在本文中,我们将探讨如何将 Spring Security 与 JWT 集成,为您的应用程序构建坚实的安全层。我们将完成从基本配置到实现自定义身份验证过滤器的每个步骤,确保您拥有必要的工具来高效、大规模地保护您的 API。
配置
在 Spring Initializr 中,我们将使用 Java 21、Maven、Jar 和这些依赖项构建一个项目:
- Spring Data JPA
- Spring Web
- 龙目岛
- 春季安全
- PostgreSQL 驱动程序
- OAuth2 资源服务器
设置 PostgreSQL 数据库
使用 Docker,您将使用 Docker-compose 创建一个 PostgreSql 数据库。
在项目的根目录创建一个 docker-compose.yaml 文件。
services:
postgre:
image: postgres:latest
ports:
- "5432:5432"
environment:
- POSTGRES_DB=database
- POSTGRES_USER=admin
- POSTGRES_PASSWORD=admin
volumes:
- postgres_data:/var/lib/postgresql/data
volumes:
postgres_data:
登录后复制
运行命令来启动容器。
docker compose up -d
登录后复制
设置 application.properties 文件
此文件是 Spring Boot 应用程序的配置。
spring.datasource.url=jdbc:postgresql://localhost:5432/database
spring.datasource.username=admin
spring.datasource.password=admin
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
jwt.public.key=classpath:public.key
jwt.private.key=classpath:private.key
登录后复制
jwt.public.key 和 jwt.private.key 是我们将进一步创建的密钥。
生成私钥和公钥
永远不要将这些密钥提交到您的 github
在控制台运行,在资源目录下生成私钥
cd src/main/resources
openssl genrsa > private.key
登录后复制
之后,创建链接到私钥的公钥。
openssl rsa -in private.key -pubout -out public.key
登录后复制
代码
创建安全配置文件
靠近主函数创建一个目录 configs 并在其中创建一个 SecurityConfig.java 文件。
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.web.SecurityFilterChain;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {
@Value("${jwt.public.key}")
private RSAPublicKey publicKey;
@Value("${jwt.private.key}")
private RSAPrivateKey privateKey;
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth.requestMatchers(HttpMethod.POST, "/signin").permitAll()
.requestMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(config -> config.jwt(jwt -> jwt.decoder(jwtDecoder())));
return http.build();
}
@Bean
BCryptPasswordEncoder bPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
JwtEncoder jwtEncoder() {
var jwk = new RSAKey.Builder(this.publicKey).privateKey(this.privateKey).build();
var jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
return new NimbusJwtEncoder(jwks);
}
@Bean
JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withPublicKey(publicKey).build();
}
}
登录后复制
解释
@EnableWebScurity:当您使用@EnableWebSecurity时,它会自动触发Spring Security的配置以保护Web应用程序。此配置包括设置过滤器、保护端点以及应用各种安全规则。
@EnableMethodSecurity:是 Spring Security 中的一个注释,可在 Spring 应用程序中启用方法级安全性。它允许您使用 @PreAuthorize、@PostAuthorize、@Secured 和 @RolesAllowed 等注释直接在方法级别应用安全规则。
privateKey 和 publicKey:是用于签名和验证 JWT 的 RSA 公钥和私钥。 @Value 注解将属性文件(application.properties)中的键注入到这些字段中。
CSRF:禁用 CSRF(跨站点请求伪造)保护,该保护通常在使用 JWT 进行身份验证的无状态 REST API 中禁用。
-
authorizeHttpRequests:配置基于 URL 的授权规则。
-
requestMatchers(HttpMethod.POST, "/signin").permitAll():允许未经身份验证访问 /signin 和 /login 端点,这意味着任何人都可以在不登录的情况下访问这些路由。
-
anyRequest().authenticated():需要对所有其他请求进行身份验证。
-
oauth2ResourceServer:将应用程序配置为使用 JWT 进行身份验证的 OAuth 2.0 资源服务器。
-
config.jwt(jwt -> jwt.decoder(jwtDecoder())):指定将用于解码和验证 JWT 令牌的 JWT 解码器 bean (jwtDecoder)。
BCryptPasswordEncoder:此 bean 定义使用 BCrypt 哈希算法对密码进行编码的密码编码器。 BCrypt 因其自适应特性而成为安全存储密码的热门选择,使其能够抵抗暴力攻击。
-
JwtEncoder:此 bean 负责编码(签名)JWT 令牌。
-
RSAKey.Builder:使用提供的公钥和私钥 RSA 密钥创建新的 RSA 密钥。
-
ImmutableJWKSet(new JWKSet(jwk)):将 RSA 密钥包装在 JSON Web 密钥集 (JWKSet) 中,使其不可变。
-
NimbusJwtEncoder(jwks):使用 Nimbus 库创建 JWT 编码器,该编码器将使用 RSA 私钥对令牌进行签名。
-
JwtDecoder:此 bean 负责解码(验证)JWT 令牌。
-
NimbusJwtDecoder.withPublicKey(publicKey).build():使用RSA公钥创建JWT解码器,用于验证JWT令牌的签名。
实体
import org.springframework.security.crypto.password.PasswordEncoder;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.EnumType;
import jakarta.persistence.Enumerated;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
@Entity
@Table(name = "tb_clients")
@Getter
@Setter
@NoArgsConstructor
public class ClientEntity {
@Id
@GeneratedValue(strategy = GenerationType.SEQUENCE)
@Column(name = "client_id")
private Long clientId;
private String name;
@Column(unique = true)
private String cpf;
@Column(unique = true)
private String email;
private String password;
@Column(name = "user_type")
private String userType = "client";
public Boolean isLoginCorrect(String password, PasswordEncoder passwordEncoder) {
return passwordEncoder.matches(password, this.password);
}
}
登录后复制
存储库
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import example.com.challengePicPay.entities.ClientEntity;
@Repository
public interface ClientRepository extends JpaRepository<ClientEntity, Long> {
Optional<ClientEntity> findByEmail(String email);
Optional<ClientEntity> findByCpf(String cpf);
Optional<ClientEntity> findByEmailOrCpf(String email, String cpf);
}
登录后复制
服务
客户服务
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;
