Spring Security结合JWT的方法教程

网友投稿 474 2023-03-06


Spring Security结合JWT的方法教程

概述

众所周知使用 JWT 做权限验证,相比 Session 的优点是,Session 需要占用大量服务器内存,并且在多服务器时就会涉及到共享 Session 问题,在手机等移动端访问时比较麻烦

而 JWT 无需存储在服务器,不占用服务器资源(也就是无状态的),用户在登录后拿到 Token 后,访问需要权限的请求时附上 Token(一般设置在Http请求头),JWT 不存在多服务器共享的问题,也没有手机移动端访问问题,若为了提高安全,可将 Token 与用户的 IP 地址绑定起来

前端流程

用户通过 AJAX 进行登录得到一个 Token

之后访问需要权限请求时附上 Token 进行访问

Please Login

后端流程(Spring Boot + Spring Security + JJWT)

思路:

创建用户、权限实体类与数据传输对象

编写 Dao 层接口,用于获取用户信息

实现 UserDetails(Security 支持的用户实体对象,包含权限信息)

实现 UserDetailsSevice(从uyJFncx数据库中获取用户信息,并包装成UserDetails)

编写 JWTToken 生成工具,用于生成、验证、解析 Token

配置 Security,配置请求处理 与 设置 UserDetails 获取方式为自定义的 UserDetailsSevice

编写 LoginController,接收用户登录名密码并进行验证,若验证成功返回 Token 给用户

编写过滤器,若用户请求头或参数中包含 Token 则解析,并生成 Authentication,绑定到 SecurityContext ,供 Security 使用

用户访问了需要权限的页面,却没附上正确的 Token,在过滤器处理时则没有生成 Authentication,也就不存在访问权限,则无法访问,否之访问成功

编写用户实体类,并插入一条数据

User(用户)实体类

@Data

@Entity

public class User {

@Id

@GeneratedValue

private int id;

private String name;

private String password;

@ManyToManhttp://y(cascade = {CascadeType.REFRESH}, fetch = FetchType.EAGER)

@JoinTable(name = "user_role", joinColumns = {@JoinColumn(name = "uid", referencedColumnName = "id")}, inverseJoinColumns = {@JoinColumn(name = "rid", referencedColumnName = "id")})

private List roles;

}

Role(权限)实体类

@Data

@Entity

public class Role {

@Id

@GeneratedValue

private int id;

private String name;

@ManyToMany(mappedBy = "roles")

private List users;

}

插入数据

User 表

id

name

password

1

linyuan

123

Role 表

id

name

1

USER

User_ROLE 表

uid

rid

1

1

Dao 层接口,通过用户名获取数据,返回值为 java8 的 Optional 对象

public interface UserRepository extends Repository {

Optional findByName(String name);

}

编写 LoginDTO,用于与前端之间数据传输

@Data

public class LoginDTO implements Serializable {

@NotBlank(message = "用户名不能为空")

private String username;

@NotBlank(message = "密码不能为空")

private String password;

}

编写 Token 生成工具,利用 JJWT 库创建,一共三个方法:生成 Token(返回String)、解析 Token(返回Authentication认证对象)、验证 Token(返回布尔值)

@Component

public class JWTTokenUtils {

private final Logger log = LoggerFactory.getLogger(JWTTokenUtils.class);

private static final String AUTHORITIES_KEY = "auth";

private String secretKey; //签名密钥

private long tokenValidityInMilliseconds; //失效日期

private long tokenValidityInMillisecondsForRememberMe; //(记住我)失效日期

@PostConstruct

public void init() {

this.secretKey = "LinuyJFncxyuanmima";

int secondIn1day = 1000 * 60 * 60 * 24;

this.tokenValidityInMilliseconds = secondIn1day * 2L; this.tokenValidityInMillisecondsForRememberMe = secondIn1day * 7L;

}

private final static long EXPIRATIONTIME = 432_000_000;

//创建Token

public String createToken(Authentication authentication, Boolean rememberMe){

String authorities = authentication.getAuthorities().stream() //获取用户的权限字符串,如 USER,ADMIN

.map(GrantedAuthority::getAuthority)

.collect(Collectors.joining(","));

long now = (new Date()).getTime(); //获取当前时间戳

Date validity; //存放过期时间

if (rememberMe){

validity = new Date(now + this.tokenValidityInMilliseconds);

}else {

validity = new Date(now + this.tokenValidityInMillisecondsForRememberMe);

}

return Jwts.builder() //创建Token令牌

.setSubject(authentication.getName()) //设置面向用户

.claim(AUTHORITIES_KEY,authorities) //添加权限属性

.setExpiration(validity) //设置失效时间

.signWith(SignatureAlgorithm.HS512,secretKey) //生成签名

.compact();

