javascript
Spring Security 案例实现和执行流程剖析
在線演示
演示地址:http://139.196.87.48:9002/kitty
用戶名:admin 密碼:admin
Spring Security
Spring Security 是 Spring 社區(qū)的一個(gè)頂級(jí)項(xiàng)目,也是 Spring Boot 官方推薦使用的安全框架。除了常規(guī)的認(rèn)證(Authentication)和授權(quán)(Authorization)之外,Spring Security還提供了諸如ACLs,LDAP,JAAS,CAS等高級(jí)特性以滿足復(fù)雜場(chǎng)景下的安全需求。
Spring Security 應(yīng)用級(jí)別的安全主要包含兩個(gè)主要部分,即登錄認(rèn)證(Authentication)和訪問(wèn)授權(quán)(Authorization),首先用戶登錄的時(shí)候傳入登錄信息,登錄驗(yàn)證器完成登錄認(rèn)證并將登錄認(rèn)證好的信息存儲(chǔ)到請(qǐng)求上下文,然后在進(jìn)行其他操作,如接口訪問(wèn)、方法調(diào)用時(shí),權(quán)限認(rèn)證器從上下文中獲取登錄認(rèn)證信息,然后根據(jù)認(rèn)證信息獲取權(quán)限信息,通過(guò)權(quán)限信息和特定的授權(quán)策略決定是否授權(quán)。
接下來(lái),本教程將分別對(duì)登錄認(rèn)證和訪問(wèn)授權(quán)的執(zhí)行流程進(jìn)行剖析,并在最后給出完整的案例實(shí)現(xiàn),如果覺(jué)得先讀前面原理比較難懂,可以先學(xué)習(xí)后面的實(shí)現(xiàn)案例,再結(jié)合案例理解登錄認(rèn)證和訪問(wèn)授權(quán)的執(zhí)行原理。
登錄認(rèn)證
登錄認(rèn)證過(guò)濾器
如果在繼承 WebSecurityConfigurerAdapter 的配置類中的 configure(HttpSecurity http) 方法中有配置?HttpSecurity 的?formLogin,則會(huì)返回一個(gè)?FormLoginConfigurer 對(duì)象。如下是一個(gè) Spring Security 的配置樣例,?formLogin().x.x 就是配置使用內(nèi)置的登錄驗(yàn)證過(guò)濾器,默認(rèn)實(shí)現(xiàn)為?UsernamePasswordAuthenticationFilter。
WebSecurityConfig.java
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserDetailsService userDetailsService;@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {// 使用自定義身份驗(yàn)證組件auth.authenticationProvider(new JwtAuthenticationProvider(userDetailsService));}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().and().csrf().disable().authorizeRequests()// 首頁(yè)和登錄頁(yè)面.antMatchers("/").permitAll()// 其他所有請(qǐng)求需要身份認(rèn)證 .anyRequest().authenticated()// 配置登錄認(rèn)證.and().formLogin().loginProcessingUrl("/login");} }查看 HttpSecurity , formLogion 方法返回一個(gè)?FormLoginConfigurer 對(duì)象。
HttpSecurity.java
public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {return getOrApply(new FormLoginConfigurer<>());}而 FormLoginConfigurer 的構(gòu)造函數(shù)內(nèi)綁定了一個(gè)?UsernamePasswordAuthenticationFilter 過(guò)濾器。
FormLoginConfigurer.java
public FormLoginConfigurer() {super(new UsernamePasswordAuthenticationFilter(), null);usernameParameter("username");passwordParameter("password");}再看?UsernamePasswordAuthenticationFilter 過(guò)濾器的構(gòu)造函數(shù)內(nèi)綁定了 POST 類型的 /login 請(qǐng)求,也就是說(shuō),如果配置了 formLogin 的相關(guān)信息,那么在使用 POST 類型的 /login URL進(jìn)行登錄的時(shí)候就會(huì)被這個(gè)過(guò)濾器攔截,并進(jìn)行登錄驗(yàn)證,登錄驗(yàn)證過(guò)程我們下面繼續(xù)分析。
UsernamePasswordAuthenticationFilter.java
public UsernamePasswordAuthenticationFilter() {super(new AntPathRequestMatcher("/login", "POST"));}查看?UsernamePasswordAuthenticationFilter,發(fā)現(xiàn)它繼承了?AbstractAuthenticationProcessingFilter,AbstractAuthenticationProcessingFilter 中的?doFilter 包含了觸發(fā)登錄認(rèn)證執(zhí)行流程的相關(guān)邏輯。
AbstractAuthenticationProcessingFilter.java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {...Authentication authResult;try {authResult = attemptAuthentication(request, response);if (authResult == null) {// return immediately as subclass has indicated that it hasn't completed// authenticationreturn;}sessionStrategy.onAuthentication(authResult, request, response);}
...
successfulAuthentication(request, response, chain, authResult);}
上面的登錄邏輯主要步驟有兩個(gè):
1.?attemptAuthentication(request, response)
這是?AbstractAuthenticationProcessingFilter? 中的一個(gè)抽象方法,包含登錄主邏輯,由其子類實(shí)現(xiàn)具體的登錄驗(yàn)證,如 UsernamePasswordAuthenticationFilter 是使用表單方式登錄的具體實(shí)現(xiàn)。如果是非表單登錄的方式,如JNDI等其他方式登錄的可以通過(guò)繼承?AbstractAuthenticationProcessingFilter 自定義登錄實(shí)現(xiàn)。UsernamePasswordAuthenticationFilter 的登錄實(shí)現(xiàn)邏輯如下。
UsernamePasswordAuthenticationFilter.java
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {if (postOnly && !request.getMethod().equals("POST")) {throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());}// 獲取用戶名和密碼String username = obtainUsername(request);String password = obtainPassword(request);if (username == null) {username = "";}if (password == null) {password = "";}username = username.trim();UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);// Allow subclasses to set the "details" propertysetDetails(request, authRequest);return this.getAuthenticationManager().authenticate(authRequest);}2.?successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)
登錄成功之后,將認(rèn)證后的 Authentication 對(duì)象存儲(chǔ)到請(qǐng)求線程上下文,這樣在授權(quán)階段就可以獲取到 Authentication 認(rèn)證信息,并利用 Authentication 內(nèi)的權(quán)限信息進(jìn)行訪問(wèn)控制判斷。
AbstractAuthenticationProcessingFilter.java
protected void successfulAuthentication(HttpServletRequest request,HttpServletResponse response, FilterChain chain, Authentication authResult)throws IOException, ServletException {if (logger.isDebugEnabled()) {logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);}// 登錄成功之后,把認(rèn)證后的 Authentication 對(duì)象存儲(chǔ)到請(qǐng)求線程上下文,這樣在授權(quán)階段就可以獲取到此認(rèn)證信息進(jìn)行訪問(wèn)控制判斷SecurityContextHolder.getContext().setAuthentication(authResult);rememberMeServices.loginSuccess(request, response, authResult);// Fire eventif (this.eventPublisher != null) {eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));}successHandler.onAuthenticationSuccess(request, response, authResult);}從上面的登錄邏輯我們可以看到,Spring Security的登錄認(rèn)證過(guò)程是委托給?AuthenticationManager 完成的,它先是解析出用戶名和密碼,然后把用戶名和密碼封裝到一個(gè)UsernamePasswordAuthenticationToken 中,傳遞給 AuthenticationManager,交由 AuthenticationManager 完成實(shí)際的登錄認(rèn)證過(guò)程。?
