应用系统定制开发SpringCloud gateway+Spring Security + JWT实现登录和用户权限校验

引言

应用系统定制开发原本打算将Security模块与gateway应用系统定制开发模块分开写的,但想到gateway应用系统定制开发本来就有过滤的作用 ,于是就把gateway和Security应用系统定制开发结合在一起了,然后结合JWT应用系统定制开发令牌对用户身份和权限进行校验。

Spring Cloud应用系统定制开发的网关与传统的SpringMVC不同,gateway是基于Netty容器,采用的webflux技术,所以gateway应用系统定制开发模块不能引入spring web包。应用系统定制开发虽然是不同,但是在SpringMVC模式下的Security实现步骤和流程都差不多。

依赖

Spring  cloud gateway模块依赖

  1. <dependency>
  2.             <groupId>org.springframework.cloud</groupId>
  3.             <artifactId>spring-cloud-starter</artifactId>
  4.         </dependency>
  5.         <dependency>
  6.             <groupId>org.springframework.cloud</groupId>
  7.             <artifactId>spring-cloud-starter-gateway</artifactId>
  8.         </dependency>
  9.         <dependency>
  10.             <groupId>org.springframework.cloud</groupId>
  11.             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
  12.         </dependency>
  13.  
  14.         <!--JWT的依赖-->
  15.         <dependency>
  16.             <groupId>com.auth0</groupId>
  17.             <artifactId>java-jwt</artifactId>
  18.             <version>3.4.0</version>
  19.         </dependency>
  20.         <dependency>
  21.             <groupId>com.fasterxml.jackson.datatype</groupId>
  22.             <artifactId>jackson-datatype-jsr310</artifactId>
  23.         </dependency>
  24.  
  25.         <dependency>
  26.             <groupId>org.springframework.boot</groupId>
  27.             <artifactId>spring-boot-starter-data-redis</artifactId>
  28.         </dependency>
  29.         <dependency>
  30.             <groupId>redis.clients</groupId>
  31.             <artifactId>jedis</artifactId>
  32.             <type>jar</type>
  33.         </dependency>
  34.         <dependency>
  35.             <groupId>org.springframework.data</groupId>
  36.             <artifactId>spring-data-redis</artifactId>
  37.         </dependency>

代码基本结构

认证执行流程

一、Token工具类

  1. public class JWTUtils {
  2.     private final static String SING="XIAOYUAN";
  3.     public static String creatToken(Map<String,String> payload,int expireTime){
  4.         JWTCreator.Builder builder= JWT.create();
  5.         Calendar instance=Calendar.getInstance();//获取日历对象
  6.         if(expireTime <=0)
  7.         instance.add(Calendar.SECOND,3600);//默认一小时
  8.         else
  9.             instance.add(Calendar.SECOND,expireTime);
  10.         //为了方便只放入了一种类型
  11.         payload.forEach(builder::withClaim);
  12.         return builder.withExpiresAt(instance.getTime()).sign(Algorithm.HMAC256(SING));
  13.     }
  14.     public static Map<String, Object> getTokenInfo(String token){
  15.         DecodedJWT verify = JWT.require(Algorithm.HMAC256(SING)).build().verify(token);
  16.         Map<String, Claim> claims = verify.getClaims();
  17.         SimpleDateFormat dateTime = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
  18.         String expired= dateTime.format(verify.getExpiresAt());
  19.         Map<String,Object> m=new HashMap<>();
  20.         claims.forEach((k,v)-> m.put(k,v.asString()));
  21.         m.put("exp",expired);
  22.         return m;
  23.  
  24.     }
  25. }

二、自定义User并且实现Spring Security的User接口,以及实现UserDetail接口

 
  1. public class SecurityUserDetails extends User implements Serializable {
  2.  
  3.     private Long userId;
  4.  
  5.     public SecurityUserDetails(String username, String password, Collection<? extends GrantedAuthority> authorities, Long userId) {
  6.         super(username, password, authorities);
  7.         this.userId = userId;
  8.     }
  9.  
  10.     public SecurityUserDetails(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities, Long userId) {
  11.         super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
  12.         this.userId = userId;
  13.     }
  14.  
  15.     public Long getUserId() {
  16.         return userId;
  17.     }
  18.  
  19.     public void setUserId(Long userId) {
  20.         this.userId = userId;
  21.     }
  22. }
 
