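// ===== 1. Login endpoint authentication flow =====
// 1.1 Overview: the login endpoint is the authentication entry point. It verifies the
// username/password and issues a JWT. The controller, AuthenticationManager, UserDetailsService,
// PasswordEncoder, JWT utility and request filter cooperate to do so.
//
// 1.2 Steps with code samples
// 1.2.1 Request intake (presentation layer, controller endpoint)

/** Login entry point: delegates the credential check to Spring Security, then issues a JWT. */
@RestController
@RequestMapping("/api/auth")
@RequiredArgsConstructor
public class AuthController {
    private final AuthenticationManager authenticationManager;
    private final JwtUtils jwtUtils;

    /**
     * Authenticates the submitted username/password and returns a signed token.
     *
     * @param request username and raw password from the JSON body (consider @Valid/@NotBlank)
     * @return token plus username wrapped in the project's Result envelope
     * @throws AuthenticationException (e.g. BadCredentialsException) when authentication fails.
     *         Map it to a generic 401 in a @ControllerAdvice and do NOT echo the provider's
     *         message: distinguishing "user not found" from "wrong password" enumerates accounts.
     */
    @PostMapping("/login")
    public Result<JwtResponse> login(@RequestBody LoginRequest request) {
        // Unauthenticated token carrying the raw credentials; ProviderManager selects the provider.
        Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(request.getUsername(), request.getPassword()));
        UserDetails userDetails = (UserDetails) authentication.getPrincipal();
        String token = jwtUtils.generateToken(userDetails);
        return Result.success(new JwtResponse(token, userDetails.getUsername()));
    }
}

/** Login request body. The password is the raw secret: never log or echo this object. */
@Data
class LoginRequest {
    private String username;
    private String password;
}

/** Login response: the signed JWT and the authenticated username. */
@Data
class JwtResponse {
    private String token;
    private String username;

    public JwtResponse(String t, String u) {
        token = t;
        username = u;
    }
}

// 1.2.2 Triggering authentication and loading the user (service layer, custom UserDetailsService)

/** Loads the principal and its roles from the database on behalf of DaoAuthenticationProvider. */
@Service
@RequiredArgsConstructor
public class UserDetailsServiceImpl implements UserDetailsService {
    private final UserMapper userMapper;
    private final RoleMapper roleMapper;

    /**
     * Looks up a user by exact username and attaches its roles.
     *
     * @param username the submitted login name
     * @return the user entity (UserPo is expected to implement UserDetails)
     * @throws UsernameNotFoundException when no such user exists. DaoAuthenticationProvider
     *         re-wraps this as BadCredentialsException by default (hideUserNotFoundExceptions);
     *         keep that behaviour so the response does not reveal which usernames exist.
     */
    @Override
    public UserDetails loadUserByUsername(String username) {
        // QueryWrapper binds the value as a parameter: no SQL injection via the username.
        UserPo user = userMapper.selectOne(new QueryWrapper<UserPo>().eq("username", username));
        if (user == null) {
            throw new UsernameNotFoundException("用户不存在");
        }
        Set<RolePo> roles = roleMapper.findRolesByUserId(user.getId());
        user.setRoles(roles);
        return user;
    }
}

// Spring Security's AuthenticationManager (core logic simplified from ProviderManager).
// The real class additionally erases the credentials from the returned token
// (eraseCredentialsAfterAuthentication) and can delegate to a parent manager.
public class ProviderManager implements AuthenticationManager {
    private List<AuthenticationProvider> providers;

    /** Asks each provider that supports the token type; the first non-null result wins. */
    public Authentication authenticate(Authentication auth) {
        for (AuthenticationProvider p : providers) {
            if (p.supports(auth.getClass())) {
                Authentication result = p.authenticate(auth);
                if (result != null) {
                    return result;
                }
            }
        }
        throw new AuthenticationException("认证失败") {};
    }
}

// 1.2.3 Password verification (utility layer)

@Configuration
public class SecurityConfig {
    /** BCrypt at the default strength (10); each hash embeds its own salt and cost factor. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

// Password comparison (core logic simplified from DaoAuthenticationProvider; the real method
// first rejects a null credential with BadCredentialsException).
public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    protected void additionalAuthenticationChecks(UserDetails ud, UsernamePasswordAuthenticationToken auth) {
        String presented = auth.getCredentials().toString();
        String encoded = ud.getPassword();
        if (!passwordEncoder.matches(presented, encoded)) {
            throw new BadCredentialsException("密码错误");
        }
    }
}

// Core logic simplified from BCryptPasswordEncoder.
public class BCryptPasswordEncoder implements PasswordEncoder {
    /** Re-hashes the raw password with the salt/cost stored in the hash, then compares in constant time. */
    public boolean matches(CharSequence raw, String encoded) {
        BCrypt.HashData hashData = decode(encoded);
        byte[] hashed = BCrypt.hashpw(raw.toString(), hashData);
        // Constant-time comparison avoids leaking the matching prefix length via timing.
        return constantTimeEquals(hashed, hashData.password);
    }
}

// 1.2.4 Issuing the JWT (utility layer)

/** Builds HS256-signed JWTs. The token carries only the subject; authorities are re-read from the DB per request. */
@Component
public class JwtUtils {
    // signWith(SignatureAlgorithm, String) treats this String as Base64 key material and is
    // deprecated since jjwt 0.10; prefer Keys.hmacShaKeyFor(bytes) with at least 256 bits of
    // random key (RFC 7518 §3.2 minimum for HS256). Never commit the real value to source control.
    @Value("${app.jwt.secret}") private String secret;
    // Milliseconds: it is added to System.currentTimeMillis() below.
    @Value("${app.jwt.expiration}") private long expiration;

    /**
     * Issues a token for an already-authenticated principal.
     *
     * @param ud the authenticated user; only its username goes into the token
     * @return the compact serialized JWT
     * @throws IllegalStateException when no signing secret is configured (fail closed)
     */
    public String generateToken(UserDetails ud) {
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("app.jwt.secret is not configured");
        }
        return Jwts.builder()
                .setSubject(ud.getUsername())
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + expiration))
                .signWith(SignatureAlgorithm.HS256, secret)
                .compact();
    }

    // validateToken(String) and extractUsername(String) are used by JwtAuthFilter but are not shown
    // on this page; validateToken must parse with the same key so that both the signature and the
    // exp claim are enforced, and should reject tokens whose alg does not match HS256.
}

// 1.2.5 Authenticating subsequent requests (filter plug-in layer)

/**
 * Turns a valid bearer token into an authenticated SecurityContext for the current request.
 * Registered before UsernamePasswordAuthenticationFilter and therefore also before
 * ExceptionTranslationFilter: an exception escaping this filter becomes a 500, not a 401,
 * so failures here are handled by simply leaving the request unauthenticated.
 */
@Component
@RequiredArgsConstructor
public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtUtils jwtUtils;
    private final UserDetailsServiceImpl userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = parseJwt(req);
        if (token != null && jwtUtils.validateToken(token)) {
            String username = jwtUtils.extractUsername(token);
            UserDetails ud;
            try {
                ud = userDetailsService.loadUserByUsername(username);
            } catch (UsernameNotFoundException e) {
                // Signature is valid but the account has since been deleted: continue anonymously.
                ud = null;
            }
            // A stateless JWT stays valid until exp; re-checking account status here is the only
            // place a disabled or locked account is actually cut off before the token expires.
            if (ud != null && ud.isEnabled() && ud.isAccountNonLocked()) {
                // Credentials are deliberately null: the password must not live in the context.
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(ud, null, ud.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns the bearer token from the Authorization header, or null when absent or not a Bearer scheme. */
    private String parseJwt(HttpServletRequest req) {
        String h = req.getHeader("Authorization");
        return (h != null && h.startsWith("Bearer ")) ? h.substring(7) : null;
    }
}

// 1.3 Login flow (sequence):
//   frontend POST /api/auth/login -> AuthController.login -> AuthenticationManager.authenticate
//   -> DaoAuthenticationProvider.authenticate -> UserDetailsServiceImpl.loadUserByUsername
//   -> UserMapper.selectOne (base user row) -> RoleMapper.findRolesByUserId (roles / authorities)
//   -> additionalAuthenticationChecks (password check) -> BCryptPasswordEncoder.matches
//   -> authenticated UsernamePasswordAuthenticationToken -> JwtUtils.generateToken -> token returned

// ===== 2. @PreAuthorize method-level authorization flow =====
// 2.1 Overview: @PreAuthorize evaluates an authorization expression before the method body runs.
// Three stages: AOP interception, expression evaluation, authorization decision.
//
// 2.2 Steps with code samples
// 2.2.1 Controller method annotated with @PreAuthorize (presentation layer)

@RestController
@RequestMapping("/api/order")
@RequiredArgsConstructor
public class OrderController {
    private final OrderService orderService;

    /** Lists orders; requires the 'order:view' authority, then applies the caller's data scope in the service. */
    @GetMapping
    @PreAuthorize("hasAuthority('order:view')")
    public PageResult<OrderVo> listOrders(OrderQuery query) {
        return orderService.queryOrders(query);
    }
}

// 2.2.2 AOP interception and expression handling (plug-in layer, configuration)

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    /**
     * Installs a custom PermissionEvaluator. Note: it only backs hasPermission(...) expressions;
     * the hasAuthority('order:view') used above never consults it.
     */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
        h.setPermissionEvaluator(new CustomPermissionEvaluator());
        return h;
    }
}

// Core logic simplified from MethodSecurityInterceptor.
public class MethodSecurityInterceptor implements MethodInterceptor {
    public Object invoke(MethodInvocation mi) throws Throwable {
        Collection<ConfigAttribute> attrs = attributeSource.getAttributes(mi);
        if (attrs == null) {
            // No security annotation on this method: nothing to decide.
            return mi.proceed();
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        accessDecisionManager.decide(auth, mi, attrs);   // throws AccessDeniedException on refusal
        return mi.proceed();
    }
}

// 2.2.3 Authority checks (service layer, custom checker)

/** Programmatic authority check against the current SecurityContext. */
@Component
public class PermissionChecker {
    /**
     * @param code the authority string to look for
     * @return true only when the current authentication carries exactly that authority;
     *         false (never an NPE) when there is no authentication in the context
     */
    public boolean hasPermission(String code) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;   // deny by default when called outside the security filter chain
        }
        return auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals(code));
    }
}

// Expression root (core logic simplified from SecurityExpressionRoot).
public class SecurityExpressionRoot {
    public boolean hasAuthority(String auth) {
        return authentication.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals(auth));
    }
}

// Decision manager (core logic simplified from AffirmativeBased): one ACCESS_GRANTED vote is enough.
// In the real class, all voters abstaining is a denial unless allowIfAllAbstainDecisions is set.
public class AffirmativeBased implements AccessDecisionManager {
    public void decide(Authentication auth, Object obj, Collection<ConfigAttribute> attrs) {
        for (AccessDecisionVoter v : decisionVoters) {
            int r = v.vote(auth, obj, attrs);
            if (r == ACCESS_GRANTED) {
                return;
            }
        }
        throw new AccessDeniedException("权限不足");
    }
}

// 2.2.4 Business logic (service layer)

@Service
@RequiredArgsConstructor
public class OrderServiceImpl implements OrderService {
    private final OrderMapper orderMapper;
    private final DataScopeService dataScopeService;

    /**
     * Pages over orders visible to the current user's data scope.
     * scopeType 1 = own records only, scopeType 2 = first department of the scope.
     *
     * @throws AccessDeniedException when a department scope carries no department ids
     *         (previously an IndexOutOfBoundsException, i.e. a 500 instead of a 403)
     */
    public PageResult<OrderVo> queryOrders(OrderQuery q) {
        DataScopeService.DataScope scope = dataScopeService.getCurUserDataScope();
        LambdaQueryWrapper<OrderPo> w = new LambdaQueryWrapper<>();
        if (scope.getScopeType() == 1) {
            w.eq(OrderPo::getCreatorId, scope.getUserId());
        } else if (scope.getScopeType() == 2) {
            if (scope.getDeptIds() == null || scope.getDeptIds().isEmpty()) {
                throw new AccessDeniedException("权限不足");
            }
            w.eq(OrderPo::getDeptId, scope.getDeptIds().get(0));
        }
        // NOTE(review): any other scopeType applies no filter at all and returns every order.
        // Confirm that this fall-through is the intended "all data" scope rather than a fail-open.
        Page<OrderPo> p = orderMapper.selectPage(new Page<>(q.getPageNum(), q.getPageSize()), w);
        return convertToPageResult(p);
    }
}

// 2.3 Request flow for a @PreAuthorize-protected endpoint: the frontend sends a request
// carrying the token, GET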
/api/order → JwtAuthFilter.doFilterInternal（提取 Token 并验证，向 SecurityContext 写入 UsernamePasswordAuthenticationToken）→ DispatcherServlet 分发请求 → OrderController.listOrders（@PreAuthorize 标注方法）→ MethodSecurityInterceptor.invoke（AOP 拦截）→ attributeSource.getAttributes（获取权限表达式）→ accessDecisionManager.decide（授权决策）→ PreInvocationAuthorizationAdviceVoter.vote（表达式投票；WebExpressionVoter 只用于 FilterSecurityInterceptor 的 URL 级校验，不参与方法级投票）→ SecurityExpressionRoot.hasAuthority（解析权限逻辑；注意 hasAuthority 不会调用自定义的 PermissionChecker 或 PermissionEvaluator，只有 hasPermission(...) 表达式才会）→ OrderServiceImpl.queryOrders（执行业务逻辑，并按数据范围过滤）→ 返回数据给前端

三、Spring Security 过滤器链详解
3.1 过滤器执行顺序与功能

顺序 | 过滤器名称 | 功能描述 | 使用场景
1 | SecurityContextPersistenceFilter | 恢复或清理 SecurityContext，隔离请求间状态。 | 所有请求必经；无状态 JWT 场景下配合 SessionCreationPolicy.STATELESS，避免把认证信息写入 HttpSession。
2 | LogoutFilter | 处理退出请求，清理认证信息。 | 需显式退出功能时启用；JWT 本身无状态，服务端"退出"需要黑名单或短有效期等额外手段配合。
3 | UsernamePasswordAuthenticationFilter | 处理传统用户名密码登录请求。 | 前后端分离通常替换为自定义登录接口（如上文 /api/auth/login）。
4 | JwtAuthFilter | 自定义过滤器，提取 Bearer Token 并设置认证信息。 | 前后端分离核心过滤器，需通过 addFilterBefore 手动注册到 UsernamePasswordAuthenticationFilter 之前。注意它位于 ExceptionTranslationFilter 之前，过滤器内抛出的异常不会被转换为 401，应在过滤器内自行处理，或直接放行为匿名请求。
5 | AnonymousAuthenticationFilter | 为未认证用户分配匿名身份。 | 区分未登录与已登录用户；此后 getAuthentication() 不为 null，但其权限仅为 ROLE_ANONYMOUS。
6 | ExceptionTranslationFilter | 捕获安全异常并转换为 HTTP 响应（401/403）。 | 所有异常处理中枢，必配置；只覆盖链中位于其后的过滤器及业务代码抛出的 AuthenticationException / AccessDeniedException。
7 | FilterSecurityInterceptor | URL 级权限校验，根据 authorizeRequests 配置判断访问权限。 | 粗粒度权限控制；应与方法级 @PreAuthorize 配合使用，而非替代。