2021年奉上我最喜歡的一句話：愿你孤獨(dú)的努力都有回報(bào)，愿你前行的路上有人陪伴。加油😁！

項(xiàng)目下載：https://download.csdn.net/download/Kevinnsm/16751962

文章目錄

• 一、springsecuriyt基礎(chǔ)
• 二、jwt
• • Ⅰ、jwt是什么
  • Ⅱ、為什么要使用jwt
  • • 2.1、什么是有狀態(tài)
    • 2.2、什么是無狀態(tài)
  • Ⅲ、jwt的組成
• 三、springboot+springsecurity+mybatis+jwt實(shí)現(xiàn)單點(diǎn)登錄
• • Ⅰ、核心流程分析
  • Ⅱ、具體代碼實(shí)現(xiàn)及其分析
  • • 1.JwtTokenUtil
    • 2.統(tǒng)一結(jié)果返回封裝類
    • 3、handler處理類
    • • 3.1、AjaxAccessDeniedHandler權(quán)限不足處理類
      • 3.2、AjaxAuthenticationEntryPoint匿名無權(quán)限處理類
      • 3.3、AjaxAuthenticationFailureHandler認(rèn)證失敗處理類
      • 3.4、AjaxAuthenticationSuccessHandler認(rèn)證成功處理類
      • 3.5、AjaxLogoutSuccessHandler退出成功處理類
    • 4、AuthenticationFilter（token的驗(yàn)證類）
    • 5、SecurityConfig配置類
    • 6、自定義異常處理類
    • • 6.1、RegisterFailureException注冊(cè)失敗異常處理類
      • 6.2、RegisterUsernameHasBeenExists注冊(cè)時(shí)用戶名已經(jīng)存在異常處理類
      • 6.3、Controller層全局異常處理類
    • 7、controller，service，mapper，entity，mapper.xml編寫
    • • 7.1、controller
      • 7.2、service
      • 7.4、mapper
      • 7.5、mapper.xml
      • 7.6、entity
    • 8、application.yml
    • 9、html測(cè)試

---

一、springsecuriyt基礎(chǔ)

1、spring security安全框架入門篇：blog.csdn.net/Kevinnsm/article/details/11

2、springsecurity之用戶認(rèn)證：blog.csdn.net/Kevinnsm/article/details/12

3、springsecurity之用戶授權(quán)：blog.csdn.net/Kevinnsm/article/details/13

4、spring security實(shí)現(xiàn)登錄和注銷：blog.csdn.net/Kevinnsm/article/details/14

5、springsecurity出現(xiàn)重定向次數(shù)過多：blog.csdn.net/Kevinnsm/article/details/15

6、手把手帶你擼一把springsecurity框架源碼中的認(rèn)證流程：blog.csdn.net/Kevinnsm/article/details/16

---

二、jwt

Ⅰ、jwt是什么

JWT，全稱是Json Web Token， 是JSON風(fēng)格輕量級(jí)的授權(quán)和身份認(rèn)證規(guī)范，可實(shí)現(xiàn)無狀態(tài)、分布式的Web應(yīng)用授權(quán)。

Ⅱ、為什么要使用jwt

互聯(lián)網(wǎng)認(rèn)證方式由兩種：無狀態(tài)和有狀態(tài)

2.1、什么是有狀態(tài)

即服務(wù)端需要記錄每次會(huì)話的客戶端信息，典型的如session

有狀態(tài)流程

1.當(dāng)用戶登錄后，客戶端會(huì)保存該用戶的信息到服務(wù)端的session中，然后返回一個(gè)sessionId，將其保存到客戶端的Cookie中

2.當(dāng)下次用戶訪問時(shí)攜帶者Cokkie值，這樣服務(wù)端就能識(shí)別對(duì)應(yīng)的session

缺點(diǎn)

1.服務(wù)端保存大量用戶狀態(tài)信息，增大了服務(wù)端的壓力
2.服務(wù)端保存用戶狀態(tài)信息，無法進(jìn)行水平擴(kuò)展（用戶狀態(tài)信息只保存在這一個(gè)服務(wù)器中，訪問其他服務(wù)器還需要重新登錄認(rèn)證）

