单点登录SSO解决方案之SpringSecurity+JWT实现

单点登录SSO解决方案之SpringSecurity+JWT实现  通过前面几天文章我们详细的介绍了SpringSecurity的使用,本文我们来看下,结合JWT来实现单点登录操作。一、什么是单点登陆  单点登录(SingleSignOn),简称为SSO,是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统二、简单的运行机制  单点登录的机制其实是比较简单的,用一个现实中的…

大家好,又见面了,我是你们的朋友全栈君。

  通过前面几天文章我们详细的介绍了SpringSecurity的使用,本文我们来看下,结合JWT来实现单点登录操作。

一、什么是单点登陆

  单点登录(Single Sign On),简称为 SSO,是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统

二、简单的运行机制

  单点登录的机制其实是比较简单的,用一个现实中的例子做比较。某公园内部有许多独立的景点,游客可以在各个景点门口单独买票。对于需要游玩所有的景点的游客,这种买票方式很不方便,需要在每个景点门口排队买票,钱包拿 进拿出的,容易丢失,很不安全。于是绝大多数游客选择在大门口买一张通票(也叫套票),就可以玩遍所有的景点而不需要重新再买票。他们只需要在每个景点门 口出示一下刚才买的套票就能够被允许进入每个独立的景点。
单点登录的机制也一样,如下图所示,

在这里插入图片描述

用户认证:这一环节主要是用户向认证服务器发起认证请求,认证服务器给用户返回一个成功的令牌token,主要在认证服务器中完成,即图中的认证系统,注意认证系统只能有一个。
身份校验:这一环节是用户携带token去访问其他服务器时,在其他服务器中要对token的真伪进行检验,主要在资源服务器中完成,即图中的应用系统2 3

三、JWT介绍

概念说明

  从分布式认证流程中,我们不难发现,这中间起最关键作用的就是token,token的安全与否,直接关系到系统的健壮性,这里我们选择使用JWT来实现token的生成和校验。
  JWT,全称JSON Web Token,官网地址https://jwt.io,是一款出色的分布式身份校验方案。可以生成token,也可以解析检验token。

JWT生成的token由三部分组成:

头部:主要设置一些规范信息,签名部分的编码格式就在头部中声明。
载荷:token中存放有效信息的部分,比如用户名,用户角色,过期时间等,但是不要放密码,会泄露!
签名:将头部与载荷分别采用base64编码后,用“.”相连,再加入盐,最后使用头部声明的编码类型进行编码,就得到了签名。

JWT生成token的安全性分析

  从JWT生成的token组成上来看,要想避免token被伪造,主要就得看签名部分了,而签名部分又有三部分组成,其中头部和载荷的base64编码,几乎是透明的,毫无安全性可言,那么最终守护token安全的重担就落在了加入的上面了!试想:如果生成token所用的盐与解析token时加入的盐是一样的。岂不是类似于中国人民银行把人民币防伪技术公开了?大家可以用这个盐来解析token,就能用来伪造token。这时,我们就需要对盐采用非对称加密的方式进行加密,以达到生成token与校验token方所用的盐不一致的安全效果!

非对称加密RSA介绍

基本原理:同时生成两把密钥:私钥和公钥,私钥隐秘保存,公钥可以下发给信任客户端
私钥加密,持有私钥或公钥才可以解密
公钥加密,持有私钥才可解密
优点:安全,难以破解
缺点:算法比较耗时,为了安全,可以接受
历史:三位数学家Rivest、Shamir 和 Adleman 设计了一种算法,可以实现非对称加密。这种算法用他们三个人的名字缩写:RSA。

四、SpringSecurity整合JWT

1.认证思路分析

  SpringSecurity主要是通过过滤器来实现功能的!我们要找到SpringSecurity实现认证和校验身份的过滤器!

