SpringBoot+SpringSecurity+JWT整合实现单点登录SSO史上最全详解

作者：波波烤鸭

/qq_38526573/article/details/103409430

一、什么是单点登陆

单点登录（Single Sign On），简称为SSO，是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中，用户只需要登录一次就可以访问所有相互信任的应用系统

二、简单的运行机制

单点登录的机制其实是比较简单的，用一个现实中的例子做比较。某公园内部有许多独立的景点，游客可以在各个景点门口单独买票。对于需要游玩所有的景点的游客，这种买票方式很不方便，需要在每个景点门口排队买票，钱包拿 进拿出的，容易丢失，很不安全。于是绝大多数游客选择在大门口买一张通票（也叫套票），就可以玩遍所有的景点而不需要重新再买票。他们只需要在每个景点门 口出示一下刚才买的套票就能够被允许进入每个独立的景点。单点登录的机制也一样，如下图所示，

用户认证：这一环节主要是用户向认证服务器发起认证请求，认证服务器给用户返回一个成功的令牌token，主要在认证服务器中完成，即图中的认证系统，注意认证系统只能有一个。身份校验：这一环节是用户携带token去访问其他服务器时，在其他服务器中要对token的真伪进行检验，主要在资源服务器中完成，即图中的应用系统2 3

三、JWT介绍

概念说明

从分布式认证流程中，我们不难发现，这中间起最关键作用的就是token，token的安全与否，直接关系到系统的健壮性，这里我们选择使用JWT来实现token的生成和校验。JWT，全称JSON Web Token，官网地址https://jwt.io，是一款出色的分布式身份校验方案。可以生成token，也可以解析检验token。

JWT生成的token由三部分组成：

头部：主要设置一些规范信息，签名部分的编码格式就在头部中声明。载荷：token中存放有效信息的部分，比如用户名，用户角色，过期时间等，但是不要放密码，会泄露！签名：将头部与载荷分别采用base64编码后，用“.”相连，再加入盐，最后使用头部声明的编码类型进行编码，就得到了签名。

JWT生成token的安全性分析

从JWT生成的token组成上来看，要想避免token被伪造，主要就得看签名部分了，而签名部分又有三部分组成，其中头部和载荷的base64编码，几乎是透明的，毫无安全性可言，那么最终守护token安全的重担就落在了加入的盐上面了！试想：如果生成token所用的盐与解析token时加入的盐是一样的。岂不是类似于中国人民银行把人民币防伪技术公开了？大家可以用这个盐来解析token，就能用来伪造token。这时，我们就需要对盐采用非对称加密的方式进行加密，以达到生成token与校验token方所用的盐不一致的安全效果！

非对称加密RSA介绍

基本原理：同时生成两把密钥：私钥和公钥，私钥隐秘保存，公钥可以下发给信任客户端私钥加密，持有私钥或公钥才可以解密公钥加密，持有私钥才可解密 优点：安全，难以破解 缺点：算法比较耗时，为了安全，可以接受 历史：三位数学家Rivest、Shamir 和 Adleman 设计了一种算法，可以实现非对称加密。这种算法用他们三个人的名字缩写：RSA。

四、SpringSecurity整合JWT

1.认证思路分析

SpringSecurity主要是通过过滤器来实现功能的！我们要找到SpringSecurity实现认证和校验身份的过滤器！

回顾集中式认证流程

用户认证：使用UsernamePasswordAuthenticationFilter过滤器中attemptAuthentication方法实现认证功能，该过滤器父类中successfulAuthentication方法实现认证成功后的操作。身份校验：使用BasicAuthenticationFilter过滤器中doFilterInternal方法验证是否登录，以决定能否进入后续过滤器。

分析分布式认证流程

用户认证：由于分布式项目，多数是前后端分离的架构设计，我们要满足可以接受异步post的认证请求参数，需要修改UsernamePasswordAuthenticationFilter过滤器中attemptAuthentication方法，让其能够接收请求体。另外，默认successfulAuthentication方法在认证通过后，是把用户信息直接放入session就完事了，现在我们需要修改这个方法，在认证通过后生成token并返回给用户。身份校验：原来BasicAuthenticationFilter过滤器中doFilterInternal方法校验用户是否登录，就是看session中是否有用户信息，我们要修改为，验证用户携带的token是否合法，并解析出用户信息，交给SpringSecurity，以便于后续的授权功能可以正常使用。

