Spring Security Demo

quding · quding · commit cf06116f4e8e · 2017-06-30T12:24:28.000+08:00
diff --git a/README.MD b/README.MD
@@ -63,5 +63,9 @@ SpringDataRedis学习的一个Demo,内容不多,配合博文:[redis学习记录(
 --------------
 增加Motan-Demo,一个基本的RPC调用Demo
 
-15.待添加
+15.Spring-Security-Demo
+--------------
+增加Spring Security Demo,项目中使用了JWT Token验证机制,该项目可以很好的了解整个流程的作用,需要配合我博客中Spring Security相关博文食用.
+
+16.待添加
 --------------
diff --git a/Spring-Security-Demo/pom.xml b/Spring-Security-Demo/pom.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>cn.mrdear.security</groupId>
+    <artifactId>Spring-Security-Demo</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.4.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <!--jwt依赖-->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>0.7.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.5</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>21.0</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/Application.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/Application.java
@@ -0,0 +1,17 @@
+package cn.mrdear.servuity;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author Niu Li
+ * @since 2017/6/16
+ */
+@SpringBootApplication
+public class Application {
+
+  public static void main(String[] args) {
+    SpringApplication.run(Application.class, args);
+  }
+
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/CommonBeanConfig.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/CommonBeanConfig.java
@@ -0,0 +1,23 @@
+package cn.mrdear.servuity.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import cn.mrdear.servuity.util.JwtTokenUtil;
+
+/**
+ * 配置一些线程安全的工具类
+ * @author Niu Li
+ * @since 2017/6/28
+ */
+@Configuration
+public class CommonBeanConfig {
+
+  /**
+   * 配置jwt token
+   */
+  @Bean
+  public JwtTokenUtil configToken() {
+    return new JwtTokenUtil();
+  }
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/CorsFilter.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/CorsFilter.java
@@ -0,0 +1,40 @@
+package cn.mrdear.servuity.config;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+
+
+public class CorsFilter implements javax.servlet.Filter {
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    System.err.println("CorsFilter");
+    HttpServletResponse res = (HttpServletResponse) response;
+    HttpServletRequest req = (HttpServletRequest) request;
+
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Accept-Language, Host, Referer, Connection, User-Agent, authorization, sw-useragent, sw-version");
+
+    // Just REPLY OK if request method is OPTIONS for CORS (pre-flight)
+    if (req.getMethod().equals("OPTIONS")) {
+      res.setStatus(HttpServletResponse.SC_OK);
+      return;
+    }
+    chain.doFilter(request, response);
+  }
+
+  @Override
+  public void destroy() {
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+  }
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/SecurityConfig.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/SecurityConfig.java
@@ -0,0 +1,64 @@
+package cn.mrdear.servuity.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.NullSecurityContextRepository;
+
+import cn.mrdear.servuity.util.JwtTokenUtil;
+
+import javax.annotation.Resource;
+
+/**
+ * Spring Security配置类
+ * @author Niu Li
+ * @since 2017/6/16
+ */
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Resource
+  private JwtTokenUtil jwtTokenUtil;
+
+  /**
+   * 在此配置不过滤的请求
+   */
+  @Override
+  public void configure(WebSecurity web) throws Exception {
+    //每一个请求对应一个空的filter链,这里一般不要配置过多,
+    // 因为查找处是一个for循环,过多就导致每个请求都需要循环一遍直到找到
+    web.ignoring().antMatchers("/","/login","/favicon.ico");
+  }
+
+  /**
+   * 在此配置过滤链
+   */
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http
+        .authorizeRequests()
+        //角色定义,Spring Security会在其前面自动加上ROLE_,因此存储权限的时候也要加上ROLE_ADMIN
+        .antMatchers("/detail").access("hasRole('ADMIN')")
+        .anyRequest().permitAll().and()
+        //异常处理,可以再此使用entrypoint来定义错误输出
+        .exceptionHandling().and()
+        //不需要session来控制,所以这里可以去掉
+        .securityContext().securityContextRepository(new NullSecurityContextRepository()).and()
+        //开启匿名访问
+        .anonymous().and()
+        //退出登录自己来控制
+        .logout().disable()
+        //因为没用到cookies,所以关闭cookies
+        .csrf().disable()
+        //允许跨域
+        .addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class)
+        //验证token
+        .addFilterBefore(new VerifyTokenFilter(jwtTokenUtil),
+            UsernamePasswordAuthenticationFilter.class);
+  }
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/VerifyTokenFilter.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/config/VerifyTokenFilter.java
@@ -0,0 +1,46 @@
+package cn.mrdear.servuity.config;