}

//获取用户权限

public Authentication getAuthentication(String token){

System.out.println("token:"+token);

Claims claims = Jwts.parser() //解析Token的payload

.setSigningKey(secretKey)

.parseClaimsJws(token)

.getBody();

Collection extends GrantedAuthority> authorities =

Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(",")) //获取用户权限字符串

.map(SimpleGrantedAuthority::new)

.collect(Collectors.toList()); //将元素转换为GrantedAuthority接口集合

User principal = new User(claims.getSubject(), "", authorities);

return new UsernamePasswordAuthenticationToken(principal, "", authorities);

}

//验证Token是否正确

public boolean validateToken(String token){

try {

Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token); //通过密钥验证Token

return true;

}catch (SignatureException e) { //签名异常

log.info("Invalid JWT signature.");

log.trace("Invalid JWT signature trace: {}", e);

} catch (MalformedJwtException e) { //JWT格式错误

log.info("Invalid JWT token.");

log.trace("Invalid JWT token trace: {}", e);

} catch (ExpiredJwtException e) { //JWT过期

log.info("Expired JWT token.");

log.trace("Expired JWT token trace: {}", e);

} catch (UnsupportedJwtException e) { //不支持该JWT

log.info("Unsupported JWT token.");

log.trace("Unsupported JWT token trace: {}", e);

} catch (IllegalArgumentException e) { //参数错误异常

log.info("JWT token compact of handler are invalid.");

log.trace("JWT token compact of handler are invalid trace: {}", e);

}

return false;

}

}

实现 UserDetails 接口,代表用户实体类,在我们的 User 对象上在进行包装,包含了权限等性质,可以供 Spring Security 使用

public class MyUserDetails implements UserDetails{

private User user;

public MyUserDetails(User user) {

this.user = user;

}

@Override

public Collection extends GrantedAuthority> getAuthorities() {

List roles = user.getRoles();

List authorities = new ArrayList<>();

StringBuilder sb = new StringBuilder();

if (roles.size()>=1){

for (Role role : roles){

authorities.add(new SimpleGrantedAuthority(role.getName()));

}

return authorities;

}

return AuthorityUtils.commaSeparatedStringToAuthorityList("");

}

@Override

public String getPassword() {

return user.getPassword();

}

@Override

public String getUsername() {

return user.getName();

}

@Override

public boolean isAccountNonExpired() {

return true;

}

@Override

public boolean isAccountNonLocked() {

return true;

}

@Override

public boolean isCredentialsNonExpired() {

return true;

}

@Override

public boolean isEnabled() {

return true;

}

}

实现 UserDetailsService 接口,该接口仅有一个方法,用来获取 UserDetails,我们可以从数据库中获取 User 对象,然后将其包装成 UserDetails 并返回

@Service

public class MyUserDetailsService implements UserDetailsService {

@Autowired

UserRepository userRepository;

@Override

public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {

//从数据库中加载用户对象

Optional user = userRepository.findByName(s);

//调试用,如果值存在则输出下用户名与密码

user.ifPresent((value)->System.out.println("用户名:"+value.getName()+" 用户密码:"+value.getPassword()));

//若值不再则返回null

return new MyUserDetails(user.orElse(null));

}

}

编写过滤器,用户如果携带 Token 则获取 Token,并根据 Token 生成 Authentication 认证对象,并存放到 SecurityContext 中,供 Spring Security 进行权限控制

public class JwtAuthenticationTokenFilter extends GenericFilterBean {

private final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);

@Autowired

private JWTTokenUtils tokenProvider;

@Override

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

System.out.println("JwtAuthenticationTokenFilter");

try {

HttpServletRequest httpReq = (HttpServletRequest) servletRequest;

String jwt = resolveToken(httpReq);

if (StringUtils.hasText(jwt) && this.tokenProvider.validateToken(jwt)) { //验证JWT是否正确

Authentication authentication = this.tokenProvider.getAuthentication(jwt); //获取用户认证信息

SecurityContextHolder.getContext().setAuthentication(authentication); //将用户保存到SecurityContext

}

filterChain.doFilter(servletRequest, servletResponse);

}catch (ExpiredJwtException e){ //JWT失效

log.info("Security exception for user {} - {}",

e.getClaims().getSubject(), e.getMessage());

log.trace("Security exception trace: {}", e);

((HttpServletResponse) servletResponse).setStatus(HttpServletResponse.SC_UNAUTHORIZED);

}

}

private String resolveToken(HttpServletRequest request){

String bearerToken = request.getHeader(WebSecurityConfig.AUTHORIZATION_HEADER); //从HTTP头部获取TOKEN

if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")){

return bearerToken.substring(7, bearerToken.length()); //返回Token字符串,去除Bearer

}

String jwt = request.getParameter(WebSecurityConfig.AUTHORIZATION_TOKEN); //从请求参数中获取TOKEN

if (StringUtils.hasText(jwt)) {

return jwt;