2.具体实现

为了演示单点登录的效果，我们设计如下项目结构

2.1父工程创建

因为本案例需要创建多个系统，所以我们使用maven聚合工程来实现，首先创建一个父工程，导入springboot的父依赖即可

<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.1.3.RELEASE</version><relativePath/></parent>123456

2.2公共工程创建

然后创建一个common工程，其他工程依赖此系统导入JWT相关的依赖

<dependencies><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>0.10.7</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>0.10.7</version><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>0.10.7</version><scope>runtime</scope></dependency><!--jackson包--><dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.9</version></dependency><!--日志包--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-logging</artifactId></dependency><dependency><groupId>joda-time</groupId><artifactId>joda-time</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId></dependency></dependencies>12345678910111213141516171819222324252627282930313233343536373839404142

创建相关的工具类

Payload

/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0310:28*/@DatapublicclassPayload<T>{privateStringid;privateTuserInfo;privateDateexpiration;}123456789101112

JsonUtils

packagecom.dpb.utils;importcom.fasterxml.jackson.core.JsonProcessingException;importcom.fasterxml.jackson.core.type.TypeReference;importcom.fasterxml.jackson.databind.ObjectMapper;importorg.slf4j.Logger;importorg.slf4j.LoggerFactory;importjava.io.IOException;importjava.util.List;importjava.util.Map;/***@author:波波烤鸭**/publicclassJsonUtils{publicstaticfinalObjectMappermapper=newObjectMapper();privatestaticfinalLoggerlogger=LoggerFactory.getLogger(JsonUtils.class);publicstaticStringtoString(Objectobj){if(obj==null){returnnull;}if(obj.getClass()==String.class){return(String)obj;}try{returnmapper.writeValueAsString(obj);}catch(JsonProcessingExceptione){logger.error("json序列化出错："+obj,e);returnnull;}}publicstatic<T>TtoBean(Stringjson,Class<T>tClass){try{returnmapper.readValue(json,tClass);}catch(IOExceptione){logger.error("json解析出错："+json,e);returnnull;}}publicstatic<E>List<E>toList(Stringjson,Class<E>eClass){try{returnmapper.readValue(json,mapper.getTypeFactory().constructCollectionType(List.class,eClass));}catch(IOExceptione){logger.error("json解析出错："+json,e);returnnull;}}publicstatic<K,V>Map<K,V>toMap(Stringjson,Class<K>kClass,Class<V>vClass){try{returnmapper.readValue(json,mapper.getTypeFactory().constructMapType(Map.class,kClass,vClass));}catch(IOExceptione){logger.error("json解析出错："+json,e);returnnull;}}publicstatic<T>TnativeRead(Stringjson,TypeReference<T>type){try{returnmapper.readValue(json,type);}catch(IOExceptione){logger.error("json解析出错："+json,e);returnnull;}}}12345678910111213141516171819222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172