  1.  
  2. @Component("securityUserDetailsService")
  3. @Slf4j
  4. public class SecurityUserDetailsService implements ReactiveUserDetailsService {
  5.     private final PasswordEncoder passwordEncoder= new BCryptPasswordEncoder();;
  6.     @Override
  7.     public Mono<UserDetails> findByUsername(String username) {
  8.         //调用数据库根据用户名获取用户
  9.         log.info(username);
  10.         if(!username.equals("admin")&&!username.equals("user"))
  11.                 throw new UsernameNotFoundException("username error");
  12.         else {
  13.             Collection<GrantedAuthority> authorities = new ArrayList<>();
  14.             if (username.equals("admin"))
  15.             authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));//ROLE_ADMIN
  16.             if (username.equals("user"))
  17.                 authorities.add(new SimpleGrantedAuthority("ROLE_USER"));//ROLE_ADMIN
  18.             SecurityUserDetails securityUserDetails = new SecurityUserDetails(username,"{bcrypt}"+passwordEncoder.encode("123"),authorities,1L);
  19.             return Mono.just(securityUserDetails);
  20.         }
  21.  
  22.     }
  23. }
 
这里我为了方便测试,只设置了两个用户,admin和晢user,用户角色也只有一种。
 
二、AuthenticationSuccessHandler,定义认证成功类
 
  1. @Component
  2. @Slf4j
  3. public class AuthenticationSuccessHandler extends WebFilterChainServerAuthenticationSuccessHandler {
  4.     @Value("${login.timeout}")
  5.     private int timeout=3600;//默认一小时
  6.     private final int rememberMe=180;
  7.     @Autowired
  8.     private RedisTemplate<String, Object> redisTemplate;
  9.  
  10.     @SneakyThrows
  11.     @Override
  12.     public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
  13.         ServerWebExchange exchange = webFilterExchange.getExchange();
  14.         ServerHttpResponse response = exchange.getResponse();
  15.         //设置headers
  16.         HttpHeaders httpHeaders = response.getHeaders();
  17.         httpHeaders.add("Content-Type", "application/json; charset=UTF-8");
  18.         httpHeaders.add("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
  19.         //设置body
  20.         HashMap<String, String> map = new HashMap<>();
  21.         String remember_me=exchange.getRequest().getHeaders().getFirst("Remember-me");
  22.  
  23.         ObjectMapper mapper = new ObjectMapper();
  24.         List<? extends GrantedAuthority> list=authentication.getAuthorities().stream().toList();
  25.           try {
  26.             Map<String, String> load = new HashMap<>();
  27.             load.put("username",authentication.getName());
  28.             load.put("role",list.get(0).getAuthority());//这里只添加了一种角色 实际上用户可以有不同的角色类型
  29.             String token;
  30.             log.info(authentication.toString());
  31.             if (remember_me==null) {
  32.                 token=JWTUtils.creatToken(load,3600*24);
  33.                 response.addCookie(ResponseCookie.from("token", token).path("/").build());
  34.                 //maxAge默认-1 浏览器关闭cookie失效
  35.                 redisTemplate.opsForValue().set(authentication.getName(), token, 1, TimeUnit.DAYS);
  36.             }else {
  37.                 token=JWTUtils.creatToken(load,3600*24*180);
  38.                 response.addCookie(ResponseCookie.from("token", token).maxAge(Duration.ofDays(rememberMe)).path("/").build());
  39.                 redisTemplate.opsForValue().set(authentication.getName(), token, rememberMe, TimeUnit.SECONDS);//保存180天
  40.             }
  41.  
  42.             map.put("code", "000220");
  43.             map.put("message", "登录成功");
  44.             map.put("token",token);
  45.         } catch (Exception ex) {
  46.             ex.printStackTrace();
  47.               map.put("code", "000440");
  48.             map.put("message","登录失败");
  49.         }
  50.         DataBuffer bodyDataBuffer = response.bufferFactory().wrap(mapper.writeValueAsBytes(map));
  51.         return response.writeWith(Mono.just(bodyDataBuffer));
  52.     }
  53.     
  54. }
 