回顾集中式认证流程

用户认证
  使用UsernamePasswordAuthenticationFilter过滤器中attemptAuthentication方法实现认证功能,该过滤器父类中successfulAuthentication方法实现认证成功后的操作。
身份校验
  使用BasicAuthenticationFilter过滤器中doFilterInternal方法验证是否登录,以决定能否进入后续过滤器。

分析分布式认证流程

用户认证
  由于分布式项目,多数是前后端分离的架构设计,我们要满足可以接受异步post的认证请求参数,需要修改UsernamePasswordAuthenticationFilter过滤器中attemptAuthentication方法,让其能够接收请求体。
  另外,默认successfulAuthentication方法在认证通过后,是把用户信息直接放入session就完事了,现在我们需要修改这个方法,在认证通过后生成token并返回给用户。
身份校验
  原来BasicAuthenticationFilter过滤器中doFilterInternal方法校验用户是否登录,就是看session中是否有用户信息,我们要修改为,验证用户携带的token是否合法,并解析出用户信息,交给SpringSecurity,以便于后续的授权功能可以正常使用。

2.具体实现

  为了演示单点登录的效果,我们设计如下项目结构
在这里插入图片描述

2.1父工程创建

  因为本案例需要创建多个系统,所以我们使用maven聚合工程来实现,首先创建一个父工程,导入springboot的父依赖即可

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.3.RELEASE</version>
    <relativePath/>
</parent>

2.2公共工程创建

  然后创建一个common工程,其他工程依赖此系统
在这里插入图片描述
导入JWT相关的依赖

<dependencies>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.10.7</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.10.7</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.7</version>
<scope>runtime</scope>
</dependency>
<!--jackson包-->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.9</version>
</dependency>
<!--日志包-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
</dependencies>

创建相关的工具类
在这里插入图片描述

Payload

/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 10:28 */
@Data
public class Payload <T>{ 

private String id;
private T userInfo;
private Date expiration;
}

JsonUtils

package com.dpb.utils;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.List;
import java.util.Map;
/** * @author: 波波烤鸭 **/
public class JsonUtils { 

public static final ObjectMapper mapper = new ObjectMapper();
private static final Logger logger = LoggerFactory.getLogger(JsonUtils.class);
public static String toString(Object obj) { 

if (obj == null) { 

return null;
}
if (obj.getClass() == String.class) { 

return (String) obj;
}
try { 

return mapper.writeValueAsString(obj);
} catch (JsonProcessingException e) { 

logger.error("json序列化出错:" + obj, e);
return null;
}
}
public static <T> T toBean(String json, Class<T> tClass) { 

try { 

return mapper.readValue(json, tClass);
} catch (IOException e) { 

logger.error("json解析出错:" + json, e);
return null;
}
}
public static <E> List<E> toList(String json, Class<E> eClass) { 

try { 

return mapper.readValue(json, mapper.getTypeFactory().constructCollectionType(List.class, eClass));
} catch (IOException e) { 

logger.error("json解析出错:" + json, e);
return null;
}
}
public static <K, V> Map<K, V> toMap(String json, Class<K> kClass, Class<V> vClass) { 

try { 

return mapper.readValue(json, mapper.getTypeFactory().constructMapType(Map.class, kClass, vClass));
} catch (IOException e) { 

logger.error("json解析出错:" + json, e);
return null;
}
}
public static <T> T nativeRead(String json, TypeReference<T> type) { 

try { 

return mapper.readValue(json, type);
} catch (IOException e) { 

logger.error("json解析出错:" + json, e);
return null;
}
}
}

JwtUtils

package com.dpb.utils;
import com.dpb.domain.Payload;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.joda.time.DateTime;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.UUID;
/** * @author: 波波烤鸭 * 生成token以及校验token相关方法 */
public class JwtUtils { 

private static final String JWT_PAYLOAD_USER_KEY = "user";
/** * 私钥加密token * * @param userInfo 载荷中的数据 * @param privateKey 私钥 * @param expire 过期时间,单位分钟 * @return JWT */
public static String generateTokenExpireInMinutes(Object userInfo, PrivateKey privateKey, int expire) { 

