SpringSecurity集成JWT资源-CSDN文库

共19个文件

java：16个

xml：2个

yml：1个

需积分: 1 200 浏览量 2024-05-15 00:20:07 上传评论收藏 21KB ZIP 举报

SpringSecurity是Java领域中一款强大的安全框架，它提供了一套完整的解决方案来保护Spring应用程序。而JWT（Json Web Token）是一种轻量级的身份验证机制，广泛应用于API的安全授权。本篇文章将详细探讨如何将SpringSecurity与JWT相结合，实现高效且安全的身份验证。让我们了解一下SpringSecurity的基本配置。在SpringSecurity中，我们通常会创建一个`WebSecurityConfigurerAdapter`的子类，重写其`configure(HttpSecurity http)`方法来定制我们的安全规则。这包括定义访问控制、登录页面、授权策略等。例如，你可以设置某些URL只允许已认证用户访问，或者配置CSRF保护等。以下是一个基础配置的示例： ```java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/api/public").permitAll() // 允许所有人访问公共API .antMatchers("/api/**").authenticated() // 需要认证才能访问其他API .and() .formLogin().disable() // 关闭默认的表单登录 .httpBasic().disable(); // 关闭HTTP Basic认证 } } ``` 接下来，我们要实现自定义认证。SpringSecurity支持多种认证方式，这里我们将使用JWT来处理。我们需要创建一个`UserDetailsService`实现，用于从数据库或其他数据源加载用户信息。然后，创建一个`AuthenticationProvider`，在其中处理JWT的生成和验证。这通常涉及到一个密钥（secret key），用于对JWT进行签名和验证。 ```java @Service public class JwtUserDetailsService implements UserDetailsService { // 实现加载用户信息的方法 } @Component public class JwtAuthenticationProvider implements AuthenticationProvider { private final JwtUserDetailsService userDetailsService; private final String secretKey; // 实现authenticate方法，生成或验证JWT } ``` 集成JWT到SpringSecurity中。我们需要定义一个过滤器，检查每个请求的Authorization头，并从中提取JWT。如果JWT有效，我们将创建一个`Authentication`对象并将其放入SecurityContextHolder，使得SpringSecurity可以使用这个信息进行授权。 ```java @Component public class JwtRequestFilter extends OncePerRequestFilter { private final JwtAuthenticationProvider authenticationProvider; private final String secretKey; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { // 检查请求头并处理JWT } } ``` 完成上述步骤后，你的SpringBoot应用就已经成功地集成了SpringSecurity和JWT。现在，每当用户通过正确的凭证登录时，系统将返回一个JWT，用户在后续的API调用中需要附带此JWT以证明其身份。这种方式避免了频繁的数据库查询，提高了系统的性能。总结来说，SpringSecurity集成JWT涉及以下几个关键步骤：配置SpringSecurity的基本规则、实现自定义的用户服务和认证提供者、以及创建JWT过滤器处理请求。这样的组合提供了高效、安全的身份验证和授权机制，尤其适用于RESTful API的场景。在实际项目中，你可能还需要考虑刷新JWT、处理JWT过期等问题，以提供更完善的用户体验。

资源推荐

资源详情

资源评论

收起资源包目录

boot-business1.zip （19个子文件）

boot-business1

pom.xml 2KB

boot-business-security

pom.xml 3KB

src

main

resources

application.yml 184B

java

com

qiangesoft

security

SecurityApplication.java 417B

handler

CustomAuthenticationSuccessHandler.java 2KB

CustomAuthenticationFailHandler.java 2KB

CustomLogoutSuccessHandler.java 1KB

controller

TestController.java 2KB

utils

JwtUtil.java 2KB

point

CustomAuthenticationEntryPoint.java 1KB

pojo

ResultVO.java 1KB

service

CustomUserDetailsService.java 1KB

CustomUserDetails.java 2KB

filter

TokenFilter.java 2KB

CaptchaFilter.java 1KB

exception

CaptchaException.java 433B

TokenException.java 423B

access

CustomAccessDeniedHandler.java 1KB

config

WebSecurityConfig.java 5KB

package com.qiangesoft.security.config; import com.qiangesoft.security.access.CustomAccessDeniedHandler; import com.qiangesoft.security.filter.CaptchaFilter; import com.qiangesoft.security.filter.TokenFilter; import com.qiangesoft.security.handler.CustomAuthenticationFailHandler; import com.qiangesoft.security.handler.CustomAuthenticationSuccessHandler; import com.qiangesoft.security.handler.CustomLogoutSuccessHandler; import com.qiangesoft.security.point.CustomAuthenticationEntryPoint; import com.qiangesoft.security.service.CustomUserDetailsService; import com.qiangesoft.security.utils.JwtUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; /** * 配置类 * * @author qiangesoft * @date 2024-05-14 */ @EnableWebSecurity // 开启方法级安全验证 @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler; @Autowired private CustomAuthenticationFailHandler customAuthenticationFailHandler; @Autowired private CustomLogoutSuccessHandler customLogoutSuccessHandler; @Autowired private CustomAccessDeniedHandler customAccessDeniedHandler; @Autowired private CustomAuthenticationEntryPoint customAuthenticationEntryPoint; @Autowired private CaptchaFilter captchaFilter; @Autowired private JwtUtil jwtUtil; @Bean protected UserDetailsService userDetailsService() { return new CustomUserDetailsService(); } @Bean public TokenFilter tokenFilter() throws Exception { return new TokenFilter(authenticationManager(), userDetailsService(), jwtUtil); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .userDetailsService(userDetailsService()) .passwordEncoder(passwordEncoder()); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity http) throws Exception { http // 禁用csrf .csrf().disable() // 禁用session .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // 接口授权 .and() .authorizeRequests() .antMatchers( HttpMethod.GET, "/", "/captcha", "/static/**", "/templates/**", "/favicon.ico" ).permitAll() .antMatchers(HttpMethod.POST, "/login").permitAll() .anyRequest().authenticated() // 登录逻辑 .and() .formLogin() .successHandler(customAuthenticationSuccessHandler) .failureHandler(customAuthenticationFailHandler) // 退出逻辑 .and() .logout() .logoutSuccessHandler(customLogoutSuccessHandler) // 验证账号密码之前执行 .and() .addFilter(tokenFilter()) .addFilterBefore(captchaFilter, UsernamePasswordAuthenticationFilter.class) // 异常处理器 .exceptionHandling() .authenticationEntryPoint(customAuthenticationEntryPoint) .accessDeniedHandler(customAccessDeniedHandler) // 禁用缓存 .and() .headers().cacheControl(); } }

评论收藏

内容反馈