热门标签
热门文章
- 1程序人生:新媒体运营毅然转行测试涨薪3k,我的入行秘籍是什么..._java转测试还是新媒体运营
- 2媒体梦工厂AI智聊:轻松提升工作效率的智能助手
- 3Java面试题总结(1-111)_java: 方法不会覆盖或实现超类型的方法且函数名变灰色
- 4结构设计到项目管理:工程师是怎么练成的._冰箱结构工程师项目经验怎么写
- 5为大模型而生!顶流大佬发起成立学术会议 COLM,或成为未来 NLP 最强顶会?!_如何看待 colm 顶会
- 6Java【动态规划】图文详解 “路径问题模型“ , 教你手撕动态规划_java 动态规划
- 7让 macOS 终端走代理的四种方法_mac 终端不能访问代理
- 8RabbitMQ集群搭建详细介绍以及解决搭建过程中的各种问题 + 配置镜像队列——实操型
- 9Oracle中的plsql编程_oracle plsql编程
- 10基于Springboot+Vue的Java项目-大学生租房平台系统(附演示视频+源码+LW)
当前位置: article > 正文
【springboot】整合JWT+spring-security_springboot整合security+jwt
作者:Gausst松鼠会 | 2024-04-28 01:36:01
赞
踩
springboot整合security+jwt
在Spring Boot应用中整合Spring Security和JSON Web Tokens (JWT) 以实现无状态的身份验证,通常涉及以下步骤:
-
添加依赖:
在您的pom.xml(Maven)或build.gradle(Gradle)文件中添加Spring Security和JWT所需的依赖。例如,使用jjwt库来生成和解析JWT令牌:Maven:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>最新版本号</version> </dependency>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
Gradle:
implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'io.jsonwebtoken:jjwt:最新版本号'- 1
- 2
-
配置Spring Security:
创建一个配置类,继承WebSecurityConfigurerAdapter并覆盖configure(HttpSecurity http)方法来配置安全规则,例如,启用JWT验证:import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${app.jwt.secret}") private String jwtSecret; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.POST, "/login").permitAll() .anyRequest().authenticated() .and() .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED)) .and() .addFilterBefore(new JWTAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } // JWT 相关类,如 JWTAuthenticationFilter 和 JWTAuthorizationFilter // ... }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
-
创建JWT过滤器:
创建JWT过滤器,如JWTAuthenticationFilter用于处理登录请求并生成JWT,JWTAuthorizationFilter用于验证请求头中的JWT并建立认证。public class JWTAuthenticationFilter extends OncePerRequestFilter { private final AuthenticationManager authenticationManager; public JWTAuthenticationFilter(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { // 从登录请求中提取用户名和密码,执行身份验证 // ... // 成功后,生成JWT并返回给客户端 String token = Jwts.builder() .setSubject(principal.getUsername()) .setExpiration(Date.from(Instant.now().plus(Duration.ofMinutes(30))) // 设置有效期 .signWith(SignatureAlgorithm.HS512, jwtSecret.getBytes()) // 使用密钥签名 .compact(); // 返回JWT至客户端 } } public class JWTAuthorizationFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { // 从请求头中提取JWT String token = getTokenFromRequest(request); if (token != null && JWTUtil.validateToken(token, jwtSecret)) { // 自定义JWTUtil类验证JWT有效性 // 解析JWT获取用户名并建立身份认证 // ... } else { // 无效或缺失的JWT,可选择跳转至登录页或返回错误信息 } chain.doFilter(request, response); } private String getTokenFromRequest(HttpServletRequest request) { // 从请求头 Authorization 中提取Bearer类型的JWT // ... } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
-
实现UserDetailsService接口:
实现UserDetailsService接口以从数据库或其他存储中加载用户详细信息。 -
配置JWT密钥和过期时间:
在application.properties或application.yml中配置JWT密钥和过期时间。app.jwt.secret=your_jwt_secret_key_here- 1
通过上述步骤,您将在Spring Boot应用中整合了Spring Security和JWT,实现无状态的身份验证机制。请注意,以上代码片段仅供参考,实际开发中请根据您的需求和环境进行适当调整。
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/Gausst松鼠会/article/detail/499759
推荐阅读
相关标签
