一 引言

在基于springsecurity和jwt实现的单体项目token认证中我实现了基于jwt实现的认证,本文在此基础上继续实现权限认证

• 用户认证成功后携带jwt发起请求,请求被AuthenticationFilter拦截到,进行jwt的校验
• jwt校验成功后,调用JwtAuthenticationProvider从jwt中获得权限信息,加载到Authcation中
• 将Authcation加载安全上下文SecurityContextHolder
• FilterSecurityInterceptor从上下文中获得用户权限信息,根据校验规则进行用户数据的权限校验

二 代码实现

用户认证成功生成jwt时将权限信息加载到jwt中

package com.xlcp.xlcpdemo.auth.token;import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.convert.Convert;
import cn.hutool.core.date.DateField;
import cn.hutool.core.date.DateTime;
import cn.hutool.core.date.DateUtil;
import cn.hutool.core.io.resource.ResourceUtil;
import cn.hutool.core.util.IdUtil;
import cn.hutool.crypto.asymmetric.SignAlgorithm;
import cn.hutool.jwt.JWT;
import cn.hutool.jwt.JWTUtil;
import cn.hutool.jwt.JWTValidator;
import cn.hutool.jwt.RegisteredPayload;
import cn.hutool.jwt.signers.AlgorithmUtil;
import cn.hutool.jwt.signers.JWTSigner;
import cn.hutool.jwt.signers.JWTSignerUtil;
import com.xlcp.xlcpdemo.auth.common.AccessToken;
import com.xlcp.xlcpdemo.auth.common.AccessTokenType;
import com.xlcp.xlcpdemo.auth.common.AuthProperties;
import com.xlcp.xlcpdemo.auth.core.AccessTokenManager;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Date;
import java.util.HashMap;
import java.util.List;/*** @author likun* @date 2022年07月12日 13:48*/
@Slf4j
public class JwtAccessTokenManager implements AccessTokenManager {private final AuthProperties authProperties;private final JWTSigner jwtSigner;// 省略....@Overridepublic AccessToken createToken(Authentication authentication) {AccessToken accessToken = new AccessToken();accessToken.setTokenType(AccessTokenType.JWT.name());accessToken.setExpireInTimeMills(authProperties.getExpireInTimeMills());HashMap payloads = new HashMap();payloads.put(RegisteredPayload.AUDIENCE, authentication.getName());payloads.put(RegisteredPayload.JWT_ID, IdUtil.fastUUID());DateTime expiredAt = DateUtil.offset(new Date(), DateField.MILLISECOND, Convert.toInt(authProperties.getExpireInTimeMills()));payloads.put(RegisteredPayload.EXPIRES_AT, expiredAt);// todo 数据库查询权限信息List permissions = CollUtil.newArrayList("ROLE_BUYER","ROLE_SELLER","user_find_account");payloads.put("authDetails", permissions);String token = JWTUtil.createToken(payloads, this.jwtSigner);accessToken.setAccessToken(token);return accessToken;}}

定义JwtAuthenticationProvider和JwtAuthenticationToken用于认证成功从jwt中解析jwt中的权限信息

package com.xlcp.xlcpdemo.auth.core;import cn.hutool.jwt.JWT;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;import java.util.List;/*** @author likun* @date 2022年12月01日 12:25*/
public class JwtAuthenticationProvider implements AuthenticationProvider {@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authentication;String token = jwtAuthenticationToken.getToken();JWT jwt = JWT.create().parse(token);Object authDetails = jwt.getPayload("authDetails");Object aud = jwt.getPayload("aud");List permissions;if (authDetails!=null&&authDetails instanceof List){List auths = (List) authDetails;permissions=AuthorityUtils.createAuthorityList(auths.toArray(new String[0]));}else {permissions = AuthorityUtils.createAuthorityList("");}return new JwtAuthenticationToken(aud,null,permissions);}@Overridepublic boolean supports(Class authentication) {return (JwtAuthenticationToken.class.isAssignableFrom(authentication));}
}

