1 簡介

Spring Security作為成熟且強(qiáng)大的安全框架，得到許多大廠的青睞。而作為前后端分離的SSO方案，JWT也在許多項(xiàng)目中應(yīng)用。本文將介紹如何通過Spring Security實(shí)現(xiàn)JWT認(rèn)證。

用戶與服務(wù)器交互大概如下：

客戶端獲取JWT，一般通過POST方法把用戶名/密碼傳給server； 服務(wù)端接收到客戶端的請求后，會檢驗(yàn)用戶名/密碼是否正確，如果正確則生成JWT并返回；不正確則返回錯誤； 客戶端拿到JWT后，在有效期內(nèi)都可以通過JWT來訪問資源了，一般把JWT放在請求頭；一次獲取，多次使用； 服務(wù)端校驗(yàn)JWT是否合法，合法則允許客戶端正常訪問，不合法則返回401。 2 項(xiàng)目整合

我們把要整合的Spring Security和JWT加入到項(xiàng)目的依賴中去：

<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId></dependency><dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version></dependency>2.1 JWT整合2.1.1 JWT工具類

JWT工具類起碼要具有以下功能：

根據(jù)用戶信息生成JWT； 校驗(yàn)JWT是否合法，如是否被篡改、是否過期等； 從JWT中解析用戶信息，如用戶名、權(quán)限等；

具體代碼如下：

@Componentpublic class JwtTokenProvider { @Autowired JwtProperties jwtProperties; @Autowired private CustomUserDetailsService userDetailsService; private String secretKey; @PostConstruct protected void init() { secretKey = Base64.getEncoder().encodeToString(jwtProperties.getSecretKey().getBytes()); } public String createToken(String username, List<String> roles) { Claims claims = Jwts.claims().setSubject(username); claims.put('roles', roles); Date now = new Date(); Date validity = new Date(now.getTime() + jwtProperties.getValidityInMs()); return Jwts.builder()// .setClaims(claims)// .setIssuedAt(now)// .setExpiration(validity)// .signWith(SignatureAlgorithm.HS256, secretKey)// .compact(); } public Authentication getAuthentication(String token) { UserDetails userDetails = this.userDetailsService.loadUserByUsername(getUsername(token)); return new UsernamePasswordAuthenticationToken(userDetails, '', userDetails.getAuthorities()); } public String getUsername(String token) { return Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token).getBody().getSubject(); } public String resolveToken(HttpServletRequest req) { String bearerToken = req.getHeader('Authorization'); if (bearerToken != null && bearerToken.startsWith('Bearer ')) { return bearerToken.substring(7); } return null; } public boolean validateToken(String token) { try { Jws<Claims> claims = Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token); if (claims.getBody().getExpiration().before(new Date())) { return false; } return true; } catch (JwtException | IllegalArgumentException e) { throw new InvalidJwtAuthenticationException('Expired or invalid JWT token'); } }}

工具類還實(shí)現(xiàn)了另一個功能：從HTTP請求頭中獲取JWT。

2.1.2 Token處理的Filter

Filter是Security處理的關(guān)鍵，基本上都是通過Filter來攔截請求的。首先從請求頭取出JWT，然后校驗(yàn)JWT是否合法，如果合法則取出Authentication保存在SecurityContextHolder里。如果不合法，則做異常處理。

public class JwtTokenAuthenticationFilter extends GenericFilterBean { private JwtTokenProvider jwtTokenProvider; public JwtTokenAuthenticationFilter(JwtTokenProvider jwtTokenProvider) { this.jwtTokenProvider = jwtTokenProvider; } @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; try { String token = jwtTokenProvider.resolveToken(request); if (token != null && jwtTokenProvider.validateToken(token)) { Authentication auth = jwtTokenProvider.getAuthentication(token); if (auth != null) { SecurityContextHolder.getContext().setAuthentication(auth); } } } catch (InvalidJwtAuthenticationException e) { response.setStatus(HttpStatus.UNAUTHORIZED.value()); response.getWriter().write('Invalid token'); response.getWriter().flush(); return; } filterChain.doFilter(req, res); }}

對于異常處理，使用@ControllerAdvice是不行的，應(yīng)該這個是Filter，在這里拋的異常還沒有到DispatcherServlet，無法處理。所以Filter要自己做異常處理：

catch (InvalidJwtAuthenticationException e) { response.setStatus(HttpStatus.UNAUTHORIZED.value()); response.getWriter().write('Invalid token'); response.getWriter().flush(); return;}

最后的return不能省略，因?yàn)橐呀?jīng)要把輸出的內(nèi)容給Response了，沒有必要再往后傳遞，否則報錯

java.lang.IllegalStateException: getWriter() has already been called2.1.3 JWT屬性

JWT需要配置一個密鑰來加密，同時還要配置JWT令牌的有效期。

@Configuration@ConfigurationProperties(prefix = 'pkslow.jwt')public class JwtProperties { private String secretKey = 'pkslow.key'; private long validityInMs = 3600_000;//getter and setter}2.2 Spring Security整合

Spring Security的整個框架還是比較復(fù)雜的，簡化后大概如下圖所示：

它是通過一連串的Filter來進(jìn)行安全管理。細(xì)節(jié)這里先不展開講。

2.2.1 WebSecurityConfigurerAdapter配置

這個配置也可以理解為是FilterChain的配置，可以不用理解，代碼很好懂它做了什么：

@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired JwtTokenProvider jwtTokenProvider; @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public PasswordEncoder passwordEncoder() { return NoOpPasswordEncoder.getInstance(); } @Override protected void configure(HttpSecurity http) throws Exception { http .httpBasic().disable() .csrf().disable() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers('/auth/login').permitAll() .antMatchers(HttpMethod.GET, '/admin').hasRole('ADMIN') .antMatchers(HttpMethod.GET, '/user').hasRole('USER') .anyRequest().authenticated() .and() .apply(new JwtSecurityConfigurer(jwtTokenProvider)); }}

