🌟博主介绍:Java、Python、js全栈开发 “多面手”,精通多种编程语言和技术,痴迷于人工智能领域。秉持着对技术的热爱与执着,持续探索创新,愿在此分享交流和学习,与大家共进步。
📖全栈开发环境搭建运行攻略:多语言一站式指南(环境搭建+运行+调试+发布+保姆级详解)
👉感兴趣的可以先收藏起来,希望帮助更多的人
SpringBoot安全框架深度整合:OAuth2+JWT实现权限控制的最佳实践
一、引言
在当今的Web应用开发中,安全性是至关重要的一环。随着微服务架构的流行,如何有效地管理和控制用户的访问权限成为了一个挑战。Spring Boot作为一个广泛使用的Java开发框架,提供了强大的安全框架支持。OAuth2和JWT(JSON Web Token)作为现代身份验证和授权的标准解决方案,它们的结合可以为Spring Boot应用提供高效、灵活且安全的权限控制机制。本文将深入探讨如何在Spring Boot应用中深度整合OAuth2和JWT,实现最佳的权限控制实践。
二、OAuth2和JWT基础概念
2.1 OAuth2概述
OAuth2是一种开放标准的授权协议,它允许用户让第三方应用在不提供用户名和密码的情况下,访问用户在另一个服务提供商处存储的特定资源。OAuth2定义了四种授权模式:授权码模式、简化模式、密码模式和客户端模式。其中,授权码模式是最安全和常用的模式。
2.2 JWT概述
JWT是一种用于在网络应用之间安全传输声明的开放标准(RFC 7519)。它由三部分组成:头部(Header)、负载(Payload)和签名(Signature)。JWT通常以紧凑的URL安全字符串形式传输,可以包含用户的身份信息、权限信息等,并且可以通过签名验证其完整性和真实性。
三、Spring Boot项目搭建
3.1 创建Spring Boot项目
可以使用Spring Initializr(https://start.spring.io/)来快速创建一个Spring Boot项目。选择以下依赖:
- Spring Web
- Spring Security
- Spring Boot DevTools
3.2 项目结构
创建好项目后,项目的基本结构如下:
src
├── main
│ ├── java
│ │ └── com
│ │ └── example
│ │ └── demo
│ │ ├── DemoApplication.java
│ │ ├── controller
│ │ │ └── HelloController.java
│ │ ├── config
│ │ │ └── SecurityConfig.java
│ │ └── service
│ │ └── UserService.java
│ └── resources
│ ├── application.properties
│ └── static
│ └── index.html
└── test
└── java
└── com
└── example
└── demo
└── DemoApplicationTests.java
四、OAuth2服务端配置
4.1 添加依赖
在pom.xml中添加OAuth2相关依赖:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-authorization-server</artifactId>
</dependency>
4.2 配置OAuth2服务端
创建AuthorizationServerConfig类来配置OAuth2服务端:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableAuthorizationServer
@EnableResourceServer
@EnableWebSecurity
public class AuthorizationServerConfig extends ResourceServerConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/oauth/token").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
return http.build();
}
}
4.3 配置客户端详情
创建ClientDetailsServiceConfig类来配置OAuth2客户端详情:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import javax.sql.DataSource;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class ClientDetailsServiceConfig {
@Bean
public ClientDetailsService clientDetailsService() {
InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
Map<String, BaseClientDetails> clientDetailsStore = new HashMap<>();
BaseClientDetails clientDetails = new BaseClientDetails();
clientDetails.setClientId("client");
clientDetails.setClientSecret("{noop}secret");
clientDetails.setScope("read,write");
clientDetails.setAuthorizedGrantTypes("password,refresh_token");
clientDetails.setAccessTokenValiditySeconds(3600);
clientDetails.setRefreshTokenValiditySeconds(86400);
clientDetailsStore.put(clientDetails.getClientId(), clientDetails);
clientDetailsService.setClientDetailsStore(clientDetailsStore);
return clientDetailsService;
}
}
五、JWT集成
5.1 添加依赖
在pom.xml中添加JWT相关依赖:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.11.5</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
5.2 创建JWT工具类
创建JwtUtils类来生成和验证JWT:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@Component
public class JwtUtils {
private static final String SECRET_KEY = "yourSecretKey";
private static final long EXPIRATION_TIME = 86400000; // 24 hours
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
return Jwts.builder()
.setClaims(claims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS256, SECRET_KEY)
.compact();
}
public Claims extractClaims(String token) {
return Jwts.parser()
.setSigningKey(SECRET_KEY)
.parseClaimsJws(token)
.getBody();
}
public String extractUsername(String token) {
return extractClaims(token).getSubject();
}
public Date extractExpiration(String token) {
return extractClaims(token).getExpiration();
}
public Boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
}
public Boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}
}
5.3 配置JWT过滤器
创建JwtAuthenticationFilter类来拦截请求并验证JWT:
import io.jsonwebtoken.ExpiredJwtException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtUtils jwtUtils;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String authorizationHeader = request.getHeader("Authorization");
String username = null;
String jwt = null;
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
jwt = authorizationHeader.substring(7);
try {
username = jwtUtils.extractUsername(jwt);
} catch (ExpiredJwtException e) {
// Handle expired token
}
}
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtUtils.validateToken(jwt, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
usernamePasswordAuthenticationToken
.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
}
}
filterChain.doFilter(request, response);
}
}
5.4 配置安全过滤器链
在SecurityConfig类中配置JWT过滤器:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtAuthenticationFilter jwtAuthenticationFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/authenticate").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
}
六、权限控制实现
6.1 定义角色和权限
在User类中定义用户角色和权限:
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
import java.util.Collections;
public class User implements UserDetails {
private String username;
private String password;
private String role;
public User(String username, String password, String role) {
this.username = username;
this.password = password;
this.role = role;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role));
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
6.2 配置角色权限访问
在SecurityConfig类中配置角色权限访问:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
.antMatchers("/authenticate").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
七、测试与验证
7.1 获取访问令牌
使用Postman或其他工具向/oauth/token端点发送POST请求,获取访问令牌:
POST http://localhost:8080/oauth/token
Content-Type: application/x-www-form-urlencoded
client_id=client
client_secret=secret
grant_type=password
username=user
password=password
7.2 访问受保护资源
在请求头中添加Authorization字段,值为Bearer <access_token>,访问受保护的资源:
GET http://localhost:8080/user/resource
Authorization: Bearer <access_token>
八、总结
通过本文的介绍,我们详细阐述了如何在Spring Boot应用中深度整合OAuth2和JWT,实现高效、灵活且安全的权限控制。OAuth2提供了强大的授权机制,而JWT则为身份验证和信息传输提供了安全可靠的方式。通过合理配置和使用这两个技术,我们可以构建出具有高安全性的Web应用。
扫一扫
1209
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
