Spring Boot 2結合Spring security + JWT實現微信小程序登錄
項目源碼:https://gitee.com/tanwubo/jwt-spring-security-demo
登錄
通過自定義的WxAppletAuthenticationFilter
替換默認的UsernamePasswordAuthenticationFilter
,在UsernamePasswordAuthenticationFilter
中可任意定制自己的登錄方式。
用戶認證
需要結合JWT來實現用戶認證,第一步登錄成功後如何頒發token。
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Autowired private JwtTokenUtils jwtTokenUtils; @Override public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException { // 使用jwt管理,所以封裝用戶信息生成jwt響應給前端 String token = jwtTokenUtils.generateToken(((WxAppletAuthenticationToken)authentication).getOpenid()); Map<String, Object> result = Maps.newHashMap(); result.put(ConstantEnum.AUTHORIZATION.getValue(), token); httpServletResponse.setContentType(ContentType.JSON.toString()); httpServletResponse.getWriter().write(JSON.toJSONString(result)); } }
第二步,棄用spring security默認的session機制,通過token來管理用戶的登錄狀態。這裡有倆段關鍵代碼。
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable() .sessionManagement() // 不創建Session, 使用jwt來管理用戶的登錄狀態 .sessionCreationPolicy(SessionCreationPolicy.STATELESS) ......; }
第二步,添加token的認證過濾器。
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter { @Autowired private AuthService authService; @Autowired private JwtTokenUtils jwtTokenUtils; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { log.debug("processing authentication for [{}]", request.getRequestURI()); String token = request.getHeader(ConstantEnum.AUTHORIZATION.getValue()); String openid = null; if (token != null) { try { openid = jwtTokenUtils.getUsernameFromToken(token); } catch (IllegalArgumentException e) { log.error("an error occurred during getting username from token", e); throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage("an error occurred during getting username from token , token is [%s]", token)); } catch (ExpiredJwtException e) { log.warn("the token is expired and not valid anymore", e); throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage("the token is expired and not valid anymore, token is [%s]", token)); }catch (SignatureException e) { log.warn("JWT signature does not match locally computed signature", e); throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage("JWT signature does not match locally computed signature, token is [%s]", token)); } }else { log.warn("couldn't find token string"); } if (openid != null && SecurityContextHolder.getContext().getAuthentication() == null) { log.debug("security context was null, so authorizing user"); Account account = authService.findAccount(openid); List<Permission> permissions = authService.acquirePermission(account.getAccountId()); List<SimpleGrantedAuthority> authorities = permissions.stream().map(permission -> new SimpleGrantedAuthority(permission.getPermission())).collect(Collectors.toList()); log.info("authorized user [{}], setting security context", openid); SecurityContextHolder.getContext().setAuthentication(new WxAppletAuthenticationToken(openid, authorities)); } filterChain.doFilter(request, response); } }
接口鑒權
第一步,開啟註解@EnableGlobalMethodSecurity
。
@SpringBootApplication @EnableGlobalMethodSecurity(prePostEnabled = true) public class JwtSpringSecurityDemoApplication { public static void main(String[] args) { SpringApplication.run(JwtSpringSecurityDemoApplication.class, args); } }
第二部,在需要鑒權的接口上添加@PreAuthorize
註解。
@RestController @RequestMapping("/test") public class TestController { @GetMapping @PreAuthorize("hasAuthority('user:test')") public String test(){ return "test success"; } @GetMapping("/authority") @PreAuthorize("hasAuthority('admin:test')") public String authority(){ return "test authority success"; } }
到此這篇關於Spring Boot 2結合Spring security + JWT實現微信小程序登錄的文章就介紹到這瞭,更多相關Spring Boot Spring security JWT微信小程序登錄內容請搜索WalkonNet以前的文章或繼續瀏覽下面的相關文章希望大傢以後多多支持WalkonNet!
推薦閱讀:
- springboot+jwt+springSecurity微信小程序授權登錄問題
- SpringBoot整合SpringSecurity實現JWT認證的項目實踐
- Spring security如何重寫Filter實現json登錄
- Spring Security登陸流程講解
- Spring Security實現自動登陸功能示例