在本文中,我们将探讨如何将 Spring Security 与 JWT 集成,为您的应用程序构建坚实的安全层。我们将完成从基本配置到实现自定义身份验证过滤器的每个步骤,确保您拥有必要的工具来高效、大规模地保护您的 API。
在 Spring Initializr 中,我们将使用 Java 21、Maven、Jar 和这些依赖项构建一个项目:
使用 Docker,您将使用 Docker-compose 创建一个 PostgreSql 数据库。
在项目的根目录创建一个 docker-compose.yaml 文件。
services:
postgre:
image: postgres:latest
ports:
- "5432:5432"
environment:
- POSTGRES_DB=database
- POSTGRES_USER=admin
- POSTGRES_PASSWORD=admin
volumes:
- postgres_data:/var/lib/postgresql/data
volumes:
postgres_data:
运行命令来启动容器。
docker compose up -d
此文件是 Spring Boot 应用程序的配置。
spring.datasource.url=jdbc:postgresql://localhost:5432/database spring.datasource.username=admin spring.datasource.password=admin spring.jpa.hibernate.ddl-auto=update spring.jpa.show-sql=true jwt.public.key=classpath:public.key jwt.private.key=classpath:private.key
jwt.public.key 和 jwt.private.key 是我们将进一步创建的密钥。
永远不要将这些密钥提交到您的 github
在控制台运行,在资源目录下生成私钥
cd src/main/resources openssl genrsa > private.key
之后,创建链接到私钥的公钥。
openssl rsa -in private.key -pubout -out public.key
靠近主函数创建一个目录 configs 并在其中创建一个 SecurityConfig.java 文件。
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.web.SecurityFilterChain;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {
@Value("${jwt.public.key}")
private RSAPublicKey publicKey;
@Value("${jwt.private.key}")
private RSAPrivateKey privateKey;
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth.requestMatchers(HttpMethod.POST, "/signin").permitAll()
.requestMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(config -> config.jwt(jwt -> jwt.decoder(jwtDecoder())));
return http.build();
}
@Bean
BCryptPasswordEncoder bPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
JwtEncoder jwtEncoder() {
var jwk = new RSAKey.Builder(this.publicKey).privateKey(this.privateKey).build();
var jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
return new NimbusJwtEncoder(jwks);
}
@Bean
JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withPublicKey(publicKey).build();
}
}
@EnableWebScurity:当您使用@EnableWebSecurity时,它会自动触发Spring Security的配置以保护Web应用程序。此配置包括设置过滤器、保护端点以及应用各种安全规则。
@EnableMethodSecurity:是 Spring Security 中的一个注释,可在 Spring 应用程序中启用方法级安全性。它允许您使用 @PreAuthorize、@PostAuthorize、@Secured 和 @RolesAllowed 等注释直接在方法级别应用安全规则。
privateKey 和 publicKey:是用于签名和验证 JWT 的 RSA 公钥和私钥。 @Value 注解将属性文件(application.properties)中的键注入到这些字段中。
CSRF:禁用 CSRF(跨站点请求伪造)保护,该保护通常在使用 JWT 进行身份验证的无状态 REST API 中禁用。
authorizeHttpRequests:配置基于 URL 的授权规则。
oauth2ResourceServer:将应用程序配置为使用 JWT 进行身份验证的 OAuth 2.0 资源服务器。
BCryptPasswordEncoder:此 bean 定义使用 BCrypt 哈希算法对密码进行编码的密码编码器。 BCrypt 因其自适应特性而成为安全存储密码的热门选择,使其能够抵抗暴力攻击。
JwtEncoder:此 bean 负责编码(签名)JWT 令牌。
JwtDecoder:此 bean 负责解码(验证)JWT 令牌。
import org.springframework.security.crypto.password.PasswordEncoder;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.EnumType;
import jakarta.persistence.Enumerated;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
@Entity
@Table(name = "tb_clients")
@Getter
@Setter
@NoArgsConstructor
public class ClientEntity {
@Id
@GeneratedValue(strategy = GenerationType.SEQUENCE)
@Column(name = "client_id")
private Long clientId;
private String name;
@Column(unique = true)
private String cpf;
@Column(unique = true)
private String email;
private String password;
@Column(name = "user_type")
private String userType = "client";
public Boolean isLoginCorrect(String password, PasswordEncoder passwordEncoder) {
return passwordEncoder.matches(password, this.password);
}
}
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import example.com.challengePicPay.entities.ClientEntity;
@Repository
public interface ClientRepository extends JpaRepository<ClientEntity, Long> {
Optional<ClientEntity> findByEmail(String email);
Optional<ClientEntity> findByCpf(String cpf);
Optional<ClientEntity> findByEmailOrCpf(String email, String cpf);
}
客户服务
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;
import example.com.challengePicPay.entities.ClientEntity;
import example.com.challengePicPay.repositories.ClientRepository;
@Service
public class ClientService {
@Autowired
private ClientRepository clientRepository;
@Autowired
private BCryptPasswordEncoder bPasswordEncoder;
