SpringSecurity + JWT 2024最新版 SpringSecurity角色权限控制 SpringSecurity6

已于 2024-09-02 20:44:42 修改
阅读量1.2k 收藏 19
点赞数 9
文章标签: java spring spring boot servlet hibernate 后端 mysql
于 2024-09-01 23:28:01 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/commandblock/article/details/141790415
版权

文章目录

前言

本文默认读者已了解相关知识,所以只介绍代码。
本文尽量使用官方提供的方法尽量简略的实现SpringSecurity+JWT,更多自定义功能需读者扩展。
项目环境:SpringBoot3、JDK21、Mysql8、SpringSecurity6、auth0 JWT

完整代码

pom.xml(引入项目所需依赖)

		<!-- Lombok -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <scope>provided</scope>
        </dependency>

        <!--Json-->
        <dependency>
            <groupId>com.google.code.gson</groupId>
            <artifactId>gson</artifactId>
            <version>2.8.9</version>
        </dependency>

        <!--Spring Starter-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <!--JPA-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

        <!-- MySQL -->
        <dependency>
            <groupId>com.mysql</groupId>
            <artifactId>mysql-connector-j</artifactId>
        </dependency>

        <!-- SpringSecurity -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <!-- auth0 JWT -->
        <dependency>
            <groupId>com.auth0</groupId>
            <artifactId>java-jwt</artifactId>
            <version>3.18.2</version>
        </dependency>

        <!--开发时用(自动应用程序重启,自动加载静态资源,禁用模板缓存,全局错误页面)-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>

application.properties(配置数据库连接)

# Mysql数据库连接配置
spring.datasource.url=jdbc:mysql://localhost:3306/windows?serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=123456
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

# Hibernate配置
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true

JwtUtil.java(生成、校验、解析JWT)

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

import jakarta.servlet.http.HttpServletRequest;

import java.util.*;

import org.springframework.util.StringUtils;

public class JwtUtil {
    private static final String jwtKey = "123456";
    private static final Integer expiredTimeInSeconds = 60;

    public static String generateToken(String username) {
        Algorithm algorithm = Algorithm.HMAC256(jwtKey);
        Date now = new Date();
        Date expiration = new Date(now.getTime() + expiredTimeInSeconds * 1000L);

        return JWT.create()
                .withClaim("username", username)
                .withExpiresAt(expiration)
                .withIssuedAt(now)
                .sign(algorithm);
    }

    public static Optional<Map<String, Claim>> getClaims(String token) {
        Algorithm algorithm = Algorithm.HMAC256(jwtKey);
        JWTVerifier verifier = JWT.require(algorithm).build();

        try {
            DecodedJWT decodedJWT = verifier.verify(token);
            return Optional.of(decodedJWT.getClaims());
        } catch (JWTVerificationException e) {
            return Optional.empty();
        }
    }

    public static boolean validateToken(String token) {
        Algorithm algorithm = Algorithm.HMAC256(jwtKey);
        JWTVerifier verifier = JWT.require(algorithm).build();

        try {
            verifier.verify(token);
            return true;
        } catch (JWTVerificationException e) {
            return false;
        }
    }

    public static String getTokenFromRequest(HttpServletRequest request) {
        String bearerToken = request.getHeader("Authorization");
        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
            return bearerToken.substring(7, bearerToken.length());
        }
        return null;
    }
}

JsonUtil.java(对象转JSON)

import com.google.gson.Gson;

public class JsonUtil {
    public static String ObjectToJson(Object object) {
        Gson gson = new Gson();
        return gson.toJson(object);
    }
}

User.java(用户实体)

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import lombok.Data;

@Data
@Entity
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String username;
    private String password;
    private String role;
}

UserRepository.java(用户数据接口)

import java.util.Optional;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

import com.example.windows.windows.enity.User;

@Repository
public interface UserRepository extends JpaRepository<User, Long> {
    Optional<User> findByUsername(String username);
}

UserService(实现UserDetailsService)

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import com.example.windows.windows.enity.User;
import com.example.windows.windows.repository.UserRepository;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import com.example.windows.windows.enity.User;
import com.example.windows.windows.repository.UserRepository;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

@Service
public class UserService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found with username: " + username));

        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority(user.getRole()));

        return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(),
                authorities);
    }

    public User register(String username,String password) {
        User user = new User();
        if (userRepository.findByUsername(username).isPresent()) {
            return null;
        }
        user.setUsername(username);
        user.setPassword(new BCryptPasswordEncoder().encode(password));
        user.setRole("user");
        return userRepository.save(user);
    }
}

