springboot?security使用jwt認證方式
更新時間:2025年04月01日 08:42:18 作者:不識君的荒漠
這篇文章主要介紹了springboot?security使用jwt認證方式,具有很好的參考價值,希望對大家有所幫助,如有錯誤或未考慮完全的地方,望不吝賜教
前言
在前面的幾篇文章中:
- spring boot security快速使用示例
- spring boot security之前后端分離配置
- spring boot security自定義認證
- spring boot security驗證碼登錄示例
基本對常用的基于cookie和session的認證使用場景都已覆蓋。但是session屬于有狀態(tài)認證,本文給出一個無狀態(tài)的認證:jwt認證示例。
代碼示例
下面會提供完整的示例代碼:
依賴
使用的spring boot 2.6.11版本,jdk8。
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <version>1.18.20</version> <scope>provided</scope> </dependency> <dependency> <groupId>com.github.penggle</groupId> <artifactId>kaptcha</artifactId> <version>2.3.2</version> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency>
定義mapper
定義一個查詢用戶信息的接口:
@Component public class UserMapper { public User select(String username) { return new User(username, "pass"); } }
定義用戶信息的實體bean
@Data public class User { private String username; private String password; private String captcha; public User() { } public User(String username, String password) { this.username = username; this.password = password; } public User(String username, String password, String captcha) { this.username = username; this.password = password; this.captcha = captcha; } }
security相關的類
- 實現spring security內置的UserDetailsService接口,根據用戶名返回用戶信息:
@Slf4j @Component public class UserDetailsServiceImpl implements UserDetailsService { public static final UserDetails INVALID_USER = new org.springframework.security.core.userdetails.User("invalid_user", "invalid_password", Collections.emptyList()); private final UserMapper userMapper; public UserDetailsServiceImpl(UserMapper userMapper) { this.userMapper = userMapper; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { // 根據用戶名從數據庫查詢用戶信息 User user = userMapper.select(username); if (user == null) { /** * 如果沒查詢到這個用戶,考慮兩種選擇: * 1. 返回一個標記無效用戶的常量對象 * 2. 返回一個不可能認證通過的用戶 */ return INVALID_USER; // return new User(username, System.currentTimeMillis() + UUID.randomUUID().toString(), Collections.emptyList()); } /** * 這里返回的用戶密碼是否為庫里保存的密碼,是明文/密文,取決于認證時密碼比對部分的實現,每個人的場景不一樣, * 因為使用的是不加密的PasswordEncoder,所以可以返回明文 */ return new org.springframework.security.core.userdetails.User(username, user.getPassword(), Collections.emptyList()); } }
- 定義jwt工具類
public class JwtUtil { public static final String SECRET = TextCodec.BASE64.encode("secret"); public static final long EXPIRE_SECONDS = 3600L; /** * 從token中解析出用戶名 */ public static String getUsernameFromToken(String token) { return getClaimFromToken(token, Claims::getSubject); } /** * 從token中獲取過期時間 */ public static Date getExpirationDateFromToken(String token) { return getClaimFromToken(token, Claims::getExpiration); } /** * 解析出token聲明. */ public static <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) { final Claims claims = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody(); return claimsResolver.apply(claims); } /** * token是否過期 */ public static Boolean isTokenExpired(String token) { final Date expiration = getExpirationDateFromToken(token); return expiration.before(new Date()); } /** * 生成token */ public static String generateToken(UserDetails userDetails) { Map<String, Object> claims = new HashMap<>(); return doGenerateToken(claims, userDetails.getUsername()); } /** * token是否合法. */ public static Boolean isValidateToken(String token, UserDetails userDetails) { final String username = getUsernameFromToken(token); return (username.equals(userDetails.getUsername()) && !isTokenExpired(token)); } private static String doGenerateToken(Map<String, Object> claims, String subject) { return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis())) .setExpiration(new Date(System.currentTimeMillis() + EXPIRE_SECONDS * 1000)) .signWith(SignatureAlgorithm.HS512, SECRET).compact(); } }
- 定義jwt認證的過濾器
@Slf4j @Component public class JwtRequestFilter extends OncePerRequestFilter { private final UserDetailsService userDetailsService; public JwtRequestFilter(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { final String requestTokenHeader = request.getHeader(HttpHeaders.AUTHORIZATION); String username = null; String jwtToken = null; if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) { jwtToken = requestTokenHeader.substring(7); try { username = JwtUtil.getUsernameFromToken(jwtToken); } catch (Exception e) { log.error("獲取token失敗: {}, {}", jwtToken, e.getMessage()); } } if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { // 根據用戶名加載用戶信息 UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); // 判斷token是否有效 if (JwtUtil.isValidateToken(jwtToken, userDetails)) { UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken( userDetails, null, userDetails.getAuthorities()); usernamePasswordAuthenticationToken .setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken); } } chain.doFilter(request, response); } }