public ClientEntity createClient(String name, String cpf, String email, String password) {
var clientExists = this.clientRepository.findByEmailOrCpf(email, cpf);
if (clientExists.isPresent()) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Email/Cpf already exists.");
}
var newClient = new ClientEntity();
newClient.setName(name);
newClient.setCpf(cpf);
newClient.setEmail(email);
newClient.setPassword(bPasswordEncoder.encode(password));
return clientRepository.save(newClient);
}
}
令牌服务
import java.time.Instant;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;
import example.com.challengePicPay.repositories.ClientRepository;
@Service
public class TokenService {
@Autowired
private ClientRepository clientRepository;
@Autowired
private JwtEncoder jwtEncoder;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
public String login(String email, String password) {
var client = this.clientRepository.findByEmail(email)
.orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Email not found"));
var isCorrect = client.isLoginCorrect(password, bCryptPasswordEncoder);
if (!isCorrect) {
throw new BadCredentialsException("Email/password invalid");
}
var now = Instant.now();
var expiresIn = 300L;
var claims = JwtClaimsSet.builder()
.issuer("pic_pay_backend")
.subject(client.getEmail())
.issuedAt(now)
.expiresAt(now.plusSeconds(expiresIn))
.claim("scope", client.getUserType())
.build();
var jwtValue = jwtEncoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
return jwtValue;
}
}
客户端控制器
package example.com.challengePicPay.controllers;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import example.com.challengePicPay.controllers.dto.NewClientDTO;
import example.com.challengePicPay.entities.ClientEntity;
import example.com.challengePicPay.services.ClientService;
@RestController
public class ClientController {
@Autowired
private ClientService clientService;
@PostMapping("/signin")
public ResponseEntity<ClientEntity> createNewClient(@RequestBody NewClientDTO client) {
var newClient = this.clientService.createClient(client.name(), client.cpf(), client.email(), client.password());
return ResponseEntity.status(HttpStatus.CREATED).body(newClient);
}
@GetMapping("/protectedRoute")
@PreAuthorize("hasAuthority('SCOPE_client')")
public ResponseEntity<String> protectedRoute(JwtAuthenticationToken token) {
return ResponseEntity.ok("Authorized");
}
}
The /protectedRoute is a private route that can only be accessed with a JWT after logging in.
The token must be included in the headers as a Bearer token, for example.
You can use the token information later in your application, such as in the service layer.
@PreAuthorize: The @PreAuthorize annotation in Spring Security is used to perform authorization checks before a method is invoked. This annotation is typically applied at the method level in a Spring component (like a controller or a service) to restrict access based on the user's roles, permissions, or other security-related conditions.
The annotation is used to define the condition that must be met for the method to be executed. If the condition evaluates to true, the method proceeds. If it evaluates to false, access is denied,
"hasAuthority('SCOPE_client')": It checks if the currently authenticated user or client has the specific authority SCOPE_client. If they do, the method protectedRoute() is executed. If they don't, access is denied.
Token Controller: Here, you can log in to the application, and if successful, it will return a token.
package example.com.challengePicPay.controllers;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RestController;
import example.com.challengePicPay.controllers.dto.LoginDTO;
import example.com.challengePicPay.services.TokenService;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@RestController
public class TokenController {
@Autowired
private TokenService tokenService;
@PostMapping("/login")
public ResponseEntity<Map<String, String>> login(@RequestBody LoginDTO loginDTO) {
var token = this.tokenService.login(loginDTO.email(), loginDTO.password());
return ResponseEntity.ok(Map.of("token", token));
}
}
以上是Spring Security 与 JWT的详细内容。更多信息请关注PHP中文网其他相关文章!
