集成 Spring Security 组件，重构后，整体逻辑更加清晰

2025-07-19 21:45:06 +08:00 · 2021-01-03 12:15:16 +08:00
parent ee9a358b11
commit fc8eac548a
27 changed files with 1821 additions and 177 deletions
--- a/src/main/java/cn/iocoder/dashboard/framework/security/config/SecurityConfiguration.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/config/SecurityConfiguration.java
@ -0,0 +1,149 @@
+package cn.iocoder.dashboard.framework.security.config;
+
+import cn.iocoder.dashboard.framework.security.core.filter.JwtAuthenticationTokenFilter;
+import cn.iocoder.dashboard.framework.security.core.handler.AuthenticationEntryPointImpl;
+import cn.iocoder.dashboard.framework.security.core.handler.LogoutSuccessHandlerImpl;
+import cn.iocoder.dashboard.framework.web.config.WebProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.web.filter.CorsFilter;
+
+import javax.annotation.Resource;
+
+/**
+ * spring security配置
+ *
+ * @author ruoyi
+ */
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+@EnableConfigurationProperties(SecurityProperties.class)
+public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+    /**
+     * 自定义用户认证逻辑
+     */
+    @Resource
+    private UserDetailsService userDetailsService;
+
+    /**
+     * 认证失败处理类
+     */
+    @Resource
+    private AuthenticationEntryPoint unauthorizedHandler;
+    /**
+     * 权限不够处理器
+     */
+    @Resource
+    private AccessDeniedHandler accessDeniedHandler;
+    /**
+     * 退出处理类
+     */
+    @Resource
+    private LogoutSuccessHandlerImpl logoutSuccessHandler;
+
+    /**
+     * Token 认证过滤器
+     */
+    @Resource
+    private JwtAuthenticationTokenFilter authenticationTokenFilter;
+
+    @Resource
+    private WebProperties webProperties;
+
+    /**
+     * 由于 Spring Security 创建 AuthenticationManager 对象时，没声明 @Bean 注解，导致无法被注入
+     * 通过覆写父类的该方法，添加 @Bean 注解，解决该问题
+     */
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    /**
+     * Spring Security 加密器
+     * 考虑到安全性，这里采用 BCryptPasswordEncoder 加密器
+     *
+     * @see <a href="http://stackabuse.com/password-encoding-with-spring-security/">Password Encoding with Spring Security</a>
+     */
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    /**
+     * 身份认证接口
+     */
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userDetailsService)
+                .passwordEncoder(passwordEncoder());
+    }
+
+    /**
+     * 配置 URL 的安全配置
+     *
+     * anyRequest          |   匹配所有请求路径
+     * access              |   SpringEl表达式结果为true时可以访问
+     * anonymous           |   匿名可以访问
+     * denyAll             |   用户不能访问
+     * fullyAuthenticated  |   用户完全认证可以访问（非remember-me下自动登录）
+     * hasAnyAuthority     |   如果有参数，参数表示权限，则其中任何一个权限可以访问
+     * hasAnyRole          |   如果有参数，参数表示角色，则其中任何一个角色可以访问
+     * hasAuthority        |   如果有参数，参数表示权限，则其权限可以访问
+     * hasIpAddress        |   如果有参数，参数表示IP地址，如果用户IP和参数匹配，则可以访问
+     * hasRole             |   如果有参数，参数表示角色，则其角色可以访问
+     * permitAll           |   用户可以任意访问
+     * rememberMe          |   允许通过remember-me登录的用户访问
+     * authenticated       |   用户登录后可访问
+     */
+    @Override
+    protected void configure(HttpSecurity httpSecurity) throws Exception {
+        httpSecurity
+                // CSRF 禁用，因为不使用 Session
+                .csrf().disable()
+                // 基于 token 机制，所以不需要 Session
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+                // 一堆自定义的 Spring Security 处理器
+                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
+                    .accessDeniedHandler(accessDeniedHandler).and()
+                // TODO 过滤请求
+                .authorizeRequests()
+                // 登陆的接口，可匿名访问
+                .antMatchers(webProperties.getApiPrefix() + "/login").anonymous()
+                // 通用的接口，可匿名访问
+                .antMatchers( webProperties.getApiPrefix() + "/captcha/**").anonymous()
+                // TODO
+                .antMatchers(HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js").permitAll()
+                .antMatchers("/profile/**").anonymous()
+                .antMatchers("/common/download**").anonymous()
+                .antMatchers("/common/download/resource**").anonymous()
+                .antMatchers("/swagger-ui.html").anonymous()
+                .antMatchers("/swagger-resources/**").anonymous()
+                .antMatchers("/webjars/**").anonymous()
+                .antMatchers("/*/api-docs").anonymous()
+                .antMatchers("/druid/**").hasAnyAuthority("druid") // TODO 芋艿，未来需要在拓展下
+                // 除上面外的所有请求全部需要鉴权认证
+                .anyRequest().authenticated()
+                .and()
