SpringBoot 整合 Spring Security 、JWT 实现认证、权限控制

已于 2023-05-09 17:40:11 修改
阅读量1.4k 收藏 6
点赞数 3
分类专栏: spring security spring boot jwt 文章标签: jwt spring boot
于 2021-02-16 13:43:39 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/z1259678404/article/details/113822942
版权

此文章用到的版本

spring-boot : 2.6.8
java 1.8

引入依赖包(gradle) maven 请自行转换


dependencies {
    compile group: 'io.jsonwebtoken', name: 'jjwt', version: '0.9.1'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-web'
}

先说说原理

UsernamePasswordAuthenticationFilter 继承 AbstractAuthenticationProcessingFilter

AbstractAuthenticationProcessingFilter.doFilter() 会执行 抽象方法attemptAuthentication ()

通过观察发现 UsernamePasswordAuthenticationFilter 会拦截 POST /login 的请求

然后通过会通过Http parameter 获取 username 和 password 参数的值执行鉴权认证

	public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";

	public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";

	private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login",
			"POST");

	private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;

	private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;

	private boolean postOnly = true;

	public UsernamePasswordAuthenticationFilter() {
		super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
	}

	public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
		super(DEFAULT_ANT_PATH_REQUEST_MATCHER, authenticationManager);
	}

	@Override
	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
			throws AuthenticationException {
		if (this.postOnly && !request.getMethod().equals("POST")) {
			throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
		}
		String username = obtainUsername(request);
		username = (username != null) ? username : "";
		username = username.trim();
		String password = obtainPassword(request);
		password = (password != null) ? password : "";
		UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
		// Allow subclasses to set the "details" property
		setDetails(request, authRequest);
		return this.getAuthenticationManager().authenticate(authRequest);
	}

	@Nullable
	protected String obtainUsername(HttpServletRequest request) {
		return request.getParameter(this.usernameParameter);
	}

成功会执行 SavedRequestAwareAuthenticationSuccessHandler  重定向到指定url

public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

	protected final Log logger = LogFactory.getLog(this.getClass());

	private RequestCache requestCache = new HttpSessionRequestCache();

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws ServletException, IOException {
		SavedRequest savedRequest = this.requestCache.getRequest(request, response);
		if (savedRequest == null) {
			super.onAuthenticationSuccess(request, response, authentication);
			return;
		}
		String targetUrlParameter = getTargetUrlParameter();
		if (isAlwaysUseDefaultTargetUrl()
				|| (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
			this.requestCache.removeRequest(request, response);
			super.onAuthenticationSuccess(request, response, authentication);
			return;
		}
		clearAuthenticationAttributes(request);
		// Use the DefaultSavedRequest URL
		String targetUrl = savedRequest.getRedirectUrl();
		getRedirectStrategy().sendRedirect(request, response, targetUrl);
	}

	public void setRequestCache(RequestCache requestCache) {
		this.requestCache = requestCache;
	}

}

失败会执行  SimpleUrlAuthenticationFailureHandler

	@Override
	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException exception) throws IOException, ServletException {
		if (this.defaultFailureUrl == null) {
			if (this.logger.isTraceEnabled()) {
				this.logger.trace("Sending 401 Unauthorized error since no failure URL is set");
			}
			else {
				this.logger.debug("Sending 401 Unauthorized error");
			}
			response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
			return;
		}
		saveException(request, exception);
		if (this.forwardToDestination) {
			this.logger.debug("Forwarding to " + this.defaultFailureUrl);
			request.getRequestDispatcher(this.defaultFailureUrl).forward(request, response);
		}
		else {
			this.redirectStrategy.sendRedirect(request, response, this.defaultFailureUrl);
		}
	}

这种方式不兼容json方式提交的登录 而且不能返回token 供前端使用 所以我们需要改造此Filter

实现思路:

