How to use SpringBoot+SpringSecurity+jwt to implement verification
- WBOYforward
- 2023-05-24 20:07:131647browse
Environment
springBoot 2.3.3
springSecurity 5.0
- ##jjwt 0.91
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>Directory structure information
Please ignore the file naming
The role of these two classes is to provide error return processing information classes for users to access unauthorized resources and carry error tokens. To use these two classes, you only need to Just configure it in the security configuration file and just useUserDetailsServiceImpl Login information verification/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 * 当用户在没有授权的时候,返回的指定信息 */ @Component public class jwtAccessDeniedHandler implements AccessDeniedHandler { @Override public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException { System.out.println("用户访问没有授权资源"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问没有授权资源":e.getMessage()); } }/** * @author Bxsheng * @blogAddress www.kdream.cn * @createTIme 2020/9/17 * since JDK 1.8 */ @Component public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { System.out.println("用户访问资源没有携带正确的token"); System.out.println(e.getMessage()); httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e==null?"用户访问资源没有携带正确的token":e.getMessage()); } }
This class directly inherits UserDetailsService for login information verification, and then enter the account password When logging in, this class will be entered to verify the information. Of course I am directly using a hard-coded password here. Normally the user’s information and permission information should be obtained from the database@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
//直接写死数据信息,可以在这里获取数据库的信息并进行验证
UserDetails userDetails = User.withUsername(s).password(new BCryptPasswordEncoder().encode("123456"))
.authorities("bxsheng").build();
return userDetails;
}
}JwtTokenUtils jwt packaging class This class directly uses the class in the article of slyh's [SpringBoot JWT to implement login permission control (code))]((https://www.yisu.com/article/257119.htm). package cn.kdream.securityjwt.utlis;
import io.jsonwebtoken.*;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
/**
* @author Bxsheng
* @blogAddress www.kdream.cn
* @createTIme 2020/9/16
* since JDK 1.8
*/
public class JwtTokenUtils {
public static final String TOKEN_HEADER = "Authorization";
public static final String TOKEN_PREFIX = "Bearer ";
public static final String SECRET = "jwtsecret";
public static final String ISS = "echisan";
private static final Long EXPIRATION = 60 * 60 * 3L; //过期时间3小时
private static final String ROLE = "role";
//创建token
public static String createToken(String username, String role, boolean isRememberMe){
Map map = new HashMap();
map.put(ROLE, role);
return Jwts.builder()
.signWith(SignatureAlgorithm.HS512, SECRET)
.setClaims(map)
.setIssuer(ISS)
.setSubject(username)
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION * 1000))
.compact();
}
//从token中获取用户名(此处的token是指去掉前缀之后的)
public static String getUserName(String token){
String username;
try {
username = getTokenBody(token).getSubject();
} catch ( Exception e){
username = null;
}
return username;
}
public static String getUserRole(String token){
return (String) getTokenBody(token).get(ROLE);
}
private static Claims getTokenBody(String token){
Claims claims = null;
try{
claims = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody();
} catch(ExpiredJwtException e){
e.printStackTrace();
} catch(UnsupportedJwtException e){
e.printStackTrace();
} catch(MalformedJwtException e){
e.printStackTrace();
} catch(SignatureException e){
e.printStackTrace();
} catch(IllegalArgumentException e){
e.printStackTrace();
}
return claims;
}
//是否已过期
public static boolean isExpiration(String token){
try{
return getTokenBody(token).getExpiration().before(new Date());
} catch(Exception e){
System.out.println(e.getMessage());
}
return true;
}
}JwtAuthenticationFilter Custom verification jwt
This class directly uses slyh's [SpringBoot JWT to implement login permission control (code))](( https://www.yisu.com/article /257119.htm))) in the article's class. The main function of this class is to verify jwt information. It mainly carries token requests, parses jwt and sets it in the security context. Saving the permission information contained in the token to the context is one of the purposes of this approach. You can authenticate users /**
* @author Bxsheng
* @blogAddress www.kdream.cn
* @createTIme 2020/9/16
* since JDK 1.8
*/
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String tokenHeader = request.getHeader(JwtTokenUtils.TOKEN_HEADER);
//如果请求头中没有Authorization信息则直接放行了
if(tokenHeader == null || !tokenHeader.startsWith(JwtTokenUtils.TOKEN_PREFIX)){
chain.doFilter(request, response);
return;
}
