怎么在SpringBootSecurity中利用JWT授权RestAPI
本篇文章为大家展示了怎么在SpringBoot Security中利用JWT授权RestAPI,内容简明扼要并且容易理解,绝对能使你眼前一亮,通过这篇文章的详细介绍希望你能有所收获。
创新互联自2013年创立以来,是专业互联网技术服务公司,拥有项目网站设计制作、成都做网站网站策划,项目实施与项目整合能力。我们以让每一个梦想脱颖而出为使命,1280元宁乡做网站,已为上家服务,为宁乡各地企业和个人服务,联系电话:18982081108
基础环境
技术 | 版本 |
---|---|
Java | 1.8+ |
SpringBoot | 2.x.x |
Security | 5.x |
JWT | 0.9.0 |
创建项目
初始化项目
mvn archetype:generate -DgroupId=com.edurt.sli.slisj -DartifactId=spring-learn-integration-security-jwt -DarchetypeArtifactId=maven-archetype-quickstart -Dversion=1.0.0 -DinteractiveMode=false
修改pom.xml增加security和jwt的支持
spring-learn-integration-security com.edurt.sli 1.0.0 4.0.0 spring-learn-integration-security-jwt SpringBoot Security整合JWT授权RestAPI 1.8 3.3 2.0.3.RELEASE 1.18.6 0.9.0 2.9.9 org.springframework.boot spring-boot-starter-web ${dependency.springboot2.common.version} org.springframework.boot spring-boot-starter-security ${dependency.springboot2.common.version} io.jsonwebtoken jjwt ${dependency.jwt.version} org.projectlombok lombok ${dependency.lombok.version} com.fasterxml.jackson.core jackson-databind ${dependency.jackson.version} org.springframework.boot spring-boot-maven-plugin ${dependency.springboot2.common.version} true org.apache.maven.plugins maven-compiler-plugin ${plugin.maven.compiler.version} ${system.java.version}
spring-boot-starter-security启动spring security安全框架
jjwt启动spring security jwt框架支持
一个简单的应用类
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.stereotype.Component; /** *
SpringBootSecurityJwtIntegration
*Description : SpringBootSecurityJwtIntegration
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:45
*Author Email: qianmoQ
*/ @SpringBootApplication @Component(value = "com.edurt.sli.slisj") public class SpringBootSecurityJwtIntegration { public static void main(String[] args) { SpringApplication.run(SpringBootSecurityJwtIntegration.class, args); } }
配置 JWT
在/src/main/java/com/edurt/sli/slisj目录下创建config目录,并在该目录下新建jwt目录,在该目录下新建JwtTokenTemplate工具模板
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.config.jwt; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Component; import java.io.Serializable; import java.time.Instant; import java.util.Date; import java.util.HashMap; import java.util.Map; /** *
JwtTokenTemplate
*Description : JwtTokenTemplate
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:49
*Author Email: qianmoQ
*/ @Component public class JwtTokenTemplate implements Serializable { private static final String CLAIM_KEY_USERNAME = "sub"; private static final long EXPIRATION_TIME = 432000000; private static final String SECRET = "secret"; public String generateToken(UserDetails userDetails) { Mapclaims = new HashMap<>(16); claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername()); return Jwts.builder() .setClaims(claims) .setExpiration(new Date(Instant.now().toEpochMilli() + EXPIRATION_TIME)) .signWith(SignatureAlgorithm.HS512, SECRET) .compact(); } public Boolean validateToken(String token, UserDetails userDetails) { User user = (User) userDetails; String username = getUsernameFromToken(token); return (username.equals(user.getUsername()) && !isTokenExpired(token)); } public Boolean isTokenExpired(String token) { Date expiration = getExpirationDateFromToken(token); return expiration.before(new Date()); } public String getUsernameFromToken(String token) { String username = getClaimsFromToken(token).getSubject(); return username; } public Date getExpirationDateFromToken(String token) { Date expiration = getClaimsFromToken(token).getExpiration(); return expiration; } private Claims getClaimsFromToken(String token) { Claims claims = Jwts.parser() .setSigningKey(SECRET) .parseClaimsJws(token) .getBody(); return claims; } }
在jwt该目录下新建JwtTokenFilter过滤器
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.config.jwt; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** *
JwtTokenFilter
*Description : JwtTokenFilter
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:49
*Author Email: qianmoQ
*/ @Component public class JwtTokenFilter extends OncePerRequestFilter { public static final String HEADER_STRING = "Authorization"; @Autowired private UserDetailsService userDetailsService; @Autowired private JwtTokenTemplate jwtTokenTemplate; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String token = request.getHeader(HEADER_STRING); if (null != token) { String username = jwtTokenTemplate.getUsernameFromToken(token); if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); if (jwtTokenTemplate.validateToken(token, userDetails)) { UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken( userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails( request)); SecurityContextHolder.getContext().setAuthentication(authentication); } } } chain.doFilter(request, response); } }
