一文上手SpringSecurity【七】

之前我们在测试的时候,都是使用的字符串充当用户名称和密码,本篇将其换成MySQL数据库.

一、替换为真实的MySQL

1.1 引入依赖

<dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>8.0.33</version>
</dependency><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-spring-boot3-starter</artifactId><version>3.5.5</version>
</dependency>

1.2 创建表语句

DROP TABLE IF EXISTS `tb_sys_user`;
CREATE TABLE `tb_sys_user`  (`id` bigint NOT NULL AUTO_INCREMENT COMMENT '编号',`name` varchar(50) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '用户名',`nick_name` varchar(150) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '昵称',`password` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '密码',`create_time` datetime NULL DEFAULT NULL COMMENT '创建时间',PRIMARY KEY (`id`) USING BTREE,UNIQUE INDEX `name`(`name` ASC) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci COMMENT = '用户管理' ROW_FORMAT = DYNAMIC;INSERT INTO `tb_sys_user` VALUES (4, 'zhangsan', '张三', '$2a$10$dCr8Skk7kLa2kNCms.23aeiYI2RS2vrdoSae6Jz3.0w.YCiu9lmT2', NULL);
INSERT INTO `tb_sys_user` VALUES (5, 'jack', '杰克', '$2a$10$dCr8Skk7kLa2kNCms.23aeiYI2RS2vrdoSae6Jz3.0w.YCiu9lmT2', NULL);

1.3 编写接口、实体类

• 实体类

/*** 用户管理* @TableName tb_sys_user*/
@TableName(value ="tb_sys_user")
@Data
public class TbSysUser implements Serializable {/*** 编号*/@TableId(type = IdType.AUTO)private Long id;/*** 用户名*/@TableField(value = "name")private String username;/*** 昵称*/private String nickName;/*** 密码*/private String password;/*** 创建时间*/private Date createTime;@TableField(exist = false)private static final long serialVersionUID = 1L;
}

• Mapper接口

@Mapper
public interface TbSysUserMapper extends BaseMapper<TbSysUser> {}

• service接口

public interface TbSysUserService extends IService<TbSysUser> {/*** 根据用户名称查询出用户信息* @param username* @return*/TbSysUser findUserByUsername(String username);/*** 登录接口* @param tbSysUser* @return*/Result login(TbSysUser tbSysUser);
}

@Service
public class TbSysUserServiceImpl extends ServiceImpl<TbSysUserMapper, TbSysUser>implements TbSysUserService {private final TbSysUserMapper tbSysUserMapper;private final AuthenticationManager authenticationManager;public TbSysUserServiceImpl(TbSysUserMapper tbSysUserMapper, AuthenticationManager authenticationManager) {this.tbSysUserMapper = tbSysUserMapper;this.authenticationManager = authenticationManager;}@Overridepublic TbSysUser findUserByUsername(String username) {// 判断一下用户名称是否正确LambdaQueryWrapper<TbSysUser> lambdaQueryWrapper = new LambdaQueryWrapper<>();lambdaQueryWrapper.eq(TbSysUser::getUsername, username);List<TbSysUser> userList = tbSysUserMapper.selectList(lambdaQueryWrapper);if (userList.size() != 1) {throw new RuntimeException("用户名错误");}return userList.get(0);}@Overridepublic Result login(TbSysUser tbSysUser) {String username = tbSysUser.getUsername();String password = tbSysUser.getPassword();if (!StringUtils.hasText(username)) {return Result.error(-1, "用户名称不能为空");}if (!StringUtils.hasText(password)) {return Result.error(-2, "用户密码不能为空");}// 封装请求参数UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken= new UsernamePasswordAuthenticationToken(username, password);// 手动调用认证方法// 如果没有抛出异常,则表示认证成功,则返回一个完整对象,我们从中获取封装的UserDetails对象try {Authentication authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);// 获取认证对象User user = (User) authenticate.getPrincipal();// 生成jwtString id = UUID.randomUUID().toString().replace("-", "");String token = JwtUtil.createJwt(id, user.getUsername());return Result.success(0, "登录成功", token);} catch (Exception e) {e.printStackTrace();}return Result.error(-1, "用户名称或者密码错误");}
}

1.4 修改UserDetailsServiceImpl

@Service
public class UserDetailsServiceImpl implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {// 根据用户名称去数据当中查询出用户信息,这里还是先模拟一下// String name = "admin";// String password = "admin";// String password = "$2a$10$4/S6K/z/nF5eTk9KlF/PgOGtv2jlLGrzpO3oXINQAkNNlMqtVT6ru";TbSysUserService sysUserService = ApplicationContextAwareUtil.getBean(TbSysUserService.class);TbSysUser sysUser = sysUserService.findUserByUsername(username);// 如果根据用户名称没有查询到到用户信息,则抛出异常,这里模拟操作// 如果没有问题,则将用户信息封装成UserDetails对象return new User(sysUser.getUsername(), sysUser.getPassword(), Collections.emptyList());}
}

这里有一个工具类ApplicationContextAwareUtil, 从容器当中查找bean,解决一下这里可能会产生的循环依赖问题.

