Concrete code for integrating Spring Security with JWT
Time: 2023-08-24 10:04:58 Views: 48
Spring Security is a powerful framework that protects an application against a range of attacks, and JWT is a lightweight mechanism for authentication and authorization. Combining them gives a stateless, token-based way to protect the application.
Below is example code that integrates Spring Security with JWT:
1. Add dependencies
Add the following dependencies to pom.xml:
```
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- jjwt 0.9.1 uses javax.xml.bind internally; on Java 9 or later add a jaxb-api dependency as well -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
```
2. Create the JWT utility class
Create a utility class that issues and parses JWT tokens. A simple implementation:
```
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.util.Date;

public class JwtUtil {
    // Placeholder only: a real deployment must load a long, random secret from configuration
    // (HS256 should be keyed with at least 256 bits), never a hard-coded string like this one.
    private static final String SECRET_KEY = "secret";
    private static final long EXPIRATION_MILLIS = 3600000; // 1 hour

    /** Issue a signed token whose subject is the authenticated username. */
    public static String createToken(String username) {
        Date now = new Date();
        Date expiration = new Date(now.getTime() + EXPIRATION_MILLIS);
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(expiration)
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    /** Read the subject; parseClaimsJws verifies the signature and expiry first and throws on failure. */
    public static String getUsernameFromToken(String token) {
        return Jwts.parser()
                .setSigningKey(SECRET_KEY)
                .parseClaimsJws(token)
                .getBody()
                .getSubject();
    }

    /** True only if the signature verifies and the token has not expired. */
    public static boolean validateToken(String token) {
        try {
            Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token);
            return true;
        } catch (JwtException | IllegalArgumentException e) {
            return false;
        }
    }
}
```
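A hardened variant of the utility above, added here as an example and not part of the original answer: the HS256 key is a 32-byte value supplied from configuration instead of the literal `"secret"`, every token carries an issuer that the parser requires, verification tolerates a small clock skew, and one call both verifies and reads the token instead of parsing it twice. The class name HardenedJwtUtil, the issuer `demo-app` and the 30-second skew are assumptions; the API is that of jjwt 0.9.1 from step 1 (which on Java 9 or later also needs jaxb-api). The main method exercises the checks against a token whose payload was altered after signing, a token signed under a different key and an expired token.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;

/** Hardened variant of JwtUtil (added example; class name and issuer are assumptions). */
public class HardenedJwtUtil {
    private static final String ISSUER = "demo-app";           // assumed issuer name for this example
    private static final long DEFAULT_TTL_MILLIS = 3_600_000L; // 1 hour, as in the original
    private static final long CLOCK_SKEW_SECONDS = 30;         // tolerate small clock differences between servers

    private final Key key;

    /** The secret must come from configuration and be at least 256 bits (32 bytes) for HS256. */
    public HardenedJwtUtil(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("HS256 key must be at least 32 random bytes");
        }
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    public String createToken(String username) {
        return createToken(username, DEFAULT_TTL_MILLIS);
    }

    /** ttlMillis may be negative to mint an already-expired token for testing. */
    public String createToken(String username, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuer(ISSUER)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(SignatureAlgorithm.HS256, key)
                .compact();
    }

    /**
     * Returns the subject if the signature verifies, the issuer matches and the token is unexpired
     * (within the allowed skew); otherwise returns null. One parse replaces the validate-then-parse
     * pair in JwtUtil, which parses the token twice.
     */
    public String verifyAndGetSubject(String token) {
        try {
            Claims claims = Jwts.parser()
                    .setSigningKey(key)
                    .requireIssuer(ISSUER)
                    .setAllowedClockSkewSeconds(CLOCK_SKEW_SECONDS)
                    .parseClaimsJws(token) // rejects unsigned and badly signed tokens
                    .getBody();
            return claims.getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed for the demo; in production read it from config
        HardenedJwtUtil util = new HardenedJwtUtil(secret);

        String good = util.createToken("alice");
        System.out.println("valid token    -> " + util.verifyAndGetSubject(good));

        // Payload edited after signing: the signature no longer covers it, so verification fails.
        String[] parts = good.split("\\.");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        String edited = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(payload.replace("alice", "bob").getBytes(StandardCharsets.UTF_8));
        System.out.println("edited payload -> " + util.verifyAndGetSubject(parts[0] + "." + edited + "." + parts[2]));

        // Token signed under a different key (all-zero bytes, constructed for the demo only).
        HardenedJwtUtil otherKey = new HardenedJwtUtil(new byte[32]);
        System.out.println("other key      -> " + util.verifyAndGetSubject(otherKey.createToken("alice")));

        // Token that expired two minutes ago lies outside the 30 s skew window.
        System.out.println("expired        -> " + util.verifyAndGetSubject(util.createToken("alice", -120_000L)));
    }
}
```

Only the first call yields a subject; the edited, foreign-key and expired tokens all come back as null, which is the behaviour the filter in step 5 relies on when it decides whether to populate the SecurityContext. Returning null rather than throwing keeps the filter's control flow simple, and logging the caught exception's class at debug level is a reasonable addition for troubleshooting.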
3. Create the user service
Create a user service that loads user information from the database. Here we assume the user data is stored in a User entity and that UserRepository is a repository whose findByUsername returns an Optional<User>.
```
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;

@Service
public class UserService implements UserDetailsService {
    private final UserRepository userRepository; // e.g. a Spring Data repository; findByUsername returns Optional<User>

    public UserService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found with username: " + username));
        // Fully qualified to avoid clashing with the application's own User entity. The stored password
        // must already be a BCrypt hash so that it matches the PasswordEncoder configured in step 4.
        return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(),
                new ArrayList<>()); // no authorities are assigned in this minimal example
    }
}
```
4. Create the security configuration
Create a security configuration class that wires Spring Security to the user service and the JWT filter. A simple implementation:
```
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // Spring Security 5.x style
    private final UserService userService;

    public SecurityConfig(UserService userService) {
        this.userService = userService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Expose the AuthenticationManager as a bean so the login controller can inject it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection can be disabled because the API is stateless and authenticates with a
        // bearer header rather than a cookie; no session ever carries the authentication.
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // Run the JWT filter before the form-login filter so the SecurityContext is populated
        // before any authorization decision is made.
        http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    public JwtTokenFilter jwtTokenFilter() {
        // The filter needs the UserService; the original called a no-argument constructor that does not exist.
        return new JwtTokenFilter(userService);
    }
}
```
5. Create the JWT filter
Create a filter that extracts the JWT from the request's Authorization header, verifies it and establishes the user's identity for the rest of the request. A simple implementation:
```
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtTokenFilter extends OncePerRequestFilter {
    private final UserService userService;

    public JwtTokenFilter(UserService userService) {
        this.userService = userService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring(7);
            if (JwtUtil.validateToken(token)) {
                String username = JwtUtil.getUsernameFromToken(token);
                try {
                    // Re-load the user on every request so a deleted or changed account
                    // stops being honoured even while its token is still unexpired.
                    UserDetails userDetails = userService.loadUserByUsername(username);
                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                            userDetails, null, userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                } catch (UsernameNotFoundException e) {
                    // Leave the context empty; the request is then rejected as unauthenticated downstream.
                }
            }
        }
        // A missing or invalid token is not an error here: the request continues unauthenticated.
        chain.doFilter(request, response);
    }
}
```
6. Create the login controller
Create a controller that authenticates the submitted credentials and issues a JWT. LoginForm is a plain request DTO with getUsername() and getPassword() (not shown). A simple implementation:
```
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LoginController {
    private final AuthenticationManager authenticationManager; // the bean exposed by SecurityConfig

    public LoginController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @PostMapping("/login")
    public ResponseEntity<String> login(@RequestBody LoginForm loginForm) {
        try {
            Authentication authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginForm.getUsername(), loginForm.getPassword()));
            SecurityContextHolder.getContext().setAuthentication(authentication);
            String token = JwtUtil.createToken(loginForm.getUsername());
            return ResponseEntity.ok(token);
        } catch (AuthenticationException e) {
            // Same response for an unknown user and a wrong password, so the reply reveals neither.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
    }
}
```
This completes the integration of Spring Security and JWT. After a user logs in, the JWT is what protects the application: every subsequent request to a protected endpoint must present it in the Authorization header as a bearer token, and the filter from step 5 rejects anything that fails verification.