pojo层

@Data
@AllArgsConstructor
@NoArgsConstructor
public class OnlineUser {private String userName;private String nickName;private String job;private String browser;private String ip;private String address;private String key;private Date loginTime;}

security 配置类

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {private final TokenProvider tokenProvider;private final CorsFilter corsFilter;private final JwtAuthenticationEntryPoint authenticationErrorHandler;private final JwtAccessDeniedHandler jwtAccessDeniedHandler;private final ApplicationContext applicationContext;public SecurityConfig(TokenProvider tokenProvider, CorsFilter corsFilter, JwtAuthenticationEntryPoint authenticationErrorHandler, JwtAccessDeniedHandler jwtAccessDeniedHandler, ApplicationContext applicationContext) {this.tokenProvider = tokenProvider;this.corsFilter = corsFilter;this.authenticationErrorHandler = authenticationErrorHandler;this.jwtAccessDeniedHandler = jwtAccessDeniedHandler;this.applicationContext = applicationContext;}@BeanGrantedAuthorityDefaults grantedAuthorityDefaults() {// 去除 ROLE_ 前缀return new GrantedAuthorityDefaults("");}@Beanpublic PasswordEncoder passwordEncoder() {// 密码加密方式return new BCryptPasswordEncoder();}@Overrideprotected void configure(HttpSecurity httpSecurity) throws Exception {// 搜寻匿名标记 url： @AnonymousAccessMap<RequestMappingInfo, HandlerMethod> handlerMethodMap = applicationContext.getBean(RequestMappingHandlerMapping.class).getHandlerMethods();Set<String> anonymousUrls = new HashSet<>();for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethodMap.entrySet()) {HandlerMethod handlerMethod = infoEntry.getValue();AnonymousAccess anonymousAccess = handlerMethod.getMethodAnnotation(AnonymousAccess.class);if (null != anonymousAccess) {anonymousUrls.addAll(infoEntry.getKey().getPatternsCondition().getPatterns());}}httpSecurity// 禁用 CSRF.csrf().disable().addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)// 授权异常.exceptionHandling().authenticationEntryPoint(authenticationErrorHandler).accessDeniedHandler(jwtAccessDeniedHandler)// 防止iframe 造成跨域.and().headers().frameOptions().disable()// 不创建会话.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()// 静态资源等等.antMatchers(HttpMethod.GET,"/*.html","/**/*.html","/**/*.css","/**/*.js","/webSocket/**").permitAll()// swagger 文档.antMatchers("/swagger-ui.html").permitAll().antMatchers("/swagger-resources/**").permitAll().antMatchers("/webjars/**").permitAll().antMatchers("/*/api-docs").permitAll().antMatchers("/v2/api-docs-ext").permitAll()//.antMatchers("/api/wxmp/**").permitAll()// 文件.antMatchers("/avatar/**").permitAll().antMatchers("/file/**").permitAll()// 阿里巴巴 druid.antMatchers("/druid/**").permitAll()// 放行OPTIONS请求.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()// 所有请求都需要认证.anyRequest().authenticated().and().apply(securityConfigurerAdapter());}private TokenConfigurer securityConfigurerAdapter() {return new TokenConfigurer(tokenProvider);}
}

其中TokenProvider ， JwtAuthenticationEntryPoint，JwtAccessDeniedHandler 均为自定义的类，代码过多就不贴了

security工具类

public class SecurityUtils {public static UserDetails getUserDetails() {final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();if (authentication == null) {throw new BadRequestException(HttpStatus.UNAUTHORIZED, "当前登录状态过期");}if (authentication.getPrincipal() instanceof UserDetails) {UserDetails userDetails = (UserDetails) authentication.getPrincipal();UserDetailsService userDetailsService = SpringContextHolder.getBean(UserDetailsService.class);return userDetailsService.loadUserByUsername(userDetails.getUsername());}throw new BadRequestException(HttpStatus.UNAUTHORIZED, "找不到当前登录的信息");}/*** 获取系统用户名称* @return 系统用户名称*/public static String getUsername() {final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();if (authentication == null) {throw new BadRequestException(HttpStatus.UNAUTHORIZED, "当前登录状态过期");}UserDetails userDetails = (UserDetails) authentication.getPrincipal();return userDetails.getUsername();}/*** 获取系统用户id* @return 系统用户id*/public static Long getUserId() {Object obj = getUserDetails();JSONObject json = new JSONObject(obj);return json.get("id", Long.class);}
}

controller:

@RestController
@RequestMapping("/auth")
@Api(tags = "系统：系统授权接口")
public class AuthController {@Value("${loginCode.expiration}")private Long expiration;@Value("${rsa.private_key}")private String privateKey;@Value("${single.login}")private Boolean singleLogin;private final SecurityProperties properties;private final RedisUtils redisUtils;private final UserDetailsService userDetailsService;private final OnlineUserService onlineUserService;private final TokenProvider tokenProvider;private final AuthenticationManagerBuilder authenticationManagerBuilder;public AuthController(SecurityProperties properties, RedisUtils redisUtils, UserDetailsService userDetailsService, OnlineUserService onlineUserService, TokenProvider tokenProvider, AuthenticationManagerBuilder authenticationManagerBuilder) {this.properties = properties;this.redisUtils = redisUtils;this.userDetailsService = userDetailsService;this.onlineUserService = onlineUserService;this.tokenProvider = tokenProvider;this.authenticationManagerBuilder = authenticationManagerBuilder;}@Log("用户登录")@ApiOperation("登录授权")@AnonymousAccess@PostMapping(value = "/login")public ResponseEntity<Object> login(@Validated @RequestBody AuthUser authUser, HttpServletRequest request) {// 密码解密RSA rsa = new RSA(privateKey, null);String password = new String(rsa.decrypt(authUser.getPassword(), KeyType.PrivateKey));// 查询验证码String code = (String) redisUtils.get(authUser.getUuid());// 清除验证码redisUtils.del(authUser.getUuid());if (StringUtils.isBlank(code)) {throw new BadRequestException("验证码不存在或已过期");}if (StringUtils.isBlank(authUser.getCode()) || !authUser.getCode().equalsIgnoreCase(code)) {throw new BadRequestException("验证码错误");}UsernamePasswordAuthenticationToken authenticationToken =new UsernamePasswordAuthenticationToken(authUser.getUsername(), password);Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);SecurityContextHolder.getContext().setAuthentication(authentication);//上下文设置用户权限// 生成令牌String token = tokenProvider.createToken(authentication);final JwtUser jwtUser = (JwtUser) authentication.getPrincipal();// 保存在线信息onlineUserService.save(jwtUser, token, request);// 返回 token 与 用户信息Map<String, Object> authInfo = new HashMap<String, Object>(2) {{put("token", properties.getTokenStartWith() + token);put("user", jwtUser);}};if (singleLogin) {//踢掉之前已经登录的tokenonlineUserService.checkLoginOnUser(authUser.getUsername(), token);}return ResponseEntity.ok(authInfo);}@ApiOperation("获取验证码")@GetMapping(value = "/code")public ResponseEntity<Object> getCode() {// 算术类型 https://gitee.com/whvse/EasyCaptchaArithmeticCaptcha captcha = new ArithmeticCaptcha(111, 36);// 几位数运算，默认是两位captcha.setLen(2);// 获取运算的结果String result = "";try {result = new Double(Double.parseDouble(captcha.text())).intValue() + "";} catch (Exception e) {result = captcha.text();}String uuid = properties.getCodeKey() + IdUtil.simpleUUID();// 保存redisUtils.set(uuid, result, expiration, TimeUnit.MINUTES);// 验证码信息Map<String, Object> imgResult = new HashMap<String, Object>(2) {{put("img", captcha.toBase64());put("uuid", uuid);}};return ResponseEntity.ok(imgResult);}@ApiOperation("退出登录")@DeleteMapping(value = "/logout")public ResponseEntity<Object> logout(HttpServletRequest request) {onlineUserService.logout(tokenProvider.getToken(request));return new ResponseEntity<>(HttpStatus.OK);}
}

service:

 /*** 检测用户是否在之前已经登录，已经登录踢下线* @param userName 用户名*/public void checkLoginOnUser(String userName, String igoreToken) {List<OnlineUser> onlineUsers = getAll(userName, 0);if (onlineUsers == null || onlineUsers.isEmpty()) {return;}for (OnlineUser onlineUser : onlineUsers) {if (onlineUser.getUserName().equals(userName)) {try {String token = EncryptUtils.desDecrypt(onlineUser.getKey());if (StringUtils.isNotBlank(igoreToken) && !igoreToken.equals(token)) {this.kickOut(onlineUser.getKey());} else if (StringUtils.isBlank(igoreToken)) {this.kickOut(onlineUser.getKey());}} catch (Exception e) {log.error("checkUser is error", e);}}}}}/*** 踢出用户* @param key /* @throws Exception /*/public void kickOut(String key) throws Exception {key = properties.getOnlineKey() + EncryptUtils.desDecrypt(key);redisUtils.del(key);}/*** 退出登录* @param token /*/public void logout(String token) {String key = properties.getOnlineKey() + token;redisUtils.del(key);}

其中EncryptUtils.desDecrypt方法：

 /*** 对称解密*/public static String desDecrypt(String source) throws Exception {byte[] src = hex2byte(source.getBytes());DESKeySpec desKeySpec = getDesKeySpec(source);SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");SecretKey secretKey = keyFactory.generateSecret(desKeySpec);cipher.init(Cipher.DECRYPT_MODE, secretKey, iv);byte[] retByte = cipher.doFinal(src);return new String(retByte);}