AuthenticationManager.java
package org.springframework.security.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
/**
* Processes an {@link Authentication} request.
* @author Ben Alex
*/
public interface AuthenticationManager {
Authentication authenticate(Authentication authentication) throws AuthenticationException;
}
AuthenticationManager?提供了一個(gè)默認(rèn)的 實(shí)現(xiàn)?ProviderManager,而 ProviderManager 又將驗(yàn)證委托給了 AuthenticationProvider。
ProviderManager.java
public Authentication authenticate(Authentication authentication)throws AuthenticationException {...for (AuthenticationProvider provider : getProviders()) {if (!provider.supports(toTest)) {continue;}try {result = provider.authenticate(authentication);if (result != null) {copyDetails(authentication, result);break;}}
...
}
根據(jù)驗(yàn)證方式的多樣化,AuthenticationProvider 衍生出多種類型的實(shí)現(xiàn),AbstractUserDetailsAuthenticationProvider 是 AuthenticationProvider 的抽象實(shí)現(xiàn),定義了較為統(tǒng)一的驗(yàn)證邏輯,各種驗(yàn)證方式可以選擇直接繼承?AbstractUserDetailsAuthenticationProvider 完成登錄認(rèn)證,如?DaoAuthenticationProvider 就是繼承了此抽象類,完成了從DAO方式獲取驗(yàn)證需要的用戶信息的。
AbstractUserDetailsAuthenticationProvider.java
public Authentication authenticate(Authentication authentication) throws AuthenticationException {// Determine usernameString username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();boolean cacheWasUsed = true;UserDetails user = this.userCache.getUserFromCache(username);if (user == null) {cacheWasUsed = false;try {// 子類根據(jù)自身情況從指定的地方加載認(rèn)證需要的用戶信息user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);}...try {
// 前置檢查,一般是檢查賬號(hào)狀態(tài),如是否鎖定之類preAuthenticationChecks.check(user);
// 進(jìn)行一般邏輯認(rèn)證,如 DaoAuthenticationProvider 實(shí)現(xiàn)中的密碼驗(yàn)證就是在這里完成的additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);}...
// 后置檢查,如可以檢查密碼是否過(guò)期之類postAuthenticationChecks.check(user); ...
// 驗(yàn)證成功之后返回包含完整認(rèn)證信息的 Authentication 對(duì)象return createSuccessAuthentication(principalToReturn, authentication, user);}
如上面所述,?AuthenticationProvider 通過(guò)?retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) 獲取驗(yàn)證信息,對(duì)于我們一般所用的?DaoAuthenticationProvider 是由 UserDetailsService 專門(mén)負(fù)責(zé)獲取驗(yàn)證信息的。
DaoAuthenticationProvider.java
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {try {UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);if (loadedUser == null) {throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");}return loadedUser;}}UserDetailsService 接口只有一個(gè)方法,loadUserByUsername(String username),一般需要我們實(shí)現(xiàn)此接口方法,根據(jù)用戶名加載登錄認(rèn)證和訪問(wèn)授權(quán)所需要的信息,并返回一個(gè)?UserDetails的實(shí)現(xiàn)類,后面登錄認(rèn)證和訪問(wèn)授權(quán)都需要用到此中的信息。
public interface UserDetailsService {/*** Locates the user based on the username. In the actual implementation, the search* may possibly be case sensitive, or case insensitive depending on how the* implementation instance is configured. In this case, the <code>UserDetails</code>* object that comes back may have a username that is of a different case than what* was actually requested..** @param username the username identifying the user whose data is required.** @return a fully populated user record (never <code>null</code>)** @throws UsernameNotFoundException if the user could not be found or the user has no* GrantedAuthority*/UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; }UserDetails 提供了一個(gè)默認(rèn)實(shí)現(xiàn) User,主要包含用戶名(username)、密碼(password)、權(quán)限(authorities)和一些賬號(hào)或密碼狀態(tài)的標(biāo)識(shí)。
如果默認(rèn)實(shí)現(xiàn)滿足不了你的需求,可以根據(jù)需求定制自己的?UserDetails,然后在?UserDetailsService 的?loadUserByUsername 中返回即可。
public class User implements UserDetails, CredentialsContainer {// ~ Instance fields// ================================================================================================private String password;private final String username;private final Set<GrantedAuthority> authorities;private final boolean accountNonExpired;private final boolean accountNonLocked;private final boolean credentialsNonExpired;private final boolean enabled;// ~ Constructors// ===================================================================================================public User(String username, String password,Collection<? extends GrantedAuthority> authorities) {this(username, password, true, true, true, true, authorities);}... }
退出登錄
Spring Security 提供了一個(gè)默認(rèn)的登出過(guò)濾器?LogoutFilter,默認(rèn)攔截路徑是 /logout,當(dāng)訪問(wèn) /logout 路徑的時(shí)候,LogoutFilter 會(huì)進(jìn)行退出處理。
LogoutFilter.java
package org.springframework.security.web.authentication.logout; public class LogoutFilter extends GenericFilterBean {// ~ Instance fields// ================================================================================================private RequestMatcher logoutRequestMatcher;private final LogoutHandler handler;private final LogoutSuccessHandler logoutSuccessHandler;// ~ Constructors// ===================================================================================================public LogoutFilter(LogoutSuccessHandler logoutSuccessHandler,LogoutHandler... handlers) {this.handler = new CompositeLogoutHandler(handlers);Assert.notNull(logoutSuccessHandler, "logoutSuccessHandler cannot be null");this.logoutSuccessHandler = logoutSuccessHandler;setFilterProcessesUrl("/logout"); // 綁定 /logout}// ~ Methods// ========================================================================================================public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;if (requiresLogout(request, response)) {Authentication auth = SecurityContextHolder.getContext().getAuthentication();this.handler.logout(request, response, auth); // 登出處理,可能包含session、cookie、認(rèn)證信息的清理工作logoutSuccessHandler.onLogoutSuccess(request, response, auth); // 退出后的操作,可能是跳轉(zhuǎn)、返回成功狀態(tài)等return;}chain.doFilter(request, response);}... }如下是?SecurityContextLogoutHandler 中的登出處理實(shí)現(xiàn)。
SecurityContextLogoutHandler.java
public void logout(HttpServletRequest request, HttpServletResponse response,Authentication authentication) {// 讓 session 失效 if (invalidateHttpSession) {HttpSession session = request.getSession(false);if (session != null) {logger.debug("Invalidating session: " + session.getId());session.invalidate();}}// 清理 Security 上下文,其中包含登錄認(rèn)證信息if (clearAuthentication) {SecurityContext context = SecurityContextHolder.getContext();context.setAuthentication(null);}SecurityContextHolder.clearContext();}?
