个人创办网站亚马逊做品牌备案自有网站
前言
在现代 Web 开发中,前后端分离架构已经成为主流。后端专注于提供 RESTful API,而前端通过 AJAX 请求与后端交互。在这种架构下,如何对用户进行 认证(Authentication) 和 授权(Authorization) 成为了系统设计中的核心问题。
Spring Security 是 Spring 框架中用于构建安全系统的模块,它不仅提供了强大的安全机制,还支持灵活的自定义配置。本文将围绕 鉴权失败和成功时的行为、需要拦截的路径配置、以及具体的代码实现方式 展开讲解,并结合多个实际例子,帮助你深入理解 Spring Security 在前后端分离项目中的使用。
本文将从以下三个方面详细展开:
- 基础概念:包括认证、授权、关键组件及其作用;
- 配置流程:从登录请求到权限控制的完整流程;
- 实战示例:JWT 认证、异常处理、多种路径保护等具体实现;
无论你是初学者还是有一定经验的开发者,这篇文章都将为你提供一套完整的解决方案。
一、基础概念详解
Spring Security 的核心在于 认证(Authentication) 和 授权(Authorization)。
1. SecurityFilterChain(安全过滤器链)
- 作用:定义 HTTP 请求的安全策略。
- 位置:通常在配置类中通过
@Bean注解创建。 - 示例:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(auth -> auth.requestMatchers("/public/**").permitAll().anyRequest().authenticated()).formLogin(withDefaults()).httpBasic(withDefaults());return http.build();
}
可以定义多个
SecurityFilterChain来处理不同路径的权限策略。
2. UserDetailsService(用户详情服务)
- 作用:负责加载用户信息(用户名、密码、权限)。
- 实现方式:
- 内存方式(适合测试):
@Bean
public UserDetailsService userDetailsService() {UserDetails user = User.withUsername("user").password(passwordEncoder().encode("123456")).roles("USER").build();return new InMemoryUserDetailsManager(user);
}
- 数据库方式(推荐生产环境):
@Service
public class CustomUserDetailsService implements UserDetailsService {@Autowiredprivate UserRepository userRepository;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userRepository.findByUsername(username).orElseThrow(() -> new UsernameNotFoundException("用户不存在"));return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),getAuthorities(user.getRoles()));}private Collection<? extends GrantedAuthority> getAuthorities(Collection<Role> roles) {return roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName())).collect(Collectors.toList());}
}
3. PasswordEncoder(密码编码器)
- 作用:加密存储密码,并验证密码是否匹配。
- 常用实现:
BCryptPasswordEncoder(推荐)NoOpPasswordEncoder(不加密,仅用于开发阶段)
@Bean
public PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();
}
4. JwtRequestFilter(自定义 JWT 过滤器)
- 作用:拦截每个请求,解析 Token 并设置当前用户认证信息。
- 实现方式:
@Component
public class JwtRequestFilter extends OncePerRequestFilter {@Autowiredprivate JwtTokenUtil jwtTokenUtil;@Autowiredprivate UserDetailsService userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain filterChain)throws ServletException, IOException {String token = extractToken(request);if (token != null && jwtTokenUtil.validateToken(token)) {String username = jwtTokenUtil.getUsernameFromToken(token);UserDetails userDetails = userDetailsService.loadUserByUsername(username);UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authentication);}filterChain.doFilter(request, response);}private String extractToken(HttpServletRequest request) {String header = request.getHeader("Authorization");if (header != null && header.startsWith("Bearer ")) {return header.substring(7);}return null;}
}
5. AuthenticationEntryPoint(鉴权失败处理器)
- 作用:当用户未认证访问受保护资源时触发该处理器。
- 实现方式:
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request,HttpServletResponse response,AuthenticationException authException) throws IOException {response.setContentType("application/json;charset=UTF-8");response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);response.getWriter().write("{\"error\": \"Unauthorized\", \"message\": \"认证失败,请重新登录\"}");}
}
6. AccessDeniedHandler(权限不足处理器)
- 作用:当用户已认证但没有访问权限时触发。
- 实现方式:
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request,HttpServletResponse response,AccessDeniedException accessDeniedException) throws IOException {response.setContentType("application/json;charset=UTF-8");response.setStatus(HttpServletResponse.SC_FORBIDDEN);response.getWriter().write("{\"error\": \"Forbidden\", \"message\": \"你没有权限访问该资源\"}");}
}
二、配置流程详解
成功时的流程:
- 用户发送登录请求 →
/api/auth/login - 后端验证用户名密码,生成 JWT Token 并返回给前端
- 前端保存 Token(如 localStorage)
- 后续请求携带 Token(放在 Header 中)
- 后端通过自定义 JWT 过滤器解析 Token 并设置认证信息
- 用户访问受保护资源成功
失败时的流程:
- Token 缺失或格式错误 → 返回
401 Unauthorized - Token 已过期或签名无效 → 返回
401 Unauthorized - 用户没有权限访问某资源 → 返回
403 Forbidden
三、实战示例详解
示例 1:JWT Token 工具类(完整版)
@Component
public class JwtTokenUtil {private static final long JWT_TOKEN_VALIDITY = 5 * 60 * 60; // 5小时private String secret = "your-secret-key-here";public String getUsernameFromToken(String token) {return getClaimFromToken(token, Claims::getSubject);}public Date getExpirationDateFromToken(String token) {return getClaimFromToken(token, Claims::getExpiration);}public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {final Claims claims = getAllClaimsFromToken(token);return claimsResolver.apply(claims);}private Claims getAllClaimsFromToken(String token) {return Jwts.parserBuilder().setSigningKey(secret).build().parseClaimsJws(token).getBody();}private Boolean isTokenExpired(String token) {final Date expiration = getExpirationDateFromToken(token);return expiration.before(new Date());}public String generateToken(UserDetails userDetails) {Map<String, Object> claims = new HashMap<>();return doGenerateToken(claims, userDetails.getUsername());}private String doGenerateToken(Map<String, Object> claims, String subject) {return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis())).setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY * 1000)).signWith(SignatureAlgorithm.HS512, secret).compact();}public Boolean validateToken(String token, UserDetails userDetails) {final String username = getUsernameFromToken(token);return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));}
}
示例 2:登录接口
@RestController
@RequestMapping("/api/auth")
public class AuthController {@Autowiredprivate AuthenticationManager authenticationManager;@Autowiredprivate JwtTokenUtil jwtTokenUtil;@Autowiredprivate UserDetailsService userDetailsService;@PostMapping("/login")public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) throws Exception {try {authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));} catch (AuthenticationException e) {throw new Exception("用户名或密码错误");}final UserDetails userDetails = userDetailsService.loadUserByUsername(loginRequest.getUsername());final String token = jwtTokenUtil.generateToken(userDetails);return ResponseEntity.ok().header("Authorization", "Bearer " + token).build();}
}
示例 3:多种路径保护方式
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.csrf(AbstractHttpConfigurer::disable).cors(cors -> cors.configurationSource(corsConfigurationSource())).sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)).addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class).exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler)).authorizeHttpRequests(auth -> auth.requestMatchers("/api/public/**").permitAll().requestMatchers("/api/admin/**").hasRole("ADMIN").requestMatchers("/api/user/**").hasAnyRole("USER", "ADMIN").anyRequest().authenticated());return http.build();
}
结语
本文从 Spring Security 的基础概念出发,详细介绍了认证与授权的核心组件,并结合多个实战示例展示了 JWT 的集成、路径保护、异常处理等常见场景的实现方式。