return Jwts.builder()
.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
.setId(createJTI())
.setExpiration(DateTime.now().plusMinutes(expire).toDate())
.signWith(privateKey, SignatureAlgorithm.RS256)
.compact();
}
/** * 私钥加密token * * @param userInfo 载荷中的数据 * @param privateKey 私钥 * @param expire 过期时间,单位秒 * @return JWT */
public static String generateTokenExpireInSeconds(Object userInfo, PrivateKey privateKey, int expire) { 

return Jwts.builder()
.claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
.setId(createJTI())
.setExpiration(DateTime.now().plusSeconds(expire).toDate())
.signWith(privateKey, SignatureAlgorithm.RS256)
.compact();
}
/** * 公钥解析token * * @param token 用户请求中的token * @param publicKey 公钥 * @return Jws<Claims> */
private static Jws<Claims> parserToken(String token, PublicKey publicKey) { 

return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
}
private static String createJTI() { 

return new String(Base64.getEncoder().encode(UUID.randomUUID().toString().getBytes()));
}
/** * 获取token中的用户信息 * * @param token 用户请求中的令牌 * @param publicKey 公钥 * @return 用户信息 */
public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey, Class<T> userType) { 

Jws<Claims> claimsJws = parserToken(token, publicKey);
Claims body = claimsJws.getBody();
Payload<T> claims = new Payload<>();
claims.setId(body.getId());
claims.setUserInfo(JsonUtils.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString(), userType));
claims.setExpiration(body.getExpiration());
return claims;
}
/** * 获取token中的载荷信息 * * @param token 用户请求中的令牌 * @param publicKey 公钥 * @return 用户信息 */
public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey) { 

Jws<Claims> claimsJws = parserToken(token, publicKey);
Claims body = claimsJws.getBody();
Payload<T> claims = new Payload<>();
claims.setId(body.getId());
claims.setExpiration(body.getExpiration());
return claims;
}
}

RsaUtils

package com.dpb.utils;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
/** * @author 波波烤鸭 */
public class RsaUtils { 

private static final int DEFAULT_KEY_SIZE = 2048;
/** * 从文件中读取公钥 * * @param filename 公钥保存路径,相对于classpath * @return 公钥对象 * @throws Exception */
public static PublicKey getPublicKey(String filename) throws Exception { 

byte[] bytes = readFile(filename);
return getPublicKey(bytes);
}
/** * 从文件中读取密钥 * * @param filename 私钥保存路径,相对于classpath * @return 私钥对象 * @throws Exception */
public static PrivateKey getPrivateKey(String filename) throws Exception { 

byte[] bytes = readFile(filename);
return getPrivateKey(bytes);
}
/** * 获取公钥 * * @param bytes 公钥的字节形式 * @return * @throws Exception */
private static PublicKey getPublicKey(byte[] bytes) throws Exception { 

bytes = Base64.getDecoder().decode(bytes);
X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePublic(spec);
}
/** * 获取密钥 * * @param bytes 私钥的字节形式 * @return * @throws Exception */
private static PrivateKey getPrivateKey(byte[] bytes) throws NoSuchAlgorithmException, InvalidKeySpecException { 

bytes = Base64.getDecoder().decode(bytes);
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(spec);
}
/** * 根据密文,生存rsa公钥和私钥,并写入指定文件 * * @param publicKeyFilename 公钥文件路径 * @param privateKeyFilename 私钥文件路径 * @param secret 生成密钥的密文 */
public static void generateKey(String publicKeyFilename, String privateKeyFilename, String secret, int keySize) throws Exception { 