@Component
public class ApplicationContextAwareUtil implements ApplicationContextAware {private static ApplicationContext context;@Overridepublic void setApplicationContext(ApplicationContext applicationContext) throws BeansException {context = applicationContext;}public static ApplicationContext getApplicationContext(){return context;}public static <T> T getBean(Class<T> clazz){return context.getBean(clazz);}public static <T> T getBean(String beanName, Class<T> clazz){return context.getBean(beanName, clazz);}
}

1.5 修改TokenAuthenticationFilter

@Component
@Slf4j
public class TokenAuthenticationFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {// 1. 从请求头当中取出前端传递过来的tokenString token = request.getHeader("token");String uri = request.getRequestURI().toString();if (uri.contains("/login")) {filterChain.doFilter(request, response);return;}// 2. 判断一下token是否为空if (!StringUtils.hasText(token)) {// 如果请求头当中没有传递token,直接放行.交给下一下过滤器去处理即可.filterChain.doFilter(request, response);return;}// 3. 解析tokentry {Claims claims = JwtUtil.parseJWT(token);String id = claims.getId();String subject = claims.getSubject();log.info("id:{},subject:{}", id, subject);// 解析出来subject和id了,这里的subject就是用户名称,由于这个token是由服务器下发的,服务能给发token,表示// 肯定已经认证成功了.我们要做的是根据解析出来的token信息,去数据库查询,能不能找到匹配的信息.如果能,则表示// 这个用户已经认证过了,直接放行就行了,如果找不到,那这个token可能是伪造的,就不能让访问资源 如果不匹配,也// 不能访问资源// 这里我们并没有使用数据库作为数据源,默认的用户名称和密码都是admin,不过密码是加密处理的密文而已.// 根据用户名称查询用户信息. 【我们这里模拟一下这个操作】// String name = "admin";// String password = "$2a$10$4/S6K/z/nF5eTk9KlF/PgOGtv2jlLGrzpO3oXINQAkNNlMqtVT6ru";TbSysUserService sysUserService = ApplicationContextAwareUtil.getBean(TbSysUserService.class);TbSysUser sysUser = sysUserService.findUserByUsername(subject);// 封装认证对象UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken= new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword(), Collections.emptyList());// 存储用户认证凭证,已经校验通过,表示已经认证过了,不必再去执行spring security的过滤器链了.SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);// 放行操作filterChain.doFilter(request, response);} catch (Exception e) { // token抛出异常了,譬如说,过期了, 伪造啥的.不管是啥,我们都直接返回就行了// 记录一下日志,直接返回即可// 将错误信息写回给浏览器ResponseWriteUtils.write2Client(response, Result.error(-1, "认证异常,请重新登录"));}}
}

1.6 修改UserController

@RestController
public class UserController {private final TbSysUserService sysUserService;public UserController(TbSysUserService sysUserService) {this.sysUserService = sysUserService;}// private final ISysUserService sysUserService;//// public UserController(ISysUserService sysUserService) {//     this.sysUserService = sysUserService;// }@PostMapping("/api/pub/v1/login")public Result login(@RequestBody TbSysUser sysUser){return sysUserService.login(sysUser);}
}

1.7 修改application.yml文件

server:port: 9527
spring:application:name: spring-security-demo-02datasource:driver-class-name: com.mysql.cj.jdbc.Driverurl: jdbc:mysql://localhost:3306/rj-security-db?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=Asia/Shanghaiusername: rootpassword: rootmybatis-plus:configuration:map-underscore-to-camel-case: truelogging:level:com.rj.mapper: debug

1.8 测试

查看服务器端日志

spring security 抛出了异常了,此处后续再处理.

以上整个流程我们就完成了.

二、总结

2.1 重点内容

• 替换为真实的数据库,这里使用的是MySQL
• 跑通整个自定义认证的流程
• 在校验token的过滤器当中,会频繁的查询数据库,此时可以将认证信息存储到redis当中,避免频繁的查询数据库

2.2 下篇内容

• RBAC模型