訪問(wèn)授權(quán)
訪問(wèn)授權(quán)主要分為兩種:通過(guò)URL方式的接口訪問(wèn)控制和方法調(diào)用的權(quán)限控制。
接口訪問(wèn)權(quán)限
在通過(guò)比如瀏覽器使用URL訪問(wèn)后臺(tái)接口時(shí),是否允許訪問(wèn)此URL,就是接口訪問(wèn)權(quán)限。
在進(jìn)行接口訪問(wèn)時(shí),會(huì)由?FilterSecurityInterceptor 進(jìn)行攔截并進(jìn)行授權(quán)。
FilterSecurityInterceptor 繼承了 AbstractSecurityInterceptor 并實(shí)現(xiàn)了?javax.servlet.Filter 接口, 所以在URL訪問(wèn)的時(shí)候都會(huì)被過(guò)濾器攔截,doFilter 實(shí)現(xiàn)如下。
FilterSecurityInterceptor.java
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {FilterInvocation fi = new FilterInvocation(request, response, chain);invoke(fi);}doFilter 方法又調(diào)用了自身的?invoke 方法, invoke 方法又調(diào)用了父類 AbstractSecurityInterceptor 的 beforeInvocation 方法。
FilterSecurityInterceptor.java
public void invoke(FilterInvocation fi) throws IOException, ServletException {if ((fi.getRequest() != null)&& (fi.getRequest().getAttribute(FILTER_APPLIED) != null)&& observeOncePerRequest) {// filter already applied to this request and user wants us to observe// once-per-request handling, so don't re-do security checking fi.getChain().doFilter(fi.getRequest(), fi.getResponse());}else {// first time this request being called, so perform security checkingif (fi.getRequest() != null && observeOncePerRequest) {fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);}InterceptorStatusToken token = super.beforeInvocation(fi);try {fi.getChain().doFilter(fi.getRequest(), fi.getResponse());}finally {super.finallyInvocation(token);}super.afterInvocation(token, null);}}方法調(diào)用權(quán)限
在進(jìn)行后臺(tái)方法調(diào)用時(shí),是否允許該方法調(diào)用,就是方法調(diào)用權(quán)限。比如在方法上添加了此類注解 @PreAuthorize("hasRole('ROLE_ADMIN')") ,Security 方法注解的支持需要在任何配置類中(如 WebSecurityConfigurerAdapter?)添加 @EnableGlobalMethodSecurity(prePostEnabled = true) 開(kāi)啟,才能夠使用。
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter {}在進(jìn)行方法調(diào)用時(shí),會(huì)由 MethodSecurityInterceptor 進(jìn)行攔截并進(jìn)行授權(quán)。
MethodSecurityInterceptor 繼承了?AbstractSecurityInterceptor 并實(shí)現(xiàn)了AOP 的 org.aopalliance.intercept.MethodInterceptor 接口, 所以可以在方法調(diào)用時(shí)進(jìn)行攔截。
MethodSecurityInterceptor?.java
public Object invoke(MethodInvocation mi) throws Throwable {InterceptorStatusToken token = super.beforeInvocation(mi);Object result;try {result = mi.proceed();}finally {super.finallyInvocation(token);}return super.afterInvocation(token, result);}我們看到,MethodSecurityInterceptor 跟 FilterSecurityInterceptor 一樣, 都是通過(guò)調(diào)用父類 AbstractSecurityInterceptor 的相關(guān)方法完成授權(quán),其中 beforeInvocation 是完成權(quán)限認(rèn)證的關(guān)鍵。
AbstractSecurityInterceptor.java
protected InterceptorStatusToken beforeInvocation(Object object) {...// 通過(guò) SecurityMetadataSource 獲取權(quán)限配置信息,可以定制實(shí)現(xiàn)自己的權(quán)限信息獲取邏輯Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object); ...// 確認(rèn)是否經(jīng)過(guò)登錄認(rèn)證 Authentication authenticated = authenticateIfRequired();// Attempt authorizationtry {
// 通過(guò) AccessDecisionManager 完成授權(quán)認(rèn)證,默認(rèn)實(shí)現(xiàn)是 AffirmativeBasedthis.accessDecisionManager.decide(authenticated, object, attributes);}...}
上面代碼顯示 AbstractSecurityInterceptor 又是委托授權(quán)認(rèn)證器 AccessDecisionManager 完成授權(quán)認(rèn)證,默認(rèn)實(shí)現(xiàn)是 AffirmativeBased,?decide 方法實(shí)現(xiàn)如下。
AffirmativeBased.java
public void decide(Authentication authentication, Object object,Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {int deny = 0;for (AccessDecisionVoter voter : getDecisionVoters()) {
// 通過(guò)各種投票策略,最終決定是否授權(quán) int result = voter.vote(authentication, object, configAttributes); switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:return;
case AccessDecisionVoter.ACCESS_DENIED:deny++;break;
default:break;}...}
而?AccessDecisionManager 決定授權(quán)又是通過(guò)一個(gè)授權(quán)策略集合(AccessDecisionVoter?)決定的,授權(quán)決定的原則是:
? 1. 遍歷所有授權(quán)策略, 如果有其中一個(gè)返回?ACCESS_GRANTED,則同意授權(quán)。
? 2. 否則,等待遍歷結(jié)束,統(tǒng)計(jì)?ACCESS_DENIED 個(gè)數(shù),只要拒絕數(shù)大于1,則不同意授權(quán)。
對(duì)于接口訪問(wèn)授權(quán),也就是 FilterSecurityInterceptor 管理的URL授權(quán),默認(rèn)對(duì)應(yīng)的授權(quán)策略只有一個(gè),就是?WebExpressionVoter,它的授權(quán)策略主要是根據(jù) WebSecurityConfigurerAdapter 內(nèi)配置的路徑訪問(wèn)策略進(jìn)行匹配,然后決定是否授權(quán)。
WebExpressionVoter.java
/*** Voter which handles web authorisation decisions.* @author Luke Taylor* @since 3.0*/ public class WebExpressionVoter implements AccessDecisionVoter<FilterInvocation> {private SecurityExpressionHandler<FilterInvocation> expressionHandler = new DefaultWebSecurityExpressionHandler();public int vote(Authentication authentication, FilterInvocation fi,Collection<ConfigAttribute> attributes) {assert authentication != null;assert fi != null;assert attributes != null;WebExpressionConfigAttribute weca = findConfigAttribute(attributes);if (weca == null) {return ACCESS_ABSTAIN;}EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, fi);ctx = weca.postProcess(ctx, fi);return ExpressionUtils.evaluateAsBoolean(weca.getAuthorizeExpression(), ctx) ? ACCESS_GRANTED : ACCESS_DENIED;}... }
對(duì)于方法調(diào)用授權(quán),在全局方法安全配置類里,可以看到給?MethodSecurityInterceptor 默認(rèn)配置的有?RoleVoter、AuthenticatedVoter、Jsr250Voter、和?PreInvocationAuthorizationAdviceVoter,其中?Jsr250Voter、PreInvocationAuthorizationAdviceVoter 都需要打開(kāi)指定的開(kāi)關(guān),才會(huì)添加支持。
GlobalMethodSecurityConfiguration.java
@Configuration public class GlobalMethodSecurityConfiguration implements ImportAware, SmartInitializingSingleton {...
