在 Rest API 中传递 JWT 令牌
Posted
技术标签:
【中文标题】在 Rest API 中传递 JWT 令牌【英文标题】:JWT Token Passing in Rest APIs 【发布时间】:2019-07-25 10:07:35 【问题描述】:我正在尝试实现基于 JWT 令牌的 Authentication 和 Authorization。我使用 Spring Boot 作为后端,使用 Angular 7 作为前端,我的工作是完成后端工作。 Bearer Token在Authentication中成功生成。我已经将它添加到 Header 中,但是当我尝试使用 request.getHeader(HEADER_STRING) 获取 Header 时,它是null。
那么如何使用这个生成的 Token 来进一步识别登录用户,或者在生成令牌后识别用户是前端工作?
我在 Spring Security 中使用了自定义登录页面,当我向 http://localhost:8080/login 发出请求时,它包含两个登录表单而不是一个。
控制台
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
attemptAuthentication email: rp@gmail.com abcd@A123
2019-03-04 11:33:34.320 INFO 11652 --- [nio-8080-exec-5] o.h.h.i.QueryTranslatorFactoryInitiator : HHH000397: Using ASTQueryTranslatorFactory
Hibernate: select user0_.id as id1_1_, user0_.branch as branch2_1_, user0_.contact as contact3_1_, user0_.createtime as createti4_1_, user0_.designation as designat5_1_, user0_.email as email6_1_, user0_.expreiance as expreian7_1_, user0_.name as name8_1_, user0_.password as password9_1_, user0_.role as role10_1_, user0_.skypeid as skypeid11_1_, user0_.statusenable as statuse12_1_ from user user0_ where user0_.email=?
loadUserByUsername User [user.toString] Role: ROLE_ADMIN
successfulAuthentication username rp@gmail.com
successfulAuthentication bearer Token Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJycEBjeWduZXRpbmZvdGVjaC5jb20iLCJleHAiOjE1NTE3NjU4MTR9.9mLS64W6JBS1RqlEKl1Zmjb8YS03E9k92ITkaFmw35JH4ELIua8Tbkzj0r9crDgdQnxm3YvFKAD9lY3cgoQsNw
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
doFilterInternal header null response.getHeader(HEADER_STRING) null
getAuthenticationToken token: null
doFilterInternal authenticationToken : null null
JWTAuthenticationFilter.java
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager)
this.authenticationManager = authenticationManager;
@Autowired
CustomUserDetailService customUserDetailService;
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException
try
System.out.println("attemptAuthentication "+" email: "+request.getParameter("email") + " "+request.getParameter("password"));
//User user = new ObjectMapper().readValue(request.getInputStream(), User.class);
return this.authenticationManager
.authenticate(new UsernamePasswordAuthenticationToken(request.getParameter("email"), request.getParameter("password")));
catch (Exception e)
throw new RuntimeException(e);
@Override
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain,
Authentication authResult) throws IOException, ServletException
String username = ((org.springframework.security.core.userdetails.User) authResult.getPrincipal()).getUsername();
System.out.println("successfulAuthentication "+" username "+username);
String token = Jwts
.builder()
.setSubject(username)
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
String bearerToken = TOKEN_PREFIX + token;
System.out.println("successfulAuthentication bearer Token "+bearerToken);
response.getWriter().write(bearerToken);
response.addHeader(HEADER_STRING, bearerToken);
response.sendRedirect(SIGN_UP_SUCCESS);
JWTAuthorizationFilter.java
public class JWTAuthorizationFilter extends BasicAuthenticationFilter
private final CustomUserDetailService customUserDetailService;
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, CustomUserDetailService customUserDetailService)
super(authenticationManager);
this.customUserDetailService = customUserDetailService;
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws IOException, ServletException
String header = request.getHeader(HEADER_STRING);
System.out.println("doFilterInternal header "+header+ " response.getHeader(HEADER_STRING) "+response.getHeader(HEADER_STRING));
if (header == null || !header.startsWith(TOKEN_PREFIX))
chain.doFilter(request, response);
UsernamePasswordAuthenticationToken authenticationToken = getAuthenticationToken(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
response.addHeader(header, SIGN_UP_URL);
System.out.println("doFilterInternal authenticationToken : "+authenticationToken+ " "+response.getHeader(SIGN_UP_URL));
chain.doFilter(request, response);
private UsernamePasswordAuthenticationToken getAuthenticationToken(HttpServletRequest request)
String token = request.getHeader(HEADER_STRING);
System.out.println("getAuthenticationToken token: "+token);
if (token == null) return null;
String username = Jwts.parser().setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
UserDetails userDetails = customUserDetailService.loadUserByUsername(username);
System.out.println("getAuthenticationToken userDetails "+userDetails.toString()+ " userDetails.getAuthorities() "+userDetails.getAuthorities());
return username != null ?
