springSecurity jwt 认证与鉴权及异常

我会带着你远行 2022-09-06 15:27 257阅读 0赞

如图红色框

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0MxODI5ODE4MjU3NQ_size_16_color_FFFFFF_t_70][]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0MxODI5ODE4MjU3NQ_size_16_color_FFFFFF_t_70 1][]

问题：

### 1.认证 ###

1.1 什么是认证，什么时候认证，认证什么东西，怎么算成功，怎么算失败

1.2 认证失败怎么处理

1.3 与jwt关系

### 2.鉴权 ###

1.1 什么是鉴权，如何鉴权，鉴权什么东西，怎么算成功，怎么算失败

1.2 鉴权失败怎么处理

1.3 与jwt关系

\---------------------------------------------------------------------------------------------------------------------------

答：

### 1.认证 ###

1.1

什么是认证：就是验签（常规的签名，验签），根据token和秘钥secret解析jwt

什么时候：调用接口时需要传递token进行认证；

认证什么：校验用户名，操作用户是否是登录用户，token是不过期

失败：根据token反解jwt异常，如下

private Claims getClaimsFromToken(String token) {
            Claims claims = null;
            try {
                claims = Jwts.parser()
                        .setSigningKey(secret)
                        .parseClaimsJws(token)
                        .getBody();
            } catch (Exception e) {
                LOGGER.info("JWT格式验证失败:{}", token, e);
            }
            return claims;
        }

1.2

调用接口，走jwt过滤器，因为无法根据token解析jwt，无法后续认证（用户名，过期），过掉这个调用链。需要自定义一个认证失败处理器。两种方式，见下

/**
     * 当未登录或者token失效访问接口时，自定义的返回结果
     */
    @Component
    public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    //public class RestAuthenticationEntryPoint implements AuthenticationFailureHandler {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json");
            response.getWriter().println(JSON.toJSONString(BaseResult.unauthorized(authException.getMessage())));
            response.getWriter().flush();
        }
    
    //    @Override
    //    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
    //                    AuthenticationException e) throws IOException, ServletException {
    //
    //    }
    }

1.3

在springSecurigy config加入 认证过滤器，以下代码为securityConfig

见：：：：//添加自定义未授权和未登录结果返回

### 2.鉴权 ###

先说一下权限控制，有两种

1.返回有权限的菜单或按钮，不可见即没权限；2.看不见，如果直接调接口，无权限也无法访问

这里鉴权就是针对第二种情况

2.1 什么是鉴权：带token调某接口，该用户是否有权限

2.2 如何鉴权：纯security 与 jwt无关。也有关系，调接口都要走jwt过滤器，在过滤器中调用了渲染权限的接口，见 JwtAuthenticationTokenFilter

2.2.1 调接口时实时从数据库中取用户权限信息，放入security

2.2.2 在每一个接口上加权限注解 @PreAuthorize，标明当前接口权限 如：

@Override
        @Bean
        public UserDetailsService userDetailsService() {
            //获取登录用户信息
            return username -> {
                SysUser sysUser = sysUserService.getAdminByUsername(username);
                if (sysUser != null) {
                    List<SysPermission> permissionList = sysUserService.getPermissionList(sysUser.getId());
                    return new AdminUserDetails(sysUser, permissionList);
                }
                throw new UsernameNotFoundException("用户名或密码错误");
            };
        }

@PreAuthorize("hasAuthority('product')")
        @GetMapping("myRoom")
        @ApiOperation("我的直播间")
        public BaseResult<ResTextLiveProgramVo> myChatRoom() {
    	return textLiveProgrammeService.myChatRoom();
        }

怎么算成功，怎么算失败：security封装好了

1.2 鉴权失败怎么处理

以上工作完成后，无权限报错： 不允许访问，这是security封装的异常消息。我们可以自定义自己的无权限处理类

/**
     * 访问接口没有权限时，自定义的返回结果
     */
    @Component
    public class RestfulAccessDeniedHandler implements AccessDeniedHandler{
        @Override
        public void handle(HttpServletRequest request,
                           HttpServletResponse response,
                           AccessDeniedException e) throws IOException, ServletException {
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json");
            response.getWriter().println(JSON.toJSONString(BaseResult.forbidden(e.getMessage())));
            response.getWriter().flush();
        }
    }