1.  拦截Post /login 请求

2.  获取请求中的body参数 username 以及password 

3. 返回 UsernamePasswordAuthenticationFilter 不携带权限集合

4. 重写 UserDetailsService 查询数据库

5. 重写 AuthenticationSuccessHandler 登录成功后返回jwt token令牌

6. 重写 AuthenticationFailureHandler 失败返回失败原因 例如:密码错误,账户锁定, 账户不存在

定义token常量

public class SecurityConstants
{
    public static final long EXPIRATION_TIME = 864_000_000; // 10 days
    public static final String TOKEN_PREFIX = "Bearer ";
    public static final String HEADER_STRING = "Authorization";

    private SecurityConstants()
    {
        throw new IllegalStateException("Utility class");
    }
}

实现工具类 JWTUtils 用户生成、解析token

@Component
public class JwtUtil
{

    /**
     * 签名用的密钥
     */
    private static String signKey = "nacl";


    /**
     * 用户登录成功后生成Jwt
     * 使用Hs256算法
     *
     * @param exp jwt过期时间
     * @param claims 保存在Payload(有效载荷)中的内容
     * @return token字符串
     */
    public static String createJWT(Date exp, Map<String, Object> claims)
    {
        //指定签名的时候使用的签名算法
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;

        //生成JWT的时间
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);

        //创建一个JwtBuilder,设置jwt的body
        JwtBuilder builder = Jwts.builder()
            //保存在Payload(有效载荷)中的内容
            .setClaims(claims)
            //iat: jwt的签发时间
            .setIssuedAt(now)
            //设置过期时间
            .setExpiration(exp)
            //设置签名使用的签名算法和签名使用的秘钥
            .signWith(signatureAlgorithm, signKey);

        return builder.compact();
    }

    /**
     * 解析token,获取到Payload(有效载荷)中的内容,包括验证签名,判断是否过期
     *
     * @param token
     * @return
     */
    public static Claims parseJWT(String token)
    {
        //得到DefaultJwtParser
        return Jwts.parser()
            //设置签名的秘钥
            .setSigningKey(signKey)
            //设置需要解析的token
            .parseClaimsJws(token).getBody();
    }

}

开始实现身份认证过滤器(JWTAuthenticationFilter) 继承 UsernamePasswordAuthenticationFilter  重写 attemptAuthentication 方法

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter
{


    @Override
    public Authentication attemptAuthentication(HttpServletRequest req,
                                                HttpServletResponse res)
    {
        Map<String, String> creds = new HashMap<>();
        try
        {
            creds = new ObjectMapper().readValue(req.getInputStream(), Map.class); // 获取body中的参数
        } catch (IOException e)
        {
            e.printStackTrace();
        }
        return this.getAuthenticationManager().authenticate(
            new UsernamePasswordAuthenticationToken(
                creds.get("username"),
                creds.get("password"),
                new ArrayList<>())
        );
    }
}

重写UserDetailService

返回一个测试用户 用户名:123 密码:123 角色权限: ROLE_ADMIN

@Service
public class UserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService
{

    @Override
    public UserDetails loadUserByUsername(String username)
    {
        Collection<SimpleGrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN")); // 设定权限
        return new User(
            "123", // username
            new BCryptPasswordEncoder().encode("123") , // password
            true, // enabled – set to true if the user is enabled
            true, // accountNonExpired – set to true if the account has not expired
            true, // credentialsNonExpired – set to true if the credentials have not expired
            true, // accountNonLocked – set to true if the account is not locked
            authorities // authorities – the authorities that should be granted to the caller if they presented the
        );
    }
}

重写 AuthenticationSuccessHandler 成功后将生成的 token 放入 response header

@Component
public class CustomAuthenticateSuccessHandler implements AuthenticationSuccessHandler
{

    @Override
    public void onAuthenticationSuccess(
        HttpServletRequest request,
        HttpServletResponse response,
        Authentication auth) throws IOException, ServletException
    {
        Map<String, Object> claims = new HashMap<>();
        claims.put("username", ((User) auth.getPrincipal()).getUsername());

        String token = JwtUtil.createJWT(
            new Date(System.currentTimeMillis() + SecurityConstants.EXPIRATION_TIME),
            claims
        );

        response.addHeader(SecurityConstants.HEADER_STRING, SecurityConstants.TOKEN_PREFIX + token);
    }
}