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()) : null;
CustomUserDetailService.java
@Component
public class CustomUserDetailService implements UserDetailsService
private final UserRepository userRepository;
@Autowired
public CustomUserDetailService(UserRepository userRepository)
this.userRepository = userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
User user = userRepository.findByEmail(username);
if(user==null)
new UsernameNotFoundException("User not found");
return null;
else
System.out.println("loadUserByUsername "+user.toString()+" Role: "+user.getRole());
List<GrantedAuthority> authorityListAdmin = AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN");
List<GrantedAuthority> authorityListUser = AuthorityUtils.createAuthorityList("ROLE_USER");
return new org.springframework.security.core.userdetails.User
(user.getEmail(), user.getPassword(), user.getRole()=="ADMIN" ? authorityListAdmin : authorityListUser);
SecuriyConfig.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer
@Autowired
private CustomUserDetailService customUserDetailService;
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
auth.userDetailsService(customUserDetailService).passwordEncoder(new BCryptPasswordEncoder());
@Override
public void addViewControllers(ViewControllerRegistry registry)
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("login");
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
registry.addViewController("/login").setViewName("login");
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
registry.addViewController("/failure").setViewName("failure");
registry.addViewController("/403").setViewName("403");
@Override
protected void configure(HttpSecurity http) throws Exception
http
.csrf().disable()
.authorizeRequests().antMatchers("/login","/home","/failure").permitAll()
.antMatchers(HttpMethod.POST,"/admin/**").permitAll()//hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/user/**").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.POST,"/user/**").hasAnyRole("ADMIN","USER")
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager(), customUserDetailService))
.exceptionHandling().accessDeniedPage("/403")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/home",true)
.failureUrl("/failure")
.and()
.logout().logoutUrl("/logout").permitAll();
public SecurityConfig(UserDetailsService userDetailsService)
super();
this.customUserDetailService = customUserDetailService;
SecurityConstants.java
public class SecurityConstants
static final String SECRET = "Romil";
static final String TOKEN_PREFIX = "Bearer ";
static final String HEADER_STRING = "Authorization";
static final String SIGN_UP_URL = "/login";
static final String SIGN_UP_SUCCESS = "/home";
static final long EXPIRATION_TIME = 86400000L;
【问题讨论】:
我看到这一行 response.sendRedirect(SIGN_UP_SUCCESS); 表示上下文丢失并且请求、响应对象是新的重定向 @resatz 感谢您的回复。如果我不使用 response.sendRedirect(SIGN_UP_SUCCESS);然后生成的令牌会自动下载到系统中,登录页面保持原样。 您可以尝试使用 forward 而不是在此处重定向更多详细信息***.com/questions/2047122/… @resatz RequestDispatcher 将保存当前的 req、res 并转发到下一个 URL。我用过 RequestDispatcher rd = request.getRequestDispatcher(SIGN_UP_SUCCESS); rd.forward(请求,响应);它再次停留在同一页面。控制台打印请求方法'POST'不支持 您是在客户端设置授权标头对吗?在向服务器发送请求之前。 【参考方案1】:如何传递令牌?
在成功登录时在 Spring Boot 中生成令牌发送令牌为 响应前端 在 Angular 中创建 AuthInterceptor,它将在每个 进一步要求。注意事项:
我们还要根据自己的要求设置WebConfig文件。
允许的方法 允许的标头 暴露的标头 maxAge 等。对于我们不需要对用户进行身份验证和授权的请求,我们可以在 ignoring().antMatchers("") 中添加该 API。
@Override public void configure(WebSecurity web) throws Exception web .ignoring() .antMatchers("/userlogin/") .antMatchers("/forgetPassword");
为什么选择 Access-Control-Expose-Headers?
Access-Control-Expose-Headers(可选)- XMLHttpRequest 对象有一个 getResponseHeader() 方法,该方法返回特定响应标头的值。在CORS request 期间,getResponseHeader() method can only access simple response headers。简单的响应头定义如下:
如果您希望客户端能够访问其他标头,则必须使用 Access-Control-Expose-Headers 标头。此标头的值是您要向客户端公开的以逗号分隔的响应标头列表。
response.setHeader("Access-Control-Expose-Headers", "Authorization");
AuthInterceptor
import Injectable from '@angular/core';
import HttpEvent, HttpHandler, HttpInterceptor, HttpRequest from '@angular/common/http';
import Observable from 'rxjs';
@Injectable()
export class AuthInterceptor implements HttpInterceptor
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>>
const token = window.localStorage.getItem('tokenKey'); // you probably want to store it in localStorage or something
if (!token)
return next.handle(req);
const req1 = req.clone(
headers: req.headers.set('Authorization', `$token`),
);
return next.handle(req1);
【讨论】:
以上是关于在 Rest API 中传递 JWT 令牌的主要内容,如果未能解决你的问题,请参考以下文章
如何在 Django 的单个 API 中获取访问令牌和刷新令牌(rest_framework_jwt)
如何在 vue 中存储、管理 REST API JWT 身份验证令牌?