当用户认证成功的时候就会调用这个类,这里我将token作为cookie返回客户端,当客服端请求接口的时候将带上Cookie,然后gateway在认证之前拦截,然后将Cookie写入Http请求头中,后面的授权在请求头中获取token。(这里我使用的cookie来保存token,当然也可以保存在localStorage里,每次请求的headers里面带上token)
 
这里还实现了一个记住用户登录的功能,原本是打算读取请求头中的表单数据的Remember-me字段来判断是否记住用户登录状态,但是这里有一个问题,在获取请求的表单数据的时候一直为空,因为Webflux中请求体中的数据只能被读取一次,如果读取了就需要重新封装,前面在进行用户认证的时候已经读取过了请求体导致后面就读取不了(只是猜测,因为刚学习gateway还不是很了解,在网上查了很多资料一直没有解决这个问题),于是我用了另一个方法,需要记住用户登录状态的时候(Remember-me),我就在前端请求的时候往Http请求头加一个Remember-me字段,然后后端判断有没有这个字段,没有的话就不记住。
 
三、AuthenticationFaillHandler  ,认证失败类
 
  1. @Slf4j
  2. @Component
  3. public class AuthenticationFaillHandler  implements ServerAuthenticationFailureHandler {
  4.  
  5.     @SneakyThrows
  6.     @Override
  7.     public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException e) {
  8.         ServerHttpResponse response = webFilterExchange.getExchange().getResponse();
  9.         response.setStatusCode(HttpStatus.FORBIDDEN);
  10.         response.getHeaders().add("Content-Type", "application/json; charset=UTF-8");
  11.         HashMap<String, String> map = new HashMap<>();
  12.         map.put("code", "000400");
  13.         map.put("message", e.getMessage());
  14.         log.error("access forbidden path={}", webFilterExchange.getExchange().getRequest().getPath());
  15.         ObjectMapper objectMapper = new ObjectMapper();
  16.         DataBuffer dataBuffer = response.bufferFactory().wrap(objectMapper.writeValueAsBytes(map));
  17.         return response.writeWith(Mono.just(dataBuffer));
  18.     }
  19. }
 
四、SecurityRepository ,用户信息上下文存储类
 
  1. @Slf4j
  2. @Component
  3. public class SecurityRepository implements ServerSecurityContextRepository {
  4.     @Autowired
  5.     private RedisTemplate<String, Object> redisTemplate;
  6.  
  7.     @Override
  8.     public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
  9.         return Mono.empty();
  10.     }
  11.  
  12.     @Override
  13.     public Mono<SecurityContext> load(ServerWebExchange exchange) {
  14.         String token = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
  15.         log.info(token);
  16.         if (token != null) {
  17.             try {
  18.                 Map<String,Object> userMap= JWTUtils.getTokenInfo(token);
  19.                 String result=(String)redisTemplate.opsForValue().get(userMap.get("username"));
  20.                 if (result==null || !result.equals(token))
  21.                     return Mono.empty();
  22.                 SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
  23.                 Collection<SimpleGrantedAuthority> authorities=new ArrayList<>();
  24.                 log.info((String) userMap.get("role"));
  25.                 authorities.add(new SimpleGrantedAuthority((String) userMap.get("role")));
  26.                 Authentication authentication=new UsernamePasswordAuthenticationToken(null, null,authorities);
  27.                 emptyContext.setAuthentication(authentication);
  28.                 return Mono.just(emptyContext);
  29.             }catch (Exception e) {
  30.                 return Mono.empty();
  31.             }
  32.         }
  33.         return Mono.empty();
  34.     }
  35. }
 