重写 AuthenticationFailureHandler 返回账户失败原因

@Component
public class CustomAuthenticateFailureHandler implements AuthenticationFailureHandler
{
    @Override
    public void onAuthenticationFailure(
        HttpServletRequest request,
        HttpServletResponse response,
        AuthenticationException failed
    ) throws IOException, ServletException
    {
        String returnData = "";
        // 账号过期
        if (failed instanceof AccountExpiredException)
        {
            returnData = "账号过期";
        }
        // 密码错误
        else if (failed instanceof BadCredentialsException)
        {
            returnData = "密码错误";
        }
        // 密码过期
        else if (failed instanceof CredentialsExpiredException)
        {
            returnData = "密码过期";
        }
        // 账号不可用
        else if (failed instanceof DisabledException)
        {
            returnData = "账号不可用";
        }
        //账号锁定
        else if (failed instanceof LockedException)
        {
            returnData = "账号锁定";
        }
        // 用户不存在
        else if (failed instanceof InternalAuthenticationServiceException)
        {
            returnData = "用户不存在";
        }
        // 其他错误
        else
        {
            returnData = "未知异常";
        }

        // 处理编码方式 防止中文乱码
        response.setContentType("text/json;charset=utf-8");
        // 将反馈塞到HttpServletResponse中返回给前台
        response.getWriter().write(returnData);
    }
}


 

改造BasicAuthenticationFilter基于JWT解析 实现权限认证

认证过滤器 BasicAuthenticationFilter

header里头有Authorization,而且value是以Basic开头的,则走BasicAuthenticationFilter,提取参数构造UsernamePasswordAuthenticationToken进行认证,成功则填充SecurityContextHolder的Authentication

而我们要做的是 header里头有Authorization,而且value是以Bearer开头的, 解析jwt token填充SecurityContextHolder的Authentication

@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		try {
			UsernamePasswordAuthenticationToken authRequest = this.authenticationConverter.convert(request);
			if (authRequest == null) {
				this.logger.trace("Did not process authentication request since failed to find "
						+ "username and password in Basic Authorization header");
				chain.doFilter(request, response);
				return;
			}
			String username = authRequest.getName();
			this.logger.trace(LogMessage.format("Found username '%s' in Basic Authorization header", username));
			if (authenticationIsRequired(username)) {
				Authentication authResult = this.authenticationManager.authenticate(authRequest);
				SecurityContextHolder.getContext().setAuthentication(authResult);
				if (this.logger.isDebugEnabled()) {
					this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));
				}
				this.rememberMeServices.loginSuccess(request, response, authResult);
				onSuccessfulAuthentication(request, response, authResult);
			}
		}
		catch (AuthenticationException ex) {
			SecurityContextHolder.clearContext();
			this.logger.debug("Failed to process authentication request", ex);
			this.rememberMeServices.loginFail(request, response);
			onUnsuccessfulAuthentication(request, response, ex);
			if (this.ignoreFailure) {
				chain.doFilter(request, response);
			}
			else {
				this.authenticationEntryPoint.commence(request, response, ex);
			}
			return;
		}

		chain.doFilter(request, response);
	}

@Override
	public UsernamePasswordAuthenticationToken convert(HttpServletRequest request) {
		String header = request.getHeader(HttpHeaders.AUTHORIZATION);
		if (header == null) {
			return null;
		}
		header = header.trim();
		if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC)) {
			return null;
		}
		if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
			throw new BadCredentialsException("Empty basic authentication token");
		}
		byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
		byte[] decoded = decode(base64Token);
		String token = new String(decoded, getCredentialsCharset(request));
		int delim = token.indexOf(":");
		if (delim == -1) {
			throw new BadCredentialsException("Invalid basic authentication token");
		}
		UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(token.substring(0, delim),
				token.substring(delim + 1));
		result.setDetails(this.authenticationDetailsSource.buildDetails(request));
		return result;
	}

