Spring with JWT auth,获取当前用户

0ve6wy6x  于 2024-01-05  发布在  Spring
关注(0)|答案(6)|浏览(180)

我有Sping Boot REST应用程序,它使用JWT令牌进行授权。我想使用@AuthenticationPrincipal注解在控制器中获取当前登录用户。但如果我从loadUserByUsername返回自定义模型,它总是返回null,并且auth停止工作。我的模型实现了UserDetails
我试图扩展org.springframework.security.core.userdetails.User,但我从JWTAuthenticationFilter中删除了默认构造函数不存在的错误(ApplicationUser creds = new ObjectMapper().readValue(req.getInputStream(), ApplicationUser.class);
怎么了?

UserDetailsServiceImpl.java

  1. @Service
  2. public class UserDetailsServiceImpl implements UserDetailsService {
  3.     private UserRepository userRepository;
  5.     public UserDetailsServiceImpl(UserRepository userRepository) {
  6.         this.userRepository = userRepository;
  7.     }
  9.     @Override
  10.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  11.         ApplicationUser applicationUser = userRepository.findByUsername(username);
  12.         if (applicationUser == null) throw new UsernameNotFoundException(username);
  14.         return applicationUser;
  15.     }
  16. }

字符串

ApplicationUser.java(model)

  1. @Entity
  2. @Table(name = "users")
  3. public class ApplicationUser implements UserDetails {
  5.     private static final long serialVersionUID = 1L;
  7.     @Id
  8.     @GeneratedValue(strategy = GenerationType.IDENTITY)
  9.     private long id;
  11.     @Column(unique = true, nullable = false)
  12.     private String username;
  14.     @Column(unique = true, nullable = false)
  15.     private String email;
  17.     @Column(nullable = false)
  18.     private String password;
  20.     public long getId() {
  21.         return id;
  22.     }
  24.     public void setId(long id) {
  25.         this.id = id;
  26.     }
  28.     public String getUsername() {
  29.         return username;
  30.     }
  32.     public void setUsername(String username) {
  33.         this.username = username;
  34.     }
  36.     public String getEmail() {
  37.         return email;
  38.     }
  40.     public void setEmail(String email) {
  41.         this.email = email;
  42.     }
  44.     public String getPassword() {
  45.         return password;
  46.     }
  48.     public void setPassword(String password) {
  49.         this.password = password;
  50.     }
  52.     @Override
  53.     public boolean isAccountNonExpired() {
  54.         return false;
  55.     }
  57.     @Override
  58.     public boolean isAccountNonLocked() {
  59.         return false;
  60.     }
  62.     @Override
  63.     public boolean isCredentialsNonExpired() {
  64.         return false;
  65.     }
  67.     @Override
  68.     public boolean isEnabled() {
  69.         return false;
  70.     }
  72.     @Override
  73.     public Collection<? extends GrantedAuthority> getAuthorities() {
  74.         return null;
  75.     }
  76. }

JWTAuthenticationFilter

  1. public class JWTAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
  2.     private AuthenticationManager authenticationManager;
  4.     public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
  5.         super(new AntPathRequestMatcher(LOGIN_URL));
  7.         this.authenticationManager = authenticationManager;
  8.     }
  10.     @Override
  11.     public Authentication attemptAuthentication(HttpServletRequest req,
  12.                                                 HttpServletResponse res) throws AuthenticationException {
  13.         try {
  14.             ApplicationUser creds = new ObjectMapper()
  15.                     .readValue(req.getInputStream(), ApplicationUser.class);
  17.             return authenticationManager.authenticate(
  18.                     new UsernamePasswordAuthenticationToken(
  19.                             creds.getUsername(),
  20.                             creds.getPassword(),
  21.                             new ArrayList<>())
  22.             );
  23.         } catch (IOException e) {
  24.             throw new RuntimeException(e);
  25.         }
  26.     }
  28.     @Override
  29.     protected void successfulAuthentication(HttpServletRequest req,
  30.                                             HttpServletResponse res,
  31.                                             FilterChain chain,
  32.                                             Authentication auth) throws IOException, ServletException {
  34.         String token = Jwts.builder()
  35.                 .setSubject(((ApplicationUser) auth.getPrincipal()).getUsername())
  36.                 .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
  37.                 .signWith(SignatureAlgorithm.HS512, SECRET.getBytes())
  38.                 .compact();
  40.         res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
  41.     }
  42. }