1.3 与jwt关系

见上2.2，

//添加自定义未授权和未登录结果返回
            httpSecurity.exceptionHandling()
                    .accessDeniedHandler(restfulAccessDeniedHandler)
                    .authenticationEntryPoint(restAuthenticationEntryPoint);

SecurityConfig

@Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled=true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private ISysUserService sysUserService;
        @Autowired
        private RestfulAccessDeniedHandler restfulAccessDeniedHandler;
        @Autowired
        private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
    
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.csrf()// 由于使用的是JWT，我们这里不需要csrf
                    .disable()
                    .sessionManagement()// 基于token，所以不需要session
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    .antMatchers(HttpMethod.GET, // 允许对于网站静态资源的无授权访问
                            "/",
                            "/*.html",
                            "/favicon.ico",
                            "/**/*.html",
                            "/**/*.css",
                            "/**/*.js",
                            "/swagger-resources/**",
                            "/v2/api-docs/**"
                    )
                    .permitAll()
                    .antMatchers("/sys/user/login", "/sys/user/register")// 对登录注册要允许匿名访问
                    .permitAll()
                    .antMatchers(HttpMethod.OPTIONS)//跨域请求会先进行一次options请求
                    .permitAll()
                    .antMatchers("/**")//测试时全部运行访问
                            .permitAll()
                    .anyRequest()// 除上面外的所有请求全部需要鉴权认证
                    .authenticated();
            // 禁用缓存
            httpSecurity.headers().cacheControl();
            // 添加JWT filter
            httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
            //添加自定义未授权和未登录结果返回
            httpSecurity.exceptionHandling()
                    .accessDeniedHandler(restfulAccessDeniedHandler)
                    .authenticationEntryPoint(restAuthenticationEntryPoint);
        }
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService())
                    .passwordEncoder(passwordEncoder());
        }
    
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    
        @Override
        @Bean
        public UserDetailsService userDetailsService() {
            //获取登录用户信息
            return username -> {
                SysUser sysUser = sysUserService.getAdminByUsername(username);
                if (sysUser != null) {
                    List<SysPermission> permissionList = sysUserService.getPermissionList(sysUser.getId());
                    return new AdminUserDetails(sysUser, permissionList);
                }
                throw new UsernameNotFoundException("用户名或密码错误");
            };
        }
    
        @Bean
        public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){
            return new JwtAuthenticationTokenFilter();
        }
    
        /**
         * 允许跨域调用的过滤器
         */
        @Bean
        public CorsFilter corsFilter() {
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            CorsConfiguration config = new CorsConfiguration();
            config.addAllowedOrigin("*");
            config.setAllowCredentials(true);
            config.addAllowedHeader("*");
            config.addAllowedMethod("*");
            source.registerCorsConfiguration("/**", config);
            FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(new CorsFilter(source));
            bean.setOrder(0);
            return new CorsFilter(source);
        }
    
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    
    }

JwtAuthenticationTokenFilter

public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
        private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
        @Autowired
        private UserDetailsService userDetailsService;
        @Autowired
        private JwtTokenUtil jwtTokenUtil;
        @Value("${jwt.tokenHeader}")
        private String tokenHeader;
        @Value("${jwt.tokenHead}")
        private String tokenHead;
    
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String authHeader = request.getHeader(this.tokenHeader);
            if (authHeader != null && authHeader.startsWith(this.tokenHead)) {
                String authToken = authHeader.substring(this.tokenHead.length());// The part after "Bearer "
                String username = jwtTokenUtil.getUserNameFromToken(authToken);
                LOGGER.info("checking username:{}", username);
                if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                    UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
                    if (jwtTokenUtil.validateToken(authToken, userDetails)) {
                        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        LOGGER.info("authenticated user:{}", username);
                        SecurityContextHolder.getContext().setAuthentication(authentication);
                    }
                }
            }
            chain.doFilter(request, response);
        }
    }

