亚洲国产日韩欧美一区二区三区,精品亚洲国产成人av在线,国产99视频精品免视看7,99国产精品久久久久久久成人热,欧美日韩亚洲国产综合乱

目錄
3. Create JWT Utility Class
4. Custom JWT Authentication Filter
5. Configure Spring Security
6. Create Authentication Endpoint
7. UserDetailsService Implementation
Summary
首頁 Java java教程 使用Spring Security和JWT確保Java Rest API

使用Spring Security和JWT確保Java Rest API

Jul 31, 2025 am 09:13 AM

實(shí)現(xiàn)Spring Boot應(yīng)用中基于JWT的REST API安全機(jī)制,首先需理解用戶登錄后由服務(wù)器頒發(fā)JWT,客戶端在后續(xù)請求的Authorization頭中攜帶該令牌,服務(wù)器通過自定義過濾器驗(yàn)證令牌有效性;2. 在pom.xml中添加spring-boot-starter-security、spring-boot-starter-web及jjwt-api、jjwt-impl、jjwt-jackson依賴;3. 創(chuàng)建JwtUtil工具類,用于生成、解析和驗(yàn)證JWT,包含提取用戶名、過期時(shí)間、生成令牌及校驗(yàn)令牌是否有效的方法;4. 編寫JwtRequestFilter繼承OncePerRequestFilter,在請求中提取Bearer令牌,解析用戶名并加載用戶詳情,若令牌有效則設(shè)置Authentication到SecurityContext;5. 配置SecurityConfig類,禁用CSRF,設(shè)置/authenticate和/register路徑放行,其余請求需認(rèn)證,并配置無狀態(tài)會話管理,將JwtRequestFilter添加到過濾鏈中;6. 提供AuthController處理認(rèn)證請求,通過AuthenticationManager驗(yàn)證憑據(jù),成功后生成JWT并返回AuthResponse;7. 實(shí)現(xiàn)UserDetailsService加載用戶信息用于認(rèn)證;8. 安全最佳實(shí)踐包括使用HTTPS、避免硬編碼密鑰、設(shè)置合理過期時(shí)間、不存儲敏感信息在payload中、驗(yàn)證簽發(fā)者和受眾、在分布式系統(tǒng)中使用JWKs;通過整合Spring Security與JWT,可實(shí)現(xiàn)無狀態(tài)、可擴(kuò)展的安全架構(gòu),支持后續(xù)添加角色權(quán)限和刷新令牌機(jī)制。

Securing Java REST APIs with Spring Security and JWT

Securing Java REST APIs is a critical requirement in modern web applications, especially when using stateless authentication mechanisms like JSON Web Tokens (JWT). Spring Security, combined with JWT, provides a robust and flexible way to protect your endpoints. Here's how to implement it effectively in a Spring Boot application.

Securing Java REST APIs with Spring Security and JWT

1. Understanding the Architecture

Before diving into code, it’s important to understand the flow:

  • The user sends login credentials (e.g., username and password).
  • The server validates them and returns a JWT.
  • The client includes this JWT in the Authorization header (as Bearer <token></token>) for subsequent requests.
  • The server validates the token on each request using a filter before allowing access.

Spring Security handles authentication and authorization, while a custom filter intercepts requests to validate the JWT.

Securing Java REST APIs with Spring Security and JWT

2. Add Required Dependencies

In your pom.xml, include:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.11.5</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-impl</artifactId>
        <version>0.11.5</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.11.5</version>
        <scope>runtime</scope>
    </dependency>
</dependencies>

3. Create JWT Utility Class

This class handles token generation, validation, and extraction.

Securing Java REST APIs with Spring Security and JWT
@Component
public class JwtUtil {

    private final String SECRET_KEY = "yourSecretKeyThatIsLongEnoughForHS512"; // Use a strong key
    private final int EXPIRATION_TIME = 86400000; // 24 hours

    public String extractUsername(String token) {
        return extractClaim(token, Claims::getSubject);
    }

    public Date extractExpiration(String token) {
        return extractClaim(token, Claims::getExpiration);
    }

    public <T> T extractClaim(String token, Function<Claims, T> claimResolver) {
        final Claims claims = extractAllClaims(token);
        return claimResolver.apply(claims);
    }

    private Claims extractAllClaims(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
    }

    private Boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, userDetails.getUsername());
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis()   EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS512, SECRET_KEY)
                .compact();
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = extractUsername(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }
}

4. Custom JWT Authentication Filter

This filter runs before most Spring Security checks and validates the JWT from the Authorization header.

@Component
public class JwtRequestFilter extends OncePerRequestFilter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        final String authorizationHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            username = jwtUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);

            if (jwtUtil.validateToken(jwt, userDetails)) {
                UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }
        chain.doFilter(request, response);
    }
}

5. Configure Spring Security

Override WebSecurityConfigurerAdapter (or use component-based config in newer versions).

