Spring Security怎么使用JWT来验证用户的身份和权限

时间: 2024-02-22 15:49:34 浏览: 144

SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证

4星 · 用户满意度95%

Spring Security可以使用JWT（JSON Web Token）来验证用户的身份和权限。 1.添加JWT依赖项：在pom.xml文件中添加以下依赖项： ``` <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> ``` 2.创建JWT工具类：创建一个JWT工具类来生成和验证JWT。 ``` import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.User; import org.springframework.stereotype.Component; import java.util.Date; @Component public class JwtUtils { private final String JWT_SECRET = "mysecretkey"; private final int JWT_EXPIRATION_MS = 86400000; public String generateJwtToken(Authentication authentication) { User user = (User) authentication.getPrincipal(); return Jwts.builder() .setSubject((user.getUsername())) .setIssuedAt(new Date()) .setExpiration(new Date((new Date()).getTime() + JWT_EXPIRATION_MS)) .signWith(SignatureAlgorithm.HS512, JWT_SECRET) .compact(); } public boolean validateJwtToken(String authToken) { try { Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(authToken); return true; } catch (Exception e) { e.printStackTrace(); } return false; } public String getUsernameFromJwtToken(String token) { return Jwts.parser() .setSigningKey(JWT_SECRET) .parseClaimsJws(token) .getBody().getSubject(); } } ``` 3.创建JWT过滤器：创建一个JWT过滤器来验证JWT并设置用户的身份和权限。 ``` import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; import com.example.demo.security.services.UserDetailsServiceImpl; import io.jsonwebtoken.ExpiredJwtException; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; @Component public class JwtAuthTokenFilter extends OncePerRequestFilter { @Autowired private JwtUtils jwtUtils; @Autowired private UserDetailsServiceImpl userDetailsService; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { try { String jwt = parseJwt(request); if (jwt != null && jwtUtils.validateJwtToken(jwt)) { String username = jwtUtils.getUsernameFromJwtToken(jwt); UserDetails userDetails = userDetailsService.loadUserByUsername(username); UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); SecurityContextHolder.getContext().setAuthentication(authentication); } } catch (ExpiredJwtException e) { logger.error("JWT token is expired: {}", e.getMessage()); } catch (Exception e) { logger.error("Cannot set user authentication: {}", e.getMessage()); } chain.doFilter(request, response); } private String parseJwt(HttpServletRequest request) { String headerAuth = request.getHeader("Authorization"); if (headerAuth != null && headerAuth.startsWith("Bearer ")) { return headerAuth.substring(7, headerAuth.length()); } return null; } } ``` 4.配置Spring Security：在Spring Security配置中添加JWT过滤器。 ``` import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import com.example.demo.security.jwt.JwtAuthTokenFilter; import com.example.demo.security.services.UserDetailsServiceImpl; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity( // securedEnabled = true, // jsr250Enabled = true, prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private JwtAuthTokenFilter jwtAuthTokenFilter; @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private BCryptPasswordEncoder bCryptPasswordEncoder; @Bean public DaoAuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); authProvider.setUserDetailsService(userDetailsService); authProvider.setPasswordEncoder(bCryptPasswordEncoder); return authProvider; } @Override public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception { authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public BCryptPasswordEncoder bCryptPasswordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers("/api/auth/**").permitAll() .anyRequest().authenticated(); http.addFilterBefore(jwtAuthTokenFilter, UsernamePasswordAuthenticationFilter.class); } } ``` 现在，Spring Security将使用JWT来验证用户的身份和权限。您可以在需要身份验证和授权的端点上使用Spring Security注释，例如@PreAuthorize和@PostAuthorize。

阅读全文

Spring Security怎么使用JWT来验证用户的身份和权限

相关推荐

Springboot+SpringSecurity+JWT实现用户登录和权限认证示例

jwt + spring security 登陆验证和权限管理

Spring Security使用JWT来验证用户的身份和权限

springboot整合springsecurity、jwt权限验证

spring-security-jwt-guide:从零入门 ！Spring Security With JWT（含权限验证）后端部分代码

Spring Security整合JWT权限验证实战教程

Spring Boot与Spring Security及JWT的权限验证整合教程

SpringBoot整合Spring Security与JWT实现用户权限管理

Spring Boot项目中使用Spring Security和JWT进行权限与认证

微信小程序使用springsecurity和jwt实现权限验证

微信小程序获取openid使用springsecurity和jwt实现权限验证过程和代码实现

微信小程序使用springsecurity和jwt实现权限验证java代码

Spring security和jwt实现用户身份的认证授权、鉴权业务流程

spring security和jwt

springsecurity 和jwt

Spring Security和jwt

sanic-jwt:Sanic的身份验证，JWT和权限范围

SpringBoot使用JWT实现登录验证的方法示例

SpringBoot 使用jwt进行身份验证的方法示例

最新推荐

Springboot+SpringSecurity+JWT实现用户登录和权限认证示例

SpringBoot+Spring Security+JWT实现RESTful Api权限控制的方法

SpringBoot集成SpringSecurity和JWT做登陆鉴权的实现

Spring Security OAuth过期的解决方法

详解Spring Security的formLogin登录认证模式

高清艺术文字图标资源，PNG和ICO格式免费下载

管理建模和仿真的文件

DMA技术：绕过CPU实现高效数据传输

SGM8701电压比较器如何在低功耗电池供电系统中实现高效率运作？

mui框架HTML5应用界面组件使用示例教程

spring-security-jwt-guide:从零入门！Spring Security With JWT（含权限验证）后端部分代码