
Securing REST APIs with Spring Security and Java

Aug 01, 2025, 03:31 AM

1. Disable sessions and CSRF, using SessionCreationPolicy.STATELESS and csrf().disable() for REST-friendly security; 2. Adopt JWT for stateless authentication, generating and validating tokens that carry the user's roles and an expiry time via a JwtUtil; 3. Create a JwtAuthenticationFilter that intercepts requests, parses the Bearer token from the Authorization header and, once it is validated, stores the authentication in the SecurityContextHolder; 4. Use annotations such as @PreAuthorize("hasRole('ADMIN')") for role-based access control and enable method-level security with @EnableGlobalMethodSecurity(prePostEnabled=true); 5. Provide a /login endpoint that returns a JWT after the AuthenticationManager has authenticated the user; always use HTTPS, store the signing key securely, avoid keeping tokens in localStorage, verify signatures strictly and set a sensible expiry policy to keep the API secure.


Securing REST APIs with Spring Security in Java isn't just a best practice—it's a necessity. Unlike traditional web apps that rely on session cookies, REST APIs are stateless, so security has to be handled differently. Here's how to do it right using Spring Security and Java (without Spring Boot if you're going the XML or pure Java config route, though we'll focus on modern Java config).


1. Enable Spring Security in a REST-Friendly Way

Start by setting up Spring Security with Java configuration. You'll need to disable session creation and CSRF protection since REST APIs typically use token-based authentication (like JWT), not sessions.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // No CSRF for stateless APIs (chained style; Spring Security 6.1+ prefers csrf(AbstractHttpConfigurer::disable))
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // Always stateless
            .and()
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/login").permitAll()          // the token-issuing endpoint must be reachable without a token
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN") // requires authority ROLE_ADMIN
                .anyRequest().authenticated()
            )
            .httpBasic().disable() // Not ideal for REST; use tokens
            // Run the JWT filter before the form-login filter so the SecurityContext is populated first
            .addFilterBefore(jwtFilter(), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public JwtAuthenticationFilter jwtFilter() {
        return new JwtAuthenticationFilter(); // declared as a bean so its @Autowired fields are injected
    }
}

Key points:

  • STATELESS sessions prevent Spring from creating JSESSIONID cookies.
  • Disable CSRF because it relies on session state.
  • Use requestMatchers() to define public vs. secured endpoints.

2. Use JWT for Stateless Authentication

JWT (JSON Web Token) is perfect for REST APIs. The client logs in once, gets a token, and sends it in the Authorization: Bearer <token> header on subsequent requests.

Generate JWT (Example Utility)

import java.util.Collection;
import java.util.Date;
import java.util.stream.Collectors;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component // registered as a bean so the filter's @Autowired JwtUtil resolves
public class JwtUtil {
    private String secret = "yourSuperSecretKeyThatIsAtLeast256BitsLong";

    public String generateToken(String username, Collection<? extends GrantedAuthority> authorities) {
        return Jwts.builder()
            .setSubject(username)
            .claim("authorities", authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()))
            .setIssuedAt(new Date())
            .setExpiration(new Date(System.currentTimeMillis() + 86400000)) // 24h
            .signWith(SignatureAlgorithm.HS256, secret)
            .compact();
    }

    // Used by JwtAuthenticationFilter: a token is valid only if it parses under our key
    // (signature verified) and has not expired. Parsing failures are never propagated.
    public boolean validateToken(String token) {
        try {
            return !isTokenExpired(token);
        } catch (JwtException | IllegalArgumentException e) {
            return false; // bad signature, malformed or unsigned token, expired, etc.
        }
    }

    public boolean isTokenValid(String token, String username) {
        return getUsernameFromToken(token).equals(username) && !isTokenExpired(token);
    }

    public String getUsernameFromToken(String token) {
        return getClaims(token).getSubject();
    }

    // parseClaimsJws verifies the signature and rejects unsigned ("alg":"none") tokens
    private Claims getClaims(String token) {
        return Jwts.parser()
            .setSigningKey(secret)
            .parseClaimsJws(token)
            .getBody();
    }

    private boolean isTokenExpired(String token) {
        return getClaims(token).getExpiration().before(new Date());
    }
}

Keep the secret secure: never hardcode it in production. Load it from an environment variable or a config server, and make sure it is at least 256 bits long for HS256.


3. Custom JWT Authentication Filter

You need a filter to intercept incoming requests, extract the JWT from the Authorization header, validate it, and set the authentication in Spring Security's context.

import java.io.IOException;

import jakarta.servlet.FilterChain;          // javax.servlet.* on Spring Security 5 / Spring 5
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    @Autowired
    private JwtUtil jwtUtil;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {

        String token = extractToken(request);

        // Only a token whose signature verifies and which has not expired populates the context.
        // Anything else leaves the request unauthenticated and the authorization rules reject it.
        if (token != null && jwtUtil.validateToken(token)) {
            String username = jwtUtil.getUsernameFromToken(token);
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);

            // Credentials are null: the token already proved identity; authorities come from the user store
            UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

    // Returns the raw token from "Authorization: Bearer <token>", or null if the header is absent or malformed
    private String extractToken(HttpServletRequest request) {
        String bearerToken = request.getHeader("Authorization");
        if (bearerToken != null && bearerToken.startsWith("Bearer ")) {
            return bearerToken.substring(7);
        }
        return null;
    }
}

This filter runs before Spring checks authentication. If the token is valid, it sets the Authentication object so @PreAuthorize, hasRole(), etc. work as expected.


4. Secure Endpoints with Role-Based Access

Once authentication is in place, protect your endpoints using method-level security:

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
@PreAuthorize("hasRole('ADMIN')") // hasRole('ADMIN') matches the authority ROLE_ADMIN
public class AdminController {

    @GetMapping("/data")
    public ResponseEntity<String> getSensitiveData() {
        return ResponseEntity.ok("Top secret data!");
    }
}

Don't forget to enable method-level security:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // Spring Security 6 deprecates this in favour of @EnableMethodSecurity
public class MethodSecurityConfig {
    // No extra beans needed if using global method security
}

5. Add a Login Endpoint to Issue Tokens

Create a simple login controller to authenticate and return a JWT:

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthController {
    private final AuthenticationManager authenticationManager;
    private final JwtUtil jwtUtil;
    public AuthController(AuthenticationManager authenticationManager, JwtUtil jwtUtil) {
        this.authenticationManager = authenticationManager;
        this.jwtUtil = jwtUtil;
    }
    public record LoginRequest(String username, String password) {} // request body
    public record JwtResponse(String token) {}                      // response body

    @PostMapping("/login") // this path must be permitAll() in the filter chain, or it is blocked before reaching here
    public ResponseEntity<?> login(@RequestBody LoginRequest request) {
        try {
            Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(request.username(), request.password())
            );
            SecurityContextHolder.getContext().setAuthentication(authentication);

            String token = jwtUtil.generateToken(authentication.getName(), authentication.getAuthorities());

            return ResponseEntity.ok(new JwtResponse(token));
        } catch (AuthenticationException e) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); // bad credentials: no token, no detail leaked
        }
    }
}

You'll need to expose the AuthenticationManager bean if not using Spring Boot auto-configuration.
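Exposing that bean, together with the PasswordEncoder and UserDetailsService the AuthenticationManager authenticates against, looks like this in Java config. This is an added example, not code from the original article: it assumes Spring Security 5.7 or later (where AuthenticationConfiguration is available) and uses two constructed in-memory users in place of a real user store.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (not from the article): beans the /login endpoint needs outside Spring Boot auto-configuration.
@Configuration
public class AuthenticationBeansConfig {

    // Spring Security builds the AuthenticationManager from the registered UserDetailsService
    // and PasswordEncoder; this bean only makes it injectable into the login controller.
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    // Delegating encoder: hashes are stored with a {bcrypt} prefix, so the algorithm
    // can be upgraded later without invalidating existing users.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed demo users; a real deployment backs this with a database.
    // roles("ADMIN") stores the authority as ROLE_ADMIN, which is exactly what
    // hasRole("ADMIN") in the filter chain and @PreAuthorize("hasRole('ADMIN')") check for.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("change-me-alice")) // constructed credential
                .roles("ADMIN")
                .build(),
            User.withUsername("bob")
                .password(encoder.encode("change-me-bob"))   // constructed credential
                .roles("USER")
                .build());
    }
}
```

With these beans in place, a POST to /login with alice's credentials yields a token whose authorities claim contains ROLE_ADMIN, and the filter in section 3 resolves the same user through this UserDetailsService on every request.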


Final Notes

  • Never store JWTs in localStorage (XSS risk). Prefer httpOnly cookies if possible, or use secure in-memory storage.
  • Always use HTTPS in production.
  • Rotate secrets and consider short token expiration with refresh tokens.
  • Validate token signatures strictly; never accept the none algorithm, and pin the algorithm you expect.
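The secret-handling note in section 2 and the points above (external secret, short expiry, strict signature and algorithm checks) can be folded into one hardened variant of the article's JwtUtil. The class below is an added example, not the article's code: it assumes jjwt 0.11.x (Jwts.parserBuilder, Keys.hmacShaKeyFor), an environment variable named JWT_SECRET, and an issuer value of "my-api"; those three names are assumptions, not something the article defines.

```java
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Collection;
import java.util.Date;
import java.util.Optional;
import java.util.stream.Collectors;

import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.core.GrantedAuthority;

// Added example (not from the article): JwtUtil hardened along the lines of the Final Notes.
public class HardenedJwtUtil {

    // Short-lived access tokens; pair with a refresh-token flow instead of a 24h lifetime.
    private static final Duration ACCESS_TOKEN_TTL = Duration.ofMinutes(15);
    private static final String ISSUER = "my-api"; // assumed value

    private final SecretKey key;

    public HardenedJwtUtil() {
        this(System.getenv("JWT_SECRET")); // env var name is an assumption; any config server works too
    }

    HardenedJwtUtil(String secret) {
        if (secret == null || secret.getBytes(StandardCharsets.UTF_8).length < 32) {
            throw new IllegalStateException("JWT_SECRET must be set and at least 256 bits long");
        }
        // Keys.hmacShaKeyFor rejects keys shorter than HMAC-SHA requires, so a weak key fails at startup
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public String generateToken(String username, Collection<? extends GrantedAuthority> authorities) {
        Instant now = Instant.now();
        return Jwts.builder()
            .setSubject(username)
            .setIssuer(ISSUER)
            .claim("authorities", authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()))
            .setIssuedAt(Date.from(now))
            .setExpiration(Date.from(now.plus(ACCESS_TOKEN_TTL)))
            .signWith(key, SignatureAlgorithm.HS256)
            .compact();
    }

    // Returns the verified claims, or empty if the token must be rejected.
    // parseClaimsJws only accepts signed tokens: an "alg":"none" token has no signature and
    // fails with UnsupportedJwtException. The explicit header check additionally pins the
    // algorithm to HS256 so a token signed under a different algorithm is refused outright.
    public Optional<Claims> verify(String token) {
        try {
            Jws<Claims> jws = Jwts.parserBuilder()
                .setSigningKey(key)
                .requireIssuer(ISSUER)
                .setAllowedClockSkewSeconds(30) // tolerate small clock drift between issuer and verifier
                .build()
                .parseClaimsJws(token);
            if (!SignatureAlgorithm.HS256.getValue().equals(jws.getHeader().getAlgorithm())) {
                return Optional.empty();
            }
            return Optional.of(jws.getBody());
        } catch (JwtException | IllegalArgumentException e) {
            // expired, tampered, wrong key, wrong issuer, malformed, or unsigned
            return Optional.empty();
        }
    }
}
```

The filter in section 3 would call verify(token) and treat an empty Optional exactly as it treats a missing header: the request continues unauthenticated and the authorization rules reject it. Returning Optional<Claims> rather than a boolean also lets the filter take the subject from the already-verified claims instead of parsing the token a second time.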

Basically, securing REST APIs with Spring Security comes down to:

  • Disabling sessions and CSRF.
  • Using JWT (or OAuth2) for stateless auth.
  • Writing a filter to validate tokens.
  • Leveraging Spring's authorization mechanisms.

It's not complex, but easy to get wrong. Do it once right, and your API stays safe.
