SpringSecurity 实现token 认证
-
配置类
/**
 * Web security configuration for header-token authentication.
 *
 * <p>Every request passes through {@link TokenAuthenticationTokenFilter} before the
 * username/password filter; {@code /Login/**} is open, everything else requires an
 * authenticated {@code SecurityContext}. Sessions are stateless, so the context is
 * rebuilt from the token on each request.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the adapter's {@code AuthenticationManager} as a bean.
     *
     * @return the manager built by the parent adapter
     * @throws Exception if the parent adapter cannot build it
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares the token filter as a bean so that its {@code @Autowired RedisUtils}
     * field is populated (a filter created with plain {@code new} inside
     * {@link #configure(HttpSecurity)} would get no injection).
     *
     * <p>NOTE(review): in a Spring Boot application a {@code Filter} bean is also
     * registered with the servlet container, which makes it run once there and once
     * inside the security chain — confirm, and if so disable the container
     * registration with a {@code FilterRegistrationBean}.
     *
     * @return the token filter instance managed by the container
     */
    @Bean
    public TokenAuthenticationTokenFilter getTokenFiter() {
        return new TokenAuthenticationTokenFilter();
    }

    /**
     * Builds the filter chain: token filter first, then URL authorization rules,
     * stateless session policy and CSRF disabled.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(getTokenFiter(), UsernamePasswordAuthenticationFilter.class);

        // Login endpoints are open; every other request needs an authenticated context.
        http.authorizeRequests()
                .antMatchers("/Login/**").permitAll()
                .anyRequest().authenticated();

        // Default login page is kept.
        // NOTE(review): with a STATELESS session policy a form login is not remembered
        // across requests; the token filter is what carries authentication here.
        http.formLogin();

        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // CSRF is disabled so POST requests are accepted without a CSRF token; the
        // original author notes it should be enabled in real deployments, with the
        // front end sending the required parameter.
        http.csrf().disable();
    }
}
-
定义token 验证过滤器
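/**
 * Once-per-request filter that turns a {@code token} request header into a Spring
 * Security {@code Authentication}.
 *
 * <p>The header value is looked up in Redis; the stored value is expected to be a JSON
 * object whose {@code role} entry becomes the single granted authority. Requests without
 * a token continue unauthenticated and are accepted or rejected by the authorization
 * rules downstream. Unknown tokens, and stored records without a {@code role}, are
 * answered directly with the application's "token 非法" result.
 */
public class TokenAuthenticationTokenFilter extends OncePerRequestFilter {

    /** Store holding the record issued at login, keyed by token; injected because the filter is a bean. */
    @Autowired
    private RedisUtils redisUtils;

    public TokenAuthenticationTokenFilter() {
    }

    /**
     * Authenticates the request from its {@code token} header, if present.
     *
     * @param request     incoming request; only the {@code token} header is read
     * @param response    response used to answer a rejected token directly
     * @param filterChain remaining chain, invoked for requests without a token and for
     *                    successfully authenticated ones
     * @throws ServletException propagated from the rest of the chain
     * @throws IOException      if writing the rejection body fails, or from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // 1. Token travels in a plain request header named "token".
        String token = request.getHeader("token");
        if (!StringUtils.hasText(token)) {
            // No token: routes that do not need one are served as-is; protected routes
            // are refused later by the authorization rules.
            filterChain.doFilter(request, response);
            return;
        }

        // NOTE(review): the client-supplied header is used as the Redis key without a
        // namespace. If the same store holds other keys, a client can present one of
        // those names as its "token"; a prefix such as "token:" applied consistently
        // where the token is issued would confine lookups — confirm against the login code.
        Object stored = redisUtils.get(token);
        if (stored == null) {
            writeTokenRejected(response);
            return;
        }

        Object role = readRole(stored);
        if (role == null) {
            // A record without a role used to fail with a NullPointerException (HTTP 500);
            // it is now rejected the same way as an unknown token.
            writeTokenRejected(response);
            return;
        }

        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority(role.toString()));

        // Credentials are null: the token has already been checked against the store.
        // The principal is an empty Userdto — no user fields are populated from the record.
        UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(new Userdto(), null, authorities);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(request, response);
    }

    /**
     * Parses the stored record as a JSON object and returns its {@code role} entry.
     *
     * @param stored value read from Redis; its {@code toString()} must be a JSON object
     * @return the role value, or {@code null} when the record has no {@code role}
     */
    private static Object readRole(Object stored) {
        // Malformed JSON still throws the parser's runtime exception, as it did before.
        Map<?, ?> record = JSON.parseObject(stored.toString(), Map.class);
        return record == null ? null : record.get("role");
    }

    /**
     * Writes the application's "invalid token" result and ends the request.
     *
     * @param response response to write to
     * @throws IOException if the writer cannot be obtained or written
     */
    private static void writeTokenRejected(HttpServletResponse response) throws IOException {
        // HTTP status stays 200 and the 401 is carried in the body — this appears to be
        // the application's convention (Result.failed), so it is kept as-is.
        response.setStatus(200);
        // Declaring the media type stops clients from sniffing the body.
        response.setContentType("application/json");
        response.setCharacterEncoding("utf-8");
        response.getWriter().write(JSON.toJSONString(Result.failed(401, "token 非法", "")));
    }
}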