How to use SpringBoot+SpringSecurity+jwt to implement verification
Environment
springBoot 2.3.3
springSecurity 5.0
- ##jjwt 0.91
<dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency>Directory structure information
Please ignore the file naming
The role of these two classes is to provide error return processing information classes for users to access unauthorized resources and carry error tokens. To use these two classes, you only need to Just configure it in the security configuration file and just useUserDetailsServiceImpl Login information verification/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 * 当用户在没有授权的时候,返回的指定信息 */ @Component public class jwtAccessDeniedHandler implements AccessDeniedHandler { @Override public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException { System.out.println("用户访问没有授权资源"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问没有授权资源":e.getMessage()); } }/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 */ @Component public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { System.out.println("用户访问资源没有携带正确的token"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问资源没有携带正确的token":e.getMessage()); } }
This class directly inherits UserDetailsService for login information verification, and then enter the account password When logging in, this class will be entered to verify the information. Of course I am directly using a hard-coded password here. Normally the user’s information and permission information should be obtained from the databaseJwtTokenUtils jwt packaging class@Service public class UserDetailsServiceImpl implements UserDetailsService { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { //直接写死数据信息,可以在这里获取数据库的信息并进行验证 UserDetails userDetails = User.withUsername(s).password(new BCryptPasswordEncoder().encode("123456")) .authorities("bxsheng").build(); return userDetails; } }
This class directly uses the class in the article of slyh's [SpringBoot JWT to implement login permission control (code))]((https://www.yisu.com/article/257119.htm).JwtAuthenticationFilter Custom verification jwtpackage cn.kdream.securityjwt.utlis; import io.jsonwebtoken.*; import java.util.Date; import java.util.HashMap; import java.util.Map; /** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/16 * since JDK 1.8 */ public class JwtTokenUtils { public static final String TOKEN_HEADER = "Authorization"; public static final String TOKEN_PREFIX = "Bearer "; public static final String SECRET = "jwtsecret"; public static final String ISS = "echisan"; private static final Long EXPIRATION = 60 * 60 * 3L; //过期时间3小时 private static final String ROLE = "role"; //创建token public static String createToken(String username, String role, boolean isRememberMe){ Map map = new HashMap(); map.put(ROLE, role); return Jwts.builder() .signWith(SignatureAlgorithm.HS512, SECRET) .setClaims(map) .setIssuer(ISS) .setSubject(username) .setIssuedAt(new Date()) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION * 1000)) .compact(); } //从token中获取用户名(此处的token是指去掉前缀之后的) public static String getUserName(String token){ String username; try { username = getTokenBody(token).getSubject(); } catch ( Exception e){ username = null; } return username; } public static String getUserRole(String token){ return (String) getTokenBody(token).get(ROLE); } private static Claims getTokenBody(String token){ Claims claims = null; try{ claims = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody(); } catch(ExpiredJwtException e){ e.printStackTrace(); } catch(UnsupportedJwtException e){ e.printStackTrace(); } catch(MalformedJwtException e){ e.printStackTrace(); } catch(SignatureException e){ e.printStackTrace(); } catch(IllegalArgumentException e){ e.printStackTrace(); } return claims; } //是否已过期 public static boolean isExpiration(String token){ try{ return getTokenBody(token).getExpiration().before(new Date()); } catch(Exception e){ System.out.println(e.getMessage()); } return true; } }
This class directly uses slyh's [SpringBoot JWT to implement login permission control (code))](( https://www.yisu.com/article /257119.htm))) in the article's class. The main function of this class is to verify jwt information. It mainly carries token requests, parses jwt and sets it in the security context. Saving the permission information contained in the token to the context is one of the purposes of this approach. You can authenticate userssecurity configuration information/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/16 * since JDK 1.8 */ public class JwtAuthenticationFilter extends BasicAuthenticationFilter { public JwtAuthenticationFilter(AuthenticationManager authenticationManager) { super(authenticationManager); } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER); //如果请求头中没有Authorization信息则直接放行了 if(tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)){ chain.doFilter(request, response); return; } //如果请求头中有token,则进行解析,并且设置认证信息 if(!JwtTokenUtils.isExpiration(tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX,""))){ //设置上下文 UsernamePasswordAuthenticationToken authentication = getAuthentication(tokenHeader); SecurityContextHolder.getContext().setAuthentication(authentication); } super.doFilterInternal(request, response, chain); } //获取用户信息 private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader){ String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, ""); String username = JwtTokenUtils.getUserName(token); // 获得权限 添加到权限上去 String role = JwtTokenUtils.getUserRole(token); List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>(); roles.add(new GrantedAuthority() { @Override public String getAuthority() { return role; } }); if(username != null){ return new UsernamePasswordAuthenticationToken(username, null,roles); } return null; } }
@EnableGlobalMethodSecurity(prePostEnabled = true) Enable prePostEnabled annotation authorizationStartup class@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityJwtConfig extends WebSecurityConfigurerAdapter { @Autowired private jwtAccessDeniedHandler jwtAccessDeniedHandler; @Autowired private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; @Override protected void configure(HttpSecurity http) throws Exception { http.cors().and().csrf().disable().authorizeRequests() .antMatchers(HttpMethod.OPTIONS,"/**") .permitAll() .antMatchers("/").permitAll() //login 不拦截 .antMatchers("/login").permitAll() .anyRequest().authenticated() //授权 .and() // 禁用session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // 使用自己定义的拦截机制,拦截jwt http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class) //授权错误信息处理 .exceptionHandling() //用户访问资源没有携带正确的token .authenticationEntryPoint(jwtAuthenticationEntryPoint) //用户访问没有授权资源 .accessDeniedHandler(jwtAccessDeniedHandler); } @Bean public PasswordEncoder passwordEncoder(){ //使用的密码比较方式 return new BCryptPasswordEncoder(); } }
I configured three methods in the startup class, one is used for login information, and the other two are set to require permission accessEffectDirect access to user information that requires authorization@SpringBootApplication @RestController public class SecurityJwtApplication { private final AuthenticationManagerBuilder authenticationManagerBuilder; public SecurityJwtApplication(AuthenticationManagerBuilder authenticationManagerBuilder) { this.authenticationManagerBuilder = authenticationManagerBuilder; } public static void main(String[] args) { SpringApplication.run(SecurityJwtApplication.class, args); } @GetMapping("/") public String index(){ return "security jwt"; } @PostMapping("/login") public String login(@RequestParam String u,@RequestParam String p){ // 登陆验证 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(u, p); Authentication authentication = authenticationManagerBuilder.getObject().authenticate(token); SecurityContextHolder.getContext().setAuthentication(authentication); //创建jwt信息 String token1 = JwtTokenUtils.createToken(u,"bxsheng", true); return token1; } @GetMapping("/role") @PreAuthorize("hasAnyAuthority('bxsheng')") public String roleInfo(){ return "需要获得bxsheng权限,才可以访问"; } @GetMapping("/roles") @PreAuthorize("hasAnyAuthority('kdream')") public String rolekdream(){ return "需要获得kdream权限,才可以访问"; } }
Directly accessing resource information that only requires authorization without using a token will enter the JwtAuthenticationEntryPoint class
Access the login method in the startup class and get the token informationBecause I use a fixed password, I use When accessing with an incorrect password, you can capture the exception information in springboot's global exception handling/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 */ @RestControllerAdvice public class Error { @ExceptionHandler(BadCredentialsException.class) public void badCredentialsException(BadCredentialsException e){ System.out.println(e.getMessage());//用户名或密码错误 // throw new BadCredentialsException(e.getMessage()); } }
There is hard-coded bxsheng permission information in it, so normally the resource information identified by bxsheng can be obtained.
Using token to directly access unauthorized resource information will enter the jwtAccessDeniedHandler class
The above is the detailed content of How to use SpringBoot+SpringSecurity+jwt to implement verification. For more information, please follow other related articles on the PHP Chinese website!