簡(jiǎn)單了說有狀態(tài)就是服務(wù)端需要保存用戶狀態(tài)信息

2.2、什么是無狀態(tài)

服務(wù)端不需要保存任何客戶端的用戶狀態(tài)信息
我是劉松林的而

無狀態(tài)流程

1.用戶第一次訪問時(shí)，服務(wù)端要求用戶進(jìn)行身份認(rèn)證（登錄）
2.用戶認(rèn)證成功后，服務(wù)端返回一個(gè)token，返回給客戶端作為令牌
3.當(dāng)用戶再次訪問時(shí)需要攜帶該token(令牌)，服務(wù)端對(duì)令牌進(jìn)行解密判斷

優(yōu)點(diǎn)

1.減少了服務(wù)端的壓力
2.服務(wù)端可以進(jìn)行任意的伸縮
3.用戶登錄后可以向多個(gè)服務(wù)器進(jìn)行訪問而不用進(jìn)行二次登錄

當(dāng)然無狀態(tài)最重要的就是保證token的安全性

Ⅲ、jwt的組成

Jwt由三部分組成

1、header

header由兩部分組成

1、聲明類型：這里是jwt
2、簽名算法：比如SHA256、SHA512等

header經(jīng)過base64編碼之后就形成了jwt第一部分

2、Payload（載荷）

payload是JWT的主體內(nèi)容部分，也是一個(gè)JSON對(duì)象，包含需要傳遞的數(shù)據(jù)

iss：發(fā)行人
exp：到期時(shí)間
sub：主題
…

經(jīng)過base64編碼之后形成了jwt的第二部分

3、Signature（簽名）

一般根據(jù)前兩步的數(shù)據(jù)，再加上服務(wù)的的密鑰（secret），通過header里面聲明的加密算法生成jwt的第三部分。

secret是服務(wù)端用來進(jìn)行jwt的簽發(fā)和校驗(yàn)，所以說secret非常重要，任何時(shí)候都不應(yīng)該泄露jwt，一旦jwt泄露，意味著惡意用戶可以自我簽發(fā)jwt了。

三、springboot+springsecurity+mybatis+jwt實(shí)現(xiàn)單點(diǎn)登錄

Ⅰ、核心流程分析

如果使用springsecurity進(jìn)行過認(rèn)證操作，那么這下面將會(huì)對(duì)你來說很簡(jiǎn)單

1、根據(jù)前述的無狀態(tài)概念，當(dāng)用戶登錄成功后，我們需要在服務(wù)端進(jìn)行token的生成（當(dāng)然這里是使用jwt生成token)；然后當(dāng)用戶進(jìn)行再次訪問時(shí)，我們需要對(duì)token進(jìn)行解析、判斷等；所以我們可以將token的創(chuàng)建、解析、判斷等封裝到一個(gè)工具類JwtTokenUtil中。

2、我們還需要自定義一個(gè)AuthenticationFilter過濾器用來攔截請(qǐng)求；判斷請(qǐng)求中是否攜帶token，如果攜帶了token，那就進(jìn)行解析判斷；如果沒有token，則可能是首次登錄，所以可以放行，交給springsecurity進(jìn)行認(rèn)證（也就是交給UsernamePasswordAuthenticationFilter過濾器）

3、第二步中有一個(gè)關(guān)鍵點(diǎn)，我們自定義的AuthenticationFilter過濾器應(yīng)該加到哪個(gè)地方，我們都知道springsecurity本質(zhì)上是一串過濾器鏈，將請(qǐng)求進(jìn)行層層攔截、判斷、放行或者不放行。根據(jù)第二步的分析我們可以將AuthenticationFilter過濾器加入到UsernamePasswordAuthenticationFilter過濾器前面，這樣一來第二步就行很清晰了。