+                .headers().frameOptions().disable();
+        httpSecurity.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
+        // 添加 JWT Filter
+        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/config/SecurityProperties.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/config/SecurityProperties.java
@ -0,0 +1,52 @@
+package cn.iocoder.dashboard.framework.security.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
+
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import java.time.Duration;
+
+@ConfigurationProperties(prefix = "yudao.security")
+@Validated
+@Data
+public class SecurityProperties {
+
+    /**
+     * HTTP 请求时，访问令牌的请求 Header
+     */
+    @NotEmpty(message = "Token Header 不能为空")
+    private String tokenHeader;
+    /**
+     * Token 过期时间
+     */
+    @NotNull(message = "Token 过期时间不能为空")
+    private Duration tokenTimeout;
+    /**
+     * Token 秘钥
+     */
+    @NotEmpty(message = "Token 秘钥不能为空")
+    private String tokenSecret;
+    /**
+     * Session 过期时间
+     *
+     * 当 User 用户超过当前时间未操作，则 Session 会过期
+     */
+    @NotNull(message = "Session 过期时间不能为空")
+    private Duration sessionTimeout;
+
+    /**
+     * mock 模式的开关
+     */
+    @NotNull(message = "mock 模式的开关不能为空")
+    private Boolean mockEnable;
+    /**
+     * mock 模式的秘钥
+     * 一定要配置秘钥，保证安全性
+     */
+    @NotEmpty(message = "mock 模式的秘钥不能为空") // 这里设置了一个默认值，因为实际上只有 mockEnable 为 true 时才需要配置。
+    private String mockSecret = "yudaoyuanma";
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/LoginUser.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/LoginUser.java
@ -0,0 +1,90 @@
+package cn.iocoder.dashboard.framework.security.core;
+
+import cn.iocoder.dashboard.modules.system.enums.user.UserStatus;
+import com.alibaba.fastjson.annotation.JSONField;
+import lombok.Data;
+import org.springframework.data.annotation.Transient;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.Set;
+
+/**
+ * 登陆用户信息
+ *
+ * @author 芋道源码
+ */
+@Data
+public class LoginUser implements UserDetails {
+
+    /**
+     * 用户编号
+     */
+    private Long userId;
+    /**
+     * 角色编号数组
+     */
+    private Set<Integer> roleIds;
+    /**
+     * 最后更新时间
+     */
+    private Date updateTime;
+
+    /**
+     * 用户名
+     */
+    private String username;
+    /**
+     * 密码
+     */
+    private String password;
+    /**
+     * 状态
+     */
+    private String status;
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public String getPassword() {
+        return password;
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public String getUsername() {
+        return username;
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public boolean isEnabled() {
+        return UserStatus.OK.getCode().equals(status);
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return null;
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public boolean isAccountNonExpired() {
+        return true; // 返回 true，不依赖 Spring Security 判断
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public boolean isAccountNonLocked() {
+        return true; // 返回 true，不依赖 Spring Security 判断
+    }
+
+    @Override
+    @JSONField(serialize = false) // 避免序列化
+    public boolean isCredentialsNonExpired() {
+        return true;  // 返回 true，不依赖 Spring Security 判断
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/filter/JwtAuthenticationTokenFilter.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/filter/JwtAuthenticationTokenFilter.java
@ -0,0 +1,89 @@
+package cn.iocoder.dashboard.framework.security.core.filter;
+
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.extra.servlet.ServletUtil;
+import cn.iocoder.dashboard.common.pojo.CommonResult;
+import cn.iocoder.dashboard.framework.security.config.SecurityProperties;
+import cn.iocoder.dashboard.framework.security.core.LoginUser;
+import cn.iocoder.dashboard.framework.security.core.util.SecurityUtils;
+import cn.iocoder.dashboard.framework.web.core.handler.GlobalExceptionHandler;
+import cn.iocoder.dashboard.modules.system.service.auth.SysAuthService;
+import cn.iocoder.dashboard.util.servlet.ServletUtils;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.annotation.Resource;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * JWT 过滤器，验证 token 的有效性
+ * 验证通过后，获得 {@link LoginUser} 信息，并加入到 Spring Security 上下文
+ *
+ * @author ruoyi
+ */
+@Component
+public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
+
+    @Resource
+    private SecurityProperties securityProperties;
+    @Resource
+    private SysAuthService authService;
+    @Resource
