1,首先先贴一下项目结构更容易梳理思路,文章较长请细心阅读。 2.创建User用户和UserPermissons用户权限实体类,在生成token时会需要用户的账号密码和权限。还需要几个工具类,现在一步步为大家展示。 yml配置文件
# 端口 server: port: 8080 # 数据库连接配置 spring: datasource: driver-class-name: com.mysql.cj.jdbc.Driver url: jdbc:mysql://localhost:3306/数据库?useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai username: root password: root # 自定义jwt key jwt: tokenHeader: Authorization #JWT存储的请求头 secret: java@java #JWT加解密使用的密钥 expiration: 600 #JWT的超期限时间60*10 tokenHead: Bearer #JWT负载中拿到开头 # 配置Swagger swagger: basePackage: com.mujiwulian.controller title: Swagger-ui测试 description: SpringSecurity接口测试 version: 1.0 创建JwtTokenUtil工具类,这个类用来生成包含权限账户密码的token。 package com.mujiwulian.util; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Component; import java.util.Date; import java.util.HashMap; import java.util.Map; /** * @author zhang * @since 2020-06-19 * TODO JwtToken生成的工具类 */ @Component public class JwtTokenUtil { private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenUtil.class); private static final String CLAIM_KEY_USERNAME = "sub"; private static final String CLAIM_KEY_CREATED = "created"; @Value("${jwt.secret}") private String secret; @Value("${jwt.expiration}") private Long expiration; @Value("${jwt.tokenHead}") private String tokenHead; /** * 从token中获取JWT中的负载 */ private Claims getClaimsFromToken(String token) { Claims claims = null; try { claims = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody(); } catch (Exception e) { LOGGER.info("JWT格式验证失败:{}",token); } return claims; } /** * 生成token的过期时间 */ private Date generateExpirationDate() { return new Date(System.currentTimeMillis() + expiration * 1000); } /** * 从token中获取登录用户名 * 从token中获取登录用户的信息 */ public String getUserNameFromToken(String token) { String username; try { Claims claims = getClaimsFromToken(token); username = claims.getSubject(); } catch (Exception e) { username = null; } return username; } /** * 验证token是否还有效 * * @param token 客户端传入的token * @param userDetails 从数据库中查询出来的用户信息 */ public boolean validateToken(String token, UserDetails userDetails) { String username = getUserNameFromToken(token); return username.equals(userDetails.getUsername()) && !isTokenExpired(token); } /** * 判断token是否已经失效 */ private boolean isTokenExpired(String token) { Date expiredDate = getExpiredDateFromToken(token); return expiredDate.before(new Date()); } /** * 从token中获取过期时间 */ private Date getExpiredDateFromToken(String token) { Claims claims = getClaimsFromToken(token); return claims.getExpiration(); } /** * 根据用户信息生成token */ public String generateToken(UserDetails userDetails) { Map<String, Object> claims = new HashMap<>(); claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername()); claims.put(CLAIM_KEY_CREATED, new Date()); return generateToken(claims); } /** * 用于根据登录用户信息生成token * 根据负责生成JWT的token */ private String generateToken(Map<String, Object> claims) { return tokenHead+Jwts.builder() .setClaims(claims) .setExpiration(generateExpirationDate()) .signWith(SignatureAlgorithm.HS512, secret) .compact(); } /** * 判断token是否可以被刷新 */ public boolean canRefresh(String token) { return !isTokenExpired(token); } /** * 刷新token */ public String refreshToken(String token) { Claims claims = getClaimsFromToken(token); claims.put(CLAIM_KEY_CREATED, new Date()); return generateToken(claims); } } 枚举定义下返回的code码,用来表示不同的权限。 package com.mujiwulian.util; /** * @author zhang * @since 2020-06-19 */ public enum ResultCode { SUCCESS(200, "操作成功"), FAILED(500, "操作失败"), VALIDATE_FAILED(404, "参数检验失败"), UNAUTHORIZED(401, "暂未登录或token已经过期"), FORBIDDEN(403, "没有相关权限"); private long code; private String message; private ResultCode(long code, String message) { this.code = code; this.message = message; } public long getCode() { return code; } public String getMessage() { return message; } } 设置了code码当然要有自己定义的Result返回类。 