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtRequestFilter jwtRequestFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/authenticate").permitAll()
                .antMatchers("/register").permitAll()
                .anyRequest().authenticated()
            .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

Note: In Spring Boot 3 , use SecurityFilterChain bean instead of extending WebSecurityConfigurerAdapter.

6. Create Authentication Endpoint

@RestController
public class AuthController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/authenticate")
    public ResponseEntity<?> createAuthenticationToken(@RequestBody AuthRequest authRequest) throws Exception {
        try {
            authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(authRequest.getUsername(), authRequest.getPassword())
            );
        } catch (BadCredentialsException e) {
            throw new Exception("Incorrect username or password", e);
        }

        final UserDetails userDetails = userDetailsService.loadUserByUsername(authRequest.getUsername());
        final String jwt = jwtUtil.generateToken(userDetails);

        return ResponseEntity.ok(new AuthResponse(jwt));
    }
}

With DTOs:

public class AuthRequest {
    private String username;
    private String password;
    // Getters and setters
}

public class AuthResponse {
    private String token;
    public AuthResponse(String token) { this.token = token; }
    // Getter
}

7. UserDetailsService Implementation

@Service
public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found"));

        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), new ArrayList<>());
    }
}

8. Best Practices & Security Tips

  • Use HTTPS in production — JWTs are sensitive.
  • Keep the secret key secure — never hardcode in source; use environment variables or secret management tools.
  • Set reasonable token expiration times — short-lived tokens with refresh tokens are better.
  • Avoid storing sensitive data in JWT payload — it's Base64-encoded, not encrypted.
  • Validate issuer and audience claims in production-grade apps.
  • Consider using JWKs (JSON Web Key Sets) for distributed systems.

Summary

By combining Spring Security and JWT, you get a clean, stateless way to secure REST APIs. The key components are:

  • A JWT utility for token creation/validation
  • A filter to intercept and authenticate requests
  • Proper Spring Security configuration
  • A login endpoint to issue tokens

This setup is widely used, scalable, and integrates well with frontend frameworks and mobile apps.

Basically, once the foundation is in place, extending roles, permissions, or adding refresh tokens becomes manageable.

以上是使用Spring Security和JWT確保Java Rest API的詳細(xì)內(nèi)容。更多信息請關(guān)注PHP中文網(wǎng)其他相關(guān)文章!

本站聲明
本文內(nèi)容由網(wǎng)友自發(fā)貢獻(xiàn),版權(quán)歸原作者所有,本站不承擔(dān)相應(yīng)法律責(zé)任。如您發(fā)現(xiàn)有涉嫌抄襲侵權(quán)的內(nèi)容,請聯(lián)系admin@php.cn

熱AI工具

Undress AI Tool

Undress AI Tool

免費(fèi)脫衣服圖片

Undresser.AI Undress

Undresser.AI Undress

人工智能驅(qū)動的應(yīng)用程序,用于創(chuàng)建逼真的裸體照片

AI Clothes Remover

AI Clothes Remover

用于從照片中去除衣服的在線人工智能工具。

Clothoff.io

Clothoff.io

AI脫衣機(jī)

Video Face Swap

Video Face Swap

使用我們完全免費(fèi)的人工智能換臉工具輕松在任何視頻中換臉!

熱工具

記事本++7.3.1

記事本++7.3.1

好用且免費(fèi)的代碼編輯器

SublimeText3漢化版

SublimeText3漢化版

中文版,非常好用

禪工作室 13.0.1

禪工作室 13.0.1

功能強(qiáng)大的PHP集成開發(fā)環(huán)境

Dreamweaver CS6

Dreamweaver CS6

視覺化網(wǎng)頁開發(fā)工具

SublimeText3 Mac版

SublimeText3 Mac版

神級代碼編輯軟件(SublimeText3)

Java中的'枚舉”類型是什么? Java中的'枚舉”類型是什么? Jul 02, 2025 am 01:31 AM

Java中的枚舉(enum)是一種特殊的類,用于表示固定數(shù)量的常量值。1.使用enum關(guān)鍵字定義;2.每個枚舉值都是該枚舉類型的公共靜態(tài)最終實(shí)例;3.可以包含字段、構(gòu)造函數(shù)和方法,為每個常量添加行為;4.可在switch語句中使用,支持直接比較,并提供name()、ordinal()、values()和valueOf()等內(nèi)置方法;5.枚舉可提升代碼的類型安全性、可讀性和靈活性,適用于狀態(tài)碼、顏色或星期等有限集合場景。

界面隔離原理是什么? 界面隔離原理是什么? Jul 02, 2025 am 01:24 AM

接口隔離原則(ISP)要求不強(qiáng)制客戶端依賴未使用的接口。其核心是用多個小而精的接口替代大而全的接口。違反該原則的表現(xiàn)包括:類實(shí)現(xiàn)接口時(shí)拋出未實(shí)現(xiàn)異常、存在大量無效方法實(shí)現(xiàn)、無關(guān)功能被強(qiáng)行歸入同一接口。應(yīng)用方法包括:按常用方法組劃分接口、依據(jù)客戶端使用拆分接口、必要時(shí)使用組合替代多接口實(shí)現(xiàn)。例如將包含打印、掃描、傳真方法的Machine接口拆分為Printer、Scanner和FaxMachine。在小型項(xiàng)目或所有客戶端均使用全部方法時(shí)可適當(dāng)放寬規(guī)則。

