马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?立即注册
x
利用 Spring Boot 和 Spring Security 构建安全的 Web 应用:OAuth2、记住我与 JWT 集成指南
在当代 Web 应用中,安全性是至关紧张的。Spring Security 是一个功能强大且高度可定制的安全框架,能够帮助我们轻松实现认证、授权以及其他安全功能。本文将详细介绍怎样利用 Spring Boot 和 Spring Security 构建一个安全的 Web 应用,并扩展以下功能:
- 利用 OAuth2 实现第三方登录(如 Google、GitHub)。
- 设置“记住我”功能,提拔用户体验。
- 集成 JWT(JSON Web Token)实现无状态认证,适合分布式系统。
1. 项目初始化
1.1 创建 Spring Boot 项目
利用 Spring Initializr 创建一个 Spring Boot 项目,选择以下依赖:
- Spring Web
- Spring Security
- Thymeleaf(可选,用于前端模板)
- Spring Boot DevTools(可选,用于开辟热加载)
1.2 项目布局
项目布局如下:
- src
- ├── main
- │ ├── java
- │ │ └── com
- │ │ └── example
- │ │ └── demo
- │ │ ├── DemoApplication.java
- │ │ ├── config
- │ │ │ └── SecurityConfig.java
- │ │ ├── controller
- │ │ │ └── HomeController.java
- │ │ ├── filter
- │ │ │ └── JwtRequestFilter.java
- │ │ ├── service
- │ │ │ └── CustomUserDetailsService.java
- │ │ └── util
- │ │ └── JwtUtil.java
- │ └── resources
- │ ├── static
- │ ├── templates
- │ │ ├── home.html
- │ │ ├── login.html
- │ │ └── user.html
- │ └── application.properties
- └── test
- └── java
- └── com
- └── example
- └── demo
- └── DemoApplicationTests.java
2. 利用 OAuth2 实现第三方登录
OAuth2 是一种授权框架,允许用户通过第三方平台(如 Google、GitHub 等)登录你的应用。
2.1 添加依赖
在 pom.xml 中添加 OAuth2 依赖:
- <dependency>
- <groupId>org.springframework.boot</groupId>
- <artifactId>spring-boot-starter-oauth2-client</artifactId>
- </dependency>
在 application.properties 中设置 OAuth2 客户端信息。以 Google 为例:
- # Google OAuth2 配置
- spring.security.oauth2.client.registration.google.client-id=your-google-client-id
- spring.security.oauth2.client.registration.google.client-secret=your-google-client-secret
- spring.security.oauth2.client.registration.google.scope=profile,email
- # GitHub OAuth2 配置
- spring.security.oauth2.client.registration.github.client-id=your-github-client-id
- spring.security.oauth2.client.registration.github.client-secret=your-github-client-secret
- spring.security.oauth2.client.registration.github.scope=user:email
在 SecurityConfig 中启用 OAuth2 登录:
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http
- .authorizeHttpRequests((requests) -> requests
- .requestMatchers("/", "/home").permitAll()
- .anyRequest().authenticated()
- )
- .oauth2Login((oauth2) -> oauth2
- .loginPage("/login") // 自定义登录页面
- .defaultSuccessUrl("/home") // 登录成功后跳转的页面
- )
- .logout((logout) -> logout.permitAll());
- return http.build();
- }
在 HomeController 中添加一个端点,用于表现用户信息:
- @GetMapping("/user")
- public String user(Model model, OAuth2AuthenticationToken authentication) {
- OAuth2User user = authentication.getPrincipal();
- model.addAttribute("name", user.getAttribute("name"));
- model.addAttribute("email", user.getAttribute("email"));
- return "user";
- }
在 templates 目次下创建 user.html:
- <!DOCTYPE html>
- <html xmlns:th="http://www.thymeleaf.org">
- <head>
- <title>User Info</title>
- </head>
- <body>
- <h1>Welcome, <span th:text="${name}"></span>!</h1>
- <p>Email: <span th:text="${email}"></span></p>
- <a href="/logout">Logout</a>
- </body>
- </html>
3. 设置“记住我”功能
“记住我”功能允许用户在关闭欣赏器后仍旧保持登录状态。
3.1 设置 SecurityConfig
在 SecurityConfig 中启用“记住我”功能:
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http
- .rememberMe((remember) -> remember
- .tokenValiditySeconds(86400) // 记住我有效期为 1 天
- .key("uniqueAndSecret") // 密钥
- );
- return http.build();
- }
在 login.html 中添加“记住我”复选框:
- <div>
- <label>
- <input type="checkbox" name="remember-me"/> Remember me
- </label>
- </div>
4. 集成 JWT 实现无状态认证
JWT(JSON Web Token)是一种无状态认证机制,适合分布式系统。
4.1 添加依赖
在 pom.xml 中添加 JWT 依赖:
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt</artifactId>
- <version>0.9.1</version>
- </dependency>
在 util 包下创建 JwtUtil.java:
- package com.example.demo.util;
- import io.jsonwebtoken.Claims;
- import io.jsonwebtoken.Jwts;
- import io.jsonwebtoken.SignatureAlgorithm;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.stereotype.Component;
- import java.util.Date;
- import java.util.HashMap;
- import java.util.Map;
- import java.util.function.Function;
- @Component
- public class JwtUtil {
- private String SECRET_KEY = "secret";
- public String extractUsername(String token) {
- return extractClaim(token, Claims::getSubject);
- }
- public Date extractExpiration(String token) {
- return extractClaim(token, Claims::getExpiration);
- }
- public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
