目录

导入依赖

添加配置类

实现UserDetailsService

实现UserDetails

JWT工具类 

登录接口

自定义token过滤器

SpringContextUtils工具类

添加自定义token验证过滤器

自定义用户未登录的处理

自定义用户权限不足的处理

添加自定义处理器

静态资源放行

总结

        网上能找到的SpringBoot项目一般都是SpringBoot2 + SpringSecurity5，甚至是SSM的项目。这些老版本的教程很多已经不适用了，对于现在大部分的初学者来说，学了可能也是经典白雪。我还是不愿学那些老版本的东西，所以自己摸索了一下新版的SpringBoot项目应该怎么写。学习的过程也是非常折磨人的，看了很多的教程才知道个大概。

• 导入依赖

  SpringSecurity依赖

  
  
      org.springframework.boot
      spring-boot-starter-security
  

  JWT依赖

  
  
      io.jsonwebtoken
      jjwt
      0.9.1
  

  • 添加配置类

    对Security进行配置，Security中很多的默认配置都可以用自定义的替换。

    import lombok.RequiredArgsConstructor;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.web.SecurityFilterChain;
    /**
     * @Description: SpringSecurity配置类
     * @Author: 翰戈.summer
     * @Date: 2023/11/17
     * @Param:
     * @Return:
     */
    @Configuration
    @EnableWebSecurity
    @RequiredArgsConstructor
    public class SecurityConfig {
        private final UserDetailsService userDetailsService;
        /**
         * 加载用户信息
         */
        @Bean
        public UserDetailsService userDetailsService() {
            return userDetailsService;
        }
        /**
         * 密码编码器
         */
        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
        /**
         * 身份验证管理器
         */
        @Bean
        public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
            return configuration.getAuthenticationManager();
        }
        /**
         * 处理身份验证
         */
        @Bean
        public AuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
            daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
            daoAuthenticationProvider.setUserDetailsService(userDetailsService);
            return daoAuthenticationProvider;
        }
        /**
         * @Description: 配置SecurityFilterChain过滤器链
         * @Author: 翰戈.summer
         * @Date: 2023/11/17
         * @Param: HttpSecurity
         * @Return: SecurityFilterChain
         */
        @Bean
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
                    .requestMatchers(HttpMethod.POST, "/api/user/login").permitAll() //登录放行
                    .anyRequest().authenticated()
            );
            httpSecurity.authenticationProvider(authenticationProvider());
            //禁用登录页面
            httpSecurity.formLogin(AbstractHttpConfigurer::disable);
            //禁用登出页面
            httpSecurity.logout(AbstractHttpConfigurer::disable);
            //禁用session
            httpSecurity.sessionManagement(AbstractHttpConfigurer::disable);
            //禁用httpBasic
            httpSecurity.httpBasic(AbstractHttpConfigurer::disable);
            //禁用csrf保护
            httpSecurity.csrf(AbstractHttpConfigurer::disable);
            return httpSecurity.build();
        }
    }

    • 实现UserDetailsService

      其中UserMapper、AuthorityMapper需要自己创建，不是重点。这两个Mapper的作用是获取用户信息（用户名、密码、用户权限），封装到User中返回给Security。

      import com.demo.mapper.AuthorityMapper;
      import com.demo.mapper.UserMapper;
      import com.demo.pojo.AuthorityEntity;
      import com.demo.pojo.UserEntity;
      import lombok.RequiredArgsConstructor;
      import org.springframework.security.core.authority.AuthorityUtils;
      import org.springframework.security.core.userdetails.User;
      import org.springframework.security.core.userdetails.UserDetails;
      import org.springframework.security.core.userdetails.UserDetailsService;
      import org.springframework.security.core.userdetails.UsernameNotFoundException;
      import org.springframework.stereotype.Service;
      import java.util.List;
      import java.util.StringJoiner;
      /**
       * @Description: 用户登录
       * @Author: 翰戈.summer
       * @Date: 2023/11/16
       * @Param:
       * @Return:
       */
      @Service
      @RequiredArgsConstructor
      public class UserLoginDetailsServiceImpl implements UserDetailsService {
          private final UserMapper userMapper;
          private final AuthorityMapper authorityMapper;
          @Override
          public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
              UserEntity userEntity = userMapper.selectUserByUsername(username);
              List authorities = authorityMapper.selectAuthorityByUsername(username);
              StringJoiner stringJoiner = new StringJoiner(",", "", "");
              authorities.forEach(authority -> stringJoiner.add(authority.getAuthorityName()));
              return new User(userEntity.getUsername(), userEntity.getPassword(),
                      AuthorityUtils.commaSeparatedStringToAuthorityList(stringJoiner.toString())
              );
          }
      }

