directory

The background,

Base JAR dependencies are introduced

3. Security module

1. Write configuration classes

2, UnauthorizedHandler code

3. Security Verifies the user name and password

4. JWT module

1. JWT Principle part

2. JWT requires four classes

Five, the summary


The background,

To do a background management system, will introduce multiple systems, which need to do user authentication and authority management. User authentication through token to achieve, there are a lot of technology on the market, I only here to explain a security+ JWT implementation process, there is no page, the need to do the page of the students to achieve their own.

Some easy points into the pit, I read other materials did not say too clearly, here to record, I hope to help the students who jump into the pit.

Base JAR dependencies are introduced

<! -- security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <! --> <dependency> <groupId> IO. Jsonwebtoken </groupId> <artifactId> JJWT </artifactId> <version>0.91.</version>
</dependency>
Copy the code

Conclusion:

I saw some posts also introduced JJWT API and IMPL package, which I did not use here. The realization of permission control and token verification is completely sufficient

3. Security module

1. Write configuration classes

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Operate the user
    @Autowired
    FfUserService ffUserService;

    / / token validation
    @Autowired
    JwtAuthenPreFilter jwtAuthenPreFilter;

    /** * Token is abnormal */
    @Autowired
    UnauthorizedHandler unauthorizedHandler;

    // Configure the permit policy
    @Value("${jwt.security.antMatchers}")
    private String antMatchers;


    /** * Password encryption algorithm **@return* /
    @Bean
    public PasswordEncoder passwordEncoder(a) {
        return new BCryptPasswordEncoder(10);
    }

    /** * verify the user's source, mainly to verify the account and password **@param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(ffUserService).passwordEncoder(passwordEncoder());
    }

    /** * Ignore policy *@param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(antMatchers.split(","));
    }

    /** * User authorization *@param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()       // All validations need validation
                .and()
                .csrf().disable()                      // Disable Spring Security's built-in cross-domain processing
// Customize our own session policy: adjust it so that Spring Security does not create or use sessions
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler);
        // Add the custom filter before the specified filter
        http.addFilterBefore(jwtAuthenPreFilter, FilterSecurityInterceptor.class);
        // Disable cachinghttp.headers().cacheControl(); }}Copy the code

Conclusion:

  • Those that need to be released can be configured in two places. The first one is shown in the figure above. The second can be configured in the second configure. Such as: antMatchers (antMatchers. The split () “, “). The permitAll ()
  • In the second configure here especially pay attention to the order of the configuration, exceptionHandling () authenticationEntryPoint (myAuthenticationEntryPoint ()) if can lead to a release strategy is not effective in front.
  • Security is authenticated by the user name and password, which may not meet the actual service requirements. Therefore, to extend the security, the front end separation is commonly used based on userToken, that is, the user-defined jwtAuthenPreFilter above
  • AddFilterAfter: Adds a custom filter after the specified filter
  • AddFilterBefore: Adds a custom filter before the specified filter
  • AddFilter: Add a filter, but it must be an instance or subfilter provided by Spring Security itself
  • AddFilterAt: Adds a filter at the specified filter location

2, UnauthorizedHandler code

@Component
@Slf4j
public class UnauthorizedHandler implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        // The user failed to be authenticated during login
        if(e instanceof BadCredentialsException){
            // Failed to authenticate the user during login
            ResultUtil.writeJavaScript(httpServletResponse, ErrorCodeEnum.TOKEN_INVALID.getCode(), e.getMessage());
        }else if (e instanceof InsufficientAuthenticationException){
            // The Authorization pass is a token value, so the Authorization parameter is required
            ResultUtil.writeJavaScript(httpServletResponse, ErrorCodeEnum.NO_TOKEN.getCode(), ErrorCodeEnum.NO_TOKEN.getMessage());
        }else{
            // The user token is invalidResultUtil.writeJavaScript(httpServletResponse, ErrorCodeEnum.TOKEN_INVALID.getCode(), ErrorCodeEnum.TOKEN_INVALID.getMessage()); }}}Copy the code

Note:

  • The logical exception in the interface should be caught, otherwise it will be intercepted token exception is not beautiful, can also improve the class.
  • It is also possible to extend a separate exception handling module to handle business exceptions in a unified manner. However, I still recommend handling business exceptions separately according to business scenarios. It is not always a good thing to pursue uniform handling.

