當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

springboot+springsecurity+mybatis+jwt实现单点登录（详细到爆了）

發布時間：2024/10/5 编程问答 25 豆豆

生活随笔收集整理的這篇文章主要介紹了 springboot+springsecurity+mybatis+jwt实现单点登录（详细到爆了）小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

2021年奉上我最喜歡的一句話：愿你孤獨的努力都有回報，愿你前行的路上有人陪伴。加油😁！

項目下載：https://download.csdn.net/download/Kevinnsm/16751962

文章目錄

一、springsecuriyt基礎
二、jwt
- Ⅰ、jwt是什么
- Ⅱ、為什么要使用jwt
- - 2.1、什么是有狀態
  - 2.2、什么是無狀態
- Ⅲ、jwt的組成
三、springboot+springsecurity+mybatis+jwt實現單點登錄
- Ⅰ、核心流程分析
- Ⅱ、具體代碼實現及其分析
- - 1.JwtTokenUtil
  - 2.統一結果返回封裝類
  - 3、handler處理類
  - - 3.1、AjaxAccessDeniedHandler權限不足處理類
    - 3.2、AjaxAuthenticationEntryPoint匿名無權限處理類
    - 3.3、AjaxAuthenticationFailureHandler認證失敗處理類
    - 3.4、AjaxAuthenticationSuccessHandler認證成功處理類
    - 3.5、AjaxLogoutSuccessHandler退出成功處理類
  - 4、AuthenticationFilter（token的驗證類）
  - 5、SecurityConfig配置類
  - 6、自定義異常處理類
  - - 6.1、RegisterFailureException注冊失敗異常處理類
    - 6.2、RegisterUsernameHasBeenExists注冊時用戶名已經存在異常處理類
    - 6.3、Controller層全局異常處理類
  - 7、controller，service，mapper，entity，mapper.xml編寫
  - - 7.1、controller
    - 7.2、service
    - 7.4、mapper
    - 7.5、mapper.xml
    - 7.6、entity
  - 8、application.yml
  - 9、html測試

一、springsecuriyt基礎

1、spring security安全框架入門篇：blog.csdn.net/Kevinnsm/article/details/11

2、springsecurity之用戶認證：blog.csdn.net/Kevinnsm/article/details/12

3、springsecurity之用戶授權：blog.csdn.net/Kevinnsm/article/details/13

4、spring security實現登錄和注銷：blog.csdn.net/Kevinnsm/article/details/14

5、springsecurity出現重定向次數過多：blog.csdn.net/Kevinnsm/article/details/15

6、手把手帶你擼一把springsecurity框架源碼中的認證流程：blog.csdn.net/Kevinnsm/article/details/16

二、jwt

Ⅰ、jwt是什么

JWT，全稱是Json Web Token，是JSON風格輕量級的授權和身份認證規范，可實現無狀態、分布式的Web應用授權。

Ⅱ、為什么要使用jwt

互聯網認證方式由兩種：無狀態和有狀態

2.1、什么是有狀態

即服務端需要記錄每次會話的客戶端信息，典型的如session

有狀態流程

1.當用戶登錄后，客戶端會保存該用戶的信息到服務端的session中，然后返回一個sessionId，將其保存到客戶端的Cookie中

2.當下次用戶訪問時攜帶者Cokkie值，這樣服務端就能識別對應的session

缺點

1.服務端保存大量用戶狀態信息，增大了服務端的壓力
2.服務端保存用戶狀態信息，無法進行水平擴展（用戶狀態信息只保存在這一個服務器中，訪問其他服務器還需要重新登錄認證）

簡單了說有狀態就是服務端需要保存用戶狀態信息

2.2、什么是無狀態

服務端不需要保存任何客戶端的用戶狀態信息
我是劉松林的而

無狀態流程

1.用戶第一次訪問時，服務端要求用戶進行身份認證（登錄）
2.用戶認證成功后，服務端返回一個token，返回給客戶端作為令牌
3.當用戶再次訪問時需要攜帶該token(令牌)，服務端對令牌進行解密判斷