private MethodSecurityInterceptor methodSecurityInterceptor;
@Beanpublic MethodInterceptor methodSecurityInterceptor() throws Exception {this.methodSecurityInterceptor = isAspectJ()? new AspectJMethodSecurityInterceptor(): new MethodSecurityInterceptor();methodSecurityInterceptor.setAccessDecisionManager(accessDecisionManager());methodSecurityInterceptor.setAfterInvocationManager(afterInvocationManager());methodSecurityInterceptor.setSecurityMetadataSource(methodSecurityMetadataSource());RunAsManager runAsManager = runAsManager();if (runAsManager != null) {methodSecurityInterceptor.setRunAsManager(runAsManager);}return this.methodSecurityInterceptor;}protected AccessDecisionManager accessDecisionManager() {List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<AccessDecisionVoter<? extends Object>>();ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();expressionAdvice.setExpressionHandler(getExpressionHandler());if (prePostEnabled()) {decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));}if (jsr250Enabled()) {decisionVoters.add(new Jsr250Voter());}decisionVoters.add(new RoleVoter());decisionVoters.add(new AuthenticatedVoter());return new AffirmativeBased(decisionVoters);}
...
}
RoleVoter 是根據(jù)角色進(jìn)行匹配授權(quán)的策略。
RoleVoter.java
public class RoleVoter implements AccessDecisionVoter<Object> {// RoleVoter? 默認(rèn)角色名以?"ROLE_" 為前綴。private String rolePrefix = "ROLE_";public boolean supports(ConfigAttribute attribute) {if ((attribute.getAttribute() != null)&& attribute.getAttribute().startsWith(getRolePrefix())) {return true;}else {return false;}}public int vote(Authentication authentication, Object object,Collection<ConfigAttribute> attributes) {if(authentication == null) {return ACCESS_DENIED;}int result = ACCESS_ABSTAIN;Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);// 逐個(gè)角色進(jìn)行匹配,入股有一個(gè)匹配得上,則進(jìn)行授權(quán)for (ConfigAttribute attribute : attributes) {if (this.supports(attribute)) {result = ACCESS_DENIED;// Attempt to find a matching granted authorityfor (GrantedAuthority authority : authorities) {if (attribute.getAttribute().equals(authority.getAuthority())) {return ACCESS_GRANTED;}}}}return result;}Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {return authentication.getAuthorities();} }
AuthenticatedVoter 主要是針對(duì)有配置以下幾個(gè)屬性來(lái)決定授權(quán)的策略。
IS_AUTHENTICATED_REMEMBERED:記住我登錄狀態(tài)
IS_AUTHENTICATED_ANONYMOUSLY:匿名認(rèn)證狀態(tài)
IS_AUTHENTICATED_FULLY: 完全登錄狀態(tài),即非上面兩種類型
AuthenticatedVoter.java
public int vote(Authentication authentication, Object object,Collection<ConfigAttribute> attributes) {int result = ACCESS_ABSTAIN;for (ConfigAttribute attribute : attributes) {if (this.supports(attribute)) {result = ACCESS_DENIED;// 完全登錄狀態(tài)if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {if (isFullyAuthenticated(authentication)) {return ACCESS_GRANTED;}}// 記住我登錄狀態(tài)if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {if (authenticationTrustResolver.isRememberMe(authentication)|| isFullyAuthenticated(authentication)) {return ACCESS_GRANTED;}}// 匿名登錄狀態(tài)if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {if (authenticationTrustResolver.isAnonymous(authentication)|| isFullyAuthenticated(authentication)|| authenticationTrustResolver.isRememberMe(authentication)) {return ACCESS_GRANTED;}}}}return result;}PreInvocationAuthorizationAdviceVoter 是針對(duì)類似??@PreAuthorize("hasRole('ROLE_ADMIN')")? 注解解析并進(jìn)行授權(quán)的策略。
PreInvocationAuthorizationAdviceVoter.java
public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVoter<MethodInvocation> {private final PreInvocationAuthorizationAdvice preAdvice; public int vote(Authentication authentication, MethodInvocation method,Collection<ConfigAttribute> attributes) { PreInvocationAttribute preAttr = findPreInvocationAttribute(attributes);if (preAttr == null) {// No expression based metadata, so abstainreturn ACCESS_ABSTAIN;}boolean allowed = preAdvice.before(authentication, method, preAttr);return allowed ? ACCESS_GRANTED : ACCESS_DENIED;}private PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {for (ConfigAttribute attribute : config) {if (attribute instanceof PreInvocationAttribute) {return (PreInvocationAttribute) attribute;}}return null;} }PreInvocationAuthorizationAdviceVoter 解析出注解屬性配置, 然后通過(guò)調(diào)用 PreInvocationAuthorizationAdvice 的前置通知方法進(jìn)行授權(quán)認(rèn)證,默認(rèn)實(shí)現(xiàn)類似?ExpressionBasedPreInvocationAdvice,通知內(nèi)主要進(jìn)行了內(nèi)容的過(guò)濾和權(quán)限表達(dá)式的匹配。
ExpressionBasedPreInvocationAdvice.java
public class ExpressionBasedPreInvocationAdvice implements PreInvocationAuthorizationAdvice {private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();public boolean before(Authentication authentication, MethodInvocation mi, PreInvocationAttribute attr) {PreInvocationExpressionAttribute preAttr = (PreInvocationExpressionAttribute) attr;EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, mi);Expression preFilter = preAttr.getFilterExpression();Expression preAuthorize = preAttr.getAuthorizeExpression();if (preFilter != null) {Object filterTarget = findFilterTarget(preAttr.getFilterTarget(), ctx, mi);expressionHandler.filter(filterTarget, preFilter, ctx);}if (preAuthorize == null) {return true;}return ExpressionUtils.evaluateAsBoolean(preAuthorize, ctx);}... }案例實(shí)現(xiàn)
接下來(lái),我們以一個(gè)實(shí)現(xiàn)案例來(lái)進(jìn)行說(shuō)明講解。
新建工程
新建一個(gè) Spring Boot 項(xiàng)目?springboot-spring-security。
添加依賴
添加項(xiàng)目依賴,主要是 Spring Security 和 JWT,另外添加 Swagger 和 fastjson 作為輔助工具。
pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>top.ivan.demo</groupId><artifactId>springboot-spring-security</artifactId><version>0.0.1-SNAPSHOT</version><packaging>jar</packaging><name>springboot-spring-security</name><description>Demo project for Spring Boot</description><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.0.4.RELEASE</version><relativePath/> <!-- lookup parent from repository --></parent><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version><mybatis.spring.version>1.3.2</mybatis.spring.version><swagger.version>2.8.0</swagger.version><jwt.version>0.9.1</jwt.version><fastjson.version>1.2.48</fastjson.version></properties><dependencies><!-- spring boot --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><!-- swagger --><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId><version>${swagger.version}</version></dependency><dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger-ui</artifactId><version>${swagger.version}</version></dependency><!-- spring security --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><!-- jwt --><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>${jwt.version}</version></dependency><!-- fastjson --><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>啟動(dòng)類
啟動(dòng)類沒(méi)什么,主要開(kāi)啟以下包掃描。
SpringSecurityApplication.java
package com.louis.springboot.spring.security;import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.ComponentScan;/*** 啟動(dòng)器* @author Louis* @date Nov 28, 2018*/ @SpringBootApplication @ComponentScan(basePackages = "com.louis.springboot") public class SpringSecurityApplication {public static void main(String[] args) {SpringApplication.run(SpringSecurityApplication.class, args);} }跨域配置類
跨域配置類,不多說(shuō),都懂得。
CorsConfig.java
package com.louis.springboot.spring.security.config;import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.CorsRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;/*** 跨域配置* @author Louis* @date Nov 28, 2018*/ @Configuration public class CorsConfig implements WebMvcConfigurer {@Overridepublic void addCorsMappings(CorsRegistry registry) {registry.addMapping("/**") // 允許跨域訪問(wèn)的路徑.allowedOrigins("*") // 允許跨域訪問(wèn)的源.allowedMethods("POST", "GET", "PUT", "OPTIONS", "DELETE") // 允許請(qǐng)求方法.maxAge(168000) // 預(yù)檢間隔時(shí)間.allowedHeaders("*") // 允許頭部設(shè)置.allowCredentials(true); // 是否發(fā)送cookie } }Swagger配置類
Swagger配置類,除了常規(guī)配置外,加了一個(gè)令牌屬性,可以在接口調(diào)用的時(shí)候傳遞令牌。
SwaggerConfig.java
package com.louis.springboot.spring.security.config; import java.util.ArrayList; import java.util.List;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration;import springfox.documentation.builders.ApiInfoBuilder; import springfox.documentation.builders.ParameterBuilder; import springfox.documentation.builders.PathSelectors; import springfox.documentation.builders.RequestHandlerSelectors; import springfox.documentation.schema.ModelRef; import springfox.documentation.service.ApiInfo; import springfox.documentation.service.Parameter; import springfox.documentation.spi.DocumentationType; import springfox.documentation.spring.web.plugins.Docket; import springfox.documentation.swagger2.annotations.EnableSwagger2;/*** Swagger配置* @author Louis* @date Nov 28, 2018*/ @Configuration @EnableSwagger2 public class SwaggerConfig {@Beanpublic Docket createRestApi(){// 添加請(qǐng)求參數(shù),我們這里把token作為請(qǐng)求頭部參數(shù)傳入后端ParameterBuilder parameterBuilder = new ParameterBuilder();List<Parameter> parameters = new ArrayList<Parameter>();parameterBuilder.name("Authorization").description("令牌").modelRef(new ModelRef("string")).parameterType("header").required(false).build();parameters.add(parameterBuilder.build());return new Docket(DocumentationType.SWAGGER_2).apiInfo(apiInfo()).select().apis(RequestHandlerSelectors.any()).paths(PathSelectors.any()).build().globalOperationParameters(parameters);}private ApiInfo apiInfo(){return new ApiInfoBuilder().build();}}加了令牌屬性后的 Swagger 接口調(diào)用界面。
安全配置類
下面這個(gè)配置類是Spring Security的關(guān)鍵配置。
在這個(gè)配置類中,我們主要做了以下幾個(gè)配置:
1. 訪問(wèn)路徑URL的授權(quán)策略,如登錄、Swagger訪問(wèn)免登錄認(rèn)證等
2. 指定了登錄認(rèn)證流程過(guò)濾器?JwtLoginFilter,由它來(lái)觸發(fā)登錄認(rèn)證
3. 指定了自定義身份認(rèn)證組件?JwtAuthenticationProvider,并注入?UserDetailsService
4. 指定了訪問(wèn)控制過(guò)濾器?JwtAuthenticationFilter,在授權(quán)時(shí)解析令牌和設(shè)置登錄狀態(tài)
5. 指定了退出登錄處理器,因?yàn)槭乔昂蠖朔蛛x,防止內(nèi)置的登錄處理器在后臺(tái)進(jìn)行跳轉(zhuǎn)
WebSecurityConfig.java
package com.louis.springboot.spring.security.config;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;import com.louis.springboot.spring.security.security.JwtAuthenticationFilter; import com.louis.springboot.spring.security.security.JwtAuthenticationProvider; import com.louis.springboot.spring.security.security.JwtLoginFilter;/*** Security Config* @author Louis* @date Nov 28, 2018*/ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserDetailsService userDetailsService;@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {// 使用自定義登錄身份認(rèn)證組件auth.authenticationProvider(new JwtAuthenticationProvider(userDetailsService));}@Overrideprotected void configure(HttpSecurity http) throws Exception {// 禁用 csrf, 由于使用的是JWT,我們這里不需要csrf http.cors().and().csrf().disable().authorizeRequests()// 跨域預(yù)檢請(qǐng)求.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()// 登錄URL.antMatchers("/login").permitAll()// swagger.antMatchers("/swagger-ui.html").permitAll().antMatchers("/swagger-resources").permitAll().antMatchers("/v2/api-docs").permitAll().antMatchers("/webjars/springfox-swagger-ui/**").permitAll()// 其他所有請(qǐng)求需要身份認(rèn)證 .anyRequest().authenticated();// 退出登錄處理器http.logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());// 開(kāi)啟登錄認(rèn)證流程過(guò)濾器http.addFilterBefore(new JwtLoginFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);// 訪問(wèn)控制時(shí)登錄狀態(tài)檢查過(guò)濾器http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);}@Bean@Overridepublic AuthenticationManager authenticationManager() throws Exception {return super.authenticationManager();}}登錄認(rèn)證觸發(fā)過(guò)濾器
JwtLoginFilter 是在通過(guò)訪問(wèn) /login 的POST請(qǐng)求是被首先被觸發(fā)的過(guò)濾器,默認(rèn)實(shí)現(xiàn)是?UsernamePasswordAuthenticationFilter,它繼承了 AbstractAuthenticationProcessingFilter,抽象父類的 doFilter 定義了登錄認(rèn)證的大致操作流程,這里我們的 JwtLoginFilter 繼承了 UsernamePasswordAuthenticationFilter,并進(jìn)行了兩個(gè)主要內(nèi)容的定制。
