Keep三面:如何用Spring Security實現前後端分離?
阿新 • • 發佈:2021-06-19
前言
網路上很多 Spring Security 前後端分離的示例其實並不是完全的前後端分離,而且實現方式各不相同:有的靠自己寫攔截器校驗許可權,有的頁面用 Thymeleaf 渲染,並不是真正的前後端分離,看得越多對 Spring Security 越疑惑。此篇文章要用最簡單的示例實現出真正前後端完全分離的許可權校驗,spring全家桶共享,總結了大廠面試真題、資深架構師學習筆記等。
1. pom.xml
主要依賴是
spring-boot-starter-security和jwt。
<!-- Web + Security starters, JJWT (api/impl/jackson) for issuing and parsing tokens,
     commons-lang3 (presumably for DateUtils in TokenProvider) and compile-time Lombok.
     ${jjwt.version} must be declared in the POM's <properties>; it is not part of this listing. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>${jjwt.version}</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>${jjwt.version}</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>${jjwt.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.9</version>
</dependency>
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <optional>true</optional>
</dependency>
2. User
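/**
 * Authenticated principal exposed to Spring Security through {@link UserDetails}.
 * Lombok supplies getters/setters, the no-arg constructor and the all-args constructor
 * (id, username, password, enabled, authorities).
 */
@Data
@ToString
@NoArgsConstructor
@AllArgsConstructor
public class User implements UserDetails {

    private Long id;
    private String username;
    // Encoded password; excluded from toString() so it cannot end up in log output.
    @ToString.Exclude
    private String password;
    private Boolean enabled;
    private List<GrantedAuthority> authorities;

    /**
     * Builds a principal for which only the name and authorities are known, e.g. when the
     * user is reconstructed from a token. The id is left null and the account is marked enabled.
     *
     * @param username    account name (the token subject)
     * @param password    password or placeholder; stored as given
     * @param authorities granted authorities; null is treated as none
     */
    public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {
        this(null, username, password, Boolean.TRUE, copyOf(authorities));
    }

    /** Copies the authorities into a fresh list so the principal does not alias the caller's collection. */
    private static List<GrantedAuthority> copyOf(Collection<? extends GrantedAuthority> authorities) {
        List<GrantedAuthority> copy = new java.util.ArrayList<>();
        if (authorities != null) {
            copy.addAll(authorities);
        }
        return copy;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.authorities;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    /** Account expiry is not modelled; always non-expired. */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /** Account locking is not modelled; always unlocked. */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /** Credential expiry is not modelled; always valid. */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        // Null-safe unboxing: an unset flag counts as disabled instead of throwing NPE.
        return Boolean.TRUE.equals(this.enabled);
    }
}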
3. UserDetailsService
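/**
 * Demo {@link UserDetailsService}: accepts any non-empty username and assigns it a fixed
 * password and a fixed set of authorities. Replace the hard-coded data with a repository
 * lookup before real use.
 */
@RequiredArgsConstructor
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    // Injected through the Lombok-generated constructor (final field) instead of @Autowired field injection.
    private final PasswordEncoder passwordEncoder;

    /**
     * @param username name supplied at login
     * @return the demo user for that name
     * @throws UsernameNotFoundException when the name is null or empty (the "not found" path;
     *         the original null check on the freshly constructed user could never fire)
     */
    @Override
    public User loadUserByUsername(String username) {
        if (username == null || username.isEmpty()) {
            throw new UsernameNotFoundException("使用者名稱或者密碼錯誤");
        }
        List<GrantedAuthority> authorities = Arrays.asList(
                new SimpleGrantedAuthority("user:add"),
                new SimpleGrantedAuthority("user:view"),
                new SimpleGrantedAuthority("user:update"));
        // Demo only: every user has the password "123456"; BCrypt re-encodes it on each lookup.
        return new User(1L, username, passwordEncoder.encode("123456"), true, authorities);
    }
}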
4. TokenProvider
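/**
 * JWT token provider: issues HS512-signed tokens for an {@link Authentication} and
 * rebuilds an {@link Authentication} from a presented token.
 */
@Slf4j
@Component
public class TokenProvider implements InitializingBean {

    /** Claim holding the comma-separated authority list. */
    public static final String AUTHORITIES_KEY = "auth";

    /** HMAC key used for both signing and verification. */
    private Key key;
    /** Built once; a built JwtParser is immutable and safe to share across requests. */
    private JwtParser jwtParser;

    @Override
    public void afterPropertiesSet() {
        // The secret must be Base64 of at least 88 characters (64 bytes), which is what HS512 requires.
        // NOTE(review): this literal is not valid Base64, so Decoders.BASE64.decode rejects it at
        // startup; the value must be a Base64 string read from configuration (application.yml),
        // never a source literal.
        String secret = "必須使用最少88位的Base64對該令牌進行編碼,一般是配置在application.yml中,需要預先定義好";
        byte[] keyBytes = Decoders.BASE64.decode(secret);
        key = Keys.hmacShaKeyFor(keyBytes);
        jwtParser = Jwts.parserBuilder().setSigningKey(key).build();
    }

    /**
     * Creates a signed token for the given authentication.
     *
     * @param authentication authenticated principal; its name becomes the subject
     * @return compact JWS, valid for one day from now
     */
    public String createToken(Authentication authentication) {
        String authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(","));
        // A fresh builder per call: JwtBuilder is mutable, so a single shared instance would race
        // between concurrent requests and could carry claims from an earlier token into the next.
        return Jwts.builder()
                .signWith(key, SignatureAlgorithm.HS512)
                // unique id so that two tokens for the same user never compare equal
                .setId(UUID.randomUUID().toString())
                .claim(AUTHORITIES_KEY, authorities)
                .setSubject(authentication.getName())
                .setExpiration(DateUtils.addDays(new Date(), 1))
                .compact();
    }

    /**
     * Parses and verifies a token and turns it into an authenticated token.
     *
     * @param token compact JWS as presented by the client
     * @return authentication whose principal is a {@link User} with the subject and authorities of the token
     * @throws io.jsonwebtoken.JwtException (unchecked) when the signature, format or expiry is invalid —
     *         callers must handle this
     */
    public Authentication getAuthentication(String token) {
        Claims claims = jwtParser.parseClaimsJws(token).getBody();
        Object authoritiesStr = claims.get(AUTHORITIES_KEY);
        java.util.List<GrantedAuthority> authorities;
        if (authoritiesStr != null) {
            authorities = Arrays.stream(authoritiesStr.toString().split(","))
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toList());
        } else {
            authorities = Collections.emptyList();
        }
        // User only declares Lombok's no-arg and all-args constructors; the id is unknown here.
        User principal = new User(null, claims.getSubject(), "******", true, authorities);
        return new UsernamePasswordAuthenticationToken(principal, token, authorities);
    }
}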
5. AccessDeniedHandler
/**
 * Answers 403 Forbidden when an authenticated caller lacks the authority a resource requires.
 */
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException {
        // Invoked by Spring Security after authorization fails on a protected REST resource.
        String reason = accessDeniedException.getMessage();
        response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }
}
6. AuthenticationEntryPoint
/**
 * Answers 401 Unauthorized when a protected resource is requested without valid credentials.
 */
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // Invoked by Spring Security when no (or no valid) authentication is present.
        String message = "Unauthorized";
        if (authException != null) {
            message = authException.getMessage();
        }
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, message);
    }
}
7. TokenFilter
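/**
 * Reads the bearer token from the Authorization header, converts it into an
 * {@link Authentication} and stores it in the SecurityContext for the rest of the chain.
 * <p>
 * NOTE(review): the class is a {@code @Component} and is also instantiated by hand in
 * TokenConfigurer; Spring Boot registers Filter beans on the servlet container as well, so
 * the filter presumably runs twice per request — verify and drop one of the registrations.
 */
@Slf4j
@Component
public class TokenFilter extends GenericFilterBean {

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";

    private final TokenProvider tokenProvider;

    public TokenFilter(TokenProvider tokenProvider) {
        this.tokenProvider = tokenProvider;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String token = resolveToken(httpServletRequest.getHeader(AUTHORIZATION_HEADER));
        if (!StringUtils.isEmpty(token)) {
            try {
                Authentication authentication = tokenProvider.getAuthentication(token);
                SecurityContextHolder.getContext().setAuthentication(authentication);
            } catch (RuntimeException ignored) {
                // jjwt signals expired, malformed or badly-signed tokens with unchecked exceptions.
                // Propagating them would turn a bad token into a 500; leaving the context empty
                // instead lets the AuthenticationEntryPoint answer with 401.
                SecurityContextHolder.clearContext();
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Extracts the raw JWT from an {@code Authorization: Bearer <token>} header value.
     *
     * @param headerValue the header value, may be null
     * @return the token, or null when the header is absent or not a bearer credential
     */
    private static String resolveToken(String headerValue) {
        if (headerValue == null || !headerValue.startsWith(BEARER_PREFIX)) {
            return null;
        }
        // substring() keeps only the credential; replace("Bearer", "") left a leading space in
        // front of the token and removed the word wherever it appeared in the value.
        String token = headerValue.substring(BEARER_PREFIX.length()).trim();
        return token.isEmpty() ? null : token;
    }
}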
8. WebMvcConfigurer
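/**
 * MVC configuration; currently only provides the CORS filter that SecurityConfig places
 * ahead of the security filter chain.
 * <p>
 * NOTE(review): {@code @EnableWebMvc} switches off Spring Boot's MVC auto-configuration
 * (converters, static resource handling, ...) — confirm that is intended.
 */
@Configuration
@EnableWebMvc
public class WebMvcConfigurerAdapter implements WebMvcConfigurer {

    /**
     * Wide-open CORS policy for a bearer-token API: any origin, header and method.
     * <p>
     * Credentials (cookies, HTTP auth) are deliberately not allowed: the JWT travels in the
     * Authorization header, which needs no credentials mode, and combining
     * {@code setAllowCredentials(true)} with the {@code "*"} origin is rejected by Spring
     * Framework 5.3+ and, on older versions, let any site make cookie-bearing requests.
     * Narrow {@code addAllowedOrigin} to the real front-end origins for production.
     *
     * @return filter applying the policy to every path
     */
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}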
9. TokenConfigurer
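/**
 * Hooks a {@link TokenFilter} into the HttpSecurity filter chain ahead of the
 * username/password filter, so the bearer token is processed before form login would run.
 * <p>
 * The Lombok {@code @RequiredArgsConstructor} was dropped: with a non-final field it only
 * generated an unused no-arg constructor next to the explicit one below.
 */
public class TokenConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    private final TokenProvider tokenProvider;

    /**
     * @param tokenProvider parser the filter uses to turn tokens into Authentications
     */
    public TokenConfigurer(TokenProvider tokenProvider) {
        this.tokenProvider = tokenProvider;
    }

    @Override
    public void configure(HttpSecurity http) {
        // NOTE(review): a second TokenFilter instance is created here although the class is also a
        // @Component; the bean instance is not reused — confirm the double registration is intended.
        http.addFilterBefore(new TokenFilter(tokenProvider), UsernamePasswordAuthenticationFilter.class);
    }
}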
10. SecurityConfig
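/**
 * Stateless, token-based security configuration: no sessions, no CSRF tokens, and every
 * request is authenticated through {@link TokenFilter} unless one of the permitAll rules
 * below matches.
 */
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructor injection through @RequiredArgsConstructor; the fields used to be @Autowired
    // and mutable, which made the annotation a no-op.
    private final CorsFilter corsFilter;
    private final TokenProvider tokenProvider;
    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    private final JwtAccessDeniedHandler jwtAccessDeniedHandler;

    /** Drops the default "ROLE_" prefix so hasRole/hasAnyRole compare raw authority strings such as "user:add". */
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }

    /** BCrypt for stored passwords (salted, adaptive cost). */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * @param httpSecurity builder for the single filter chain of this application
     * @throws Exception propagated from HttpSecurity
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // No cookie-based session, so CSRF tokens add nothing; the JWT is sent explicitly.
                .csrf().disable()
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                // 401 for missing/invalid credentials, 403 for insufficient authorities
                .exceptionHandling()
                .authenticationEntryPoint(jwtAuthenticationEntryPoint)
                .accessDeniedHandler(jwtAccessDeniedHandler)
                // X-Frame-Options is switched off so pages can be embedded in iframes from other
                // origins; that also removes clickjacking protection — prefer sameOrigin() unless
                // cross-origin embedding is really required.
                .and()
                .headers()
                .frameOptions()
                .disable()
                // Never create an HTTP session; authentication state lives in the token only.
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // static resources and websocket endpoint
                .antMatchers(
                        HttpMethod.GET,
                        "/*.html",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/webSocket/**"
                ).permitAll()
                // swagger documentation
                .antMatchers("/swagger-ui.html").permitAll()
                .antMatchers("/swagger-resources/**").permitAll()
                .antMatchers("/webjars/**").permitAll()
                .antMatchers("/*/api-docs").permitAll()
                // files
                .antMatchers("/avatar/**").permitAll()
                .antMatchers("/file/**").permitAll()
                // Alibaba druid console — unauthenticated access exposes SQL statistics and
                // data-source details; restrict it outside development.
                .antMatchers("/druid/**").permitAll()
                // CORS preflight requests carry no token
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // endpoints that do not require authentication
                .antMatchers("/auth/login").permitAll()
                // everything else needs a valid token
                .anyRequest().authenticated()
                .and().apply(securityConfigurerAdapter());
    }

    /** Registers the TokenFilter in the chain (see TokenConfigurer). */
    private TokenConfigurer securityConfigurerAdapter() {
        return new TokenConfigurer(tokenProvider);
    }
}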
11. AuthController
/**
 * Login endpoint of the demo: authenticates a fixed username/password pair and returns a JWT.
 */
@RestController
@RequestMapping("/auth")
public class AuthController {

    @Autowired
    private TokenProvider tokenProvider;
    @Autowired
    private AuthenticationManagerBuilder authenticationManagerBuilder;

    /**
     * Authenticates the hard-coded demo credentials ("monday" / "123456") and issues a token.
     * {@code @RequestMapping} without a method restriction, so every HTTP method is accepted.
     *
     * @return the signed JWT as a plain string
     */
    @RequestMapping("/login")
    public String login() {
        // authenticate() drives UserDetailsService.loadUserByUsername and the PasswordEncoder check
        Authentication authenticated = authenticationManagerBuilder.getObject()
                .authenticate(new UsernamePasswordAuthenticationToken("monday", "123456"));
        SecurityContextHolder.getContext().setAuthentication(authenticated);
        return tokenProvider.createToken(authenticated);
    }
}
12. UserController
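/**
 * Demo resources guarded by method security. Each endpoint requires one authority string;
 * the demo user (see UserDetailsServiceImpl) holds user:add, user:view and user:update but
 * not user:delete, so /user/delete is answered with 403.
 * <p>
 * {@code hasAuthority} is used instead of {@code hasAnyRole}: it compares the authority string
 * as-is and does not depend on the "ROLE_" prefix being cleared through GrantedAuthorityDefaults.
 */
@RestController
@RequestMapping("/user")
public class UserController {

    @RequestMapping("/add")
    @PreAuthorize("hasAuthority('user:add')")
    public String add() {
        return "user:add";
    }

    @RequestMapping("/update")
    @PreAuthorize("hasAuthority('user:update')")
    public String update() {
        return "user:update";
    }

    @RequestMapping("/view")
    @PreAuthorize("hasAuthority('user:view')")
    public String view() {
        return "user:view";
    }

    @RequestMapping("/delete")
    @PreAuthorize("hasAuthority('user:delete')")
    public String delete() {
        return "user:delete";
    }
}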
訪問有許可權的介面。
訪問沒有許可權的介面被拒絕。
13. Spring Security 認證和授權原理
- 使用者登入會呼叫UserDetailsService對使用者名稱和密碼進行檢查,返回使用者名稱、密碼、許可權字串列表,認證成功後就會將使用者資訊放在安全上下文中SecurityContext。
- 當用戶訪問帶有許可權的介面,Spring Security會呼叫TokenFilter獲取到token,解析token並存入到安全上下文SecurityContext中,然後檢查@PreAuthorize("hasAnyRole('user:add')")配置的許可權字串是否在SecurityContext中使用者的authorities列表中,如果在表示有許可權放行,如果不在表示沒有許可權,則執行AccessDeniedHandler返回。
- 關注公眾號:麒麟改bug,共享更多Java相關的學習筆記,面試真題,電子書,感謝您的支援!