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
SecureRandom secureRandom = new SecureRandom(secret.getBytes());
keyPairGenerator.initialize(Math.max(keySize, DEFAULT_KEY_SIZE), secureRandom);
KeyPair keyPair = keyPairGenerator.genKeyPair();
// 获取公钥并写出
byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
publicKeyBytes = Base64.getEncoder().encode(publicKeyBytes);
writeFile(publicKeyFilename, publicKeyBytes);
// 获取私钥并写出
byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
privateKeyBytes = Base64.getEncoder().encode(privateKeyBytes);
writeFile(privateKeyFilename, privateKeyBytes);
}
private static byte[] readFile(String fileName) throws Exception { 

return Files.readAllBytes(new File(fileName).toPath());
}
private static void writeFile(String destPath, byte[] bytes) throws IOException { 

File dest = new File(destPath);
if (!dest.exists()) { 

dest.createNewFile();
}
Files.write(dest.toPath(), bytes);
}
}

在通用子模块中编写测试类生成rsa公钥和私钥

/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:08 */
public class JwtTest { 

private String privateKey = "c:/tools/auth_key/id_key_rsa";
private String publicKey = "c:/tools/auth_key/id_key_rsa.pub";
@Test
public void test1() throws Exception{ 

RsaUtils.generateKey(publicKey,privateKey,"dpb",1024);
}
}

在这里插入图片描述

2.3认证系统创建

  接下来我们创建我们的认证服务。
在这里插入图片描述

导入相关的依赖

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<artifactId>security-jwt-common</artifactId>
<groupId>com.dpb</groupId>
<version>1.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.47</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
</dependencies>

创建配置文件

spring:
datasource:
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://localhost:3306/srm
username: root
password: 123456
type: com.alibaba.druid.pool.DruidDataSource
mybatis:
type-aliases-package: com.dpb.domain
mapper-locations: classpath:mapper/*.xml
logging:
level:
com.dpb: debug
rsa:
key:
pubKeyFile: c:\tools\auth_key\id_key_rsa.pub
priKeyFile: c:\tools\auth_key\id_key_rsa

在这里插入图片描述

提供公钥私钥的配置类

package com.dpb.config;
import com.dpb.utils.RsaUtils;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import javax.annotation.PostConstruct;
import java.security.PrivateKey;
import java.security.PublicKey;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:25 */
@Data
@ConfigurationProperties(prefix = "rsa.key")
public class RsaKeyProperties { 

private String pubKeyFile;
private String priKeyFile;
private PublicKey publicKey;
private PrivateKey privateKey;
/** * 系统启动的时候触发 * @throws Exception */
@PostConstruct
public void createRsaKey() throws Exception { 

publicKey = RsaUtils.getPublicKey(pubKeyFile);
privateKey = RsaUtils.getPrivateKey(priKeyFile);
}
}

创建启动类

/** * @program: springboot-54-security-jwt-demo * @description: 启动类 * @author: 波波烤鸭 * @create: 2019-12-03 11:23 */
@SpringBootApplication
@MapperScan("com.dpb.mapper")
@EnableConfigurationProperties(RsaKeyProperties.class)
public class App { 

public static void main(String[] args) { 

SpringApplication.run(App.class,args);
}
}

完成数据认证的逻辑

pojo

package com.dpb.domain;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 15:21 */
@Data
public class RolePojo implements GrantedAuthority { 

private Integer id;
private String roleName;
private String roleDesc;
@JsonIgnore
@Override
public String getAuthority() { 

return roleName;
}
}
package com.dpb.domain;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:33 */
@Data
public class UserPojo implements UserDetails { 

private Integer id;
private String username;
private String password;
private Integer status;
private List<RolePojo> roles;
@JsonIgnore
@Override
public Collection<? extends GrantedAuthority> getAuthorities() { 

