如何在 Spring Security 中实现基于 JWT 的身份验证和授权

Posted

技术标签:

【中文标题】如何在 Spring Security 中实现基于 JWT 的身份验证和授权【英文标题】:How to implement JWT based authentication and authorization in Spring Security 【发布时间】:2018-08-25 19:30:37 【问题描述】:

如何在 Spring Security 中实现基于 JWT 的认证和授权

我正在尝试在我的 Spring Boot 应用程序中实现基于 jwt 的身份验证和授权。我遵循了编写here 的教程。但它在我的应用程序中没有做任何事情。它不返回 jwt 令牌,而是我通过了身份验证并且我的请求得到了满足。我是春季安全的新手。这是我的代码。

我希望我的应用返回 jwt 令牌并使用该令牌请求必须获得授权。

这是我的代码。

JWTAuthenticationFilter.java

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter 

    private AuthenticationManager authenticationManager;

    @Autowired
    CustomUserDetailsService userService;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) 
    this.authenticationManager = authenticationManager;
    

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException 

    try 

        CustomUserDetails user = new ObjectMapper().readValue(request.getInputStream(), CustomUserDetails.class);

        return authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), new ArrayList<>()));
     catch (Exception e) 
    

    return super.attemptAuthentication(request, response);
    

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
        Authentication auth) 

    String loggedInUser = ((CustomUserDetails) auth.getPrincipal()).getUsername();

    Claims claims = Jwts.claims().setSubject(loggedInUser);

    if (loggedInUser != null) 
        CustomUserDetails user = (CustomUserDetails) userService.loadUserByUsername(loggedInUser);
        String roles[] = ;

        for (Role role : user.getUser().getUserRoles()) 
        roles[roles.length + 1] = role.getRole();
        
        claims.put("roles", roles);

        claims.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME));

    

    String token = Jwts.builder().setClaims(claims)
        .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
        .signWith(SignatureAlgorithm.HS512, SECRET.getBytes()).compact();
    response.addHeader(HEADER_STRING, TOKEN_PREFIX + token);

    


JWTAuthorizationFilter.java

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

public class JWTAuthorizationFilter extends BasicAuthenticationFilter 

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) 
    super(authenticationManager);

    

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException 

    String header = request.getHeader(HEADER_STRING);
    if (header == null || !header.startsWith(TOKEN_PREFIX)) 
        chain.doFilter(request, response);
        return;
    

    UsernamePasswordAuthenticationToken authentication = getToken(request);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    chain.doFilter(request, response);

    

    @SuppressWarnings("unchecked")
    private UsernamePasswordAuthenticationToken getToken(HttpServletRequest request) 

    String token = request.getHeader(HEADER_STRING);

    System.out.println("-----------------------------------------------------");
    System.out.println("Token: " + token);
    System.out.println("-----------------------------------------------------");

    if (token != null) 

        Claims claims = Jwts.parser().setSigningKey(SECRET.getBytes())
            .parseClaimsJws(token.replace(TOKEN_PREFIX, "")).getBody();
        String user = claims.getSubject();

        ArrayList<String> roles = (ArrayList<String>) claims.get("roles");

        ArrayList<MyGrantedAuthority> rolesList = new ArrayList<>();

        if (roles != null) 
        for (String role : roles) 
            rolesList.add(new MyGrantedAuthority(role));
        
        
        if (user != null) 
        return new UsernamePasswordAuthenticationToken(user, null, null);
        
        return null;
    
    return null;
    


SecurityConfig.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter 

    @Qualifier("userDetailsService")
    @Autowired
    CustomUserDetailsService userDetailsService;

    @Autowired
    PasswordEncoder passwordEncoder;

    @Autowired
    AuthenticationManager authenticationManager;

    @Autowired
    JWTAuthenticationEntryPoint jwtAuthenticationEntryPoint;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) 
    try 
        auth.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder);

     catch (Exception e) 

    

    

    /*
     * @Autowired public void configureGlobal(AuthenticationManagerBuilder auth)
     * throws Exception 
     * auth.inMemoryAuthentication().withUser("student").password("student").roles(
     * "student").and().withUser("admin") .password("admin").roles("admin"); 
     */

    @Override
    protected void configure(HttpSecurity http) throws Exception 

    http.csrf().disable();
    // http.authorizeRequests().anyRequest().permitAll();

