前言

这章我们来整合JWT，实现一个自定义的登录

一、认证流程

我先捋一下认证的流程，方便我们后面写自定义登录

核心的类就几个，分别是：
Authentication：用户认证
AbstractAuthenticationProcessingFilter：认证处理拦截器
AuthenticationManager：处理认证
AuthenticationProvider：具体做认证的
UserDetailsService：获取用户信息
AuthenticationSuccessHandler：认证成功处理器
AuthenticationFailureHandler：认证失败处理器

我们自定义登录其实也是就是根据我们自己的需求重写这几个类。

二、自定义登录

认证和授权相关的都放在base-security这个目录，方便我们后面做扩展；
自定义的这些类，其实就是仿照以UsernamePassword开头的类来写的，部分代码其实都是一样的。

1、自定义用户认证的对象JwtUser

public class JwtUser extends User {
/**
* 用户ID
*/
@Getter
private String id;
/**
* 机构ID
*/
@Getter
private String orgId;

public JwtUser(String id, String orgId, String username, String password, Collection<? extends GrantedAuthority> authorities) {
super(username, password, authorities);
this.id = id;
this.orgId = orgId;
}
}

2、自定义JwtAuthenticationToken

代码其实跟UsernamePasswordAuthenticationToken差不多

public class JwtAuthenticationToken extends AbstractAuthenticationToken {
/**
* 登录信息
*/
private final Object principal;
/**
* 凭证
*/
private final Object credentials;
/**
* 创建已认证的授权
*
* @param authorities
* @param principal
* @param credentials
*/
public JwtAuthenticationToken(Collection<? extends GrantedAuthority> authorities, Object principal, Object credentials) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true);
}
/**
* 创建未认证的授权
*
* @param principal
* @param credentials
*/
public JwtAuthenticationToken(Object principal, Object credentials) {
//因为刚开始并没有认证，因此用户没有任何权限，并且设置没有认证的信息（setAuthenticated(false)）
super(null);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(false);
}
@Override
public Object getCredentials() {
return this.credentials;
}
@Override
public Object getPrincipal() {
return this.principal;
}
}

3、自定义认证拦截器JwtAuthenticationFilter

这个类也是仿照UsernamePasswordAuthenticationFilter来实现的

/**
* 这个代码完全是仿照UsernamePasswordAuthenticationFilter来写的
* {@link UsernamePasswordAuthenticationFilter}
*/
public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login",
"POST");
private String usernameParameter = "username";
private String passwordParameter = "password";
public JwtAuthenticationFilter() {
super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (!request.getMethod().equals(HttpMethod.POST.name())) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = request.getParameter(this.usernameParameter);
username = (username != null) ? username.trim() : "";
String password = request.getParameter(this.passwordParameter);
password = (password != null) ? password : "";
//创建未认证的token
JwtAuthenticationToken authRequest = new JwtAuthenticationToken(username, password);
//认证详情写入到凭着
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
return this.getAuthenticationManager().authenticate(authRequest);
}
}

4、自定义认证处理器JwtAuthenticationProvider

大部分的代码也来自AbstractUserDetailsAuthenticationProvider和DaoAuthenticationProvider

@Slf4j
@Component
public class JwtAuthenticationProvider implements AuthenticationProvider {
private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
@Getter
@Setter
private UserDetailsService userDetailsService;
@Getter
@Setter
private PasswordEncoder passwordEncoder;
public JwtAuthenticationProvider() {
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UserDetails user = userDetailsService.loadUserByUsername(authentication.getName());
JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authentication;
additionalAuthenticationChecks(user, jwtAuthenticationToken);
//构建已认证的authenticatedToken
JwtAuthenticationToken result = new JwtAuthenticationToken(jwtAuthenticationToken.getAuthorities(), user, jwtAuthenticationToken.getCredentials());
result.setDetails(authentication.getDetails());
log.debug("Authenticated user");
return result;
}
@Override
public boolean supports(Class<?> authentication) {
return (JwtAuthenticationToken.class.isAssignableFrom(authentication));
}
/**
* 直接拷贝的DaoAuthenticationProvider里面的同名方法
* @param userDetails
* @param authentication
* @throws AuthenticationException
*/
private void additionalAuthenticationChecks(UserDetails userDetails,
JwtAuthenticationToken authentication) throws AuthenticationException {
if (authentication.getCredentials() == null) {
log.debug("Failed to authenticate since no credentials provided");
throw new BadCredentialsException(this.messages
.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
log.debug("Failed to authenticate since password does not match stored value");
throw new BadCredentialsException(this.messages
.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
}
}
}

5、自定义认证成功和失败处理类

默认情况下，认证成功和失败都是跳转到别的页面，我们改为返回一个json对象

5.1、认证失败JwtAuthenticationFailureHandler

@Slf4j
@Component
public class JwtAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
log.info("登录失败:{}", exception.getLocalizedMessage());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write(exception.getLocalizedMessage());
response.getWriter().flush();
response.getWriter().close();
}
}