優點

1.減少了服務端的壓力
2.服務端可以進行任意的伸縮
3.用戶登錄后可以向多個服務器進行訪問而不用進行二次登錄

當然無狀態最重要的就是保證token的安全性

Ⅲ、jwt的組成

Jwt由三部分組成

1、header

header由兩部分組成

1、聲明類型：這里是jwt
2、簽名算法：比如SHA256、SHA512等

header經過base64編碼之后就形成了jwt第一部分

2、Payload（載荷）

payload是JWT的主體內容部分，也是一個JSON對象，包含需要傳遞的數據

iss：發行人
exp：到期時間
sub：主題
…

經過base64編碼之后形成了jwt的第二部分

3、Signature（簽名）

一般根據前兩步的數據，再加上服務的的密鑰（secret），通過header里面聲明的加密算法生成jwt的第三部分。

secret是服務端用來進行jwt的簽發和校驗，所以說secret非常重要，任何時候都不應該泄露jwt，一旦jwt泄露，意味著惡意用戶可以自我簽發jwt了。

三、springboot+springsecurity+mybatis+jwt實現單點登錄

Ⅰ、核心流程分析

如果使用springsecurity進行過認證操作，那么這下面將會對你來說很簡單

1、根據前述的無狀態概念，當用戶登錄成功后，我們需要在服務端進行token的生成（當然這里是使用jwt生成token)；然后當用戶進行再次訪問時，我們需要對token進行解析、判斷等；所以我們可以將token的創建、解析、判斷等封裝到一個工具類JwtTokenUtil中。

2、我們還需要自定義一個AuthenticationFilter過濾器用來攔截請求；判斷請求中是否攜帶token，如果攜帶了token，那就進行解析判斷；如果沒有token，則可能是首次登錄，所以可以放行，交給springsecurity進行認證（也就是交給UsernamePasswordAuthenticationFilter過濾器）

3、第二步中有一個關鍵點，我們自定義的AuthenticationFilter過濾器應該加到哪個地方，我們都知道springsecurity本質上是一串過濾器鏈，將請求進行層層攔截、判斷、放行或者不放行。根據第二步的分析我們可以將AuthenticationFilter過濾器加入到UsernamePasswordAuthenticationFilter過濾器前面，這樣一來第二步就行很清晰了。

其他就類似于springsecurity進行認證和授權的步驟了

Ⅱ、具體代碼實現及其分析

1.JwtTokenUtil

package com.jwt.utils;import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jws; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm;import java.util.Date; import java.util.HashMap; import java.util.Map;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/13* @description:*/ public class JwtTokenUtils {/*** 請求頭*/private static final String TOKEN_HEADER = "Authorization";/*** TOKEN 前綴*/public static final String TOKEN_PREFIX = "Bearer";/*** 私鑰*/private static final String TOKEN_SECRET = "secret";/*** 令牌過期時間 : one day*/private static final long TOKEN_EXPIRATION = 1000 * 60 * 60 * 24;/*** 角色權限定義*/private static final String ROLE_CLAIMS = "role";/*** 創建令牌** @param username* @param role*/public static String createToken(String username, String role) {Map<String, Object> map = new HashMap<>();map.put(ROLE_CLAIMS, role);return Jwts.builder().setClaims(map).setSubject(username).claim("username", username).setIssuedAt(new Date()).setExpiration(new Date(System.currentTimeMillis() + TOKEN_EXPIRATION)).signWith(SignatureAlgorithm.HS256, TOKEN_SECRET).compact();}/*** 獲取解析后的token信息* @param token* @return*/public static Claims getTokenBody(String token) {return parseToken(token).getBody();}/*** 檢查token是否存在* @param token* @return*/public static Claims checkToken(String token) {try {Claims claims = getTokenBody(token);return claims;} catch (Exception e) {return null;}}/*** 判斷令牌是否過期* @param token 令牌* @return boolean* @describe getExpiration()獲取令牌過期時間*/public static boolean isExpiration(String token) {return getTokenBody(token).getExpiration().before(new Date());}/*** 解析令牌* @param token* @return*/public static Jws<Claims> parseToken(String token) {return Jwts.parser().setSigningKey(TOKEN_SECRET).parseClaimsJws(token);}/*** 解析token，獲取用戶名*/public static String parseTokenToUsername(String token) {String username = getTokenBody(token).getSubject();return username;} }