JwtUtils

packagecom.dpb.utils;importcom.dpb.domain.Payload;importio.jsonwebtoken.Claims;importio.jsonwebtoken.Jws;importio.jsonwebtoken.Jwts;importio.jsonwebtoken.SignatureAlgorithm;importorg.joda.time.DateTime;importjava.security.PrivateKey;importjava.security.PublicKey;importjava.util.Base64;importjava.util.UUID;/***@author:波波烤鸭*生成token以及校验token相关方法*/publicclassJwtUtils{privatestaticfinalStringJWT_PAYLOAD_USER_KEY="user";/***私钥加密token**@paramuserInfo载荷中的数据*@paramprivateKey私钥*@paramexpire过期时间，单位分钟*@returnJWT*/publicstaticStringgenerateTokenExpireInMinutes(ObjectuserInfo,PrivateKeyprivateKey,intexpire){returnJwts.builder().claim(JWT_PAYLOAD_USER_KEY,JsonUtils.toString(userInfo)).setId(createJTI()).setExpiration(DateTime.now().plusMinutes(expire).toDate()).signWith(privateKey,SignatureAlgorithm.RS256).compact();}/***私钥加密token**@paramuserInfo载荷中的数据*@paramprivateKey私钥*@paramexpire过期时间，单位秒*@returnJWT*/publicstaticStringgenerateTokenExpireInSeconds(ObjectuserInfo,PrivateKeyprivateKey,intexpire){returnJwts.builder().claim(JWT_PAYLOAD_USER_KEY,JsonUtils.toString(userInfo)).setId(createJTI()).setExpiration(DateTime.now().plusSeconds(expire).toDate()).signWith(privateKey,SignatureAlgorithm.RS256).compact();}/***公钥解析token**@paramtoken用户请求中的token*@parampublicKey公钥*@returnJws<Claims>*/privatestaticJws<Claims>parserToken(Stringtoken,PublicKeypublicKey){returnJwts.parser().setSigningKey(publicKey).parseClaimsJws(token);}privatestaticStringcreateJTI(){returnnewString(Base64.getEncoder().encode(UUID.randomUUID().toString().getBytes()));}/***获取token中的用户信息**@paramtoken用户请求中的令牌*@parampublicKey公钥*@return用户信息*/publicstatic<T>Payload<T>getInfoFromToken(Stringtoken,PublicKeypublicKey,Class<T>userType){Jws<Claims>claimsJws=parserToken(token,publicKey);Claimsbody=claimsJws.getBody();Payload<T>claims=newPayload<>();claims.setId(body.getId());claims.setUserInfo(JsonUtils.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString(),userType));claims.setExpiration(body.getExpiration());returnclaims;}/***获取token中的载荷信息**@paramtoken用户请求中的令牌*@parampublicKey公钥*@return用户信息*/publicstatic<T>Payload<T>getInfoFromToken(Stringtoken,PublicKeypublicKey){Jws<Claims>claimsJws=parserToken(token,publicKey);Claimsbody=claimsJws.getBody();Payload<T>claims=newPayload<>();claims.setId(body.getId());claims.setExpiration(body.getExpiration());returnclaims;}}12345678910111213141516171819222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104

RsaUtils

packagecom.dpb.utils;importjava.io.File;importjava.io.IOException;importjava.nio.file.Files;importjava.security.*;importjava.security.spec.InvalidKeySpecException;importjava.security.spec.PKCS8EncodedKeySpec;importjava.security.spec.X509EncodedKeySpec;importjava.util.Base64;/***@author波波烤鸭*/publicclassRsaUtils{privatestaticfinalintDEFAULT_KEY_SIZE=2048;/***从文件中读取公钥**@paramfilename公钥保存路径，相对于classpath*@return公钥对象*@throwsException*/publicstaticPublicKeygetPublicKey(Stringfilename)throwsException{byte[]bytes=readFile(filename);returngetPublicKey(bytes);}/***从文件中读取密钥**@paramfilename私钥保存路径，相对于classpath*@return私钥对象*@throwsException*/publicstaticPrivateKeygetPrivateKey(Stringfilename)throwsException{byte[]bytes=readFile(filename);returngetPrivateKey(bytes);}/***获取公钥**@parambytes公钥的字节形式*@return*@throwsException*/privatestaticPublicKeygetPublicKey(byte[]bytes)throwsException{bytes=Base64.getDecoder().decode(bytes);X509EncodedKeySpecspec=newX509EncodedKeySpec(bytes);KeyFactoryfactory=KeyFactory.getInstance("RSA");returnfactory.generatePublic(spec);}/***获取密钥**@parambytes私钥的字节形式*@return*@throwsException*/privatestaticPrivateKeygetPrivateKey(byte[]bytes)throwsNoSuchAlgorithmException,InvalidKeySpecException{bytes=Base64.getDecoder().decode(bytes);PKCS8EncodedKeySpecspec=newPKCS8EncodedKeySpec(bytes);KeyFactoryfactory=KeyFactory.getInstance("RSA");returnfactory.generatePrivate(spec);}/***根据密文，生存rsa公钥和私钥,并写入指定文件**@parampublicKeyFilename公钥文件路径*@paramprivateKeyFilename私钥文件路径*@paramsecret生成密钥的密文*/publicstaticvoidgenerateKey(StringpublicKeyFilename,StringprivateKeyFilename,Stringsecret,intkeySize)throwsException{KeyPairGeneratorkeyPairGenerator=KeyPairGenerator.getInstance("RSA");SecureRandomsecureRandom=newSecureRandom(secret.getBytes());keyPairGenerator.initialize(Math.max(keySize,DEFAULT_KEY_SIZE),secureRandom);KeyPairkeyPair=keyPairGenerator.genKeyPair();//获取公钥并写出byte[]publicKeyBytes=keyPair.getPublic().getEncoded();publicKeyBytes=Base64.getEncoder().encode(publicKeyBytes);writeFile(publicKeyFilename,publicKeyBytes);//获取私钥并写出byte[]privateKeyBytes=keyPair.getPrivate().getEncoded();privateKeyBytes=Base64.getEncoder().encode(privateKeyBytes);writeFile(privateKeyFilename,privateKeyBytes);}privatestaticbyte[]readFile(StringfileName)throwsException{returnFiles.readAllBytes(newFile(fileName).toPath());}privatestaticvoidwriteFile(StringdestPath,byte[]bytes)throwsIOException{Filedest=newFile(destPath);if(!dest.exists()){dest.createNewFile();}Files.write(dest.toPath(),bytes);}}12345678910111213141516171819222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103