      • 实现UserDetails

        登录操作会用到UserDetails，用于获取用户名和权限。

        import lombok.AllArgsConstructor;
        import lombok.NoArgsConstructor;
        import org.springframework.security.core.GrantedAuthority;
        import org.springframework.security.core.userdetails.UserDetails;
        import java.util.Collection;
        /**
         * @Description: SpringSecurity用户实体类
         * @Author: 翰戈.summer
         * @Date: 2023/11/18
         * @Param:
         * @Return:
         */
        @NoArgsConstructor
        @AllArgsConstructor
        public class UserDetailsEntity implements UserDetails {
            private String username;
            private String password;
            private Collection authorities;
            @Override
            public Collection getAuthorities() {
                return authorities;
            }
            @Override
            public String getPassword() {
                return password;
            }
            @Override
            public String getUsername() {
                return username;
            }
            @Override
            public boolean isAccountNonExpired() {
                return true;
            }
            @Override
            public boolean isAccountNonLocked() {
                return true;
            }
            @Override
            public boolean isCredentialsNonExpired() {
                return true;
            }
            @Override
            public boolean isEnabled() {
                return true;
            }
            @Override
            public String toString() {
                return "UserDetailsEntity{" +
                        "username='" + username + '\'' +
                        ", password='" + password + '\'' +
                        ", authorities=" + authorities +
                        '}';
            }
        }

        • JWT工具类 

          生成 jwt令牌 或解析，其中的JwtProperties（jwt令牌配置属性类）可以自己创建，不是重点。

          import io.jsonwebtoken.Claims;
          import io.jsonwebtoken.Jwts;
          import io.jsonwebtoken.SignatureAlgorithm;
          import lombok.RequiredArgsConstructor;
          import org.springframework.stereotype.Component;
          import java.util.Date;
          import java.util.Map;
          /**
           * @Description: 生成和解析jwt令牌
           * @Author: 翰戈.summer
           * @Date: 2023/11/16
           * @Param:
           * @Return:
           */
          @Component
          @RequiredArgsConstructor
          public class JwtUtils {
              private final JwtProperties jwtProperties;
              /**
               * @Description: 生成令牌
               * @Author: 翰戈.summer
               * @Date: 2023/11/16
               * @Param: Map
               * @Return: String jwt
               */
              public String getJwt(Map claims) {
                  String signingKey = jwtProperties.getSigningKey();
                  Long expire = jwtProperties.getExpire();
                  return Jwts.builder()
                          .setClaims(claims) //设置载荷内容
                          .signWith(SignatureAlgorithm.HS256, signingKey) //设置签名算法
                          .setExpiration(new Date(System.currentTimeMillis() + expire)) //设置有效时间
                          .compact();
              }
              /**
               * @Description: 解析令牌
               * @Author: 翰戈.summer
               * @Date: 2023/11/16
               * @Param: String jwt
               * @Return: Claims claims
               */
              public Claims parseJwt(String jwt) {
                  String signingKey = jwtProperties.getSigningKey();
                  return Jwts.parser()
                          .setSigningKey(signingKey) //指定签名密钥
                          .parseClaimsJws(jwt) //开始解析令牌
                          .getBody();
              }
          }