UserController.java(测试权限)

import org.springframework.web.bind.annotation.*;
import org.springframework.web.bind.annotation.GetMapping;

@RestController
@RequestMapping("/api/user")
public class UserController {
    @GetMapping("/test")
    public String test() {
        return "test";
    }

    @GetMapping("/adminTest")
    public String adminTest() {
        return "adminTest";
    }

    @GetMapping("/userTest")
    public String userTest() {
        return "userTest";
    }
}

JwtAuthenticationFilter(验证JWT是否合法)

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import com.auth0.jwt.interfaces.Claim;
import com.example.windows.windows.service.UserService;
import com.example.windows.windows.utils.JwtUtil;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;

import java.io.IOException;
import java.util.Map;
import java.util.Optional;

@RequiredArgsConstructor
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private UserService userService;

    public JwtAuthenticationFilter(UserService userService) {
        this.userService = userService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String jwt = JwtUtil.getTokenFromRequest(request);
        if (StringUtils.hasText(jwt) && JwtUtil.validateToken(jwt)) {
            Optional<Map<String, Claim>> claims = JwtUtil.getClaims(jwt);
            Claim usernameClaim = claims.get().get("username");
            String username = usernameClaim.asString();
            UserDetails userDetails = userService.loadUserByUsername(username);
            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
                    userDetails,
                    null,
                    userDetails.getAuthorities());

            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        }
        filterChain.doFilter(request, response);
    }
}

SecurityConfig.java(SpringSecurity配置类)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.example.windows.windows.filter.JwtAuthenticationFilter;
import com.example.windows.windows.handle.JwtAccessDeniedHandler;
import com.example.windows.windows.handle.JwtAuthenticationEntryPoint;
import com.example.windows.windows.handle.LoginFailureHandler;
import com.example.windows.windows.handle.LoginSuccessHandler;
import com.example.windows.windows.service.UserService;

import lombok.RequiredArgsConstructor;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
    private final UserService userService;
    private final LoginFailureHandler loginFailureHandler;
    private final LoginSuccessHandler loginSuccessHandler;

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration)
            throws Exception {
        return configuration.getAuthenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
                .addFilterBefore(new JwtAuthenticationFilter(userService), UsernamePasswordAuthenticationFilter.class)
               	.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.NEVER))
                .formLogin(login -> login
                        .loginProcessingUrl("/api/user/login")
                        .usernameParameter("username")
                        .passwordParameter("password")
                        .successHandler(loginSuccessHandler)
                        .failureHandler(loginFailureHandler))
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/api/user/userTest").hasAnyAuthority("user")
                        .requestMatchers("/api/user/adminTest").hasAnyAuthority("admin")
                        .anyRequest().authenticated())
                .exceptionHandling(exception -> exception
                        .accessDeniedHandler(jwtAccessDeniedHandler)
                        .authenticationEntryPoint(jwtAuthenticationEntryPoint));
        return http.build();
    }
}

Result.java(封装返回信息)

package com.example.windows.windows.enity;

import java.io.Serializable;
import lombok.Data;

@Data
public class Result implements Serializable {
    private int code;
    private String message;
    private Object data;

    public Result() {}

    public Result(int code, String message, Object data) {
        this.code = code;
        this.message = message;
        this.data = data;
    }
}

JwtAccessDeniedHandler.java(处理请求路径无权限)

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import com.example.windows.windows.enity.Result;
import com.example.windows.windows.utils.JsonUtil;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            AccessDeniedException e) throws IOException, ServletException {
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();

        Result result = new Result(401, "权限不足", null);
        outputStream.write(JsonUtil.ObjectToJson(result).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

JwtAuthenticationEntryPoint.java(处理无效JWT/未认证用户)

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.example.windows.windows.enity.Result;
import com.example.windows.windows.utils.JsonUtil;
import com.example.windows.windows.utils.JwtUtil;

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            AuthenticationException authenticationException) throws IOException, ServletException {
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        String jwt = JwtUtil.getTokenFromRequest(httpServletRequest);
        Result result = new Result();
        if (StringUtils.hasText(jwt) && JwtUtil.validateToken(jwt)){
            result.setCode(401);
            result.setMessage("JWT无效");
        }
        else{
            result.setCode(401);
            result.setMessage("请先登录");
        }

        outputStream.write(JsonUtil.ObjectToJson(result).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

