Technology Sharing

SpringSecurity framework [Authentication]

2024-07-12

한어Русский языкEnglishFrançaisIndonesianSanskrit日本語DeutschPortuguêsΕλληνικάespañolItalianoSuomalainenLatina

Table of contents

1. Quick Start

2. Certification

2.1 Login Verification Process

2.2 Principle

2.3 Problem Solving

2.3.1 Thought Analysis

2.3.2 Preparation

2.3.3 Implementation

2.3.3.1 Database Verification User

2.3.3.2 Password Encryption Storage

2.3.3.3 Login interface

2.3.3.4 Authentication Filters

2.3.3.5 Logout

Spring Security is a security management framework in the Spring family. Compared with another security framework Shiro, it provides richer functions and has richer community resources than Shiro.

Generally speaking, Spring Security is more commonly used in large projects, while Shiro is more commonly used in small projects, because compared to Spring Security, Shiro is easier to use.

Generally, Web applications need toCertificationandAuthorization

  • Authentication: Verify whether the current user accessing the system is a user of this system, and confirm which specific user it is
  • Authorization: After authentication, determine whether the current user has the authority to perform a certain operation

Authentication and authorization are the core functions of Spring Security as a security framework!

1. Quick Start

Let's first simply build a SpringBoot project.

At this time, we access a simple hello interface we wrote to verify whether the build is successful.

Then introduce SpringSecurity.

At this time, let's take a look at the effect of the access interface.

After the introduction of SpringSecurity, the access interface will automatically jump to a login page. The default username is user, and the password will be output to the console. You must log in before you can access the interface.

2. Certification

2.1 Login Verification Process

First of all, we need to understand the login verification process. First, the front-end carries the username and password to access the login interface. After the server gets the username and password, it compares them with the database. If the username/user ID is used correctly, a jwt is generated, and then the jwt is responded to the front-end. After logging in, other requests will carry a token in the request header. Each time the server obtains the token in the request header, it parses it and obtains the UserID. It obtains user-related information based on the username id, and checks the permissions. If there is permission, it responds to the front-end.

2.2 Principle

The principle of SpringSecurity is actually a filter chain, which provides filters with various functions. Here we first look at the filters involved in the quick start above.

  • UsernamePasswordAuthenticationFilter is responsible for processing the login request after filling in the username and password on the login page
  • ExceptionTranslationFilter handles any AccessDeniedException and AuthenticationException thrown in the filter chain
  • FilterSecurityInterceptor is responsible for the filter of permission verification

We can also use Debug to see which filters and their order are in the SpringSecurity filter chain in the current system.

Next, let’s take a look at the analysis of the authentication flowchart.

Here we just need to understand the process, in simple terms:

The user submits the username and password, UsernamePasswordAuthenticationFilter encapsulates it into the Authentication object, and calls the authenticate method for authentication, then calls the authenticate method of DaoAuthenticationProvider for authentication, and then calls the loadUserByUserName method to query the user. The query here is to search in the memory, and then encapsulate the corresponding user information into the UserDetails object, and use PasswordEncoder to compare the password in UserDetails and the password in Authentication to see if they are correct. If they are correct, set the permission information in UserDetails to the Authentication object, then return the Authentication object, and finally use the SecurityContextHolder.getContext().setAuthentication method to store the object. Other filters will use SecurityContextHoder to obtain the current user information. (You don't need to remember this section, as long as you can understand it)

Then we know the process and can modify it. First of all, we must search from the memory instead of from the database (here we need to customize a UserDetailsService implementation class), and we will not use the default username and password. The login interface must be written by ourselves, and there is no need to use the default login page provided by him.

Based on our analysis, we can get a picture like this.

At this time, a jwt is returned to the front end, and other requests made by the front end will carry a token. Then the first step is to verify whether the token is carried, parse the token, get the corresponding userid, and encapsulate it as an Anthentication object and store it in the SecurityContextHolder (so that other filters can get it).

Then there is another question here, how to get the complete user information after getting the userid from the jwt authentication filter?

Here we use redis. When the server authenticates by using the user ID to generate jwt for the front end, the user ID is used as the key and the user's information is stored in redis as the value. After that, the complete user information can be obtained from redis through the user ID.

2.3 Problem Solving

2.3.1 Thought Analysis

From the preliminary exploration of the above principles, we have also roughly analyzed what we need to do if we want to implement the authentication process with front-end and back-end separation ourselves.

Log in:

a. Custom login interface

Call the ProviderManager method for authentication. If the authentication passes, a jwt is generated.

