安全验证

8 months ago · 47dcb14d2e
parent d6bfc34538
commit 47dcb14d2e
2 changed files with 124 additions and 0 deletions
--- a/IDEA/src/main/java/com/example/api/security/JwtAuthorizationFilter.java
+++ b/IDEA/src/main/java/com/example/api/security/JwtAuthorizationFilter.java
@ -0,0 +1,63 @@
 package com.example.api.security;
 import com.example.api.model.support.ResponseResult; // 导入自定义响应结果类
 import com.example.api.utils.JwtTokenUtil; // 导入JWT工具类
 import com.example.api.utils.ResponseUtil; // 导入响应工具类
 import org.springframework.security.authentication.AuthenticationManager; // 导入认证管理器
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; // 导入用户名密码认证令牌
 import org.springframework.security.core.authority.SimpleGrantedAuthority; // 导入简单授权对象
 import org.springframework.security.core.context.SecurityContextHolder; // 导入安全上下文持有者
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; // 导入基本认证过滤器
 import javax.servlet.FilterChain; // 导入过滤器链
 import javax.servlet.ServletException; // 导入Servlet异常
 import javax.servlet.http.HttpServletRequest; // 导入HTTP请求
 import javax.servlet.http.HttpServletResponse; // 导入HTTP响应
 import java.io.IOException; // 导入IO异常
 import java.util.ArrayList; // 导入ArrayList
 import java.util.List; // 导入List
 /**
 * JWT认证过滤器，从Request的Authorization Header获取JWT，
 * 解析JWT授权发放token。
 */
 public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
    public JwtAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // 从Request Header取出Token
        String token = request.getHeader(JwtTokenUtil.TOKEN_HEADER);
        // Token为空放行
        // 如果接下来进入的URL不是公共的地址SpringSecurity会返回403的错误
        if (token == null || !JwtTokenUtil.checkToken(token)) {
            chain.doFilter(request, response);
            return;
        }
        // 判断JWT Token是否过期
        if (JwtTokenUtil.isExpiration(token)) {
            ResponseUtil.writeJson(response, new ResponseResult<>(403, "令牌已过期, 请重新登录"));
            return;
        }
        // 解析token
        String username = JwtTokenUtil.getUsername(token);
        List<String> tokenRoles = JwtTokenUtil.getTokenRoles(token);
        ArrayList<SimpleGrantedAuthority> roles = new ArrayList<>();
        for (String role : tokenRoles) {
            roles.add(new SimpleGrantedAuthority(role));
        }
        // 向SpringSecurity的Context中加入认证信息
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(username, null, roles));
        super.doFilterInternal(request, response, chain);
    }
 }
--- a/IDEA/src/main/java/com/example/api/security/SecurityConfiguration.java
+++ b/IDEA/src/main/java/com/example/api/security/SecurityConfiguration.java
@ -0,0 +1,61 @@
 package com.example.api.security;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
    /**
     * HTTP验证规则
     *
     * @param http h
     * @throws Exception e
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //开启跨域
        http.csrf().disable().cors();
        //禁用session
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        //添加自定义的jwt过滤器
        http.addFilter(new JwtAuthorizationFilter(authenticationManagerBean()));
    }
    /**
     * SpringSecurity有默认的跨域配置 会无法放行RequestHeader带有"Authorization"请求
     * 防止前端请求api报出cors error
     *
     * @return *
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedHeader("*");
        corsConfiguration.addAllowedHeader("DELETE");
        corsConfiguration.addAllowedMethod("*");
        corsConfiguration.addAllowedOrigin("*");
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }
 }