+    private GlobalExceptionHandler globalExceptionHandler;
+
+    @Override
+    @SuppressWarnings("NullableProblems")
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+            throws ServletException, IOException {
+        String token = SecurityUtils.obtainAuthorization(request, securityProperties.getTokenHeader());
+        if (StrUtil.isNotEmpty(token)) {
+            try {
+                // 验证 token 有效性
+                LoginUser loginUser = authService.verifyTokenAndRefresh(token);
+                // 模拟 Login 功能，方便日常开发调试
+                if (loginUser == null) {
+                    loginUser = this.mockLoginUser(token);
+                }
+                // 设置当前用户
+                if (loginUser != null) {
+                    SecurityUtils.setLoginUser(loginUser, request);
+                }
+            } catch (Throwable ex) {
+                CommonResult<?> result = globalExceptionHandler.allExceptionHandler(request, ex);
+                ServletUtils.writeJSON(response, result);
+                return;
+            }
+        }
+
+        // 继续过滤链
+        chain.doFilter(request, response);
+    }
+
+    /**
+     * 模拟登陆用户，方便日常开发调试
+     *
+     * 注意，在线上环境下，一定要关闭该功能！！！
+     *
+     * @param token 模拟的 token，格式为 {@link SecurityProperties#getTokenSecret()} + 用户编号
+     * @return 模拟的 LoginUser
+     */
+    private LoginUser mockLoginUser(String token) {
+        if (!securityProperties.getMockEnable()) {
+            return null;
+        }
+        // 必须以 mockSecret 开头
+        if (!token.startsWith(securityProperties.getMockSecret())) {
+            return null;
+        }
+        Long userId = Long.valueOf(token.substring(securityProperties.getMockSecret().length()));
+        return authService.mockLogin(userId);
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/AccessDeniedHandlerImpl.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/AccessDeniedHandlerImpl.java
@ -0,0 +1,44 @@
+package cn.iocoder.dashboard.framework.security.core.handler;
+
+import cn.iocoder.dashboard.common.exception.enums.GlobalErrorCodeConstants;
+import cn.iocoder.dashboard.common.pojo.CommonResult;
+import cn.iocoder.dashboard.framework.security.core.util.SecurityUtils;
+import cn.iocoder.dashboard.util.servlet.ServletUtils;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import static cn.iocoder.dashboard.common.exception.enums.GlobalErrorCodeConstants.UNAUTHORIZED;
+
+/**
+ * 访问一个需要认证的 URL 资源，已经认证（登录）但是没有权限的情况下，返回 {@link GlobalErrorCodeConstants#FORBIDDEN} 错误码。
+ *
+ * 补充：Spring Security 通过 {@link ExceptionTranslationFilter#handleAccessDeniedException(HttpServletRequest, HttpServletResponse, FilterChain, AccessDeniedException)} 方法，调用当前类
+ *
+ * @author 芋道源码
+ */
+@Component
+@Slf4j
+@SuppressWarnings("JavadocReference")
+public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e)
+            throws IOException, ServletException {
+        // 打印 warn 的原因是，不定期合并 warn，看看有没恶意破坏
+        log.warn("[commence][访问 URL({}) 时，用户({}) 权限不够]", request.getRequestURI(),
+                SecurityUtils.getLoginUser().getUserId(), e);
+        // 返回 403
+        ServletUtils.writeJSON(response, CommonResult.error(UNAUTHORIZED));
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/AuthenticationEntryPointImpl.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/AuthenticationEntryPointImpl.java
@ -0,0 +1,37 @@
+package cn.iocoder.dashboard.framework.security.core.handler;
+
+import cn.iocoder.dashboard.common.exception.enums.GlobalErrorCodeConstants;
+import cn.iocoder.dashboard.common.pojo.CommonResult;
+import cn.iocoder.dashboard.util.servlet.ServletUtils;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static cn.iocoder.dashboard.common.exception.enums.GlobalErrorCodeConstants.UNAUTHORIZED;
+
+/**
+ * 访问一个需要认证的 URL 资源，但是此时自己尚未认证（登录）的情况下，返回 {@link GlobalErrorCodeConstants#UNAUTHORIZED} 错误码，从而使前端重定向到登录页
+ *
+ * 补充：Spring Security 通过 {@link ExceptionTranslationFilter#sendStartAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, AuthenticationException)} 方法，调用当前类
+ *
+ * @author ruoyi
+ */
+@Component
+@Slf4j
+@SuppressWarnings("JavadocReference") // 忽略文档引用报错
+public class AuthenticationEntryPointImpl implements AuthenticationEntryPoint {
+
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) {
+        log.debug("[commence][访问 URL({}) 时，没有登录]", request.getRequestURI(), e);
+        // 返回 401
+        ServletUtils.writeJSON(response, CommonResult.error(UNAUTHORIZED));
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/LogoutSuccessHandlerImpl.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/handler/LogoutSuccessHandlerImpl.java