package com.mujiwulian.util; /** * @author zhang * @since 2020-06-19 */ public class Result <T> { private long code; private String message; private T data; protected Result() { } protected Result(long code, String message, T data) { this.code = code; this.message = message; this.data = data; } /** * 成功返回结果 * * @param data 获取的数据 */ public static <T> Result<T> success(T data) { return new Result<T>(ResultCode.SUCCESS.getCode(), ResultCode.SUCCESS.getMessage(), data); } /** * 成功返回结果 * * @param data 获取的数据 * @param message 提示信息 */ public static <T> Result<T> success(T data, String message) { return new Result<T>(ResultCode.SUCCESS.getCode(), message, data); } /** * 失败返回结果 * @param errorCode 错误码 */ public static <T> Result<T> failed(IErrorCode errorCode) { return new Result<T>(errorCode.getCode(), errorCode.getMessage(), null); } /** * 失败返回结果 * @param message 提示信息 */ public static <T> Result<T> failed(String message) { return new Result<T>(ResultCode.FAILED.getCode(), message, null); } /** * 失败返回结果 * @param failed */ public static <T> Result<T> failed(ResultCode failed) { return failed(ResultCode.FAILED); } /** * 参数验证失败返回结果 */ public static <T> Result<T> validateFailed() { return failed(ResultCode.VALIDATE_FAILED); } /** * 参数验证失败返回结果 * @param message 提示信息 */ public static <T> Result<T> validateFailed(String message) { return new Result<T>(ResultCode.VALIDATE_FAILED.getCode(), message, null); } /** * 未登录返回结果 */ public static <T> Result<T> unauthorized(T data) { return new Result<T>(ResultCode.UNAUTHORIZED.getCode(), ResultCode.UNAUTHORIZED.getMessage(), data); } /** * 未授权返回结果 */ public static <T> Result<T> forbidden(T data) { return new Result<T>(ResultCode.FORBIDDEN.getCode(), ResultCode.FORBIDDEN.getMessage(), data); } public long getCode() { return code; } public void setCode(long code) { this.code = code; } public String getMessage() { return message; } public void setMessage(String message) { this.message = message; } public T getData() { return data; } public void setData(T data) { this.data = data; } } package com.mujiwulian.util; /** * @author zhang * @since 2020-06-19 * TODO 封装API的错误码 */ public interface IErrorCode { long getCode(); String getMessage(); }3.准备工作做好后,就可以进入今天的主角了。我们通过jwt的工具类已经生成了token,现在肯定要对token进行拦截解析数据。所以需要来写一个过滤器。
创建JwtAuthenticationTokenFilter拦截器继承springframework.web.filter的OncePerRequestFilter拦截器。通过request.getHeader()的方法获取带自定义头部(在ymi文件配置的tokenHead属性),在把含有自定义的头部信息去除。token通过jwt的工具类取出用户名,完成比对。
package com.mujiwulian.security; import com.mujiwulian.util.JwtTokenUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @author zhang * @since 2020-06-19 * TODO JWT登录授权过滤器 , * 在用户名和密码校验前添加的过滤器, * 如果请求中有jwt的token且有效,会取出token中的用户名, * 然后调用SpringSecurity的API进行登录操作。 */ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter { private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class); @Autowired private UserDetailsService userDetailsService; @Autowired private JwtTokenUtil jwtTokenUtil; @Value("${jwt.tokenHeader}") private String tokenHeader; @Value("${jwt.tokenHead}") private String tokenHead; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String authHeader = request.getHeader(this.tokenHeader); if (authHeader != null && authHeader.startsWith(this.tokenHead)) { String authToken = authHeader.substring(this.tokenHead.length()); // The part after "Bearer " String username = jwtTokenUtil.getUserNameFromToken(authToken); LOGGER.info("checking username:{}", username); if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); if (jwtTokenUtil.validateToken(authToken, userDetails)) { UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); LOGGER.info("authenticated user:{}", username); SecurityContextHolder.getContext().setAuthentication(authentication); } } } chain.doFilter(request, response); } }比对会产生不同的结果,就需要我们去自定义去实现各种不同的返回结果。
先定义当未登录或者token失效访问接口时,自定义的返回结果 package com.mujiwulian.security; import cn.hutool.json.JSONUtil; import com.mujiwulian.util.*; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @author zhang * @since 2020-06-19 * TODO 当未登录或者token失效访问接口时,自定义的返回结果 */ @Component public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException { response.setCharacterEncoding("UTF-8"); response.setContentType("application/json"); response.getWriter().println(JSONUtil.parse(Result.unauthorized(e.getMessage()))); response.getWriter().flush(); } } 在定义当访问接口没有权限时自定义的返回结果 package com.mujiwulian.security; import cn.hutool.json.JSONUtil; import com.mujiwulian.util.*; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @author zhang * @since 2020-06-19 * TODO 当访问接口没有权限时,自定义的返回结果 */ @Component public class RestfulAccessDeniedHandler implements AccessDeniedHandler { @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException { response.setCharacterEncoding("UTF-8"); response.setContentType("application/json"); response.getWriter().println(JSONUtil.parse(Result.forbidden(e.getMessage()))); response.getWriter().flush(); } }到这里你肯定会有疑问,在做拦截器比对的时候UserDetailsService的数据从哪来的,这就需要我们将自己定义的AdminUserDetails来实现security自带的UserDetails接口了。
