Appearance
我们在应用中经常能用到的功能是获取当前用户id、账号等,id和账号存入token,但是token在SpringSecurity鉴权通过后,就只能通过request对象获取,在开发SpringBoot项目时,如果每次都需要单独获取request对象,然后解析token信息,未免太繁琐了些。
SecurityContextHolder
SecurityContextHolder用于将当前登录的用户数据缓存到TransmittableThreadLocal中:
java
public class SecurityContextHolder {
private static final TransmittableThreadLocal<Map<String, Object>> THREAD_LOCAL = new TransmittableThreadLocal<>();
public static void set(String key, Object value) {
Map<String, Object> map = getLocalMap();
map.put(key, value == null ? StrUtil.EMPTY : value);
}
public static String get(String key) {
Map<String, Object> map = getLocalMap();
return Convert.toStr(map.getOrDefault(key, StrUtil.EMPTY));
}
public static <T> T get(String key, Class<T> clazz) {
Map<String, Object> map = getLocalMap();
return (T) map.getOrDefault(key, null);
}
public static Map<String, Object> getLocalMap() {
Map<String, Object> map = THREAD_LOCAL.get();
if (map == null) {
map = new ConcurrentHashMap<>();
THREAD_LOCAL.set(map);
}
return map;
}
public static void setLocalMap(Map<String, Object> threadLocalMap) {
THREAD_LOCAL.set(threadLocalMap);
}
public static Integer getUserId() {
return Convert.toInt(get(TokenConstants.DETAILS_USER_ID), 0);
}
public static void setUserId(String account) {
set(TokenConstants.DETAILS_USER_ID, account);
}
public static String getUserName() {
return get(TokenConstants.DETAILS_USERNAME);
}
public static void setUserName(String username) {
set(TokenConstants.DETAILS_USERNAME, username);
}
public static String getPermission() {
return get(TokenConstants.ROLE_PERMISSION);
}
public static void setPermission(String permissions) {
set(TokenConstants.ROLE_PERMISSION, permissions);
}
public static void remove() {
THREAD_LOCAL.remove();
}
}Jwt过滤器响应头设置信息
在JwtAuthenticationTokenFilter解析Token后,设置头部信息,ObjUtil来自于Hutool工具包:
java
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ……{
// 1.获取token
String token = request.getHeader("token");
if (!StringUtils.hasText(token)) {
filterChain.doFilter(request, response); // 放行,交给SpringSecurity自行处理
return;
}
// 2.解析token,获取User对象封装成LoginUser对象
SecurityUser securityUser = JwtUtils.payloadToken(token);
LoginUser loginUser = new LoginUser(securityUser, new ArrayList<>());
// 3.存入SecurityContextHolder
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, null);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
// 4.将用户id和账号存入header
if (ObjUtil.isNotEmpty(loginUser.getUser())) {
response.setHeader(TokenConstants.DETAILS_USER_ID, loginUser.getUser().getId().toString());
response.setHeader(TokenConstants.DETAILS_USERNAME, loginUser.getUser().getUsername());
} else {
response.setHeader(TokenConstants.DETAILS_USER_ID, "");
response.setHeader(TokenConstants.DETAILS_USERNAME, "");
}
// 5.放行
filterChain.doFilter(request, response);
}
}配置拦截器缓存用户信息
在Token过滤器存入的用户信息,此时存入到SecurityContextHolder中,也激素
java
@Slf4j
@Configuration
public class HeaderInterceptor implements AsyncHandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (!(handler instanceof HandlerMethod)) {
return true;
}
SecurityContextHolder.setUserId(response.getHeader(TokenConstants.DETAILS_USER_ID));
SecurityContextHolder.setUserName(response.getHeader(TokenConstants.DETAILS_USERNAME));
String token = request.getHeader(TokenConstants.AUTHENTICATION);
if (StrUtil.isNotEmpty(token)) {
SecurityUser securityUser = JwtUtils.payloadToken(token);
LoginUser loginUser = new LoginUser(securityUser);
if (ObjUtil.isNotNull(securityUser)) {
SecurityContextHolder.set(TokenConstants.LOGIN_USER, loginUser);
}
}
return true;
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
SecurityContextHolder.remove();
}
}