开始实现 继承BasicAuthenticationFilter 并重写 doFilterInternal 方法

getAuthentication 获取 request header中的token 解析成username 并调用Userservice中的loadUserByName方法返回User鉴权信息

装入SecurityContextHolder

public class JWTAuthorizationFilter extends BasicAuthenticationFilter
{

    public JWTAuthorizationFilter(AuthenticationManager authManager)
    {
        super(authManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req,
                                    HttpServletResponse res,
                                    FilterChain chain) throws IOException, ServletException
    {
        String header = req.getHeader(SecurityConstants.HEADER_STRING);

        if (header == null || !header.startsWith(SecurityConstants.TOKEN_PREFIX))
        {
            chain.doFilter(req, res);
            return;
        }
        try
        {
            UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            chain.doFilter(req, res);
        } catch (ExpiredJwtException e)
        {
            res.getWriter().write("token expired");
        } catch (JwtException e)
        {
            res.getWriter().write("token invalid");
        }

    }

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request)
    {
        String token = request.getHeader(SecurityConstants.HEADER_STRING);
        if (token != null)
        {
            // parse the token.
            Claims claims = JwtUtil.parseJWT(token.replace(SecurityConstants.TOKEN_PREFIX, ""));

            if (claims != null)
            {
                UserDetailsService userDetailsService = new UserDetailsService();
                User u = (User) userDetailsService.loadUserByUsername((String) claims.get("username"));
                return new UsernamePasswordAuthenticationToken(u.getUsername(), u.getPassword(), u.getAuthorities());
            }
        }
        return null;
    }
}
CustomAccessDeniedHandler 非匿名下的错误拦截器
@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler
{
    @Override
    public void handle(
        HttpServletRequest request,
        HttpServletResponse response,
        AccessDeniedException accessDeniedException) throws IOException, ServletException
    {
        response.setContentType("text/json;charset=utf-8");
        response.getWriter().write("权限错误");
    }
}

CustomAuthenticationEntryPoint 匿名下的错误拦截器
@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint
{
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException
    {
        response.getWriter().write("no login");
    }
}

OK 准备大功告成, 最后设定一下Spring Security的配置

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter
{

    private final UserDetailsService userDetailsService;
    private final BCryptPasswordEncoder bCryptPasswordEncoder;
    private final CustomAccessDeniedHandler customAccessDeniedHandler;
    private final CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
    private final CustomAuthenticateSuccessHandler customAuthenticateSuccessHandler;
    private final CustomAuthenticateFailureHandler customAuthenticateFailureHandler;

    public SpringSecurityConfig(
        UserDetailsService userDetailsService,
        BCryptPasswordEncoder bCryptPasswordEncoder,
        CustomAccessDeniedHandler customAccessDeniedHandler,
        CustomAuthenticationEntryPoint customAuthenticationEntryPoint,
        CustomAuthenticateSuccessHandler customAuthenticateSuccessHandler,
        CustomAuthenticateFailureHandler customAuthenticateFailureHandler
    )
    {
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
        this.customAccessDeniedHandler = customAccessDeniedHandler;
        this.customAuthenticationEntryPoint = customAuthenticationEntryPoint;
        this.customAuthenticateFailureHandler = customAuthenticateFailureHandler;
        this.customAuthenticateSuccessHandler = customAuthenticateSuccessHandler;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception
    {
        http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable()
            .authorizeRequests().antMatchers("/sign-up").permitAll()
            .anyRequest().authenticated()
            .and()
            .exceptionHandling()
            .accessDeniedHandler(customAccessDeniedHandler)
            .authenticationEntryPoint(customAuthenticationEntryPoint)
            .and()
            .addFilter(jwtAuthenticationFilter())
            .addFilter(jwtAuthorizationFilter());
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

    @Bean
    public JWTAuthenticationFilter jwtAuthenticationFilter() throws Exception
    {
        JWTAuthenticationFilter filter = new JWTAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(customAuthenticateSuccessHandler);
        filter.setAuthenticationFailureHandler(customAuthenticateFailureHandler);
        return filter;
    }

