网站改版合同,求个没封的a站yw1129cm,学校网站设计思路,织梦网站首页目录在哪里1. SpringSecurity介绍
Spring Security 是一个功能强大且高度可定制的身份验证和访问控制框架。它是为Java应用程序设计的#xff0c;特别是那些基于Spring的应用程序。Spring Security是一个社区驱动的开源项目#xff0c;它提供了全面的安全性解决方案#xff0c;包括防…1. SpringSecurity介绍
Spring Security 是一个功能强大且高度可定制的身份验证和访问控制框架。它是为Java应用程序设计的特别是那些基于Spring的应用程序。Spring Security是一个社区驱动的开源项目它提供了全面的安全性解决方案包括防止常见的安全漏洞如CSRF、点击劫持、会话固定等。
以下是Spring Security的一些关键特性和概念 认证AuthenticationSpring Security可以处理用户的身份验证过程即确认用户是否是他们声称的人。它可以使用多种机制来进行身份验证例如表单登录、HTTP基本认证、OAuth2、JWT等。 授权Authorization一旦用户通过了身份验证Spring Security就会根据用户的权限来决定他们可以访问哪些资源。这可以通过定义角色、权限或更细粒度的访问规则来实现。 安全配置Spring Security可以通过Java配置或XML配置来设置安全策略。通常推荐使用Java配置因为它与现代Spring应用更为集成并提供编译时检查。 拦截URL模式可以定义哪些URL需要特定的权限才能访问以及如何处理未认证或未经授权的请求。 过滤器链Spring Security利用了一组过滤器Filter这些过滤器在每次HTTP请求时被调用以执行各种安全相关的任务。开发者可以根据需要添加自定义过滤器。 密码编码为了安全存储用户密码Spring Security支持多种加密方式如BCrypt、PBKDF2等。 记住我Remember-Me允许系统在用户关闭浏览器后仍然保持登录状态直到明确登出或cookie过期。 注销Logout提供了安全的退出机制确保用户的会话被正确地销毁。 CSRF保护默认启用跨站请求伪造攻击防护确保只有来自合法来源的请求才能修改服务器端的状态。 Session管理可以配置会话创建策略例如只在需要时创建会话或者限制同一时间内的并发会话数量。 OAuth2和OpenID Connect支持内置对OAuth2客户端和资源服务器的支持方便集成第三方认证服务。
使用Spring Security开发者可以专注于业务逻辑的开发而将安全问题交给这个成熟可靠的框架来处理。同时由于其高度可扩展性和灵活性Spring Security也适合用于构建复杂的安全需求。
2. 登录流程
登录API无需拦截SpringSecurity直接放行。
/*** description 认证授权**/
RestController
RequestMapping(/auth)
RequiredArgsConstructor(onConstructor __(Autowired))
Api(tags 认证)
public class AuthController {private final AuthService authService;PostMapping(/login)ApiOperation(登录)public ResponseEntityVoid login(RequestBody LoginRequest loginRequest) {String token authService.createToken(loginRequest);HttpHeaders httpHeaders new HttpHeaders();httpHeaders.set(SecurityConstants.TOKEN_HEADER, token);return new ResponseEntity(httpHeaders, HttpStatus.OK);}
}AuthService首先会校验用户名与密码和用户的角色然后调用JwtTokenUtils创建token然后以userId为keytoken作为value存在Redis中。
Service
RequiredArgsConstructor(onConstructor __(Autowired))
public class AuthService {private final UserService userService;private final StringRedisTemplate stringRedisTemplate;private final CurrentUserUtils currentUserUtils;public String createToken(LoginRequest loginRequest) {User user userService.find(loginRequest.getUsername());if (!userService.check(loginRequest.getPassword(), user.getPassword())) {throw new BadCredentialsException(The user name or password is not correct.);}JwtUser jwtUser new JwtUser(user);if (!jwtUser.isEnabled()) {throw new BadCredentialsException(User is forbidden to login);}ListString authorities jwtUser.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());String token JwtTokenUtils.createToken(user.getUserName(), user.getId().toString(), authorities, loginRequest.getRememberMe());stringRedisTemplate.opsForValue().set(user.getId().toString(), token);return token;}public void removeToken() {stringRedisTemplate.delete(currentUserUtils.getCurrentUser().getId().toString());}
}JwtTokenUtils负责创建token、解析token与获取userId。
public class JwtTokenUtils {/*** 生成足够的安全随机密钥以适合符合规范的签名*/private static final byte[] API_KEY_SECRET_BYTES DatatypeConverter.parseBase64Binary(SecurityConstants.JWT_SECRET_KEY);private static final SecretKey SECRET_KEY Keys.hmacShaKeyFor(API_KEY_SECRET_BYTES);public static String createToken(String username, String id, ListString roles, boolean isRememberMe) {long expiration isRememberMe ? SecurityConstants.EXPIRATION_REMEMBER : SecurityConstants.EXPIRATION;final Date createdDate new Date();final Date expirationDate new Date(createdDate.getTime() expiration * 1000);String tokenPrefix Jwts.builder().setHeaderParam(type, SecurityConstants.TOKEN_TYPE).signWith(SECRET_KEY, SignatureAlgorithm.HS256).claim(SecurityConstants.ROLE_CLAIMS, String.join(,, roles)).setId(id).setIssuer(SnailClimb).setIssuedAt(createdDate).setSubject(username).setExpiration(expirationDate).compact();return SecurityConstants.TOKEN_PREFIX tokenPrefix; // 添加 token 前缀 Bearer ;}// userIdpublic static String getId(String token) {Claims claims getClaims(token);return claims.getId();}// 得到 userName、token与 authoritiespublic static UsernamePasswordAuthenticationToken getAuthentication(String token) {Claims claims getClaims(token);ListSimpleGrantedAuthority authorities getAuthorities(claims);String userName claims.getSubject();return new UsernamePasswordAuthenticationToken(userName, token, authorities);}private static ListSimpleGrantedAuthority getAuthorities(Claims claims) {String role (String) claims.get(SecurityConstants.ROLE_CLAIMS);return Arrays.stream(role.split(,)).map(SimpleGrantedAuthority::new).collect(Collectors.toList());}private static Claims getClaims(String token) {return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();}