- 注冊相關bean到spring容器
@Configuration public class WebConfiguration { @Bean public PasswordEncoder passwordEncoder() { // 示例,不對密碼進行加密處理 return NoOpPasswordEncoder.getInstance(); } @Bean public AuthenticationManager authenticationManager(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) { DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); // 設置加載用戶信息的類 provider.setUserDetailsService(userDetailsService); // 比較用戶密碼的時候,密碼加密方式 provider.setPasswordEncoder(passwordEncoder); return new ProviderManager(Arrays.asList(provider)); } @Bean public Producer defaultKaptcha() { Properties properties = new Properties(); // 還有一些其它屬性,可以進行源碼自己看相關配置,比較清楚了,根據變量名也能猜出來什么意思了 properties.setProperty(Constants.KAPTCHA_IMAGE_WIDTH, "150"); properties.setProperty(Constants.KAPTCHA_IMAGE_HEIGHT, "50"); properties.setProperty(Constants.KAPTCHA_TEXTPRODUCER_CHAR_STRING, "0123456789abcdefghigklmnopqrstuvwxyz"); properties.setProperty(Constants.KAPTCHA_TEXTPRODUCER_CHAR_LENGTH, "4"); Config config = new Config(properties); DefaultKaptcha defaultKaptcha = new DefaultKaptcha(); defaultKaptcha.setConfig(config); return defaultKaptcha; } }
- 自定義 WebSecurityConfigurer
@Component public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter { private final JwtRequestFilter jwtRequestFilter; public WebSecurityConfigurer(JwtRequestFilter jwtRequestFilter) { this.jwtRequestFilter = jwtRequestFilter; } @Override protected void configure(HttpSecurity http) throws Exception { // 在這里自定義配置 http.authorizeRequests() // 登錄相關接口都允許訪問 .antMatchers("/login/**").permitAll() .anyRequest() .authenticated() .and() .exceptionHandling() // 認證失敗返回401狀態(tài)碼,前端頁面可以根據401狀態(tài)碼跳轉到登錄頁面 .authenticationEntryPoint((request, response, authException) -> response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase())) .and().cors() // csrf是否決定禁用,請自行考量 .and().csrf().disable() // 采用http 的基本認證. .httpBasic() // 設置session是無關的 .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); } }
提供登錄接口
@RequestMapping("/login") @RestController public class LoginController { private final AuthenticationManager authenticationManager; private final Producer producer; public LoginController(AuthenticationManager authenticationManager, Producer producer) { this.authenticationManager = authenticationManager; this.producer = producer; } @PostMapping() public Object login(@RequestBody User user, HttpSession session) { Object captcha = session.getAttribute(Constants.KAPTCHA_SESSION_KEY); if (captcha == null || !captcha.toString().equalsIgnoreCase(user.getCaptcha())) { return "captcha is not correct."; } try { // 使用定義的AuthenticationManager進行認證處理 Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword())); // 認證通過,設置到當前上下文,如果當前認證過程后續(xù)還有處理的邏輯需要的話。這個示例是沒有必要了 SecurityContextHolder.getContext().setAuthentication(authenticate); String token = JwtUtil.generateToken((UserDetails) authenticate.getPrincipal()); return token; } catch (Exception e) { return "login failed"; } } /** * 獲取驗證碼,需要的話,可以提供一個驗證碼獲取的接口,在上面的login里把驗證碼傳進來進行比對 */ @GetMapping("/captcha") public void captcha(HttpServletResponse response, HttpSession session) throws IOException { response.setContentType("image/jpeg"); String text = producer.createText(); session.setAttribute(Constants.KAPTCHA_SESSION_KEY, text); BufferedImage image = producer.createImage(text); try (ServletOutputStream out = response.getOutputStream()) { ImageIO.write(image, "jpg", out); } } }
測試
提供一個用于測試的接口
@RequestMapping("/hello") @RestController public class HelloController { @GetMapping("/world") public Object helloWorld() { return "hello, world"; } }
驗證
- 獲取驗證碼
- 登錄
- 使用登錄的token訪問接口
- 如果沒有token或不正確是訪問受限的
總結
以上為個人經驗,希望能給大家一個參考,也希望大家多多支持腳本之家。
相關文章
SpringBoot @PostConstruct原理用法解析
這篇文章主要介紹了SpringBoot @PostConstruct原理用法解析,文中通過示例代碼介紹的非常詳細,對大家的學習或者工作具有一定的參考學習價值,需要的朋友可以參考下2020-08-08