首页 > 其他分享 >Spring Security基于token的极简示例

Spring Security基于token的极简示例

时间:2024-08-30 17:21:34浏览次数:14  
标签:示例 Spring springframework public import org Security new security

1 引言

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架,但是用起来有点复杂,为了便于学习理解,下面将用最简洁的配置和示例,展示整个流程。

2 代码

创建一个spring-security-demo的项目,总共包含5个文件
在这里插入图片描述

2.1 pom.xml

引入spring-boot-starter-security

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>spring-security-demo</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <!--  为Spring Boot项目提供一系列默认的配置和依赖管理-->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.3.2</version>
        <relativePath/>
    </parent>

    <dependencies>
        <!--  Spring Boot核心依赖-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <!-- Spring Boot单元测试和集成测试的依赖-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <!-- Spring Boot构建Web应用程序的依赖-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

    </dependencies>

</project>

2.2 application.properties

保持空白即可

2.3 org/example/Main.java

启动类

package org.example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Main {

    public static void main(String[] args) {
        SpringApplication.run(Main.class, args);
    }

}

2.4 org/example/controller/UserController.java

测试类,注意@PreAuthorize注解,用于标记每个接口的权限标识

package org.example.controller;

import org.example.conf.SecurityConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import java.util.*;


@Controller
@RequestMapping("/user")
public class UserController {

    @Autowired
    private AuthenticationManager authenticationManager;

    private Map<String, Object> returnOk(String obj) {
        Map<String, Object> map = new HashMap<>();
        map.put("code", HttpStatus.OK.value());
        map.put("msg", "ok");
        map.put("data", obj);
        return map;
    }

    private Map<String, Object> returnError(String msg) {
        Map<String, Object> map = new HashMap<>();
        map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
        map.put("msg", msg);
        return map;
    }


    @PreAuthorize("hasAuthority('user:hello')")
    @RequestMapping("/hello")
    @ResponseBody
    public Object hello() {
        System.out.println("hello");
        return returnOk("hello");
    }

    @PreAuthorize("hasAuthority('user:hello1')")
    @RequestMapping("/hello1")
    @ResponseBody
    public Object hello1() {
        System.out.println("hello1");
        return returnOk("hello1");
    }


    @PostMapping("/login")
    @ResponseBody
    public Object login(@RequestBody Map<String, String> param) {
        String username = param.get("username");
        String password = param.get("password");
        //调用Spring Security的loadUserByUsername方法获取用户信息
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
        Authentication authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
        if (authenticate == null) {
            return returnError("用户不存在");
        } else {
            UserDetails userDetails = (UserDetails) authenticate.getPrincipal();
            //验证密码
            BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
            if (!passwordEncoder.matches(password, userDetails.getPassword())) {
                return returnError("账号密码错误");
            }
            // 生成token
            String token = UUID.randomUUID().toString();
            // 存储token
            SecurityConfig.tokenMap.put(token, userDetails);
            return returnOk(token);
        }
    }

    @PostMapping("/logout")
    @ResponseBody
    public Object logout() {
        return returnOk("退出成功");
    }


}

2.5 org/example/conf/SecurityConfig.java

Spring Security配置,为了简化代码,便于查看,我将所有需要自定义的类,以内部类的方式放到里面,然后引入到filterChain方法中即可。

package org.example.conf;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.*;

/**
 * spring security配置
 */
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Configuration
public class SecurityConfig {

    /**
     * 简单模拟token存储,可以用redis代替。
     */
    public static Map<String, UserDetails> tokenMap = new HashMap<>();

    /**
     * 自定义token过滤器
     */
    public static class MyOncePerRequestFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
            String token = request.getHeader("token");
            System.out.println("url=" + request.getRequestURI() + ",token=" + token);
            UserDetails userDetails = tokenMap.get(token);
            if (null != userDetails) {
                //如果token存在,则进行spring security权限验证
                UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
            }
            chain.doFilter(request, response);
        }

    }


    /**
     * 自定义未授权访问处理逻辑
     */
    public static class AuthenticationEntryPointImpl implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
            Map<String, Object> map = new HashMap<>();
            map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
            map.put("msg", "无权限访问该资源");

            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
            response.setContentType("application/json");
            response.setCharacterEncoding("utf-8");
            response.getWriter().print(new ObjectMapper().writeValueAsString(map));
        }
    }


