
security 配置档配置 token

wuheng 2 yıl önce
ebeveyn
işleme
cac6d554fc

+ 7 - 4
redis-demo/pom.xml

@@ -17,11 +17,14 @@
         <java.version>8</java.version>
     </properties>
     <dependencies>
-<!--        <dependency>-->
-<!--            <groupId>org.springframework.boot</groupId>-->
-<!--            <artifactId>spring-boot-starter-security</artifactId>-->
-<!--        </dependency>-->
 
+        <!-- security 依赖 -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <!-- redis 依赖 -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-redis</artifactId>

+ 26 - 0
redis-demo/src/main/java/com/lovecoding/redis/redisdemo/DemoController.java

@@ -0,0 +1,26 @@
+package com.lovecoding.redis.redisdemo;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+
+    @Autowired
+    RedisService redisService;
+
+    @RequestMapping("/t1")
+    public String t1(){
+        System.out.println(  "Hello Redis"  );
+        return "Hello Redis";
+    }
+
+    @RequestMapping("/user/login")
+    public String t2( String token ){
+
+        redisService.set( "token:" + token,  token  );
+
+        return "User Login";
+    }
+}
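Review bot: `t2` stores whatever `token` the caller sends under `token:<token>` without checking any credential, and SecurityConfig marks `/user/login` as `permitAll`, so the value that SpringSecurityFilter later accepts as proof of login is chosen entirely by the client. The handler should verify credentials first and issue the token itself, for example `String token = UUID.randomUUID().toString();`, returning it in the response instead of reading it from the request. If the parameter is omitted, the key written is `"token:null"`, so a `StringUtils.hasText(token)` guard is needed for as long as the parameter stays. Whether `RedisService.set` applies an expiry is not visible in this commit; without one the filter's "login expired" branch can never trigger.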

+ 50 - 0
redis-demo/src/main/java/com/lovecoding/redis/redisdemo/SecurityConfig.java

@@ -0,0 +1,50 @@
+package com.lovecoding.redis.redisdemo;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Autowired
+    SpringSecurityFilter springSecurityFilter;
+
+    @Bean
+    public SecurityFilterChain t(HttpSecurity http) throws Exception {
+
+        HttpSecurity and = http
+                //配置跨站攻击
+                .csrf()
+                //禁用跨站攻击
+                .disable()
+                //配置session
+                .sessionManagement()
+                //关闭session
+                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
+                //结束session配置
+                .and()
+                //配置用户权限
+                .authorizeRequests()
+                //通过URL 匹配权限路径, 配置权限
+                //URL 匹配了  /user/login 这个请求, 则放心
+                .mvcMatchers("/user/login").permitAll()
+                //其他请求  全部必须登录才能访问
+                .anyRequest().authenticated()
+                //结束权限配置
+                .and();
+
+        //把我们自定义的过滤器添加到  Security 过滤器链路的 前端,, 保证我们的过滤器优先执行
+        and.addFilterBefore( springSecurityFilter, UsernamePasswordAuthenticationFilter.class);
+
+        //返回鉴权对象
+        return and.build();
+    }
+
+}
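Review bot: `SessionCreationPolicy.NEVER` in the `sessionManagement()` section does not switch sessions off, although the comment above it says so. Spring Security will not create a session itself, but it still loads and saves the security context in any session that already exists. For a token-per-request design the matching setting is `.sessionCreationPolicy(SessionCreationPolicy.STATELESS)`, which also keeps the `csrf().disable()` above it defensible because no cookie-backed authentication remains. As a style point, the bean method `t` and the local `and` say nothing about their role; `securityFilterChain` and `httpSecurity` would read better.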

+ 71 - 0
redis-demo/src/main/java/com/lovecoding/redis/redisdemo/SpringSecurityFilter.java

@@ -0,0 +1,71 @@
+package com.lovecoding.redis.redisdemo;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Objects;
+
+@Component
+public class SpringSecurityFilter  extends OncePerRequestFilter {
+
+    @Autowired
+    RedisService redisService;
+
+    /**
+     * 自己建过滤器 是为了 整合 JWT
+     * Security 就是一个基于 过滤器 实现的 权限控制框架
+     * 第一点 我们要自己鉴权控制权限
+     * 我们还要使用 Security 的权限管理
+     * 我们必须要保证 我们的过滤器 优先执行
+     * @param request
+     * @param response
+     * @param filterChain
+     * @throws ServletException
+     * @throws IOException
+     */
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+
+        //从 Header取 token
+        String token = request.getHeader("token");
+
+        //如果header没有token则从URL取
+        if ( !StringUtils.hasText( token ) ) {
+            token = request.getParameter("token");
+        }
+
+        //如果没有token 则放行不处理
+        if ( !StringUtils.hasText( token )) {
+            filterChain.doFilter( request, response );
+            return;
+        }
+
+        //从 redis里 查询用户信息
+        Object o = redisService.get("token:" + token);
+
+        //如果能查到用户信息 则认为用户已登录 直接给 Security 赋值权限
+        if (Objects.nonNull( o )) {
+            //用户存在
+            UsernamePasswordAuthenticationToken userToken =
+                    new UsernamePasswordAuthenticationToken( "username", null, null );
+            SecurityContextHolder.getContext().setAuthentication( userToken );
+        } else {
+            //如果 redis 查不到 用户信息 则认为 登录过期 清空Security上下文
+            SecurityContextHolder.clearContext();
+        }
+
+        //过滤器放心
+        filterChain.doFilter( request, response );
+
+    }
+}
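Review bot: The authentication built in the `Objects.nonNull( o )` branch uses the literal principal `"username"` with null authorities, so every accepted token resolves to the same identity and the value read from Redis is discarded. The principal should come from the stored entry, e.g. `new UsernamePasswordAuthenticationToken( o, null, Collections.emptyList() )`, once the login path stores a user identifier rather than the token itself. The fallback `request.getParameter("token")` also accepts the credential from the URL, where it ends up in access logs, browser history and Referer headers; reading it from the header only avoids that. The Javadoc mentions JWT, but no signature or expiry check appears in this filter, and the `javax.servlet.Filter` import is unused.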

+ 0 - 1
redis-demo/src/main/resources/application.properties

@@ -1 +0,0 @@
-server.port=8088

+ 16 - 0
redis-demo/src/main/resources/application.yml

@@ -0,0 +1,16 @@
+server:
+  port: 8088
+
+
+spring:
+  redis:
+    database: 10
+    host: 127.0.0.1
+    port: 6379
+    password:
+
+
+  security:
+    user:
+      name: admin
+      password: 123456
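Review bot: `spring.security.user.password: 123456` commits a guessable credential for the `admin` account to the repository. It should be supplied from the environment, e.g. `password: ${APP_SECURITY_PASSWORD}` (the variable name is only an example), with the deployed value rotated since this one is now in history. The filter chain in SecurityConfig configures neither form login nor HTTP Basic, so this user looks unused; if that is the case, dropping the `security.user` block is cleaner. The empty `spring.redis.password` is acceptable only while Redis stays bound to `127.0.0.1`, which deserves a comment next to it.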