+
+import lombok.extern.slf4j.Slf4j;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import cn.mrdear.servuity.util.JwtTokenUtil;
+import io.jsonwebtoken.JwtException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.Optional;
+
+/**
+ *  jwt token验证类,验证成功后设置进去SecurityContext中
+ * @author Niu Li
+ * @since 2017/6/28
+ */
+@Slf4j
+public class VerifyTokenFilter extends OncePerRequestFilter {
+
+  private JwtTokenUtil jwtTokenUtil;
+
+  public VerifyTokenFilter(JwtTokenUtil jwtTokenUtil) {
+    this.jwtTokenUtil = jwtTokenUtil;
+  }
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+    try {
+      Optional<Authentication> authentication = jwtTokenUtil.verifyToken(request);
+      log.debug("VerifyTokenFilter result: {}",authentication.orElse(null));
+      SecurityContextHolder.getContext().setAuthentication(authentication.orElse(null));
+      filterChain.doFilter(request,response);
+    } catch (JwtException e) {
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      //可以在这里指定重定向还是返回错误接口示例
+    }
+  }
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/controller/LoginCntroller.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/controller/LoginCntroller.java
@@ -0,0 +1,65 @@
+package cn.mrdear.servuity.controller;
+
+import com.google.common.collect.Lists;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import cn.mrdear.servuity.dto.TokenUserDTO;
+import cn.mrdear.servuity.util.JwtTokenUtil;
+
+import javax.annotation.Resource;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * @author Niu Li
+ * @since 2017/6/19
+ */
+@RestController
+public class LoginCntroller {
+
+  @Resource
+  private JwtTokenUtil jwtTokenUtil;
+
+  /**
+   * 该链接获取token
+   */
+  @GetMapping("/login")
+  public Map login(String username, String password) {
+    Map<String, Object> map = new HashMap<>();
+    if (!StringUtils.equals(username, "demo") || !StringUtils.equals(password, "demo")) {
+      map.put("status", 4);
+      map.put("msg", "登录失败,用户名密码错误");
+      return map;
+    }
+    TokenUserDTO userDTO = new TokenUserDTO();
+    userDTO.setUsername(username);
+    userDTO.setRoles(Lists.newArrayList("ROLE_ADMIN"));
+    userDTO.setId(1L);
+    userDTO.setEmail("1015315668@qq.com");
+    userDTO.setAvatar("ahahhahahhaha");
+    map.put("status", 1);
+    map.put("msg", "Success");
+    map.put("token", jwtTokenUtil.create(userDTO));
+    return map;
+  }
+
+  /**
+   * 该链接尝试获取登录用户,返回该认证用户的信息,请求该链接需要在header中放入x-authorization: token
+   */
+  @GetMapping("/detail")
+  public TokenUserDTO userDetail() {
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+    if (Objects.isNull(authentication)) {
+      return null;
+    }
+    return (TokenUserDTO) authentication.getDetails();
+  }
+
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/dto/TokenUserAuthentication.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/dto/TokenUserAuthentication.java
@@ -0,0 +1,63 @@
+package cn.mrdear.servuity.dto;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import java.util.Collection;
+import java.util.stream.Collectors;
+
+/**
+ * Spring Security中存放的认证用户
+ * @author Niu Li
+ * @since 2017/6/28
+ */
+public class TokenUserAuthentication implements Authentication {
+
+  private static final long serialVersionUID = 3730332217518791533L;
+
+  private TokenUserDTO userDTO;
+
+  private Boolean authentication = false;
+
+  public TokenUserAuthentication(TokenUserDTO userDTO, Boolean authentication) {
+    this.userDTO = userDTO;
+    this.authentication = authentication;
+  }
+
+  @Override
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+    return userDTO.getRoles().stream()
+        .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
+  }
+
+  @Override
+  public Object getCredentials() {
+    return userDTO.getPassword();
+  }
+
+  @Override
+  public Object getDetails() {
+    return userDTO;
+  }
+
+  @Override
+  public Object getPrincipal() {
+    return userDTO.getUsername();
+  }
+
+  @Override
+  public boolean isAuthenticated() {
+    return authentication;
+  }
+
+  @Override
+  public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+    this.authentication = isAuthenticated;
+  }
+
+  @Override
+  public String getName() {
+    return userDTO.getUsername();
+  }
+}
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/dto/TokenUserDTO.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/dto/TokenUserDTO.java
diff --git a/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/util/JwtTokenUtil.java b/Spring-Security-Demo/src/main/java/cn/mrdear/servuity/util/JwtTokenUtil.java
diff --git a/Spring-Security-Demo/src/main/resources/application.properties b/Spring-Security-Demo/src/main/resources/application.properties