    /**
     * 定义退出处理逻辑
     */
    public static class LogoutSuccessHandlerImpl implements LogoutSuccessHandler {
        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            String token = request.getHeader("header");
            tokenMap.remove(token);

            Map<String, Object> map = new HashMap<>();
            map.put("code", HttpStatus.OK.value());
            map.put("msg", "退出成功");

            response.setStatus(HttpStatus.OK.value());
            response.setContentType("application/json");
            response.setCharacterEncoding("utf-8");
            response.getWriter().print(new ObjectMapper().writeValueAsString(map));
        }
    }

    /**
     * 定义身份认证处理逻辑
     */
    public static class UserDetailsServiceImpl implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // 一般情况下,从数据库查询用户信息和权限信息,TODO
            // 为了方便测试,直接模拟用户信息和权限信息。
            Set<GrantedAuthority> authorities = new HashSet<>();
            authorities.add(new SimpleGrantedAuthority("user:hello"));
            authorities.add(new SimpleGrantedAuthority("user:hello2"));
            return getUserDetails(username, new BCryptPasswordEncoder().encode("123456"), authorities);
        }

        private UserDetails getUserDetails(String username, String password, Set<GrantedAuthority> authorities) {
            return new UserDetails() {
                @Override
                public Collection<? extends GrantedAuthority> getAuthorities() {
                    return authorities;
                }

                @Override
                public String getPassword() {
                    return password;
                }

                @Override
                public String getUsername() {
                    return username;
                }

                @Override
                public boolean isAccountNonExpired() {
                    return UserDetails.super.isAccountNonExpired();
                }

                @Override
                public boolean isAccountNonLocked() {
                    return UserDetails.super.isAccountNonLocked();
                }

                @Override
                public boolean isCredentialsNonExpired() {
                    return UserDetails.super.isCredentialsNonExpired();
                }

                @Override
                public boolean isEnabled() {
                    return UserDetails.super.isEnabled();
                }
            };
        }
    }


    @Bean
    protected SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                // 不使用session,禁用CSRF
                .csrf(csrf -> csrf.disable())
                // 禁用HTTP响应标头
                .headers((headersCustomizer) -> {
                    headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin());
                })
                // 定义未授权访问处理逻辑
                .exceptionHandling(exception -> exception.authenticationEntryPoint(new AuthenticationEntryPointImpl()))
                // 不使用session
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // 记允许匿名访问的url
                .authorizeHttpRequests((requests) -> {
                    requests.requestMatchers("/user/login", "/user/register").permitAll()
                            // 除上面外的所有请求全部需要鉴权认证
                            .anyRequest().authenticated();
                })
                // 定义退出处理逻辑
                .logout(logout -> logout.logoutUrl("/user/logout").logoutSuccessHandler(new LogoutSuccessHandlerImpl()))
                // 定义token过滤器
                .addFilterBefore(new MyOncePerRequestFilter(), UsernamePasswordAuthenticationFilter.class).build();
    }

    /**
     * 身份验证实现
     */
    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(new UserDetailsServiceImpl());
        daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
        return new ProviderManager(daoAuthenticationProvider);
    }


    /**
     * 跨域配置
     */
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        // 设置访问源地址
        config.addAllowedOriginPattern("*");
        // 设置访问源请求头
        config.addAllowedHeader("*");
        // 设置访问源请求方法
        config.addAllowedMethod("*");
        // 有效期 1800秒
        config.setMaxAge(1800L);
        // 添加映射路径,拦截一切请求
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        // 返回新的CorsFilter
        return new CorsFilter(source);
    }

}

3 测试

  1. 启动项目访问http://localhost:8080/user/hello,可以看到提示"无权限访问该资源",由于未登录,请求被正常拦截。
    在这里插入图片描述
  2. post调用 http://localhost:8080/user/login进行登录操作,用户名随意,密码123456(在认证方法中自定义的)。然后可以看到返回了data即自定义的token值。
    在这里插入图片描述
    在这里插入图片描述
  3. 再次访问http://localhost:8080/user/hello,并提前将token值放到header中。可以看到成功返回,表示请求通过了权限验证。这与我们设置的权限标识刚好一致。
    在这里插入图片描述
    在这里插入图片描述在这里插入图片描述4. 用该token继续访问http://localhost:8080/user/hello1,可以看到 “无权限访问该资源”,由于我们没有赋予用户"user:hello1"的权限标识,请求被正常拦截。