List<SimpleGrantedAuthority> auth = new ArrayList<>();
auth.add(new SimpleGrantedAuthority("ADMIN"));
return auth;
}
@Override
public String getPassword() { 

return this.password;
}
@Override
public String getUsername() { 

return this.username;
}
@JsonIgnore
@Override
public boolean isAccountNonExpired() { 

return true;
}
@JsonIgnore
@Override
public boolean isAccountNonLocked() { 

return true;
}
@JsonIgnore
@Override
public boolean isCredentialsNonExpired() { 

return true;
}
@JsonIgnore
@Override
public boolean isEnabled() { 

return true;
}
}

Mapper接口

public interface UserMapper { 

public UserPojo queryByUserName(@Param("userName") String userName);
}

Mapper映射文件

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.dpb.mapper.UserMapper">
<select id="queryByUserName" resultType="UserPojo">
select * from t_user where username = #{userName}
</select>
</mapper>

Service

public interface UserService extends UserDetailsService { 

}
@Service
@Transactional
public class UserServiceImpl implements UserService { 

@Autowired
private UserMapper mapper;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { 

UserPojo user = mapper.queryByUserName(s);
return user;
}
}

自定义认证过滤器

package com.dpb.filter;
import com.dpb.config.RsaKeyProperties;
import com.dpb.domain.RolePojo;
import com.dpb.domain.UserPojo;
import com.dpb.utils.JwtUtils;
import com.fasterxml.jackson.databind.ObjectMapper;
import net.bytebuddy.agent.builder.AgentBuilder;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:57 */
public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter { 

private AuthenticationManager authenticationManager;
private RsaKeyProperties prop;
public TokenLoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) { 

this.authenticationManager = authenticationManager;
this.prop = prop;
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { 

try { 

UserPojo sysUser = new ObjectMapper().readValue(request.getInputStream(), UserPojo.class);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword());
return authenticationManager.authenticate(authRequest);
}catch (Exception e){ 

try { 

response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter out = response.getWriter();
Map resultMap = new HashMap();
resultMap.put("code", HttpServletResponse.SC_UNAUTHORIZED);
resultMap.put("msg", "用户名或密码错误!");
out.write(new ObjectMapper().writeValueAsString(resultMap));
out.flush();
out.close();
}catch (Exception outEx){ 

outEx.printStackTrace();
}
throw new RuntimeException(e);
}
}
public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException { 

UserPojo user = new UserPojo();
user.setUsername(authResult.getName());
user.setRoles((List<RolePojo>)authResult.getAuthorities());
String token = JwtUtils.generateTokenExpireInMinutes(user, prop.getPrivateKey(), 24 * 60);
response.addHeader("Authorization", "Bearer "+token);
try { 

response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = response.getWriter();
Map resultMap = new HashMap();
resultMap.put("code", HttpServletResponse.SC_OK);
resultMap.put("msg", "认证通过!");
out.write(new ObjectMapper().writeValueAsString(resultMap));
out.flush();
out.close();
}catch (Exception outEx){ 

outEx.printStackTrace();
}
}
}

自定义校验token的过滤器

package com.dpb.filter;
import com.dpb.config.RsaKeyProperties;
import com.dpb.domain.Payload;
import com.dpb.domain.UserPojo;
import com.dpb.utils.JwtUtils;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 12:39 */
public class TokenVerifyFilter  extends BasicAuthenticationFilter { 

private RsaKeyProperties prop;
public TokenVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) { 

super(authenticationManager);
this.prop = prop;
}
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { 

String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Bearer ")) { 

//如果携带错误的token,则给用户提示请登录!
chain.doFilter(request, response);
response.setContentType("application/json;charset=utf-8");
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
PrintWriter out = response.getWriter();
Map resultMap = new HashMap();
resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
resultMap.put("msg", "请登录!");
out.write(new ObjectMapper().writeValueAsString(resultMap));
out.flush();
out.close();
} else { 

//如果携带了正确格式的token要先得到token
String token = header.replace("Bearer ", "");
//验证tken是否正确
Payload<UserPojo> payload = JwtUtils.getInfoFromToken(token, prop.getPublicKey(), UserPojo.class);
UserPojo user = payload.getUserInfo();
if(user!=null){ 