          • 登录接口

            用户登录成功并返回 jwt令牌，Result为统一响应的结果，UserLoginDTO用于封装用户登录信息，其中的UserDetails必须实现后才能获取到用户信息。

            import lombok.RequiredArgsConstructor;
            import org.springframework.security.authentication.AuthenticationManager;
            import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
            import org.springframework.security.core.Authentication;
            import org.springframework.security.core.GrantedAuthority;
            import org.springframework.security.core.context.SecurityContextHolder;
            import org.springframework.security.core.userdetails.UserDetails;
            import org.springframework.web.bind.annotation.PostMapping;
            import org.springframework.web.bind.annotation.RequestBody;
            import org.springframework.web.bind.annotation.RequestMapping;
            import org.springframework.web.bind.annotation.RestController;
            import java.util.Collection;
            import java.util.HashMap;
            import java.util.Map;
            /**
             * @Description: 用户登录操作相关接口
             * @Author: 翰戈.summer
             * @Date: 2023/11/20
             * @Param:
             * @Return:
             */
            @RestController
            @RequestMapping("/api/user/login")
            @RequiredArgsConstructor
            public class UserLoginController {
                private final AuthenticationManager authenticationManager;
                private final JwtUtils jwtUtils;
                @PostMapping
                public Result doLogin(@RequestBody UserLoginDTO userLoginDTO) {
                    try {
                        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userLoginDTO.getUsername(), userLoginDTO.getPassword());
                        Authentication authentication = authenticationManager.authenticate(auth);
                        SecurityContextHolder.getContext().setAuthentication(authentication);
                        UserDetails userDetails = (UserDetails) authentication.getPrincipal();
                        //获取用户权限信息
                        String authorityString = "";
                        Collection authorities = userDetails.getAuthorities();
                        for (GrantedAuthority authority : authorities) {
                            authorityString = authority.getAuthority();
                        }
                        //用户身份验证成功，生成并返回jwt令牌
                        Map claims = new HashMap<>();
                        claims.put("username", userDetails.getUsername());
                        claims.put("authorityString", authorityString);
                        String jwtToken = jwtUtils.getJwt(claims);
                        return Result.success(jwtToken);
                    } catch (Exception ex) {
                        //用户身份验证失败，返回登陆失败提示
                        return Result.error("用户名或密码错误！");
                    }
                }
            }

            • 自定义token过滤器

              过滤器中抛出的异常是不会被全局异常处理器捕获到的，直接返回错误结果。这里用到了SpringContextUtils通过上下文来获取Bean组件，下面会提供。

              过滤器属于Servlet（作用范围更大），拦截器属于SpringMVC（作用范围较小），全局异常处理器只能捕获到拦截器中的异常。在过滤器中无法初始化Bean组件，可以通过上下文来获取。

              import com.fasterxml.jackson.databind.ObjectMapper;
              import io.jsonwebtoken.Claims;
              import jakarta.servlet.FilterChain;
              import jakarta.servlet.http.HttpServletRequest;
              import jakarta.servlet.http.HttpServletResponse;
              import org.springframework.security.authentication.AuthenticationManager;
              import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
              import org.springframework.security.core.Authentication;
              import org.springframework.security.core.authority.SimpleGrantedAuthority;
              import org.springframework.security.core.context.SecurityContextHolder;
              import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
              import org.springframework.util.StringUtils;
              import java.io.IOException;
              import java.util.Collections;
              /**
               * @Description: 自定义token验证过滤器，验证成功后将用户信息放入SecurityContext上下文
               * @Author: 翰戈.summer
               * @Date: 2023/11/18
               * @Param:
               * @Return:
               */
              public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
                  public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
                      super(authenticationManager);
                  }
                  @Override
                  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
                      try {
                          //获取请求头中的token
                          String jwtToken = request.getHeader("token");
                          if (!StringUtils.hasLength(jwtToken)) {
                              //token不存在，交给其他过滤器处理
                              filterChain.doFilter(request, response);
                              return; //结束方法
                          }
                          //过滤器中无法初始化Bean组件，使用上下文获取
                          JwtUtils jwtUtils = SpringContextUtils.getBean("jwtUtils");
                          if (jwtUtils == null) {
                              throw new RuntimeException();
                          }
                          //解析jwt令牌
                          Claims claims;
                          try {
                              claims = jwtUtils.parseJwt(jwtToken);
                          } catch (Exception ex) {
                              throw new RuntimeException();
                          }
                          //获取用户信息
                          String username = (String) claims.get("username"); //用户名
                          String authorityString = (String) claims.get("authorityString"); //权限信息
                          Authentication authentication = new UsernamePasswordAuthenticationToken(
                                  username, null,
                                  Collections.singleton(new SimpleGrantedAuthority(authorityString))
                          );
                          //将用户信息放入SecurityContext上下文
                          SecurityContextHolder.getContext().setAuthentication(authentication);
                          filterChain.doFilter(request, response);
                      } catch (Exception ex) {
                          //过滤器中抛出的异常无法被全局异常处理器捕获，直接返回错误结果
                          response.setCharacterEncoding("utf-8");
                          response.setContentType("application/json; charset=utf-8");
                          String value = new ObjectMapper().writeValueAsString(Result.error("用户未登录！"));
                          response.getWriter().write(value);
                      }
                  }
              }

