精品網(wǎng)站建設比較好,婚紗網(wǎng)站源代碼,茂名企業(yè)做網(wǎng)站,外貿(mào)網(wǎng)站推廣營銷一、login接口鑒權流程1.1 流程概述login接口是用戶認證入口#xff0c;核心是驗證用戶名密碼并生成JWT Token。流程涉及控制器、認證管理器、用戶服務、密碼編碼器、JWT工具和過濾器協(xié)同工作。1.2 詳細步驟與代碼示例1.2.1 請求接收#xff08;Controller層接口#xff09;…一、login接口鑒權流程1.1 流程概述login接口是用戶認證入口核心是驗證用戶名密碼并生成JWT Token。流程涉及控制器、認證管理器、用戶服務、密碼編碼器、JWT工具和過濾器協(xié)同工作。1.2 詳細步驟與代碼示例1.2.1 請求接收Controller層接口組件標注表現(xiàn)層接口AuthController.login()RestControllerRequestMapping(/api/auth)RequiredArgsConstructorpublic class AuthController {private final AuthenticationManager authenticationManager;private final JwtUtils jwtUtils;PostMapping(/login)public ResultJwtResponse login(RequestBody LoginRequest request) {Authentication authentication authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(request.getUsername(), request.getPassword()));UserDetails userDetails (UserDetails) authentication.getPrincipal();String token jwtUtils.generateToken(userDetails);return Result.success(new JwtResponse(token, userDetails.getUsername()));}}Data class LoginRequest { private String username; private String password; }Data class JwtResponse { private String token; private String username; public JwtResponse(String t, String u) { tokent; usernameu; } }1.2.2 觸發(fā)認證與加載用戶信息Service層自定義用戶服務實現(xiàn)ServiceRequiredArgsConstructorpublic class UserDetailsServiceImpl implements UserDetailsService {private final UserMapper userMapper;private final RoleMapper roleMapper;Overridepublic UserDetails loadUserByUsername(String username) {UserPo user userMapper.selectOne(new QueryWrapperUserPo().eq(username, username));if (user null) throw new UsernameNotFoundException(用戶不存在);SetRolePo roles roleMapper.findRolesByUserId(user.getId());user.setRoles(roles);return user;}}Spring Security認證管理器源碼核心邏輯ProviderManagerpublic class ProviderManager implements AuthenticationManager {private ListAuthenticationProvider providers;public Authentication authenticate(Authentication auth) {for (AuthenticationProvider p : providers) {if 
(p.supports(auth.getClass())) {Authentication result p.authenticate(auth);if (result ! null) return result;}}throw new AuthenticationException(認證失敗) {};}}1.2.3 密碼校驗Util層配置類代碼Configurationpublic class SecurityConfig {Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }}密碼對比源碼核心邏輯DaoAuthenticationProviderpublic class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {protected void additionalAuthenticationChecks(UserDetails ud, UsernamePasswordAuthenticationToken auth) {String presented auth.getCredentials().toString();String encoded ud.getPassword();if (!passwordEncoder.matches(presented, encoded)) throw new BadCredentialsException(密碼錯誤);}}BCryptPasswordEncoder源碼核心邏輯public class BCryptPasswordEncoder implements PasswordEncoder {public boolean matches(CharSequence raw, String encoded) {BCrypt.HashData hashData decode(encoded);byte[] hashed BCrypt.hashpw(raw.toString(), hashData);return constantTimeEquals(hashed, hashData.password);}}1.2.4 生成JWT TokenUtil層JWT工具類代碼Componentpublic class JwtUtils {Value(${app.jwt.secret}) private String secret;Value(${app.jwt.expiration}) private long expiration;public String generateToken(UserDetails ud) {return Jwts.builder().setSubject(ud.getUsername()).setIssuedAt(new Date()).setExpiration(new Date(System.currentTimeMillis() expiration)).signWith(SignatureAlgorithm.HS256, secret).compact();}}1.2.5 后續(xù)請求認證插件層Filter自定義過濾器代碼ComponentRequiredArgsConstructorpublic class JwtAuthFilter extends OncePerRequestFilter {private final JwtUtils jwtUtils;private final UserDetailsServiceImpl userDetailsService;Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) {String token parseJwt(req);if (token ! 