    @Bean
    public JWTAuthorizationFilter jwtAuthorizationFilter () throws Exception
    {
        return new JWTAuthorizationFilter(authenticationManager());
    }
}

编写测试Controller

@RestController
public class TestController
{
    @PostMapping("/sign-up")
    public String signUp ()
    {
        return "1111";
    }

    @PostMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    public String admin ()
    {
        return "222";
    }

    @PostMapping("/user")
    @PreAuthorize("hasRole('USER')")
    public String user ()
    {
        return "333";
    }
}

测试 /login 登录

输入错误的账号密码

输入正确的账号密码

放行请求/sign-up 

身份鉴权认证

无token

错误token

正确token 无权限

正确token 有权限

Nacl.Zz
关注
  • 3
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Spring Boot + Spring Security + JWT 从零开始
喵喵分享师
05-29 1225
这个LDAP服务器将在内存中保存所有信息,这对于开发目的来说就够了,当我们构建一个连接到这个本地LDAP服务器的应用程序时,我们所构建的东西可以轻松地指向一个真实的LDAP服务,然后仍然可以工作相同的方式。所以我要做的是去我的POM文件,添加一些依赖项。这篇笔记中,我们将学习如何从头开始设置一个带有Spring SecuritySpring Boot应用程序,它连接到一个LDAP身份验证的Spring Security身份验证提供程序,这将是即将出现的,这个连接和工作都是开箱即用的。
SpringBoot+SpringSecurity+RBAC+JWT实现动态权限框架
weixin_43867933的博客
07-01 1632
一、创建数据库表 DROP TABLE IF EXISTS ; CREATE TABLE ( bigint(20) NOT NULL AUTO_INCREMENT, varchar(64) DEFAULT NULL, varchar(64) DEFAULT NULL, varchar(500) DEFAULT NULL COMMENT ‘头像’, varchar(100) DEFAULT NULL COMMENT ‘邮箱’, varchar(200) DEFAULT NULL COMMENT
SpringBoot整合SpringSecurity+JWT
qq_43975645的博客
07-18 689
注意:SIGNATURE是生成token的公钥,当外部token进来时需要公钥解密。
Spring Security 超详细整合 JWT,能否拿下看你自己!
08-31 6798
文章目录1.JWT 入门1.1 JWT 概念1.2 JWT 应用场景1.3 为何选择 JWT基于 Session 的传统认证基于 JWT认证1.4 JWT 的结构标头(Header)载荷(Payload)签名(Signature)1.5 RBAC (Role-Based Access Control)1.6 JWT 基本使用添加依赖生成 Token解析 Token2.Security 整合 JWT2.1 单独抽离 Security 模块添加相关依赖JWT 工具类JWT 相关配置JWT 登录授权过滤器自定
SpringBoot整合Spring Security + JWT实现用户认证
leveretz的博客
07-13 1642
SpringBoot整合Spring Security + JWT实现用户认证
Springboot——整合SpringSecurity
qq_41297145的博客
12-30 2821
认证过程主要是实现AuthenticationManager, AuthenticationManager最重要的实现类是ProviderManager, 通过ProviderManager,可以管理AuthenticationProvider, 每个AuthenticationProvider都对应一种认证方式, 当所有认证方式不支持时,调用ProviderManager的parent认证。如果想要自定义配置,如自定义登录界面、自定义验证过程,或者想要整合一些工具,如Jwt,这个时候需要在。
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证
08-26
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证,可根据注解的格式不同,做到角色权限控制,角色加资源权限控制等,粒度比较细化。 @PreAuthorize("hasAnyRole('ADMIN','USER')"):具有admin或...
Springboot整合Spring security+Oauth2+JWT搭建认证服务器,网关,微服务之间权限认证及授权
04-22
