Open fayeah opened 4 years ago
Security is a fairly large topic; here I mainly look at Authentication (who you are) and Authorization (what you are allowed to do). Because of time constraints, only a simple version has been implemented so far. The idea is as follows:
Concrete implementation:
```groovy
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.security:spring-security-test'
```
A SecurityConfig class is needed to hold the related configuration:
```java
import static org.springframework.http.HttpMethod.GET;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // the custom token filter runs before HTTP Basic would be evaluated
            .addFilterBefore(new AuthenticationFilter(), BasicAuthenticationFilter.class)
            .csrf().disable()
            .authorizeRequests()
            // /api/** is permitAll here because the token check is done by AuthenticationFilter
            .antMatchers("/api/**")
            .permitAll();
    }

    @Override
    public void configure(WebSecurity web) {
        // static assets bypass the security filter chain entirely
        web.ignoring().regexMatchers(GET,
            ".*(js|js\\.map|html|css|ico|woff2|png|jpg|gif)$",
            ".*woff2\\?v=(\\d|\\.)*");
    }
}
```
An AuthenticationFilter class performs the token validation:
```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String path = request.getRequestURI();
        if ("/token".equals(path)) {   // the token endpoint itself does not require a token
            filterChain.doFilter(request, response);
            return;
        }
        String auth = request.getHeader("Authorization");
        if (!isTokenValid(auth)) {
            response.sendError(HttpStatus.UNAUTHORIZED.value(), "An unauthorized request.");
            return;                    // stop here; without this the request still reaches the controller
        }
        filterChain.doFilter(request, response);
    }

    private boolean isTokenValid(String auth) {
        String expected = getToken();
        // fail closed if no token is configured (getConfigValue returns "" on error)
        if (auth == null || expected == null || expected.isEmpty()) {
            return false;
        }
        // constant-time comparison so the check does not leak how many leading bytes matched
        return MessageDigest.isEqual(
                auth.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public String getToken() {
        return ConfigProperty.getConfigValue("envToken");
    }
}
```
The value is read from the properties file like this:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ResourceUtils;

public class ConfigProperty {

    private static final Logger log = LoggerFactory.getLogger(ConfigProperty.class);

    // single-argument form used by AuthenticationFilter.getToken(); a missing key yields null
    public static String getConfigValue(String property) {
        return getConfigValue(property, null);
    }

    public static String getConfigValue(String property, String defaultValue) {
        Properties properties = new Properties();
        String value = "";
        try {
            // no space after "classpath:"; Spring matches the prefix literally
            File file = ResourceUtils.getFile("classpath:***.properties");
            try (InputStream in = new FileInputStream(file)) {   // close the stream after loading
                properties.load(in);
            }
            value = properties.getProperty(property, defaultValue);
        } catch (IOException e) {
            log.error(e.getMessage(), e);
        }
        return value;
    }
}
```
I will not go into the frontend in detail: after obtaining the token, store it in storage, then set it into the header in the request interceptor so that every API call carries the token. The only thing to watch is when the token is fetched; I fetch it at the very beginning of app startup, and the asynchrony also has to be taken into account.
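Because the filter is the only thing standing between the caller and `/api/**` (the matcher is `permitAll`), its two failure modes, continuing the chain after a 401 and comparing the token with plain `equals`, are worth pinning down with a unit test. The following is an added example, not code from the issue or its project: a filter of the same shape as the issue's `AuthenticationFilter` (expected token injected through the constructor instead of read from a properties file on every request) and a JUnit 5 test using the mock servlet classes from `spring-test`, which `spring-security-test` pulls in. It assumes Spring Boot 2.x (`javax.servlet`) and JUnit 5 on the classpath; the `TokenFilter` name and the token value are constructed for the example.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertSame;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

class TokenFilterTest {

    /** Hypothetical filter: same flow as the issue's AuthenticationFilter, expected token injected. */
    static class TokenFilter extends OncePerRequestFilter {
        private static final String BEARER = "Bearer ";
        private final byte[] expected;

        TokenFilter(String expectedToken) {
            this.expected = expectedToken.getBytes(StandardCharsets.UTF_8);
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            if ("/token".equals(request.getRequestURI())) {   // token issuance stays open
                chain.doFilter(request, response);
                return;
            }
            String header = request.getHeader("Authorization");
            boolean valid = header != null
                    && header.startsWith(BEARER)
                    // constant-time comparison of the presented token against the expected one
                    && MessageDigest.isEqual(expected,
                            header.substring(BEARER.length()).getBytes(StandardCharsets.UTF_8));
            if (!valid) {
                response.sendError(HttpStatus.UNAUTHORIZED.value(), "An unauthorized request.");
                return;   // the rejected request must not continue down the chain
            }
            chain.doFilter(request, response);
        }
    }

    private static final String TOKEN = "constructed-test-token";   // constructed sample value

    private MockHttpServletRequest apiRequest(String authorization) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/api/users");
        if (authorization != null) {
            req.addHeader("Authorization", authorization);
        }
        return req;
    }

    @Test
    void validTokenReachesTheChain() throws Exception {
        MockHttpServletRequest req = apiRequest("Bearer " + TOKEN);
        MockHttpServletResponse res = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        new TokenFilter(TOKEN).doFilter(req, res, chain);

        assertEquals(200, res.getStatus());
        assertSame(req, chain.getRequest());   // the chain was invoked with our request
    }

    @Test
    void wrongTokenIsRejectedAndChainIsNotInvoked() throws Exception {
        MockHttpServletRequest req = apiRequest("Bearer not-the-token");
        MockHttpServletResponse res = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        new TokenFilter(TOKEN).doFilter(req, res, chain);

        assertEquals(401, res.getStatus());
        assertNull(chain.getRequest());   // would be non-null if the filter forgot to return after sendError
    }

    @Test
    void missingHeaderIsRejected() throws Exception {
        MockHttpServletResponse res = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        new TokenFilter(TOKEN).doFilter(apiRequest(null), res, chain);

        assertEquals(401, res.getStatus());
        assertNull(chain.getRequest());
    }

    @Test
    void tokenEndpointIsOpen() throws Exception {
        MockHttpServletRequest req = new MockHttpServletRequest("POST", "/token");
        MockHttpServletResponse res = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        new TokenFilter(TOKEN).doFilter(req, res, chain);

        assertEquals(200, res.getStatus());
        assertSame(req, chain.getRequest());
    }
}
```

`MockFilterChain.getRequest()` is the useful probe here: it stays `null` unless the filter actually called `doFilter`, so the second and third tests fail against a filter that sends the 401 but falls through, which is exactly the silent failure the original filter had.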