LoginFailureHandler.java(处理登录失败逻辑)

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.example.windows.windows.enity.Result;
import com.example.windows.windows.service.UserService;
import com.example.windows.windows.utils.JsonUtil;
import com.example.windows.windows.utils.JwtUtil;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;

@Component
@RequiredArgsConstructor
public class LoginFailureHandler implements AuthenticationFailureHandler {
    private final UserService userService;
    Logger logger = LoggerFactory.getLogger(LoginFailureHandler.class);
    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            AuthenticationException authenticationException) throws IOException, ServletException {
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        String username = httpServletRequest.getParameter("username");
        String password = httpServletRequest.getParameter("password");
        Result result = new Result();
        if (userService.register(username,password) == null) {
            result.setCode(401);
            result.setMessage("用户名或密码错误");
        }
        else{
            String jwt = JwtUtil.generateToken(username);
            result.setCode(200);
            result.setMessage("注册成功");
            result.setData(jwt);
        }
        
        outputStream.write(JsonUtil.ObjectToJson(result).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

LoginSuccessHandler.java(处理登录成功逻辑)

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.example.windows.windows.enity.Result;
import com.example.windows.windows.utils.JsonUtil;
import com.example.windows.windows.utils.JwtUtil;

@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            Authentication authentication) throws IOException, ServletException {
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();

        String username = httpServletRequest.getParameter("username");
        String jwt = JwtUtil.generateToken(username);
        Result result = new Result(200, "登录成功", jwt);

        outputStream.write(JsonUtil.ObjectToJson(result).getBytes(StandardCharsets.UTF_8));
        outputStream.flush();
        outputStream.close();
    }
}

效果检验

以下均使用postman测试

1.测试用户注册功能

代码中设置了用户不存在自动注册的逻辑
user注册成功
在这里插入图片描述
admin注册成功
在这里插入图片描述
去数据库修改admin用户的权限用于测试
在这里插入图片描述

2.测试角色user功能

登录user用户
在这里插入图片描述
将返回的jwt(data中的字符串)放到Headers中的Authorization中,并添加前缀((Bearer )有个空格)。
有user权限
在这里插入图片描述
没有admin权限
在这里插入图片描述

