本文主要讲解mall通过整合SpringSecurity和JWT实现后台用户的登录和授权功能，同时改造Swagger-UI的配置使其可以自动记住登录令牌进行发送。

项目使用框架介绍

SpringSecurity

SpringSecurity是一个强大的可高度定制的认证和授权框架，对于Spring应用来说它是一套Web安全标准。SpringSecurity注重于为Java应用提供认证和授权功能，像所有的Spring项目一样，它对自定义需求具有强大的扩展性。

JWT

JWT是JSON WEB TOKEN的缩写，它是基于 RFC 7519 标准定义的一种可以安全传输的的JSON对象，由于使用了数字签名，所以是可信任和安全的。

JWT的组成

• JWT token的格式：header.payload.signature

• header中用于存放签名的生成算法

1. {"alg": "HS512"}

• payload中用于存放用户名、token的生成时间和过期时间

1. {"sub":"admin","created":1489079981393,"exp":1489684781}

• signature为以header和payload生成的签名，一旦header和payload被篡改，验证将失败

1. //secret为加密算法的密钥

2. String signature = HMACSHA512(base64UrlEncode(header) + "." +base64UrlEncode(payload),secret)

JWT实例

这是一个JWT的字符串

1. eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImNyZWF0ZWQiOjE1NTY3NzkxMjUzMDksImV4cCI6MTU1NzM4MzkyNX0.d-iki0193X0bBOETf2UN3r3PotNIEAV7mzIxxeI5IxFyzzkOZxS0PGfF_SK6wxCv2K8S0cZjMkv6b5bCqc0VBw

可以在该网站上获得解析结果：https://jwt.io/

JWT实现认证和授权的原理

• 用户调用登录接口，登录成功后获取到JWT的token；

• 之后用户每次调用接口都在http的header中添加一个叫Authorization的头，值为JWT的token；

• 后台程序通过对Authorization头中信息的解码及数字签名校验来获取其中的用户信息，从而实现认证和授权。

Hutool

Hutool是一个丰富的Java开源工具包,它帮助我们简化每一行代码，减少每一个方法，mall项目采用了此工具包。

项目使用表说明

• ums_admin：后台用户表

• ums_role：后台用户角色表

• ums_permission：后台用户权限表

• ums_admin_role_relation：后台用户和角色关系表，用户与角色是多对多关系

• ums_role_permission_relation：后台用户角色和权限关系表，角色与权限是多对多关系

• ums_admin_permission_relation：后台用户和权限关系表(除角色中定义的权限以外的加减权限)，加权限是指用户比角色多出的权限，减权限是指用户比角色少的权限

整合SpringSecurity及JWT

在pom.xml中添加项目依赖

1. <!--SpringSecurity依赖配置-->

2. <dependency>

3. <groupId>org.springframework.boot</groupId>

4. <artifactId>spring-boot-starter-security</artifactId>

5. </dependency>

6. <!--Hutool Java工具包-->

7. <dependency>

8. <groupId>cn.hutool</groupId>

9. <artifactId>hutool-all</artifactId>

10. <version>4.5.7</version>

11. </dependency>

12. <!--JWT(Json Web Token)登录支持-->

13. <dependency>

14. <groupId>io.jsonwebtoken</groupId>

15. <artifactId>jjwt</artifactId>

16. <version>0.9.0</version>

17. </dependency>

添加JWT token的工具类

用于生成和解析JWT token的工具类

相关方法说明：

• generateToken(UserDetails userDetails) :用于根据登录用户信息生成token

• getUserNameFromToken(String token)：从token中获取登录用户的信息

• validateToken(String token, UserDetails userDetails)：判断token是否还有效

1. package com.macro.mall.tiny.common.utils;

2. 
   

3. import io.jsonwebtoken.Claims;

4. import io.jsonwebtoken.Jwts;

5. import io.jsonwebtoken.SignatureAlgorithm;

6. import org.slf4j.Logger;

7. import org.slf4j.LoggerFactory;

8. import org.springframework.beans.factory.annotation.Value;

9. import org.springframework.security.core.userdetails.UserDetails;

10. import org.springframework.stereotype.Component;

11. 
    