2.統一結果返回封裝類

使用泛型，因為在實際的場景中可能由多種不同的數據要進行返回

package com.jwt.utils;import lombok.Data;import java.io.Serializable;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/12* @description:*/ @Data public class ResponseBody<T> implements Serializable {private Integer code;private String msg;private T data;public ResponseBody(Integer code, String msg) {this.code = code;this.msg = msg;}public ResponseBody(Integer code, String msg, T data) {this.code = code;this.msg = msg;this.data = data;} }

3、handler處理類

這些處理類將在SecurityConfig配置類中進行配置，所以需要先將每個handler處理類放到spring容器中====》@Component注解

3.1、AjaxAccessDeniedHandler權限不足處理類

package com.jwt.handler;import com.alibaba.fastjson.JSON; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/12* @description: 權限不足處理類*/ @Component public class AjaxAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {response.setStatus(HttpServletResponse.SC_FORBIDDEN);response.getWriter().write(JSON.toJSONString("權限不足"));} }

3.2、AjaxAuthenticationEntryPoint匿名無權限處理類

當用戶匿名訪問資源時（即不登陸去訪問資源），會跳轉到登錄頁面

package com.jwt.handler;import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description: 匿名未認證登錄處理類*/ @Component public class AjaxAuthenticationEntryPoint implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {response.setContentType("application/json;charset=utf-8");request.getRequestDispatcher("/login.html").forward(request,response);} }

3.3、AjaxAuthenticationFailureHandler認證失敗處理類

當用戶登錄失敗時，會拋出相應的異常，然后交給該類進行判斷是哪一種異常。

package com.jwt.handler;import com.alibaba.fastjson.JSON; import lombok.extern.slf4j.Slf4j; import org.springframework.security.authentication.*; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/11* @description: 認證失敗Handler處理類*/ @Slf4j //日志 @Component public class AjaxAuthenticationFailureHandler implements AuthenticationFailureHandler {private String url;public AjaxAuthenticationFailureHandler(){}public AjaxAuthenticationFailureHandler(String url) {this.url = url;}@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {String failData = "";if (exception instanceof AccountExpiredException) {failData = "賬號過期";} else if (exception instanceof UsernameNotFoundException) {failData = "賬號不存在";} else if (exception instanceof CredentialsExpiredException) {failData = "密碼過期";} else if (exception instanceof DisabledException) {failData = "賬號不可用";} else if (exception instanceof LockedException) {failData = "賬號鎖定";} else if (exception instanceof BadCredentialsException) {failData = "密碼錯誤";} else {failData = "未知異常";}log.info("認證失敗,"+failData);//設置編碼格式，否則中文會亂碼response.setCharacterEncoding("utf-8);response.setContentType("application/json;charset=utf-8");//返回統一數據response.getWriter().write(JSON.toJSONString(failData));} }

3.4、AjaxAuthenticationSuccessHandler認證成功處理類

當用戶認證成功后，將交與該處理類處理；返回token（前綴帶bearer，所以服務端在進行解析token時，應該將bearer去掉。

package com.jwt.handler;import com.alibaba.fastjson.JSON; import com.jwt.entity.User; import com.jwt.utils.JwtTokenUtils; import com.jwt.utils.ResponseBody; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/11* @description: 認證成功Handler處理類*/ @Component public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler {private String url;public AjaxAuthenticationSuccessHandler() {}public AjaxAuthenticationSuccessHandler(String url) {this.url = url;}@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {User user = (User) authentication.getPrincipal();String token = JwtTokenUtils.createToken(user.getUsername(), String.valueOf(user.getAuthorities()));//設置編碼,如果不設置會亂碼response.setCharacterEncoding("utf-8");response.setContentType("application/json;charset=utf-8");//設置返回的token 帶有Bearer的前綴字符串response.setHeader("Authorization", JwtTokenUtils.TOKEN_PREFIX+token);response.getWriter().write(new ResponseBody<User>(200,"登錄成功",user).toString());} }

3.5、AjaxLogoutSuccessHandler退出成功處理類

當用戶退出登錄成功時，跳轉到登錄頁面

package com.jwt.handler;import lombok.extern.slf4j.Slf4j; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; import org.springframework.stereotype.Component;import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/16* @description:*/ @Component @Slf4j public class AjaxLogoutSuccessHandler implements LogoutSuccessHandler {@Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {request.getRequestDispatcher("/login.html").forward(request,response);} }