Store user information in redis

b. Customize UserDetailsService

To query the database in this implementation class

check:

a. Custom jwt authentication filter

Get a token

Parse the token to obtain the userid

Get complete user information from redis

Store in SecurityContextHolder

2.3.2 Preparation

First you need to add the corresponding dependencies

  1.         <!--   SpringSecurity启动器     -->
  2.         <dependency>
  3.             <groupId>org.springframework.boot</groupId>
  4.             <artifactId>spring-boot-starter-security</artifactId>
  5.         </dependency>
  6.  
  7.         <!--   redis依赖     -->
  8.         <dependency>
  9.             <groupId>org.springframework.boot</groupId>
  10.             <artifactId>spring-boot-starter-data-redis</artifactId>
  11.         </dependency>
  12.         <!--   fastjson依赖     -->
  13.         <dependency>
  14.             <groupId>com.alibaba</groupId>
  15.             <artifactId>fastjson</artifactId>
  16.             <version>1.2.33</version>
  17.         </dependency>
  18.         <!--   jwt依赖     -->
  19.         <dependency>
  20.             <groupId>io.jsonwebtoken</groupId>
  21.             <artifactId>jjwt</artifactId>
  22.             <version>0.9.0</version>
  23.         </dependency>

Next, we need to use Redis and add Redis related configuration

First is the FastJson serializer

  1. package org.example.utils;
  2. import com.alibaba.fastjson.JSON;
  3. import com.alibaba.fastjson.parser.ParserConfig;
  4. import com.alibaba.fastjson.serializer.SerializerFeature;
  5. import com.fasterxml.jackson.databind.JavaType;
  6. import com.fasterxml.jackson.databind.type.TypeFactory;
  7. import org.springframework.data.redis.serializer.RedisSerializer;
  8. import org.springframework.data.redis.serializer.SerializationException;
  9.  
  10. import java.nio.charset.Charset;
  11.  
  12. /**
  13.  * Redis使用fastjson序列化
  14.  * @param <T>
  15.  */
  16. public class FastJsonRedisSerializer<T> implements RedisSerializer<T> {
  17.  
  18.     public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
  19.  
  20.     private Class<T> clazz;
  21.  
  22.     static {
  23.         ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
  24.     }
  25.  
  26.     public FastJsonRedisSerializer(Class<T> clazz){
  27.         super();
  28.         this.clazz=clazz;
  29.     }
  30.     
  31.     @Override
  32.     public byte[] serialize(T t) throws SerializationException {
  33.         if (t == null){
  34.             return new byte[0];
  35.         }
  36.         return JSON.toJSONString(t, SerializerFeature.WriteClassName).getBytes(DEFAULT_CHARSET);
  37.     }
  38.  
  39.     @Override
  40.     public T deserialize(byte[] bytes) throws SerializationException {
  41.         if (bytes==null || bytes.length<=0){
  42.             return null;
  43.         }
  44.         String str = new String(bytes,DEFAULT_CHARSET);
  45.  
  46.         return JSON.parseObject(str,clazz);
  47.     }
  48.  
  49.     protected JavaType getJavaType(Class<?> clazz){
  50.         return TypeFactory.defaultInstance().constructType(clazz);
  51.     }
  52.     
  53. }

Create a RedisConfig and create a serializer in it to solve problems such as garbled characters

  1. package org.example.config;
  2. import org.example.utils.FastJsonRedisSerializer;
  3. import org.springframework.context.annotation.Bean;
  4. import org.springframework.context.annotation.Configuration;
  5. import org.springframework.data.redis.connection.RedisConnectionFactory;
  6. import org.springframework.data.redis.core.RedisTemplate;
  7. import org.springframework.data.redis.serializer.StringRedisSerializer;
  8.  
  9. @Configuration
  10. public class RedisConfig {
  11.     @Bean
  12.     @SuppressWarnings(value = {"unchecked","rawtypes"})
  13.     public RedisTemplate<Object,Object> redisTemplate(RedisConnectionFactory connectionFactory){
  14.         RedisTemplate<Object,Object> template = new RedisTemplate<>();
  15.         template.setConnectionFactory(connectionFactory);
  16.  
  17.         FastJsonRedisSerializer serializer = new FastJsonRedisSerializer(Object.class);
  18.  
  19.         //使用StringRedisSerializer来序列化和反序列化redus的key值
  20.         template.setKeySerializer(new StringRedisSerializer());
  21.         template.setValueSerializer(serializer);
  22.  
  23.         template.afterPropertiesSet();
  24.         return template;
  25.     }
  26. }