這里通過HttpSecurity配置了哪些請求需要什么權(quán)限才可以訪問。

/auth/login用于登陸獲取JWT，所以都能訪問； /admin只有ADMIN用戶才可以訪問； /user只有USER用戶才可以訪問。

而之前實(shí)現(xiàn)的Filter則在下面配置使用：

public class JwtSecurityConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> { private JwtTokenProvider jwtTokenProvider; public JwtSecurityConfigurer(JwtTokenProvider jwtTokenProvider) { this.jwtTokenProvider = jwtTokenProvider; } @Override public void configure(HttpSecurity http) throws Exception { JwtTokenAuthenticationFilter customFilter = new JwtTokenAuthenticationFilter(jwtTokenProvider); http.exceptionHandling() .authenticationEntryPoint(new JwtAuthenticationEntryPoint()) .and() .addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class); }}2.2.2 用戶從哪來

通常在Spring Security的世界里，都是通過實(shí)現(xiàn)UserDetailsService來獲取UserDetails的。

@Componentpublic class CustomUserDetailsService implements UserDetailsService { private UserRepository users; public CustomUserDetailsService(UserRepository users) { this.users = users; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return this.users.findByUsername(username) .orElseThrow(() -> new UsernameNotFoundException('Username: ' + username + ' not found')); }}

對于UserRepository，可以從數(shù)據(jù)庫中讀取，或者其它用戶管理中心。為了方便，我使用Map放了兩個用戶：

@Repositorypublic class UserRepository { private static final Map<String, User> allUsers = new HashMap<>(); @Autowired private PasswordEncoder passwordEncoder; @PostConstruct protected void init() { allUsers.put('pkslow', new User('pkslow', passwordEncoder.encode('123456'), Collections.singletonList('ROLE_ADMIN'))); allUsers.put('user', new User('user', passwordEncoder.encode('123456'), Collections.singletonList('ROLE_USER'))); } public Optional<User> findByUsername(String username) { return Optional.ofNullable(allUsers.get(username)); }}3 測試

完成代碼編寫后，我們來測試一下：

（1）無JWT訪問，失敗

curl http://localhost:8080/admin{'timestamp':'2021-02-06T05:45:06.385+0000','status':403,'error':'Forbidden','message':'Access Denied','path':'/admin'}$ curl http://localhost:8080/user{'timestamp':'2021-02-06T05:45:16.438+0000','status':403,'error':'Forbidden','message':'Access Denied','path':'/user'}

（2）admin獲取JWT，密碼錯誤則失敗，密碼正確則成功

$ curl http://localhost:8080/auth/login -X POST -d ’{'username':'pkslow','password':'xxxxxx'}’ -H ’Content-Type: application/json’{'timestamp':'2021-02-06T05:47:16.254+0000','status':403,'error':'Forbidden','message':'Access Denied','path':'/auth/login'}$ curl http://localhost:8080/auth/login -X POST -d ’{'username':'pkslow','password':'123456'}’ -H ’Content-Type: application/json’eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwa3Nsb3ciLCJyb2xlcyI6WyJST0xFX0FETUlOIl0sImlhdCI6MTYxMjU5MDYxNCwiZXhwIjoxNjEyNTkxMjE0fQ.d4Gi50aaOsHHqpM0d8Mh1960otnZf7rlE3x6xSfakVo

（3）admin帶JWT訪問/admin，成功；訪問/user失敗

$ curl http://localhost:8080/admin -H ’Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwa3Nsb3ciLCJyb2xlcyI6WyJST0xFX0FETUlOIl0sImlhdCI6MTYxMjU5MDYxNCwiZXhwIjoxNjEyNTkxMjE0fQ.d4Gi50aaOsHHqpM0d8Mh1960otnZf7rlE3x6xSfakVo’you are admin$ curl http://localhost:8080/user -H ’Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwa3Nsb3ciLCJyb2xlcyI6WyJST0xFX0FETUlOIl0sImlhdCI6MTYxMjU5MDYxNCwiZXhwIjoxNjEyNTkxMjE0fQ.d4Gi50aaOsHHqpM0d8Mh1960otnZf7rlE3x6xSfakVo’{'timestamp':'2021-02-06T05:51:23.099+0000','status':403,'error':'Forbidden','message':'Forbidden','path':'/user'}

（4）使用過期的JWT訪問，失敗

$ curl http://localhost:8080/admin -H ’Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwa3Nsb3ciLCJyb2xlcyI6WyJST0xFX0FETUlOIl0sImlhdCI6MTYxMjU5MDQ0OSwiZXhwIjoxNjEyNTkwNTA5fQ.CSaubE4iJcYATbLmbb59aNFU1jNCwDFHUV3zIakPU64’Invalid token4 總結(jié)

代碼請查看：https://github.com/LarryDpk/pkslow-samples

以上就是Springboot集成Spring Security實(shí)現(xiàn)JWT認(rèn)證的步驟詳解的詳細(xì)內(nèi)容，更多關(guān)于Springboot集成Spring Security的資料請關(guān)注好吧啦網(wǎng)其它相關(guān)文章！