package com.mujiwulian.security; import com.mujiwulian.entity.*; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import java.util.Collection; import java.util.List; import java.util.stream.Collectors; /** * TODO: 实现UserDetails接口并实现方法 * * @author ZHANG * @email zhang@email.com * @date 2020/6/19 14:58 */ public class AdminUserDetails implements UserDetails { private User user; private List<UserPermissions> permissionList; public AdminUserDetails(User user, List<UserPermissions> permissionList) { this.user = user; this.permissionList = permissionList; } /** * 得到授权,返回权限 * @return */ @Override public Collection<? extends GrantedAuthority> getAuthorities() { return permissionList.stream() .filter(umsPermission -> umsPermission.getValue()!=null) .map(umsPermission -> new SimpleGrantedAuthority(umsPermission.getValue())) .collect(Collectors.toList()); } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUsername(); } /** * 账号未过期 * @return */ @Override public boolean isAccountNonExpired() { return true; } /** * 账号未锁定 * @return */ @Override public boolean isAccountNonLocked() { return true; } /** * 账号凭证是否过期 * @return */ @Override public boolean isCredentialsNonExpired() { return true; } /** * 账号是否启用 * @return */ @Override public boolean isEnabled() { return user.getStatus().equals(1); } }4.拦截各种工作都做好了,还需要配置security才能生效。 创建一个SecurityConfig配置类,里面的配置在下面也有详细的说明。
package com.mujiwulian.config; import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import com.mujiwulian.entity.*; import com.mujiwulian.security.AdminUserDetails; import com.mujiwulian.security.JwtAuthenticationTokenFilter; import com.mujiwulian.security.RestAuthenticationEntryPoint; import com.mujiwulian.security.RestfulAccessDeniedHandler; import com.mujiwulian.service.UserPermissionsService; import com.mujiwulian.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.util.StringUtils; import java.util.List; /** * TODO: 类描述 * * @author ZHANG * @email zhang@email.com * @date 2020/6/19 11:20 */ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled=true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserService userService; @Autowired private UserPermissionsService userPermissionsService; @Autowired private RestfulAccessDeniedHandler restfulAccessDeniedHandler; @Autowired private RestAuthenticationEntryPoint restAuthenticationEntryPoint; @Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity.csrf()// 由于使用的是JWT,我们这里不需要csrf .disable() .sessionManagement()// 基于token,所以不需要session .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() // 允许对于网站静态资源的无授权访问 .antMatchers(HttpMethod.GET, "/", "/*.html", "/favicon.ico", "/**/*.html", "/**/*.css", "/**/*.js", "/swagger-resources/**", "/v2/api-docs/**", "/swagger-ui.html/*" ) .permitAll() // 对登录注册要允许匿名访问 .antMatchers("/admin/login", "/admin/register") .permitAll() //跨域请求会先进行一次options请求 .antMatchers(HttpMethod.OPTIONS) .permitAll() //测试时全部运行访问 .antMatchers("/**") .permitAll() .anyRequest()// 除上面外的所有请求全部需要鉴权认证 .authenticated(); // 禁用缓存 httpSecurity.headers().cacheControl(); // 添加JWT filter httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class); //添加自定义未授权和未登录结果返回 httpSecurity.exceptionHandling() .accessDeniedHandler(restfulAccessDeniedHandler) .authenticationEntryPoint(restAuthenticationEntryPoint); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService()) .passwordEncoder(passwordEncoder()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override @Bean public UserDetailsService userDetailsService() { //获取登录用户信息 return username -> { QueryWrapper<User> qw=new QueryWrapper<>(); qw.lambda().eq(!StringUtils.isEmpty(username),User::getUsername,username); User user = userService.getOne(qw); if (user != null) { QueryWrapper<UserPermissions> qwp=new