    // http.authorizeRequests().antMatchers("/api/**").permitAll();

    http.addFilter(new JWTAuthenticationFilter(authenticationManager));
    http.addFilter(new JWTAuthorizationFilter(authenticationManager));

    http.authorizeRequests().antMatchers("/api/student/**").hasAnyRole("STUDENT", "ADMIN");
    http.authorizeRequests().antMatchers("/api/admin/**").hasRole("ADMIN");
    http.authorizeRequests().antMatchers("/api/libararian/**").hasAnyRole("LIBRARIAN", "ADMIN");
    http.authorizeRequests().antMatchers("/api/staff/**").hasAnyRole("STAFF", "ADMIN");
    http.authorizeRequests().antMatchers("/api/teacher/**").hasAnyRole("TEACHER", "ADMIN");
    http.authorizeRequests().antMatchers("/api/parent/**").hasAnyRole("PARENT", "ADMIN");
    http.httpBasic().authenticationEntryPoint(jwtAuthenticationEntryPoint);

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // http.formLogin().and().logout().logoutSuccessUrl("/login?logout").permitAll();

    


MyGrantedAuthority.java

    public class MyGrantedAuthority implements GrantedAuthority 

        String authority;

        MyGrantedAuthority(String authority) 
        this.authority = authority;
        

        @Override
        public String getAuthority() 
        // TODO Auto-generated method stub
        return authority;
        

    

JWTAuthenticationEntryPoint.java

@Component
public class JWTAuthenticationEntryPoint implements AuthenticationEntryPoint 

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
        throws IOException, ServletException 
    response.setStatus(403);
    response.setContentType(MediaType.APPLICATION_JSON_VALUE);

    String message;
    if (exception.getCause() != null) 
        message = exception.getCause().getMessage();
     else 
        message = exception.getMessage();
    
    byte[] body = new ObjectMapper().writeValueAsBytes(Collections.singletonMap("error", message));
    response.getOutputStream().write(body);
    


【问题讨论】:

当您尝试使用用户名和密码发布“/登录”路径时,响应是什么? 我遵循了这个教程,这让我的工作变得轻松。knowledgefactory.net/2020/12/… 【参考方案1】:

我还在我的项目中使用 jwt 身份验证,我可以看到您缺少应该在项目中使用的入口点。我会告诉你我是如何实现它的,看看它是否可以帮助你=)。 您需要实现一个 authenticationEntryPoint 以告诉代码如何完成身份验证。它可以添加在过滤器之后,在 http.authorizerequest 上,使用以下命令:

    .authenticationEntryPoint(jwtAuthEndPoint);

其中 jwtAuthEndPoint 是以下组件:

  @Component
  public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint 
  @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
        AuthenticationException e) throws IOException, ServletException 
    httpServletResponse.setStatus(SC_FORBIDDEN);
    httpServletResponse.setContentType(MediaType.APPLICATION_JSON_VALUE);

    String message;
    if (e.getCause() != null) 
        message = e.getCause().getMessage();
     else 
        message = e.getMessage();
    
    byte[] body = new ObjectMapper().writeValueAsBytes(Collections.singletonMap("error", message));
    httpServletResponse.getOutputStream().write(body);
    

我还建议您看一下本教程,在这种情况下对我有很大帮助:https://sdqali.in/blog/2016/07/07/jwt-authentication-with-spring-web---part-4/

【讨论】:

我添加了上面的类。我还是被困住了。我真的没有从教程中理解这个概念。你能让我的代码工作吗?我对 Spring Security 及其机制知之甚少。请看我更新的代码。有什么我错过的吗? 谢谢,这个回信可以派上用场:)【参考方案2】:

我明白了。 我遵循了另一个教程,这使我的工作变得轻松。 这是完整的重写工作代码

TokenProvider.java

package com.cloudsofts.cloudschool.security;

import static com.cloudsofts.cloudschool.security.SecurityConstants.EXPIRATION_TIME;
import static com.cloudsofts.cloudschool.security.SecurityConstants.SECRET;

import java.util.ArrayList;
import java.util.Date;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import com.cloudsofts.cloudschool.people.users.pojos.CustomUserDetails;
import com.cloudsofts.cloudschool.people.users.pojos.Role;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

@Component
public class TokenProvider 

    @Autowired
    CustomUserDetailsService userService;

    public String createToken(String username) 

    CustomUserDetails user = (CustomUserDetails) userService.loadUserByUsername(username);