- final Claims claims = extractAllClaims(token);
- return claimsResolver.apply(claims);
- }
- private Claims extractAllClaims(String token) {
- return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
- }
- private Boolean isTokenExpired(String token) {
- return extractExpiration(token).before(new Date());
- }
- public String generateToken(UserDetails userDetails) {
- Map<String, Object> claims = new HashMap<>();
- return createToken(claims, userDetails.getUsername());
- }
- private String createToken(Map<String, Object> claims, String subject) {
- return Jwts.builder()
- .setClaims(claims)
- .setSubject(subject)
- .setIssuedAt(new Date(System.currentTimeMillis()))
- .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 小时有效期
- .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
- .compact();
- }
- public Boolean validateToken(String token, UserDetails userDetails) {
- final String username = extractUsername(token);
- return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
- }
- }
在 filter 包下创建 JwtRequestFilter.java:
- package com.example.demo.filter;
- import com.example.demo.util.JwtUtil;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
- import org.springframework.security.core.context.SecurityContextHolder;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
- import org.springframework.stereotype.Component;
- import org.springframework.web.filter.OncePerRequestFilter;
- import javax.servlet.FilterChain;
- import javax.servlet.ServletException;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
- @Component
- public class JwtRequestFilter extends OncePerRequestFilter {
- @Autowired
- private UserDetailsService userDetailsService;
- @Autowired
- private JwtUtil jwtUtil;
- @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
- throws ServletException, IOException {
- final String authorizationHeader = request.getHeader("Authorization");
- String username = null;
- String jwt = null;
- if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
- jwt = authorizationHeader.substring(7);
- username = jwtUtil.extractUsername(jwt);
- }
- if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
- UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
- if (jwtUtil.validateToken(jwt, userDetails)) {
- UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
- userDetails, null, userDetails.getAuthorities());
- authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
- SecurityContextHolder.getContext().setAuthentication(authenticationToken);
- }
- }
- chain.doFilter(request, response);
- }
- }
在 SecurityConfig 中设置 JWT 过滤器:
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http
- .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
- .authorizeHttpRequests((requests) -> requests
- .requestMatchers("/authenticate").permitAll()
- .anyRequest().authenticated()
- )
- .sessionManagement((session) -> session
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // 无状态会话
- );
- return http.build();
- }
在 controller 包下创建 AuthController.java:
- package com.example.demo.controller;
- import com.example.demo.util.JwtUtil;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.security.authentication.AuthenticationManager;
- import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.web.bind.annotation.PostMapping;
- import org.springframework.web.bind.annotation.RequestBody;
- import org.springframework.web.bind.annotation.RestController;
- @RestController
- public class AuthController {
- @Autowired
- private AuthenticationManager authenticationManager;
- @Autowired
- private UserDetailsService userDetailsService;
- @Autowired
- private JwtUtil jwtUtil;
- @PostMapping("/authenticate")
- public String createAuthenticationToken(@RequestBody AuthenticationRequest authenticationRequest) throws Exception {
- authenticationManager.authenticate(
- new UsernamePasswordAuthenticationToken(authenticationRequest.getUsername(), authenticationRequest.getPassword())
- );
- final UserDetails userDetails = userDetailsService.loadUserByUsername(authenticationRequest.getUsername());
- final String jwt = jwtUtil.generateToken(userDetails);
- return jwt;
- }
- }
5. 总结
通过本文的步调,你已经成功扩展了 Spring Security 项目:
- 利用 OAuth2 实现了第三方登录。
- 设置了“记住我”功能。
- 集成了 JWT 实现无状态认证。
这些功能可以显著提拔应用的安全性和用户体验。你可以根据现实需求进一步优化和扩展。希望这篇博客对你有所帮助!
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。 |