A unified response class is also needed

  1. package org.example.domain;
  2. import com.fasterxml.jackson.annotation.JsonInclude;
  3. @JsonInclude(JsonInclude.Include.NON_NULL)
  4. public class ResponseResult<T>{
  5.     /**
  6.      * 状态码
  7.      */
  8.     private Integer code;
  9.     /**
  10.      * 提示信息,如果有错误时,前端可以获取该字段进行提示
  11.      */
  12.     private String msg;
  13.     /**
  14.      * 查询到的结果数据
  15.      */
  16.     private T data;
  17.  
  18.     public ResponseResult(Integer code,String msg){
  19.         this.code = code;
  20.         this.msg = msg;
  21.     }
  22.  
  23.     public ResponseResult(Integer code,T data){
  24.         this.code = code;
  25.         this.data = data;
  26.     }
  27.  
  28.     public Integer getCode() {
  29.         return code;
  30.     }
  31.  
  32.     public void setCode(Integer code) {
  33.         this.code = code;
  34.     }
  35.  
  36.     public String getMsg() {
  37.         return msg;
  38.     }
  39.  
  40.     public void setMsg(String msg) {
  41.         this.msg = msg;
  42.     }
  43.  
  44.     public T getData() {
  45.         return data;
  46.     }
  47.  
  48.     public void setData(T data) {
  49.         this.data = data;
  50.     }
  51.  
  52.     public ResponseResult(Integer code,String msg,T data){
  53.         this.code = code;
  54.         this.msg = msg;
  55.         this.data = data;
  56.     }
  57. }

Then we need jwt tool class to generate jwt and parse jwt

  1. package org.example.utils;
  2.  
  3. import io.jsonwebtoken.Claims;
  4. import io.jsonwebtoken.JwtBuilder;
  5. import io.jsonwebtoken.Jwts;
  6. import io.jsonwebtoken.SignatureAlgorithm;
  7.  
  8. import javax.crypto.SecretKey;
  9. import javax.crypto.spec.SecretKeySpec;
  10. import java.util.Base64;
  11. import java.util.Date;
  12. import java.util.UUID;
  13.  
  14. public class JwtUtil {
  15.  
  16.     //有效期为
  17.     public static final Long JWT_TTL = 60*60*1000L; //一个小时
  18.     //设置密钥明文
  19.     public static final String JWT_KEY = "hzj";
  20.  
  21.     public static String getUUID(){
  22.         String token = UUID.randomUUID().toString().replaceAll("-","");
  23.         return token;
  24.     }
  25.  
  26.     /**
  27.      * 生成jwt
  28.      * @param subject token中要存放的数据(json格式)
  29.      * @return
  30.      */
  31.     public static String createJWT(String subject){
  32.         JwtBuilder builder = getJwtBuilder(subject,null,getUUID()); //设置过期时间
  33.         return builder.compact();
  34.     }
  35.  
  36.     /**
  37.      * 生成jwt
  38.      * @param subject token中要存放的数据(json格式)
  39.      * @param ttlMillis token超时时间
  40.      * @return
  41.      */
  42.     public static String createJWT(String subject,Long ttlMillis){
  43.         JwtBuilder builder = getJwtBuilder(subject,ttlMillis,getUUID()); //设置过期时间
  44.         return builder.compact();
  45.     }
  46.  
  47.     private static JwtBuilder getJwtBuilder(String subject,Long ttlMillis,String uuid){
  48.         SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
  49.         SecretKey secretKey = generalkey();
  50.         long nowMillis = System.currentTimeMillis();
  51.         Date now = new Date(nowMillis);
  52.         if(ttlMillis==null){
  53.             ttlMillis=JwtUtil.JWT_TTL;
  54.         }
  55.         long expMillis = nowMillis + ttlMillis;
  56.         Date expDate = new Date(expMillis);
  57.         return Jwts.builder()
  58.                 .setId(uuid) //唯一的Id
  59.                 .setSubject(subject) //主题 可以是Json数据
  60.                 .setIssuer("hzj") //签发者
  61.                 .setIssuedAt(now) //签发时间
  62.                 .signWith(signatureAlgorithm,secretKey) //使用HS256对称加密算法签名,第二个参数为密钥
  63.                 .setExpiration(expDate);
  64.     }
  65.  
  66.     /**
  67.      * 创建token
  68.      * @param id
  69.      * @param subject
  70.      * @param ttlMillis
  71.      * @return
  72.      */
  73.     public static String createJWT(String id,String subject,Long ttlMillis){
  74.         JwtBuilder builder = getJwtBuilder(subject,ttlMillis,id);//设置过期时间
  75.         return builder.compact();
  76.     }
  77.  
  78.     public static void main(String[] args) throws Exception{
  79.         String token =
  80. "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTg0MjU5MzIsInVzZX" +
  81. "JJZCI6MTExLCJ1c2VybmFtZSI6Ik1hcmtaUVAifQ.PTlOdRG7ROVJqPrA0q2ac7rKFzNNFR3lTMyP_8fIw9Q";
  82.         Claims claims = parseJWT(token);
  83.         System.out.println(claims);
  84.     }
  85.  
  86.     /**
  87.      * 生成加密后的密钥secretkey
  88.      * @return
  89.      */
  90.     public static SecretKey generalkey(){
  91.         byte[] encodeedkey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
  92.         SecretKey key = new SecretKeySpec(encodeedkey,0,encodeedkey.length,"AES");
  93.         return key;
  94.     }
  95.  
  96.     /**
  97.      * 解析
  98.      * @param jwt
  99.      * @return
  100.      * @throws Exception
  101.      */
  102.     public static Claims parseJWT(String jwt) throws Exception{
  103.         SecretKey secretKey = generalkey();
  104.         return Jwts.parser()
  105.                 .setSigningKey(secretKey)
  106.                 .parseClaimsJws(jwt)
  107.                 .getBody();
  108.     }
  109. }