其他就類似于springsecurity進(jìn)行認(rèn)證和授權(quán)的步驟了

Ⅱ、具體代碼實(shí)現(xiàn)及其分析

1.JwtTokenUtil

package com.jwt.utils;import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jws; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm;import java.util.Date; import java.util.HashMap; import java.util.Map;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/13* @description:*/ public class JwtTokenUtils {/*** 請(qǐng)求頭*/private static final String TOKEN_HEADER = "Authorization";/*** TOKEN 前綴*/public static final String TOKEN_PREFIX = "Bearer";/*** 私鑰*/private static final String TOKEN_SECRET = "secret";/*** 令牌過期時(shí)間 : one day*/private static final long TOKEN_EXPIRATION = 1000 * 60 * 60 * 24;/*** 角色權(quán)限定義*/private static final String ROLE_CLAIMS = "role";/*** 創(chuàng)建令牌** @param username* @param role*/public static String createToken(String username, String role) {Map<String, Object> map = new HashMap<>();map.put(ROLE_CLAIMS, role);return Jwts.builder().setClaims(map).setSubject(username).claim("username", username).setIssuedAt(new Date()).setExpiration(new Date(System.currentTimeMillis() + TOKEN_EXPIRATION)).signWith(SignatureAlgorithm.HS256, TOKEN_SECRET).compact();}/*** 獲取解析后的token信息* @param token* @return*/public static Claims getTokenBody(String token) {return parseToken(token).getBody();}/*** 檢查token是否存在* @param token* @return*/public static Claims checkToken(String token) {try {Claims claims = getTokenBody(token);return claims;} catch (Exception e) {return null;}}/*** 判斷令牌是否過期* @param token 令牌* @return boolean* @describe getExpiration()獲取令牌過期時(shí)間*/public static boolean isExpiration(String token) {return getTokenBody(token).getExpiration().before(new Date());}/*** 解析令牌* @param token* @return*/public static Jws<Claims> parseToken(String token) {return Jwts.parser().setSigningKey(TOKEN_SECRET).parseClaimsJws(token);}/*** 解析token，獲取用戶名*/public static String parseTokenToUsername(String token) {String username = getTokenBody(token).getSubject();return username;} }

2.統(tǒng)一結(jié)果返回封裝類

使用泛型，因?yàn)樵趯?shí)際的場(chǎng)景中可能由多種不同的數(shù)據(jù)要進(jìn)行返回

package com.jwt.utils;import lombok.Data;import java.io.Serializable;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/12* @description:*/ @Data public class ResponseBody<T> implements Serializable {private Integer code;private String msg;private T data;public ResponseBody(Integer code, String msg) {this.code = code;this.msg = msg;}public ResponseBody(Integer code, String msg, T data) {this.code = code;this.msg = msg;this.data = data;} }

3、handler處理類

這些處理類將在SecurityConfig配置類中進(jìn)行配置，所以需要先將每個(gè)handler處理類放到spring容器中====》@Component注解

3.1、AjaxAccessDeniedHandler權(quán)限不足處理類

package com.jwt.handler;import com.alibaba.fastjson.JSON; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/12* @description: 權(quán)限不足處理類*/ @Component public class AjaxAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {response.setStatus(HttpServletResponse.SC_FORBIDDEN);response.getWriter().write(JSON.toJSONString("權(quán)限不足"));} }

3.2、AjaxAuthenticationEntryPoint匿名無權(quán)限處理類

當(dāng)用戶匿名訪問資源時(shí)（即不登陸去訪問資源），會(huì)跳轉(zhuǎn)到登錄頁(yè)面

package com.jwt.handler;import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description: 匿名未認(rèn)證登錄處理類*/ @Component public class AjaxAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {response.setContentType("application/json;charset=utf-8");request.getRequestDispatcher("/login.html").forward(request,response);} }