4、AuthenticationFilter（token的驗證類）

該類對請求進行攔截，配置到UsernamePasswordAuthenticationFilter過濾器類的前面，至于功能前面已經分析過。

Spring Security使用一個Authentication對象來描述當前用戶的相關信息。SecurityContextHolder中持有的是當前用戶的SecurityContext，而SecurityContext持有的是代表當前用戶相關信息的Authentication的引用。這個Authentication對象不需要我們自己去創建，在與系統交互的過程中，Spring Security會自動為我們創建相應的Authentication對象，然后賦值給當前的SecurityContext，我們經常會使用SecurityContextHolder獲取SecurityContext實例，然后獲取Authentication實例。下面會是使用到

package com.jwt.filter; import com.jwt.entity.User; import com.jwt.service.LoginUserDetailService; import com.jwt.utils.JwtTokenUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;@Component public class AuthenticationFilter extends OncePerRequestFilter {@AutowiredLoginUserDetailService userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {//獲取請求頭中的token加密串（名字是Authorization，JwtTokenUtils工具類里面定義的String authHeader = request.getHeader("Authorization"); //判斷是否是以Bearer開頭的，這是我自定義的前綴名）if (authHeader != null && authHeader.startsWith("Bearer ")) {//將Bearer去掉，因為返回token時，我在token前綴加入了Bearer字符串String authToken = authHeader.substring("Bearer ".length()); //解析加密串，獲取用戶名String username = JwtTokenUtils.parseTokenToUsername(authToken);//看當前SecurityContext中是否有Authentication實例（前面已經介紹過）if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { //如果Authentication沒有當前用戶的信息，然后從數據庫中查詢出相應的信息User user = (User) userDetailsService.loadUserByUsername(username);if (user != null) {//封裝到UsernamePasswordAuthenticationToken令牌類中UsernamePasswordAuthenticationToken authentication =new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); //將用戶信息放到Authenticatin實例中進行存儲SecurityContextHolder.getContext().setAuthentication(authentication);}}}filterChain.doFilter(request, response);} }

這個過濾器類里面是jwt最核心的點
首先請求進入到該過濾器類時，獲取token串，進行解析；然后查看Authentication是否為null，如果為null，根據解析到的用戶名去數據庫查詢相應的信息，一并將其放到Authentication實例中。
當你下一次再進行token判斷時，直接從Authentication拿取相應信息即可，不需要再查詢數據庫。

5、SecurityConfig配置類

package com.jwt.config; import com.jwt.filter.AuthenticationFilter; import com.jwt.handler.*; import com.jwt.service.LoginUserDetailService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl; import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;import javax.annotation.Resource; import javax.sql.DataSource;@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter {@Resourceprivate LoginUserDetailService userDetailsService;@Autowiredprivate AjaxAccessDeniedHandler deniedHandler;@Autowiredprivate AjaxAuthenticationEntryPoint ajaxAuthenticationEntryPoint;@Autowiredprivate AjaxAuthenticationSuccessHandler successHandler;@Autowiredprivate AjaxAuthenticationFailureHandler failureHandler;@Autowiredprivate DataSource dataSource;@Autowiredprivate AuthenticationFilter authenticationFilter;@Autowiredprivate AjaxLogoutSuccessHandler logoutSuccessHandler;/*** 攔截策略* @param http* @throws Exception*/@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().and().formLogin().loginPage("/login.html").loginProcessingUrl("/login").successHandler(successHandler).failureHandler(failureHandler).and().authorizeRequests().antMatchers("/login.html","/register.html","/register","/js/**").permitAll().and().exceptionHandling().accessDeniedHandler(deniedHandler).authenticationEntryPoint(ajaxAuthenticationEntryPoint).and().authorizeRequests().anyRequest().authenticated();http.addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);//設置記住我http.rememberMe().tokenRepository(persistentTokenRepository()).tokenValiditySeconds(600).userDetailsService(userDetailsService);//配置退出登錄操作http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);//關閉csrf防護http.csrf().disable();}@Beanpublic BCryptPasswordEncoder bCryptPasswordEncoder(){return new BCryptPasswordEncoder();}/*** 配置忽略的URL* @param web* @throws Exception*/@Overridepublic void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers("/");}/*** 攔截后需要使用自定義的類和加密解密方式* @param auth* @throws Exception*/@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.authenticationProvider(daoAuthenticationProvider());auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());}@Override@Beanprotected AuthenticationManager authenticationManager() throws Exception {return super.authenticationManager();}/*** * @return HideUserNotFoundExceptions(false)，否則UsernameNotFoundException異常會被BadCredentialsException異常覆蓋*/@Beanpublic AuthenticationProvider daoAuthenticationProvider() {DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService);daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());daoAuthenticationProvider.setHideUserNotFoundExceptions(false);return daoAuthenticationProvider;}//這是spirngsecurity記住我功能需要加入代碼 //JdbcTokenRepositoryImpl是將其保存到數據庫中@Beanpublic PersistentTokenRepository persistentTokenRepository() {//這個是記住我保存到數據庫的類，當然還有保存到內存的類JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();//設置數據源tokenRepository.setDataSource(dataSource);//這個會在第一次使用記住我時在數據庫中創建一張表(用戶、過期時間等）//在第二次一定要將其注釋掉，否者會報錯。// tokenRepository.setCreateTableOnStartup(true);return tokenRepository;} }