配置Security
在config目录下新建JwtSecurityConfig文件
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.config; import com.edurt.sli.slisj.config.jwt.JwtTokenFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; /** *
JwtSecurityConfig
*Description : JwtSecurityConfig
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:46
*Author Email: qianmoQ
*/ @Configuration @EnableWebSecurity public class JwtSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .antMatchers("/auth/login").permitAll() .anyRequest().authenticated(); http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class); http.headers().cacheControl(); } @Bean public JwtTokenFilter authenticationTokenFilterBean() { return new JwtTokenFilter(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } }
在config目录下新建JwtUserDetailsService文件
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.config; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import java.util.ArrayList; /** *
JwtUserDetailsService
*Description : JwtUserDetailsService
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:54
*Author Email: qianmoQ
*/ @Service public class JwtUserDetailsService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException { if (userName.equals("admin")) { return new User("admin", "$2a$10$slYQmyNdGzTn7ZLBXBChFOC9f6kFjAqPhccnP6DxlWXx2lPk1C3G6", new ArrayList<>()); } return null; } }
在resources资源目录下创建一个application.properties的配置文件,内容如下
server.port=8989
创建授权参数
在/src/main/java/com/edurt/sli/slisj目录下创建param目录,并在该目录下新建JwtParam文件
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.param; import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor; import lombok.ToString; /** *
JwtParam
*Description : JwtParam
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:59
*Author Email: qianmoQ
*/ @Data @ToString @AllArgsConstructor @NoArgsConstructor public class JwtParam { private String username; private String password; }
创建授权接口
在/src/main/java/com/edurt/sli/slisj目录下创建controller目录,并在该目录下新建HelloJwtController文件
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at ** http://www.apache.org/licenses/LICENSE-2.0 *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.edurt.sli.slisj.controller; import com.edurt.sli.slisj.config.JwtUserDetailsService; import com.edurt.sli.slisj.config.jwt.JwtTokenTemplate; import com.edurt.sli.slisj.param.JwtParam; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.web.bind.annotation.*; /** *
HelloJwtController
*Description : HelloJwtController
*Author : qianmoQ
*Version : 1.0
*Create Time : 2019-11-26 20:58
*Author Email: qianmoQ
*/ @RestController @RequestMapping(value = "auth") public class HelloJwtController { @Autowired private JwtTokenTemplate jwtTokenTemplate; @Autowired private AuthenticationManager authenticationManager; @Autowired private JwtUserDetailsService userDetailsService; @PostMapping(value = "login") public String login(@RequestBody JwtParam body) throws AuthenticationException { UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(body.getUsername(), body.getPassword()); Authentication authentication = authenticationManager.authenticate(authenticationToken); SecurityContextHolder.getContext().setAuthentication(authentication); UserDetails userDetails = userDetailsService.loadUserByUsername(body.getUsername()); return jwtTokenTemplate.generateToken(userDetails); } @GetMapping(value = "hello") public String hello() { return "Hello Jwt!!!"; } }
校验授权
在控制台输入以下命令(未授权时)
curl -X GET 'http://localhost:8989/auth/hello'
会出现以下错误信息
{ "timestamp": "2019-11-26T13:05:05.204+0000", "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/auth/hello" }
提示我们未授权,这时我们使用/auth/login去获得授权的token
curl -X POST 'http://127.0.0.1:8989/auth/login' --header 'Content-Type: application/json' -d '{"username": "admin", "password": "password"}'
返回以下token信息
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTU3NTIwNTg4OH0.zc3JTsIHIZSmi-hrgCB1AKrrjVWtnWB4YJjOhzml2k9qRdTGdoDYKM1XriQIAInvIrTDDkpozT4Ny58Wcpm4JA
这时我们使用返回的token进行访问/auth/hello接口获取数据
curl -X GET 'http://127.0.0.1:8989/auth/hello' --header 'Authorization: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTU3NTIwNTg4OH0.zc3JTsIHIZSmi-hrgCB1AKrrjVWtnWB4YJjOhzml2k9qRdTGdoDYKM1XriQIAInvIrTDDkpozT4Ny58Wcpm4JA'
返回以下信息
Hello Jwt!!!
此时我们已经完成JWT授权配置
打包文件部署
打包数据
mvn clean package -Dmaven.test.skip=true -X
运行打包后的文件即可
java -jar target/spring-learn-integration-security-jwt-1.0.0.jar
上述内容就是怎么在SpringBoot Security中利用JWT授权RestAPI,你们学到知识或技能了吗?如果还想学到更多技能或者丰富自己的知识储备,欢迎关注创新互联行业资讯频道。
文章题目:怎么在SpringBootSecurity中利用JWT授权RestAPI
文章分享:http://myzitong.com/article/gchocs.html