Define another Redis tool class RedisCache, which makes it easier for us to call redistemplate

  1. package org.example.utils;
  2.  
  3.  
  4. import org.springframework.beans.factory.annotation.Autowired;
  5. import org.springframework.data.redis.core.BoundSetOperations;
  6. import org.springframework.data.redis.core.HashOperations;
  7. import org.springframework.data.redis.core.RedisTemplate;
  8. import org.springframework.data.redis.core.ValueOperations;
  9. import org.springframework.stereotype.Component;
  10.  
  11. import java.util.*;
  12. import java.util.concurrent.TimeUnit;
  13.  
  14. @SuppressWarnings(value = { "unchecked", "rawtypes" })
  15. @Component
  16. public class RedisCache
  17. {
  18.     @Autowired
  19.     public RedisTemplate redisTemplate;
  20.  
  21.     /**
  22.      * 缓存基本的对象,Integer、String、实体类等
  23.      *
  24.      * @param key 缓存的键值
  25.      * @param value 缓存的值
  26.      */
  27.     public <T> void setCacheObject(final String key, final T value)
  28.     {
  29.         redisTemplate.opsForValue().set(key, value);
  30.     }
  31.  
  32.     /**
  33.      * 缓存基本的对象,Integer、String、实体类等
  34.      *
  35.      * @param key 缓存的键值
  36.      * @param value 缓存的值
  37.      * @param timeout 时间
  38.      * @param timeUnit 时间颗粒度
  39.      */
  40.     public <T> void setCacheObject(final String key, final T value, final Integer timeout, final TimeUnit timeUnit)
  41.     {
  42.         redisTemplate.opsForValue().set(key, value, timeout, timeUnit);
  43.     }
  44.  
  45.     /**
  46.      * 设置有效时间
  47.      *
  48.      * @param key Redis键
  49.      * @param timeout 超时时间
  50.      * @return true=设置成功;false=设置失败
  51.      */
  52.     public boolean expire(final String key, final long timeout)
  53.     {
  54.         return expire(key, timeout, TimeUnit.SECONDS);
  55.     }
  56.  
  57.     /**
  58.      * 设置有效时间
  59.      *
  60.      * @param key Redis键
  61.      * @param timeout 超时时间
  62.      * @param unit 时间单位
  63.      * @return true=设置成功;false=设置失败
  64.      */
  65.     public boolean expire(final String key, final long timeout, final TimeUnit unit)
  66.     {
  67.         return redisTemplate.expire(key, timeout, unit);
  68.     }
  69.  
  70.     /**
  71.      * 获得缓存的基本对象。
  72.      *
  73.      * @param key 缓存键值
  74.      * @return 缓存键值对应的数据
  75.      */
  76.     public <T> T getCacheObject(final String key)
  77.     {
  78.         ValueOperations<String, T> operation = redisTemplate.opsForValue();
  79.         return operation.get(key);
  80.     }
  81.  
  82.     /**
  83.      * 删除单个对象
  84.      *
  85.      * @param key
  86.      */
  87.     public boolean deleteObject(final String key)
  88.     {
  89.         return redisTemplate.delete(key);
  90.     }
  91.  
  92.     /**
  93.      * 删除集合对象
  94.      *
  95.      * @param collection 多个对象
  96.      * @return
  97.      */
  98.     public long deleteObject(final Collection collection)
  99.     {
  100.         return redisTemplate.delete(collection);
  101.     }
  102.  
  103.     /**
  104.      * 缓存List数据
  105.      *
  106.      * @param key 缓存的键值
  107.      * @param dataList 待缓存的List数据
  108.      * @return 缓存的对象
  109.      */
  110.     public <T> long setCacheList(final String key, final List<T> dataList)
  111.     {
  112.         Long count = redisTemplate.opsForList().rightPushAll(key, dataList);
  113.         return count == null ? 0 : count;
  114.     }
  115.  
  116.     /**
  117.      * 获得缓存的list对象