    Claims claims = Jwts.claims().setSubject(username);

    ArrayList<String> rolesList = new ArrayList<String>();

    for (Role role : user.getUser().getUserRoles()) 
        rolesList.add(role.getRole());

    

    claims.put("roles", rolesList);

    String token = Jwts.builder().setClaims(claims)
        .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).setIssuedAt(new Date())
        .signWith(SignatureAlgorithm.HS512, SECRET).compact();

    return token;
    

    public Authentication getAuthentication(String token) 
    String username = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody().getSubject();
    UserDetails userDetails = this.userService.loadUserByUsername(username);

    return new UsernamePasswordAuthenticationToken(userDetails, "", userDetails.getAuthorities());
    

JWTFilter.java

package com.cloudsofts.cloudschool.security;

import static com.cloudsofts.cloudschool.security.SecurityConstants.HEADER_STRING;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;

import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;

public class JWTFilter extends GenericFilterBean 

    public final static String AUTHORIZATION_HEADER = "Authorization";

    private final TokenProvider tokenProvider;

    public JWTFilter(TokenProvider tokenProvider) 
    this.tokenProvider = tokenProvider;
    

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
        throws IOException, ServletException 
    try 
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String jwt = resolveToken(httpRequest);
        if (jwt != null) 
        Authentication authentication = this.tokenProvider.getAuthentication(jwt);
        if (authentication != null) 
            SecurityContextHolder.getContext().setAuthentication(authentication);
        
        

        chain.doFilter(servletRequest, servletResponse);
     catch (ExpiredJwtException | UnsupportedJwtException | MalformedJwtException | SignatureException
        | UsernameNotFoundException e) 
        // Application.logger.info("Security exception ", e.getMessage());
        ((HttpServletResponse) servletResponse).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    
    

    private String resolveToken(HttpServletRequest request) 
    String bearerToken = request.getHeader(HEADER_STRING);
    if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) 
        return bearerToken.substring(7, bearerToken.length());
    
    return null;
    


JWTConfigurer.java

import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class JWTConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> 

    private final TokenProvider tokenProvider;

    public JWTConfigurer(TokenProvider tokenProvider) 
    this.tokenProvider = tokenProvider;
    

    @Override
    public void configure(HttpSecurity http) throws Exception 

    JWTFilter customFilter = new JWTFilter(tokenProvider);
    http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
    


SecurityConfig.java

import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import com.cloudsofts.cloudschool.people.users.pojos.User;

@RestController
public class LoginController 

    private AuthenticationManager authenticationManager;

    private TokenProvider tokenProvider;

    private CustomUserDetailsService userService;

    LoginController(AuthenticationManager auth, CustomUserDetailsService service, TokenProvider tokenProvider) 
    this.authenticationManager = auth;
    this.userService = service;
    this.tokenProvider = tokenProvider;
    

    @PostMapping("/login")
    public String getToken(@RequestBody User user, HttpServletResponse response) 

    UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(user.getUsername(),
        user.getPassword());

    authenticationManager.authenticate(authToken);
    return tokenProvider.createToken(user.getUsername());

    

LoginController.java

import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import com.cloudsofts.cloudschool.people.users.pojos.User;

@RestController
public class LoginController 

    private AuthenticationManager authenticationManager;

    private TokenProvider tokenProvider;

    private CustomUserDetailsService userService;

    LoginController(AuthenticationManager auth, CustomUserDetailsService service, TokenProvider tokenProvider) 
    this.authenticationManager = auth;
    this.userService = service;
    this.tokenProvider = tokenProvider;
    

    @PostMapping("/login")
    public String getToken(@RequestBody User user, HttpServletResponse response) 

    UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(user.getUsername(),
        user.getPassword());

    authenticationManager.authenticate(authToken);
    return tokenProvider.createToken(user.getUsername());

    

Link to the Github project that helped me.

【讨论】:

以上是关于如何在 Spring Security 中实现基于 JWT 的身份验证和授权的主要内容,如果未能解决你的问题,请参考以下文章

在 Spring Security 中实现分层角色

在 Spring Security 2.06 中实现自定义 AuthenticationProvider

如何在 Spring Boot 中实现基于角色权限的系统

Spring Security 基于角色的授权问题

如何在基于 Keycloak/Spring 的应用程序中实现单点注销?

Spring Security 使用基于xml的http认证