4. **整合Spring Security与OAuth2**:在Spring Boot中,我们可以使用`spring-security-oauth2-autoconfigure`库来简化OAuth2的配置。通过设置`@EnableAuthorizationServer`和`@EnableResourceServer`注解,分别启动...
springboot+springSecurity+jwt实现登录认证后令牌授权
09-12
在这个项目中,我们将探讨如何利用Spring BootSpring SecurityJWT实现登录认证后的令牌授权。 首先,让我们从Spring Boot开始。Spring Boot简化了Spring应用的初始搭建以及开发过程。通过提供默认配置,它极...
SpringBoot+SpringSecurity整合实现了登录认证权限验证)完整案例,基于IDEA项目
02-16
SpringBoot+SpringSecurity整合示例代码,实现了从数据库中获取信息进行登录认证权限认证。 本项目为idea工程,请用idea2019导入(老版应该也可以)。 本项目用户信息所需sql文件,在工程的resources文件夹下,...
SpringBoot集成Spring Security实现权限控制【完整源码+数据库】
02-16
SpringBoot集成Spring Security是现代Java应用中常见的安全框架组合,它们为开发者提供了强大的权限管理和访问控制功能。Spring Security是一个全面的、高度可配置的安全框架,它涵盖了认证、授权以及会话管理等多个...
SpringBoot:集成SpringSecurity
qq_43161404的博客
01-05 1403
前言:B站狂神说Java中SpringBoot笔记,传送门 UP很nice,课程生动形象,欢迎支持。 一、认识SpringSecurity Spring Security 是针对Spring项目的安全框架,也是Spring Boot底层安全模块默认的技术选型,他可以实现强大的Web安全控制,对于安全控制,我们仅需要引入 spring-boot-starter-security 模块,进行少量的配置,即可实现强大的安全管理! 记住几个类: WebSecurityConfigurerAdapter:自定义Se
token系列2—解析(解码)及实际应用
yzw3270978316的博客
03-31 3915
Jwt系列2-解析及应用
java JWT 解析 token
weixin_42612405的博客
12-28 846
好的,我们可以使用Java的第三方库来解析JWT token。 首先,需要在项目中引入相应的依赖。例如,我们可以使用JJWT来解析JWT token。在你的项目的build.gradle文件中添加以下依赖: compile 'io.jsonwebtoken:jjwt:0.9.1' 然后,你可以使用Jwts.parser()静态方法来创建一个JWT解析器。接下来,你可以使用解析器的parseClai...
SpringBoot整合SpringSecurity权限控制(动态拦截url+单点登录)
jiaoqi6132的博客
04-04 2355
Slf4j@Component@Resource@Override//获取身份验证详细信息//用于校验mac地址白名单(这里只是打个比方,登录验证中增加的额外字段)//表单输入的用户名//表单输入的密码//校验用户名密码if (!matches) {!");@Override@Component@Resource@Override//任意登录用户名!");//从数据库获取密码//用户拥有的角色// }
Spring Security 之 AbstractAuthenticationProcessingFilter 源码解析
weixin_38982591的博客
05-27 5569
SpringSecuritySpring Web项目提供支持,AbstractAuthenticationProcessingFilte 作为验证请求入口的。 AbstractAuthenticationProcessingFilter 继承自 GenericFilterBean,而 GenericFilterBean 是 spring 框架中的过滤器类,实现了接口 javax.servlet.Filter。 public abstract class AbstractAuthentication.
springboot中自定义过滤器
clonetx的博客
01-04 1022
过滤器是Servlet的规范,是基于函数回调的,需要实现javax.servlet.Filter接口,依赖于Tomcat等容器,一般用于过滤请求的URL。 1自定义过滤器 自定义filter的实现,本质上只有一种方式,就是实现Filter接口。但是在spring中我们有时候也会通过继承框架提供的XXXFilter,例如OncePerRequestFilter、 AbstractAuthenticationProcessingFilter(Spring Security使用...
JWT简单介绍与使用
weixin_51980047的博客
07-27 2195
JWT简单介绍与使用
springboot整合springsecurity + jwt
最新发布
10-13
实现Spring Boot整合Spring SecurityJWT,需要进行以下步骤: 1. 添加Spring SecurityJWT的依赖 2. 创建一个实现UserDetailsService接口的类,用于从数据库或其他数据源中获取用户信息 3. 创建一个...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值