//如果请求头中有token,则进行解析,并且设置认证信息
if(!JwtTokenUtils.isExpiration(tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX,""))){
//设置上下文
UsernamePasswordAuthenticationToken authentication = getAuthentication(tokenHeader);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
super.doFilterInternal(request, response, chain);
}
//获取用户信息
private UsernamePasswordAuthenticationToken getAuthentication(String tokenHeader){
String token = tokenHeader.replace(JwtTokenUtils.TOKEN_PREFIX, "");
String username = JwtTokenUtils.getUserName(token);
// 获得权限 添加到权限上去
String role = JwtTokenUtils.getUserRole(token);
List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
roles.add(new GrantedAuthority() {
@Override
public String getAuthority() {
return role;
}
});
if(username != null){
return new UsernamePasswordAuthenticationToken(username, null,roles);
}
return null;
}
}security configuration information
@EnableGlobalMethodSecurity(prePostEnabled = true) Enable prePostEnabled annotation authorization @Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityJwtConfig extends WebSecurityConfigurerAdapter {
@Autowired
private jwtAccessDeniedHandler jwtAccessDeniedHandler;
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.OPTIONS,"/**")
.permitAll()
.antMatchers("/").permitAll()
//login 不拦截
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
//授权
.and()
// 禁用session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 使用自己定义的拦截机制,拦截jwt
http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class)
//授权错误信息处理
.exceptionHandling()
//用户访问资源没有携带正确的token
.authenticationEntryPoint(jwtAuthenticationEntryPoint)
//用户访问没有授权资源
.accessDeniedHandler(jwtAccessDeniedHandler);
}
@Bean
public PasswordEncoder passwordEncoder(){
//使用的密码比较方式
return new BCryptPasswordEncoder();
}
}Startup class
I configured three methods in the startup class, one is used for login information, and the other two are set to require permission access@SpringBootApplication
@RestController
public class SecurityJwtApplication {
private final AuthenticationManagerBuilder authenticationManagerBuilder;
public SecurityJwtApplication(AuthenticationManagerBuilder authenticationManagerBuilder) {
this.authenticationManagerBuilder = authenticationManagerBuilder;
}
public static void main(String[] args) {
SpringApplication.run(SecurityJwtApplication.class, args);
}
@GetMapping("/")
public String index(){
return "security jwt";
}
@PostMapping("/login")
public String login(@RequestParam String u,@RequestParam String p){
// 登陆验证
UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken(u, p);
Authentication authentication = authenticationManagerBuilder.getObject().authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
//创建jwt信息
String token1 = JwtTokenUtils.createToken(u,"bxsheng", true);
return token1;
}
@GetMapping("/role")
@PreAuthorize("hasAnyAuthority('bxsheng')")
public String roleInfo(){
return "需要获得bxsheng权限,才可以访问";
}
@GetMapping("/roles")
@PreAuthorize("hasAnyAuthority('kdream')")
public String rolekdream(){
return "需要获得kdream权限,才可以访问";
}
} EffectDirect access to user information that requires authorization
Directly accessing resource information that only requires authorization without using a token will enter the JwtAuthenticationEntryPoint class
Access the login method in the startup class and get the token informationBecause I use a fixed password, I use When accessing with an incorrect password, you can capture the exception information in springboot's global exception handling/**
* @author Bxsheng
* @blogAddress www.kdream.cn
* @createTIme 2020/9/17
* since JDK 1.8
*/
@RestControllerAdvice
public class Error {
@ExceptionHandler(BadCredentialsException.class)
public void badCredentialsException(BadCredentialsException e){
System.out.println(e.getMessage());//用户名或密码错误
// throw new BadCredentialsException(e.getMessage());
}
}
There is hard-coded bxsheng permission information in it, so normally the resource information identified by bxsheng can be obtained.
Using token to directly access unauthorized resource information will enter the jwtAccessDeniedHandler class
The above is the detailed content of How to use SpringBoot+SpringSecurity+jwt to implement verification. For more information, please follow other related articles on the PHP Chinese website!
Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete
Previous article:How to implement lucky draw function in javaNext article:How to implement lucky draw function in java
Related articles
See more- Why does URLEncoder replace spaces with ' ' in HTML form URLs, and how can I get " " instead?
- Hacktoberfest 4!
- When Should You Use JSP Include Directives, Actions, or Tag Files?
- Why is the "OK" button in the Android Virtual Device (AVD) Manager unresponsive in Eclipse with ADT 22.6.0?
- How do I convert an integer to a string in Java?