QueryWrapper<>(); qwp.lambda().eq(!StringUtils.isEmpty(user.getAuthorities()),UserPermissions::getId,user.getAuthorities()); List<UserPermissions> permissionList =userPermissionsService.list(); return new AdminUserDetails(user,permissionList); } throw new UsernameNotFoundException("用户名或密码错误"); }; } @Bean public JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter(){ return new JwtAuthenticationTokenFilter(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * configure(HttpSecurity httpSecurity):用于配置需要拦截的url路径、jwt过滤器及出异常后的处理器; * configure(AuthenticationManagerBuilder auth):用于配置UserDetailsService及PasswordEncoder; * RestfulAccessDeniedHandler:当用户没有访问权限时的处理器,用于返回JSON格式的处理结果; * RestAuthenticationEntryPoint:当未登录或token失效时,返回JSON格式的结果; * UserDetailsService:SpringSecurity定义的核心接口,用于根据用户名获取用户信息,需要自行实现; * UserDetails:SpringSecurity定义用于封装用户信息的类(主要是用户信息和权限),需要自行实现; * PasswordEncoder:SpringSecurity定义的用于对密码进行编码及比对的接口,目前使用的是BCryptPasswordEncoder; * JwtAuthenticationTokenFilter:在用户名和密码校验前添加的过滤器,如果有jwt的token,会自行根据token信息进行登录。 */ }5.配置完成后我们来测试一下。 写一个登录的controller
package com.mujiwulian.controller; import com.mujiwulian.entity.User; import com.mujiwulian.entity.UserPermissions; import com.mujiwulian.service.UserService; import com.mujiwulian.util.Result; import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.HashMap; import java.util.List; import java.util.Map; /** * <p> * 前端控制器 * </p> * * @author zhang * @since 2020-06-19 */ @Api(tags = "UserController" ,description = "后台用户管理") @RestController @RequestMapping("/user") public class UserController { @Autowired private UserService userService; @Value("${jwt.tokenHeader}") private String tokenHeader; @Value("${jwt.tokenHead}") private String tokenHead; @ApiOperation(value = "用户注册") @PostMapping(value = "/register") public Result<User> register(@RequestBody User user) { User umsAdmin = userService.register(user); if (umsAdmin == null) { Result.failed("注册失败,该用户已被注册!"); } return Result.success(umsAdmin); } @ApiOperation(value = "登录以后返回token") @PostMapping(value = "/login") public Result login(@RequestBody User user) { String token = userService.login(user.getUsername(), user.getPassword()); if (token == null) { return Result.validateFailed("用户名或密码错误"); } Map<String, String> tokenMap = new HashMap<>(); tokenMap.put("token", token); tokenMap.put("tokenHead", tokenHead); System.out.println("token:"+token); return Result.success(tokenMap); } @ApiOperation("获取用户所有权限(包括+-权限)") @GetMapping(value = "/permission/{userId}") public Result<List<UserPermissions>> getPermissionList(@PathVariable Long userId) { List<UserPermissions> permissionList = userService.getPermissionList(userId); return Result.success(permissionList); } @ApiOperation("根据条件获取所有的用户") @PostMapping(value = "/list") @PreAuthorize("hasAuthority('pms:brand:order')") public Result<List<User>> getuserList(@RequestBody User user) { List<User> list=userService.getlist(user); return Result.success(list); } } 这里在显示下我的service实体接口就不显示了。我这里用的是mybatis-plus。这些都不是重点。。。。。。 package com.mujiwulian.service.impl; import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import com.mujiwulian.entity.User; import com.mujiwulian.entity.UserPermissions; import com.mujiwulian.mapper.UserMapper; import com.mujiwulian.service.UserPermissionsService; import com.mujiwulian.service.UserService; import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; import com.mujiwulian.util.JwtTokenUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Service; import org.springframework.util.StringUtils; import javax.annotation.Resource; import java.util.List; /** * <p> * 服务实现类 * </p> * * @author zhang * @since 2020-06-19 */ @Service public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService { private static final Logger LOGGER = LoggerFactory.getLogger(UserServiceImpl.class); @Resource private UserMapper userMapper; @Resource private PasswordEncoder passwordEncoder; @Resource private UserDetailsService userDetailsService; @Resource private JwtTokenUtil jwtTokenUtil; @Resource private UserPermissionsService userPermissionsService; @Override public User register(User user) { QueryWrapper<User> qw=new QueryWrapper<>(); qw.lambda().eq(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername()); if( this.list(qw).size()>0){ return null; } //密码加密 user.setPassword(passwordEncoder.encode(user.getPassword())); userMapper.insert(user); return user; } @Override public String login(String username, String password) { String token=""; try { UserDetails userDetails = userDetailsService.loadUserByUsername(username); if (!passwordEncoder.matches(password, userDetails.getPassword())) { throw new BadCredentialsException("密码不正确"); } UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); SecurityContextHolder.getContext().setAuthentication(authentication); token = jwtTokenUtil.generateToken(userDetails); } catch (AuthenticationException e) { LOGGER.warn("登录异常:{}", e.getMessage()); } return token; } @Override public List<UserPermissions> getPermissionList(Long userId) { QueryWrapper<UserPermissions> qwp=new QueryWrapper<>(); qwp.lambda().eq(!StringUtils.isEmpty(userId),UserPermissions::getId,userId); List<UserPermissions> permissionList =userPermissionsService.list(); return permissionList; } @Override public List<User> getlist(User user) { QueryWrapper<User> qw=new QueryWrapper<>(); qw.lambda() .like(!StringUtils.isEmpty(user.getUsername()),User::getUsername,user.getUsername()) .eq(!StringUtils.isEmpty(user.getPassword()),User::getPassword,user.getPassword()) .like(!StringUtils.isEmpty(user.getNickName()),User::getNickName,user.getNickName()) .eq(!StringUtils.isEmpty(user.getStatus()),User::getStatus,user.getStatus()); return this.list(qw); } } 我这里是导入了swagger的包,就用swqgger测试下。老规矩先展示swagger的配置类。 package com.mujiwulian.config; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import springfox.documentation.builders.ApiInfoBuilder; import springfox.documentation.builders.PathSelectors; import springfox.documentation.builders.RequestHandlerSelectors; import springfox.documentation.service.ApiInfo; import springfox.documentation.service.ApiKey; import springfox.documentation.service.AuthorizationScope; import springfox.documentation.service.SecurityReference; import springfox.documentation.spi.DocumentationType; import springfox.documentation.spi.service.contexts.SecurityContext; import springfox.documentation.spring.web.plugins.Docket; import springfox.documentation.swagger2.annotations.EnableSwagger2; import java.util.ArrayList; import java.util.List; /** * TODO: 类描述 * * @author ZHANG * @email zhang@email.com * @date 2020/6/19 10:21 */ @Configuration @EnableSwagger2 public class Swagger2Config { /** * controller接口所在的包 */ @Value("${swagger.basePackage}") private String basePackage; /** * 当前文档的标题 */ @Value("${swagger.title}") private String title; /** * 当前文档的详细描述 */ @Value("${swagger.description}") private String description; /** * 当前文档的版本 */ @Value("${swagger.version}") private String version; @Bean public Docket createRestApi() { return new Docket(DocumentationType.SWAGGER_2) .apiInfo(apiInfo()) .select() //为当前包下controller生成API文档 .apis(RequestHandlerSelectors.basePackage(basePackage)) .paths(PathSelectors.any()) .build() //添加登录认证 .securitySchemes(securitySchemes()) .securityContexts(securityContexts()); } private ApiInfo apiInfo() { return new ApiInfoBuilder() .description(description) .version(version) .title(title) .build(); } private List<ApiKey> securitySchemes(){ //设置请求头信息 List<ApiKey> result = new ArrayList<>(); ApiKey apiKey = new ApiKey("Authorization", "Authorization", "header"); result.add(apiKey); return result; } private List<SecurityContext> securityContexts() { //设置需要登录认证的路径 List<SecurityContext> result = new ArrayList<>(); result.add(SecurityContext.builder() .securityReferences(defaultAuth()) .forPaths(PathSelectors.regex("^(?!auth).*$")) .build()); return result; } private List<SecurityReference> defaultAuth() { List<SecurityReference> result = new ArrayList<>(); AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything"); AuthorizationScope[] authorizationScopes = new AuthorizationScope[1]; authorizationScopes[0] = authorizationScope; result.add(new SecurityReference("Authorization", authorizationScopes)); return result; } }6.输入localhost:8080/swagger-ui.html,找到登陆的接口进行测试 这就是登录后产生的token,前面的Bearer是我们自定义的开头,后面的是jwt的token。将token复制后放到Authorize。这个表示为全局token 如果接口无@PreAuthorize()不会进行权限拦截,加入后如果无对应的权限则会提示无权限。 7.本次分享到此结束。发现问题及时联系,大家一起共同成长。