6、自定義異常處理類

6.1、RegisterFailureException注冊失敗異常處理類

package com.jwt.exception;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ public class RegisterFailureException extends Exception{private String message;public RegisterFailureException() {super();}public RegisterFailureException(String message) {this.message = message;} }

6.2、RegisterUsernameHasBeenExists注冊時用戶名已經存在異常處理類

package com.jwt.exception;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ public class RegisterUsernameHasBeenExists extends Exception{private String message;public RegisterUsernameHasBeenExists(String message) {this.message = message;} }

6.3、Controller層全局異常處理類

package com.jwt.exception.controllerException;import com.jwt.exception.RegisterUsernameHasBeenExists; import lombok.extern.slf4j.Slf4j; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; import org.springframework.validation.BindException; import org.springframework.validation.BindingResult; import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.RestControllerAdvice;import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.sql.SQLException; import java.util.Objects;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ @Slf4j @RestControllerAdvice public class ControllerHandlerExceptionAdvice {private static final Logger logger = LoggerFactory.getLogger(ControllerHandlerExceptionAdvice.class);/*** 攔截表單參數異常處理* @param exception* @param request* @return*/@ResponseStatus(HttpStatus.OK)@ExceptionHandler({BindException.class})public String bindException(BindException exception, HttpServletRequest request) {logger.info("表單攔截校驗處理=====>");logger.info("表單數據======>"+request.getContentType());BindingResult bindingResult = exception.getBindingResult();return Objects.requireNonNull(bindingResult.getFieldError().getDefaultMessage());}@ExceptionHandlerpublic String handler(HttpServletRequest request, HttpServletResponse response, Exception e) {logger.info("RestFul 請求發生異常........");if (response.getStatus() == HttpStatus.BAD_REQUEST.value()) {logger.info("狀態值不是200,正準備修改為200");response.setStatus(HttpStatus.OK.value());}if (e instanceof NullPointerException) {logger.error("發生了空指針異常======》",e.getMessage());return "空指針異常";} else if (e instanceof IllegalArgumentException) {logger.error("請求參數不匹配異常======>",e.getMessage());return "請求參數不匹配";} else if (e instanceof SQLException) {logger.error("數據庫訪問異常======>",e.getMessage());return "數據庫訪問異常";} else if (e instanceof BindException) {BindingResult bindingResult = ((BindException) e).getBindingResult();logger.error("表單校驗異常",bindingResult.getFieldError().getDefaultMessage());return Objects.requireNonNull(bindingResult.getFieldError().getDefaultMessage());} else if (e instanceof RegisterUsernameHasBeenExists) {logger.info("用戶名已經存在");return "用戶名已經存在";} else {logger.error("未知異常",e.getMessage());return "服務器端未知異常,請去檢查!";}} }