3.测试角色admin功能

admin登录
在这里插入图片描述
有admin权限
在这里插入图片描述
没有user权限
在这里插入图片描述

4.测试超时处理

在这里插入图片描述

5.测试未登录用户

在这里插入图片描述

爪哇岛的蟒
关注
  • 9
    点赞
  • 19
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
spring Security + jwt使用
wenlai123456的博客
08-22 1194
spring Security + jwt
SpringSecurity详细解释
m0_59208630的博客
11-02 187
Spring 家族中的一个安全管理框架。相比与另外一个安全框架Shiro,它提供了更丰富的功能,社区资源也比Shiro丰富。一般来说中大型的项目都是使用来做安全框架。小项目有Shiro的比较多,因为相比与SpringSecurity,Shiro的上手更加的简单。一般Web应用的需要进行认证和授权。认证:验证当前访问系统的是不是本系统的用户,并且要确认具体是哪个用户授权:经过认证后判断当前用户是否有权限进行某个操作而认证和授权也是SpringSecurity作为安全框架的核心功能。
Spring Security 超详细整合 JWT,能否拿下看你自己!
最新发布
m0_62113349的博客
07-02 365
Spring Security是一个功能强大并且高度可定制的Java安全框架,用于保护基于Spring的应用程序。JWT(JSON Web Tokens)是一种用于在网络应用环境间传递声明的一种紧凑的、URL安全的方式。将Spring SecurityJWT整合可以为应用程序提供一个安全且高效的认证机制。整合Spring SecurityJWT涉及到许多细节,上述步骤提供了一个大致的框架。确保你的开发环境中已经包含了Spring BootSpring Security的依赖。
spring security中动态更新用户的权限
qq_40127376的博客
10-27 5189
业务背景: 管理员更改其他用户权限,正好用户在登陆状态下,无法刷新管理员刚赋值的权限,只能退出登录,重新登录才能拥有新权限. 业务需求:管理员更改权限,其他用户不退出登录,可以拥有新权限,动态刷新session 感谢这位博客提供的线索 前提条件需要拥有 @Autowired SessionRegistry sessionRegistry; 如果找不到SessionRegistrybean...
spring如何实现权限实时生效,如何获取在线用户,getAllPrincipals()为空
TingSty小z的博客
10-27 1444
spring security权限修改后无法实时更新,由于使用的spring security权限控制,并且在用户登录时,将该时刻用户的权限(authority)读到用户的UserDetails(org.springframework.security.core.userdetails.UserDetails)类中,如果用户不主动重新登录,那么这个写入到session中的类无法刷新。需要获取当前spring服务的登录用户,哪些用户在登录状态,我大致思路和这个类似,也是用。
Nacos启动异常
you_get_me_there的博客
08-11 7060
可能原因一: 集群切换单机 startup -m standalone 可能原因二: derby-data文件夹内文件解析失败 解决方案: 删了derby-data文件夹重启就行 报错信息(供网友搜索): 2021-08-11 13:11:37,550 WARN Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.U
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证
08-26
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证,可根据注解的格式不同,做到角色权限控制角色加资源权限控制等,粒度比较细化。 @PreAuthorize("hasAnyRole('ADMIN','USER')"):具有admin或...
通用权限管理系统+springboot+mybatis plus+spring security+jwt+redis+mysql
05-30
后端使用SpringBoot框架进行业务逻辑开发,利用Spring Security实现权限控制。数据库采用MySQL进行数据存储,使用MyBatis进行数据访问。 权限控制模块设计包括用户、角色权限三个主要模块。用户模块用于管理用户...
基于SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端商城系统源码
05-13
yshop基于当前流行技术组合的前后端分离商城系统: SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端分离的商城系统, 包含分类、sku、运费模板、素材库、小程序直播、拼团、砍价、商户管理、 秒杀、...
SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端分离的商城系统
04-30
基于当前流行技术组合的前后端分离商城系统:SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端分离的商城系统, 包含商城、sku、运费模板、素材库、小程序直播、拼团、砍价、商户管理、 秒杀、优惠券...
SpringBoot2.7整合SpringSecurity+Jwt+Redis+MySQL+MyBatis完整项目代码
10-30
在本项目中,我们主要关注的是SpringBoot 2.7版本与多个技术的深度整合,包括Spring SecurityJWT(JSON Web Token)、Redis缓存以及MySQL数据库,并利用MyBatis作为持久层框架。以下是对这些技术及其整合应用的...
Tomcat启动问题(debug无法启动,正常可以启动)
zhang0135789的博客
11-14 4315
FATAL ERROR in native method: JDWP No transports initialized, jvmtiError=AGENT_ERROR_TRANSPORT_INIT(197) 最近遇到了这样一个问题,项目正常启动没毛病,但是用debug启动就会报上图的这个错误。查了百度,上面很多解决方案,最终找到了答案,不知道什么操作,触动了防火墙,导致防火墙把tomcat
idea中debugger启动就一直卡在这里jwtAuthenticationTokenFilter
dowhil的博客
08-02 519
idea中debugger启动就一直卡在这里jwtAuthenticationTokenFilter
spring boot 启动报错 java.lang.IllegalAccessError: javax/el/Util
qianwenzhi的博客
03-14 2525
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultValidator' defined in class path resource [org/springframework/boot/autoconfigure/validation/ValidationAu...
spring security使用jwt,在进行添加jwt过滤器时(解析jwt)的前提条件
taiguolaotu的博客
03-16 2363
今天在搞jwt的时候,出现一系列的问题。 说明问题。就是用户登录过后,会给用户生成一个token。用户以后发出请求,就需要用户携带这个token。但是用户传过来token的时候,却进不去我的jwt过滤器。这就很苦恼。但是最终还是发现了问题所在,废话不多说,直接上代码 // 基于Token不需要session http.sessionManagement().sessionCreationPolic...
jwt+token验证
qq_51127361的博客
09-19 2056
导入依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId
从零开始,手打一个权限管理系统(第五章 权限控制
ailot的专栏
11-28 358
这章主要通过SpringSecurity来实现对权限控制权限粒度是到每个方法。
SpringSecurity笔记2
蒋劲豪的博客
07-02 348
【代码】SpringSecurity笔记2。
认证过滤器
Leon_Jinhai_Sun的博客
06-05 2210
认证
SpringSecurity+JWT 角色权限
11-30
