Spring Security基于token的极简示例
1 引言
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架,但是用起来有点复杂,为了便于学习理解,下面将用最简洁的配置和示例,展示整个流程。
2 代码
创建一个spring-security-demo的项目,总共包含5个文件
2.1 pom.xml
引入spring-boot-starter-security
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>spring-security-demo</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<!-- 为Spring Boot项目提供一系列默认的配置和依赖管理-->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.2</version>
<relativePath/>
</parent>
<dependencies>
<!-- Spring Boot核心依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<!-- Spring Boot单元测试和集成测试的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Spring Boot构建Web应用程序的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
</project>
2.2 application.properties
保持空白即可
2.3 org/example/Main.java
启动类
package org.example;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Main {
public static void main(String[] args) {
SpringApplication.run(Main.class, args);
}
}
2.4 org/example/controller/UserController.java
测试类,注意@PreAuthorize注解,用于标记每个接口的权限标识
package org.example.controller;
import org.example.conf.SecurityConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.*;
@Controller
@RequestMapping("/user")
public class UserController {
@Autowired
private AuthenticationManager authenticationManager;
private Map<String, Object> returnOk(String obj) {
Map<String, Object> map = new HashMap<>();
map.put("code", HttpStatus.OK.value());
map.put("msg", "ok");
map.put("data", obj);
return map;
}
private Map<String, Object> returnError(String msg) {
Map<String, Object> map = new HashMap<>();
map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
map.put("msg", msg);
return map;
}
@PreAuthorize("hasAuthority('user:hello')")
@RequestMapping("/hello")
@ResponseBody
public Object hello() {
System.out.println("hello");
return returnOk("hello");
}
@PreAuthorize("hasAuthority('user:hello1')")
@RequestMapping("/hello1")
@ResponseBody
public Object hello1() {
System.out.println("hello1");
return returnOk("hello1");
}
@PostMapping("/login")
@ResponseBody
public Object login(@RequestBody Map<String, String> param) {
String username = param.get("username");
String password = param.get("password");
//调用Spring Security的loadUserByUsername方法获取用户信息
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
Authentication authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
if (authenticate == null) {
return returnError("用户不存在");
} else {
UserDetails userDetails = (UserDetails) authenticate.getPrincipal();
//验证密码
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
if (!passwordEncoder.matches(password, userDetails.getPassword())) {
return returnError("账号密码错误");
}
// 生成token
String token = UUID.randomUUID().toString();
// 存储token
SecurityConfig.tokenMap.put(token, userDetails);
return returnOk(token);
}
}
@PostMapping("/logout")
@ResponseBody
public Object logout() {
return returnOk("退出成功");
}
}
2.5 org/example/conf/SecurityConfig.java
Spring Security配置,为了简化代码,便于查看,我将所有需要自定义的类,以内部类的方式放到里面,然后引入到filterChain方法中即可。
package org.example.conf;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.util.*;
/**
* spring security配置
*/
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Configuration
public class SecurityConfig {
/**
* 简单模拟token存储,可以用redis代替。
*/
public static Map<String, UserDetails> tokenMap = new HashMap<>();
/**
* 自定义token过滤器
*/
public static class MyOncePerRequestFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
String token = request.getHeader("token");
System.out.println("url=" + request.getRequestURI() + ",token=" + token);
UserDetails userDetails = tokenMap.get(token);
if (null != userDetails) {
//如果token存在,则进行spring security权限验证
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
chain.doFilter(request, response);
}
}
/**
* 自定义未授权访问处理逻辑
*/
public static class AuthenticationEntryPointImpl implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
Map<String, Object> map = new HashMap<>();
map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
map.put("msg", "无权限访问该资源");
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
response.setContentType("application/json");
response.setCharacterEncoding("utf-8");
response.getWriter().print(new ObjectMapper().writeValueAsString(map));
}
}
/**
* 定义退出处理逻辑
*/
public static class LogoutSuccessHandlerImpl implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
String token = request.getHeader("header");
tokenMap.remove(token);
Map<String, Object> map = new HashMap<>();
map.put("code", HttpStatus.OK.value());
map.put("msg", "退出成功");
response.setStatus(HttpStatus.OK.value());
response.setContentType("application/json");
response.setCharacterEncoding("utf-8");
response.getWriter().print(new ObjectMapper().writeValueAsString(map));
}
}
/**
* 定义身份认证处理逻辑
*/
public static class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 一般情况下,从数据库查询用户信息和权限信息,TODO
// 为了方便测试,直接模拟用户信息和权限信息。
Set<GrantedAuthority> authorities = new HashSet<>();
authorities.add(new SimpleGrantedAuthority("user:hello"));
authorities.add(new SimpleGrantedAuthority("user:hello2"));
return getUserDetails(username, new BCryptPasswordEncoder().encode("123456"), authorities);
}
private UserDetails getUserDetails(String username, String password, Set<GrantedAuthority> authorities) {
return new UserDetails() {
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return UserDetails.super.isAccountNonExpired();
}
@Override
public boolean isAccountNonLocked() {
return UserDetails.super.isAccountNonLocked();
}
@Override
public boolean isCredentialsNonExpired() {
return UserDetails.super.isCredentialsNonExpired();
}
@Override
public boolean isEnabled() {
return UserDetails.super.isEnabled();
}
};
}
}
@Bean
protected SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
// 不使用session,禁用CSRF
.csrf(csrf -> csrf.disable())
// 禁用HTTP响应标头
.headers((headersCustomizer) -> {
headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin());
})
// 定义未授权访问处理逻辑
.exceptionHandling(exception -> exception.authenticationEntryPoint(new AuthenticationEntryPointImpl()))
// 不使用session
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
// 记允许匿名访问的url
.authorizeHttpRequests((requests) -> {
requests.requestMatchers("/user/login", "/user/register").permitAll()
// 除上面外的所有请求全部需要鉴权认证
.anyRequest().authenticated();
})
// 定义退出处理逻辑
.logout(logout -> logout.logoutUrl("/user/logout").logoutSuccessHandler(new LogoutSuccessHandlerImpl()))
// 定义token过滤器
.addFilterBefore(new MyOncePerRequestFilter(), UsernamePasswordAuthenticationFilter.class).build();
}
/**
* 身份验证实现
*/
@Bean
public AuthenticationManager authenticationManager() {
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setUserDetailsService(new UserDetailsServiceImpl());
daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return new ProviderManager(daoAuthenticationProvider);
}
/**
* 跨域配置
*/
@Bean
public CorsFilter corsFilter() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
// 设置访问源地址
config.addAllowedOriginPattern("*");
// 设置访问源请求头
config.addAllowedHeader("*");
// 设置访问源请求方法
config.addAllowedMethod("*");
// 有效期 1800秒
config.setMaxAge(1800L);
// 添加映射路径,拦截一切请求
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
// 返回新的CorsFilter
return new CorsFilter(source);
}
}
3 测试
- 启动项目访问http://localhost:8080/user/hello,可以看到提示"无权限访问该资源",由于未登录,请求被正常拦截。
- post调用 http://localhost:8080/user/login进行登录操作,用户名随意,密码123456(在认证方法中自定义的)。然后可以看到返回了data即自定义的token值。
- 再次访问http://localhost:8080/user/hello,并提前将token值放到header中。可以看到成功返回,表示请求通过了权限验证。这与我们设置的权限标识刚好一致。
4. 用该token继续访问http://localhost:8080/user/hello1,可以看到 “无权限访问该资源”,由于我们没有赋予用户"user:hello1"的权限标识,请求被正常拦截。
