使用Spring Boot与Spring Security构建安全的RESTful API-优快云博客

本文链接：https://blog.youkuaiyun.com/intwei/article/details/149295811

使用Spring Boot与Spring Security构建安全的RESTful API

引言

在现代Web应用开发中，安全性是至关重要的。Spring Boot和Spring Security为开发者提供了强大的工具来构建安全的RESTful API。本文将详细介绍如何利用这些技术栈实现身份验证与授权，并结合JWT（JSON Web Token）提升安全性。

技术栈

核心框架: Spring Boot, Spring Security
身份验证: JWT
数据库: Hibernate, Spring Data JPA
构建工具: Maven

实现步骤

1. 初始化Spring Boot项目

首先，使用Spring Initializr创建一个新的Spring Boot项目，添加以下依赖：

Spring Web
Spring Security
Spring Data JPA
H2 Database (用于测试)

2. 配置Spring Security

在application.properties中配置JWT密钥和过期时间：

jwt.secret=your-secret-key
jwt.expiration=86400000

3. 实现JWT工具类

创建一个JwtTokenUtil类，用于生成和验证JWT令牌：

public class JwtTokenUtil {
    private String secret;
    private Long expiration;

    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + expiration))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = extractUsername(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }
}

4. 创建用户认证服务

实现UserDetailsService接口，加载用户信息：

@Service
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), new ArrayList<>());
    }
}

5. 配置安全过滤器

创建一个JwtRequestFilter类，用于拦截请求并验证JWT令牌：

public class JwtRequestFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        final String authorizationHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            username = jwtTokenUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
            if (jwtTokenUtil.validateToken(jwt, userDetails)) {
                UsernamePasswordAuthenticationToken authenticationToken =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
            }
        }
        chain.doFilter(request, response);
    }
}