开… 文章目录 开头简介环境搭建入门使用1、认证1、实体类2、Controller层3、Service层3.1、接口3.2、实现类3.3、实现类UserDetailsServiceImpl 4、Mapper层3、自定义token认证filter 注意事项小结 开头
Spring Security 官方网址Spring Security官网
开头贴官网有事找官方 简介
介绍的话不多说，就一句：Spring Security 是一个安全管理框架。一般用于中大型项目；小项目多使用 Shiro，Shiro 上手简单。不过这只是一般情况，小项目练手用 Spring Security 也是相当可以的。
好吧这是三句话没跑。
环境搭建
基于SpringBoot3搭建的项目妥妥好用。
| 组件 | SpringBoot2.X | SpringBoot3.X |
| --- | --- | --- |
| JDK | JDK 8、9 | JDK 17 |
| JPA | JPA2.0 | JPA3.0 |
| Servlet | Servlet 3.1 | Servlet 5.0 |
| Spring | Spring Framework 5 | Spring Framework 6 |
| Gradle | Gradle 4.x | Gradle7.3 |
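<!-- [page heading] 1、依赖导入 (dependency import) -->
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.3.4</version>
</parent>

<!-- spring web -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

<!-- spring Security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<!-- mybatis-plus -->
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-spring-boot3-starter</artifactId>
    <version>3.5.7</version>
</dependency>

<!-- mysql driver -->
<dependency>
    <groupId>com.mysql</groupId>
    <artifactId>mysql-connector-j</artifactId>
</dependency>
<!-- [page heading] 2、配置文件 (configuration file) -->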
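spring:
  datasource:
    # Sample connection values only. Supply real credentials from the environment or a
    # secrets store instead of committing them, and prefer a least-privilege database
    # account over root.
    url: jdbc:mysql://localhost:3306/dataBase?characterEncoding=utf-8&serverTimezone=Asia/Shanghai
    username: root
    password: password
    driver-class-name: com.mysql.cj.jdbc.Driver
# mybatisPlus configuration
mybatis-plus:
  configuration:
    map-underscore-to-camel-case: true
    # Logging. StdOutImpl writes executed SQL to standard output.
    # NOTE(review): keep this to local development.
    log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
  global-config:
    db-config:
      # Logical delete.
      # NOTE(review): SysUser on this page declares isDelete, not delFag; confirm the field name.
      logic-delete-field: delFag
      logic-delete-value: 1
      logic-not-delete-value: 0
      # Auto-increment primary key
      id-type: auto
# [page heading] 入门使用 (getting started)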
1、认证
废话不多说贴个认证流程图 1、SpringSecurity Config类 //整点实在的一整套流程绝对全面。
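/**
 * Spring Security configuration for this walkthrough: the password encoder, the
 * AuthenticationManager bean and the HTTP filter chain.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private AuthenticationTokenFilter tokenFilter;

    // NOTE(review): injected but never registered on HttpSecurity in this listing. If it
    // implements AuthenticationEntryPoint, wire it in with
    // http.exceptionHandling(e -> e.authenticationEntryPoint(authenticationEntryPoint));
    // otherwise unauthenticated requests receive the framework's default response.
    @Autowired
    private AuthenticationEntryPointImpl authenticationEntryPoint;

    /*
     * PasswordEncoder hashes a password for storage and checks a submitted password against
     * the stored hash. BCrypt is a one-way, deliberately slow hash (not reversible encryption),
     * so that cost is paid at login only; later requests are authenticated with a session,
     * OAuth or a token rather than by re-checking the password.
     */
    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /*
     * Exposes the AuthenticationManager that provides authentication for the application.
     */
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    /*
     * Security filters are registered with the SecurityFilterChain through FilterChainProxy,
     * not DelegatingFilterProxy. Filter-chain configuration.
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CSRF protection is switched off. That is only appropriate while every request is
        // authenticated by the custom "token" header and never by a session cookie.
        http.csrf(csrf -> csrf.disable());
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/user/login") // request path matcher
                .permitAll()                     // let through without authentication
                .anyRequest()                    // every other request
                .authenticated());               // must be authenticated
        // Custom token authentication for the requests that follow login; the decision is
        // made from the Spring Security context that the filter populates.
        http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}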
1、实体类
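// Only username and password matter for this walkthrough.
/**
 * User entity mapped by MyBatis-Plus. On this page it is also bound from the login request
 * body and returned in the login response.
 */
@Data
public class SysUser implements Serializable {

    private static final long serialVersionUID = 662137028719131857L;

    private Long id;

    /** User name. */
    private String username;

    /** Nickname. */
    private String nickname;

    /**
     * Password. NOTE(review): when loaded from the database this presumably holds the stored
     * BCrypt hash; because this entity is also used as a response body, the value is
     * serialized unless it is cleared or excluded from JSON output.
     */
    private String password;

    /** User type: 0 = normal, 1 = administrator. */
    private String type;

    /** Account status: 0 = active, 1 = disabled. */
    private String status;

    /** E-mail address. */
    private String email;

    /** Phone number. */
    private String phoneNumber;

    /** Gender: 0 = male, 1 = female, 2 = undisclosed. */
    private String sex;

    /** Avatar. */
    private String avatar;

    private Integer isDelete;
}
// [page heading] 2、Controller层 (Controller layer)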
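/**
 * REST endpoints under /user. Only /user/login is shown; the security configuration on this
 * page permits it without authentication.
 */
@RestController
@RequestMapping("/user")
public class UserController {

    @Autowired
    private SysUserService userService;

    /**
     * Authenticates the submitted credentials.
     *
     * @param user request body; the service on this page reads only username and password.
     *             NOTE(review): binding the full entity lets a client send every other
     *             SysUser field too, so a dedicated login DTO is the tighter contract.
     * @return the result wrapper produced by the service
     */
    @PostMapping("/login")
    public R login(@RequestBody SysUser user) {
        return userService.login(user);
    }
}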
3、Service层
3.1、接口
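/** User service contract on top of the MyBatis-Plus IService for SysUser. */
public interface SysUserService extends IService<SysUser> {

    /**
     * Logs a user in.
     *
     * @param user carries the submitted username and password
     * @return the result wrapper for the login attempt
     */
    R login(SysUser user);
}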
3.2、实现类
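/** Login implementation that delegates credential checking to the AuthenticationManager. */
@Service
public class SysUserServiceImpl extends ServiceImpl<UserMapper, SysUser> implements SysUserService {

    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * Authenticates the submitted username and password and returns the user's profile.
     *
     * @param user carries the submitted username and password
     * @return a success result holding the authenticated user without the password field
     * @throws AppException with LOGIN_ERROR when no Authentication is returned
     */
    @Override
    public R login(SysUser user) {
        // The lookup is handled by the overridden UserDetailsService.
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());
        Authentication authenticate = authenticationManager.authenticate(authenticationToken);
        if (Objects.isNull(authenticate)) {
            throw new AppException(AppExceptionMsgEnum.LOGIN_ERROR);
        }
        // JWT token info
        // ……
        LoginUser loginuser = (LoginUser) authenticate.getPrincipal();
        // Custom response. The entity was loaded from the database, so its password field
        // holds the stored hash; clear it so the hash is never sent to the client.
        SysUser profile = loginuser.getUser();
        profile.setPassword(null);
        return R.success(profile);
    }
}
// [page heading] 3.3、实现类UserDetailsServiceImpl (implementation class UserDetailsServiceImpl)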
用于用户信息认证处理
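/** Loads the user record that Spring Security checks the submitted password against. */
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserMapper userMapper;

    /**
     * Looks a user up by user name.
     *
     * @param username the submitted user name
     * @return the user wrapped as LoginUser
     * @throws UsernameNotFoundException when no row matches the user name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        LambdaQueryWrapper<SysUser> queryWrapper = new LambdaQueryWrapper<>();
        queryWrapper.eq(SysUser::getUsername, username);
        SysUser userResult = userMapper.selectOne(queryWrapper);
        if (Objects.isNull(userResult)) {
            // Throw the exception type the framework expects. With the default
            // DaoAuthenticationProvider (assumed here, no custom provider is shown) it is
            // turned into BadCredentialsException, so an unknown user name and a wrong
            // password produce the same LOGIN_ERROR response. Any other runtime exception
            // would surface as a different error and reveal which user names exist.
            throw new UsernameNotFoundException("user not found");
        }
        return new LoginUser(userResult);
    }
}
// [page heading] 4、Mapper层 (Mapper layer)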
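/** MyBatis-Plus mapper for SysUser; it declares no methods of its own and inherits them from BaseMapper. */
public interface UserMapper extends BaseMapper<SysUser> {
}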
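// [page heading] 3、自定义token认证filter (custom token authentication filter)
/**
 * Per-request filter that fills the SecurityContext from the "token" request header.
 *
 * <p>Placeholder only: the header value is used as the user name without any verification,
 * and the three-argument UsernamePasswordAuthenticationToken constructor produces a token
 * that is already marked authenticated. Any request carrying the header is therefore
 * treated as logged in. Before this leaves a demo, verify a signed, expiring token (or look
 * up a server-side session) and load the user and authorities from the user store.
 */
@Component
public class AuthenticationTokenFilter extends OncePerRequestFilter {

    // NOTE(review): injected but not used by this placeholder.
    @Autowired
    private UserMapper userMapper;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // Read the token.
        String token = request.getHeader("token");
        String uri = request.getRequestURI();
        if ("/gate/logout".equals(uri)) {
            filterChain.doFilter(request, response);
            return;
        }
        // Requests without a token (absent or blank) pass through unauthenticated and are
        // rejected later by the authorization rules.
        if (token == null || token.isBlank()) {
            filterChain.doFilter(request, response);
            return;
        }
        // Build the user. JWT is not used here, so this only imitates it: the token value
        // is taken as the user name.
        SysUser user = new SysUser();
        user.setUsername(token);
        LoginUser loginUser = new LoginUser();
        loginUser.setUser(user);
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(loginUser, null, null);
        // Store it in the SecurityContextHolder.
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        // Continue the chain.
        filterChain.doFilter(request, response);
    }
}
// [page heading] 注意事项 (notes)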
认证失败后会抛出异常，可配合全局异常处理器和自定义异常统一处理。
自定义返回类
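/**
 * Uniform response wrapper: status code, message, optional payload and creation time.
 *
 * @param <T> payload type
 */
@Data
@JsonInclude(JsonInclude.Include.NON_NULL) // null properties are not serialized
public class R<T> {

    private int status;
    private String message;
    private T data;
    @JSONField(format = "yyyy-MM-dd HH:mm:ss")
    private DateTime time;

    /**
     * Success result with the default message.
     *
     * @param data payload
     * @param <T>  payload type
     * @return result with status 200
     */
    public static <T> R<T> success(T data) {
        R<T> r = new R<>();
        r.status = 200;
        r.data = data;
        r.message = "successful";
        r.time = DateTime.now();
        return r;
    }

    /**
     * Success result with a custom message.
     *
     * @param msg  message
     * @param data payload
     * @param <T>  payload type
     * @return result with status 200
     */
    public static <T> R<T> success(String msg, T data) {
        R<T> r = new R<>();
        r.status = 200;
        r.data = data;
        r.message = msg;
        r.time = DateTime.now();
        return r;
    }

    /**
     * Error result.
     *
     * @param msg    message
     * @param status status code
     * @param <T>    payload type
     * @return result without payload
     */
    public static <T> R<T> error(String msg, int status) {
        R<T> r = new R<>();
        r.status = status;
        r.message = msg;
        r.time = DateTime.now();
        return r;
    }

    /**
     * Error result without an explicit status; the status field keeps its default of 0.
     *
     * @param msg message
     * @param <T> payload type
     * @return result without payload
     */
    public static <T> R<T> error(String msg) {
        R<T> r = new R<>();
        r.message = msg;
        r.time = DateTime.now();
        return r;
    }

    /**
     * Error result built from an enum entry's status and message.
     *
     * @param appExceptionMsg source of status and message
     * @param <T>             payload type
     * @return result without payload
     */
    public static <T> R<T> error(AppExceptionMsgEnum appExceptionMsg) {
        R<T> r = new R<>();
        r.status = appExceptionMsg.getStatus();
        r.message = appExceptionMsg.getMsg();
        r.time = DateTime.now();
        return r;
    }
}
// [page heading] 全局异常处理器 (global exception handler)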
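/**
 * Converts exceptions raised while handling a controller request into R responses.
 * Exceptions thrown inside the security filter chain, before a controller is reached, are
 * not routed through a controller advice.
 */
@RestControllerAdvice
@Slf4j
public class GlobalExceptionHandler {

    /** Wrong credentials: answer with the generic LOGIN_ERROR entry. */
    @ExceptionHandler(value = BadCredentialsException.class)
    public static <T> R<T> badCredentialsException(BadCredentialsException e) throws InterruptedException {
        return R.error(AppExceptionMsgEnum.LOGIN_ERROR);
    }

    /**
     * Fallback handler. AppException carries a message meant for the client; anything else
     * is logged server-side and answered with the generic SERVER_ERROR entry, so exception
     * class names and internal messages are not exposed in the response body.
     */
    @ExceptionHandler(value = Exception.class)
    public static <T> R<T> exceptionHandle(Exception e) throws InterruptedException {
        if (e instanceof AppException app) {
            return R.error(app.getMsg(), app.getStatus());
        }
        log.error("Unhandled exception", e);
        return R.error(AppExceptionMsgEnum.SERVER_ERROR);
    }
}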
自定义异常
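/** Application exception carrying the status code and client-facing message of an enum entry. */
@EqualsAndHashCode(callSuper = true)
@Data
public class AppException extends RuntimeException {

    private int status;
    private String msg;

    /**
     * @param appExceptionMsgEnum entry supplying status and message
     */
    public AppException(AppExceptionMsgEnum appExceptionMsgEnum) {
        // Pass the message up so getMessage(), logs and stack traces are not null.
        super(appExceptionMsgEnum.getMsg());
        this.status = appExceptionMsgEnum.getStatus();
        this.msg = appExceptionMsgEnum.getMsg();
    }
}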
异常枚举类
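/** Status code and client-facing message for each result the API reports. */
public enum AppExceptionMsgEnum {
    // success
    SUCCESS(200, "操作成功"),
    // failures
    NEED_LOGIN(401, "需要登录后操作"),
    NO_OPERATION_AUTH(403, "无权限操作"),
    USERNAME_EXIST(501, "用户名已存在"),
    PHONE_NUMBER_EXITS(502, "手机号已存在"),
    EMAIL_EXIST(503, "邮箱已存在"),
    REQUIRED_USERNAME(504, "必须填写用户名"),
    // One message for both an unknown user and a wrong password.
    LOGIN_ERROR(505, "用户名或密码错误"),
    WRONG_PAGE_PARAM(506, "wrong page param"),
    CONTENT_NOT_NULL(507, "评论内容不能为空"),
    FILENAME_ERROR(508, "上传文件错误"),
    ONLY_UPDATE_SELF(509, "只能修改自己的信息"),
    SERVER_ERROR(500, "SERVER ERROR");

    private final int status;
    private final String msg;

    AppExceptionMsgEnum(int status, String msg) {
        this.status = status;
        this.msg = msg;
    }

    /** @return the numeric status code */
    public int getStatus() {
        return status;
    }

    /** @return the message sent to the client */
    public String getMsg() {
        return msg;
    }
}
// [page text] 例如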
API支持模型类型
小结：Spring Security 5.7.0 之前，常见的 Spring HTTP Security 配置类都会继承 WebSecurityConfigurerAdapter 类。从 5.7.0-M2 起，WebSecurityConfigurerAdapter 被废弃，不再推荐使用，配置方式转向组件化，更加灵活。基础认证功能完成。完结撒花