在Web应用程序中,认证是保护资源免受未授权访问的重要组成部分。传统的Session认证方式在分布式环境下存在一些问题,而JWT(JSON Web Token)则提供了一种更安全、可扩展、无状态的认证解决方案。
JWT Token简介
JWT是一种基于JSON的开放标准(RFC 7519),用于在各方之间安全地传输信息,该信息可以被验证和信任。它由三部分组成:Header、Payload和Signature。
- Header:包含算法和令牌的类型信息。
- Payload:包含声明(claims)和附加数据。
- Signature:使用Header和Payload以及密钥生成的加密签名。
当用户登录成功后,服务端会生成一个包含用户信息(如用户名、用户角色等)的JWT Token,并将其返回给客户端。接下来,客户端在每次请求时都携带该Token,并将其放在请求的头部或参数中,服务端会通过验证Token的合法性来判断用户是否有权限访问请求的资源。
Spring Boot中使用JWT Token认证
下面我们将使用Spring Boot和Spring Security来实现JWT Token认证。
首先,我们需要添加以下依赖到项目的pom.xml文件中:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.11.2</version>
</dependency>
接下来,创建一个JwtTokenUtil工具类,用于生成和解析JWT Token。具体实现如下:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@Component
public class JwtTokenUtil {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
claims.put("sub", userDetails.getUsername());
claims.put("iat", new Date());
return Jwts.builder()
.setClaims(claims)
.setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
public String getUsernameFromToken(String token) {
Claims claims = Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
return claims.getSubject();
}
public boolean validateToken(String token, UserDetails userDetails) {
String username = getUsernameFromToken(token);
return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
}
private boolean isTokenExpired(String token) {
Date expirationDate = Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody().getExpiration();
return expirationDate.before(new Date());
}
}
在上面的代码中,我们使用io.jsonwebtoken库来操作JWT Token。JwtTokenUtil类中的generateToken方法用于生成Token,getUsernameFromToken方法用于从Token中获取用户名,validateToken方法用于验证Token的合法性。
接下来,我们需要创建一个JwtUserDetailsService类,实现Spring Security的UserDetailsService接口,用于处理用户认证逻辑。具体实现如下:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
@Service
public class JwtUserDetailsService implements UserDetailsService {
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if ("admin".equals(username)) {
return new User("admin", passwordEncoder.encode("admin123"), new ArrayList<>());
} else {
throw new UsernameNotFoundException("User not found with username: " + username);
}
}
}
在上面的代码中,我们对Spring Security的UserDetailsService接口进行了实现,根据用户名查询用户信息。在这里,我们简单地返回一个硬编码的用户名和加密后的密码。
接下来,我们需要创建一个JwtAuthenticationFilter类,继承自Spring Security的UsernamePasswordAuthenticationFilter类,用于拦截登录请求并生成Token。具体实现如下:
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
private JwtTokenUtil jwtTokenUtil;
private JwtUserDetailsService jwtUserDetailsService;
public JwtAuthenticationFilter(AuthenticationManager authenticationManager, JwtTokenUtil jwtTokenUtil, JwtUserDetailsService jwtUserDetailsService) {
this.authenticationManager = authenticationManager;
this.jwtTokenUtil = jwtTokenUtil;
this.jwtUserDetailsService = jwtUserDetailsService;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (!request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
try {
UserCredentials credentials = new ObjectMapper().readValue(request.getInputStream(), UserCredentials.class);
UserDetails userDetails = jwtUserDetailsService.loadUserByUsername(credentials.getUsername());
return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword(), new ArrayList<>()));
} catch (IOException e) {
throw new AuthenticationServiceException("Failed to authenticate user");
}
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
String token = jwtTokenUtil.generateToken((UserDetails) authResult.getPrincipal());
response.addHeader("Authorization", "Bearer " + token);
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.getWriter().write(failed.getMessage());
}
private static class UserCredentials {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
}
在上面的代码中,我们在attemptAuthentication方法中,根据请求参数中的用户名和密码,调用jwtUserDetailsService查询用户信息,并使用authenticationManager进行认证。在successfulAuthentication方法中,我们使用jwtTokenUtil生成Token,并将其添加到响应头中。
最后,我们需要配置Spring Security,使其使用我们自定义的JwtAuthenticationFilter。在WebSecurityConfigurerAdapter的子类中进行以下配置:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtUserDetailsService jwtUserDetailsService;
@Autowired
private JwtAuthenticationFilter jwtAuthenticationFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
在上面的配置中,我们将jwtAuthenticationFilter添加到了UsernamePasswordAuthenticationFilter之前,以便在请求到达之前进行Token认证。
总结
通过上面的实现,我们成功地在Spring Boot中使用JWT Token实现了Token认证。JWT Token可以提供更安全、可扩展、无状态的认证解决方案,并且在分布式环境下表现优秀,可以应用于各种类型的Web应用程序中。
更多关于JWT Token的详细信息请参考官方文档。
本文来自极简博客,作者:狂野之心,转载请注明原文链接:Spring Boot中使用JWT Token进行Token认证
