Home >Java >javaTutorial >How to use SpringBoot+SpringSecurity+jwt to implement verification
springBoot 2.3.3
springSecurity 5.0
<dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency>Directory structure information
Please ignore the file namingjwtAccessDeniedHandler and JwtAuthenticationEntryPoint
The role of these two classes is to provide error return processing information classes for users to access unauthorized resources and carry error tokens. To use these two classes, you only need to Just configure it in the security configuration file and just useUserDetailsServiceImpl Login information verification/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 * 当用户在没有授权的时候,返回的指定信息 */ @Component public class jwtAccessDeniedHandler implements AccessDeniedHandler { @Override public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException { System.out.println("用户访问没有授权资源"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问没有授权资源":e.getMessage()); } }/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 */ @Component public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { System.out.println("用户访问资源没有携带正确的token"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问资源没有携带正确的token":e.getMessage()); } }
This class directly inherits UserDetailsService for login information verification, and then enter the account password When logging in, this class will be entered to verify the information. Of course I am directly using a hard-coded password here. Normally the user’s information and permission information should be obtained from the databaseJwtTokenUtils jwt packaging class@Service public class UserDetailsServiceImpl implements UserDetailsService { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { //直接写死数据信息,可以在这里获取数据库的信息并进行验证 UserDetails userDetails = User.withUsername(s).password(new BCryptPasswordEncoder().encode("123456")) .authorities("bxsheng").build(); return userDetails; } }
This class directly uses the class in the article of slyh's [SpringBoot JWT to implement login permission control (code))]((https://www.yisu.com/article/257119.htm).JwtAuthenticationFilter Custom verification jwtpackage cn.kdream.securityjwt.utlis; import io.jsonwebtoken.*; import java.util.Date; import java.util.HashMap; import java.util.Map; /** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/16 * since JDK 1.8 */ public class JwtTokenUtils { public static final String TOKEN_HEADER = "Authorization"; public static final String TOKEN_PREFIX = "Bearer "; public static final String SECRET = "jwtsecret"; public static final String ISS = "echisan"; private static final Long EXPIRATION = 60 * 60 * 3L; //过期时间3小时 private static final String ROLE = "role"; //创建token public static String createToken(String username, String role, boolean isRememberMe){ Map map = new HashMap(); map.put(ROLE, role); return Jwts.builder() .signWith(SignatureAlgorithm.HS512, SECRET) .setClaims(map) .setIssuer(ISS) .setSubject(username) .setIssuedAt(new Date()) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION * 1000)) .compact(); } //从token中获取用户名(此处的token是指去掉前缀之后的) public static String getUserName(String token){ String username; try { username = getTokenBody(token).getSubject(); } catch ( Exception e){ username = null; } return username; } public static String getUserRole(String token){ return (String) getTokenBody(token).get(ROLE); } private static Claims getTokenBody(String token){ Claims claims = null; try{ claims = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody(); } catch(ExpiredJwtException e){ e.printStackTrace(); } catch(UnsupportedJwtException e){ e.printStackTrace(); } catch(MalformedJwtException e){ e.printStackTrace(); } catch(SignatureException e){ e.printStackTrace(); } catch(IllegalArgumentException e){ e.printStackTrace(); } return claims; } //是否已过期 public static boolean isExpiration(String token){ try{ return getTokenBody(token).getExpiration().before(new Date()); } catch(Exception e){ System.out.println(e.getMessage()); } return true; } }
This class directly uses slyh's [SpringBoot JWT to implement login permission control (code))](( https://www.yisu.com/article /257119.htm))) in the article's class. The main function of this class is to verify jwt information. It mainly carries token requests, parses jwt and sets it in the security context. Saving the permission information contained in the token to the context is one of the purposes of this approach. You can authenticate userssecurity configuration information/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/16 * since JDK 1.8 */ public class JwtAuthenticationFilter extends BasicAuthenticationFilter { public JwtAuthenticationFilter(AuthenticationManager