Spring Security token integration
Date: 2025-02-02 14:50:43 Views: 39
### Integrating Token Authentication in Spring Security
#### Configuring dependencies
To combine JWT with Spring Security, add the corresponding Maven or Gradle dependencies. Typically this means `spring-boot-starter-security`, `jjwt-api` and the matching implementation library. Note that JJWT 0.10 and later also needs a JSON serializer module at runtime (for example `jjwt-jackson`, with the same `${jjwt.version}`); without it token creation and parsing fail at runtime even though the code compiles.
```xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- JJWT API -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>${jjwt.version}</version>
</dependency>
<!-- JJWT 实现 -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<scope>runtime</scope>
<version>${jjwt.version}</version>
</dependency>
```
#### Creating a custom filter
Spring Security processes requests through a filter chain. For token-based authentication, add a filter that reads the Bearer token from the HTTP `Authorization` header, validates it, and, if valid, places an authenticated principal in the `SecurityContext`; the authorization rules configured later then decide which requests that principal may access[^2].
```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtRequestFilter extends OncePerRequestFilter {
    private final JwtUtil jwtUtil;
    private final UserDetailsService userDetailsService;

    public JwtRequestFilter(JwtUtil jwtUtil, UserDetailsService userDetailsService) {
        this.jwtUtil = jwtUtil;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        final String authorizationHeader = request.getHeader("Authorization");
        String username = null;
        String jwt = null;
        // Only "Authorization: Bearer <token>" is handled; any other request passes through unauthenticated.
        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            try {
                username = jwtUtil.extractUsername(jwt);
            } catch (Exception e) {
                // A malformed, expired or tampered token is logged and treated as "no identity";
                // the request continues and the authorization rules reject it if it needs authentication.
                logger.error("Error parsing token", e);
            }
        }
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
            // Check signature, expiry and subject against the freshly loaded user before trusting the token.
            if (jwtUtil.validateToken(jwt, userDetails)) {
                UsernamePasswordAuthenticationToken authToken =
                        new UsernamePasswordAuthenticationToken(
                                userDetails, null, userDetails.getAuthorities());
                authToken.setDetails(new WebAuthenticationDetailsSource()
                        .buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }
        chain.doFilter(request, response);
    }
}
```
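The filter above, the configuration class and the login endpoint all rely on a `JwtUtil` with `generateToken`, `extractUsername` and `validateToken`, but the page never shows it. The following is an added example written for this article, not the author's code: a `JwtUtil` built on the JJWT 0.11.x API (`Jwts.parserBuilder`, `Keys.hmacShaKeyFor`) that signs with HS256, refuses unsigned or mis-signed tokens, and rejects tokens that carry no `exp` claim. The property names `jwt.secret` (base64 of at least 32 random bytes) and `jwt.validity-seconds` are assumptions for the example.

```java
import java.security.Key;
import java.util.Date;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

// Added example JwtUtil (not from the original article); targets JJWT 0.11.x.
@Component
public class JwtUtil {
    private final Key signingKey;
    private final long validitySeconds;

    // jwt.secret is assumed to be base64 of >= 32 random bytes; Keys.hmacShaKeyFor throws
    // WeakKeyException for anything shorter than 256 bits, so a weak secret fails at startup.
    public JwtUtil(@Value("${jwt.secret}") String base64Secret,
                   @Value("${jwt.validity-seconds:900}") long validitySeconds) {
        this.signingKey = Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Secret));
        this.validitySeconds = validitySeconds;
    }

    // Issues a short-lived HS256 token whose subject is the username.
    public String generateToken(UserDetails userDetails) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(userDetails.getUsername())
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + validitySeconds * 1000L))
                .signWith(signingKey, SignatureAlgorithm.HS256)
                .compact();
    }

    // Throws JwtException for a malformed, unsigned, mis-signed or expired token.
    public String extractUsername(String token) {
        return parseClaims(token).getSubject();
    }

    // True only if the token verifies, names this user, carries an exp claim, and the account is usable.
    public boolean validateToken(String token, UserDetails userDetails) {
        try {
            Claims claims = parseClaims(token);
            // JJWT accepts a token with no exp claim indefinitely; require one explicitly.
            if (claims.getExpiration() == null) {
                return false;
            }
            return userDetails.getUsername().equals(claims.getSubject())
                    && userDetails.isEnabled()
                    && userDetails.isAccountNonLocked();
        } catch (JwtException | IllegalArgumentException e) {
            return false;
        }
    }

    private Claims parseClaims(String token) {
        // parseClaimsJws verifies the HMAC signature with signingKey, enforces exp when present,
        // and throws UnsupportedJwtException for an unsigned ("alg":"none") token.
        return Jwts.parserBuilder()
                .setSigningKey(signingKey)
                .build()
                .parseClaimsJws(token)
                .getBody();
    }
}
```

Because `validateToken` re-checks `isEnabled()` and `isAccountNonLocked()` on the user loaded by the filter, disabling or locking an account takes effect on the next request rather than only after the token expires; the expiry itself is kept short (15 minutes by default here) because a stateless bearer token cannot otherwise be revoked.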
#### Setting up the global configuration class
For the custom filter to take effect, it has to be registered in the Spring Security filter chain when the application starts, and some default protections must be switched off to suit the stateless nature of RESTful calls[^1]: CSRF protection (which depends on a session cookie) and session creation are disabled, and only the login endpoint is left open. Two caveats: `WebSecurityConfigurerAdapter` was deprecated in Spring Security 5.7 and removed in 6.0, where the same settings are expressed as a `SecurityFilterChain` bean; and a filter annotated with `@Component` is also auto-registered by Spring Boot as a plain servlet filter, so it runs twice unless that registration is disabled (for example with a `FilterRegistrationBean` whose `setEnabled(false)` is called).
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserDetailsService userDetailsService;
    private final JwtRequestFilter jwtRequestFilter;

    public SecurityConfig(UserDetailsService userDetailsService, JwtRequestFilter jwtRequestFilter) {
        this.userDetailsService = userDetailsService;
        this.jwtRequestFilter = jwtRequestFilter;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Passwords are checked by DaoAuthenticationProvider using this UserDetailsService and encoder.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection relies on a session cookie; a stateless bearer-token API has none.
            .csrf().disable()
            .authorizeRequests()
                // Only the token-issuing endpoint is open; it must match the AuthController mapping.
                .antMatchers("/api/v1/auth/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Run the JWT filter before the form-login filter so the SecurityContext is set early.
            .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        // Do not call super.configure(http) here: it adds a second anyRequest() rule (rejected
        // at startup by recent 5.x releases) and enables form login and HTTP Basic, which a
        // stateless token API does not want.
    }

    // Expose the AuthenticationManager so AuthController can inject it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```
#### Designing the authentication endpoint
The last step is the endpoint the front end calls to obtain a token. When a username/password credential arrives, it is first verified through the `AuthenticationManager`; only once it is confirmed valid is a new JSON Web Token issued and returned to the client, which stores it and sends it on subsequent requests to protected resources[^4]. On failure the endpoint should return a generic 401 without revealing whether the username or the password was wrong.
```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/auth")
public class AuthController {
    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userDetailsService;
    private final JwtUtil jwtUtil;

    public AuthController(AuthenticationManager authenticationManager,
                          UserDetailsService userDetailsService, JwtUtil jwtUtil) {
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
        this.jwtUtil = jwtUtil;
    }

    // LoginRequest is a plain DTO with getUsername()/getPassword(); its definition is not shown on the page.
    @PostMapping("/login")
    public ResponseEntity<?> createAuthToken(@RequestBody LoginRequest loginRequest) {
        try {
            // Delegates the password check to Spring Security (UserDetailsService + PasswordEncoder).
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginRequest.getUsername(),
                            loginRequest.getPassword()));
        } catch (AuthenticationException ex) {
            // Covers wrong password, unknown user (hidden as BadCredentials by default), disabled and
            // locked accounts; one generic message so the response does not reveal which case applied.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Collections.singletonMap("error", "Invalid credentials"));
        }
        final UserDetails userDetails = userDetailsService
                .loadUserByUsername(loginRequest.getUsername());
        final String token = jwtUtil.generateToken(userDetails);
        Map<String, Object> result = new HashMap<>();
        // Returned with the scheme prefix so the client can send it back verbatim as the Authorization header.
        result.put("token", "Bearer " + token);
        return ResponseEntity.ok(result);
    }
}
```