热门标签
热门文章
- 1iOS14升级后企业级安装失败_ios14企业级描述文件失败
- 22024年成功入职字节,25K小哥甩出的超详细面试总结,我就不信你还参透不了重点(1)_2024字节社招面试算法题
- 3双向链表中插入元素的几种方式_双向链表插入
- 4软件项目-1.5_逐层剖析系统开发的三层架构(经典)_软件项目1.5 三层
- 5如何训练一个大语言模型(LLMs)
- 6【GNSS】常见的GNSS免费软件和开源软件(持续更新)_gnss 形变监测开源软件
- 7STM32之HAL开发——FSMC(灵活静态存储控制器)
- 8Docker overview_docker start --checkpoint looper2 looper2
- 9生产环境部署NodeJs最佳实践
- 10onlyoffice7.5.1基础环境搭建+部署+demo可直接运行 最简单的入门_only office独立部署
当前位置: article > 正文
【springboot】整合JWT+spring-security_springboot整合security+jwt
作者:Gausst松鼠会 | 2024-04-28 01:36:01
赞
踩
springboot整合security+jwt
在Spring Boot应用中整合Spring Security和JSON Web Tokens (JWT) 以实现无状态的身份验证,通常涉及以下步骤:
-
添加依赖:
在您的pom.xml(Maven)或build.gradle(Gradle)文件中添加Spring Security和JWT所需的依赖。例如,使用jjwt库来生成和解析JWT令牌:Maven:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>最新版本号</version> </dependency>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
Gradle:
implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'io.jsonwebtoken:jjwt:最新版本号'- 1
- 2
-
配置Spring Security:
创建一个配置类,继承WebSecurityConfigurerAdapter并覆盖configure(HttpSecurity http)方法来配置安全规则,例如,启用JWT验证:import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${app.jwt.secret}") private String jwtSecret; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.POST, "/login").permitAll() .anyRequest().authenticated() .and() .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED)) .and() .addFilterBefore(new JWTAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } // JWT 相关类,如 JWTAuthenticationFilter 和 JWTAuthorizationFilter // ... }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
-
创建JWT过滤器:
创建JWT过滤器,如JWTAuthenticationFilter用于处理登录请求并生成JWT,JWTAuthorizationFilter用于验证请求头中的JWT并建立认证。public class JWTAuthenticationFilter extends OncePerRequestFilter { private final AuthenticationManager authenticationManager; public JWTAuthenticationFilter(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { // 从登录请求中提取用户名和密码,执行身份验证 // ... // 成功后,生成JWT并返回给客户端 String token = Jwts.builder() .setSubject(principal.getUsername()) .setExpiration(Date.from(Instant.now().plus(Duration.ofMinutes(30))) // 设置有效期 .signWith(SignatureAlgorithm.HS512, jwtSecret.getBytes()) // 使用密钥签名 .compact(); // 返回JWT至客户端 } } public class JWTAuthorizationFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { // 从请求头中提取JWT String token = getTokenFromRequest(request); if (token != null && JWTUtil.validateToken(token, jwtSecret)) { // 自定义JWTUtil类验证JWT有效性 // 解析JWT获取用户名并建立身份认证 // ... } else { // 无效或缺失的JWT,可选择跳转至登录页或返回错误信息 } chain.doFilter(request, response); } private String getTokenFromRequest(HttpServletRequest request) { // 从请求头 Authorization 中提取Bearer类型的JWT // ... } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
-
实现UserDetailsService接口:
实现UserDetailsService接口以从数据库或其他存储中加载用户详细信息。 -
配置JWT密钥和过期时间:
在application.properties或application.yml中配置JWT密钥和过期时间。app.jwt.secret=your_jwt_secret_key_here- 1
通过上述步骤,您将在Spring Boot应用中整合了Spring Security和JWT,实现无状态的身份验证机制。请注意,以上代码片段仅供参考,实际开发中请根据您的需求和环境进行适当调整。
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/Gausst松鼠会/article/detail/499759
推荐阅读
相关标签