3.3、AjaxAuthenticationFailureHandler認(rèn)證失敗處理類

當(dāng)用戶登錄失敗時(shí)，會(huì)拋出相應(yīng)的異常，然后交給該類進(jìn)行判斷是哪一種異常。

package com.jwt.handler;import com.alibaba.fastjson.JSON; import lombok.extern.slf4j.Slf4j; import org.springframework.security.authentication.*; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/11* @description: 認(rèn)證失敗Handler處理類*/ @Slf4j //日志 @Component public class AjaxAuthenticationFailureHandler implements AuthenticationFailureHandler {private String url;public AjaxAuthenticationFailureHandler(){}public AjaxAuthenticationFailureHandler(String url) {this.url = url;}@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {String failData = "";if (exception instanceof AccountExpiredException) {failData = "賬號(hào)過期";} else if (exception instanceof UsernameNotFoundException) {failData = "賬號(hào)不存在";} else if (exception instanceof CredentialsExpiredException) {failData = "密碼過期";} else if (exception instanceof DisabledException) {failData = "賬號(hào)不可用";} else if (exception instanceof LockedException) {failData = "賬號(hào)鎖定";} else if (exception instanceof BadCredentialsException) {failData = "密碼錯(cuò)誤";} else {failData = "未知異常";}log.info("認(rèn)證失敗,"+failData);//設(shè)置編碼格式，否則中文會(huì)亂碼response.setCharacterEncoding("utf-8);response.setContentType("application/json;charset=utf-8");//返回統(tǒng)一數(shù)據(jù)response.getWriter().write(JSON.toJSONString(failData));} }

3.4、AjaxAuthenticationSuccessHandler認(rèn)證成功處理類

當(dāng)用戶認(rèn)證成功后，將交與該處理類處理；返回token（前綴帶bearer，所以服務(wù)端在進(jìn)行解析token時(shí)，應(yīng)該將bearer去掉。

package com.jwt.handler;import com.alibaba.fastjson.JSON; import com.jwt.entity.User; import com.jwt.utils.JwtTokenUtils; import com.jwt.utils.ResponseBody; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/11* @description: 認(rèn)證成功Handler處理類*/ @Component public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler {private String url;public AjaxAuthenticationSuccessHandler() {}public AjaxAuthenticationSuccessHandler(String url) {this.url = url;}@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {User user = (User) authentication.getPrincipal();String token = JwtTokenUtils.createToken(user.getUsername(), String.valueOf(user.getAuthorities()));//設(shè)置編碼,如果不設(shè)置會(huì)亂碼response.setCharacterEncoding("utf-8");response.setContentType("application/json;charset=utf-8");//設(shè)置返回的token 帶有Bearer的前綴字符串response.setHeader("Authorization", JwtTokenUtils.TOKEN_PREFIX+token);response.getWriter().write(new ResponseBody<User>(200,"登錄成功",user).toString());} }

3.5、AjaxLogoutSuccessHandler退出成功處理類

當(dāng)用戶退出登錄成功時(shí)，跳轉(zhuǎn)到登錄頁(yè)面

package com.jwt.handler;import lombok.extern.slf4j.Slf4j; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/16* @description:*/ @Component @Slf4j public class AjaxLogoutSuccessHandler implements LogoutSuccessHandler {@Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {request.getRequestDispatcher("/login.html").forward(request,response);} }

4、AuthenticationFilter（token的驗(yàn)證類）

該類對(duì)請(qǐng)求進(jìn)行攔截，配置到UsernamePasswordAuthenticationFilter過濾器類的前面，至于功能前面已經(jīng)分析過。

Spring Security使用一個(gè)Authentication對(duì)象來描述當(dāng)前用戶的相關(guān)信息。SecurityContextHolder中持有的是當(dāng)前用戶的SecurityContext，而SecurityContext持有的是代表當(dāng)前用戶相關(guān)信息的Authentication的引用。這個(gè)Authentication對(duì)象不需要我們自己去創(chuàng)建，在與系統(tǒng)交互的過程中，Spring Security會(huì)自動(dòng)為我們創(chuàng)建相應(yīng)的Authentication對(duì)象，然后賦值給當(dāng)前的SecurityContext，我們經(jīng)常會(huì)使用SecurityContextHolder獲取SecurityContext實(shí)例，然后獲取Authentication實(shí)例。下面會(huì)是使用到