在通用子模块中编写测试类生成rsa公钥和私钥

/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:08*/publicclassJwtTest{privateStringprivateKey="c:/tools/auth_key/id_key_rsa";privateStringpublicKey="c:/tools/auth_key/id_key_rsa.pub";@Testpublicvoidtest1()throwsException{RsaUtils.generateKey(publicKey,privateKey,"dpb",1024);}}1234567891011121314151617

2.3认证系统创建

接下来我们创建我们的认证服务。

导入相关的依赖

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><artifactId>security-jwt-common</artifactId><groupId>com.dpb</groupId><version>1.0-SNAPSHOT</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.1.0</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.10</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-configuration-processor</artifactId><optional>true</optional></dependency></dependencies>123456789101112131415161718192223242526272829303132333435

创建配置文件

spring:datasource:driver-class-name:com.mysql.jdbc.Driverurl:jdbc:mysql://localhost:3306/srmusername:rootpassword:123456type:com.alibaba.druid.pool.DruidDataSourcemybatis:type-aliases-package:com.dpb.domainmapper-locations:classpath:mapper/*.xmllogging:level:com.dpb:debugrsa:key:pubKeyFile:c:\tools\auth_key\id_key_rsa.pubpriKeyFile:c:\tools\auth_key\id_key_rsa1234567891011121314151617

提供公钥私钥的配置类

packagecom.dpb.config;importcom.dpb.utils.RsaUtils;importlombok.Data;importorg.springframework.boot.context.properties.ConfigurationProperties;importorg.springframework.context.annotation.Configuration;importjavax.annotation.PostConstruct;importjava.security.PrivateKey;importjava.security.PublicKey;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:25*/@Data@ConfigurationProperties(prefix="rsa.key")publicclassRsaKeyProperties{privateStringpubKeyFile;privateStringpriKeyFile;privatePublicKeypublicKey;privatePrivateKeyprivateKey;/***系统启动的时候触发*@throwsException*/@PostConstructpublicvoidcreateRsaKey()throwsException{publicKey=RsaUtils.getPublicKey(pubKeyFile);privateKey=RsaUtils.getPrivateKey(priKeyFile);}}123456789101112131415161718192223242526272829303132333435363738

创建启动类

/***@program:springboot-54-security-jwt-demo*@description:启动类*@author:波波烤鸭*@create:-12-0311:23*/@SpringBootApplication@MapperScan("com.dpb.mapper")@EnableConfigurationProperties(RsaKeyProperties.class)publicclassApp{publicstaticvoidmain(String[]args){SpringApplication.run(App.class,args);}}123456789101112131415

完成数据认证的逻辑

pojo

packagecom.dpb.domain;importcom.fasterxml.jackson.annotation.JsonIgnore;importlombok.Data;importorg.springframework.security.core.GrantedAuthority;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0315:21*/@DatapublicclassRolePojoimplementsGrantedAuthority{privateIntegerid;privateStringroleName;privateStringroleDesc;@JsonIgnore@OverridepublicStringgetAuthority(){returnroleName;}}1234567891011121314151617181922232425packagecom.dpb.domain;importcom.fasterxml.jackson.annotation.JsonIgnore;importlombok.Data;importorg.springframework.security.core.GrantedAuthority;importorg.springframework.security.core.authority.SimpleGrantedAuthority;importorg.springframework.security.core.userdetails.UserDetails;importjava.util.ArrayList;importjava.util.Collection;importjava.util.List;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:33*/@DatapublicclassUserPojoimplementsUserDetails{privateIntegerid;privateStringusername;privateStringpassword;privateIntegerstatus;privateList<RolePojo>roles;@JsonIgnore@OverridepublicCollection<?extendsGrantedAuthority>getAuthorities(){List<SimpleGrantedAuthority>auth=newArrayList<>();auth.add(newSimpleGrantedAuthority("ADMIN"));returnauth;}@OverridepublicStringgetPassword(){returnthis.password;}@OverridepublicStringgetUsername(){returnthis.username;}@JsonIgnore@OverridepublicbooleanisAccountNonExpired(){returntrue;}@JsonIgnore@OverridepublicbooleanisAccountNonLocked(){returntrue;}@JsonIgnore@OverridepublicbooleanisCredentialsNonExpired(){returntrue;}@JsonIgnore@OverridepublicbooleanisEnabled(){returntrue;}}12345678910111213141516171819222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869