Spring Security是一个基于Spring的安全框架,它提供了一组可以在Spring应用程序中配置的安全服务。JWT(JSON Web Token)是一种用于在网络应用间传递信息的简洁的、URL安全的表述性声明规范。JWT通过在用户和服务器之间传递安全令牌来实现身份验证和授权。结合使用Spring SecurityJWT可以实现角色权限控制。 具体实现步骤如下: 1.添加Spring SecurityJWT的依赖。 2.创建一个实现UserDetailsService接口的类,用于从数据库中获取用户信息。 3.创建一个实现JwtTokenUtil接口的类,用于生成和解析JWT。 4.创建一个实现AuthenticationEntryPoint接口的类,用于处理未授权的请求。 5.创建一个实现AccessDeniedHandler接口的类,用于处理授权失败的请求。 6.创建一个继承WebSecurityConfigurerAdapter的类,用于配置Spring Security。 7.在配置类中添加一个JwtAuthenticationTokenFilter过滤器,用于验证JWT。 8.在需要进行权限控制的方法上添加@PreAuthorize注解,指定需要的角色权限。 示例代码如下: ```java // UserDetailsService实现类 @Service public class UserDetailsServiceImpl implements UserDetailsService { @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userService.getUserByUsername(username); if (user == null) { throw new UsernameNotFoundException("用户名不存在"); } return new JwtUserDetails(user); } } // JwtTokenUtil实现类 @Component public class JwtTokenUtilImpl implements JwtTokenUtil { private static final String CLAIM_KEY_USERNAME = "sub"; private static final String CLAIM_KEY_CREATED = "created"; @Value("${jwt.secret}") private String secret; @Value("${jwt.expiration}") private Long expiration; @Override public String generateToken(UserDetails userDetails) { Map<String, Object> claims = new HashMap<>(); claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername()); claims.put(CLAIM_KEY_CREATED, new Date()); return generateToken(claims); } @Override public String getUsernameFromToken(String token) { String username; try { Claims claims = getClaimsFromToken(token); username = claims.getSubject(); } catch (Exception e) { username = null; } return username; } @Override public boolean validateToken(String token, UserDetails userDetails) { JwtUserDetails user = (JwtUserDetails) userDetails; String username = getUsernameFromToken(token); return username.equals(user.getUsername()) && !isTokenExpired(token); } private Claims getClaimsFromToken(String token) { Claims claims; try { claims = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody(); } catch (Exception e) { claims = null; } return claims; } private boolean isTokenExpired(String token) { Date expirationDate = getExpirationDateFromToken(token); return expirationDate.before(new Date()); } private Date getExpirationDateFromToken(String token) { Claims claims = getClaimsFromToken(token); return claims.getExpiration(); } private String generateToken(Map<String, Object> claims) { Date expirationDate = new Date(System.currentTimeMillis() + expiration * 1000); return Jwts.builder() .setClaims(claims) .setExpiration(expirationDate) .signWith(SignatureAlgorithm.HS512, secret) .compact(); } } // AuthenticationEntryPoint实现类 @Component public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "未授权的请求"); } } // AccessDeniedHandler实现类 @Component public class JwtAccessDeniedHandler implements AccessDeniedHandler { @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException { response.sendError(HttpServletResponse.SC_FORBIDDEN, "权限不足"); } } // 配置类 @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Autowired private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; @Autowired private JwtAccessDeniedHandler jwtAccessDeniedHandler; @Autowired private JwtTokenFilter jwtTokenFilter; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService) .passwordEncoder(passwordEncoder()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .antMatchers("/login").permitAll() .anyRequest().authenticated() .and() .exceptionHandling() .authenticationEntryPoint(jwtAuthenticationEntryPoint) .accessDeniedHandler(jwtAccessDeniedHandler) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class); } } // JwtAuthenticationTokenFilter过滤器 @Component public class JwtTokenFilter extends OncePerRequestFilter { @Autowired private UserDetailsService userDetailsService; @Autowired private JwtTokenUtil jwtTokenUtil; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String authHeader = request.getHeader("Authorization"); if (authHeader != null && authHeader.startsWith("Bearer ")) { String authToken = authHeader.substring(7); String username = jwtTokenUtil.getUsernameFromToken(authToken); if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { UserDetails userDetails = userDetailsService.loadUserByUsername(username); if (jwtTokenUtil.validateToken(authToken, userDetails)) { UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); SecurityContextHolder.getContext().setAuthentication(authentication); } } } chain.doFilter(request, response); } } // 在需要进行权限控制的方法上添加@PreAuthorize注解 @PreAuthorize("hasAnyRole('ADMIN','USER')") public void someMethod() { // do something } ```
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值