@ -0,0 +1,42 @@
+package cn.iocoder.dashboard.framework.security.core.handler;
+
+import cn.hutool.core.util.StrUtil;
+import cn.iocoder.dashboard.framework.security.config.SecurityProperties;
+import cn.iocoder.dashboard.framework.security.core.service.SecurityFrameworkService;
+import cn.iocoder.dashboard.framework.security.core.util.SecurityUtils;
+import cn.iocoder.dashboard.util.servlet.ServletUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.stereotype.Component;
+
+import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * 自定义退出处理器
+ *
+ * @author ruoyi
+ */
+@Component
+public class LogoutSuccessHandlerImpl implements LogoutSuccessHandler {
+
+    @Resource
+    private SecurityProperties securityProperties;
+
+    @Resource
+    private SecurityFrameworkService securityFrameworkService;
+
+    @Override
+    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        // 执行退出
+        String token = SecurityUtils.obtainAuthorization(request, securityProperties.getTokenHeader());
+        if (StrUtil.isNotBlank(token)) {
+            securityFrameworkService.logout(token);
+        }
+        // 返回成功
+        ServletUtils.writeJSON(response, null);
+//        ServletUtils.renderString(response, JSON.toJSONString(AjaxResult.error(HttpStatus.OK.value(), "退出成功")));
+    }
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/service/SecurityFrameworkService.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/service/SecurityFrameworkService.java
@ -0,0 +1,35 @@
+package cn.iocoder.dashboard.framework.security.core.service;
+
+import cn.iocoder.dashboard.framework.security.core.LoginUser;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+/**
+ * Security 框架 Service 接口，定义 security 组件需要的功能
+ */
+public interface SecurityFrameworkService extends UserDetailsService {
+
+    /**
+     * 基于 token 退出登录
+     *
+     * @param token token
+     */
+    void logout(String token);
+
+    /**
+     * 校验 token 的有效性，并获取用户信息
+     * 通过后，刷新 token 的过期时间
+     *
+     * @param token token
+     * @return 用户信息
+     */
+    LoginUser verifyTokenAndRefresh(String token);
+
+    /**
+     * 模拟指定用户编号的 LoginUser
+     *
+     * @param userId 用户编号
+     * @return 登录用户
+     */
+    LoginUser mockLogin(Long userId);
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/core/util/SecurityUtils.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/core/util/SecurityUtils.java
@ -0,0 +1,59 @@
+package cn.iocoder.dashboard.framework.security.core.util;
+
+import cn.iocoder.dashboard.framework.security.core.LoginUser;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * 安全服务工具类
+ *
+ * @author ruoyi
+ */
+public class SecurityUtils {
+
+    /**
+     * 从请求中，获得认证 Token
+     *
+     * @param request 请求
+     * @param header 认证 Token 对应的 Header 名字
+     * @return 认证 Token
+     */
+    public static String obtainAuthorization(HttpServletRequest request, String header) {
+        String authorization = request.getHeader(header);
+        if (!StringUtils.hasText(authorization)) {
+            return null;
+        }
+        int index = authorization.indexOf("Bearer ");
+        if (index == -1) { // 未找到
+            return null;
+        }
+        return authorization.substring(index + 7).trim();
+    }
+
+    /**
+     * 获取当前用户
+     */
+    public static LoginUser getLoginUser() {
+        return (LoginUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    }
+
+    /**
+     * 设置当前用户
+     *
+     * @param loginUser 登陆用户
+     * @param request 请求
+     */
+    public static void setLoginUser(LoginUser loginUser, HttpServletRequest request) {
+        // 创建 UsernamePasswordAuthenticationToken 对象
+        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
+                loginUser, null, null);
+        authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+        // 设置到上下文
+        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+    }
+
+}
--- a/src/main/java/cn/iocoder/dashboard/framework/security/package-info.java
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/package-info.java
@ -0,0 +1,7 @@
+/**
+ * 基于 Spring Security 框架
+ * 实现安全认证功能
+ *
+ * @author 芋道源码
+ */
+package cn.iocoder.dashboard.framework.security;
--- a/src/main/java/cn/iocoder/dashboard/framework/security/《芋道
+++ b/src/main/java/cn/iocoder/dashboard/framework/security/《芋道
@ -0,0 +1,2 @@
+* 芋道 Spring Security 入门：<http://www.iocoder.cn/Spring-Boot/Spring-Security/?dashboard>
+* Spring Security 基本概念：<http://www.iocoder.cn/Fight/Spring-Security-4-1-0-Basic-concept-description/?dashboard>