}

return null;

}

}

编写 LoginController,用户通过用户名、密码访问 /auth/login,通过 LoginDTO 对象接收,创建一个 Authentication 对象,代码中为 UsernamePasswordAuthenticationToken,判断对象是否存在,通过 AuthenticationManager 的 authenticate 方法对认证对象进行验证,AuthenticationManager 的实现类 ProviderManager 会通过 AuthentionProvider(认证处理) 进行验证,默认 ProviderManager 调用 DaoAuthenticationProvider 进行认证处理,DaoAuthenticationProvider 中会通过 UserDetailsService(认证信息来源) 获取 UserDetails ,若认证成功则返回一个包含权限的 Authention,然后通过 SecurityContextHolder.getContext().setAuthentication() 设置到 SecurityContext 中,根据 Authentication 生成 Token,并返回给用户

@RestController

public class LoginController {

@Autowired

private UserRepository userRepository;

@Autowired

private AuthenticationManager authenticationManager;

@Autowired

private JWTTokenUtils jwtTokenUtils;

@RequestMapping(value = "/auth/login",method = RequestMethod.POST)

public String login(@Valid LoginDTO loginDTO, HttpServletResponse httpResponse) throws Exception{

//通过用户名和密码创建一个 Authentication 认证对象,实现类为 UsernamePasswordAuthenticationToken

UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginDTO.getUsername(),loginDTO.getPassword());

//如果认证对象不为空

if (Objects.nonNull(authenticationToken)){

userRepository.findByName(authenticationToken.getPrincipal().toString())

.orElseThrow(()->new Exception("用户不存在"));

}

try {

//通过 AuthenticationManager(默认实现为ProviderManager)的authenticate方法验证 Authentication 对象

Authentication authentication = authenticationManager.authenticate(authenticationToken);

//将 Authentication 绑定到 SecurityContext

SecurityContextHolder.getContext().setAuthentication(authentication);

//生成Token

String token = jwtTokenUtils.createToken(authentication,false);

//将Token写入到Http头部

httpResponse.addHeader(WebSecurityConfig.AUTHORIZATION_HEADER,"Bearer "+token);

return "Bearer "+token;

}catch (BadCredentialsException authentication){

throw new Exception("密码错误");

}

}

}

编写 Security 配置类,继承 WebSecurityConfigurerAdapter,重写 configure 方法

@Configuration

@EnableWebSecurity

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

public static final String AUTHORIZATION_HEADER = "Authorization";

public static final String AUTHORIZATION_TOKEN = "access_token";

@Autowired

private UserDetailsService userDetailsService;

@Override

protected void configure(AuthenticationManagerBuilder auth) throws Exception {

auth

//自定义获取用户信息

.userDetailsService(userDetailsService)

//设置密码加密

.passwordEncoder(passwordEncoder());

}

@Override

protected void configure(HttpSecurity http) throws Exception {

//配置请求访问策略

http

//关闭CSRF、CORS

.cors().disable()

.csrf().disable()

//由于使用Token,所以不需要Session

.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

.and()

//验证Http请求

.authorizeRequests()

//允许所有用户访问首页 与 登录

.antMatchers("/","/auth/login").permitAll()

//其它任何请求都要经过认证通过

.anyRequest().authenticated()

//用户页面需要用户权限

.antMatchers("/userpage").hasAnyRole("USER")

.and()

//设置登出

.logout().permitAll();

//添加JWT filter 在

http

.addFilterBefore(genericFilterBean(), UsernamePasswordAuthenticationFilter.class);

}

@Bean

public PasswordEncoder passwordEncoder() {

return new BCryptPasswordEncoder();

}

@Bean

public GenericFilterBean genericFilterBean() {

return new JwtAuthenticationTokenFilter();

}

}

编写用于测试的Controller

@RestController

public class UserController {

@PostMapping("/login")

public String login() {

return "login";

}

@GetMapping("/")

public String index() {

return "hello";

}

@GetMapping("/userpage")

public String httpApi() {

System.out.println(SecurityContextHolder.getContext().getAuthentication().getPrincipal());

return "userpage";

}

@GetMapping("/adminpage")

public String httpSuite() {

return "userpage";

}

}

案例源码下载  (本地下载)

总结

以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,如果有疑问大家可以留言交流,谢谢大家对我们的支持。


版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

上一篇:在线api管理团队(api管理平台)
下一篇:java设计接口(java设计接口类型和使用场景)
相关文章

 发表评论

暂时没有评论,来抢沙发吧~