12. import java.util.Date;

13. import java.util.HashMap;

14. import java.util.Map;

15. 
    

16. /**

17. * JwtToken生成的工具类

18. * Created by macro on 2018/4/26.

19. */

20. @Component

21. public class JwtTokenUtil {

22. private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);

23. private static final String CLAIM_KEY_USERNAME = "sub";

24. private static final String CLAIM_KEY_CREATED = "created";

25. @Value("${jwt.secret}")

26. private String secret;

27. @Value("${jwt.expiration}")

28. private Long expiration;

29. 
    

30. /**

31. * 根据负责生成JWT的token

32. */

33. private String generateToken(Map<String, Object> claims) {

34. return Jwts.builder()

35. .setClaims(claims)

36. .setExpiration(generateExpirationDate())

37. .signWith(SignatureAlgorithm.HS512, secret)

38. .compact();

39. }

40. 
    

41. /**

42. * 从token中获取JWT中的负载

43. */

44. private Claims getClaimsFromToken(String token) {

45. Claims claims = null;

46. try {

47. claims = Jwts.parser()

48. .setSigningKey(secret)

49. .parseClaimsJws(token)

50. .getBody();

51. } catch (Exception e) {

52. LOGGER.info("JWT格式验证失败:{}",token);

53. }

54. return claims;

55. }

56. 
    

57. /**

58. * 生成token的过期时间

59. */

60. private Date generateExpirationDate() {

61. return new Date(System.currentTimeMillis() + expiration * 1000);

62. }

63. 
    

64. /**

65. * 从token中获取登录用户名

66. */

67. public String getUserNameFromToken(String token) {

68. String username;

69. try {

70. Claims claims = getClaimsFromToken(token);

71. username = claims.getSubject();

72. } catch (Exception e) {

73. username = null;

74. }

75. return username;

76. }

77. 
    

78. /**

79. * 验证token是否还有效

80. *

81. * @param token 客户端传入的token

82. * @param userDetails 从数据库中查询出来的用户信息

83. */

84. public boolean validateToken(String token, UserDetails userDetails) {

85. String username = getUserNameFromToken(token);

86. return username.equals(userDetails.getUsername()) && !isTokenExpired(token);

87. }

88. 
    

89. /**

90. * 判断token是否已经失效

91. */

92. private boolean isTokenExpired(String token) {

93. Date expiredDate = getExpiredDateFromToken(token);

94. return expiredDate.before(new Date());

95. }

96. 
    

97. /**

98. * 从token中获取过期时间

99. */

100. private Date getExpiredDateFromToken(String token) {

101. Claims claims = getClaimsFromToken(token);

102. return claims.getExpiration();

103. }

104. 
     

105. /**

106. * 根据用户信息生成token

107. */

108. public String generateToken(UserDetails userDetails) {

109. Map<String, Object> claims = new HashMap<>();

110. claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());

111. claims.put(CLAIM_KEY_CREATED, new Date());

112. return generateToken(claims);

113. }

114. 
     

115. /**

116. * 判断token是否可以被刷新

117. */

118. public boolean canRefresh(String token) {

119. return !isTokenExpired(token);

120. }

121. 
     

122. /**

123. * 刷新token

124. */

125. public String refreshToken(String token) {

126. Claims claims = getClaimsFromToken(token);

127. claims.put(CLAIM_KEY_CREATED, new Date());

128. return generateToken(claims);

129. }

130. }

添加SpringSecurity的配置类

1. package com.macro.mall.tiny.config;

2. 
   