3. Security Verifies the user name and password

  • There is a lot of information on the Internet

4. JWT module

1. JWT Principle part

  • There is a lot of information on the Internet

2. JWT requires four classes

  • JwtAuthenPreFilter: Token verification and related services, which can be implemented according to your own project
@Component
@Slf4j
public class JwtAuthenPreFilter extends OncePerRequestFilter {

    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    //@Autowired
    //private RedisUtil redisUtil;
    /** * prevents filter from being executed twice */
    private static final String FILTER_APPLIED = "__spring_security_JwtAuthenPreFilter_filterApplied";

    @Value("${jwt.header:Authorization}")
    private String tokenHeader;

    @Value("${jwt.tokenHead:Bearer}")
    private String tokenHead;
    /** * How long before expiration to refresh token */
    @Value("${jwt.token.subRefresh:#{10*60}}")
    private Long subRefresh;
    // Interface that does not require authentication
    @Value("${jwt.security.antMatchers}")
    private String antMatchers;
    @Autowired
    private FfUserService ffUserService ;

    public JwtAuthenPreFilter(a) {}@Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {

        if(httpServletRequest.getAttribute(FILTER_APPLIED) ! =null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        httpServletRequest.setAttribute(FILTER_APPLIED, true);

        // Filter out urls that do not require token authentication
        SkipPathAntMatcher skipPathRequestMatcher = new SkipPathAntMatcher(Arrays.asList(antMatchers.split(",")));
        if (skipPathRequestMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            try {
                Check whether the token is valid 2. Check whether the token is expired 3. If the token is not expired and the expiration time is less than 10 minutes, and a new header is returned in response, the client needs to replace the token
                String authHeader = httpServletRequest.getHeader(this.tokenHeader);
                if(authHeader ! =null && authHeader.startsWith(tokenHead)) {
                    final String authToken = authHeader.substring(tokenHead.length());
                    JWTUserDetail userDetail = jwtTokenUtil.getUserFromToken(authToken);
                    if (ObjectUtils.isEmpty(userDetail)) {
                        log.info("Invalid token, parsing failed {}!", authToken);
                        throw new BadCredentialsException(ErrorCodeEnum.TOKEN_INVALID.getMessage());
                    }
                    if (jwtTokenUtil.isTokenExpired(authToken)) {
                        log.info("The token is invalid! {}", authToken);
                        throw new BadCredentialsException(ErrorCodeEnum.TOKEN_INVALID.getMessage());
                    }

                    // The token is about to expire. New tokens are generated and set to the return header. The client replaces the original value if it finds one in each restful request
                    if (new Date(System.currentTimeMillis() - subRefresh).after(jwtTokenUtil.getExpirationDateFromToken(authToken))) {
                        String resAuthToken = jwtTokenUtil.generateToken(userDetail);
                        httpServletResponse.setHeader(tokenHeader, tokenHead + resAuthToken);
                    }
                    JwtTokenUtil.LOCAL_USER.set(userDetail);
                    UserDetails userDetails = ffUserService.loadUserByUsername(userDetail.getLoginName());
                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                } else {
                    // No user token is required
                    log.info("No header request -->" + httpServletRequest.getRequestURI());
                    throw newInsufficientAuthenticationException(ErrorCodeEnum.NO_TOKEN.getMessage()); }}catch (Exception e) {
                //log.info(" Token parsing failed!" , e);
                throw new BadCredentialsException(ErrorCodeEnum.TOKEN_INVALID.getMessage());
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            // Clear after the call is completeJwtTokenUtil.LOCAL_USER.remove(); }}}Copy the code
  • JWTUserDetail: The token is converted to the user class
@Data
public class JWTUserDetail implements Serializable {
    /** * login user id */
    private long userId;
    /** * Login user account name (may be mobile phone number, email or name user dimension unique) */
    private String loginName;
    /** * Login user type */
    private UserType userType;
    /** * login user credentials */
    private String jwtToken;
    /** * login time */
    private Date loginTime;

    private static ObjectMapper mapper = new ObjectMapper();
    public enum UserType {
        User("USER".1),
        Operator("OPT".2),
        Erp("ERP".3);

        private String name;
        private int index;

        private UserType(String name, int index) {
            this.name = name;
            this.index = index;
        }
        @Override
        public String toString(a) {
            return this.name;
        }

        public static String getName(int index) {
            for (UserType c : UserType.values()) {
                if (c.getIndex() == index) {
                    returnc.getName(); }}return null;
        }