UsernamePasswordAuthenticationToken authResult = new UsernamePasswordAuthenticationToken(user.getUsername(), null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authResult);
chain.doFilter(request, response);
}
}
}
}

###编写SpringSecurity的配置类

package com.dpb.config;
import com.dpb.filter.TokenLoginFilter;
import com.dpb.filter.TokenVerifyFilter;
import com.dpb.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 12:41 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
public class WebSecurityConfig   extends WebSecurityConfigurerAdapter { 

@Autowired
private UserService userService;
@Autowired
private RsaKeyProperties prop;
@Bean
public BCryptPasswordEncoder passwordEncoder(){ 

return new BCryptPasswordEncoder();
}
//指定认证对象的来源
public void configure(AuthenticationManagerBuilder auth) throws Exception { 

auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
//SpringSecurity配置信息
public void configure(HttpSecurity http) throws Exception { 

http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/user/query").hasAnyRole("ADMIN")
.anyRequest()
.authenticated()
.and()
.addFilter(new TokenLoginFilter(super.authenticationManager(), prop))
.addFilter(new TokenVerifyFilter(super.authenticationManager(), prop))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}

启动服务测试

启动服务
在这里插入图片描述

通过Postman来访问测试
在这里插入图片描述

在这里插入图片描述

根据token信息我们访问其他资源

在这里插入图片描述

2.4资源系统创建

说明
资源服务可以有很多个,这里只拿产品服务为例,记住,资源服务中只能通过公钥验证认证。不能签发token!创建产品服务并导入jar包根据实际业务导包即可,咱们就暂时和认证服务一样了。

接下来我们再创建一个资源服务
在这里插入图片描述

导入相关的依赖

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<artifactId>security-jwt-common</artifactId>
<groupId>com.dpb</groupId>
<version>1.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.47</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
</dependencies>

编写产品服务配置文件

切记这里只能有公钥地址!

server:
port: 9002
spring:
datasource:
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://localhost:3306/srm
username: root
password: 123456
type: com.alibaba.druid.pool.DruidDataSource
mybatis:
type-aliases-package: com.dpb.domain
mapper-locations: classpath:mapper/*.xml
logging:
level:
com.dpb: debug
rsa:
key:
pubKeyFile: c:\tools\auth_key\id_key_rsa.pub

编写读取公钥的配置类

package com.dpb.config;
import com.dpb.utils.RsaUtils;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import javax.annotation.PostConstruct;
import java.security.PrivateKey;
import java.security.PublicKey;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:25 */
@Data
@ConfigurationProperties(prefix = "rsa.key")
public class RsaKeyProperties { 

private String pubKeyFile;
private PublicKey publicKey;
/** * 系统启动的时候触发 * @throws Exception */
@PostConstruct
public void createRsaKey() throws Exception { 

publicKey = RsaUtils.getPublicKey(pubKeyFile);
}
}

编写启动类

package com.dpb;
import com.dpb.config.RsaKeyProperties;
import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 17:23 */
@SpringBootApplication
@MapperScan("com.dpb.mapper")
@EnableConfigurationProperties(RsaKeyProperties.class)
public class App { 

public static void main(String[] args) { 

SpringApplication.run(App.class,args);
}
}

复制认证服务中,用户对象,角色对象和校验认证的接口

复制认证服务中的相关内容即可

复制认证服务中SpringSecurity配置类做修改

package com.dpb.config;
import com.dpb.filter.TokenVerifyFilter;
import com.dpb.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 12:41 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
public class WebSecurityConfig   extends WebSecurityConfigurerAdapter { 

@Autowired
private UserService userService;
@Autowired
private RsaKeyProperties prop;
@Bean
public BCryptPasswordEncoder passwordEncoder(){ 

return new BCryptPasswordEncoder();
}
//指定认证对象的来源
public void configure(AuthenticationManagerBuilder auth) throws Exception { 

auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
//SpringSecurity配置信息
public void configure(HttpSecurity http) throws Exception { 

http.csrf()
.disable()
.authorizeRequests()
//.antMatchers("/user/query").hasAnyRole("USER")
.anyRequest()
.authenticated()
.and()
.addFilter(new TokenVerifyFilter(super.authenticationManager(), prop))
// 禁用掉session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}

去掉“增加自定义认证过滤器”即可!