package com.jwt.filter; import com.jwt.entity.User; import com.jwt.service.LoginUserDetailService; import com.jwt.utils.JwtTokenUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;@Component public class AuthenticationFilter extends OncePerRequestFilter {@AutowiredLoginUserDetailService userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {//獲取請(qǐng)求頭中的token加密串（名字是Authorization，JwtTokenUtils工具類里面定義的String authHeader = request.getHeader("Authorization"); //判斷是否是以Bearer開頭的，這是我自定義的前綴名）if (authHeader != null && authHeader.startsWith("Bearer ")) {//將Bearer去掉，因?yàn)榉祷豻oken時(shí)，我在token前綴加入了Bearer字符串String authToken = authHeader.substring("Bearer ".length()); //解析加密串，獲取用戶名String username = JwtTokenUtils.parseTokenToUsername(authToken);//看當(dāng)前SecurityContext中是否有Authentication實(shí)例（前面已經(jīng)介紹過）if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { //如果Authentication沒有當(dāng)前用戶的信息，然后從數(shù)據(jù)庫(kù)中查詢出相應(yīng)的信息User user = (User) userDetailsService.loadUserByUsername(username);if (user != null) {//封裝到UsernamePasswordAuthenticationToken令牌類中UsernamePasswordAuthenticationToken authentication =new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); //將用戶信息放到Authenticatin實(shí)例中進(jìn)行存儲(chǔ)SecurityContextHolder.getContext().setAuthentication(authentication);}}}filterChain.doFilter(request, response);} }

這個(gè)過濾器類里面是jwt最核心的點(diǎn)
首先請(qǐng)求進(jìn)入到該過濾器類時(shí)，獲取token串，進(jìn)行解析；然后查看Authentication是否為null，如果為null，根據(jù)解析到的用戶名去數(shù)據(jù)庫(kù)查詢相應(yīng)的信息，一并將其放到Authentication實(shí)例中。
當(dāng)你下一次再進(jìn)行token判斷時(shí)，直接從Authentication拿取相應(yīng)信息即可，不需要再查詢數(shù)據(jù)庫(kù)。

5、SecurityConfig配置類

package com.jwt.config; import com.jwt.filter.AuthenticationFilter; import com.jwt.handler.*; import com.jwt.service.LoginUserDetailService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl; import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;import javax.annotation.Resource; import javax.sql.DataSource;@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter {@Resourceprivate LoginUserDetailService userDetailsService;@Autowiredprivate AjaxAccessDeniedHandler deniedHandler;@Autowiredprivate AjaxAuthenticationEntryPoint ajaxAuthenticationEntryPoint;@Autowiredprivate AjaxAuthenticationSuccessHandler successHandler;@Autowiredprivate AjaxAuthenticationFailureHandler failureHandler;@Autowiredprivate DataSource dataSource;@Autowiredprivate AuthenticationFilter authenticationFilter;@Autowiredprivate AjaxLogoutSuccessHandler logoutSuccessHandler;/*** 攔截策略* @param http* @throws Exception*/@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().and().formLogin().loginPage("/login.html").loginProcessingUrl("/login").successHandler(successHandler).failureHandler(failureHandler).and().authorizeRequests().antMatchers("/login.html","/register.html","/register","/js/**").permitAll().and().exceptionHandling().accessDeniedHandler(deniedHandler).authenticationEntryPoint(ajaxAuthenticationEntryPoint).and().authorizeRequests().anyRequest().authenticated();http.addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);//設(shè)置記住我http.rememberMe().tokenRepository(persistentTokenRepository()).tokenValiditySeconds(600).userDetailsService(userDetailsService);//配置退出登錄操作http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);//關(guān)閉csrf防護(hù)http.csrf().disable();}@Beanpublic BCryptPasswordEncoder bCryptPasswordEncoder(){return new BCryptPasswordEncoder();}/*** 配置忽略的URL* @param web* @throws Exception*/@Overridepublic void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers("/");}/*** 攔截后需要使用自定義的類和加密解密方式* @param auth* @throws Exception*/@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.authenticationProvider(daoAuthenticationProvider());auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());}@Override@Beanprotected AuthenticationManager authenticationManager() throws Exception {return super.authenticationManager();}/*** * @return HideUserNotFoundExceptions(false)，否則UsernameNotFoundException異常會(huì)被BadCredentialsException異常覆蓋*/@Beanpublic AuthenticationProvider daoAuthenticationProvider() {DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService);daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());daoAuthenticationProvider.setHideUserNotFoundExceptions(false);return daoAuthenticationProvider;}//這是spirngsecurity記住我功能需要加入代碼 //JdbcTokenRepositoryImpl是將其保存到數(shù)據(jù)庫(kù)中@Beanpublic PersistentTokenRepository persistentTokenRepository() {//這個(gè)是記住我保存到數(shù)據(jù)庫(kù)的類，當(dāng)然還有保存到內(nèi)存的類JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();//設(shè)置數(shù)據(jù)源tokenRepository.setDataSource(dataSource);//這個(gè)會(huì)在第一次使用記住我時(shí)在數(shù)據(jù)庫(kù)中創(chuàng)建一張表(用戶、過期時(shí)間等）//在第二次一定要將其注釋掉，否者會(huì)報(bào)錯(cuò)。// tokenRepository.setCreateTableOnStartup(true);return tokenRepository;} }