7、controller，service，mapper，entity，mapper.xml編寫

這幾個類就是簡單的crud了，沒什么可說的

7.1、controller

package com.jwt.controller;import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/7* @description:*/ @Controller public class LoginController {@RequestMapping("/toMain")public String main() {return "redirect:success.html";}@RequestMapping("/")public String demo() {return "main";}@RequestMapping("/logout")public String logout() {return "redirect:login.html";} } package com.jwt.controller;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists; import com.jwt.service.RegisterService; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.RequestMapping;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Controller @Slf4j public class RegisterController {@Autowiredprivate RegisterService registerService;@RequestMapping("/register")public String register(@Validated UserDto userDto) throws RegisterUsernameHasBeenExists {log.info("注冊的數據為:"+userDto.toString() );User user = registerService.selectDup(userDto.getUsername());if (user == null) {throw new RegisterUsernameHasBeenExists("用戶已存在");}try {registerService.register(userDto);} catch (RegisterFailureException e) {e.printStackTrace();}return "/";} } package com.jwt.controller;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.web.bind.annotation.*;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/15* @description:*/ @RestController @RequestMapping("/api") @EnableWebSecurity public class TestController {@RequestMapping("/add")public String add() {return "add";}@RequestMapping("select")public String select() {return "select";}@RequestMapping("/delete")public String delete() {return "delete";}@RequestMapping("/update")public String update() {return "update";} }

7.2、service

package com.jwt.service;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ public interface RegisterService {boolean register(UserDto userDto) throws RegisterFailureException;User selectDup(String username) throws RegisterUsernameHasBeenExists; }

這個LoginUserDetailService是要實現UserDetailService，根據用戶名查詢數據數據庫用戶信息，將其交給SpringSecurity進行認證

至于為什么要這樣：https://blog.csdn.net/Kevinnsm/article/details/115189976

package com.jwt.service;import com.jwt.entity.User; import com.jwt.mapper.LoginMapper; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Service;import java.util.ArrayList; import java.util.List;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/7* @description: 根據傳來的username去數據庫中查詢用戶信息,然后交給springsecurity去認證*/ @Service @Slf4j public class LoginUserDetailService implements UserDetailsService {@Autowiredprivate LoginMapper loginMapper;@Autowiredprivate PasswordEncoder passwordEncoder;/**** 自定義認證* @param username* @return* @throws UsernameNotFoundException*/@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {if (username == null || username.equals("")) {throw new RuntimeException("用戶名不能為空!");}User user = loginMapper.findByUsername(username);if (user == null) {throw new UsernameNotFoundException("用戶不能為空!");}log.info("根據username查詢的用戶信息為===>"+user.toString() + "==》等待認證！");List<GrantedAuthority> authorities = new ArrayList<>(); // loginMapper.findAuthorityByUsername(username).forEach(role-> // authorities.add(new SimpleGrantedAuthority((String) role)) // );authorities.add(new SimpleGrantedAuthority(loginMapper.findAuthorityByUsername(username)));user.setAuthorities(authorities);log.info(user.getUsername()+"用戶的所有權限為權限===>"+authorities.toString());return new User(user.getUsername(), passwordEncoder.encode(user.getPassword()),authorities);}} package com.jwt.service.impl;import com.jwt.entity.User; import com.jwt.entity.UserDto; import com.jwt.exception.RegisterFailureException; import com.jwt.exception.RegisterUsernameHasBeenExists; import com.jwt.mapper.RegisterMapper; import com.jwt.service.RegisterService; import com.sun.deploy.association.RegisterFailedException; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Service @Slf4j public class RegisterServiceImpl implements RegisterService {@Autowiredprivate RegisterMapper registerMapper;@Overridepublic boolean register(UserDto userDto) throws RegisterFailureException {boolean b = registerMapper.register(userDto);System.out.println(b);if (!b) {log.info("注冊失敗");throw new RegisterFailureException("注冊失敗");}return b;}@Overridepublic User selectDup(String username) throws RegisterUsernameHasBeenExists {User user = registerMapper.selectDup(username);if (user != null) {throw new RegisterUsernameHasBeenExists("用戶名已經存在");}return null;} }

7.4、mapper

@Repository public interface LoginMapper {User findByUsername(String username);String findAuthorityByUsername(String username); } @Repository public interface RegisterMapper {boolean register(UserDto userDto);User selectDup(String username); }

7.5、mapper.xml

<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.jwt.mapper.LoginMapper"><select id="findByUsername" resultType="User" parameterType="string">select * from user where username = #{username} limit 1</select><select id="findAuthorityByUsername" resultType="string">select authority from role where username = #{username} limit 1</select> </mapper> <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.jwt.mapper.RegisterMapper"><insert id="register" parameterType="userDto">insert into user (username,password) values(#{username},#{password})</insert><select id="selectDup" resultType="user">select * from user where username=#{username} limit 1</select> </mapper>