当客户端访问服务接口的时候,如果是有效token,那么就根据token来判断,实现ServerSecurityContextRepository 类的主要目的是实现load方法,这个方法实际上是传递一个Authentication对象供后面ReactiveAuthorizationManager<AuthorizationContext>来判断用户权限。我这里只传递了用户的role信息,所以就没有去实现ReactiveAuthorizationManager这个接口了。
 
Security框架默认提供了两个ServerSecurityContextRepository实现类,WebSessionServerSecurityContextRepository和NoOpServerSecurityContextRepository,Security默认使用WebSessionServerSecurityContextRepository,这个是使用session来保存用户登录状态的,NoOpServerSecurityContextRepository是无状态的。
 
五、AuthenticationEntryPoint ,接口认证入口类
 
如果客户端没有认证授权就直接访问服务接口,然后就会调用这个类,返回的状态码是401
 
  1.  
  2. @Slf4j
  3. @Component
  4. public class AuthenticationEntryPoint extends HttpBasicServerAuthenticationEntryPoint {
  5.     @SneakyThrows
  6.     @Override
  7.     public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
  8.         ServerHttpResponse response = exchange.getResponse();
  9.         response.setStatusCode(HttpStatus.UNAUTHORIZED);
  10.         response.getHeaders().add("Content-Type", "application/json; charset=UTF-8");
  11.         HashMap<String, String> map = new HashMap<>();
  12.         map.put("status", "00401");
  13.         map.put("message", "未登录");
  14.         ObjectMapper objectMapper = new ObjectMapper();
  15.         DataBuffer bodyDataBuffer = response.bufferFactory().wrap(objectMapper.writeValueAsBytes(map));
  16.         return response.writeWith(Mono.just(bodyDataBuffer));
  17.     }
  18. }
  19.  
 
六、AccessDeniedHandler ,授权失败处理类
 
当访问服务接口的用户权限不够时会调用这个类,返回HTTP状态码是403
 
  1. @Slf4j
  2. @Component
  3. public class AccessDeniedHandler implements ServerAccessDeniedHandler {
  4.     @SneakyThrows
  5.     @Override
  6.     public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
  7.         ServerHttpResponse response = exchange.getResponse();
  8.         response.setStatusCode(HttpStatus.FORBIDDEN);
  9.         response.getHeaders().add("Content-Type", "application/json; charset=UTF-8");
  10.         HashMap<String, String> map = new HashMap<>();
  11.         map.put("code", "000403");
  12.         map.put("message", "未授权禁止访问");
  13.         log.error("access forbidden path={}", exchange.getRequest().getPath());
  14.         ObjectMapper objectMapper = new ObjectMapper();
  15.         DataBuffer dataBuffer = response.bufferFactory().wrap(objectMapper.writeValueAsBytes(map));
  16.         return response.writeWith(Mono.just(dataBuffer));
  17.     }
  18. }
 
七、AuthorizationManager ,鉴权管理类
 
  1. @Slf4j
  2. @Component
  3. public class AuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
  4.     @Override
  5.     public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext authorizationContext) {
  6.         return authentication.map(auth -> {
  7.             //SecurityUserDetails userSecurity = (SecurityUserDetails) auth.getPrincipal();
  8.             String path=authorizationContext.getExchange().getRequest().getURI().getPath();
  9.             for (GrantedAuthority authority : auth.getAuthorities()){
  10.                 if (authority.getAuthority().equals("ROLE_USER")&&path.contains("/user/normal"))
  11.                     return new AuthorizationDecision(true);
  12.                 else if (authority.getAuthority().equals("ROLE_ADMIN")&&path.contains("/user/admin"))
  13.                     return new AuthorizationDecision(true);
  14. //对客户端访问路径与用户角色进行匹配
  15.             }
  16.             return new AuthorizationDecision(false);
  17.         }).defaultIfEmpty(new AuthorizationDecision(false));
  18.     }
  19. }
 