Java is platform-independent because of its "write once, run everywhere" design philosophy, which relies on Java virtual machines (JVMs) and bytecode. 1) Java code is compiled into bytecode, interpreted by the JVM or compiled on the fly locally. 2) Pay attention to library dependencies, performance differences and environment configuration. 3) Using standard libraries, cross-platform testing and version management is the best practice to ensure platform independence.

Java'splatformindependenceisnotsimple;itinvolvescomplexities.1)JVMcompatibilitymustbeensuredacrossplatforms.2)Nativelibrariesandsystemcallsneedcarefulhandling.3)Dependenciesandlibrariesrequirecross-platformcompatibility.4)Performanceoptimizationacros

Java'splatformindependencebenefitswebapplicationsbyallowingcodetorunonanysystemwithaJVM,simplifyingdeploymentandscaling.Itenables:1)easydeploymentacrossdifferentservers,2)seamlessscalingacrosscloudplatforms,and3)consistentdevelopmenttodeploymentproce

TheJVMistheruntimeenvironmentforexecutingJavabytecode,crucialforJava's"writeonce,runanywhere"capability.Itmanagesmemory,executesthreads,andensuressecurity,makingitessentialforJavadeveloperstounderstandforefficientandrobustapplicationdevelop

Javaremainsatopchoicefordevelopersduetoitsplatformindependence,object-orienteddesign,strongtyping,automaticmemorymanagement,andcomprehensivestandardlibrary.ThesefeaturesmakeJavaversatileandpowerful,suitableforawiderangeofapplications,despitesomechall

Java'splatformindependencemeansdeveloperscanwritecodeonceandrunitonanydevicewithoutrecompiling.ThisisachievedthroughtheJavaVirtualMachine(JVM),whichtranslatesbytecodeintomachine-specificinstructions,allowinguniversalcompatibilityacrossplatforms.Howev

To set up the JVM, you need to follow the following steps: 1) Download and install the JDK, 2) Set environment variables, 3) Verify the installation, 4) Set the IDE, 5) Test the runner program. Setting up a JVM is not just about making it work, it also involves optimizing memory allocation, garbage collection, performance tuning, and error handling to ensure optimal operation.

ToensureJavaplatformindependence,followthesesteps:1)CompileandrunyourapplicationonmultipleplatformsusingdifferentOSandJVMversions.2)UtilizeCI/CDpipelineslikeJenkinsorGitHubActionsforautomatedcross-platformtesting.3)Usecross-platformtestingframeworkss


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

SublimeText3 Mac version
God-level code editing software (SublimeText3)

mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

Notepad++7.3.1
Easy-to-use and free code editor

WebStorm Mac version
Useful JavaScript development tools
