【Springboot】Security Filter

[fayeah]

Security是一个比较大的课题，这里主要看Authentication（你是谁）和Authorization（你有啥权限），由于时间关系，目前只实现了一个简单的版本。思路如下：

• 前端request的Authorization与后端环境变量进行匹配
• 使用SecurityFilter技术
• 前端将拿到的token存在localstorage（暂时没有加密）
• ignore静态资源的认证

具体实现：

• 需要引入security相关的dependencies

  implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.security:spring-security-test'

• 需要一个SecurityConfig类来进行相关的配置

  @Configuration
  @EnableWebSecurity
  @EnableGlobalMethodSecurity(securedEnabled = true)
  public class SecurityConfig extends WebSecurityConfigurerAdapter {
  
  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http
              .addFilterBefore(new AuthenticationFilter(), BasicAuthenticationFilter.class)
              .csrf().disable()
              .authorizeRequests()
              .antMatchers("/api/**")
              .permitAll();
  }
  
  @Override
  public void configure(WebSecurity web) {
      web.ignoring().regexMatchers(GET,
              ".*(js|js\\.map|html|css|ico|woff2|png|jpg|gif)$",
              ".*woff2\\?v=(\\d|\\.)*");
  }
  }

• 一个AuthenticationFilter类进行token的校验等

  public class AuthenticationFilter extends OncePerRequestFilter {
  
  @Override
  protected void doFilterInternal(HttpServletRequest request,
                                  HttpServletResponse response, FilterChain filterChain)
          throws ServletException, IOException {
      String path = request.getRequestURI();
      if ("/token".equals(path)) {
          filterChain.doFilter(request, response);
          return;
      }
      String auth = request.getHeader("Authorization");
      if(!isTokenValid(auth)){
          response.sendError(HttpStatus.UNAUTHORIZED.value(), "An unauthorized request.");
      }
      filterChain.doFilter(request, response);
  }
  
  private boolean isTokenValid(String auth) {
      return auth != null && auth.equals(getToken());
  }
  
  public String getToken() {
      return ConfigProperty.getConfigValue("envToken");
  }
  }

• 需要一个获取token的api
• by the way, 从properties里面获取数据的方式

  public static String getConfigValue(String property, String defaultValue) {
      Properties properties = new Properties();
      String value = "";
      try {
          File file = ResourceUtils.getFile("classpath: ***.properties");
          InputStream in = new FileInputStream(file);
          properties.load(in);
          value = properties.getProperty(property, defaultValue);
      } catch (IOException e) {
          log.error(e.getMessage(), e);
      }
      return value;
  }

前端就不细说了，拿到token之后存到storage里面，然后在request的interceptor里面把该token设置到header里，保证所有api都含有该token。只是要注意获取token的时机，我是在app启动的最初始阶段去获取，然后也要考虑到异步的问题。