## 前言
面试过很多Java开发,能把权限这块说的清楚的实在是不多,很多人因为公司项目职责问题,很难学到这类相关的流程和技术,本文梳理一个简单的场景,实现一个基于jwt前后端分离的权限框架。
## 简易流程
### 登录获取票据和缓存信息
### 鉴权流程
## 技术栈和功能规划
本文技术选型为SpringBoot+JWT+Redis, 实现上图的登录流程和鉴权流程,并提供完整项目代码。
**本项目已实现如下功能**:
- 跨域配置
- jwt集成
- redis集成
- BaseController封装,方便取出用户信息
- 拦截器和白名单
- 全局异常
- jwt工具类封装
- redis工具类封装
- redis枚举Key封装
### Redis安装和启动
使用Docker一行命令构建启动Redis,命令如下
```
docker run -itd --name redis-test -p 6379:6379 redis --requirepass "123456redis"
```
指定端口:`6379`
指定密码:`123456redis`
客户端连接测试,问题不大~
### 创建SpringBoot项目并引入JWT依赖
```
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
```
其实主要是引了这个包,其他的就不贴出来了。主要有redis以及json相关的,完整代码都在项目可以自己看
## 写一个登陆方法
`UserController`
```java
@PostMapping("/login")
public UserVO login(@RequestBody LoginDTO loginDTO) {
return userService.login(loginDTO);
}
```
`UserService`
用户信息就模拟的了,都看的懂。登录成功后根据uid生产jwt,然后缓存到redis,封装结果给到前端
```java
package com.lzp.auth.service;
@Service
public class UserService {
@Value("${server.session.timeout:3000}")
private Long timeout;
@Autowired
private RedisUtils redisUtils;
final static String USER_NAME = "admin";
//密码 演示用就不做加密处理了
final static String PWD = "admin";
public UserVO login(LoginDTO loginDTO){
User user = getByName(loginDTO.getUserName());
//用户信息校验和查询
if (user == null){
throw new ServiceException(ResultCodeEnum.LOGIN_FAIL);
}
//密码校验
if(!PWD.equals(loginDTO.getPwd())){
throw new ServiceException(ResultCodeEnum.LOGIN_FAIL);
}
//缓存用户信息并设置过期时间
UserVO userVO = new UserVO();
userVO.setName(user.getName());
userVO.setUid(user.getUid());
userVO.setToken(JWTUtils.generate(user.getUid()));
//信息入库redis
redisUtils.set(RedisKeyEnum.OAUTH_APP_TOKEN.keyBuilder(userVO.getUid()), JSONObject.toJSONString(userVO), timeout);
return userVO;
}
/**
* 通过用户名获取用户
* @param name
* @return
*/
public User getByName(String name){
User user = null;
if(USER_NAME.equals(name)){
user = new User("1","张三","Aa123456");
}
return user;
}
}
```
### 定义登录拦截器
`LoginInterceptor`
```java
package com.lzp.auth.config;
import com.lzp.auth.exception.ServiceException;
import com.lzp.auth.utils.JWTUtils;
import com.lzp.auth.utils.ResultCodeEnum;
import com.lzp.auth.utils.SessionContext;
import io.jsonwebtoken.Claims;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Slf4j
public class LoginInterceptor extends HandlerInterceptorAdapter {
@Autowired
StringRedisTemplate redisTemplate;
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String token = request.getHeader("token");
String requestURI = request.getRequestURI().replaceAll("/+", "/");
log.info("requestURI:{}",requestURI);
if (StringUtils.isEmpty(token)) {
throw new ServiceException(ResultCodeEnum.AUTH_FAIL);
}
Claims claim = JWTUtils.getClaim(token);
if(claim == null){
throw new ServiceException(ResultCodeEnum.AUTH_FAIL);
}
String uid = null;
try {
uid = JWTUtils.getOpenId(token);
} catch (Exception e) {
throw new ServiceException(ResultCodeEnum.AUTH_FAIL);
}
//用户id放到上下文 可以当前请求进行传递
request.setAttribute(SessionContext.USER_ID_KEY, uid);
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
}
}
```
### 配置跨域、资源、定义拦截器、加白名单
```java
package com.lzp.auth.config;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.util.pattern.PathPatternParser;
@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter implements ApplicationContextAware {
private ApplicationContext applicationContext;
public WebMvcConfig() {
super();
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
super.addResourceHandlers(registry);
}
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
this.applicationContext = applicationContext;
}
@Bean
public CorsWebFilter corsFilter() {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedMethod("*");
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
@Bean
LoginInterceptor loginInterceptor() {
return new LoginInterceptor();
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
//拦截规则:除了login,其他都拦截判断
registry.addInterceptor(loginInterceptor())
.addPathPatterns("/**")
.excludePathPatterns("/user/login");
super.addInterceptors(registry);
}
}
```
**postMan调试**
模拟成功和失败场景
成功如上图,返回用户信息和Token
失败如上图
### 测试非白名单接口
**使用token再来访问当前接口**
完美~
至此本项目就完美结束了哦
### 项目代码
https://github.com/pengziliu/GitHub-code-practice