  118.      *
  119.      * @param key 缓存的键值
  120.      * @return 缓存键值对应的数据
  121.      */
  122.     public <T> List<T> getCacheList(final String key)
  123.     {
  124.         return redisTemplate.opsForList().range(key, 0, -1);
  125.     }
  126.  
  127.     /**
  128.      * 缓存Set
  129.      *
  130.      * @param key 缓存键值
  131.      * @param dataSet 缓存的数据
  132.      * @return 缓存数据的对象
  133.      */
  134.     public <T> BoundSetOperations<String, T> setCacheSet(final String key, final Set<T> dataSet)
  135.     {
  136.         BoundSetOperations<String, T> setOperation = redisTemplate.boundSetOps(key);
  137.         Iterator<T> it = dataSet.iterator();
  138.         while (it.hasNext())
  139.         {
  140.             setOperation.add(it.next());
  141.         }
  142.         return setOperation;
  143.     }
  144.  
  145.     /**
  146.      * 获得缓存的set
  147.      *
  148.      * @param key
  149.      * @return
  150.      */
  151.     public <T> Set<T> getCacheSet(final String key)
  152.     {
  153.         return redisTemplate.opsForSet().members(key);
  154.     }
  155.  
  156.     /**
  157.      * 缓存Map
  158.      *
  159.      * @param key
  160.      * @param dataMap
  161.      */
  162.     public <T> void setCacheMap(final String key, final Map<String, T> dataMap)
  163.     {
  164.         if (dataMap != null) {
  165.             redisTemplate.opsForHash().putAll(key, dataMap);
  166.         }
  167.     }
  168.  
  169.     /**
  170.      * 获得缓存的Map
  171.      *
  172.      * @param key
  173.      * @return
  174.      */
  175.     public <T> Map<String, T> getCacheMap(final String key)
  176.     {
  177.         return redisTemplate.opsForHash().entries(key);
  178.     }
  179.  
  180.     /**
  181.      * 往Hash中存入数据
  182.      *
  183.      * @param key Redis键
  184.      * @param hKey Hash键
  185.      * @param value 值
  186.      */
  187.     public <T> void setCacheMapValue(final String key, final String hKey, final T value)
  188.     {
  189.         redisTemplate.opsForHash().put(key, hKey, value);
  190.     }
  191.  
  192.     /**
  193.      * 获取Hash中的数据
  194.      *
  195.      * @param key Redis键
  196.      * @param hKey Hash键
  197.      * @return Hash中的对象
  198.      */
  199.     public <T> T getCacheMapValue(final String key, final String hKey)
  200.     {
  201.         HashOperations<String, String, T> opsForHash = redisTemplate.opsForHash();
  202.         return opsForHash.get(key, hKey);
  203.     }
  204.  
  205.     /**
  206.      * 删除Hash中的数据
  207.      *
  208.      * @param key
  209.      * @param hkey
  210.      */
  211.     public void delCacheMapValue(final String key, final String hkey)
  212.     {
  213.         HashOperations hashOperations = redisTemplate.opsForHash();
  214.         hashOperations.delete(key, hkey);
  215.     }
  216.  
  217.     /**
  218.      * 获取多个Hash中的数据
  219.      *
  220.      * @param key Redis键
  221.      * @param hKeys Hash键集合
  222.      * @return Hash对象集合
  223.      */
  224.     public <T> List<T> getMultiCacheMapValue(final String key, final Collection<Object> hKeys)
  225.     {
  226.         return redisTemplate.opsForHash().multiGet(key, hKeys);
  227.     }
  228.  
  229.     /**
  230.      * 获得缓存的基本对象列表
  231.      *
  232.      * @param pattern 字符串前缀
  233.      * @return 对象列表
  234.      */
  235.     public Collection<String> keys(final String pattern)
  236.     {
  237.         return redisTemplate.keys(pattern);
  238.     }
  239. }
  240.

