我以这种方式生成jwt令牌。

public String generateToken(String email,long id) {
    Map<String, Object> claims = new HashMap<>();
    claims.put("userId",id);
    return doGenerateToken(claims, email);
}

private String doGenerateToken(Map<String, Object> claims, String subject) {

    return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
            .setExpiration(new Date(System.currentTimeMillis() + Long.parseLong(tokenValidity))).signWith(SignatureAlgorithm.HS512, secret).compact();
}

我现在面临的问题是，任何带有有效jwt令牌的请求都可以访问整个数据。目标是只获取由同一用户创建的数据。

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    httpSecurity.cors().and().csrf().disable().headers().and()
            .authorizeRequests()
            .antMatchers("/api/users/register","/api/users/login","/api/users/token-validate").permitAll()
            .antMatchers("/").hasAnyAuthority("ADMIN")
            .antMatchers("**/save").hasAnyAuthority("ADMIN")
            .antMatchers("**/edit").hasAnyAuthority("ADMIN")
            .antMatchers("**/delete").hasAnyAuthority("ADMIN")
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

只能检索属于用户的消息。对不起，英语不好。

@GetMapping("/get-messages")
public ResponseEntity<GetMessageResponse> getAllMessages(@RequestParam(name = "user-id") long id){
    List<Message> messageList = messageService.findMessagesByUserId(id);
    return ResponseEntity.ok().body(new GetMessageResponse(MessageList,"Messages Retrieved Successfully", HttpStatus.OK));
}