7.6、entity

@Data @NoArgsConstructor public class User implements UserDetails {private String username;private String password;private List<GrantedAuthority> authorities;@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return this.authorities;}public User(String username, String password, List<GrantedAuthority> authorities) {this.username = username;this.password = password;this.authorities = authorities;}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;} } @Data public class Authority implements Serializable {private String roles; } package com.jwt.entity;import com.sun.istack.internal.NotNull; import lombok.Data;import javax.validation.constraints.Size; import java.io.Serializable;/*** @author:抱著魚睡覺的喵喵* @date:2021/4/14* @description:*/ @Data public class UserDto implements Serializable {@NotNull@Size(min = 3, max = 15, message = "用戶名必須在3~15之間")private String username;@NotNull@Size(min = 5, max = 15, message = "密碼必須在5~15之間")private String password; }

8、application.yml

spring:datasource:url: jdbc:mysql://localhost:3306/security?serverTimezone=UTCusername: rootpassword: hao20001010mybatis:mapper-locations: mapper/**type-aliases-package: com.jwt.entityserver:port: 8081

9、html測試

templates模板下的main.html

<!DOCTYPE html> <html lang="en" xmlns="http://www.w3.org/1999/xhtml" > <head><meta charset="UTF-8"><title>Title</title> </head> <body><h1>這是主頁面</h1> <br/><a href="login.html">登錄</a><a href="register.html">注冊</a><br><hr><h2>操作如下</h2><a href="/api/add">添加商品</a><a href="/api/select">查詢商品</a><a href="/api/update">修改商品</a><a href="/api/delete">刪除商品</a><a href="/logout">退出登錄</a></body> </html>

static文件下

<!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title></head> <body> <h2>=======登錄頁面=========</h2><form action="/login" method="post">username:<input type="text" name="username"/><br/>password:<input type="password" name="password" /><br/>remember me:<input type="checkbox" name="remember-me" value="true"/><br/><input type="submit" value="提交" /></form> </body></html> <!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title> </head> <body> <h2>=========注冊頁面=========</h2> <form action="/register" method="post"><table>username:<input type="text" name="username"/><br/>password:<input type="password" name="password"/><br/><input type="submit" value="提交"/></table> </form> </body> </html> <!DOCTYPE html> <html lang="en"> <head><meta charset="UTF-8"><title>Title</title> </head> <body> <h1>分頁面</h1><br> <a href="/toMain">主頁面</a><br> <a href="/logout">退出</a></body> </html>

到這里也就是結束了，測試截圖就不再發了，Controller層應該使用Rest風格的。

回顧這個小demo，其實簡單了分析就是：springsecurity是一串過濾器鏈，然后自定義jwt的校驗token過濾器，最后將其加入到過濾器鏈中，至于加到什么位置，想必都明白了。

核心就前端那一段，其他的基本數就是springsecurity的基本操作和一些crud操作及其某些細節。把握住核心即可。

總結

以上是生活随笔為你收集整理的springboot+springsecurity+mybatis+jwt实现单点登录（详细到爆了）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇：经验：在mysql中避免重复插入数据的4
下一篇： springcloud初体验（一句话，真

编程问答

springboot+springsecurity+mybatis+jwt实现单点登录（详细到爆了）

文章目錄

一、springsecuriyt基礎

二、jwt

Ⅰ、jwt是什么

Ⅱ、為什么要使用jwt

2.1、什么是有狀態

2.2、什么是無狀態

Ⅲ、jwt的組成

三、springboot+springsecurity+mybatis+jwt實現單點登錄

Ⅰ、核心流程分析

Ⅱ、具體代碼實現及其分析

1.JwtTokenUtil

2.統一結果返回封裝類

3、handler處理類

3.1、AjaxAccessDeniedHandler權限不足處理類

3.2、AjaxAuthenticationEntryPoint匿名無權限處理類

3.3、AjaxAuthenticationFailureHandler認證失敗處理類

3.4、AjaxAuthenticationSuccessHandler認證成功處理類

3.5、AjaxLogoutSuccessHandler退出成功處理類