authenticationManager) { super(authenticationManager); } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER); //如果请求头中没有Authorization信息则直接放行了 if(tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)){ chain.doFilter(request, response); return; } //如果请求头中有token,则进行解析,并且设置认证信息 if(!JwtTokenUtils.isExpiration(tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX,""))){ //设置上下文 UsernamePasswordAuthenticationToken authentication = getAuthentication(tokenHeader); SecurityContextHolder.getContext().setAuthentication(authentication); } super.doFilterInternal(request, response, chain); } //获取用户信息 private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader){ String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, ""); String username = JwtTokenUtils.getUserName(token); // 获得权限 添加到权限上去 String role = JwtTokenUtils.getUserRole(token); List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>(); roles.add(new GrantedAuthority() { @Override public String getAuthority() { return role; } }); if(username != null){ return new UsernamePasswordAuthenticationToken(username, null,roles); } return null; } }
@EnableGlobalMethodSecurity(prePostEnabled = true) Enable prePostEnabled annotation authorizationStartup class@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityJwtConfig extends WebSecurityConfigurerAdapter { @Autowired private jwtAccessDeniedHandler jwtAccessDeniedHandler; @Autowired private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; @Override protected void configure(HttpSecurity http) throws Exception { http.cors().and().csrf().disable().authorizeRequests() .antMatchers(HttpMethod.OPTIONS,"/**") .permitAll() .antMatchers("/").permitAll() //login 不拦截 .antMatchers("/login").permitAll() .anyRequest().authenticated() //授权 .and() // 禁用session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // 使用自己定义的拦截机制,拦截jwt http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class) //授权错误信息处理 .exceptionHandling() //用户访问资源没有携带正确的token .authenticationEntryPoint(jwtAuthenticationEntryPoint) //用户访问没有授权资源 .accessDeniedHandler(jwtAccessDeniedHandler); } @Bean public PasswordEncoder passwordEncoder(){ //使用的密码比较方式 return new BCryptPasswordEncoder(); } }
I configured three methods in the startup class, one is used for login information, and the other two are set to require permission accessEffectDirect access to user information that requires authorization@SpringBootApplication @RestController public class SecurityJwtApplication { private final AuthenticationManagerBuilder authenticationManagerBuilder; public SecurityJwtApplication(AuthenticationManagerBuilder authenticationManagerBuilder) { this.authenticationManagerBuilder = authenticationManagerBuilder; } public static void main(String[] args) { SpringApplication.run(SecurityJwtApplication.class, args); } @GetMapping("/") public String index(){ return "security jwt"; } @PostMapping("/login") public String login(@RequestParam String u,@RequestParam String p){ // 登陆验证 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(u, p); Authentication authentication = authenticationManagerBuilder.getObject().authenticate(token); SecurityContextHolder.getContext().setAuthentication(authentication); //创建jwt信息 String token1 = JwtTokenUtils.createToken(u,"bxsheng", true); return token1; } @GetMapping("/role") @PreAuthorize("hasAnyAuthority('bxsheng')") public String roleInfo(){ return "需要获得bxsheng权限,才可以访问"; } @GetMapping("/roles") @PreAuthorize("hasAnyAuthority('kdream')") public String rolekdream(){ return "需要获得kdream权限,才可以访问"; } }
Directly accessing resource information that only requires authorization without using a token will enter the JwtAuthenticationEntryPoint classGet token
Access the login method in the startup class and get the token informationBecause I use a fixed password, I use When accessing with an incorrect password, you can capture the exception information in springboot's global exception handlingGet the token correctly and access protected resources/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 */ @RestControllerAdvice public class Error { @ExceptionHandler(BadCredentialsException.class) public void badCredentialsException(BadCredentialsException e){ System.out.println(e.getMessage());//用户名或密码错误 // throw new BadCredentialsException(e.getMessage()); } }
There is hard-coded bxsheng permission information in it, so normally the resource information identified by bxsheng can be obtained.Successfully obtained information Attempt to obtain unauthorized resource information
Using token to directly access unauthorized resource information will enter the jwtAccessDeniedHandler class
The above is the detailed content of How to use SpringBoot+SpringSecurity+jwt to implement verification. For more information, please follow other related articles on the PHP Chinese website!