We may also write data to the response, so we also need a tool class WebUtils

  1. package org.example.utils;
  2.  
  3. import javax.servlet.http.HttpServletResponse;
  4. import java.io.IOException;
  5.  
  6. public class WebUtils {
  7.     /**
  8.      * 将字符串渲染到客户端
  9.      *
  10.      * @param response 渲染对象
  11.      * @param string 待渲染的字符串
  12.      * @return null
  13.      */
  14.     public static String renderString(HttpServletResponse response, String string) {
  15.         try
  16.         {
  17.             response.setStatus(200);
  18.             response.setContentType("application/json");
  19.             response.setCharacterEncoding("utf-8");
  20.             response.getWriter().print(string);
  21.         }
  22.         catch (IOException e)
  23.         {
  24.             e.printStackTrace();
  25.         }
  26.         return null;
  27.     }
  28. }

Finally, write the corresponding user entity class

  1. package org.example.domain;
  2.  
  3. import lombok.AllArgsConstructor;
  4. import lombok.Data;
  5. import lombok.NoArgsConstructor;
  6. import java.io.Serializable;
  7. import java.util.Date;
  8. /**
  9.  * 用户表(User)实体类
  10.  */
  11. @Data
  12. @AllArgsConstructor
  13. @NoArgsConstructor
  14. public class User implements Serializable {
  15.     private static final long serialVersionUID = -40356785423868312L;
  16.     /**
  17.      * 主键
  18.      */
  19.     private Long id;
  20.     /**
  21.      * 用户名
  22.      */
  23.     private String userName;
  24.     /**
  25.      * 昵称
  26.      */
  27.     private String nickName;
  28.     /**
  29.      * 密码
  30.      */
  31.     private String password;
  32.     /**
  33.      * 账号状态(0正常 1停用)
  34.      */
  35.     private String status;
  36.     /**
  37.      * 邮箱
  38.      */
  39.     private String email;
  40.     /**
  41.      * 手机号
  42.      */
  43.     private String phonenumber;
  44.     /**
  45.      * 用户性别(0男,1女,2未知)
  46.      */
  47.     private String sex;
  48.     /**
  49.      * 头像
  50.      */
  51.     private String avatar;
  52.     /**
  53.      * 用户类型(0管理员,1普通用户)
  54.      */
  55.     private String userType;
  56.     /**
  57.      * 创建人的用户id
  58.      */
  59.     private Long createBy;
  60.     /**
  61.      * 创建时间
  62.      */
  63.     private Date createTime;
  64.     /**
  65.      * 更新人
  66.      */
  67.     private Long updateBy;
  68.     /**
  69.      * 更新时间
  70.      */
  71.     private Date updateTime;
  72.     /**
  73.      * 删除标志(0代表未删除,1代表已删除)
  74.      */
  75.     private Integer delFlag;
  76. }
  77.

According to our analysis above, we need to customize a UserDetailsService so that SpringSecuriry can use our UserDetailsService. Our own UserDetailsService can query the username and password from the database.

We first create a database table sys_user.

  1. CREATE TABLE `sys_user` (
  2.   `id` bigint NOT NULL AUTO_INCREMENT COMMENT '主键',
  3.   `user_name` varchar(64) NOT NULL DEFAULT 'NULL' COMMENT '用户名',
  4.   `nick_name` varchar(64) NOT NULL DEFAULT 'NULL' COMMENT '呢称',
  5.   `password` varchar(64) NOT NULL DEFAULT 'NULL' COMMENT '密码',
  6.   `status` char(1) DEFAULT '0' COMMENT '账号状态(0正常1停用)',
  7.   `email` varchar(64) DEFAULT NULL COMMENT '邮箱',
  8.   `phonenumber` varchar(32) DEFAULT NULL COMMENT '手机号',
  9.   `sex` char(1) DEFAULT NULL COMMENT '用户性别(0男,1女,2未知)',
  10.   `avatar` varchar(128) DEFAULT NULL COMMENT '头像',
  11.   `user_type` char(1) NOT NULL DEFAULT '1' COMMENT '用户类型(O管理员,1普通用户)',
  12.   `create_by` bigint DEFAULT NULL COMMENT '创建人的用户id',
  13.   `create_time` datetime DEFAULT NULL COMMENT '创建时间',
  14.   `update_by` bigint DEFAULT NULL COMMENT '更新人',
  15.   `update_time` datetime DEFAULT NULL COMMENT '更新时间',
  16.   `del_flag` int DEFAULT '0' COMMENT '删除标志(O代表未删除,1代表已删除)',
  17.   PRIMARY KEY (`id`)
  18. ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci COMMENT='用户表';

Then introduce myBatisPlus and mysql drivers.