              • SpringContextUtils工具类

                import jakarta.annotation.Nonnull;
                import org.springframework.beans.BeansException;
                import org.springframework.context.ApplicationContext;
                import org.springframework.context.ApplicationContextAware;
                import org.springframework.stereotype.Component;
                /**
                 * @Description: 用于创建上下文，实现ApplicationContextAware接口
                 * @Author: 翰戈.summer
                 * @Date: 2023/11/17
                 * @Param:
                 * @Return:
                 */
                @Component
                public class SpringContextUtils implements ApplicationContextAware {
                    private static ApplicationContext applicationContext;
                    public static ApplicationContext getApplicationContext() {
                        return applicationContext;
                    }
                    @Override
                    public void setApplicationContext(@Nonnull ApplicationContext applicationContext) throws BeansException {
                        SpringContextUtils.applicationContext = applicationContext;
                    }
                    @SuppressWarnings("unchecked")
                    public static  T getBean(String name) throws BeansException {
                        if (applicationContext == null) {
                            return null;
                        }
                        return (T) applicationContext.getBean(name);
                    }
                }

                • 添加自定义token验证过滤器

                  将自定义token验证过滤器，添加到UsernamePasswordAuthenticationFilter前面。

                  UsernamePasswordAuthenticationFilter实现了基于用户名和密码的认证逻辑，我们利用token进行身份验证，所以用不到这个过滤器。

                      /**
                       * @Description: 配置SecurityFilterChain过滤器链
                       * @Author: 翰戈.summer
                       * @Date: 2023/11/17
                       * @Param: HttpSecurity
                       * @Return: SecurityFilterChain
                       */
                      @Bean
                      public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
                          httpSecurity.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
                                  .requestMatchers(HttpMethod.POST, "/api/user/login").permitAll() //登录放行
                                  .anyRequest().authenticated()
                          );
                          httpSecurity.authenticationProvider(authenticationProvider());
                          //禁用登录页面
                          httpSecurity.formLogin(AbstractHttpConfigurer::disable);
                          //禁用登出页面
                          httpSecurity.logout(AbstractHttpConfigurer::disable);
                          //禁用session
                          httpSecurity.sessionManagement(AbstractHttpConfigurer::disable);
                          //禁用httpBasic
                          httpSecurity.httpBasic(AbstractHttpConfigurer::disable);
                          //禁用csrf保护
                          httpSecurity.csrf(AbstractHttpConfigurer::disable);
                          //通过上下文获取AuthenticationManager
                          AuthenticationManager authenticationManager = SpringContextUtils.getBean("authenticationManager");
                          //添加自定义token验证过滤器
                          httpSecurity.addFilterBefore(new JwtAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
                          return httpSecurity.build();
                      }

                  • 自定义用户未登录的处理

                    用户请求未携带token的处理，替换AuthenticationEntryPoint

                    import com.fasterxml.jackson.databind.ObjectMapper;
                    import jakarta.servlet.http.HttpServletRequest;
                    import jakarta.servlet.http.HttpServletResponse;
                    import org.springframework.security.core.AuthenticationException;
                    import org.springframework.security.web.AuthenticationEntryPoint;
                    import org.springframework.stereotype.Component;
                    import java.io.IOException;
                    /**
                     * @Description: 自定义用户未登录的处理（未携带token）
                     * @Author: 翰戈.summer
                     * @Date: 2023/11/19
                     * @Param:
                     * @Return:
                     */
                    @Component
                    public class AuthEntryPointHandler implements AuthenticationEntryPoint {
                        @Override
                        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
                            response.setCharacterEncoding("utf-8");
                            response.setContentType("application/json; charset=utf-8");
                            String value = new ObjectMapper().writeValueAsString(Result.error("未携带token！"));
                            response.getWriter().write(value);
                        }
                    }

