上篇 Spring Security 登录校验 源码解析  分析了使用Spring Security时用户登录时验证并返回token过程,本篇分析下用户带token访问时,如何验证用户登录状态及权限问题

用户访问控制相对简单,本质同登录验证一样,均采用过滤器拦截请求进行验证

这里需要自定义过滤器JwtAuthenticationTokenFilter并自定义路径匹配器RequestMatcher ,JwtAuthenticationTokenFilter继承AbstractAuthenticationProcessingFilter,并实现attemptAuthentication、successfulAuthentication、unsuccessfulAuthentication方法

1 AbstractAuthenticationProcessingFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest)req;

        HttpServletResponse response = (HttpServletResponse)res;

        //判断访问是否需要过滤

        if(!this.requiresAuthentication(request, response)) {

            chain.doFilter(request, response);

        } else {

            if(this.logger.isDebugEnabled()) {

                this.logger.debug("Request is to process authentication");

            }

            Authentication authResult;

            //调用子类JwtAuthenticationTokenFilter实现

            try {

                authResult = this.attemptAuthentication(request, response);

                if(authResult == null) {

                    return;

                }

                //session控制策略,因为用jwt,故不进行深入分析

                this.sessionStrategy.onAuthentication(authResult, request, response);

            } catch (InternalAuthenticationServiceException var8) {

                this.logger.error("An internal error occurred while trying to authenticate the user.", var8);

                //验证失败,调用子类unsuccessfulAuthentication方法

                this.unsuccessfulAuthentication(request, response, var8);

                return;

            } catch (AuthenticationException var9) {

                //验证失败,调用子类unsuccessfulAuthentication方法

                this.unsuccessfulAuthentication(request, response, var9);

                return;

            }

            if(this.continueChainBeforeSuccessfulAuthentication) {

                chain.doFilter(request, response);

            }

            //验证成功,调用子类successfulAuthentication方法

            this.successfulAuthentication(request, response, chain, authResult);

        }

    }

2 JwtAuthenticationTokenFilter

@Component

public class JwtAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {

    @Autowired

    private UserDetailsService userDetailsService;

    @Autowired

    private JwtTokenUtil jwtTokenUtil;

    @Autowired

    private ObjectMapper mapper;

    @Value("${jwt.header}")

    private String tokenHeader;

    @Value("${jwt.tokenHead}")

    private String tokenHead;

    @Value("${jwt.appExpiration}")

    private Long appExpiration;

    @Value("${jwt.pcExpiration}")

    private Long pcExpiration;

    public JwtAuthenticationTokenFilter(RequestMatcher requiresAuthenticationRequestMatcher) {

        super(requiresAuthenticationRequestMatcher);

        setAuthenticationManager(authentication -> authentication);

    }

    @Override

    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {

        //获得header

        String authHeader = httpServletRequest.getHeader(this.tokenHeader);

        throwException(authHeader == null,

                new TokenVerifyException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌缺失"));

        throwException(!authHeader.startsWith(this.tokenHead),

                new TokenVerifyException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌格式不正确"));

        String authToken = authHeader.substring(this.tokenHead.length());

        UserDetails userDetails;

        try {

            Claims claims = jwtTokenUtil.getClaimsFromToken(authToken);

            throwException(claims.getSubject() == null,

                    new TokenVerifyException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌格式不正确"));

            // 校验密码是否已修改

            userDetails = this.verifyPasswordChanged(claims.getSubject(), claims.getIssuedAt());

        } catch (ExpiredJwtException ex) {

            this.refreshToken(httpServletResponse, authToken);

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_ACCESS_KEY_NOT_EFFECT, "令牌已过期");

        } catch (UnsupportedJwtException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌错误");

        } catch (MalformedJwtException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌格式不正确");

        } catch (SignatureException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "签名错误");

        }

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication == null) {

            authentication = new UsernamePasswordAuthenticationToken(

                    userDetails, null, userDetails.getAuthorities());

            ((UsernamePasswordAuthenticationToken) authentication).setDetails(

                    new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));

        }

        return this.getAuthenticationManager().authenticate(authentication);

    }

    private void refreshToken(HttpServletResponse response, String oldToken) {

        try {

            Claims claims = jwtTokenUtil.getClaimsAllowedClockSkew(oldToken, Integer.MAX_VALUE);

            String username = claims.getSubject();

            this.verifyPasswordChanged(username, claims.getIssuedAt());

            String newToken;

            if (JwtUser.LOGIN_WAY_APP.equals(claims.getAudience())) {

                newToken = jwtTokenUtil.refreshToken(oldToken, appExpiration);