Mapper接口

publicinterfaceUserMapper{publicUserPojoqueryByUserName(@Param("userName")StringuserName);}123

Mapper映射文件

<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPEmapperPUBLIC"-////DTDMapper3.0//EN""/dtd/mybatis-3-mapper.dtd"><mappernamespace="com.dpb.mapper.UserMapper"><selectid="queryByUserName"resultType="UserPojo">select*fromt_userwhereusername=#{userName}</select></mapper>123456789

Service

publicinterfaceUserServiceextendsUserDetailsService{}123@Service@TransactionalpublicclassUserServiceImplimplementsUserService{@AutowiredprivateUserMappermapper;@OverridepublicUserDetailsloadUserByUsername(Strings)throwsUsernameNotFoundException{UserPojouser=mapper.queryByUserName(s);returnuser;}}1234567891011121314

自定义认证过滤器

packagecom.dpb.filter;importcom.dpb.config.RsaKeyProperties;importcom.dpb.domain.RolePojo;importcom.dpb.domain.UserPojo;importcom.dpb.utils.JwtUtils;importcom.fasterxml.jackson.databind.ObjectMapper;importnet.bytebuddy.agent.builder.AgentBuilder;importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.Authentication;importorg.springframework.security.core.AuthenticationException;importorg.springframework.security.core.authority.SimpleGrantedAuthority;importorg.springframework.security.core.userdetails.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;importjavax.servlet.FilterChain;importjavax.servlet.ServletException;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjava.io.IOException;importjava.io.PrintWriter;importjava.util.ArrayList;importjava.util.HashMap;importjava.util.List;importjava.util.Map;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:57*/publicclassTokenLoginFilterextendsUsernamePasswordAuthenticationFilter{privateAuthenticationManagerauthenticationManager;privateRsaKeyPropertiesprop;publicTokenLoginFilter(AuthenticationManagerauthenticationManager,RsaKeyPropertiesprop){this.authenticationManager=authenticationManager;this.prop=prop;}publicAuthenticationattemptAuthentication(HttpServletRequestrequest,HttpServletResponseresponse)throwsAuthenticationException{try{UserPojosysUser=newObjectMapper().readValue(request.getInputStream(),UserPojo.class);UsernamePasswordAuthenticationTokenauthRequest=newUsernamePasswordAuthenticationToken(sysUser.getUsername(),sysUser.getPassword());returnauthenticationManager.authenticate(authRequest);}catch(Exceptione){try{response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);PrintWriterout=response.getWriter();MapresultMap=newHashMap();resultMap.put("code",HttpServletResponse.SC_UNAUTHORIZED);resultMap.put("msg","用户名或密码错误！");out.write(newObjectMapper().writeValueAsString(resultMap));out.flush();out.close();}catch(ExceptionoutEx){outEx.printStackTrace();}thrownewRuntimeException(e);}}publicvoidsuccessfulAuthentication(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainchain,AuthenticationauthResult)throwsIOException,ServletException{UserPojouser=newUserPojo();user.setUsername(authResult.getName());user.setRoles((List<RolePojo>)authResult.getAuthorities());Stringtoken=JwtUtils.generateTokenExpireInMinutes(user,prop.getPrivateKey(),24*60);response.addHeader("Authorization","Bearer"+token);try{response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_OK);PrintWriterout=response.getWriter();MapresultMap=newHashMap();resultMap.put("code",HttpServletResponse.SC_OK);resultMap.put("msg","认证通过！");out.write(newObjectMapper().writeValueAsString(resultMap));out.flush();out.close();}catch(ExceptionoutEx){outEx.printStackTrace();}}}123456789101112131415161718192223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889

