1、概述
网站系统出于安全性的考虑会对用户进行两个层面的校验:身份认证以及权限认证。这两个认证可以保证只有特定的用户才能访问特定的数据的需求。
本文先实现一个基于jwt+拦截器+redis+注解实现的简单登录验证功能。
2、设计思路
- jwt用于签发token。
- 拦截器用于拦截不合法的请求(未登录的请求)。
- redis用于存放签发好的token并设置过期时间,以及在注销的时候清空token。
- 注解用于设置哪些接口需要登录验证。
3、实现代码
代码地址:Atlantide/TestAopAuth
LoginRequired.java
package com.mytest.annotation;import java.lang.annotation.*;/*** @author Wulc* @date 2024/4/7 17:55* @description*/
//可用在方法名上
@Target({ElementType.METHOD})
//运行时有效
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface LoginRequired {
}
RedisConfig.java
package com.mytest.config;import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.cache.CacheManager;
import org.springframework.cache.annotation.CachingConfigurerSupport;
import org.springframework.cache.annotation.EnableCaching;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.cache.RedisCacheConfiguration;
import org.springframework.data.redis.cache.RedisCacheManager;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.*;import java.time.Duration;/*** @author Wulc* @date 2024/4/8 11:39* @description*/@Configuration
public class RedisConfig {@Beanpublic RedisTemplate<String, Object> redisTemplate(RedisTemplate redisTemplate) {RedisSerializer stringSerializer = new StringRedisSerializer();redisTemplate.setKeySerializer(stringSerializer);redisTemplate.setStringSerializer(stringSerializer);redisTemplate.setValueSerializer(stringSerializer);redisTemplate.setHashKeySerializer(stringSerializer);redisTemplate.setHashValueSerializer(stringSerializer);return redisTemplate;}
}
WebConfiguration.java
package com.mytest.config;import com.mytest.interceptor.AuthorityInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.format.FormatterRegistry;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.validation.MessageCodesResolver;
import org.springframework.validation.Validator;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.config.annotation.*;import java.util.List;/*** @author Wulc* @date 2024/4/7 17:39* @description*/
@Configuration
public class WebConfiguration implements WebMvcConfigurer {@Overridepublic void configurePathMatch(PathMatchConfigurer pathMatchConfigurer) {}@Overridepublic void configureContentNegotiation(ContentNegotiationConfigurer contentNegotiationConfigurer) {}@Overridepublic void configureAsyncSupport(AsyncSupportConfigurer asyncSupportConfigurer) {}@Overridepublic void configureDefaultServletHandling(DefaultServletHandlerConfigurer defaultServletHandlerConfigurer) {}@Overridepublic void addFormatters(FormatterRegistry formatterRegistry) {}// @Bean
// TestInterceptor getTestInterceptor() {
// return new TestInterceptor();
// }@BeanAuthorityInterceptor getAuthorityInterceptor() {return new AuthorityInterceptor();}@Overridepublic void addInterceptors(InterceptorRegistry interceptorRegistry) {//interceptorRegistry.addInterceptor(getTestInterceptor()).addPathPatterns("/**");//interceptorRegistry.addInterceptor(getTestInterceptor()).addPathPatterns("/test1");interceptorRegistry.addInterceptor(getAuthorityInterceptor()).addPathPatterns("/**");//this.addInterceptors(interceptorRegistry);}@Overridepublic void addResourceHandlers(ResourceHandlerRegistry resourceHandlerRegistry) {}@Overridepublic void addCorsMappings(CorsRegistry corsRegistry) {}@Overridepublic void addViewControllers(ViewControllerRegistry viewControllerRegistry) {}@Overridepublic void configureViewResolvers(ViewResolverRegistry viewResolverRegistry) {}@Overridepublic void addArgumentResolvers(List<HandlerMethodArgumentResolver> list) {}@Overridepublic void addReturnValueHandlers(List<HandlerMethodReturnValueHandler> list) {}@Overridepublic void configureMessageConverters(List<HttpMessageConverter<?>> list) {}@Overridepublic void extendMessageConverters(List<HttpMessageConverter<?>> list) {}@Overridepublic void configureHandlerExceptionResolvers(List<HandlerExceptionResolver> list) {}@Overridepublic void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> list) {}@Overridepublic Validator getValidator() {return null;}@Overridepublic MessageCodesResolver getMessageCodesResolver() {return null;}
}
LoginController.java
package com.mytest.controller;import com.mytest.jwtentity.JWTResponseData;
import com.mytest.service.LoginService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;/*** @author Wulc* @date 2024/4/8 10:50* @description*/
@RestController
@RequestMapping("/jwt")
public class LoginController {@Autowiredprivate LoginService loginService;@GetMapping("/login")@ResponseBodypublic JWTResponseData login(@RequestParam("username") String username, @RequestParam("password") String password) {return loginService.login(username, password);}@GetMapping("/loginout")@ResponseBodypublic JWTResponseData loginout(@RequestParam("username") String username) {return loginService.loginout(username);}
