springboot 集成security jwt redis
时间: 2023-07-22 18:22:53 浏览: 229
Spring Boot 集成 Security、JWT 和 Redis 可以实现基于 Token 的权限认证和会话管理。
首先,需要在 pom.xml 文件中添加相应的依赖:
```xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
```
接下来,在 Spring Boot 的配置文件中添加 Redis 的配置和 JWT 的配置:
```yml
spring:
redis:
host: localhost
port: 6379
password:
database: 0
jwt:
secret: your_secret
expiration: 86400
```
其中,jwt.secret 为 JWT 的密钥,jwt.expiration 为 Token 的有效期。
然后,需要实现一个 Security 的配置类,用于配置 Token 的认证和会话管理:
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Bean
public JwtAuthenticationFilter authenticationTokenFilterBean() throws Exception {
return new JwtAuthenticationFilter();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors().and().csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated();
// 添加 JWT filter
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
}
```
其中,UserDetailsServiceImpl 是自定义的用户详情服务,JwtAuthenticationEntryPoint 是自定义的 Token 无效或过期的处理器,JwtAuthenticationFilter 是自定义的 Token 认证过滤器。
最后,需要实现一个 JWT 的工具类,用于生成 Token 和解析 Token:
```java
@Component
public class JwtTokenUtil {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
return Jwts.builder()
.setClaims(claims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
public String getUsernameFromToken(String token) {
return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody().getSubject();
}
public boolean validateToken(String token, UserDetails userDetails) {
final String username = getUsernameFromToken(token);
return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
}
private Boolean isTokenExpired(String token) {
final Date expiration = getExpirationDateFromToken(token);
return expiration.before(new Date());
}
private Date getExpirationDateFromToken(String token) {
return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody().getExpiration();
}
}
```
在需要进行 Token 认证的控制器中,可以通过 @AuthenticationPrincipal 注解获取当前登录的用户信息:
```java
@RestController
@RequestMapping("/api")
public class UserController {
@Autowired
private UserService userService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@GetMapping("/user/me")
public User getCurrentUser(@AuthenticationPrincipal UserDetails userDetails) {
String username = userDetails.getUsername();
return userService.findByUsername(username);
}
@PostMapping("/auth/login")
public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword())
);
SecurityContextHolder.getContext().setAuthentication(authentication);
String token = jwtTokenUtil.generateToken(authentication.getPrincipal());
return ResponseEntity.ok(new JwtAuthenticationResponse(token));
}
}
```
以上就是 Spring Boot 集成 Security、JWT 和 Redis 的基本配置和使用方式。
阅读全文