null jwtUtils.validateToken(token)) {String username jwtUtils.extractUsername(token);UserDetails ud userDetailsService.loadUserByUsername(username);UsernamePasswordAuthenticationToken auth new UsernamePasswordAuthenticationToken(ud, null, ud.getAuthorities());SecurityContextHolder.getContext().setAuthentication(auth);}chain.doFilter(req, res);}private String parseJwt(HttpServletRequest req) {String h req.getHeader(Authorization);return (h ! null h.startsWith(Bearer )) ? h.substring(7) : null;}}1.3 login接口執(zhí)行流程圖前端發(fā)起登錄請求
POST /api/auth/login → AuthController.login → AuthenticationManager.authenticate → DaoAuthenticationProvider.authenticate → UserDetailsServiceImpl.loadUserByUsername → UserMapper.selectOne
查詢用戶基礎信息 → RoleMapper.findRolesByUserId
加載角色權限 → additionalAuthenticationChecks
密碼校驗 → BCryptPasswordEncoder.matches
比對密碼 → 生成已認證憑證
UsernamePasswordAuthenticationToken → JwtUtils.generateToken
生成JWT Token返回Token給前端二、PreAuthorize接口鑒權流程2.1 流程概述PreAuthorize是方法級權限控制注解核心是在方法執(zhí)行前校驗用戶權限。流程涉及AOP攔截、權限解析、授權決策三個階段。2.2 詳細步驟與代碼示例2.2.1 控制器接口標注PreAuthorize表現(xiàn)層RestControllerRequestMapping(/api/order)RequiredArgsConstructorpublic class OrderController {private final OrderService orderService;GetMappingPreAuthorize(hasAuthority(order:view))public PageResultOrderVo listOrders(OrderQuery query) {return orderService.queryOrders(query);}}2.2.2 AOP攔截與權限表達式解析插件層配置類代碼ConfigurationEnableGlobalMethodSecurity(prePostEnabled true)public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {Override protected MethodSecurityExpressionHandler createExpressionHandler() {DefaultMethodSecurityExpressionHandler h new DefaultMethodSecurityExpressionHandler();h.setPermissionEvaluator(new CustomPermissionEvaluator());return h;}}MethodSecurityInterceptor源碼核心邏輯public class MethodSecurityInterceptor implements MethodInterceptor {public Object invoke(MethodInvocation mi) {CollectionConfigAttribute attrs attributeSource.getAttributes(mi);if (attrs null) return mi.proceed();Authentication auth SecurityContextHolder.getContext().getAuthentication();accessDecisionManager.decide(auth, mi, attrs);return mi.proceed();}}2.2.3 權限校驗邏輯Service層自定義權限檢查器Componentpublic class PermissionChecker {public boolean hasPermission(String code) {Authentication auth SecurityContextHolder.getContext().getAuthentication();return auth.getAuthorities().stream().anyMatch(a - a.getAuthority().equals(code));}}表達式解析源碼核心邏輯SecurityExpressionRootpublic class SecurityExpressionRoot {public boolean hasAuthority(String auth) {return authentication.getAuthorities().stream().anyMatch(a - a.getAuthority().equals(auth));}}授權決策管理器源碼核心邏輯AffirmativeBasedpublic class AffirmativeBased implements AccessDecisionManager {public void decide(Authentication auth, Object obj, CollectionConfigAttribute attrs) {for (AccessDecisionVoter v : decisionVoters) {int r v.vote(auth, obj, attrs);if (r ACCESS_GRANTED) return;}throw new 
AccessDeniedException(權限不足);}}2.2.4 業(yè)務邏輯執(zhí)行Service層ServiceRequiredArgsConstructorpublic class OrderServiceImpl implements OrderService {private final OrderMapper orderMapper;private final DataScopeService dataScopeService;public PageResultOrderVo queryOrders(OrderQuery q) {DataScopeService.DataScope scope dataScopeService.getCurUserDataScope();LambdaQueryWrapperOrderPo w new LambdaQueryWrapper();if (scope.getScopeType() 1) w.eq(OrderPo::getCreatorId, scope.getUserId());else if (scope.getScopeType() 2) w.eq(OrderPo::getDeptId, scope.getDeptIds().get(0));PageOrderPo p orderMapper.selectPage(new Page(q.getPageNum(), q.getPageSize()), w);return convertToPageResult(p);}}2.3 PreAuthorize接口執(zhí)行流程圖前端攜帶Token請求GET /api/orderJwtAuthFilter.doFilterInternal提取Token并驗證設置SecurityContextUsernamePasswordAuthenticationTokenDispatcherServlet分發(fā)請求OrderController.listOrdersPreAuthorize標注方法MethodSecurityInterceptor.invokeAOP攔截attributeSource.getAttributes獲取權限表達式accessDecisionManager.decide授權決策WebExpressionVoter.vote表達式投票SecurityExpressionRoot.hasAuthority解析權限邏輯PermissionChecker.hasPermission校驗權限OrderServiceImpl.queryOrders執(zhí)行業(yè)務邏輯返回數(shù)據(jù)給前端三、Spring Security過濾器鏈詳解3.1 過濾器執(zhí)行順序與功能順序 過濾器名稱 功能描述 使用場景1 SecurityContextPersistenceFilter 恢復或清理SecurityContext隔離請求間狀態(tài)。 所有請求必經(jīng)前后端分離可簡化。2 LogoutFilter 處理退出請求清理認證信息。 需顯式退出功能時啟用。3 UsernamePasswordAuthenticationFilter 處理傳統(tǒng)用戶名密碼登錄請求。 前后端分離通常替換為自定義登錄接口。4 JwtAuthFilter 自定義過濾器提取Bearer Token并設置認證信息。 前后端分離核心過濾器手動配置。5 AnonymousAuthenticationFilter 為未認證用戶分配匿名身份。 區(qū)分未登錄與已登錄用戶。6 ExceptionTranslationFilter 捕獲安全異常并轉換為HTTP響應401/403。 所有異常處理中樞必配置。7 FilterSecurityInterceptor URL級權限校驗根據(jù)authorizeRequests配置判斷訪問權限。 粗粒度權限控制。