jwt
jwt(jSON Web Token)相关知识自行百度
什么是 JWT – JSON WEB TOKEN
jwt官网
spring secruity实现jwt步骤
- 导入jwt实现框架
- 重写UsernamePasswordFilter
- 重写BasicAuthFilter
导入jwt实现框架
首先打开jwt官网
https://jwt.io/
点击Libary或者向下滚动,找到实现的第三方框架
选择一个框架使用即可
我选择的是:
https://github.com/jwtk/jjwt
根据官网提示,引入第三方框架
maven
gradle
编写测试类测试是否引入成功
成功生成token,说明框架引入成功!
重写UsernamePasswordFilter
public class JwtAuthenticateFilter extends UsernamePasswordAuthenticationFilter {
private static final String strKey = "JABC-wdPO129854HAdsaLIY087FAwef235=";
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
Authentication authentication;
try(InputStream inputStream = request.getInputStream()) {
ObjectMapper mapper = new ObjectMapper();
Map<String,String> map = mapper.readValue(inputStream, Map.class);
String username = map.get("username");
String password = map.get("password");
authentication = this.getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(username,password));
}catch (IOException e) {
e.printStackTrace();
authentication = this.getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken("",""));
}finally {
}
return authentication;
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
User user = (User) authResult.getPrincipal();
List<String> roles = user.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
Key key = Keys.hmacShaKeyFor(strKey.getBytes());
String token = Jwts.builder()
.setHeaderParam("TYP","JWT")
.setSubject(user.getUsername())
.setIssuer("www.boycharse.top")
.claim("role",roles)
.signWith(key)
.compact();
response.setHeader("Authorization","Bearer " + token);
}
}
首先,spring secruity在进行登录时,登录的数据会通过UsernamePasswordAuthenticationFilter,默认是表单登录,因为我们要通过json登录,所以我们在这里重写了它的attempAuthentication方法,在里面获取登录的账号密码,然后将账号密码交给AuthenticationManager的authenticate方法完成后续的认证。
认证成功后,我们要返回token,所以我们重写了successfulAuthentication
然后我们把UsernamePasswordFilter配置到spring secruity里(先忽略我注释掉的那部分代码)
@Configuration
public class WebSecruityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/guest").permitAll()
.anyRequest()
.authenticated();
http.addFilterAt(jwtAuthenticateFilter(), UsernamePasswordAuthenticationFilter.class);
// http.addFilterAt(new JwtAuthorizationFilter(authenticationManager()), BasicAuthenticationFilter.class);
}
@Bean
public JwtAuthenticateFilter jwtAuthenticateFilter() throws Exception{
JwtAuthenticateFilter filter = new JwtAuthenticateFilter();
filter.setAuthenticationManager(authenticationManager());
filter.setFilterProcessesUrl("/api/token");
return filter;
}
}
在application.properties里面我配置了一个用户
spring.security.user.name=user
spring.security.user.password=123456
spring.security.user.roles=admin
我们测试一下
这里成功的将token带回来了,我们携带这个token访问一下其他接口试试。
guest接口可以访问,因为guest所有人都可以访问
admin却403表示没有权限?但我们登陆的账号是有权限的才对!
我们需要重写BasicAuthFilter
重写BasiceAuthFilter
public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
private static final String strKey = "JABC-wdPO129854HAdsaLIY087FAwef235=";
public JwtAuthorizationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(request);
if (authenticationToken == null) {
chain.doFilter(request,response);
return;
}
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request,response);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String token = request.getHeader("Authorization");
if (!StringUtils.isEmpty(token) && token.startsWith("Bearer ")) {
try {
Jws<Claims> parseToken = Jwts.parserBuilder()
.setSigningKey(strKey.getBytes())
.build()
.parseClaimsJws(token.replace("Bearer ",""));
String username = parseToken.getBody().getSubject();
// 获得username对应的权限,这里写死,默认username对应的权限是admin
GrantedAuthority authoritie = new SimpleGrantedAuthority("admin");
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(authoritie);
if (!StringUtils.isEmpty(username)) {
return new UsernamePasswordAuthenticationToken(username,null,authorities);
}
}catch (Exception e) {
e.printStackTrace();
}
}
return null;
}
}
这里我们获取头部的token,拿到token的username并解析对应的权限,然后配置到AuthenticationToken中。
WebSecruityConfig配置如下:
public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
private static final String strKey = "JABC-wdPO129854HAdsaLIY087FAwef235=";
public JwtAuthorizationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
UsernamePasswordAuthenticationToken authenticationToken = getAuthentication(request);
if (authenticationToken == null) {
chain.doFilter(request,response);
return;
}
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request,response);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String token = request.getHeader("Authorization");
if (!StringUtils.isEmpty(token) && token.startsWith("Bearer ")) {
try {
Jws<Claims> parseToken = Jwts.parserBuilder()
.setSigningKey(strKey.getBytes())
.build()
.parseClaimsJws(token.replace("Bearer ",""));
String username = parseToken.getBody().getSubject();
// 获得username对应的权限,这里写死,默认username对应的权限是admin
GrantedAuthority authoritie = new SimpleGrantedAuthority("admin");
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(authoritie);
if (!StringUtils.isEmpty(username)) {
return new UsernamePasswordAuthenticationToken(username,null,authorities);
}
}catch (Exception e) {
e.printStackTrace();
}
}
return null;
}
}
我们再测试一次:
首先通过token接口获取token
然后测试admin
大功告成!