1. 覆寫(xiě)認(rèn)證方法,修改用戶名、密碼的獲取方式,具體原因看代碼注釋
2. 覆寫(xiě)認(rèn)證成功后的操作,移除后臺(tái)跳轉(zhuǎn),添加生成令牌并返回給客戶端
JwtLoginFilter.java
package com.louis.springboot.spring.security.security;import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.nio.charset.Charset;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; import com.louis.springboot.spring.security.utils.HttpUtils; import com.louis.springboot.spring.security.utils.JwtTokenUtils;/*** 啟動(dòng)登錄認(rèn)證流程過(guò)濾器* @author Louis* @date Nov 28, 2018*/ public class JwtLoginFilter extends UsernamePasswordAuthenticationFilter {public JwtLoginFilter(AuthenticationManager authManager) {setAuthenticationManager(authManager);}@Overridepublic void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {// POST 請(qǐng)求 /login 登錄時(shí)攔截, 由此方法觸發(fā)執(zhí)行登錄認(rèn)證流程,可以在此覆寫(xiě)整個(gè)登錄認(rèn)證邏輯super.doFilter(req, res, chain); }@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {// 可以在此覆寫(xiě)嘗試進(jìn)行登錄認(rèn)證的邏輯,登錄成功之后等操作不再此方法內(nèi)// 如果使用此過(guò)濾器來(lái)觸發(fā)登錄認(rèn)證流程,注意登錄請(qǐng)求數(shù)據(jù)格式的問(wèn)題// 此過(guò)濾器的用戶名密碼默認(rèn)從request.getParameter()獲取,但是這種// 讀取方式不能讀取到如 application/json 等 post 請(qǐng)求數(shù)據(jù),需要把// 用戶名密碼的讀取邏輯修改為到流中讀取request.getInputStream() String body = getBody(request);JSONObject jsonObject = JSON.parseObject(body);String username = jsonObject.getString("username");String password = jsonObject.getString("password");if (username == null) {username = "";}if (password == null) {password = "";}username = username.trim();JwtAuthenticatioToken authRequest = new JwtAuthenticatioToken(username, password);// Allow subclasses to set the "details" property setDetails(request, authRequest);return this.getAuthenticationManager().authenticate(authRequest);}@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,Authentication authResult) throws IOException, ServletException {// 存儲(chǔ)登錄認(rèn)證信息到上下文 SecurityContextHolder.getContext().setAuthentication(authResult);// 記住我服務(wù) getRememberMeServices().loginSuccess(request, response, authResult);// 觸發(fā)事件監(jiān)聽(tīng)器if (this.eventPublisher != null) {eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));}// 生成并返回token給客戶端,后續(xù)訪問(wèn)攜帶此tokenJwtAuthenticatioToken token = new JwtAuthenticatioToken(null, null, JwtTokenUtils.generateToken(authResult));HttpUtils.write(response, token);}/**?* 獲取請(qǐng)求Body* @param request* @return*/public String getBody(HttpServletRequest request) {StringBuilder sb = new StringBuilder();InputStream inputStream = null;BufferedReader reader = null;try {inputStream = request.getInputStream();reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));String line = "";while ((line = reader.readLine()) != null) {sb.append(line);}} catch (IOException e) {e.printStackTrace();} finally {if (inputStream != null) {try {inputStream.close();} catch (IOException e) {e.printStackTrace();}}if (reader != null) {try {reader.close();} catch (IOException e) {e.printStackTrace();}}}return sb.toString();} }登錄控制器
除了使用上面的登錄認(rèn)證過(guò)濾器攔截 /login Post請(qǐng)求之外,我們也可以不使用上面的過(guò)濾器,通過(guò)自定義登錄接口實(shí)現(xiàn),只要在登錄接口手動(dòng)觸發(fā)登錄流程并生產(chǎn)令牌即可。
其實(shí) Spring Security 的登錄認(rèn)證過(guò)程只需 調(diào)用?AuthenticationManager 的?authenticate(Authentication authentication) 方法,最終返回認(rèn)證成功的?Authentication 實(shí)現(xiàn)類并存儲(chǔ)到SpringContexHolder 上下文即可,這樣后面授權(quán)的時(shí)候就可以從 SpringContexHolder 中獲取登錄認(rèn)證信息,并根據(jù)其中的用戶信息和權(quán)限信息決定是否進(jìn)行授權(quán)。
LoginController.java
package com.louis.springboot.spring.security.controller;import java.io.IOException;import javax.servlet.http.HttpServletRequest;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController;import com.louis.springboot.spring.security.security.JwtAuthenticatioToken; import com.louis.springboot.spring.security.utils.SecurityUtils; import com.louis.springboot.spring.security.vo.HttpResult; import com.louis.springboot.spring.security.vo.LoginBean;/*** 登錄控制器* @author Louis* @date Nov 28, 2018*/ @RestController public class LoginController {@Autowiredprivate AuthenticationManager authenticationManager;/*** 登錄接口*/@PostMapping(value = "/login")public HttpResult login(@RequestBody LoginBean loginBean, HttpServletRequest request) throws IOException {String username = loginBean.getUsername();String password = loginBean.getPassword();// 系統(tǒng)登錄認(rèn)證JwtAuthenticatioToken token = SecurityUtils.login(request, username, password, authenticationManager);return HttpResult.ok(token);}}注意:如果使用此登錄控制器觸發(fā)登錄認(rèn)證,需要禁用登錄認(rèn)證過(guò)濾器,即將?WebSecurityConfig 中的以下配置項(xiàng)注釋即可,否則訪問(wèn)登錄接口會(huì)被過(guò)濾攔截,執(zhí)行不會(huì)再進(jìn)入此登錄接口,大家根據(jù)使用習(xí)慣二選一即可。
// 開(kāi)啟登錄認(rèn)證流程過(guò)濾器,如果使用LoginController的login接口, 需要注釋掉此過(guò)濾器,根據(jù)使用習(xí)慣二選一即可 http.addFilterBefore(new JwtLoginFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);如下是登錄認(rèn)證的邏輯, 可以看到部分邏輯跟上面的登錄認(rèn)證過(guò)濾器差不多。
1.?執(zhí)行登錄認(rèn)證過(guò)程,通過(guò)調(diào)用 AuthenticationManager 的 authenticate(token) 方法實(shí)現(xiàn)
2. 將認(rèn)證成功的認(rèn)證信息存儲(chǔ)到上下文,供后續(xù)訪問(wèn)授權(quán)的時(shí)候獲取使用
3. 通過(guò)JWT生成令牌并返回給客戶端,后續(xù)訪問(wèn)和操作都需要攜帶此令牌
SecurityUtils.java
/*** Security相關(guān)操作* @author Louis* @date Nov 28, 2018*/ public class SecurityUtils {/*** 系統(tǒng)登錄認(rèn)證* @param request* @param username* @param password* @param authenticationManager* @return*/public static JwtAuthenticatioToken login(HttpServletRequest request, String username, String password, AuthenticationManager authenticationManager) {JwtAuthenticatioToken token = new JwtAuthenticatioToken(username, password);token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));// 執(zhí)行登錄認(rèn)證過(guò)程Authentication authentication = authenticationManager.authenticate(token);// 認(rèn)證成功存儲(chǔ)認(rèn)證信息到上下文 SecurityContextHolder.getContext().setAuthentication(authentication);// 生成令牌并返回給客戶端 token.setToken(JwtTokenUtils.generateToken(authentication));return token;}...