import example.com.challengePicPay.entities.ClientEntity;
import example.com.challengePicPay.repositories.ClientRepository;
@Service
public class ClientService {
@Autowired
private ClientRepository clientRepository;
@Autowired
private BCryptPasswordEncoder bPasswordEncoder;
public ClientEntity createClient(String name, String cpf, String email, String password) {
var clientExists = this.clientRepository.findByEmailOrCpf(email, cpf);
if (clientExists.isPresent()) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Email/Cpf already exists.");
}
var newClient = new ClientEntity();
newClient.setName(name);
newClient.setCpf(cpf);
newClient.setEmail(email);
newClient.setPassword(bPasswordEncoder.encode(password));
return clientRepository.save(newClient);
}
}
登录后复制
令牌服务
import java.time.Instant;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;
import example.com.challengePicPay.repositories.ClientRepository;
@Service
public class TokenService {
@Autowired
private ClientRepository clientRepository;
@Autowired
private JwtEncoder jwtEncoder;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
public String login(String email, String password) {
var client = this.clientRepository.findByEmail(email)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Email not found"));
var isCorrect = client.isLoginCorrect(password, bCryptPasswordEncoder);
if (!isCorrect) {
throw new BadCredentialsException("Email/password invalid");
}
var now = Instant.now();
var expiresIn = 300L;
var claims = JwtClaimsSet.builder()
.issuer("pic_pay_backend")
.subject(client.getEmail())
.issuedAt(now)
.expiresAt(now.plusSeconds(expiresIn))
.claim("scope", client.getUserType())
.build();
var jwtValue = jwtEncoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
return jwtValue;
}
}
登录后复制
控制器
客户端控制器
package example.com.challengePicPay.controllers;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import example.com.challengePicPay.controllers.dto.NewClientDTO;
import example.com.challengePicPay.entities.ClientEntity;
import example.com.challengePicPay.services.ClientService;
@RestController
public class ClientController {
@Autowired
private ClientService clientService;
@PostMapping("/signin")
public ResponseEntity<ClientEntity> createNewClient(@RequestBody NewClientDTO client) {
var newClient = this.clientService.createClient(client.name(), client.cpf(), client.email(), client.password());
return ResponseEntity.status(HttpStatus.CREATED).body(newClient);
}
@GetMapping("/protectedRoute")
@PreAuthorize("hasAuthority('SCOPE_client')")
public ResponseEntity<String> protectedRoute(JwtAuthenticationToken token) {
return ResponseEntity.ok("Authorized");
}
}
登录后复制
Explanation
The /protectedRoute is a private route that can only be accessed with a JWT after logging in.
The token must be included in the headers as a Bearer token, for example.
You can use the token information later in your application, such as in the service layer.
@PreAuthorize: The @PreAuthorize annotation in Spring Security is used to perform authorization checks before a method is invoked. This annotation is typically applied at the method level in a Spring component (like a controller or a service) to restrict access based on the user's roles, permissions, or other security-related conditions.
The annotation is used to define the condition that must be met for the method to be executed. If the condition evaluates to true, the method proceeds. If it evaluates to false, access is denied,
"hasAuthority('SCOPE_client')": It checks if the currently authenticated user or client has the specific authority SCOPE_client. If they do, the method protectedRoute() is executed. If they don't, access is denied.
Token Controller: Here, you can log in to the application, and if successful, it will return a token.
package example.com.challengePicPay.controllers;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RestController;
import example.com.challengePicPay.controllers.dto.LoginDTO;
import example.com.challengePicPay.services.TokenService;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@RestController
public class TokenController {
@Autowired
private TokenService tokenService;
@PostMapping("/login")
public ResponseEntity<Map<String, String>> login(@RequestBody LoginDTO loginDTO) {
var token = this.tokenService.login(loginDTO.email(), loginDTO.password());
return ResponseEntity.ok(Map.of("token", token));
}
}
登录后复制
Reference
- Spring Security
- Spring Security-Toptal article
以上是Spring Security 与 JWT的详细内容。更多信息请关注PHP中文网其他相关文章!
