springsecurity6。0。2自定义token，实现权限控制

　　由于本系统目前还未集成redis等分布式缓存，目前用的是谷歌的guava做本地缓存来是实现token的时间有效期管理。
　　实现token生成工类TokenGeneratorpublic class TokenGenerator {      public static String generateValue() {         return generateValue(UUID.randomUUID().toString());     }      private static final char[] HEX_CODE = ＂0123456789abcdef＂.toCharArray();      public static String toHexString(byte[] data) {         if(data == null) {             return null;         }         StringBuilder r = new StringBuilder(data.length*2);         for ( byte b : data) {             r.append(HEX_CODE[(b >> 4) & 0xF]);             r.append(HEX_CODE[(b & 0xF)]);         }         return r.toString();     }      public static String generateValue(String param) {         try {             MessageDigest algorithm = MessageDigest.getInstance(＂MD5＂);             algorithm.reset();             algorithm.update(param.getBytes());             byte[] messageDigest = algorithm.digest();             return toHexString(messageDigest);         } catch (Exception e) {             throw new ServerException(＂token invalid＂, e);         }     } }
　　实现admin关token服务public interface SysUserTokenService extends IService {      /**      * 生成token      * @param loginUser  登录用户信息      */     RsObject createToken(UserDetail loginUser);       /**      * 获取用户身份信息      *      * @return 用户信息      */     public UserDetail getLoginUser(HttpServletRequest request);      /**      * 退出      * @param userId  用户ID      */     void logout(Long userId);  //    /** //     * 在线用户分页 //     */ //    PageData onlinePage(Map params);  }
　　新建一个filter用于校验登录信息AuthenticationTokenFilter@Component public class AuthenticationTokenFilter extends OncePerRequestFilter {     @Autowired     private SysUserTokenService tokenService;      @Override     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)             throws ServletException, IOException     {         UserDetail loginUser = tokenService.getLoginUser(request);         if (StringUtils.isNotNull(loginUser) && StringUtils.isNull(SecurityUser.getAuthentication()))         {             UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());             authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));             SecurityContextHolder.getContext().setAuthentication(authenticationToken);         }         chain.doFilter(request, response);     } }
　　天骄套SecurityConfig 配置
　　然后把如下配置从白名单中移除
　　启动服务刷新后台查询接口报错403
　　修改前端页面把后端返回的token保存下来并放到http请求头里面，如下编码
　　export const formatToken = (token: string): string => {   return ＂Bearer ＂ + token; };
　　然后从登录，带上token后就可以正常访问了