本文介绍basic auth和JWT验证结合

目录结构

依赖

<dependency>

    <groupId>io.jsonwebtoken</groupId>

    <artifactId>jjwt</artifactId>

    <version>0.9.1</version>

</dependency>

<dependency>

    <groupId>com.auth0</groupId>

    <artifactId>auth0</artifactId>

    <version>1.8.0</version>

</dependency>

<dependency>

	<groupId>com.auth0</groupId>

	<artifactId>auth0-spring-security-api</artifactId>

	<version>1.1.0</version>

</dependency>

<dependency>

    <groupId>org.springframework.boot</groupId>

    <artifactId>spring-boot-starter-security</artifactId>

</dependency>

<dependency>

    <groupId>org.json</groupId>

	<artifactId>json</artifactId>

	<version>20180813</version>

</dependency>

<dependency>

	<groupId>org.glassfish</groupId>

	<artifactId>javax.xml.bind</artifactId>

	<version>10.0-b28</version>

</dependency>

config配置文件WebSecurityConfig

package com.springlearn.learn.config;

import com.springlearn.learn.filter.JWTAuthenticationFilter;

import com.springlearn.learn.filter.JWTLoginFilter;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.http.HttpMethod;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import org.springframework.web.servlet.config.annotation.CorsRegistry;

import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration

public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        http.cors().and().csrf().disable();

        // 所有的请求都要验证

        http.authorizeRequests()

        .antMatchers("/").permitAll() // 访问 "/" 无需验证

        .antMatchers(HttpMethod.POST, "/login").permitAll() // 访问 "/login" 无需token即可进入

        .antMatchers(HttpMethod.GET, "/login").permitAll()

        .anyRequest()

        .authenticated()

        .and()

        .addFilterBefore( // 添加验证过滤器

            new JWTLoginFilter("/login", authenticationManager()),

            UsernamePasswordAuthenticationFilter.class

        )

        .addFilterBefore(

            new JWTAuthenticationFilter(),

            UsernamePasswordAuthenticationFilter.class

        );

    }

    @Bean

    public BCryptPasswordEncoder passwordEncoder() {

        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

        return bCryptPasswordEncoder;

    }

    @Autowired

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        String password = "234";

        String encrytedPassword = this.passwordEncoder().encode(password);

        System.out.println("Encoded password = " + encrytedPassword);

        // 这里使用写死的验证,你可以在这里访问数据库

        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> mngConfig = auth.inMemoryAuthentication();

        UserDetails u1 = User.withUsername("yejiawei").password(encrytedPassword).roles("ADMIN").build();

        UserDetails u2 = User.withUsername("donglei").password(encrytedPassword).roles("USER").build();

        mngConfig.withUser(u1);

        mngConfig.withUser(u2);

    }

    @Override

    public void addCorsMappings(CorsRegistry registry) {

        registry.addMapping("/**").allowedOrigins("*").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")

        .allowedHeaders("*");

    }

}

filter过滤器JWTLoginFilter

package com.springlearn.learn.filter;

import java.io.IOException;

import java.util.Collections;

import java.util.HashMap;

import java.util.Iterator;

import java.util.Map;

import java.util.stream.Collectors;

import javax.servlet.FilterChain;

import javax.servlet.ServletException;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import com.springlearn.learn.service.TokenAuthenticationService;

import org.json.JSONObject;

import org.springframework.security.authentication.AuthenticationManager;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.AuthenticationException;

import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter{

    public JWTLoginFilter(String url, AuthenticationManager authManager) {

        super(new AntPathRequestMatcher(url));

        setAuthenticationManager(authManager);

    }

    @Override

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)

            throws AuthenticationException, IOException, ServletException {

        // get方式获取参数

        // String username = request.getParameter("username");

        // String password = request.getParameter("password");

        // post方式获取数据

        String s = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));

        JSONObject jsonObject = new JSONObject(s);

        HashMap<String, String> result = new HashMap<String, String>();

        String key = null;

        Iterator<?> keys = jsonObject.keys();

        while(keys.hasNext()) {

            key = (String) keys.next();

            result.put(key, jsonObject.getString(key));

        }

        System.out.printf("JWTLoginFilter.attemptAuthentication: username/password= %s,%s", result.get("username"), result.get("password"));

        System.out.println();

        return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(result.get("username"), result.get("password"), Collections.emptyList()));

    }

    @Override

    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,

            Authentication authResult) throws IOException, ServletException {

        System.out.println("JWTLoginFilter.successfulAuthentication:");

        // Write Authorization to Headers of Response.

