

5.3 获取当前用户的认证信息

5.4 对比 authenticationManager 和 SecurityContext 获取 Authentication

5.5 Authentication 接口

6. 授权

1. 授权的基本概念

2. 授权的主要组成部分

2.1 权限与角色

2.2 GrantedAuthority 接口

3. 授权方式

3.1 基于角色的授权

3.2 基于权限的授权

4. 自定义授权逻辑

4.1 AccessDecisionVoter

4.2 AccessDecisionManager

7. 其他自定义行为

1. AuthenticationSuccessHandler

2. AuthenticationFailureHandler

3. LogoutSuccessHandler

4. AuthenticationEntryPoint

5. SessionInformationExpiredStrategy

6. AccessDeniedHandler

微信扫一扫，关注极客日志

更多推荐文章

相关免费在线工具

4.4 注册自定义的 `JwtAuthenticationTokenFilter` 过滤器

5.4 对比 `authenticationManager` 和 `SecurityContext` 获取 `Authentication`