現(xiàn)代爪哇的異步編程技術(shù) 現(xiàn)代爪哇的異步編程技術(shù) Jul 07, 2025 am 02:24 AM

Java支持異步編程的方式包括使用CompletableFuture、響應(yīng)式流(如ProjectReactor)以及Java19 中的虛擬線程。1.CompletableFuture通過鏈?zhǔn)秸{(diào)用提升代碼可讀性和維護(hù)性,支持任務(wù)編排和異常處理;2.ProjectReactor提供Mono和Flux類型實(shí)現(xiàn)響應(yīng)式編程,具備背壓機(jī)制和豐富的操作符;3.虛擬線程減少并發(fā)成本,適用于I/O密集型任務(wù),與傳統(tǒng)平臺線程相比更輕量且易于擴(kuò)展。每種方式均有適用場景,應(yīng)根據(jù)需求選擇合適工具并避免混合模型以保持簡潔性

Java中可呼叫和可運(yùn)行的差異 Java中可呼叫和可運(yùn)行的差異 Jul 04, 2025 am 02:50 AM

Callable和Runnable在Java中主要有三點(diǎn)區(qū)別。第一,Callable的call()方法可以返回結(jié)果,適合需要返回值的任務(wù),如Callable;而Runnable的run()方法無返回值,適用于無需返回的任務(wù),如日志記錄。第二,Callable允許拋出checked異常,便于錯誤傳遞;而Runnable必須在內(nèi)部處理異常。第三,Runnable可直接傳給Thread或ExecutorService,而Callable只能提交給ExecutorService,并返回Future對象以

在Java中使用枚舉的最佳實(shí)踐 在Java中使用枚舉的最佳實(shí)踐 Jul 07, 2025 am 02:35 AM

在Java中,枚舉(enum)適合表示固定常量集合,最佳實(shí)踐包括:1.用enum表示固定狀態(tài)或選項(xiàng),提升類型安全和可讀性;2.為枚舉添加屬性和方法以增強(qiáng)靈活性,如定義字段、構(gòu)造函數(shù)、輔助方法等;3.使用EnumMap和EnumSet提高性能和類型安全性,因其基于數(shù)組實(shí)現(xiàn)更高效;4.避免濫用enum,如動態(tài)值、頻繁變更或復(fù)雜邏輯場景應(yīng)使用其他方式替代。正確使用enum能提升代碼質(zhì)量并減少錯誤,但需注意其適用邊界。

了解Java Nio及其優(yōu)勢 了解Java Nio及其優(yōu)勢 Jul 08, 2025 am 02:55 AM

JavaNIO是Java1.4引入的新型IOAPI,1)面向緩沖區(qū)和通道,2)包含Buffer、Channel和Selector核心組件,3)支持非阻塞模式,4)相比傳統(tǒng)IO更高效處理并發(fā)連接。其優(yōu)勢體現(xiàn)在:1)非阻塞IO減少線程開銷,2)Buffer提升數(shù)據(jù)傳輸效率,3)Selector實(shí)現(xiàn)多路復(fù)用,4)內(nèi)存映射加快文件讀寫。使用時(shí)需注意:1)Buffer的flip/clear操作易混淆,2)非阻塞下需手動處理不完整數(shù)據(jù),3)Selector注冊需及時(shí)取消,4)NIO并非適用于所有場景。

探索Java中不同的同步機(jī)制 探索Java中不同的同步機(jī)制 Jul 04, 2025 am 02:53 AM

Javaprovidesmultiplesynchronizationtoolsforthreadsafety.1.synchronizedblocksensuremutualexclusionbylockingmethodsorspecificcodesections.2.ReentrantLockoffersadvancedcontrol,includingtryLockandfairnesspolicies.3.Conditionvariablesallowthreadstowaitfor

Java Classloader在內(nèi)部如何工作 Java Classloader在內(nèi)部如何工作 Jul 06, 2025 am 02:53 AM

Java的類加載機(jī)制通過ClassLoader實(shí)現(xiàn),其核心工作流程分為加載、鏈接和初始化三個階段。加載階段由ClassLoader動態(tài)讀取類的字節(jié)碼并創(chuàng)建Class對象;鏈接包括驗(yàn)證類的正確性、為靜態(tài)變量分配內(nèi)存及解析符號引用;初始化則執(zhí)行靜態(tài)代碼塊和靜態(tài)變量賦值。類加載采用雙親委派模型,優(yōu)先委托父類加載器查找類,依次嘗試Bootstrap、Extension和ApplicationClassLoader,確保核心類庫安全且避免重復(fù)加載。開發(fā)者可自定義ClassLoader,如URLClassL

See all articles