在这里插入图片描述

标签:示例,Spring,springframework,public,import,org,Security,new,security
From: https://blog.csdn.net/qq_40718345/article/details/141722391

相关文章

  • 二. Spring Boot 中的 “依赖管理和自动配置” 详解透彻到底(附+详细代码流程)sh
    二.SpringBoot中的“依赖管理和自动配置”详解透彻到底(附+详细代码流程)@目录*二.SpringBoot中的“依赖管理和自动配置”详解透彻到底(附+详细代码流程)1.如何理解“约定优于配置”2.SpringBoot依赖管理和自动配置2.1SpringBoot的依赖管理2.1.1什么......
  • Spring整合mybatis源码剖析
    Spring整合mybatis源码剖析整合原理图:@MapperScan底层原理剖析主要作用:会将MapperScannerConfigurer注册到spring容器中。@Retention(RetentionPolicy.RUNTIME)@Target(ElementType.TYPE)@Documented@Import(MapperScannerRegistrar.class)//点进去@Repeatable(Mapper......
  • Spring Task
    使用方式启动类importorg.springframework.boot.SpringApplication;importorg.springframework.boot.autoconfigure.SpringBootApplication;importorg.springframework.scheduling.annotation.EnableScheduling;@SpringBootApplication@EnableSchedulingpublicclas......
  • springboot 接口接收参数的注解介绍(@RequestParam,@PathVariable,@RequestBody 等)
    springboot接收参数的注解介绍(使用方法)在SpringBoot中,接收参数的方式主要依赖于SpringMVC提供的注解。这些注解帮助你将HTTP请求中的参数绑定到控制器(Controller)方法的参数上。以下是一些常用的接收参数的注解:1.@RequestParam用法:用于将HTTP请求参数绑定到控制器的方......
  • springboot+vue安心养老一站通服务系统的设计与实现【程序+论文+开题】计算机毕业设计
    系统程序文件列表开题报告内容研究背景随着社会老龄化的加速,养老问题已成为全球性的社会挑战。传统的养老模式面临着资源分配不均、服务效率低下、信息孤岛等诸多问题,难以满足老年人日益增长的多元化、个性化需求。在此背景下,安心养老一站通服务系统的设计与实现显得尤为重......
  • springboot+vue爱心捐赠系统【程序+论文+开题】计算机毕业设计
    系统程序文件列表开题报告内容研究背景在当今社会,随着经济的快速发展与信息技术的日益普及,公益慈善事业逐渐成为连接社会爱心与需要帮助群体的重要桥梁。然而,传统的捐赠方式往往存在信息不对称、流程繁琐、透明度不足等问题,限制了公益资源的有效配置与利用。因此,构建一个高......
  • springboot+vue爱心慈善公益系统【程序+论文+开题】计算机毕业设计
    系统程序文件列表开题报告内容研究背景在当今社会,随着经济的快速发展与人民生活水平的日益提高,社会各界对于慈善公益事业的关注度与参与度也显著提升。然而,传统的慈善捐赠方式往往存在信息不对称、流程繁琐、透明度不足等问题,限制了公益资源的高效配置与利用。特别是在互联......
  • 深入解析 Spring Boot 中 MyBatis 自动配置的流程
    在SpringBoot项目中,自动配置是一个非常强大的功能,可以极大简化配置工作。本文将通过MyBatis的自动配置为例,详细解析SpringBoot自动配置的整个流程,包括从META-INF/spring.factories文件到mysql-connector-java依赖的引入,帮助大家更好地理解SpringBoot的自动配......
  • SpringBoot原理
    目录一、配置优先级二、Bean管理1.获取Bean(1)三种方式(2)获取示例 2.Bean作用域 3.第三方Bean 三、SpringBoot原理1.起步依赖2.自动配置(1)概述(2)准备工作 (3)@Import (4)模拟过程3.自动配置原理(1)源码跟踪 (2)@Conditional (3)自定义start业务场景需求 步骤具......
  • 二. Spring Boot 中的 “依赖管理和自动配置” 详解透彻到底(附+详细代码流程)
    二.SpringBoot中的“依赖管理和自动配置”详解透彻到底(附+详细代码流程)@目录*二.SpringBoot中的“依赖管理和自动配置”详解透彻到底(附+详细代码流程)1.如何理解“约定优于配置”2.SpringBoot依赖管理和自动配置2.1SpringBoot的依赖管理2.1.1什么......