}
3. JWT认证流程
// 启用 SpringSecurity
EnableWebSecurity
// 启用 SpringSecurity 注解开发
EnableGlobalMethodSecurity(prePostEnabled true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {private final StringRedisTemplate stringRedisTemplate;public SecurityConfiguration(StringRedisTemplate stringRedisTemplate) {this.stringRedisTemplate stringRedisTemplate;}/*** 密码编码器*/Beanpublic BCryptPasswordEncoder bCryptPasswordEncoder() {return new BCryptPasswordEncoder();}Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors(withDefaults())// 禁用 CSRF.csrf().disable().authorizeRequests()// 指定的接口直接放行// swagger.antMatchers(SecurityConstants.SWAGGER_WHITELIST).permitAll().antMatchers(SecurityConstants.H2_CONSOLE).permitAll().antMatchers(HttpMethod.POST, SecurityConstants.SYSTEM_WHITELIST).permitAll()// 其他的接口都需要认证后才能请求.anyRequest().authenticated().and()//添加自定义Filter.addFilter(new JwtAuthorizationFilter(authenticationManager(), stringRedisTemplate))// 不需要session不创建会话.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()// 授权异常处理.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint()).accessDeniedHandler(new JwtAccessDeniedHandler());// 防止H2 web 页面的Frame 被拦截http.headers().frameOptions().disable();}/*** Cors配置优化**/BeanCorsConfigurationSource corsConfigurationSource() {org.springframework.web.cors.CorsConfiguration configuration new CorsConfiguration();configuration.setAllowedOrigins(singletonList(*));// configuration.setAllowedOriginPatterns(singletonList(*));configuration.setAllowedHeaders(singletonList(*));configuration.setAllowedMethods(Arrays.asList(GET, POST, DELETE, PUT, OPTIONS));configuration.setExposedHeaders(singletonList(SecurityConstants.TOKEN_HEADER));configuration.setAllowCredentials(false);configuration.setMaxAge(3600L);UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration(/**, configuration);return source;}
}自定义Filter
Slf4j
public class JwtAuthorizationFilter extends BasicAuthenticationFilter {private final StringRedisTemplate stringRedisTemplate;// 不是 Bean, 需要手动注入public JwtAuthorizationFilter(AuthenticationManager authenticationManager, StringRedisTemplate stringRedisTemplate) {super(authenticationManager);this.stringRedisTemplate stringRedisTemplate;}Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain chain) throws IOException, ServletException {String token request.getHeader(SecurityConstants.TOKEN_HEADER);if (token null || !token.startsWith(SecurityConstants.TOKEN_PREFIX)) {SecurityContextHolder.clearContext();chain.doFilter(request, response);return;}String tokenValue token.replace(SecurityConstants.TOKEN_PREFIX, );UsernamePasswordAuthenticationToken authentication null;try {// token是否有效String previousToken stringRedisTemplate.opsForValue().get(JwtTokenUtils.getId(tokenValue));if (!token.equals(previousToken)) {SecurityContextHolder.clearContext();chain.doFilter(request, response);return;}authentication JwtTokenUtils.getAuthentication(tokenValue);} catch (JwtException e) {logger.error(Invalid jwt : e.getMessage());}// 将userName, token, authorities保存在Context中SecurityContextHolder.getContext().setAuthentication(authentication);chain.doFilter(request, response);}
}SecurityContextHolder是基于ThreadLocal实现的可以实现不同线程之间的隔离。