3. import com.macro.mall.tiny.component.JwtAuthenticationTokenFilter;

4. import com.macro.mall.tiny.component.RestAuthenticationEntryPoint;

5. import com.macro.mall.tiny.component.RestfulAccessDeniedHandler;

6. import com.macro.mall.tiny.dto.AdminUserDetails;

7. import com.macro.mall.tiny.mbg.model.UmsAdmin;

8. import com.macro.mall.tiny.mbg.model.UmsPermission;

9. import com.macro.mall.tiny.service.UmsAdminService;

10. import org.springframework.beans.factory.annotation.Autowired;

11. import org.springframework.context.annotation.Bean;

12. import org.springframework.context.annotation.Configuration;

13. import org.springframework.http.HttpMethod;

14. import org.springframework.security.authentication.AuthenticationManager;

15. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

16. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

17. import org.springframework.security.config.annotation.web.builders.HttpSecurity;

18. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

19. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

20. import org.springframework.security.config.http.SessionCreationPolicy;

21. import org.springframework.security.core.userdetails.UserDetailsService;

22. import org.springframework.security.core.userdetails.UsernameNotFoundException;

23. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

24. import org.springframework.security.crypto.password.PasswordEncoder;

25. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

26. 
    

27. import java.util.List;

28. 
    

29. 
    

30. /**

31. * SpringSecurity的配置

32. * Created by macro on 2018/4/26.

33. */

34. @Configuration

35. @EnableWebSecurity

36. @EnableGlobalMethodSecurity(prePostEnabled=true)

37. public class SecurityConfig extends WebSecurityConfigurerAdapter {

38. @Autowired

39. private UmsAdminService adminService;

40. @Autowired

41. private RestfulAccessDeniedHandler restfulAccessDeniedHandler;

42. @Autowired

43. private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

44. 
    

45. @Override

46. protected void configure(HttpSecurity httpSecurity) throws Exception {

47. httpSecurity.csrf()// 由于使用的是JWT，我们这里不需要csrf

48. .disable()

49. .sessionManagement()// 基于token，所以不需要session

50. .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

51. .and()

52. .authorizeRequests()

53. .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问

54. "/",

55. "/*.html",

56. "/favicon.ico",

57. "/**/*.html",

58. "/**/*.css",

59. "/**/*.js",

60. "/swagger-resources/**",

61. "/v2/api-docs/**"

62. )

63. .permitAll()

64. .antMatchers("/admin/login", "/admin/register")// 对登录注册要允许匿名访问

65. .permitAll()

66. .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求

67. .permitAll()

68. // .antMatchers("/**")//测试时全部运行访问

69. // .permitAll()

70. .anyRequest()// 除上面外的所有请求全部需要鉴权认证

71. .authenticated();

72. // 禁用缓存

73. httpSecurity.headers().cacheControl();

74. // 添加JWT filter

75. httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);

76. //添加自定义未授权和未登录结果返回

77. httpSecurity.exceptionHandling()

78. .accessDeniedHandler(restfulAccessDeniedHandler)

79. .authenticationEntryPoint(restAuthenticationEntryPoint);

80. }

81. 
    

82. @Override

83. protected void configure(AuthenticationManagerBuilder auth) throws Exception {

84. auth.userDetailsService(userDetailsService())

85. .passwordEncoder(passwordEncoder());

86. }

87. 
    

88. @Bean

89. public PasswordEncoder passwordEncoder() {

90. return new BCryptPasswordEncoder();

91. }

92. 
    

93. @Bean

94. public UserDetailsService userDetailsService() {

95. //获取登录用户信息

96. return username -> {

97. UmsAdmin admin = adminService.getAdminByUsername(username);

98. if (admin != null) {

99. List<UmsPermission> permissionList = adminService.getPermissionList(admin.getId());

100. return new AdminUserDetails(admin,permissionList);

101. }

102. throw new UsernameNotFoundException("用户名或密码错误");

103. };

104. }

105. 
     

106. @Bean

107. public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){

108. return new JwtAuthenticationTokenFilter();

109. }

110. 
     

111. @Bean

112. @Override

113. public AuthenticationManager authenticationManagerBean() throws Exception {

114. return super.authenticationManagerBean();

115. }

116. 
     

