Spring Boot 2结合Spring security + JWT实现微信小程序登录

项目源码：https://gitee.com/tanwubo/jwt-spring-security-demo

通过自定义的WxAppletAuthenticationFilter替换默认的UsernamePasswordAuthenticationFilter，在UsernamePasswordAuthenticationFilter中可任意定制自己的登录方式。

需要结合JWT来实现用户认证，第一步登录成功后如何颁发token。

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Autowired private JwtTokenUtils jwtTokenUtils; @Override public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException { // 使用jwt管理，所以封装用户信息生成jwt响应给前端 String token = jwtTokenUtils.generateToken(((WxAppletAuthenticationToken)authentication).getOpenid()); Map<String, Object> result = Maps.newHashMap(); result.put(ConstantEnum.AUTHORIZATION.getValue(), token); httpServletResponse.setContentType(ContentType.JSON.toString()); httpServletResponse.getWriter().write(JSON.toJSONString(result)); }}

第二步，弃用spring security默认的session机制，通过token来管理用户的登录状态。这里有俩段关键代码。

@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable().sessionManagement()// 不创建Session, 使用jwt来管理用户的登录状态.sessionCreationPolicy(SessionCreationPolicy.STATELESS)......; }

第二步，添加token的认证过滤器。

public class JwtAuthenticationTokenFilter extends OncePerRequestFilter { @Autowired private AuthService authService; @Autowired private JwtTokenUtils jwtTokenUtils; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { log.debug('processing authentication for [{}]', request.getRequestURI()); String token = request.getHeader(ConstantEnum.AUTHORIZATION.getValue()); String openid = null; if (token != null) { try {openid = jwtTokenUtils.getUsernameFromToken(token); } catch (IllegalArgumentException e) {log.error('an error occurred during getting username from token', e);throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage('an error occurred during getting username from token , token is [%s]', token)); } catch (ExpiredJwtException e) {log.warn('the token is expired and not valid anymore', e);throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage('the token is expired and not valid anymore, token is [%s]', token)); }catch (SignatureException e) {log.warn('JWT signature does not match locally computed signature', e);throw new BasicException(ExceptionEnum.JWT_EXCEPTION.customMessage('JWT signature does not match locally computed signature, token is [%s]', token)); } }else { log.warn('couldn’t find token string'); } if (openid != null && SecurityContextHolder.getContext().getAuthentication() == null) { log.debug('security context was null, so authorizing user'); Account account = authService.findAccount(openid); List<Permission> permissions = authService.acquirePermission(account.getAccountId()); List<SimpleGrantedAuthority> authorities = permissions.stream().map(permission -> new SimpleGrantedAuthority(permission.getPermission())).collect(Collectors.toList()); log.info('authorized user [{}], setting security context', openid); SecurityContextHolder.getContext().setAuthentication(new WxAppletAuthenticationToken(openid, authorities)); } filterChain.doFilter(request, response); }}接口鉴权

第一步，开启注解@EnableGlobalMethodSecurity。

@SpringBootApplication@EnableGlobalMethodSecurity(prePostEnabled = true)public class JwtSpringSecurityDemoApplication { public static void main(String[] args) { SpringApplication.run(JwtSpringSecurityDemoApplication.class, args); }}

第二部，在需要鉴权的接口上添加@PreAuthorize注解。

@RestController@RequestMapping('/test')public class TestController { @GetMapping @PreAuthorize('hasAuthority(’user:test’)') public String test(){ return 'test success'; } @GetMapping('/authority') @PreAuthorize('hasAuthority(’admin:test’)') public String authority(){ return 'test authority success'; }}

到此这篇关于Spring Boot 2结合Spring security + JWT实现微信小程序登录的文章就介绍到这了,更多相关Spring Boot Spring security JWT微信小程序登录内容请搜索好吧啦网以前的文章或继续浏览下面的相关文章希望大家以后多多支持好吧啦网！