            } else if (JwtUser.LOGIN_WAY_PC.equals(claims.getAudience())) {

                newToken = jwtTokenUtil.refreshToken(oldToken, pcExpiration);

            } else {

                throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "未识别的客户端");

            }

            response.addHeader(this.tokenHeader, this.tokenHead + newToken);

        } catch (ExpiredJwtException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_RELOGIN, "登录已过期");

        } catch (UnsupportedJwtException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌错误");

        } catch (MalformedJwtException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "令牌格式不正确");

        } catch (SignatureException ex) {

            throw new TokenParseException(RESPONSE_CODE.BACK_CODE_UNAUTHORIZED, "签名错误");

        }

    }

    //验证密码是否变更

    private UserDetails verifyPasswordChanged(String username, Date tokenCreateTime) {

        JwtUser user = (JwtUser) userDetailsService.loadUserByUsername(username);

        if (jwtTokenUtil.isCreatedBeforeLastPasswordReset(tokenCreateTime, user.getLastPasswordResetDate())) {

            throw new TokenVerifyException(RESPONSE_CODE.BACK_CODE_RELOGIN, "密码变更,需重新登录");

        }

        return user;

    }

    private void throwException(boolean expression, AuthenticationException ex) {

        if (expression) {

            throw ex;

        }

    }

    //认证结果放入缓存

    @Override

    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {

        SecurityContextHolder.getContext().setAuthentication(authResult);

        chain.doFilter(request, response);

    }

    //认证失败,封装返回信息

    @Override

    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {

        BackResult<String> result = new BackResult<>();

        result.setCode(RESPONSE_CODE.BACK_CODE_EXCEPTION.value);

        if (failed instanceof TokenVerifyException) {

            TokenVerifyException ex = (TokenVerifyException) failed;

            result.setCode(ex.getResponseCode().value);

            result.setExceptions(ex.getMessage());

        } else if (failed instanceof TokenParseException) {

            TokenParseException ex = (TokenParseException) failed;

            result.setCode(ex.getResponseCode().value);

            result.setExceptions(ex.getMessage());

        } else {

            logger.error("Token校验异常", failed);

            result.setExceptions(SystemConstant.HIDE_ERROR_TIP);

        }

        response.setContentType(MediaType.APPLICATION_JSON_VALUE);

        response.setCharacterEncoding("UTF-8");

        mapper.writeValue(response.getWriter(), result);

    }

}

3 SkipPathRequestMatcher

public class SkipPathRequestMatcher implements RequestMatcher {

    private OrRequestMatcher matchers;

    private RequestMatcher processingMatcher;

    public SkipPathRequestMatcher(@NotEmpty List<String> pathsToSkip, String processingPath) {

        List<RequestMatcher> m = pathsToSkip.stream().map(AntPathRequestMatcher::new).collect(Collectors.toList());

        matchers = new OrRequestMatcher(m);

        processingMatcher = new AntPathRequestMatcher(processingPath);

    }

    @Override

    public boolean matches(HttpServletRequest request) {

        return !matchers.matches(request) && processingMatcher.matches(request);

    }

}

WebSecurityConfig 类中定义SkipPathRequestMatcher

   public static final String TOKEN_BASED_ENTRY_POINT = "/limit/**";

    public static final String TOKEN_AUTH_ENTRY_POINT = "/auth/**";

    public static final String TOKEN_LOGIN_ENTRY_POINT = "/login/**";

    public static final String TOKEN_OPEN_ENTRY_POINT = "/open/**";

    //路径匹配器,跳过/auth/**类请求,验证/limit/**类请求

    @Bean

    public SkipPathRequestMatcher skipPathRequestMatcher() {

        List<String> pathsToSkip = Collections.singletonList(TOKEN_AUTH_ENTRY_POINT);

        return new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_ENTRY_POINT);

    }

    //JwtAuthenticationTokenFilter设置路径匹配器

    @Bean

    public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter() {

        return new JwtAuthenticationTokenFilter(skipPathRequestMatcher());

    }

Spring Security 访问控制 源码解析的更多相关文章

  1. Spring Security 解析(七) —— Spring Security Oauth2 源码解析

    Spring Security 解析(七) -- Spring Security Oauth2 源码解析   在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因 ...

  2. spring security 认证源码跟踪

    spring security 认证源码跟踪 ​ 在跟踪认证源码之前,我们先根据官网说明一下security的内部原理,主要是依据一系列的filter来实现,大家可以根据https://docs.sp ...

