if (StringUtils.hasText(token) && token.startsWith("Bearer ")) { return token.substring(7); // 去除 "Bearer " 前缀 }这个是干嘛
时间: 2024-04-14 07:31:24 浏览: 18
这段代码是用于在请求中提取 JWT(JSON Web Token)的内容,并去除 JWT 前缀 "Bearer "。
首先,通过调用 `StringUtils.hasText(token)`,判断 `token` 是否为非空且不为纯空格的字符串。
接着,通过调用 `token.startsWith("Bearer ")` 来检查 `token` 是否以 "Bearer " 作为前缀。JWT 的标准格式是以 "Bearer " 作为前缀的,例如 "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."。
如果 `token` 非空且以 "Bearer " 作为前缀,则执行 `token.substring(7)`,即去除前缀 "Bearer ",返回除去前缀后的 JWT 内容。
例如,如果 `token` 是 "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",那么经过这段代码处理后,返回的结果将是 "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",即去除了 "Bearer " 前缀。
这段代码的作用是将请求中包含的 JWT 提取出来,并去除前缀,以便后续进行 JWT 的验证或其他处理。
相关问题
用springsecurity写一个登陆过滤器,包含token校验
好的,下面是一个简单的基于Spring Security的登录过滤器示例,包含token校验:
```java
public class TokenAuthenticationFilter extends OncePerRequestFilter {
private final TokenService tokenService;
public TokenAuthenticationFilter(TokenService tokenService) {
this.tokenService = tokenService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String token = getTokenFromRequest(request);
if (StringUtils.hasText(token) && tokenService.validateToken(token)) {
Authentication authentication = tokenService.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(request, response);
}
private String getTokenFromRequest(HttpServletRequest request) {
String bearerToken = request.getHeader("Authorization");
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
return bearerToken.substring(7);
}
return null;
}
}
```
这个过滤器会从请求头中获取token,并通过TokenService进行校验。如果token有效,则将认证信息放入SecurityContextHolder中,否则继续执行过滤器链。
在配置Spring Security时,需要将该过滤器添加到过滤器链中:
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final TokenService tokenService;
public SecurityConfig(TokenService tokenService) {
this.tokenService = tokenService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(new TokenAuthenticationFilter(tokenService), UsernamePasswordAuthenticationFilter.class)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
```
在配置中,我们将TokenAuthenticationFilter添加到了UsernamePasswordAuthenticationFilter之前,并且设置了sessionCreationPolicy为STATELESS,使得每次请求都需要进行认证。
websocket配合spring-security使用token认证
可以通过在Spring Security中配置一个Token认证过滤器来实现基于WebSocket的Token认证。具体步骤如下:
1. 创建一个TokenAuthenticationFilter类,继承自OncePerRequestFilter并实现doFilterInternal方法。该类负责检查请求中是否包含有效的Token,并进行相应的认证处理。
```java
public class TokenAuthenticationFilter extends OncePerRequestFilter {
private final TokenProvider tokenProvider;
public TokenAuthenticationFilter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String token = getTokenFromRequest(request);
if (StringUtils.hasText(token) && tokenProvider.validateToken(token)) {
Authentication authentication = tokenProvider.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(request, response);
}
private String getTokenFromRequest(HttpServletRequest request) {
String bearerToken = request.getHeader("Authorization");
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
return bearerToken.substring(7);
}
return null;
}
}
```
2. 创建一个TokenProvider类,用于生成Token和验证Token的有效性,并根据Token获取用户信息。
```java
@Component
public class TokenProvider {
private static final String SECRET_KEY = "my-secret-key";
private static final long EXPIRATION_TIME = 86400000; // 1 day
public String generateToken(Authentication authentication) {
UserPrincipal principal = (UserPrincipal) authentication.getPrincipal();
Date expirationDate = new Date(System.currentTimeMillis() + EXPIRATION_TIME);
return Jwts.builder()
.setSubject(Long.toString(principal.getId()))
.setIssuedAt(new Date())
.setExpiration(expirationDate)
.signWith(SignatureAlgorithm.HS512, SECRET_KEY)
.compact();
}
public boolean validateToken(String token) {
try {
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token);
return true;
} catch (Exception e) {
return false;
}
}
public Authentication getAuthentication(String token) {
Claims claims = Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
Long userId = Long.parseLong(claims.getSubject());
UserPrincipal principal = new UserPrincipal(userId);
return new UsernamePasswordAuthenticationToken(principal, "", principal.getAuthorities());
}
}
```
3. 在配置类中注册TokenAuthenticationFilter和TokenProvider,并将TokenAuthenticationFilter添加到Spring Security的过滤器链中。
```java
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
@Autowired
private TokenProvider tokenProvider;
@Override
public void configureMessageBroker(MessageBrokerRegistry config) {
config.enableSimpleBroker("/topic");
config.setApplicationDestinationPrefixes("/app");
}
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/ws").setAllowedOriginPatterns("*").withSockJS();
}
@Override
public void configureClientInboundChannel(ChannelRegistration registration) {
registration.interceptors(new ChannelInterceptorAdapter() {
@Override
public Message<?> preSend(Message<?> message, MessageChannel channel) {
StompHeaderAccessor accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
if (StompCommand.CONNECT.equals(accessor.getCommand())) {
String token = accessor.getFirstNativeHeader("Authorization");
if (StringUtils.hasText(token) && token.startsWith("Bearer ")) {
token = token.substring(7);
TokenAuthenticationFilter filter = new TokenAuthenticationFilter(tokenProvider);
SecurityContextHolder.getContext().setAuthentication(filter.getAuthentication(token));
}
}
return message;
}
});
}
@Override
public void configureClientOutboundChannel(ChannelRegistration registration) {
}
@Override
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
}
@Override
public void addReturnValueHandlers(List<HandlerMethodReturnValueHandler> returnValueHandlers) {
}
@Override
public boolean configureMessageConverters(List<MessageConverter> messageConverters) {
return true;
}
@Override
public void configureWebSocketTransport(WebSocketTransportRegistration registry) {
}
@Bean
public TokenAuthenticationFilter tokenAuthenticationFilter() throws Exception {
TokenAuthenticationFilter filter = new TokenAuthenticationFilter(tokenProvider);
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsServiceImpl();
}
}
```
在上述代码中,我们通过重写configureClientInboundChannel方法,在连接到WebSocket时获取请求中的Token,并使用TokenAuthenticationFilter进行认证。注意,我们需要将TokenAuthenticationFilter添加到Spring Security的过滤器链中,以便它能够在WebSocket连接期间对请求进行拦截。
最后,我们需要在客户端的连接请求中添加Authorization头部,以便在服务端进行Token认证。例如:
```javascript
stompClient.connect({},
function(frame) {
console.log('Connected: ' + frame);
stompClient.subscribe('/topic/greetings', function(greeting) {
showGreeting(JSON.parse(greeting.body).content);
});
},
function(error) {
console.log('Error: ' + error);
},
{"Authorization": "Bearer " + token});
```