}
令牌生成器
我們令牌是使用JWT生成的,下面是令牌生成的簡(jiǎn)要邏輯,詳細(xì)參見(jiàn)源碼。
JwtTokenUtils.java
/*** JWT工具類* @author Louis* @date Nov 28, 2018*/ public class JwtTokenUtils implements Serializable {.../*** 生成令牌** @param userDetails 用戶* @return 令牌*/public static String generateToken(Authentication authentication) {Map<String, Object> claims = new HashMap<>(3);claims.put(USERNAME, SecurityUtils.getUsername(authentication));claims.put(CREATED, new Date());claims.put(AUTHORITIES, authentication.getAuthorities());return generateToken(claims);}/*** 從數(shù)據(jù)聲明生成令牌** @param claims 數(shù)據(jù)聲明* @return 令牌*/private static String generateToken(Map<String, Object> claims) {Date expirationDate = new Date(System.currentTimeMillis() + EXPIRE_TIME);return Jwts.builder().setClaims(claims).setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, SECRET).compact();}...}登錄身份認(rèn)證組件
上面說(shuō)到登錄認(rèn)證是通過(guò)調(diào)用 AuthenticationManager 的 authenticate(token) 方法實(shí)現(xiàn)的,而?AuthenticationManager 又是通過(guò)調(diào)用?AuthenticationProvider 的?authenticate(Authentication authentication) 來(lái)完成認(rèn)證的,所以通過(guò)定制?AuthenticationProvider 也可以完成各種自定義的需求,我們這里只是簡(jiǎn)單的繼承?DaoAuthenticationProvider 展示如何自定義,具體的大家可以根據(jù)各自的需求按需定制。
JwtAuthenticationProvider.java
package com.louis.springboot.spring.security.security;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;/*** 身份驗(yàn)證提供者* @author Louis* @date Nov 20, 2018*/ public class JwtAuthenticationProvider extends DaoAuthenticationProvider {public JwtAuthenticationProvider(UserDetailsService userDetailsService) {setUserDetailsService(userDetailsService);setPasswordEncoder(new BCryptPasswordEncoder());}@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {// 可以在此處覆寫(xiě)整個(gè)登錄認(rèn)證邏輯return super.authenticate(authentication);}@Overrideprotected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication)throws AuthenticationException {// 可以在此處覆寫(xiě)密碼驗(yàn)證邏輯super.additionalAuthenticationChecks(userDetails, authentication);}}認(rèn)證信息獲取服務(wù)
通過(guò)跟蹤代碼運(yùn)行,我們發(fā)現(xiàn)像默認(rèn)使用的?DaoAuthenticationProvider,在認(rèn)證的使用都是通過(guò)一個(gè)叫?UserDetailsService 的來(lái)獲取用戶認(rèn)證所需信息的。
AbstractUserDetailsAuthenticationProvider 定義了在 authenticate 方法中通過(guò)?retrieveUser 方法獲取用戶信息,子類?DaoAuthenticationProvider 通過(guò)?UserDetailsService 來(lái)進(jìn)行獲取, 一般情況,這個(gè)?UserDetailsService 需要我們自定義,實(shí)現(xiàn)從用戶服務(wù)獲取用戶和權(quán)限信息封裝到?UserDetails 的實(shí)現(xiàn)類。
AbstractUserDetailsAuthenticationProvider.java
public Authentication authenticate(Authentication authentication) throws AuthenticationException {...if (user == null) {cacheWasUsed = false;try {user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);}...return createSuccessAuthentication(principalToReturn, authentication, user);}
DaoAuthenticationProvider.java
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)throws AuthenticationException {try {UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);return loadedUser;}...}
我們自定義的?UserDetailsService,從我們的用戶服務(wù)?UserService 中獲取用戶和權(quán)限信息。
UserDetailsServiceImpl.java
package com.louis.springboot.spring.security.security; import java.util.List; import java.util.Set; import java.util.stream.Collectors;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service;import com.louis.springboot.spring.security.model.User; import com.louis.springboot.spring.security.service.UserService;/*** 用戶登錄認(rèn)證信息查詢* @author Louis* @date Nov 20, 2018*/ @Service public class UserDetailsServiceImpl implements UserDetailsService {@Autowiredprivate UserService userService;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userService.findByUsername(username);if (user == null) {throw new UsernameNotFoundException("該用戶不存在");}// 用戶權(quán)限列表,根據(jù)用戶擁有的權(quán)限標(biāo)識(shí)與如 @PreAuthorize("hasAuthority('sys:menu:view')") 標(biāo)注的接口對(duì)比,決定是否可以調(diào)用接口Set<String> permissions = userService.findPermissions(username);List<GrantedAuthority> grantedAuthorities = permissions.stream().map(GrantedAuthorityImpl::new).collect(Collectors.toList());return new JwtUserDetails(username, user.getPassword(), grantedAuthorities);} }一般而言,定制?UserDetailsService?就可以滿足大部分需求了,在?UserDetailsService?滿足不了我們的需求的時(shí)候考慮定制?AuthenticationProvider。
如果直接定制UserDetailsService?,而不自定義 AuthenticationProvider,可以直接在配置文件 WebSecurityConfig 中這樣配置。
WebSecurityConfig.java
@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {// 指定自定義的獲取信息獲取服務(wù) auth.userDetailsService(userDetailsService)}用戶認(rèn)證信息
上面 UserDetailsService 加載好用戶認(rèn)證信息后會(huì)封裝認(rèn)證信息到一個(gè) UserDetails 的實(shí)現(xiàn)類。
默認(rèn)實(shí)現(xiàn)是 User 類,我們這里沒(méi)有特殊需要,簡(jiǎn)單繼承即可,復(fù)雜需求可以在此基礎(chǔ)上進(jìn)行拓展。
JwtUserDetails.java
package com.louis.springboot.spring.security.security; import java.util.Collection;import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.User;/*** 安全用戶模型* @author Louis* @date Nov 28, 2018*/ public class JwtUserDetails extends User {private static final long serialVersionUID = 1L;public JwtUserDetails(String username, String password, Collection<? extends GrantedAuthority> authorities) {this(username, password, true, true, true, true, authorities);}public JwtUserDetails(String username, String password, boolean enabled, boolean accountNonExpired,boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);}}用戶操作代碼