public class SecurityContextHolder {public static final String MODE_THREADLOCAL MODE_THREADLOCAL;public static final String MODE_INHERITABLETHREADLOCAL MODE_INHERITABLETHREADLOCAL;public static final String MODE_GLOBAL MODE_GLOBAL;public static final String SYSTEM_PROPERTY spring.security.strategy;private static String strategyName System.getProperty(spring.security.strategy);private static SecurityContextHolderStrategy strategy;private static int initializeCount 0;public SecurityContextHolder() {}private static void initialize() {if (!StringUtils.hasText(strategyName)) {strategyName MODE_THREADLOCAL;}if (strategyName.equals(MODE_THREADLOCAL)) {strategy new ThreadLocalSecurityContextHolderStrategy();} else if (strategyName.equals(MODE_INHERITABLETHREADLOCAL)) {strategy new InheritableThreadLocalSecurityContextHolderStrategy();} else if (strategyName.equals(MODE_GLOBAL)) {strategy new GlobalSecurityContextHolderStrategy();} else {try {Class? clazz Class.forName(strategyName);Constructor? customStrategy clazz.getConstructor();strategy (SecurityContextHolderStrategy)customStrategy.newInstance();} catch (Exception var2) {Exception ex var2;ReflectionUtils.handleReflectionException(ex);}}initializeCount;}
}4. 全局异常处理器
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {/*** 当用户尝试访问需要权限才能的REST资源而不提供Token或者Token错误或者过期时* 将调用此方法发送401响应以及错误信息*/Overridepublic void commence(HttpServletRequest request,HttpServletResponse response,AuthenticationException authException) throws IOException {response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());}
}public class JwtAccessDeniedHandler implements AccessDeniedHandler {/*** 当用户尝试访问需要权限才能的REST资源而权限不足的时候* 将调用此方法发送403响应以及错误信息*/Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {accessDeniedException new AccessDeniedException(Sorry you don not enough permissions to access it!);response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());}
}5. 注销流程
删除Redis中保存的token。
Service
RequiredArgsConstructor(onConstructor __(Autowired))
public class AuthService {private final UserService userService;private final StringRedisTemplate stringRedisTemplate;private final CurrentUserUtils currentUserUtils;public String createToken(LoginRequest loginRequest) {User user userService.find(loginRequest.getUsername());if (!userService.check(loginRequest.getPassword(), user.getPassword())) {throw new BadCredentialsException(The user name or password is not correct.);}JwtUser jwtUser new JwtUser(user);if (!jwtUser.isEnabled()) {throw new BadCredentialsException(User is forbidden to login);}ListString authorities jwtUser.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());String token JwtTokenUtils.createToken(user.getUserName(), user.getId().toString(), authorities, loginRequest.getRememberMe());stringRedisTemplate.opsForValue().set(user.getId().toString(), token);return token;}public void removeToken() {stringRedisTemplate.delete(currentUserUtils.getCurrentUser().getId().toString());}
}Component
RequiredArgsConstructor(onConstructor __(Autowired))
public class CurrentUserUtils {private final UserService userService;public User getCurrentUser() {return userService.find(getCurrentUserName());}private String getCurrentUserName() {Authentication authentication SecurityContextHolder.getContext().getAuthentication();if (authentication ! null authentication.getPrincipal() ! null) {return (String) authentication.getPrincipal();}return null;}
}6. 权限管理
基于PreAuthorize实现权限管理
RestController
RequiredArgsConstructor(onConstructor __(Autowired))
RequestMapping(/users)
Api(tags 用户)
public class UserController {private final UserService userService;GetMapping// 有任意角色的权限都可以访问PreAuthorize(hasAnyRole(ROLE_USER,ROLE_MANAGER,ROLE_ADMIN))ApiOperation(获取所有用户的信息分页)public ResponseEntityPageUserRepresentation getAllUser(RequestParam(value pageNum, defaultValue 0) int pageNum, RequestParam(value pageSize, defaultValue 10) int pageSize) {Authentication authentication SecurityContextHolder.getContext().getAuthentication();System.out.println(auth信息: authentication.getPrincipal().toString() 鉴权 authentication.getAuthorities().toString());System.out.println(***********);PageUserRepresentation allUser userService.getAll(pageNum, pageSize);return ResponseEntity.ok().body(allUser);}PutMappingPreAuthorize(hasAnyRole(ROLE_ADMIN))ApiOperation(更新用户)public ResponseEntityVoid update(RequestBody Valid UserUpdateRequest userUpdateRequest) {userService.update(userUpdateRequest);return ResponseEntity.ok().build();}DeleteMappingPreAuthorize(hasAnyRole(ROLE_ADMIN))ApiOperation(根据用户名删除用户)public ResponseEntityVoid deleteUserByUserName(RequestParam(username) String username) {userService.delete(username);return ResponseEntity.ok().build();}
}