        TokenAuthenticationService.addAuthentication(response, authResult.getName());

        String authorizationString = response.getHeader("Authorization");

        System.out.println("Authorization String=" + authorizationString);

    }

    @Override

    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {

        response.setContentType("application/json");

        response.setStatus(HttpServletResponse.SC_OK);

        response.getOutputStream().println((new JSONObject(){{

            put("status", 500);

            put("message", "Internal Server Error!!!");

            put("result", JSONObject.NULL);

        }}).toString());

    }

}

filter过滤器JWTAuthenticationFilter

package com.springlearn.learn.filter;

import java.io.IOException;

import javax.servlet.FilterChain;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import com.springlearn.learn.service.TokenAuthenticationService;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.context.SecurityContextHolder;

import org.springframework.web.filter.GenericFilterBean;

public class JWTAuthenticationFilter extends GenericFilterBean {

    @Override

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)

            throws IOException, ServletException {

        System.out.println("JWTAuthenticationFilter.doFilter");

        Authentication authentication = TokenAuthenticationService.getAuthentication((HttpServletRequest) servletRequest);

        SecurityContextHolder.getContext().setAuthentication(authentication);

        filterChain.doFilter(servletRequest, servletResponse);

    }

}

service中的TokenAuthenticationService

package com.springlearn.learn.service;

import java.io.IOException;

import java.util.Collections;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.json.JSONObject;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

import org.springframework.security.core.Authentication;

import io.jsonwebtoken.Jwts;

import io.jsonwebtoken.SignatureAlgorithm;

public class TokenAuthenticationService {

    static final long _expiretime = 864_000_000;

    static final String _secret = "ThisIsASecret";

    static final String _token_prefix = "Bearer";

    static final String _header_string = "Authorization";

    public static void addAuthentication(HttpServletResponse res, String username) throws IOException {

        String JWT =

                Jwts.builder()

                .setSubject(username)

                .setExpiration(new Date(System.currentTimeMillis() + _expiretime))

                .signWith(SignatureAlgorithm.HS512, _secret).compact();

        res.addHeader(_header_string, _token_prefix + " " + JWT);

        res.setContentType("application/json");

        res.setStatus(HttpServletResponse.SC_OK);

        res.getOutputStream().println((new JSONObject(){{

            put("status", 0);

            put("message", "");

            put("result", JWT);

        }}).toString());

    }

    public static Authentication getAuthentication(HttpServletRequest request) {

        String token = request.getHeader(_header_string);

        if (token != null) {

            // parse the token.

            String user = Jwts.parser().setSigningKey(_secret).parseClaimsJws(token.replace(_token_prefix, "")).getBody()

                    .getSubject();

            return user != null ? new UsernamePasswordAuthenticationToken(user, null, Collections.emptyList()) : null;

        }

        return null;

    }

}

启动文件DemoApplication

package com.springlearn.learn;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication

public class DemoApplication {

	public static void main(String[] args) {

		SpringApplication.run(DemoApplication.class, args);

	}

}

Controller中的TestController

package com.springlearn.learn.controller;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.springframework.web.bind.annotation.RequestBody;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RequestMethod;

import org.springframework.web.bind.annotation.ResponseBody;

import org.springframework.web.bind.annotation.RestController;

@RestController

public class TestController {

    @ResponseBody

    @RequestMapping(value = "/AuthTest", method = RequestMethod.GET)

    public String AuthTest(HttpServletRequest request, HttpServletResponse response) {

        return "OK";

    }

    @ResponseBody

    @RequestMapping(value = "/login", method = RequestMethod.GET)

    public String Login(@RequestBody Object user, HttpServletRequest request, HttpServletResponse response) {

        return "OK";

    }

}

前端测试

<!DOCTYPE html>

<html lang="en">

<head>

    <meta charset="UTF-8">

    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <meta http-equiv="X-UA-Compatible" content="ie=edge">

    <title>Document</title>

    <script src="https://unpkg.com/axios/dist/axios.min.js"></script>

    <script>

        axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded'; 

        axios.post('http://localhost:9001/login', {

            username: 'yejiawei',

            password: '234'

        }).then(function (response) {

            localStorage.setItem("token", response.data.result)

        }).catch(function (error) {

            console.log(error);

        }).then(function () {

        });

        // axios.get('http://localhost:9001/AuthTest', {

        //     headers: {

        //         "Authorization": localStorage.getItem("token")

        //     }

        // }).then(function (response) {

        //     console.log(response.data);

        // }).catch(function (error) {

        //     console.log(error);

        // }).then(function () {

        // });

    </script>

</head>

<body>

</body>

</html>

springboot成神之——basic auth和JWT验证结合的更多相关文章

  1. springboot成神之——Basic Auth应用

    本文介绍Basic Auth在spring中的应用 目录结构 依赖 入口DemoApplication 验证Authenication 配置WebSecurityConfig 控制器TestContr ...