簡(jiǎn)單的用戶模型,包含用戶名密碼。
User.java
package com.louis.springboot.spring.security.model;/*** 用戶模型* @author Louis* @date Nov 28, 2018*/ public class User {private Long id;private String username;private String password;...}用戶服務(wù)接口,只提供簡(jiǎn)單的用戶查詢和權(quán)限查詢接口用于模擬。
UserService.java
/*** 用戶管理* @author Louis* @date Nov 28, 2018*/ public interface UserService {/*** 根據(jù)用戶名查找用戶* @param username* @return*/User findByUsername(String username);/*** 查找用戶的菜單權(quán)限標(biāo)識(shí)集合* @param userName* @return*/Set<String> findPermissions(String username);}用戶服務(wù)實(shí)現(xiàn),只簡(jiǎn)單獲取返回模擬數(shù)據(jù),實(shí)際場(chǎng)景根據(jù)情況從DAO獲取即可。
SysUserServiceImpl.java
@Service public class SysUserServiceImpl implements UserService {@Overridepublic User findByUsername(String username) {User user = new User();user.setId(1L);user.setUsername(username);String password = new BCryptPasswordEncoder().encode("123");user.setPassword(password);return user;}@Overridepublic Set<String> findPermissions(String username) {Set<String> permissions = new HashSet<>();permissions.add("sys:user:view");permissions.add("sys:user:add");permissions.add("sys:user:edit");return permissions;}}用戶控制器,提供三個(gè)測(cè)試接口,其中權(quán)限列表中未包含刪除接口定義的權(quán)限('sys:user:delete'),登錄之后也將無(wú)權(quán)限調(diào)用。
UserController.java
/*** 用戶控制器* @author Louis * @date Oct 31, 2018*/ @RestController @RequestMapping("user") public class UserController {@PreAuthorize("hasAuthority('sys:user:view')")@GetMapping(value="/findAll")public HttpResult findAll() {return HttpResult.ok("the findAll service is called success.");}@PreAuthorize("hasAuthority('sys:user:edit')")@GetMapping(value="/edit")public HttpResult edit() {return HttpResult.ok("the edit service is called success.");}@PreAuthorize("hasAuthority('sys:user:delete')")@GetMapping(value="/delete")public HttpResult delete() {return HttpResult.ok("the delete service is called success.");}}登錄認(rèn)證檢查過(guò)濾器
訪問(wèn)接口的時(shí)候,登錄認(rèn)證檢查過(guò)濾器 JwtAuthenticationFilter 會(huì)攔截請(qǐng)求校驗(yàn)令牌和登錄狀態(tài),并根據(jù)情況設(shè)置登錄狀態(tài)。
JwtAuthenticationFilter.java
/*** 登錄認(rèn)證檢查過(guò)濾器* @author Louis* @date Nov 20, 2018*/ public class JwtAuthenticationFilter extends BasicAuthenticationFilter {@Autowiredpublic JwtAuthenticationFilter(AuthenticationManager authenticationManager) {super(authenticationManager);}@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {// 獲取token, 并檢查登錄狀態(tài) SecurityUtils.checkAuthentication(request);chain.doFilter(request, response);}}SecurityUtils.java
/*** 獲取令牌進(jìn)行認(rèn)證* @param request*/public static void checkAuthentication(HttpServletRequest request) {// 獲取令牌并根據(jù)令牌獲取登錄認(rèn)證信息Authentication authentication = JwtTokenUtils.getAuthenticationeFromToken(request);// 設(shè)置登錄認(rèn)證信息到上下文 SecurityContextHolder.getContext().setAuthentication(authentication);}JwtTokenUtils.java
/*** 根據(jù)請(qǐng)求令牌獲取登錄認(rèn)證信息* @param token 令牌* @return 用戶名*/public static Authentication getAuthenticationeFromToken(HttpServletRequest request) {Authentication authentication = null;// 獲取請(qǐng)求攜帶的令牌String token = JwtTokenUtils.getToken(request);if(token != null) {// 請(qǐng)求令牌不能為空if(SecurityUtils.getAuthentication() == null) {// 上下文中Authentication為空Claims claims = getClaimsFromToken(token);if(claims == null) {return null;}String username = claims.getSubject();if(username == null) {return null;}if(isTokenExpired(token)) {return null;}Object authors = claims.get(AUTHORITIES);List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();if (authors != null && authors instanceof List) {for (Object object : (List) authors) {authorities.add(new GrantedAuthorityImpl((String) ((Map) object).get("authority")));}}authentication = new JwtAuthenticatioToken(username, null, authorities, token);} else {if(validateToken(token, SecurityUtils.getUsername())) {// 如果上下文中Authentication非空,且請(qǐng)求令牌合法,直接返回當(dāng)前登錄認(rèn)證信息authentication = SecurityUtils.getAuthentication();}}}return authentication;}接口測(cè)試
找到 SpringSecurityApplication, 啟動(dòng)程序, 訪問(wèn)?http://localhost:8080/swagger-ui.html,進(jìn)入Swagger。
?
我們先再未登錄沒(méi)有令牌的時(shí)候直接訪問(wèn)接口,發(fā)現(xiàn)都返回?zé)o權(quán)限,禁止訪問(wèn)的結(jié)果。
返回拒絕訪問(wèn)結(jié)果。
?打開(kāi) LoginController,輸入我們用戶名和密碼(username:amdin, password:123)
?登錄成功之后,成功返回令牌,如下圖所示。
?
拷貝返回的令牌,粘貼到令牌參數(shù)輸入框,再次訪問(wèn) /user/edit 接口。
這個(gè)時(shí)候,成功的返回了結(jié)果:?the edit service is called success.
同樣的,拷貝返回的令牌,粘貼到令牌參數(shù)輸入框,訪問(wèn) /user/delete 接口。
發(fā)現(xiàn)還是返回拒絕訪問(wèn)的結(jié)果,那是因?yàn)樵L問(wèn)這個(gè)接口需要 'sys:user:delete' 權(quán)限,而我們之前返回的權(quán)限列表中并沒(méi)有包含,所以授權(quán)訪問(wèn)失敗。
我們修改一下?SysUserServiceImpl,添加上‘sys:user:delete’ 權(quán)限,重新登錄,再次訪問(wèn)一遍。
發(fā)現(xiàn)刪除接口也可以訪問(wèn)了,記住務(wù)必要重新調(diào)用登錄接口,獲取令牌后拷貝到刪除接口,再次訪問(wèn)刪除接口。
到此,Spring Security 的講解就結(jié)束了,本人知識(shí)有限,有不正確的地方,煩請(qǐng)指正,不盡感激。
?
源碼下載
碼云:https://gitee.com/liuge1988/spring-boot-demo.git
作者:朝雨憶輕塵
出處:https://www.cnblogs.com/xifengxiaoma/?
版權(quán)所有,歡迎轉(zhuǎn)載,轉(zhuǎn)載請(qǐng)注明原文作者及出處。
轉(zhuǎn)載于:https://www.cnblogs.com/xifengxiaoma/p/10020960.html
總結(jié)
以上是生活随笔為你收集整理的Spring Security 案例实现和执行流程剖析的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: linux如何抓包是什么,linux抓包
- 下一篇: 56、servlet3.0-与Sprin