JWT AuthorizationFilter

  1. public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
  3.     public JWTAuthorizationFilter(AuthenticationManager authManager) {
  4.         super(authManager);
  5.     }
  7.     @Override
  8.     protected void doFilterInternal(HttpServletRequest req,
  9.                                     HttpServletResponse res,
  10.                                     FilterChain chain) throws IOException, ServletException {
  11.         String header = req.getHeader(HEADER_STRING);
  13.         if (header == null || !header.startsWith(TOKEN_PREFIX)) {
  14.             chain.doFilter(req, res);
  15.             return;
  16.         }
  18.         UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
  20.         SecurityContextHolder.getContext().setAuthentication(authentication);
  21.         chain.doFilter(req, res);
  22.     }
  24.     private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
  25.         String token = request.getHeader(HEADER_STRING);
  26.         if (token != null) {
  27.             // parse the token.
  28.             String user;
  29.             try {
  30.                 user = Jwts.parser()
  31.                         .setSigningKey(SECRET.getBytes())
  32.                         .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
  33.                         .getBody()
  34.                         .getSubject();
  35.             } catch (SignatureException e) {
  36.                 return null;
  37.             }
  39.             if (user != null) return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
  41.             return null;
  42.         }
  43.         return null;
  44.     }
  45. }

spring

6条答案

按热度按时间
qcbq4gxm

qcbq4gxm1#

我最近实现了一种方法,可以在SpringBoot中从JWT token获取用户名或电子邮件。

  1. private String getUserName() {
  2.          JwtAuthenticationToken authenticationToken = (JwtAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
  3.     Jwt jwt = (Jwt) authenticationToken.getCredentials();
  4.     String email = (String) jwt.getClaims().get("email");
  5.     return email;
  6.     }

字符串

赞(0)分享  回复(0)举报  2024-01-05
n6lpvg4x

n6lpvg4x2#

在您的情况下,@AuthenticationPrincipal将返回一个带有用户名的字符串,您可以通过在控制器中调用存储库并通过用户名获取用户,或者将存储库声明为@Bean并执行以下操作来获取用户:

  1. public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
  3. //Get the repository
  4. private UserRepository userRepository;
  6. public JWTAuthorizationFilter(AuthenticationManager authManager) {
  7.     super(authManager);
  8. }
  10. @Override
  11. protected void doFilterInternal(HttpServletRequest req,
  12.                                 HttpServletResponse res,
  13.                                 FilterChain chain) throws IOException, ServletException {
  14.     String header = req.getHeader(HEADER_STRING);
  16.     if (header == null || !header.startsWith(TOKEN_PREFIX)) {
  17.         chain.doFilter(req, res);
  18.         return;
  19.     }
  21.     UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
  23.     SecurityContextHolder.getContext().setAuthentication(authentication);
  24.     chain.doFilter(req, res);
  25. }
  27. private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
  28.     String token = request.getHeader(HEADER_STRING);
  29.     if (token != null) {
  30.         // parse the token.
  31.         String user;
  32.         try {
  33.             user = Jwts.parser()
  34.                     .setSigningKey(SECRET.getBytes())
  35.                     .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
  36.                     .getBody()
  37.                     .getSubject();
  38.         } catch (SignatureException e) {
  39.             return null;
  40.         }
  42.         //Get your user
  43.         UserEntity userEntity = this.userRepository.findByUsername(user);
  45.         if (user != null) {
  46.              //Seting in your AuthenticationPrincipal the user
  47.              return new UsernamePasswordAuthenticationToken(userEntity, null, new ArrayList<>());
  48.         }
  50.         return null;
  51.     }
  52.     return null;
  53. }
  55. }

字符串

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
2eafrhcq

2eafrhcq3#

检查是否使用了合适的注解,因为其中一个注解已被弃用。
Documentation - deprecated!
Documentation - fine!
此外,请注意将username(String)解析为参数,而不是User type:
用于将Authentication.getPrincipal()解析为方法参数的注解。
Check this topic as well!它可以帮助。
我不知道这是否是一个好的做法(我还没有被认为是Spring的“专业人士”),但在我的个人项目中,我从传递给控制器参数的HttpServletRequest对象中获取token。然后我使用JwtTokenUtil类,它有getUserFormToken(String token);方法来解析user/username。它看起来像这样:

控制器

  1. @Autowired
  2. TestService testService;
  4. @Autowired
  5. UserService userService;
  7. @Autowired
  8. private JwtTokenUtil jwtTokenUtil;
  10. @RequestMapping(value="/test", method = RequestMethod.GET, produces = "application/json")
  11. @ResponseBody
  12. public List<Test> getTestsListByUserId(HttpServletRequest req){
  13.     String token = req.getHeader(HEADER_STRING).replace(TOKEN_PREFIX,"");
  14.     return testService.findByUserId(userService.findByUsername(jwtTokenUtil.getUsernameFromToken(token)));
  15. }

字符串

JwtTokenUtil

  1. @Component
  2. public class JwtTokenUtil implements Serializable {
  4. public String getUsernameFromToken(String token) {
  5.     return getClaimFromToken(token, Claims::getSubject);
  6. }
  8. public Date getExpirationDateFromToken(String token) {
  9.     return getClaimFromToken(token, Claims::getExpiration);
  10. }
  12. public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
  13.     final Claims claims = getAllClaimsFromToken(token);
  14.     return claimsResolver.apply(claims);
  15. }
  17. private Claims getAllClaimsFromToken(String token) {
  18.     return Jwts.parser()
  19.             .setSigningKey(SIGNING_KEY)
  20.             .parseClaimsJws(token)
  21.             .getBody();
  22. }
  24. private Boolean isTokenExpired(String token) {
  25.     final Date expiration = getExpirationDateFromToken(token);
  26.     return expiration.before(new Date());
  27. }
  29. public String generateToken(User user) {
  30.     return doGenerateToken(user.getUsername());
  31. }
  33. private String doGenerateToken(String subject) {
  35.     Claims claims = Jwts.claims().setSubject(subject);
  36.     claims.put("scopes", Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
  38.     return Jwts.builder()
  39.             .setClaims(claims)
  40.             .setIssuer("issuer")
  41.             .setIssuedAt(new Date(System.currentTimeMillis()))
  42.             .setExpiration(new Date(System.currentTimeMillis() + ACCESS_TOKEN_VALIDITY_SECONDS*1000))
  43.             .signWith(SignatureAlgorithm.HS256, SIGNING_KEY)
  44.             .compact();
  45. }
  47. public Boolean validateToken(String token, UserDetails userDetails) {
  48.     final String username = getUsernameFromToken(token);
  49.     return (
  50.            username.equals(userDetails.getUsername())
  51.                    && !isTokenExpired(token));
  52.     }
  54. }


但我通常有不同的过滤器实现根据你的。如果你有兴趣-我用this教程和实现。

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
k5hmc34c

k5hmc34c4#

要检索自定义模型,我做以下事情:
从数据库中获取模型并将其设置为Principal。

  1. private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
  2.         String token = request.getHeader(HEADER_STRING);
  3.         if (token != null) {
  4.             // parse the token.
  5.             String user;
  6.             try {
  7.                 user = Jwts.parser()
  8.                         .setSigningKey(SECRET.getBytes())
  9.                         .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
  10.                         .getBody()
  11.                         .getSubject();
  12.             } catch (SignatureException e) {
  13.                 return null;
  14.             }
  16.             // Get user model
  17.             ApplicationUser userModel = userRepository.findByUsername(user);
  19.             // Set it
  20.             if (user != null && userModel != null) return new UsernamePasswordAuthenticationToken(userModel, null, new ArrayList<>());
  22.             return null;
  23.         }
  24.         return null;
  25.     }

字符串
然后在控制器中使用@AuthenticationPrincipal注解检索。

  1. public ApplicationUser getCurrentUser(@AuthenticationPrincipal ApplicationUser user) {
  2.     return user;
  3. }

展开查看全部
赞(0)分享  回复(0)举报  2024-01-05
osh3o9ms

osh3o9ms5#

如果这仍然是实际的,我刚才回答了类似的问题here
要点是从header中取出authorization token

  1. HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
  2.     String token = request.getHeader("Authorization").split(" ")[1];

字符串
然后你就可以解码得到你需要的零件。

赞(0)分享  回复(0)举报  2024-01-05
iih3973s

iih3973s6#

现在你可以做到这一点,它很容易和更简单:

  1. public User getCurrentUser() {
  2.         Authentication authenticationToken = SecurityContextHolder.getContext().getAuthentication();
  3.         return (User)authenticationToken.getPrincipal();
  4.     }

字符串

赞(0)分享  回复(0)举报  2024-01-05
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com