返回new AuthorizationDecision(true)代表授予权限访问服务,为false则是拒绝。
 
八、LogoutHandler,LogoutSuccessHandler 登出处理类
 
  1. @Component
  2. @Slf4j
  3. public class LogoutHandler implements ServerLogoutHandler {
  4.     @Autowired
  5.     private RedisTemplate<String,Object> redisTemplate;
  6.     @Override
  7.     public Mono<Void> logout(WebFilterExchange webFilterExchange, Authentication authentication) {
  8.         HttpCookie cookie=webFilterExchange.getExchange().getRequest().getCookies().getFirst("token");
  9.         try {
  10.             if (cookie != null) {
  11.                 Map<String,Object> userMap= JWTUtils.getTokenInfo(cookie.getValue());
  12.                 redisTemplate.delete((String) userMap.get("username"));
  13.             }
  14.         }catch (JWTDecodeException e) {
  15.            return Mono.error(e);
  16.         }
  17.  
  18.         return Mono.empty();
  19.     }
  20. }
 
  1. @Component
  2. public class LogoutSuccessHandler implements ServerLogoutSuccessHandler {
  3.     @SneakyThrows
  4.     @Override
  5.     public Mono<Void> onLogoutSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
  6.         ServerHttpResponse response = webFilterExchange.getExchange().getResponse();
  7.         //设置headers
  8.         HttpHeaders httpHeaders = response.getHeaders();
  9.         httpHeaders.add("Content-Type", "application/json; charset=UTF-8");
  10.         httpHeaders.add("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
  11.         //设置body
  12.         HashMap<String, String> map = new HashMap<>();
  13.         //删除token
  14.         response.addCookie(ResponseCookie.from("token", "logout").maxAge(0).path("/").build());
  15.         map.put("code", "000220");
  16.         map.put("message", "退出登录成功");
  17.         ObjectMapper mapper = new ObjectMapper();
  18.         DataBuffer bodyDataBuffer = response.bufferFactory().wrap(mapper.writeValueAsBytes(map));
  19.         return response.writeWith(Mono.just(bodyDataBuffer));
  20.     }
  21. }
 
九、CookieToHeadersFilter ,将Cookie写入Http请求头中
 
  1. @Slf4j
  2. @Component
  3. public class CookieToHeadersFilter implements WebFilter{
  4.     @Override
  5.     public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
  6.         try {
  7.  
  8.             HttpCookie cookie=exchange.getRequest().getCookies().getFirst("token");
  9.             if (cookie != null) {
  10.                 String token = cookie.getValue();
  11.                 ServerHttpRequest request=exchange.getRequest().mutate().header(HttpHeaders.AUTHORIZATION,token).build();
  12.                 return chain.filter(exchange.mutate().request(request).build());
  13.             }
  14.         }catch (NoFoundToken e) {
  15.             log.error(e.getMsg());
  16.         }
  17.  
  18.         return chain.filter(exchange);
  19.  
  20.     }
  21.  
  22. }
 
这里需要注意的是,如果要想在认证前后过滤Http请求,用全局过滤器或者局部过滤器是不起作用的,因为它们总是在鉴权通过后执行,也就是它们的执行顺序始终再Security过滤器之后,无论order值多大多小。这时候必须实现的接口是WebFilter而不是GlobalFilter或者GatewayFilter,然后将接口实现类添加到WebSecurityConfig配置中心去。
 