package com.xlcp.xlcpdemo.auth.core;import lombok.Getter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;import java.util.Collection;/*** @author likun* @date 2022年12月01日 11:51*/
public class JwtAuthenticationToken extends AbstractAuthenticationToken {private  Object principal;private Object credentials;@Getterprivate String token;public JwtAuthenticationToken(Object principal,Object credentials,Collection authorities) {super(authorities);this.principal= principal;this.credentials= credentials;setAuthenticated(true);}public JwtAuthenticationToken(String token){super(null);this.token=token;setAuthenticated(false);}@Overridepublic Object getCredentials() {return credentials;}@Overridepublic Object getPrincipal() {return principal;}
}

jwt校验成功后解析jwt并加载到安全上下文中

package com.xlcp.xlcpdemo.auth.core;import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.http.Header;
import cn.hutool.jwt.JWT;
import cn.hutool.jwt.RegisteredPayload;
import com.baomidou.mybatisplus.core.toolkit.StringUtils;
import com.xlcp.xlcpdemo.auth.common.AuthProperties;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;import static com.xlcp.xlcpdemo.entity.PtUser.ACCOUNT;/*** @author likun* @date 2022年07月12日 15:14*/
@Slf4j
public class AuthenticationFilter extends OncePerRequestFilter {private static final String BEARER = "bearer";private final AuthProperties authProperties;private final AccessTokenManager accessTokenManager;private final AntPathMatcher antPathMatcher;private final AuthenticationManager authenticationManager;public AuthenticationFilter(AuthProperties authProperties, AccessTokenManager accessTokenManager, AntPathMatcher antPathMatcher,AuthenticationManager authenticationManager){this.authProperties=authProperties;this.accessTokenManager=accessTokenManager;this.antPathMatcher=antPathMatcher;this.authenticationManager=authenticationManager;}@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {// 判断当前请求是否为忽略的路径Set ignorePaths = authProperties.getIgnorePaths();if (CollUtil.isNotEmpty(ignorePaths)){for (String ignorePath : ignorePaths) {if (antPathMatcher.match(ignorePath,request.getRequestURI())){filterChain.doFilter(request, response);return;}}}// token校验String bearerToken = request.getHeader(Header.AUTHORIZATION.getValue());if (StrUtil.isBlank(bearerToken)){response.setStatus(HttpStatus.UNAUTHORIZED.value());throw new InsufficientAuthenticationException("unauthorized request.");}final String accessToken = bearerToken.trim().substring(BEARER.length()).trim();boolean valid = false;try {valid = accessTokenManager.verify(accessToken);} catch (Exception e) {log.warn("verify access token [{}] failed.", accessToken);throw new InsufficientAuthenticationException("invalid access token + [ " + accessToken + " ].");}if (!valid) {throw new InsufficientAuthenticationException("invalid access token + [ " + accessToken + " ].");}final String account = request.getParameter(ACCOUNT);if (StringUtils.isBlank(account)) {SetAuthentication(accessToken);filterChain.doFilter(request, response);return;}//校验是否本人final String audience = JWT.of(accessToken).getPayload(RegisteredPayload.AUDIENCE).toString();if (!account.equalsIgnoreCase(audience)) {throw new AccessDeniedException("invalid account. parameter [ " + account + " ]. account in token [ " + audience + " ].");}SetAuthentication(accessToken);filterChain.doFilter(request, response);}// 解析jwt并加载到安全上下文中private void SetAuthentication(String accessToken) {JwtAuthenticationToken jwtAuthenticationToken = new JwtAuthenticationToken(accessToken);Authentication authenticate = authenticationManager.authenticate(jwtAuthenticationToken);SecurityContextHolder.getContext().setAuthentication(authenticate);}
}

自定义权限不足返回异常处理

public class CustomAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {response.setStatus(HttpStatus.FORBIDDEN.value());R