}
OperationController.java
package com.mytest.controller;import com.mytest.annotation.LoginRequired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;/*** @author Wulc* @date 2024/4/8 11:06* @description*/
@RestController
@RequestMapping("/operate")
public class OperationController {@GetMapping("/operate1")@LoginRequiredpublic String operate1() {return "操作1";}
}
AuthorityInterceptor.java
package com.mytest.interceptor;import com.alibaba.fastjson2.JSONObject;
import com.mytest.annotation.LoginRequired;
import com.mytest.jwtentity.JWTResponseData;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;/*** @author Wulc* @date 2024/4/7 17:56* @description*/
public class AuthorityInterceptor extends HandlerInterceptorAdapter {@Autowired@Qualifier("redisTemplate")private RedisTemplate<String, Object> redisTemplate;@Overridepublic boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {String path = request.getServletPath();// 如果不是映射到方法直接通过if (!(handler instanceof HandlerMethod)) {return true;}// ①:START 方法注解级拦截器HandlerMethod handlerMethod = (HandlerMethod) handler;Method method = handlerMethod.getMethod();// 判断接口是否需要登录LoginRequired methodmethodAnnotation = method.getAnnotation(LoginRequired.class);// 有 @LoginRequired 注解,需要认证if (methodmethodAnnotation != null) {// 这写你拦截需要干的事儿,比如取缓存,SESSION,权限判断等System.out.println("触发了注解拦截器:" + path);String username = request.getParameter("username");String bearToken = request.getHeader("Authorization");String token = bearToken.substring(7, bearToken.length());String loginToken = "";if (redisTemplate.opsForValue().get(username) == null) {System.out.println("用户未登录");returnJson(response, JSONObject.toJSONString(new JWTResponseData(401, "未登录", "用户未登录", "")));return false;}loginToken = redisTemplate.opsForValue().get(username).toString();if (token.equals(loginToken)) {return true;} else {System.out.println("用户未登录");returnJson(response, JSONObject.toJSONString(new JWTResponseData(401, "未登录", "用户未登录", "")));return false;}}return true;}private void returnJson(HttpServletResponse response, String json) throws Exception {PrintWriter writer = null;response.setCharacterEncoding("UTF-8");response.setContentType("text/html; charset=utf-8");try {writer = response.getWriter();writer.print(json);} catch (IOException e) {//logger.error("response error", e);} finally {if (writer != null) {writer.close();}}}
}
JWTResponseData.java
package com.mytest.jwtentity;import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;/*** 发送给客户端的数据对象。* 商业开发中,一般除特殊请求外,大多数的响应数据都是一个统一类型的数据。* 统一数据有统一的处理方式。便于开发和维护。*/
@AllArgsConstructor
@NoArgsConstructor
@Data
public class JWTResponseData {//返回码,类似HTTP响应码。如:200成功,500服务器错误,404资源不存在等。private Integer code;//业务数据private Object data;//返回描述private String msg;//身份标识, JWT生成的令牌。private String token;
}
LoginServiceImpl.java
package com.mytest.service.impl;import com.mytest.jwtentity.JWTResponseData;
import com.mytest.service.LoginService;
import com.mytest.utils.JWTUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Service;import javax.annotation.Resource;
import java.util.UUID;
import java.util.concurrent.TimeUnit;/*** @author Wulc* @date 2024/4/8 10:58* @description*/
@Service
public class LoginServiceImpl implements LoginService {@Autowired@Qualifier("redisTemplate")private RedisTemplate<String, Object> redisTemplate;@Overridepublic JWTResponseData login(String username, String password) {JWTResponseData responseData = null;if (username.equals("wulc") && password.equals("123")) {String jwtToken = JWTUtils.createJWT(UUID.randomUUID().toString(), "sxt-test-jwt",username, 1 * 60 * 1000);//设置token过期时间redisTemplate.opsForValue().set(username, jwtToken, 60, TimeUnit.SECONDS);responseData = new JWTResponseData();responseData.setCode(200);responseData.setData(null);responseData.setMsg("登录成功");responseData.setToken(jwtToken);} else {responseData = new JWTResponseData();responseData.setCode(500);responseData.setData(null);responseData.setMsg("登录失败");responseData.setToken(null);}return responseData;}@Overridepublic JWTResponseData loginout(String username) {redisTemplate.opsForValue().set(username, "");return new JWTResponseData(200, username, "退出登录", "");}
}
LoginService.java
package com.mytest.service;import com.mytest.jwtentity.JWTResponseData;/*** @author Wulc* @date 2024/4/8 10:58* @description*/
public interface LoginService {JWTResponseData login(String username, String password);JWTResponseData loginout(String username);