十、WebSecurityConfig,配置类
 
  1. @EnableWebFluxSecurity
  2. @Configuration
  3. @Slf4j
  4. public class WebSecurityConfig {
  5.     @Autowired
  6.     SecurityUserDetailsService securityUserDetailsService;
  7.     @Autowired
  8.     AuthorizationManager authorizationManager;
  9.     @Autowired
  10.     AccessDeniedHandler accessDeniedHandler;
  11.     @Autowired
  12.     AuthenticationSuccessHandler authenticationSuccessHandler;
  13.     @Autowired
  14.     AuthenticationFaillHandler authenticationFaillHandler;
  15.     @Autowired
  16.     SecurityRepository securityRepository;
  17.     @Autowired
  18.     CookieToHeadersFilter cookieToHeadersFilter;
  19.     @Autowired
  20.     LogoutSuccessHandler logoutSuccessHandler;
  21.     @Autowired
  22.     LogoutHandler logoutHandler;
  23.  
  24.     @Autowired
  25.     com.example.gateway.security.AuthenticationEntryPoint authenticationEntryPoint;
  26.     private final String[] path={
  27.             "/favicon.ico",
  28.             "/book/**",
  29.             "/user/login.html",
  30.             "/user/__MACOSX/**",
  31.             "/user/css/**",
  32.             "/user/fonts/**",
  33.             "/user/images/**"};
  34.     @Bean
  35.     public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
  36.         http.addFilterBefore(cookieToHeadersFilter, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
  37.         //SecurityWebFiltersOrder枚举类定义了执行次序
  38.         http.authorizeExchange(exchange -> exchange // 请求拦截处理
  39.                                 .pathMatchers(path).permitAll()
  40.                                 .pathMatchers(HttpMethod.OPTIONS).permitAll()
  41.                                 .anyExchange().access(authorizationManager)//权限
  42.                         //.and().authorizeExchange().pathMatchers("/user/normal/**").hasRole("ROLE_USER")
  43.                         //.and().authorizeExchange().pathMatchers("/user/admin/**").hasRole("ROLE_ADMIN")
  44.                         //也可以这样写 将匹配路径和角色权限写在一起
  45.                 )
  46.                 .httpBasic()
  47.                 .and()
  48.                 .formLogin().loginPage("/user/login")//登录接口
  49.                 .authenticationSuccessHandler(authenticationSuccessHandler) //认证成功
  50.                 .authenticationFailureHandler(authenticationFaillHandler) //登陆验证失败
  51.                 .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
  52.                 .accessDeniedHandler(accessDeniedHandler)//基于http的接口请求鉴权失败
  53.                 .and().csrf().disable()//必须支持跨域
  54.                 .logout().logoutUrl("/user/logout")
  55.                 .logoutHandler(logoutHandler)
  56.                 .logoutSuccessHandler(logoutSuccessHandler);
  57.         http.securityContextRepository(securityRepository);
  58.         //http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());//无状态 默认情况下使用的WebSession
  59.         return http.build();
  60.     }
  61.  
  62.     @Bean
  63.     public ReactiveAuthenticationManager reactiveAuthenticationManager() {
  64.         LinkedList<ReactiveAuthenticationManager> managers = new LinkedList<>();
  65.         managers.add(authentication -> {
  66.             // 其他登陆方式
  67.             return Mono.empty();
  68.         });
  69.         managers.add(new UserDetailsRepositoryReactiveAuthenticationManager(securityUserDetailsService));
  70.         return new DelegatingReactiveAuthenticationManager(managers);
  71.     }
  72.  
  73. }
  74.  
  75.  
  76.  
  77.  
 
十一、测试
 
首先没有登录访问服务
 
 
然后登录 
 
 
访问服务
 
 
访问另一个接口
 
 
 
                
        
            
 





        

                网站建设定制开发
                软件系统开发定制
                定制软件开发
                软件开发定制
                定制app开发
                app开发定制
                app开发定制公司
                电商商城定制开发
                定制小程序开发
                定制开发小程序
                客户管理系统开发定制
                定制网站
                定制开发
                crm开发定制
                开发公司
                小程序开发定制
                定制软件
                收款定制开发
                企业网站定制开发
                定制化开发
                android系统定制开发
                定制小程序开发费用
                定制设计
                专注app软件定制开发
                软件开发定制定制
                知名网站建设定制
                软件定制开发供应商
                应用系统定制开发
                软件系统定制开发
                企业管理系统定制开发
                系统定制开发