        public String getName(a) {
            return name;
        }

        public int getIndex(a) {
            returnindex; }}public static JWTUserDetail fromJson(String json) throws JsonProcessingException {
        return mapper.readValue(json,JWTUserDetail.class);//JSONObject.parseObject(json, JWTUserDetail.class);
    }
    public String toJson(a) throws JsonProcessingException {
        return mapper.writeValueAsString(this);//.toJSONString(this);}}Copy the code
  • JwtTokenUtil: Token tool
@Component
public class JwtTokenUtil implements Serializable {
    private static final long serialVersionUID = -5883980282405596071L;

    public static final ThreadLocal<JWTUserDetail> LOCAL_USER = new ThreadLocal<>();

    public final static String JWT_TOKEN_PREFIX = "jwt:%s:%d";


    private final String JWT_LOGIN_NAME = "JWT_LOGIN_NAME";
    private final String JWT_LOGIN_TIME = "JWT_LOGIN_TIME";
    private final String JWT_LOGIN_USERID = "JWT_LOGIN_USERID";
    private final String JWT_LOGIN_USERTYPE = "JWT_LOGIN_USERTYPE";
    // Signature mode
    private final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.HS256;
    / / key
    @Value("${jwt.security.secret}")
    private String secret;

    @Value("${jwt.access_token:#{30*24*60*60}}")
    private Long access_token_expiration;

    public String getLoginNameFromToken(String token) {
        return getClaimsFromToken(token).getSubject();
    }

    /** * Obtain user information based on token */
    public JWTUserDetail getUserFromToken(String token) {
        JWTUserDetail jwtUserDetails = new JWTUserDetail();
        Claims claims = getClaimsFromToken(token);
        jwtUserDetails.setUserId(claims.get(JWT_LOGIN_USERID, Long.class));
        jwtUserDetails.setLoginName(claims.get(JWT_LOGIN_NAME, String.class));
        jwtUserDetails.setUserType(Enum.valueOf(JWTUserDetail.UserType.class, (String) claims.get(JWT_LOGIN_USERTYPE)));
        jwtUserDetails.setLoginTime(new Date(claims.get(JWT_LOGIN_TIME, Long.class)));
        jwtUserDetails.setJwtToken(token);
        return jwtUserDetails;
    }

    /** * Generate token ** based on user information@param user
     * @return* /
    public String generateToken(JWTUserDetail user) {
        Map<String, Object> claims = new HashMap<>();
        claims.put(JWT_LOGIN_NAME, user.getLoginName());
        claims.put(JWT_LOGIN_TIME, user.getLoginTime());
        claims.put(JWT_LOGIN_USERID, user.getUserId());
        claims.put(JWT_LOGIN_USERTYPE, user.getUserType());
        return Jwts.builder()
                // A map can store things in resources
                .setClaims(claims)
                // Write the user name to the title
                .setSubject(user.getLoginName())
                .setId(UUID.randomUUID().toString())
                .setIssuedAt(new Date())
                // Expiration time
                .setExpiration(new Date(System.currentTimeMillis() + access_token_expiration * 1000))
                // Digital signature
                .signWith(SIGNATURE_ALGORITHM, secret)
                .compact();
    }
    /** * Get the generation time based on the token */
    public Date getCreatedDateFromToken(String token) {
        return getClaimsFromToken(token).getIssuedAt();
    }

    /** * Obtain expiration time based on token */
    public Date getExpirationDateFromToken(String token) {
        return getClaimsFromToken(token).getExpiration();
    }

    /** * Whether the token expires */
    public Boolean isTokenExpired(String token) {
        return getExpirationDateFromToken(token).before(new Date());
    }

    /*** * Parses token information *@param token
     * @return* /
    private Claims getClaimsFromToken(String token) {
        return Jwts.parser()
                // The signature key
                .setSigningKey(secret)
                / / signature token.parseClaimsJws(token) .getBody(); }}Copy the code
  • SkipPathAntMatcher: indicates the permit policy for token verification
@Slf4j
public class SkipPathAntMatcher implements RequestMatcher {
    private List<String> pathsToSkip;

    public SkipPathAntMatcher(List<String> pathsToSkip) {
        this.pathsToSkip = pathsToSkip;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        if(! ObjectUtils.isEmpty(pathsToSkip)) {for (String s : pathsToSkip) {
                AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher(s);
                if (antPathRequestMatcher.matches(request)) {
                    return true; }}}return false; }}Copy the code

Five, the summary

  • Both the security and token filters must be configured in the permit policy.
  • Security is to verify whether the URL has permission to access or directly release. I do not write user roles and permissions here, because I plan to return different menus for different roles later, which can be distinguished by menus. It can be set separately if your business needs it
  • The token filter configures whether the token is valid for this request. The token is also allowed if the token is security. For example, the login and registration page, then the user does not have any permission, so they are allowed.