6、自定義異常處理類

6.1、RegisterFailureException注冊(cè)失敗異常處理類

package com.jwt.exception;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ public class RegisterFailureException extends Exception{private String message;public RegisterFailureException() {super();}public RegisterFailureException(String message) {this.message = message;} }

6.2、RegisterUsernameHasBeenExists注冊(cè)時(shí)用戶名已經(jīng)存在異常處理類

package com.jwt.exception;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ public class RegisterUsernameHasBeenExists extends Exception{private String message;public RegisterUsernameHasBeenExists(String message) {this.message = message;} }

6.3、Controller層全局異常處理類

package com.jwt.exception.controllerException;import com.jwt.exception.RegisterUsernameHasBeenExists; import lombok.extern.slf4j.Slf4j; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; import org.springframework.validation.BindException; import org.springframework.validation.BindingResult; import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.RestControllerAdvice;import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.sql.SQLException; import java.util.Objects;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ @Slf4j @RestControllerAdvice public class ControllerHandlerExceptionAdvice {private static final Logger logger = LoggerFactory.getLogger(ControllerHandlerExceptionAdvice.class);/*** 攔截表單參數(shù)異常處理* @param exception* @param request* @return*/@ResponseStatus(HttpStatus.OK)@ExceptionHandler({BindException.class})public String bindException(BindException exception, HttpServletRequest request) {logger.info("表單攔截校驗(yàn)處理=====>");logger.info("表單數(shù)據(jù)======>"+request.getContentType());BindingResult bindingResult = exception.getBindingResult();return Objects.requireNonNull(bindingResult.getFieldError().getDefaultMessage());}@ExceptionHandlerpublic String handler(HttpServletRequest request, HttpServletResponse response, Exception e) {logger.info("RestFul 請(qǐng)求發(fā)生異常........");if (response.getStatus() == HttpStatus.BAD_REQUEST.value()) {logger.info("狀態(tài)值不是200,正準(zhǔn)備修改為200");response.setStatus(HttpStatus.OK.value());}if (e instanceof NullPointerException) {logger.error("發(fā)生了空指針異常======》",e.getMessage());return "空指針異常";} else if (e instanceof IllegalArgumentException) {logger.error("請(qǐng)求參數(shù)不匹配異常======>",e.getMessage());return "請(qǐng)求參數(shù)不匹配";} else if (e instanceof SQLException) {logger.error("數(shù)據(jù)庫(kù)訪問異常======>",e.getMessage());return "數(shù)據(jù)庫(kù)訪問異常";} else if (e instanceof BindException) {BindingResult bindingResult = ((BindException) e).getBindingResult();logger.error("表單校驗(yàn)異常",bindingResult.getFieldError().getDefaultMessage());return Objects.requireNonNull(bindingResult.getFieldError().getDefaultMessage());} else if (e instanceof RegisterUsernameHasBeenExists) {logger.info("用戶名已經(jīng)存在");return "用戶名已經(jīng)存在";} else {logger.error("未知異常",e.getMessage());return "服務(wù)器端未知異常,請(qǐng)去檢查!";}} }