自定义校验token的过滤器

packagecom.dpb.filter;importcom.dpb.config.RsaKeyProperties;importcom.dpb.domain.Payload;importcom.dpb.domain.UserPojo;importcom.dpb.utils.JwtUtils;importcom.fasterxml.jackson.databind.ObjectMapper;importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.context.SecurityContextHolder;importorg.springframework.security.web.authentication.www.BasicAuthenticationFilter;importjavax.servlet.FilterChain;importjavax.servlet.ServletException;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjava.io.IOException;importjava.io.PrintWriter;importjava.util.HashMap;importjava.util.Map;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0312:39*/publicclassTokenVerifyFilterextendsBasicAuthenticationFilter{privateRsaKeyPropertiesprop;publicTokenVerifyFilter(AuthenticationManagerauthenticationManager,RsaKeyPropertiesprop){super(authenticationManager);this.prop=prop;}publicvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainchain)throwsIOException,ServletException{Stringheader=request.getHeader("Authorization");if(header==null||!header.startsWith("Bearer")){//如果携带错误的token，则给用户提示请登录！chain.doFilter(request,response);response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_FORBIDDEN);PrintWriterout=response.getWriter();MapresultMap=newHashMap();resultMap.put("code",HttpServletResponse.SC_FORBIDDEN);resultMap.put("msg","请登录！");out.write(newObjectMapper().writeValueAsString(resultMap));out.flush();out.close();}else{//如果携带了正确格式的token要先得到tokenStringtoken=header.replace("Bearer","");//验证tken是否正确Payload<UserPojo>payload=JwtUtils.getInfoFromToken(token,prop.getPublicKey(),UserPojo.class);UserPojouser=payload.getUserInfo();if(user!=null){UsernamePasswordAuthenticationTokenauthResult=newUsernamePasswordAuthenticationToken(user.getUsername(),null,user.getAuthorities());SecurityContextHolder.getContext().setAuthentication(authResult);chain.doFilter(request,response);}}}}1234567891011121314151617181922232425262728293031323334353637383940414243444546474849505152535455565758596061626364

###编写SpringSecurity的配置类

packagecom.dpb.config;importcom.dpb.filter.TokenLoginFilter;importcom.dpb.filter.TokenVerifyFilter;importcom.dpb.service.UserService;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;importorg.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;importorg.springframework.security.config.annotation.web.builders.HttpSecurity;importorg.springframework.security.config.annotation.web.configuration.EnableWebSecurity;importorg.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;importorg.springframework.security.config.http.SessionCreationPolicy;importorg.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0312:41*/@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled=true)publicclassWebSecurityConfigextendsWebSecurityConfigurerAdapter{@AutowiredprivateUserServiceuserService;@AutowiredprivateRsaKeyPropertiesprop;@BeanpublicBCryptPasswordEncoderpasswordEncoder(){returnnewBCryptPasswordEncoder();}//指定认证对象的来源publicvoidconfigure(AuthenticationManagerBuilderauth)throwsException{auth.userDetailsService(userService).passwordEncoder(passwordEncoder());}//SpringSecurity配置信息publicvoidconfigure(HttpSecurityhttp)throwsException{http.csrf().disable().authorizeRequests().antMatchers("/user/query").hasAnyRole("ADMIN").anyRequest().authenticated().and().addFilter(newTokenLoginFilter(super.authenticationManager(),prop)).addFilter(newTokenVerifyFilter(super.authenticationManager(),prop)).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}}123456789101112131415161718192223242526272829303132333435363738394041424344454647484950515253545556

启动服务测试

启动服务

通过Postman来访问测试

根据token信息我们访问其他资源

2.4资源系统创建

说明资源服务可以有很多个，这里只拿产品服务为例，记住，资源服务中只能通过公钥验证认证。不能签发token！创建产品服务并导入jar包根据实际业务导包即可，咱们就暂时和认证服务一样了。

接下来我们再创建一个资源服务

导入相关的依赖

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><artifactId>security-jwt-common</artifactId><groupId>com.dpb</groupId><version>1.0-SNAPSHOT</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.1.0</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.10</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-configuration-processor</artifactId><optional>true</optional></dependency></dependencies>123456789101112131415161718192223242526272829303132333435