  2. springboot成神之——ioc容器(依赖注入)

    springboot成神之--ioc容器(依赖注入) spring的ioc功能 文件目录结构 lang Chinese English GreetingService MyRepository MyC ...

  3. springboot成神之——application.properties所有可用属性

    application.properties所有可用属性 # =================================================================== # ...

  4. springboot成神之——springboot入门使用

    springboot创建webservice访问mysql(使用maven) 安装 起步 spring常用命令 spring常见注释 springboot入门级使用 配置你的pom.xml文件 配置文 ...

  5. springboot成神之——mybatis和mybatis-generator

    项目结构 依赖 generator配置文件 properties配置 生成文件 使用Example 本文讲解如何在spring-boot中使用mybatis和mybatis-generator自动生成 ...

  6. springboot成神之——swagger文档自动生成工具

    本文讲解如何在spring-boot中使用swagger文档自动生成工具 目录结构 说明 依赖 SwaggerConfig 开启api界面 JSR 303注释信息 Swagger核心注释 User T ...

  7. springboot成神之——log4j2的使用

    本文介绍如何在spring-boot中使用log4j2 说明 依赖 日志记录语句 log4j2配置文件 本文介绍如何在spring-boot中使用log4j2 说明 log4j2本身使用是非常简单的, ...

  8. springboot成神之——mybatis在spring-boot中使用的几种方式

    本文介绍mybatis在spring-boot中使用的几种方式 项目结构 依赖 WebConfig DemoApplication 方式一--@Select User DemoApplication ...

  9. springboot成神之——发送邮件

    本文介绍如何用spring发送邮件 目录结构 依赖 MailConfig TestController 测试 本文介绍如何用spring发送邮件 目录结构 依赖 <dependency> ...

随机推荐

  1. uva11827gcd

    gcd裸题,不过输入要注意gets会tle,要用快速读入 #include<map> #include<set> #include<cmath> #include& ...

  2. Solr简单测试

    import org.apache.solr.client.solrj.SolrClient; import org.apache.solr.client.solrj.SolrQuery; impor ...

  3. 【hive】函数大全

    数学函数 Return Type Name (Signature) Description DOUBLE round(DOUBLE a) Returns the rounded BIGINT valu ...

  4. input type=file 怎么样调取用户手机照相机

    input 有个属性accept="image/*" 这样就可以了,同时在网上看到了其他答案,试了下没啥效果.写记录下来 如下: 使用input:file标签, 去调用系统默认相机 ...

  5. Flask中的session ,自定义实现 session机制, 和 flask-session组件

    session 是基于cookie实现, 保存在服务端的键值对(形式为 {随机字符串:'xxxxxx'}), 同时在浏览器中的cookie中也对应一相同的随机字符串,用来再次请求的 时候验证: 注意 ...

  6. Android 仿淘宝属性标签页

    直接看效果图相信这样的效果很多,我之前在网上找了很久没找到自己想要的! <?xml version="1.0" encoding="utf-8"?> ...

  7. 大白话讲解如何给github上项目贡献代码

    本文献给对git很迷茫的新手,注意是新手,但至少会点基本操作,有点基本概念的新手,我不会从怎么用github和git是什么开始讲的.如果作为新手你看书又看不进去,原理又太复杂,又没有直接了当告诉我们怎 ...

  8. 关于Sublime Text不能在打开方式中显示并且不能被设置成默认打开方式的问题

    解决方法: 1. Windows 输入 regedit 后 回车 打开注册表 2.找到 "HKEY_CLASSES_ROOT\Applications\sublime_text.exe\sh ...

  9. Java进阶知识点7:不要只会写synchronized - JDK十大并发编程组件总结

    一.背景 提到Java中的并发编程,首先想到的便是使用synchronized代码块,保证代码块在并发环境下有序执行,从而避免冲突.如果涉及多线程间通信,可以再在synchronized代码块中使用w ...

  10. 关于public static void main(String[] args)相关知识

    main()方法是Java应用程序的入口方法,也就是说,程序在运行的时候,第一个执行的方法就是main()方法,这个方法和其他的方法有很大的不同.比如方法的名字必须是main,方法必须是public ...