7、controller，service，mapper，entity，mapper.xml編寫

這幾個(gè)類就是簡(jiǎn)單的crud了，沒什么可說的

7.1、controller

package com.jwt.controller;import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/7* @description:*/ @Controller public class LoginController {@RequestMapping("/toMain")public String main() {return "redirect:success.html";}@RequestMapping("/")public String demo() {return "main";}@RequestMapping("/logout")public String logout() {return "redirect:login.html";} } package com.jwt.controller;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists; import com.jwt.service.RegisterService; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.RequestMapping;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Controller @Slf4j public class RegisterController {@Autowiredprivate RegisterService registerService;@RequestMapping("/register")public String register(@Validated UserDto userDto) throws RegisterUsernameHasBeenExists {log.info("注冊(cè)的數(shù)據(jù)為:"+userDto.toString() );User user = registerService.selectDup(userDto.getUsername());if (user == null) {throw new RegisterUsernameHasBeenExists("用戶已存在");}try {registerService.register(userDto);} catch (RegisterFailureException e) {e.printStackTrace();}return "/";} } package com.jwt.controller;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.web.bind.annotation.*;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ @RestController @RequestMapping("/api") @EnableWebSecurity public class TestController {@RequestMapping("/add")public String add() {return "add";}@RequestMapping("select")public String select() {return "select";}@RequestMapping("/delete")public String delete() {return "delete";}@RequestMapping("/update")public String update() {return "update";} }

7.2、service

package com.jwt.service;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ public interface RegisterService {boolean register(UserDto userDto) throws RegisterFailureException;User selectDup(String username) throws RegisterUsernameHasBeenExists; }

這個(gè)LoginUserDetailService是要實(shí)現(xiàn)UserDetailService，根據(jù)用戶名查詢數(shù)據(jù)數(shù)據(jù)庫(kù)用戶信息，將其交給SpringSecurity進(jìn)行認(rèn)證

至于為什么要這樣：https://blog.csdn.net/Kevinnsm/article/details/115189976

package com.jwt.service;import com.jwt.entity.User; import com.jwt.mapper.LoginMapper; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Service;import java.util.ArrayList; import java.util.List;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/7* @description: 根據(jù)傳來的username去數(shù)據(jù)庫(kù)中查詢用戶信息,然后交給springsecurity去認(rèn)證*/ @Service @Slf4j public class LoginUserDetailService implements UserDetailsService {@Autowiredprivate LoginMapper loginMapper;@Autowiredprivate PasswordEncoder passwordEncoder;/**** 自定義認(rèn)證* @param username* @return* @throws UsernameNotFoundException*/@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {if (username == null || username.equals("")) {throw new RuntimeException("用戶名不能為空!");}User user = loginMapper.findByUsername(username);if (user == null) {throw new UsernameNotFoundException("用戶不能為空!");}log.info("根據(jù)username查詢的用戶信息為===>"+user.toString() + "==》等待認(rèn)證！");List<GrantedAuthority> authorities = new ArrayList<>(); // loginMapper.findAuthorityByUsername(username).forEach(role-> // authorities.add(new SimpleGrantedAuthority((String) role)) // );authorities.add(new SimpleGrantedAuthority(loginMapper.findAuthorityByUsername(username)));user.setAuthorities(authorities);log.info(user.getUsername()+"用戶的所有權(quán)限為權(quán)限===>"+authorities.toString());return new User(user.getUsername(), passwordEncoder.encode(user.getPassword()),authorities);}} package com.jwt.service.impl;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists; import com.jwt.mapper.RegisterMapper; import com.jwt.service.RegisterService; import com.sun.deploy.association.RegisterFailedException; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Service @Slf4j public class RegisterServiceImpl implements RegisterService {@Autowiredprivate RegisterMapper registerMapper;@Overridepublic boolean register(UserDto userDto) throws RegisterFailureException {boolean b = registerMapper.register(userDto);System.out.println(b);if (!b) {log.info("注冊(cè)失敗");throw new RegisterFailureException("注冊(cè)失敗");}return b;}@Overridepublic User selectDup(String username) throws RegisterUsernameHasBeenExists {User user = registerMapper.selectDup(username);if (user != null) {throw new RegisterUsernameHasBeenExists("用戶名已經(jīng)存在");}return null;} }