117. }

相关依赖及方法说明

• configure(HttpSecurity httpSecurity)：用于配置需要拦截的url路径、jwt过滤器及出异常后的处理器；

• configure(AuthenticationManagerBuilder auth)：用于配置UserDetailsService及PasswordEncoder；

• RestfulAccessDeniedHandler：当用户没有访问权限时的处理器，用于返回JSON格式的处理结果；

• RestAuthenticationEntryPoint：当未登录或token失效时，返回JSON格式的结果；

• UserDetailsService:SpringSecurity定义的核心接口，用于根据用户名获取用户信息，需要自行实现；

• UserDetails：SpringSecurity定义用于封装用户信息的类（主要是用户信息和权限），需要自行实现；

• PasswordEncoder：SpringSecurity定义的用于对密码进行编码及比对的接口，目前使用的是BCryptPasswordEncoder；

• JwtAuthenticationTokenFilter：在用户名和密码校验前添加的过滤器，如果有jwt的token，会自行根据token信息进行登录。

添加RestfulAccessDeniedHandler

1. package com.macro.mall.tiny.component;

2. 
   

3. import cn.hutool.json.JSONUtil;

4. import com.macro.mall.tiny.common.api.CommonResult;

5. import org.springframework.security.access.AccessDeniedException;

6. import org.springframework.security.web.access.AccessDeniedHandler;

7. import org.springframework.stereotype.Component;

8. 
   

9. import javax.servlet.ServletException;

10. import javax.servlet.http.HttpServletRequest;

11. import javax.servlet.http.HttpServletResponse;

12. import java.io.IOException;

13. 
    

14. /**

15. * 当访问接口没有权限时，自定义的返回结果

16. * Created by macro on 2018/4/26.

17. */

18. @Component

19. public class RestfulAccessDeniedHandler implements AccessDeniedHandler{

20. @Override

21. public void handle(HttpServletRequest request,

22. HttpServletResponse response,

23. AccessDeniedException e) throws IOException, ServletException {

24. response.setCharacterEncoding("UTF-8");

25. response.setContentType("application/json");

26. response.getWriter().println(JSONUtil.parse(CommonResult.forbidden(e.getMessage())));

27. response.getWriter().flush();

28. }

29. }

添加RestAuthenticationEntryPoint

1. package com.macro.mall.tiny.component;

2. 
   

3. import cn.hutool.json.JSONUtil;

4. import com.macro.mall.tiny.common.api.CommonResult;

5. import org.springframework.security.core.AuthenticationException;

6. import org.springframework.security.web.AuthenticationEntryPoint;

7. import org.springframework.stereotype.Component;

8. 
   

9. import javax.servlet.ServletException;

10. import javax.servlet.http.HttpServletRequest;

11. import javax.servlet.http.HttpServletResponse;

12. import java.io.IOException;

13. 
    

14. /**

15. * 当未登录或者token失效访问接口时，自定义的返回结果

16. * Created by macro on 2018/5/14.

17. */

18. @Component

19. public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

20. @Override

21. public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {

22. response.setCharacterEncoding("UTF-8");

23. response.setContentType("application/json");

24. response.getWriter().println(JSONUtil.parse(CommonResult.unauthorized(authException.getMessage())));

25. response.getWriter().flush();

26. }

27. }

添加AdminUserDetails

1. package com.macro.mall.tiny.dto;

2. 
   

3. import com.macro.mall.tiny.mbg.model.UmsAdmin;

4. import com.macro.mall.tiny.mbg.model.UmsPermission;

5. import org.springframework.security.core.GrantedAuthority;

6. import org.springframework.security.core.authority.SimpleGrantedAuthority;

7. import org.springframework.security.core.userdetails.UserDetails;

8. 
   

9. import java.util.Collection;

10. import java.util.List;

11. import java.util.stream.Collectors;

12. 
    

13. /**

14. * SpringSecurity需要的用户详情

15. * Created by macro on 2018/4/26.

