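I. What is single sign-on
Single sign-on (SSO) is one of the more popular solutions for integrating enterprise business systems. SSO means that, across multiple application systems, a user logs in only once and can then access every application system that trusts the others.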
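II. How it works, in brief
The mechanism behind single sign-on is fairly simple. Take a real-world comparison: a park contains many independent attractions, and visitors can buy a ticket separately at the entrance of each one.
For visitors who want to see every attraction, buying tickets this way is inconvenient. They have to queue at each entrance, and taking the wallet in and out all the time makes it easy to lose, which is not safe.
So most visitors buy a pass (also called a combined ticket) at the main gate, which lets them visit every attraction without buying another ticket. They only need to show the pass at the entrance of each attraction to be let in.
Single sign-on works the same way, as shown in the figure below.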

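User authentication: in this step the user sends an authentication request to the authentication server, and the authentication server returns a token on success. This is done mainly in the authentication server, i.e. the authentication system in the figure. Note that there can be only one authentication system.
Identity verification: in this step the user carries the token when accessing other servers, and those servers must check whether the token is genuine. This is done mainly in the resource servers, i.e. application systems 2 and 3 in the figure.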
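III. Introduction to JWT
Concepts
From the distributed authentication flow it is easy to see that the token plays the key role. Whether the token is secure directly affects the robustness of the system, so here we use JWT to generate and verify tokens.
JWT, short for JSON Web Token (official site: https://jwt.io), is an excellent scheme for distributed identity verification. It can generate tokens and also parse and verify them.
A token generated by JWT has three parts:
- Header: mainly carries some specification information; the algorithm used for the signature part is declared in the header.
- Payload: the part of the token that holds the actual information, such as user name, user role and expiry time. Do not put a password in it, because it would be leaked!
- Signature: the header and the payload are each Base64-encoded and joined with ".", the salt (that is, the signing key) is added, and the result is processed with the algorithm declared in the header, which gives the signature.
Security analysis of JWT-generated tokens
Looking at how a JWT token is composed, preventing forgery depends mainly on the signature part. The signature is itself built from three inputs. Two of them, the Base64 encodings of the header and the payload, are almost transparent and offer no security at all, so the burden of protecting the token falls on the added salt!
Consider: if the salt used to generate the token is the same as the salt used when parsing it, isn't that like the People's Bank of China publishing the anti-counterfeiting technology of the renminbi? Anyone who can use this salt to parse tokens can also use it to forge them. So we need to apply asymmetric cryptography to the salt, so that the side generating the token and the side verifying it do not use the same salt.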
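Introduction to RSA asymmetric encryption
Basic principle: two keys are generated together, a private key and a public key. The private key is kept secret; the public key can be distributed to trusted clients.
- Encrypted with the private key: can be decrypted only by a holder of the private key or the public key
- Encrypted with the public key: can be decrypted only by a holder of the private key
Advantage: secure and hard to break
Disadvantage: the algorithm is relatively slow, which is acceptable for the sake of security
History: three mathematicians, Rivest, Shamir and Adleman, designed an algorithm that achieves asymmetric encryption. The algorithm is named RSA after the initials of their three names.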
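The token structure and the private-key/public-key split described above can be reproduced with JDK classes alone. The following is an added example, not code from the original article: the class name Rs256Demo and the sample claims are made up for illustration, and jjwt is deliberately not used so that each step is visible.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration (hypothetical class name); JDK only, no jjwt.
public class Rs256Demo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static String b64(String json) {
        return ENC.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Issuer (authentication service): the only side that holds the private key.
    static String sign(String header, String payload, PrivateKey key) throws GeneralSecurityException {
        String signingInput = b64(header) + "." + b64(payload);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key);
        rsa.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(rsa.sign());
    }

    // Verifier (resource service): holds only the public key, so it cannot mint tokens.
    static boolean verify(String token, PublicKey key) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm on the verifier; never let the token pick it.
        // (Crude string match to stay JDK-only; use a JSON parser in real code.)
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initVerify(key);
        rsa.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return rsa.verify(DEC.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample claims
        String token = sign("{\"alg\":\"RS256\",\"typ\":\"JWT\"}",
                "{\"user\":\"alice\",\"role\":\"USER\"}", pair.getPrivate());
        String[] p = token.split("\\.");

        // The payload is only encoded, not encrypted: anyone can read it.
        System.out.println("payload: " + new String(DEC.decode(p[1]), StandardCharsets.UTF_8));
        System.out.println("genuine token verifies: " + verify(token, pair.getPublic()));

        // Changing the payload while keeping the old signature must fail.
        String forged = p[0] + "." + b64("{\"user\":\"alice\",\"role\":\"ADMIN\"}") + "." + p[2];
        System.out.println("tampered token verifies: " + verify(forged, pair.getPublic()));

        // A token signed by a different key pair must fail too.
        KeyPair other = gen.generateKeyPair();
        String foreign = sign("{\"alg\":\"RS256\",\"typ\":\"JWT\"}", "{\"user\":\"mallory\"}", other.getPrivate());
        System.out.println("foreign-key token verifies: " + verify(foreign, pair.getPublic()));
    }
}
```

Only the genuine token verifies; the payload line shows why a password must never be placed in the claims.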
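IV. Integrating JWT with SpringSecurity
1. Analysis of the authentication approach
SpringSecurity implements its features mainly through filters! We need to find the filters with which SpringSecurity performs authentication and identity verification.
Review of the centralized authentication flow
User authentication: the attemptAuthentication method of the UsernamePasswordAuthenticationFilter filter performs authentication, and the successfulAuthentication method in that filter's parent class handles what happens after authentication succeeds.
Identity verification: the doFilterInternal method of the BasicAuthenticationFilter filter checks whether the user is logged in, which decides whether the request may proceed to the later filters.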
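Analysis of the distributed authentication flow
User authentication:
Distributed projects mostly use a front-end/back-end separated architecture, so we must accept authentication parameters sent in an asynchronous POST request. We need to modify the attemptAuthentication method of the UsernamePasswordAuthenticationFilter filter so that it can read the request body.
In addition, by default the successfulAuthentication method simply puts the user information into the session once authentication passes. We now need to change this method so that it generates a token after authentication passes and returns it to the user.
Identity verification:
Originally the doFilterInternal method of the BasicAuthenticationFilter filter checks whether the user is logged in by looking for user information in the session. We change it to verify that the token carried by the user is valid, parse the user information out of it, and hand that to SpringSecurity so that the subsequent authorization features work normally.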
2. Implementation
To demonstrate single sign-on, we design the following project structure

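2.1 Creating the parent project
Because this example needs several systems, we use a Maven aggregator project. First create a parent project and import the Spring Boot parent dependency.
```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.3.RELEASE</version>
    <relativePath/>
</parent>
```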
2.2 Creating the common project
Then create a common project that the other projects depend on

Import the JWT-related dependencies
```xml
<dependencies>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.10.7</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-impl</artifactId>
        <version>0.10.7</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.10.7</version>
        <scope>runtime</scope>
    </dependency>
    <!-- Jackson -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.9</version>
    </dependency>
    <!-- Logging -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-logging</artifactId>
    </dependency>
    <dependency>
        <groupId>joda-time</groupId>
        <artifactId>joda-time</artifactId>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
    </dependency>
</dependencies>
```
Create the utility classes

Payload
```java
import java.util.Date;
import lombok.Data;

@Data
public class Payload<T> {
    private String id;
    private T userInfo;
    private Date expiration;
}
```
JsonUtils
```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.util.List;
import java.util.Map;

public class JsonUtils {

    public static final ObjectMapper mapper = new ObjectMapper();

    private static final Logger logger = LoggerFactory.getLogger(JsonUtils.class);

    // Serialize an object to JSON; strings are returned unchanged
    public static String toString(Object obj) {
        if (obj == null) {
            return null;
        }
        if (obj.getClass() == String.class) {
            return (String) obj;
        }
        try {
            return mapper.writeValueAsString(obj);
        } catch (JsonProcessingException e) {
            logger.error("json序列化出錯:" + obj, e);
            return null;
        }
    }

    // Parse JSON into a bean; returns null if parsing fails
    public static <T> T toBean(String json, Class<T> tClass) {
        try {
            return mapper.readValue(json, tClass);
        } catch (IOException e) {
            logger.error("json解析出錯:" + json, e);
            return null;
        }
    }

    public static <E> List<E> toList(String json, Class<E> eClass) {
        try {
            return mapper.readValue(json, mapper.getTypeFactory().constructCollectionType(List.class, eClass));
        } catch (IOException e) {
            logger.error("json解析出錯:" + json, e);
            return null;
        }
    }

    public static <K, V> Map<K, V> toMap(String json, Class<K> kClass, Class<V> vClass) {
        try {
            return mapper.readValue(json, mapper.getTypeFactory().constructMapType(Map.class, kClass, vClass));
        } catch (IOException e) {
            logger.error("json解析出錯:" + json, e);
            return null;
        }
    }

    public static <T> T nativeRead(String json, TypeReference<T> type) {
        try {
            return mapper.readValue(json, type);
        } catch (IOException e) {
            logger.error("json解析出錯:" + json, e);
            return null;
        }
    }
}
```
JwtUtils
```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.joda.time.DateTime;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.UUID;

public class JwtUtils {

    private static final String JWT_PAYLOAD_USER_KEY = "user";

    /**
     * Generate a token signed with the private key
     *
     * @param userInfo   data to place in the payload
     * @param privateKey private key
     * @param expire     expiry time, in minutes
     * @return JWT
     */
    public static String generateTokenExpireInMinutes(Object userInfo, PrivateKey privateKey, int expire) {
        return Jwts.builder()
                .claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
                .setId(createJTI())
                .setExpiration(DateTime.now().plusMinutes(expire).toDate())
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
    }

    /**
     * Generate a token signed with the private key
     *
     * @param userInfo   data to place in the payload
     * @param privateKey private key
     * @param expire     expiry time, in seconds
     * @return JWT
     */
    public static String generateTokenExpireInSeconds(Object userInfo, PrivateKey privateKey, int expire) {
        return Jwts.builder()
                .claim(JWT_PAYLOAD_USER_KEY, JsonUtils.toString(userInfo))
                .setId(createJTI())
                .setExpiration(DateTime.now().plusSeconds(expire).toDate())
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
    }

    /**
     * Parse and verify the token with the public key
     *
     * @param token     token from the user's request
     * @param publicKey public key
     * @return Jws<Claims>
     */
    private static Jws<Claims> parserToken(String token, PublicKey publicKey) {
        return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
    }

    private static String createJTI() {
        return new String(Base64.getEncoder().encode(UUID.randomUUID().toString().getBytes()));
    }

    /**
     * Get the user information from the token
     *
     * @param token     token from the user's request
     * @param publicKey public key
     * @return user information
     */
    public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey, Class<T> userType) {
        Jws<Claims> claimsJws = parserToken(token, publicKey);
        Claims body = claimsJws.getBody();
        Payload<T> claims = new Payload<>();
        claims.setId(body.getId());
        claims.setUserInfo(JsonUtils.toBean(body.get(JWT_PAYLOAD_USER_KEY).toString(), userType));
        claims.setExpiration(body.getExpiration());
        return claims;
    }

    /**
     * Get the payload information from the token
     *
     * @param token     token from the user's request
     * @param publicKey public key
     * @return user information
     */
    public static <T> Payload<T> getInfoFromToken(String token, PublicKey publicKey) {
        Jws<Claims> claimsJws = parserToken(token, publicKey);
        Claims body = claimsJws.getBody();
        Payload<T> claims = new Payload<>();
        claims.setId(body.getId());
        claims.setExpiration(body.getExpiration());
        return claims;
    }
}
```
RsaUtils
```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class RsaUtils {

    private static final int DEFAULT_KEY_SIZE = 2048;

    /**
     * Read the public key from a file
     *
     * @param filename path where the public key is stored, relative to the classpath
     * @return public key object
     * @throws Exception
     */
    public static PublicKey getPublicKey(String filename) throws Exception {
        byte[] bytes = readFile(filename);
        return getPublicKey(bytes);
    }

    /**
     * Read the private key from a file
     *
     * @param filename path where the private key is stored, relative to the classpath
     * @return private key object
     * @throws Exception
     */
    public static PrivateKey getPrivateKey(String filename) throws Exception {
        byte[] bytes = readFile(filename);
        return getPrivateKey(bytes);
    }

    /**
     * Get the public key
     *
     * @param bytes the public key in byte form
     * @return
     * @throws Exception
     */
    private static PublicKey getPublicKey(byte[] bytes) throws Exception {
        bytes = Base64.getDecoder().decode(bytes);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(bytes);
        KeyFactory factory = KeyFactory.getInstance("RSA");
        return factory.generatePublic(spec);
    }

    /**
     * Get the private key
     *
     * @param bytes the private key in byte form
     * @return
     * @throws Exception
     */
    private static PrivateKey getPrivateKey(byte[] bytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
        bytes = Base64.getDecoder().decode(bytes);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
        KeyFactory factory = KeyFactory.getInstance("RSA");
        return factory.generatePrivate(spec);
    }

    /**
     * Generate an RSA public/private key pair from the secret and write them to the given files
     *
     * @param publicKeyFilename  path of the public key file
     * @param privateKeyFilename path of the private key file
     * @param secret             secret used to generate the keys
     */
    public static void generateKey(String publicKeyFilename, String privateKeyFilename, String secret, int keySize) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        // Caveat: with providers where a caller-supplied seed replaces system entropy
        // (e.g. SHA1PRNG), the key pair is reproducible from `secret`, so a guessable
        // secret gives away the private key.
        SecureRandom secureRandom = new SecureRandom(secret.getBytes());
        // The key size is never smaller than DEFAULT_KEY_SIZE
        keyPairGenerator.initialize(Math.max(keySize, DEFAULT_KEY_SIZE), secureRandom);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        // Get the public key and write it out
        byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
        publicKeyBytes = Base64.getEncoder().encode(publicKeyBytes);
        writeFile(publicKeyFilename, publicKeyBytes);
        // Get the private key and write it out
        byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
        privateKeyBytes = Base64.getEncoder().encode(privateKeyBytes);
        writeFile(privateKeyFilename, privateKeyBytes);
    }

    private static byte[] readFile(String fileName) throws Exception {
        return Files.readAllBytes(new File(fileName).toPath());
    }

    private static void writeFile(String destPath, byte[] bytes) throws IOException {
        File dest = new File(destPath);
        if (!dest.exists()) {
            dest.createNewFile();
        }
        Files.write(dest.toPath(), bytes);
    }
}
```
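Write a test class in the common submodule to generate the RSA public and private keys
```java
import org.junit.Test;

public class JwtTest {

    private String privateKey = "c:/tools/auth_key/id_key_rsa";
    private String publicKey = "c:/tools/auth_key/id_key_rsa.pub";

    @Test
    public void test1() throws Exception {
        // generateKey raises the requested size to at least 2048 bits
        RsaUtils.generateKey(publicKey, privateKey, "dpb", 1024);
    }
}
```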

2.3 Creating the authentication system
Next we create our authentication service.

Import the required dependencies
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <artifactId>security-jwt-common</artifactId>
        <groupId>com.dpb</groupId>
        <version>1.0-SNAPSHOT</version>
    </dependency>
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.47</version>
    </dependency>
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>2.1.0</version>
    </dependency>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid</artifactId>
        <version>1.1.10</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>
</dependencies>
```
Create the configuration file
```yaml
spring:
  datasource:
    driver-class-name: com.mysql.jdbc.Driver
    url: jdbc:mysql://localhost:3306/srm
    username: root
    password: 123456
    type: com.alibaba.druid.pool.DruidDataSource
mybatis:
  type-aliases-package: com.dpb.domain
  mapper-locations: classpath:mapper/*.xml
logging:
  level:
    com.dpb: debug
rsa:
  key:
    pubKeyFile: c:\tools\auth_key\id_key_rsa.pub
    priKeyFile: c:\tools\auth_key\id_key_rsa
```

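Provide a configuration class for the public and private keys
```java
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;

import javax.annotation.PostConstruct;
import java.security.PrivateKey;
import java.security.PublicKey;

@Data
@ConfigurationProperties(prefix = "rsa.key")
public class RsaKeyProperties {

    private String pubKeyFile;
    private String priKeyFile;

    private PublicKey publicKey;
    private PrivateKey privateKey;

    /**
     * Triggered when the system starts
     * @throws Exception
     */
    @PostConstruct
    public void createRsaKey() throws Exception {
        publicKey = RsaUtils.getPublicKey(pubKeyFile);
        privateKey = RsaUtils.getPrivateKey(priKeyFile);
    }
}
```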
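Create the startup class
```java
import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.properties.EnableConfigurationProperties;

@SpringBootApplication
@MapperScan("com.dpb.mapper")
@EnableConfigurationProperties(RsaKeyProperties.class)
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}
```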
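Implement the data authentication logic
pojo
```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;

@Data
public class RolePojo implements GrantedAuthority {

    private Integer id;
    private String roleName;
    private String roleDesc;

    @JsonIgnore
    @Override
    public String getAuthority() {
        return roleName;
    }
}
```
```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

@Data
public class UserPojo implements UserDetails {

    private Integer id;
    private String username;
    private String password;
    private Integer status;
    private List<RolePojo> roles;

    // Demo simplification: every user gets the single authority "ADMIN", regardless of roles
    @JsonIgnore
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<SimpleGrantedAuthority> auth = new ArrayList<>();
        auth.add(new SimpleGrantedAuthority("ADMIN"));
        return auth;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    @JsonIgnore
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @JsonIgnore
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @JsonIgnore
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @JsonIgnore
    @Override
    public boolean isEnabled() {
        return true;
    }
}
```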
Mapper interface
```java
import org.apache.ibatis.annotations.Param;

public interface UserMapper {
    public UserPojo queryByUserName(@Param("userName") String userName);
}
```
Mapper mapping file
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
        PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.dpb.mapper.UserMapper">
    <select id="queryByUserName" resultType="UserPojo">
        select * from t_user where username = #{userName}
    </select>
</mapper>
```
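Service
```java
import org.springframework.security.core.userdetails.UserDetailsService;

public interface UserService extends UserDetailsService {
}
```
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional
public class UserServiceImpl implements UserService {

    @Autowired
    private UserMapper mapper;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        UserPojo user = mapper.queryByUserName(s);
        if (user == null) {
            // The UserDetailsService contract forbids returning null
            throw new UsernameNotFoundException("user not found");
        }
        return user;
    }
}
```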
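Custom authentication filter
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter {

    private AuthenticationManager authenticationManager;
    private RsaKeyProperties prop;

    public TokenLoginFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
        this.authenticationManager = authenticationManager;
        this.prop = prop;
    }

    // Read the credentials from the JSON request body instead of form parameters
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        try {
            UserPojo sysUser = new ObjectMapper().readValue(request.getInputStream(), UserPojo.class);
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(sysUser.getUsername(), sysUser.getPassword());
            return authenticationManager.authenticate(authRequest);
        } catch (Exception e) {
            try {
                response.setContentType("application/json;charset=utf-8");
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                PrintWriter out = response.getWriter();
                Map<String, Object> resultMap = new HashMap<>();
                resultMap.put("code", HttpServletResponse.SC_UNAUTHORIZED);
                resultMap.put("msg", "用戶名或密碼錯誤!");
                out.write(new ObjectMapper().writeValueAsString(resultMap));
                out.flush();
                out.close();
            } catch (Exception outEx) {
                outEx.printStackTrace();
            }
            throw new RuntimeException(e);
        }
    }

    // After successful authentication, issue a token signed with the private key
    @Override
    public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
        UserPojo user = new UserPojo();
        user.setUsername(authResult.getName());
        user.setRoles((List<RolePojo>) authResult.getAuthorities());
        // The token is valid for 24 hours
        String token = JwtUtils.generateTokenExpireInMinutes(user, prop.getPrivateKey(), 24 * 60);
        response.addHeader("Authorization", "Bearer " + token);
        try {
            response.setContentType("application/json;charset=utf-8");
            response.setStatus(HttpServletResponse.SC_OK);
            PrintWriter out = response.getWriter();
            Map<String, Object> resultMap = new HashMap<>();
            resultMap.put("code", HttpServletResponse.SC_OK);
            resultMap.put("msg", "認證通過!");
            out.write(new ObjectMapper().writeValueAsString(resultMap));
            out.flush();
            out.close();
        } catch (Exception outEx) {
            outEx.printStackTrace();
        }
    }
}
```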
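Custom filter that verifies the token
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.JwtException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;

public class TokenVerifyFilter extends BasicAuthenticationFilter {

    private RsaKeyProperties prop;

    public TokenVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
        super(authenticationManager);
        this.prop = prop;
    }

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // Missing or malformed token: tell the user to log in and stop here,
            // without continuing the filter chain
            reject(response);
            return;
        }
        // A correctly formatted header: extract the token first
        String token = header.substring("Bearer ".length());
        try {
            // Verify the token (signature and expiry) with the public key
            Payload<UserPojo> payload = JwtUtils.getInfoFromToken(token, prop.getPublicKey(), UserPojo.class);
            UserPojo user = payload.getUserInfo();
            if (user == null) {
                reject(response);
                return;
            }
            UsernamePasswordAuthenticationToken authResult = new UsernamePasswordAuthenticationToken(user.getUsername(), null, user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authResult);
        } catch (JwtException | IllegalArgumentException e) {
            // Forged, expired or unparseable token
            reject(response);
            return;
        }
        chain.doFilter(request, response);
    }

    // Write the 403 "please log in" JSON response
    private void reject(HttpServletResponse response) throws IOException {
        response.setContentType("application/json;charset=utf-8");
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        PrintWriter out = response.getWriter();
        Map<String, Object> resultMap = new HashMap<>();
        resultMap.put("code", HttpServletResponse.SC_FORBIDDEN);
        resultMap.put("msg", "請登錄!");
        out.write(new ObjectMapper().writeValueAsString(resultMap));
        out.flush();
        out.close();
    }
}
```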
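Write the SpringSecurity configuration class
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserService userService;

    @Autowired
    private RsaKeyProperties prop;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Specify where the authentication objects come from
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    // SpringSecurity configuration
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .authorizeRequests()
                // hasAnyRole("ADMIN") matches the authority "ROLE_ADMIN"
                .antMatchers("/user/query").hasAnyRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .addFilter(new TokenLoginFilter(super.authenticationManager(), prop))
                .addFilter(new TokenVerifyFilter(super.authenticationManager(), prop))
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```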
Start the service and test
Start the service

Test by sending requests with Postman


Using the token, we access other resources

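2.4 Creating the resource system
Notes
There can be many resource services; here we take only the product service as an example. Remember that a resource service may only verify authentication with the public key. It must not issue tokens! Create the product service and import the jar packages according to the actual business; for now we keep them the same as in the authentication service.
Next we create a resource service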

Import the required dependencies
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <artifactId>security-jwt-common</artifactId>
        <groupId>com.dpb</groupId>
        <version>1.0-SNAPSHOT</version>
    </dependency>
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.47</version>
    </dependency>
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>2.1.0</version>
    </dependency>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid</artifactId>
        <version>1.1.10</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>
</dependencies>
```
Write the product service configuration file
Remember: only the public key path may appear here!
```yaml
server:
  port: 9002
spring:
  datasource:
    driver-class-name: com.mysql.jdbc.Driver
    url: jdbc:mysql://localhost:3306/srm
    username: root
    password: 123456
    type: com.alibaba.druid.pool.DruidDataSource
mybatis:
  type-aliases-package: com.dpb.domain
  mapper-locations: classpath:mapper/*.xml
logging:
  level:
    com.dpb: debug
rsa:
  key:
    pubKeyFile: c:\tools\auth_key\id_key_rsa.pub
```
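Write the configuration class that reads the public key
```java
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;

import javax.annotation.PostConstruct;
import java.security.PublicKey;

@Data
@ConfigurationProperties(prefix = "rsa.key")
public class RsaKeyProperties {

    private String pubKeyFile;

    private PublicKey publicKey;

    /**
     * Triggered when the system starts
     * @throws Exception
     */
    @PostConstruct
    public void createRsaKey() throws Exception {
        publicKey = RsaUtils.getPublicKey(pubKeyFile);
    }
}
```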
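Write the startup class
```java
import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.properties.EnableConfigurationProperties;

@SpringBootApplication
@MapperScan("com.dpb.mapper")
@EnableConfigurationProperties(RsaKeyProperties.class)
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}
```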
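Copy the user object, the role object and the authentication-check interface from the authentication service
Simply copy the relevant content from the authentication service.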
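Copy the SpringSecurity configuration class from the authentication service and modify it
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserService userService;

    @Autowired
    private RsaKeyProperties prop;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Specify where the authentication objects come from
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    // SpringSecurity configuration
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .authorizeRequests()
                //.antMatchers("/user/query").hasAnyRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .addFilter(new TokenVerifyFilter(super.authenticationManager(), prop))
                // Disable the session
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```
Simply remove the step that adds the custom authentication filter!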
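Write the product controller
```java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/user")
public class UserController {

    @RequestMapping("/query")
    public String query() {
        return "success";
    }

    @RequestMapping("/update")
    public String update() {
        return "update";
    }
}
```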
Test

Original article. Author: 投稿專員. If you repost it, please credit the source: https://www.506064.com/zh-hk/n/290467.html