前后端分离的Web应用程序中使用Spring Security+Mybatis+JWT非对称加密+动态权限管理(六):身份验证过滤器
2021/6/10 12:23:13
本文主要是介绍前后端分离的Web应用程序中使用Spring Security+Mybatis+JWT非对称加密+动态权限管理(六):身份验证过滤器,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
在安全配置文件MySecurityConfig.java里配置了两个过滤器LoginFilter和JwtAuthenticationTokenFilter。
1、用户请求进来时,首先调用JwtAuthenticationTokenFilter过滤器,检查是否携带token,如果已有token,则验证token是否合法,如果合法,则直接通过验证。如果没有携带token,或者token不合法,则会进入下一个过滤器,即身份验证过滤器。以下是JwtAuthenticationTokenFilter过滤器代码:
package com.security;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import com.service.MyUserDetailsService;
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter{
@Autowired
MyUserDetailsService userDetailsService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
//请求头为 Authorization
//请求体为 Bearer token
String authHeader = request.getHeader("Authorization"); //获取请求头
if (authHeader != null && authHeader.startsWith("Bearer ")) { //如果请求头不为空,且以Bearer 开头
final String authToken = authHeader.substring("Bearer ".length()); //获取令牌
String username = JwtTokenUtils.parseToken(authToken); //从令牌中获取用户名
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { //如果用户认证信息不为空
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if (userDetails != null) {
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
}
chain.doFilter(request, response); //请求头为空,或重新认证不通过,则直接进入下一个过滤链
}
}
View Code
2、用户第一次登录时(无token)或者token不合法时,将调用身份验证过滤器,即LoginFilter。
package com.security;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
public class LoginFilter extends UsernamePasswordAuthenticationFilter{
String username;
String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
View Code
身份验证主要是通过改写Authentication方法,通过以下3行代码即完成用户名和密码校验,这是标准的身份校验方法,切不可直接根据加密算法算出加密密文,然后再比较密文是否与数据库中的密文相同这样的方法。
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest);
这篇关于前后端分离的Web应用程序中使用Spring Security+Mybatis+JWT非对称加密+动态权限管理(六):身份验证过滤器的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-06-26结对编程到底难不难?答案在这里
- 2024-06-19《2023版Java工程师》课程升级公告
- 2024-06-15matplotlib作图不显示3D图,怎么办?
- 2024-06-1503-Loki 日志监控
- 2024-06-1504-让LLM理解知识 -Prompt
- 2024-06-05做软件测试需要懂代码吗?
- 2024-06-0514-ShardingSphere的分布式主键实现
- 2024-06-03为什么以及如何要进行架构设计权衡?
- 2024-05-31全网首发第二弹!软考2024年5月《软件设计师》真题+解析+答案!(11-20题)
- 2024-05-31全网首发!软考2024年5月《软件设计师》真题+解析+答案!(21-30题)