5.2、认证成功JwtAuthenticationSuccessHandler

认证成功后我们需要返回一个token，所以我们需要一个Jwt的工具类JWTUtils

@Slf4j
@Component
@AllArgsConstructor
public class JWTUtils {
private final JwtProperties jwtProperties;
public static final String ID = "id";
public static final String ORGID = "orgId";
public static final String USERNAME = "username";
public static final String AUTHORITIES = "authorities";
/**
* 生成token
*
* @param jwtUser
* @return
*/
public String createToken(JwtUser jwtUser) {
// 签名算法 ，将对token进行签名
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(jwtProperties.getSecret());
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
Map claims = Maps.newHashMap();
claims.put(ID, jwtUser.getId());
claims.put(ORGID, jwtUser.getOrgId());
claims.put(USERNAME, jwtUser.getUsername());
List list = jwtUser.getAuthorities().stream().collect(Collectors.toList());
List stringList = list.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
claims.put(AUTHORITIES, JSONUtil.toJsonStr(stringList));
return Jwts
.builder()
.setHeaderParam("typ", "JWT")
.setClaims(claims)
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + jwtProperties.getExpire() * 60 * 60 * 1000))
.signWith(signatureAlgorithm, signingKey).compact();
}
/**
* 检查token是否有效
*
* @param token the token
* @return the claims
*/
public Claims getClaimsFromToken(String token) {
try {
return Jwts.parser().setSigningKey(jwtProperties.getSecret()).parseClaimsJws(token).getBody();
} catch (Exception e) {
log.error("验证token出错:{}", e.getMessage());
return null;
}
}
/**
* 判断是否过期
*
* @param claims
* @return
*/
public boolean isTokenExpired(Claims claims) {
return claims.getExpiration().before(new Date());
}
/**
* true 无效
* false 有效
*
* @param token
* @return
*/
public boolean checkToken(String token) {
Claims claims = getClaimsFromToken(token);
if (claims != null) {
return isTokenExpired(claims);
}
return true;
}
}

这里面的jwtProperties主要用来动态配置token秘钥和有效期，所以需要在spring.factories配置

@Slf4j
@Component
public class JwtAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Autowired
private JWTUtils jwtUtils;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
//从authentication中获取用户信息
final JwtUser userDetail = (JwtUser) authentication.getPrincipal();
log.info("{}:登录成功", userDetail.getUsername());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
String token = jwtUtils.createToken(userDetail);
response.getWriter().write(token);
response.getWriter().flush();
response.getWriter().close();
}
}

6、安全配置

@EnableWebSecurity
public class SpringSecurityConfigurer {
private final JwtUserDetailsService jwtUserDetailsService;
private final JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandle;
private final JwtAuthenticationFailureHandler jwtAuthenticationFailureHandler;
public SpringSecurityConfigurer(JwtUserDetailsService jwtUserDetailsService, JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandle, JwtAuthenticationFailureHandler jwtAuthenticationFailureHandler) {
this.jwtUserDetailsService = jwtUserDetailsService;
this.jwtAuthenticationSuccessHandle = jwtAuthenticationSuccessHandle;
this.jwtAuthenticationFailureHandler = jwtAuthenticationFailureHandler;
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
//禁用表单登录
.formLogin().disable()
.authorizeRequests((authorize) -> authorize
// 这里需要将登录页面放行,permitAll()表示不再拦截，
.antMatchers("/upms/login/**").permitAll()
// 所有请求都要验证
.anyRequest().authenticated())
// 关闭csrf
.csrf((csrf) -> csrf.disable())
//禁用session，JWT校验不需要session
.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
@Bean
JwtAuthenticationFilter jwtAuthenticationFilter() {
JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter();
jwtAuthenticationFilter.setAuthenticationManager(authenticationManager());
jwtAuthenticationFilter.setAuthenticationSuccessHandler(jwtAuthenticationSuccessHandle);
jwtAuthenticationFilter.setAuthenticationFailureHandler(jwtAuthenticationFailureHandler);
return jwtAuthenticationFilter;
}
@Bean
JwtAuthenticationProvider jwtAuthenticationProvider() {
JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider();
//设置userDetailsService
jwtAuthenticationProvider.setUserDetailsService(jwtUserDetailsService);
//设置加密算法
jwtAuthenticationProvider.setPasswordEncoder(passwordEncoder());
return jwtAuthenticationProvider;
}
/**
* 自定义的认证处理器
*/
@Bean
public AuthenticationManager authenticationManager() {
return new ProviderManager(jwtAuthenticationProvider());
}
/**
* 指定加解密算法
*
* @return
*/
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}

三、编译运行

经过一系列的调试修改后，启动项目，模拟登录请求，看到如下界面就表示成功了。

当前版本tag：1.0.3

代码仓库

四、 体验地址

后台数据库只给了部分权限，报错属于正常！
想学的老铁给点点关注吧！！！
我是阿咕噜，一个从互联网慢慢上岸的程序员，如果喜欢我的文章，记得帮忙点个赞哟，谢谢！