7.4、mapper

@Repository public interface LoginMapper {User findByUsername(String username);String findAuthorityByUsername(String username); } @Repository public interface RegisterMapper {boolean register(UserDto userDto);User selectDup(String username); }

7.5、mapper.xml

<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.jwt.mapper.LoginMapper"><select id="findByUsername" resultType="User" parameterType="string">select * from user where username = #{username} limit 1</select><select id="findAuthorityByUsername" resultType="string">select authority from role where username = #{username} limit 1</select> </mapper> <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.jwt.mapper.RegisterMapper"><insert id="register" parameterType="userDto">insert into user (username,password) values(#{username},#{password})</insert><select id="selectDup" resultType="user">select * from user where username=#{username} limit 1</select> </mapper>

7.6、entity

@Data @NoArgsConstructor public class User implements UserDetails {private String username;private String password;private List<GrantedAuthority> authorities;@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return this.authorities;}public User(String username, String password, List<GrantedAuthority> authorities) {this.username = username;this.password = password;this.authorities = authorities;}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;} } @Data public class Authority implements Serializable {private String roles; } package com.jwt.entity;import com.sun.istack.internal.NotNull; import lombok.Data;import javax.validation.constraints.Size; import java.io.Serializable;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Data public class UserDto implements Serializable {@NotNull@Size(min = 3, max = 15, message = "用戶名必須在3~15之間")private String username;@NotNull@Size(min = 5, max = 15, message = "密碼必須在5~15之間")private String password; }

8、application.yml

spring:datasource:url: jdbc:mysql://localhost:3306/security?serverTimezone=UTCusername: rootpassword: hao20001010mybatis:mapper-locations: mapper/**type-aliases-package: com.jwt.entityserver:port: 8081

9、html測(cè)試

templates模板下的main.html

<!DOCTYPE html> <html lang="en" xmlns="http://www.w3.org/1999/xhtml" > <head><meta charset="UTF-8"><title>Title</title> </head> <body><h1>這是主頁(yè)面</h1> <br/><a href="login.html">登錄</a><a href="register.html">注冊(cè)</a><br><hr><h2>操作如下</h2><a href="/api/add">添加商品</a><a href="/api/select">查詢商品</a><a href="/api/update">修改商品</a><a href="/api/delete">刪除商品</a><a href="/logout">退出登錄</a></body> </html>

static文件下

<!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title></head> <body> <h2>=======登錄頁(yè)面=========</h2><form action="/login" method="post">username:<input type="text" name="username"/><br/>password:<input type="password" name="password" /><br/>remember me:<input type="checkbox" name="remember-me" value="true"/><br/><input type="submit" value="提交" /></form> </body></html> <!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title> </head> <body> <h2>=========注冊(cè)頁(yè)面=========</h2> <form action="/register" method="post"><table>username:<input type="text" name="username"/><br/>password:<input type="password" name="password"/><br/><input type="submit" value="提交"/></table> </form> </body> </html> <!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title> </head> <body> <h1>分頁(yè)面</h1><br> <a href="/toMain">主頁(yè)面</a><br> <a href="/logout">退出</a></body> </html>

到這里也就是結(jié)束了，測(cè)試截圖就不再發(fā)了，Controller層應(yīng)該使用Rest風(fēng)格的。

回顧這個(gè)小demo，其實(shí)簡(jiǎn)單了分析就是：springsecurity是一串過濾器鏈，然后自定義jwt的校驗(yàn)token過濾器，最后將其加入到過濾器鏈中，至于加到什么位置，想必都明白了。

核心就前端那一段，其他的基本數(shù)就是springsecurity的基本操作和一些crud操作及其某些細(xì)節(jié)。把握住核心即可。

總結(jié)

以上是生活随笔為你收集整理的springboot+springsecurity+mybatis+jwt实现单点登录（详细到爆了）的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。