编写产品服务配置文件

切记这里只能有公钥地址！

server:port:9002spring:datasource:driver-class-name:com.mysql.jdbc.Driverurl:jdbc:mysql://localhost:3306/srmusername:rootpassword:123456type:com.alibaba.druid.pool.DruidDataSourcemybatis:type-aliases-package:com.dpb.domainmapper-locations:classpath:mapper/*.xmllogging:level:com.dpb:debugrsa:key:pubKeyFile:c:\tools\auth_key\id_key_rsa.pub123456789101112131415161718

编写读取公钥的配置类

packagecom.dpb.config;importcom.dpb.utils.RsaUtils;importlombok.Data;importorg.springframework.boot.context.properties.ConfigurationProperties;importjavax.annotation.PostConstruct;importjava.security.PrivateKey;importjava.security.PublicKey;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:25*/@Data@ConfigurationProperties(prefix="rsa.key")publicclassRsaKeyProperties{privateStringpubKeyFile;privatePublicKeypublicKey;/***系统启动的时候触发*@throwsException*/@PostConstructpublicvoidcreateRsaKey()throwsException{publicKey=RsaUtils.getPublicKey(pubKeyFile);}}1234567891011121314151617181922232425262728293031323334

编写启动类

packagecom.dpb;importcom.dpb.config.RsaKeyProperties;importorg.mybatis.spring.annotation.MapperScan;importorg.springframework.boot.SpringApplication;importorg.springframework.boot.autoconfigure.SpringBootApplication;importorg.springframework.boot.context.properties.EnableConfigurationProperties;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0317:23*/@SpringBootApplication@MapperScan("com.dpb.mapper")@EnableConfigurationProperties(RsaKeyProperties.class)publicclassApp{publicstaticvoidmain(String[]args){SpringApplication.run(App.class,args);}}123456789101112131415161718192223

复制认证服务中，用户对象，角色对象和校验认证的接口

复制认证服务中的相关内容即可

复制认证服务中SpringSecurity配置类做修改

packagecom.dpb.config;importcom.dpb.filter.TokenVerifyFilter;importcom.dpb.service.UserService;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;importorg.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;importorg.springframework.security.config.annotation.web.builders.HttpSecurity;importorg.springframework.security.config.annotation.web.configuration.EnableWebSecurity;importorg.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;importorg.springframework.security.config.http.SessionCreationPolicy;importorg.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0312:41*/@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled=true)publicclassWebSecurityConfigextendsWebSecurityConfigurerAdapter{@AutowiredprivateUserServiceuserService;@AutowiredprivateRsaKeyPropertiesprop;@BeanpublicBCryptPasswordEncoderpasswordEncoder(){returnnewBCryptPasswordEncoder();}//指定认证对象的来源publicvoidconfigure(AuthenticationManagerBuilderauth)throwsException{auth.userDetailsService(userService).passwordEncoder(passwordEncoder());}//SpringSecurity配置信息publicvoidconfigure(HttpSecurityhttp)throwsException{http.csrf().disable().authorizeRequests()//.antMatchers("/user/query").hasAnyRole("USER").anyRequest().authenticated().and().addFilter(newTokenVerifyFilter(super.authenticationManager(),prop))//禁用掉session.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}}123456789101112131415161718192223242526272829303132333435363738394041424344454647484950515253545556

去掉“增加自定义认证过滤器”即可！

编写产品处理器

packagecom.dpb.controller;importorg.springframework.security.access.annotation.Secured;importorg.springframework.web.bind.annotation.RequestMapping;importorg.springframework.web.bind.annotation.RestController;/***@program:springboot-54-security-jwt-demo*@description:*@author:波波烤鸭*@create:-12-0311:55*/@RestController@RequestMapping("/user")publicclassUserController{@RequestMapping("/query")publicStringquery(){return"success";}@RequestMapping("/update")publicStringupdate(){return"update";}}123456789101112131415161718192223242526

测试

搞定~

Redis、Kafka或RabbitMQ，哪个更和微服务更般配？JDK 16 即将发布，看完这些新特性，我感觉已经学不动了..Redis 分布式锁使用不当，超卖了100瓶飞天茅台！！！SQL优化最干货总结（最新版）Redis 分布式锁使用不当，超卖了100瓶飞天茅台！！！为什么MySQL不推荐使用 UUID 或者雪花id作为主键？今天，又被Java8的时间库恶心到了，有同感的举手...Docker从入门到干活，看这一篇足矣好文章，我在看