JwtTokenUtil

/**
     * JwtToken生成的工具类
     * JWT token的格式：header.payload.signature
     * header的格式（算法、token的类型）：
     * {"alg": "HS512","typ": "JWT"}
     * payload的格式（用户名、创建时间、生成时间）：
     * {"sub":"wang","created":1489079981393,"exp":1489684781}
     * signature的生成算法：
     * HMACSHA512(base64UrlEncode(header) + "." +base64UrlEncode(payload),secret)
     * Created by macro on 2018/4/26.
     */
    @Component
    public class JwtTokenUtil {
        private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class);
        private static final String CLAIM_KEY_USERNAME = "sub";
        private static final String CLAIM_KEY_CREATED = "created";
        @Value("${jwt.secret}")
        private String secret;
        @Value("${jwt.expiration}")
        private Long expiration;
    
        /**
         * 根据负责生成JWT的token
         */
        private String generateToken(Map<String, Object> claims) {
            return Jwts.builder()
                    .setClaims(claims)
                    .setExpiration(generateExpirationDate())
                    .signWith(SignatureAlgorithm.HS512, secret)
                    .compact();
        }
    
        /**
         * 从token中获取JWT中的负载
         */
        private Claims getClaimsFromToken(String token) {
            Claims claims = null;
            try {
                claims = Jwts.parser()
                        .setSigningKey(secret)
                        .parseClaimsJws(token)
                        .getBody();
            } catch (Exception e) {
                LOGGER.info("JWT格式验证失败:{}", token, e);
            }
            return claims;
        }
    
        /**
         * 生成token的过期时间
         */
        private Date generateExpirationDate() {
            return new Date(System.currentTimeMillis() + expiration * 1000);
        }
    
        /**
         * 从token中获取登录用户名
         */
        public String getUserNameFromToken(String token) {
            String username;
            try {
                Claims claims = getClaimsFromToken(token);
                username =  claims.getSubject();
            } catch (Exception e) {
                username = null;
            }
            return username;
        }
    
        /**
         * 验证token是否还有效
         *
         * @param token       客户端传入的token
         * @param userDetails 从数据库中查询出来的用户信息
         */
        public boolean validateToken(String token, UserDetails userDetails) {
            String username = getUserNameFromToken(token);
            return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
        }
    
        /**
         * 判断token是否已经失效
         */
        private boolean isTokenExpired(String token) {
            Date expiredDate = getExpiredDateFromToken(token);
            return expiredDate.before(new Date());
        }
    
        /**
         * 从token中获取过期时间
         */
        private Date getExpiredDateFromToken(String token) {
            Claims claims = getClaimsFromToken(token);
            return claims.getExpiration();
        }
    
        /**
         * 根据用户信息生成token
         */
        public String generateToken(UserDetails userDetails) {
            Map<String, Object> claims = new HashMap<>();
            claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
            claims.put(CLAIM_KEY_CREATED, new Date());
            return generateToken(claims);
        }
    
        /**
         * 判断token是否可以被刷新
         */
        public boolean canRefresh(String token) {
            return !isTokenExpired(token);
        }
    
        /**
         * 刷新token
         */
        public String refreshToken(String token) {
            Claims claims = getClaimsFromToken(token);
            claims.put(CLAIM_KEY_CREATED, new Date());
            return generateToken(claims);
        }
    }

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0MxODI5ODE4MjU3NQ_size_16_color_FFFFFF_t_70]: /images/20220829/c14f5f9e703b4063992c27232d9641f9.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0MxODI5ODE4MjU3NQ_size_16_color_FFFFFF_t_70 1]: /images/20220829/b2b5c36c9064418f894c7dc2bfd59dad.png