spring security6.0.2自定义token，实现权限控制

由于本系统目前还未集成redis等分布式缓存，目前用的是谷歌的guava做本地缓存来是实现token的时间有效期管理。

实现token生成工类TokenGenerator

public class TokenGenerator {

    public static String generateValue() {
        return generateValue(UUID.randomUUID().toString());
    }

    private static final char[] HEX_CODE = "0123456789abcdef".toCharArray();

    public static String toHexString(byte[] data) {
        if(data == null) {
            return null;
        }
        StringBuilder r = new StringBuilder(data.length*2);
        for ( byte b : data) {
            r.append(HEX_CODE[(b >> 4) & 0xF]);
            r.append(HEX_CODE[(b & 0xF)]);
        }
        return r.toString();
    }

    public static String generateValue(String param) {
        try {
            MessageDigest algorithm = MessageDigest.getInstance("MD5");
            algorithm.reset();
            algorithm.update(param.getBytes());
            byte[] messageDigest = algorithm.digest();
            return toHexString(messageDigest);
        } catch (Exception e) {
            throw new ServerException("token invalid", e);
        }
    }
}           

实现admin关token服务

public interface SysUserTokenService extends IService<SysUserTokenEntity> {

    /**
     * 生成token
     * @param loginUser  登录用户信息
     */
    RsObject createToken(UserDetail loginUser);


    /**
     * 获取用户身份信息
     *
     * @return 用户信息
     */
    public UserDetail getLoginUser(HttpServletRequest request);

    /**
     * 退出
     * @param userId  用户ID
     */
    void logout(Long userId);

//    /**
//     * 在线用户分页
//     */
//    PageData<SysOnlineEntity> onlinePage(Map<String, Object> params);

}
           

新建一个filter用于校验登录信息AuthenticationTokenFilter

@Component
public class AuthenticationTokenFilter extends OncePerRequestFilter
{
    @Autowired
    private SysUserTokenService tokenService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException
    {
        UserDetail loginUser = tokenService.getLoginUser(request);
        if (StringUtils.isNotNull(loginUser) && StringUtils.isNull(SecurityUser.getAuthentication()))
        {
            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        }
        chain.doFilter(request, response);
    }
}           

天骄套SecurityConfig 配置

然后把如下配置从白名单中移除

启动服务刷新后台查询接口报错403

修改前端页面把后端返回的token保存下来并放到http请求头里面，如下编码

export const formatToken = (token: string): string => {
  return "Bearer " + token;
};           

然后从登录，带上token后就可以正常访问了