aru*_*nan 30 spring jwt spring-boot
我是JWT的新手.网上没有太多的信息,因为我作为最后的手段来到这里.我已经使用spring会话使用spring security开发了一个spring boot应用程序.现在我们将转向JWT而不是春季会议.我找到了很少的链接,现在我可以验证用户并生成令牌.现在困难的部分是,我想创建一个过滤器,它将验证对服务器的每个请求,
Mat*_*eta 23
这是一个可以满足您需求的过滤器:
public class JWTFilter extends GenericFilterBean {
private static final Logger LOGGER = LoggerFactory.getLogger(JWTFilter.class);
private final TokenProvider tokenProvider;
public JWTFilter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException,
ServletException {
try {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
String jwt = this.resolveToken(httpServletRequest);
if (StringUtils.hasText(jwt)) {
if (this.tokenProvider.validateToken(jwt)) {
Authentication authentication = this.tokenProvider.getAuthentication(jwt);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
filterChain.doFilter(servletRequest, servletResponse);
this.resetAuthenticationAfterRequest();
} catch (ExpiredJwtException eje) {
LOGGER.info("Security exception for user {} - {}", eje.getClaims().getSubject(), eje.getMessage());
((HttpServletResponse) servletResponse).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
LOGGER.debug("Exception " + eje.getMessage(), eje);
}
}
private void resetAuthenticationAfterRequest() {
SecurityContextHolder.getContext().setAuthentication(null);
}
private String resolveToken(HttpServletRequest request) {
String bearerToken = request.getHeader(SecurityConfiguration.AUTHORIZATION_HEADER);
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
String jwt = bearerToken.substring(7, bearerToken.length());
return jwt;
}
return null;
}
}
并在过滤器链中包含过滤器:
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
public final static String AUTHORIZATION_HEADER = "Authorization";
@Autowired
private TokenProvider tokenProvider;
@Autowired
private AuthenticationProvider authenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(this.authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
JWTFilter customFilter = new JWTFilter(this.tokenProvider);
http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
// @formatter:off
http.authorizeRequests().antMatchers("/css/**").permitAll()
.antMatchers("/images/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/authenticate").permitAll()
.anyRequest().fullyAuthenticated()
.and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and().logout().permitAll();
// @formatter:on
http.csrf().disable();
}
}
TokenProvider类:
public class TokenProvider {
private static final Logger LOGGER = LoggerFactory.getLogger(TokenProvider.class);
private static final String AUTHORITIES_KEY = "auth";
@Value("${spring.security.authentication.jwt.validity}")
private long tokenValidityInMilliSeconds;
@Value("${spring.security.authentication.jwt.secret}")
private String secretKey;
public String createToken(Authentication authentication) {
String authorities = authentication.getAuthorities().stream().map(authority -> authority.getAuthority()).collect(Collectors.joining(","));
ZonedDateTime now = ZonedDateTime.now();
ZonedDateTime expirationDateTime = now.plus(this.tokenValidityInMilliSeconds, ChronoUnit.MILLIS);
Date issueDate = Date.from(now.toInstant());
Date expirationDate = Date.from(expirationDateTime.toInstant());
return Jwts.builder().setSubject(authentication.getName()).claim(AUTHORITIES_KEY, authorities)
.signWith(SignatureAlgorithm.HS512, this.secretKey).setIssuedAt(issueDate).setExpiration(expirationDate).compact();
}
public Authentication getAuthentication(String token) {
Claims claims = Jwts.parser().setSigningKey(this.secretKey).parseClaimsJws(token).getBody();
Collection<? extends GrantedAuthority> authorities = Arrays.asList(claims.get(AUTHORITIES_KEY).toString().split(",")).stream()
.map(authority -> new SimpleGrantedAuthority(authority)).collect(Collectors.toList());
User principal = new User(claims.getSubject(), "", authorities);
return new UsernamePasswordAuthenticationToken(principal, "", authorities);
}
public boolean validateToken(String authToken) {
try {
Jwts.parser().setSigningKey(this.secretKey).parseClaimsJws(authToken);
return true;
} catch (SignatureException e) {
LOGGER.info("Invalid JWT signature: " + e.getMessage());
LOGGER.debug("Exception " + e.getMessage(), e);
return false;
}
}
}
现在回答你的问题:
/loginURI 上的所有内容(/authenticate在我的代码中)我将重点关注JWT的一般提示,而不考虑代码实现(参见其他答案)
过滤器如何验证令牌?(只是验证签名就够了吗?)
RFC7519指定了如何验证JWT(参见7.2.验证JWT),基本上是语法验证和签名验证.
如果在身份验证流程中使用JWT,我们可以查看OpenID连接规范3.1.3.4 ID令牌验证提出的验证.总结:
iss包含颁发者标识符(如果使用oauth则aud包含client_id)
当前时间iat和exp
使用密钥验证令牌的签名
sub 标识有效用户
如果其他人盗取了令牌并进行了休息通话,我将如何验证.
拥有JWT是身份验证的证明.窃取令牌的攻击者可以冒充用户.所以保持令牌安全
使用TLS加密通信通道
为您的令牌使用安全存储.如果使用Web前端,请考虑添加额外的安全措施,以保护localStorage/cookie免受XSS或CSRF攻击
在身份验证令牌上设置较短的到期时间,并在令牌过期时需要凭据
我如何绕过过滤器中的登录请求?因为它没有授权标题.
登录表单不需要JWT令牌,因为您要验证用户凭据.保持表格超出过滤器的范围.成功验证后发出JWT,并将验证过滤器应用于其余服务
然后过滤器应该拦截除登录表单之外的所有请求,并检查:
如果用户认证?如果不扔401-Unauthorized
如果用户授权请求资源?如果不扔403-Forbidden
允许访问.将用户数据放在请求的上下文中(例如,使用ThreadLocal)
| 归档时间: |
|
| 查看次数: |
21360 次 |
| 最近记录: |