编写产品处理器

package com.dpb.controller;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/** * @program: springboot-54-security-jwt-demo * @description: * @author: 波波烤鸭 * @create: 2019-12-03 11:55 */
@RestController
@RequestMapping("/user")
public class UserController { 

@RequestMapping("/query")
public String query(){ 

return "success";
}
@RequestMapping("/update")
public String update(){ 

return "update";
}
}

测试

在这里插入图片描述

搞定~

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员-用户IM,转载请注明出处:https://javaforall.cn/143498.html原文链接:https://javaforall.cn

【正版授权,激活自己账号】: Jetbrains全家桶Ide使用,1年售后保障,每天仅需1毛

【官方授权 正版激活】: 官方授权 正版激活 支持Jetbrains家族下所有IDE 使用个人JB账号...

(0)
blank

相关推荐

  • odrive教程(处理器2O11接口)

    输入接口在开发自定义ODrive控制代码时,建议您的电动机可以自由连续旋转,并且不与行程有限的传动系统连接ODrive可以通过各种端口和协议进行控制。如果您对嵌入式熟悉的话也可以直接在ODrive上运行自定义代码。请参考ODrive固件开发指南。文章目录输入接口引脚说明引脚功能优先级模拟输入霍尔信号反馈引脚native协议Python其它编程语言ASCII协议ArduinoStep/…

  • 空间尺度分析图_尺度空间理论

    空间尺度分析图_尺度空间理论SIFT简介整理一下方便阅读,作者写的东西摘自论文,在此感谢xiaowei等的贡献DoG尺度空间构造(Scale-spaceextremadetection)http://blog.csdn.net/xiaowei_cqu/article/details/8067881 关键点搜索与定位(Keypointlocalization)http://blog.csdn.net/xi…

    2022年10月14日
  • WebView中的视频全屏的相关操作

    WebView中的视频全屏的相关操作

    2021年11月30日
  • 开启QQ登录保护仍被盗号——QQ安全机制全面分析[通俗易懂]

    开启QQ登录保护仍被盗号——QQ安全机制全面分析[通俗易懂]1、前言周围总是有些同学QQ被盗号,攻击者盗取账号后会继续去欺骗列表里的好友,形成链式反应。危害比较大。腾讯QQ安全中心提供了登录保护机制,如图:  这是腾讯为QQ添加第二层保护,在开启登录保护后,盗号者偷走密码的情况下QQ仍然安全。即使你的账号密码不小心泄露了,盗号者仍旧无法登录你的QQ。  但是,有位同学在开启QQ登录保护的情况下依然被盗号者登录成功了。QQ登录保护的安全机制:当我们开启了“登录保护”,盗号者登录QQ输入正确的密码,即使更换IP骗过了安全检测系统,会发现仍然需要

  • mybatis二级缓存问题_mybatis清空二级缓存

    mybatis二级缓存问题_mybatis清空二级缓存转载:https://www.cnblogs.com/xrq730/p/6991655.html

  • HTML5移动开发的10大移动APP开发框架

    HTML5移动开发的10大移动APP开发框架今天给大家介绍10款有关HTML5移动开发APP开发框架,这几款框架都是比较优秀的移动Web开发框架,能够帮助开发者更加高效的开发移动Web应用。.  十款移动APP开发框架:1.jquerymobile框架2.bootstrap框架3.ionic框架4.MobileAngularUI框架5.IntelXDK框架6.AppceleratorTitanium框架7.Senc

发表回复

您的电子邮箱地址不会被公开。

关注全栈程序员社区公众号