  3. spring boot @Value源码解析

    Spring boot 的@Value只能用于bean中,在bean的实例化时,会给@Value的属性赋值:如下面的例子: @SpringBootApplication @Slf4j public c ...

  4. Feign 系列(05)Spring Cloud OpenFeign 源码解析

    Feign 系列(05)Spring Cloud OpenFeign 源码解析 [TOC] Spring Cloud 系列目录(https://www.cnblogs.com/binarylei/p/ ...

  5. 异步任务spring @Async注解源码解析

    1.引子 开启异步任务使用方法: 1).方法上加@Async注解 2).启动类或者配置类上@EnableAsync 2.源码解析 虽然spring5已经出来了,但是我们还是使用的spring4,本文就 ...

  6. Spring @Import注解源码解析

    简介 Spring 3.0之前,创建Bean可以通过xml配置文件与扫描特定包下面的类来将类注入到Spring IOC容器内.而在Spring 3.0之后提供了JavaConfig的方式,也就是将IO ...

  7. spring security 实践 + 源码分析

    前言 本文将从示例.原理.应用3个方面介绍 spring data jpa. 以下分析基于spring boot 2.0 + spring 5.0.4版本源码 概述 Spring Security 是 ...

  8. 社交媒体登录Spring Social的源码解析

    在上一篇文章中我们给大家介绍了OAuth2授权标准,并且着重介绍了OAuth2的授权码认证模式.目前绝大多数的社交媒体平台,都是通过OAuth2授权码认证模式对外开放接口(登录认证及用户信息接口等). ...

  9. api网关揭秘--spring cloud gateway源码解析

    要想了解spring cloud gateway的源码,要熟悉spring webflux,我的上篇文章介绍了spring webflux. 1.gateway 和zuul对比 I am the au ...

随机推荐

  1. HTML5之webSocket使用

    webSocket是什么 webSocket是HTML5新出的一种协议,底层是基于TCP/IP协议的.跟http没有关系,只是复用了http握手通道,用来升级协议. webSocket的作用 轮询:客 ...

  2. Android Studio工程项目打包成SDK(jar或aar格式)

    Android工程项目打包成SDK 在app的gradle下进行设置: (1)将apply plugin: ‘com.android.application’ 改为apply plugin: ‘com ...

  3. 深入理解Git的实现原理

      0.导读   本文适合对git有过接触,但知其然不知其所以然的小伙伴,也适合想要学习git的初学者,通过这篇文章,能让大家对git有豁然开朗的感觉.在写作过程中,我力求通俗易懂,深入浅出,不堆砌概 ...

  4. Pycharm安装并配置jupyter notebook

    Pycharm安装并配置jupyter notebook Pycharm安装并配置jupyter notebook 一: 安装命令jupyter: pip install jupyter 如果缺少依赖 ...

  5. win7下怎么安装IIS

    工具/原料 win7旗舰版系统 笔记本一台 WIN7下怎么安装iis教程: 点击开始→控制面板,然后再点击程序和功能,勿点击卸载程序,否则到不了目标系统界面. 然后在程序和功能下面,点击打开和关闭wi ...

  6. July 11th, 2018. Wednesday, Week 28th.

    It is during our darkest moments that we must focus to see the light. 越是在艰难的时候就越要着眼于光明. From Aristol ...

  7. 前端/C# 前后台交互文件上传、下载

    试了很多方式,最终确认这个全面简单版的.废话不多说,贴码. 文件上传 input的type命名为file,即可实现文件上传.嗯~~~现在html还是很强大的.Good! 前端 单个文件上传 Html: ...

  8. 安装sql server2017出现错误:Visual Studio 运行时"Microsoft visual c++2017 X64 Minimum Runtime - 14.10.25008"需要修复

    安装sql server 2017 Developer Edition时,安装选择“基本”,发生如下错误: 解决方法: 1.进入控制面板→程序中,找到“Microsoft visual c++2017 ...

  9. 安装Cnario Player 3.8.1.156或其他版本时提示"Warning 4154. Adobe Flash Player 13 ...not correctly installed"

    错误提示 安装Cnario Player 3.8.1.156或其他版本时, 有时会出现如下提示: Warning 4154. Adobe Flash Player 13 ...not correctl ...

  10. 使用py,根据日志记录自动生成周报

    日志格式如下,思路是如果检测到文件中的内容为5位或者8位,即12.11或18.12.11,同时存在.即认为当前行为日期数据仅作为方便查看日志使用,生成脚本时过滤此行.每次读取到空白行的时候则认为下一条 ...