  1.         <dependency>
  2.             <groupId>com.baomidou</groupId>
  3.             <artifactId>mybatis-plus-boot-starter</artifactId>
  4.             <version>3.4.3</version>
  5.         </dependency>
  6.         <dependency>
  7.             <groupId>mysql</groupId>
  8.             <artifactId>mysql-connector-java</artifactId>
  9.         </dependency>

Then configure the database related information.

Then define the mapper interface UserMapper and use mybatisplus to add the corresponding annotations.

  1. package org.example.mapper;
  2.  
  3. import com.baomidou.mybatisplus.core.mapper.BaseMapper;
  4. import org.example.domain.User;
  5.  
  6. public interface UserMapper extends BaseMapper<User> {
  7. }

Then configure component scanning

Finally, test whether mp can be used normally.

Introducing junit

This way it can be used normally.

2.3.3 Implementation

2.3.3.1 Database Verification User

Next we need to implement the core code.

First, let's customize the UserDetailsService.

  1. package org.example.service.impl;
  2. import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
  3. import org.example.domain.LoginUser;
  4. import org.example.domain.User;
  5. import org.example.mapper.UserMapper;
  6. import org.springframework.beans.factory.annotation.Autowired;
  7. import org.springframework.security.core.userdetails.UserDetails;
  8. import org.springframework.security.core.userdetails.UserDetailsService;
  9. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  10. import org.springframework.stereotype.Service;
  11. import java.util.Objects;
  12. @Service
  13. public class UserDetailsServiceImpl implements UserDetailsService {
  14.     @Autowired
  15.     private UserMapper userMapper;
  16.     @Override
  17.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  18.         //查询用户信息 [InMemoryUserDetailsManager是在内存中查找]
  19.         LambdaQueryWrapper<User> wrapper = new LambdaQueryWrapper<>();
  20.         wrapper.eq(User::getUserName,username);
  21.         User user = userMapper.selectOne(wrapper);
  22.         //如果查询不到数据就抛出异常,给出提示
  23.         if(Objects.isNull(user)){
  24.             throw new RuntimeException("用户名或密码错误!");
  25.         }
  26.  
  27.         //TODO 查询权限信息
  28.  
  29.         //封装为UserDetails对象返回
  30.         return new LoginUser(user);
  31.     }
  32. }

Here, the user is encapsulated as UserDetails and returned.

  1. package org.example.domain;
  2. import lombok.AllArgsConstructor;
  3. import lombok.Data;
  4. import lombok.NoArgsConstructor;
  5. import org.springframework.security.core.GrantedAuthority;
  6. import org.springframework.security.core.userdetails.UserDetails;
  7. import java.util.Collection;
  8. @Data
  9. @AllArgsConstructor
  10. @NoArgsConstructor
  11. public class LoginUser implements UserDetails {
  12.     private User user;
  13.     @Override
  14.     public Collection<? extends GrantedAuthority> getAuthorities() {
  15.         return null;
  16.     }
  17.  
  18.     @Override
  19.     public String getPassword() {
  20.         return user.getPassword();
  21.     }
  22.  
  23.     @Override
  24.     public String getUsername() {
  25.         return user.getUserName();
  26.     }
  27.  
  28.     @Override
  29.     public boolean isAccountNonExpired() {
  30.         return true;
  31.     }
  32.  
  33.     @Override
  34.     public boolean isAccountNonLocked() {
  35.         return true;
  36.     }
  37.  
  38.     @Override
  39.     public boolean isCredentialsNonExpired() {
  40.         return true;
  41.     }
  42.  
  43.     @Override
  44.     public boolean isEnabled() {
  45.         return true;
  46.     }
  47. }

Finally, there is a point here, that is, we need to test the login and get data from the database. We need to write user data into the table, and if you want the user's password to be transmitted in plain text, you need to add {noop} before the password.

Here we can log in by entering the username and password in the database.

2.3.3.2 Password Encryption Storage

Here we explain why we need to add {noop} in front of the password, because the default PasswordEncoder requires the password format in the database to be {id}password. It will determine the encryption method of the password based on the id, but we generally do not take this approach, so we need to replace PasswordEncoder.

Next, let’s test it out.

You can see that the original passwords we passed in twice are the same, but we got different results. This is actually related to the salting algorithm. I will write an article about custom encryption later.