16. */

17. public class AdminUserDetails implements UserDetails {

18. private UmsAdmin umsAdmin;

19. private List<UmsPermission> permissionList;

20. public AdminUserDetails(UmsAdmin umsAdmin, List<UmsPermission> permissionList) {

21. this.umsAdmin = umsAdmin;

22. this.permissionList = permissionList;

23. }

24. 
    

25. @Override

26. public Collection<? extends GrantedAuthority> getAuthorities() {

27. //返回当前用户的权限

28. return permissionList.stream()

29. .filter(permission -> permission.getValue()!=null)

30. .map(permission ->new SimpleGrantedAuthority(permission.getValue()))

31. .collect(Collectors.toList());

32. }

33. 
    

34. @Override

35. public String getPassword() {

36. return umsAdmin.getPassword();

37. }

38. 
    

39. @Override

40. public String getUsername() {

41. return umsAdmin.getUsername();

42. }

43. 
    

44. @Override

45. public boolean isAccountNonExpired() {

46. return true;

47. }

48. 
    

49. @Override

50. public boolean isAccountNonLocked() {

51. return true;

52. }

53. 
    

54. @Override

55. public boolean isCredentialsNonExpired() {

56. return true;

57. }

58. 
    

59. @Override

60. public boolean isEnabled() {

61. return umsAdmin.getStatus().equals(1);

62. }

63. }

添加JwtAuthenticationTokenFilter

在用户名和密码校验前添加的过滤器，如果请求中有jwt的token且有效，会取出token中的用户名，然后调用SpringSecurity的API进行登录操作。

1. package com.macro.mall.tiny.component;

2. 
   

3. import com.macro.mall.tiny.common.utils.JwtTokenUtil;

4. import org.slf4j.Logger;

5. import org.slf4j.LoggerFactory;

6. import org.springframework.beans.factory.annotation.Autowired;

7. import org.springframework.beans.factory.annotation.Value;

8. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

9. import org.springframework.security.core.context.SecurityContextHolder;

10. import org.springframework.security.core.userdetails.UserDetails;

11. import org.springframework.security.core.userdetails.UserDetailsService;

12. import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

13. import org.springframework.web.filter.OncePerRequestFilter;

14. 
    

15. import javax.servlet.FilterChain;

16. import javax.servlet.ServletException;

17. import javax.servlet.http.HttpServletRequest;

18. import javax.servlet.http.HttpServletResponse;

19. import java.io.IOException;

20. 
    

21. /**

22. * JWT登录授权过滤器

23. * Created by macro on 2018/4/26.

24. */

25. public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

26. private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);

27. @Autowired

28. private UserDetailsService userDetailsService;

29. @Autowired

30. private JwtTokenUtil jwtTokenUtil;

31. @Value("${jwt.tokenHeader}")

32. private String tokenHeader;

33. @Value("${jwt.tokenHead}")

34. private String tokenHead;

35. 
    

36. @Override

37. protected void doFilterInternal(HttpServletRequest request,

38. HttpServletResponse response,

39. FilterChain chain) throws ServletException, IOException {

40. String authHeader = request.getHeader(this.tokenHeader);

41. if (authHeader != null && authHeader.startsWith(this.tokenHead)) {

42. String authToken = authHeader.substring(this.tokenHead.length());// The part after "Bearer "

43. String username = jwtTokenUtil.getUserNameFromToken(authToken);

44. LOGGER.info("checking username:{}", username);

45. if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

46. UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);

47. if (jwtTokenUtil.validateToken(authToken, userDetails)) {

48. UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());

49. authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

50. LOGGER.info("authenticated user:{}", username);

51. SecurityContextHolder.getContext().setAuthentication(authentication);

52. }

53. }

54. }

55. chain.doFilter(request, response);

56. }

57. }

项目源码地址

https://github.com/macrozheng/mall-learning/tree/master/mall-tiny-04

推荐阅读

• mall架构及功能概览

• mall学习所需知识点（推荐资料）

• mall整合SpringBoot+MyBatis搭建基本骨架

• mall整合Swagger-UI实现在线API文档

• mall整合Redis实现缓存功能

欢迎关注，点个在看