}
JWTUtils.java
package com.mytest.utils;import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.*;import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.util.Date;/*** @author Wulc* @date 2024/4/8 10:43* @description*/
public class JWTUtils {private static final String JWT_SECERT = "test_jwt_secert";private static final ObjectMapper MAPPER = new ObjectMapper();//Token过期public static final int JWT_ERRCODE_EXPIRE = 1005;//验证不通过public static final int JWT_ERRCODE_FAIL = 1006;public static SecretKey generalKey() {try {byte[] encodedKey = JWT_SECERT.getBytes("UTF-8");SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");return key;} catch (Exception e) {e.printStackTrace();return null;}}/*** 签发JWT,创建token的方法。** @param id jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击。* @param iss jwt签发者* @param subject jwt所面向的用户。payload中记录的public claims。当前环境中就是用户的登录名。* @param ttlMillis 有效期,单位毫秒* @return token, token是一次性的。是为一个用户的有效登录周期准备的一个token。用户退出或超时,token失效。* @throws Exception*/public static String createJWT(String id, String iss, String subject, long ttlMillis) {//加密算法SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;//当前时间。long nowMillis = System.currentTimeMillis();//当前时间的日期对象。Date now = new Date(nowMillis);SecretKey secretKey = generalKey();//创建JWT的构建器。 就是使用指定的信息和加密算法,生成Token的工具。JwtBuilder builder = Jwts.builder()//设置身份标志。就是一个客户端的唯一标记。 如:可以使用用户的主键,客户端的IP,服务器生成的随机数据。.setId(id).setIssuer(iss).setSubject(subject)//token生成的时间(签发时间)。.setIssuedAt(now)//设定密匙和算法.signWith(signatureAlgorithm, secretKey);if (ttlMillis >= 0) {long expMillis = nowMillis + ttlMillis;// token的失效时间。Date expDate = new Date(expMillis);builder.setExpiration(expDate);}//生成tokenreturn builder.compact();}}
ApplicationStarter.java
package com.mytest;import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;/*** @author Wulc* @date 2024/4/7 13:56* @description*/
@SpringBootApplication
public class ApplicationStarter {public static void main(String[] args) {SpringApplication.run(ApplicationStarter.class, args);}
}
application.yml
server:port: 8080spring:redis:port: 6379database: 0host: 127.0.0.1password:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>org.example</groupId><artifactId>TestAopAuth</artifactId><version>1.0-SNAPSHOT</version><properties><maven.compiler.source>8</maven.compiler.source><maven.compiler.target>8</maven.compiler.target><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><!-- <springframework.version>1.5.4.RELEASE</springframework.version>--><!-- <springframework.version1>2.2.1.RELEASE</springframework.version1>--><springframework.version>2.2.1.RELEASE</springframework.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><version>${springframework.version}</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId><version>${springframework.version}</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><version>${springframework.version}</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-aop</artifactId><version>${springframework.version}</version></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>1.18.20</version><scope>compile</scope></dependency><!-- JWT核心依赖 --><dependency><groupId>com.auth0</groupId><artifactId>java-jwt</artifactId><version>3.3.0</version></dependency><!-- java开发JWT的依赖jar包。 --><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.0</version></dependency><!-- redis --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId><!-- <version>2.7.8</version>--><version>${springframework.version}</version></dependency><!-- https://mvnrepository.com/artifact/com.alibaba.fastjson2/fastjson2 --><dependency><groupId>com.alibaba.fastjson2</groupId><artifactId>fastjson2</artifactId><version>2.0.47</version></dependency><!-- spring2.X集成redis所需common-pool2--><dependency><groupId>org.apache.commons</groupId><artifactId>commons-pool2</artifactId><version>2.6.0</version></dependency></dependencies>
</project>
4、演示
程序启动后,对于未登录或者登录信息过期的用户如果想访问/operate/operate1接口的话,会因为token校验不通过而被拦截器阻拦。
访问/jwt/login实现用户登录,并获取token。
登录获取到token后,用这个最新的token,访问/operate/operate1接口,则此时token校验通过,拦截器放行,进入了/operate/operate1接口。
5、总结
鉴权系统是一个非常复杂的系统,登录验证只是第一步,也是最简单的一步。因为年前公司有组织过关于鉴权系统的培训,因此就顺便学习整理一下鉴权系统的设计。这里先简单实现一个登录验证的demo。后续还有权限结构的划分与设计,以及鉴权系统的高可用性保证。等后面有空了再写。
6、参考资料
SSO单点登录 - 多系统,单一位置登录,实现多系统同时登录_哔哩哔哩_bilibili
https到底把什么加密了? - 知乎
Windows下如何查看某个端口被谁占用 | 菜鸟教程
Spring自定义注解的使用(实现切面aspect)_spring aspect-CSDN博客
Spring AOP切入点@Pointcut -- execution表达式_pointcut execution-CSDN博客
Spring AOP代码实现:实例演示与注解全解_springaop代码示例-CSDN博客
Spring AOP - 注解方式使用介绍(长文详解) - 掘金
springboot 配置拦截器超详细介绍_springboot设置拦截器-CSDN博客