                    • 自定义用户权限不足的处理

                      用户权限不足的处理，替换AccessDeniedHandler

                      import com.fasterxml.jackson.databind.ObjectMapper;
                      import jakarta.servlet.http.HttpServletRequest;
                      import jakarta.servlet.http.HttpServletResponse;
                      import org.springframework.security.access.AccessDeniedException;
                      import org.springframework.security.web.access.AccessDeniedHandler;
                      import org.springframework.stereotype.Component;
                      import java.io.IOException;
                      /**
                       * @Description: 自定义用户权限不足的处理
                       * @Author: 翰戈.summer
                       * @Date: 2023/11/19
                       * @Param:
                       * @Return:
                       */
                      @Component
                      public class AuthAccessDeniedHandler implements AccessDeniedHandler {
                          @Override
                          public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
                              response.setCharacterEncoding("utf-8");
                              response.setContentType("application/json; charset=utf-8");
                              String value = new ObjectMapper().writeValueAsString(Result.error("权限不足！"));
                              response.getWriter().write(value);
                          }
                      }

                      • 添加自定义处理器

                        修改 SecurityConfig 配置类，注入 AuthAccessDeniedHandler 和 AuthEntryPointHandler

                            /**
                             * @Description: 配置SecurityFilterChain过滤器链
                             * @Author: 翰戈.summer
                             * @Date: 2023/11/17
                             * @Param: HttpSecurity
                             * @Return: SecurityFilterChain
                             */
                            @Bean
                            public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
                                httpSecurity.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
                                        .requestMatchers(HttpMethod.POST, "/api/user/login").permitAll() //登录放行
                                        .anyRequest().authenticated()
                                );
                                httpSecurity.authenticationProvider(authenticationProvider());
                                //禁用登录页面
                                httpSecurity.formLogin(AbstractHttpConfigurer::disable);
                                //禁用登出页面
                                httpSecurity.logout(AbstractHttpConfigurer::disable);
                                //禁用session
                                httpSecurity.sessionManagement(AbstractHttpConfigurer::disable);
                                //禁用httpBasic
                                httpSecurity.httpBasic(AbstractHttpConfigurer::disable);
                                //禁用csrf保护
                                httpSecurity.csrf(AbstractHttpConfigurer::disable);
                                //通过上下文获取AuthenticationManager
                                AuthenticationManager authenticationManager = SpringContextUtils.getBean("authenticationManager");
                                //添加自定义token验证过滤器
                                httpSecurity.addFilterBefore(new JwtAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
                                //自定义处理器
                                httpSecurity.exceptionHandling(exceptionHandling -> exceptionHandling
                                        .accessDeniedHandler(authAccessDeniedHandler) //处理用户权限不足
                                        .authenticationEntryPoint(authEntryPointHandler) //处理用户未登录（未携带token）
                                );
                                return httpSecurity.build();
                            }

                        • 静态资源放行

                          SpringBoot3 中使用 Swagger3 接口文档，在整合了 SpringSecurity 后会出现无法访问的情况，需要给静态资源放行。

                          在 SecurityConfig 中添加

                              /**
                               * 静态资源放行
                               */
                              @Bean
                              public WebSecurityCustomizer webSecurityCustomizer() {
                                  return (web) -> web.ignoring().requestMatchers(
                                          "/doc.html",
                                          "/doc.html/**",
                                          "/v3/api-docs",
                                          "/v3/api-docs/**",
                                          "/webjars/**",
                                          "/authenticate",
                                          "/swagger-ui.html/**",
                                          "/swagger-resources",
                                          "/swagger-resources/**"
                                  );
                              }

                          • 总结

                            SpringSecurity6 的用法和以前版本的有较大差别，比如WebSecurityConfigurerAdapter的废除，看到配置类继承了这个的都是过时的教程。因为不再继承，所以不能通过重写方法的方式去配置。另外很多配置的方式都变成使用Lambda表达式，或者是方法引用。

                             创作不易，如果对你有帮助的话就点个赞鼓励一下吧 (人 •͈ᴗ•͈) (୨୧•͈ᴗ•͈)◞ᵗʱᵃᵑᵏઽ*♡

                             
                             免费开通网站  西部数码域名备案  黄山风景区门票官网  开发一个网页需要多少钱  云南网站建设公司哪家好  企业网页制作步骤