After obtaining the encrypted password, you can store the encrypted password in the database, and then you can log in by verifying the plain text password sent from the front end with the encrypted password in the database.

At this time, we started the project to log in, and found that the previous password could no longer be used, because the database should now store the encrypted password stored in the database during the registration phase, not the original password (because I wrote the encrypted password into the database myself without registration).

2.3.3.3 Login interface

We need to implement a login interface and then let SpringSecuruty release it. If we don't release it, it will be contradictory. In the interface, user authentication is performed through the authenticate method of AuthenticationManager, so we need to configure the AuthenticationManager to be injected into the container in SecurityConfig.

If the authentication is successful, a jwt needs to be generated and put into the response. In order to allow the user to identify the specific user through jwt the next time the user requests, the user information needs to be stored in redis, and the user id can be used as the key.

Write LoginController first

Then write the corresponding Service.

Inject AuthenticationManager in SecurityConfig and release the login interface.

In the business logic of the service, if authentication fails, a custom exception is returned, but if authentication succeeds, how do we get the corresponding information?

Here we can debug and see the object obtained.

It is found here that the required information can be obtained in Principal.

Then complete the code.

Finally, test it out.

2.3.3.4 Authentication Filters

I'll paste the code first.

  1. @Component
  2. public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
  3.  
  4.     @Autowired
  5.     private RedisCache redisCache;
  6.  
  7.     @Override
  8.     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
  9.         //获取token
  10.         String token = request.getHeader("token");
  11.         if (!StringUtils.hasText(token)) {
  12.             //放行
  13.             filterChain.doFilter(request, response); //这里放行是因为还有后续的过滤器会给出对应的异常
  14.             return; //token为空 不执行后续流程
  15.         }
  16.         //解析token
  17.         String userid;
  18.         try {
  19.             Claims claims = JwtUtil.parseJWT(token);
  20.             userid = claims.getSubject();
  21.         } catch (Exception e) {
  22.             e.printStackTrace();
  23.             throw new RuntimeException("token非法!");
  24.         }
  25.         //从redis中获取用户信息
  26.         String redisKey = "login:" + userid;
  27.         LoginUser loginUser = redisCache.getCacheObject(redisKey);
  28.         if (Objects.isNull(loginUser)){
  29.             throw new RuntimeException("用户未登录!");
  30.         }
  31.         //将信息存入SecurityContextHolder(因为过滤器链后面的filter都是从中获取认证信息进行对应放行)
  32.         //TODO 获取权限信息封装到Authentication中
  33.         UsernamePasswordAuthenticationToken authenticationToken =
  34.                 new UsernamePasswordAuthenticationToken(loginUser,null,null);
  35.         SecurityContextHolder.getContext().setAuthentication(authenticationToken);
  36.  
  37.         //放行
  38.         filterChain.doFilter(request,response); //此时的放行是携带认证的,不同于上方token为空的放行
  39.     }
  40. }

First, we get the token from the request header, and then check whether it is empty. If it is empty, we release it directly without going through the subsequent process. Next, we parse the token to get the userid inside, and then get the corresponding user information from redis based on the userid, and finally store it in the SecurityContextHolder, because subsequent filters need to obtain daily authentication information from it, and finally perform analysis operations.

Another point to note is that SecurityContextHolder.getContext().setAuthentication() requires the authentication object to be passed in. When we construct the object, we use three parameters because the third parameter is the key to determining whether to authenticate.

Next we need to configure this filter.

Then we access the user/login interface, which will return a response body with a token. If we access the hello interface again, it will be 403 because there is no token. Therefore, it corresponds to the code above. There is no token release and return does not execute the subsequent process (the release here is because there are other filters that specifically throw exceptions for processing, and return is to prevent it from going through the response process)

At this point, if we put the token generated by user/login into the request header of the hello interface, we can access it normally.

Then the purpose of our set of filters is achieved (get token, parse token, store in SecurityContextHolder)

2.3.3.5 Logout

At this point, it is relatively easy for us to log out. We only need to delete the corresponding data in redis. When we access with token later, we will get the corresponding user information in redis in our custom filter. If we can't get it at this time, it means we are not logged in.

We carry this token to access the /user/logout interface.

Then the logout function is realized.

This article is learned from the up master of station b! ! !

Personal profile

I have devoted myself to the research of technology for more than 30 years. I am proficient in various languages ​​such as Java, Linux, JavaScript, PHP, CSS, etc. I have made many contributions in the field of open source. I have established a developer documentation site to share some problems in technology development for everyone to read.

my contact information

Mail