Spring Boot Sping Boot webflux安全性与JWT令牌

68de4m5k  于 2024-01-06  发布在  Spring
关注(0)|答案(1)|浏览(167)

尝试使用Sping Boot webflux设置基于JWT token的身份验证。

Sping Boot 版本:- 2.3.0.BUild-SNAPSHOT
**技术栈:-**Angular 9、Sping Boot 2.3.0、BUILD-SNAPSHOT、Spring security、Spring security JWT

  1. <dependency>
  2.             <groupId>org.springframework.boot</groupId>
  3.             <artifactId>spring-boot-starter-security</artifactId>
  4.         </dependency>
  5.         <dependency>
  6.             <groupId>org.springframework.boot</groupId>
  7.             <artifactId>spring-boot-starter-webflux</artifactId>
  8.         </dependency>
  9. <dependency>
  10.             <groupId>org.springframework.security</groupId>
  11.             <artifactId>spring-security-jwt</artifactId>
  12.             <version>1.1.0.RELEASE</version>
  13.         </dependency>

字符串
GUI是基于angular 9的,并使用基于表单的身份验证。
需要JWT来调用来自Angular 和调用也来直接到API。

WebSecurityConfig,

  1. @Configuration
  2. @EnableWebFluxSecurity
  3. @EnableGlobalMethodSecurity(prePostEnabled = true)
  4. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  5.     @Autowired
  6.     private AuthenticationManager authenticationManager;
  8.     @Autowired
  9.     private ServerSecurityContextRepository securityContextRepository;
  11.     @Bean
  12.     public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
  13.         return http.exceptionHandling().authenticationEntryPoint((swe, e) -> {
  14.             return Mono.fromRunnable(() -> {
  15.                 swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
  16.             });
  17.         }).accessDeniedHandler((swe, e) -> {
  18.             return Mono.fromRunnable(() -> {
  19.                 swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
  20.             });
  21.         }).and().csrf().disable().formLogin().disable().httpBasic().disable()
  22.                 .authenticationManager(authenticationManager).securityContextRepository(securityContextRepository)
  23.                 .authorizeExchange().pathMatchers(HttpMethod.OPTIONS).permitAll().pathMatchers("/login").permitAll()
  24.                 .anyExchange().authenticated().and().build();
  25.     }
  27.     @Bean
  28.     public PBKDF2Encoder passwordEncoder() {
  29.         return new PBKDF2Encoder();
  30.     }
  32. }

PBKDF2Encoder,

  1. @Component
  2. public class PBKDF2Encoder implements PasswordEncoder {
  3.     @Value("${springbootwebfluxjjwt.password.encoder.secret}")
  4.     private String secret;
  6.     @Value("${springbootwebfluxjjwt.password.encoder.iteration}")
  7.     private Integer iteration;
  9.     @Value("${springbootwebfluxjjwt.password.encoder.keylength}")
  10.     private Integer keylength;
  12.     /**
  13.      * More info (https://www.owasp.org/index.php/Hashing_Java)
  14.      * 
  15.      * @param cs password
  16.      * @return encoded password
  17.      */
  18.     @Override
  19.     public String encode(CharSequence cs) {
  20.         try {
  21.             byte[] result = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")
  22.                     .generateSecret(
  23.                             new PBEKeySpec(cs.toString().toCharArray(), secret.getBytes(), iteration, keylength))
  24.                     .getEncoded();
  25.             return Base64.getEncoder().encodeToString(result);
  26.         } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
  27.             throw new RuntimeException(ex);
  28.         }
  29.     }
  31.     @Override
  32.     public boolean matches(CharSequence cs, String string) {
  33.         return encode(cs).equals(string);
  34.     }
  35. }

AuthenticationManager,

  1. @Component
  2. public class AuthenticationManager implements ReactiveAuthenticationManager {
  4.     @Autowired
  5.     private JWTUtil jwtUtil;
  7.     @Override
  8.     public Mono<Authentication> authenticate(Authentication authentication) {
  9.         String authToken = authentication.getCredentials().toString();
  11.         String username;
  12.         try {
  13.             username = jwtUtil.getUsernameFromToken(authToken);
  14.         } catch (Exception e) {
  15.             username = null;
  16.         }
  17.         if (username != null && jwtUtil.validateToken(authToken)) {
  18.             Claims claims = jwtUtil.getAllClaimsFromToken(authToken);
  19.             List<String> rolesMap = claims.get("role", List.class);
  20.             List<Role> roles = new ArrayList<>();
  21.             for (String rolemap : rolesMap) {
  22.                 roles.add(Role.valueOf(rolemap));
  23.             }
  24.             UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
  25.                 username,
  26.                 null,
  27.                 roles.stream().map(authority -> new SimpleGrantedAuthority(authority.name())).collect(Collectors.toList())
  28.             );
  29.             return Mono.just(auth);
  30.         } else {
  31.             return Mono.empty();
  32.         }
  33.     }
  34. }

SecurityContextRepository,

  1. @Component
  2. public class SecurityContextRepository implements ServerSecurityContextRepository {
  4.     @Autowired
  5.     private AuthenticationManager authenticationManager;
  7.     @Override
  8.     public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
  9.         throw new UnsupportedOperationException("Not supported yet.");
  10.     }
  12.     @Override
  13.     public Mono<SecurityContext> load(ServerWebExchange swe) {
  14.         ServerHttpRequest request = swe.getRequest();
  15.         String authHeader = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
  17.         if (authHeader != null && authHeader.startsWith("Bearer ")) {
  18.             String authToken = authHeader.substring(7);
  19.             Authentication auth = new UsernamePasswordAuthenticationToken(authToken, authToken);
  20.             return this.authenticationManager.authenticate(auth).map((authentication) -> {
  21.                 return new SecurityContextImpl(authentication);
  22.             });
  23.         } else {
  24.             return Mono.empty();
  25.         }
  26.     }
  28. }


这是正确的做法吗?还有更好的做法吗?

spring-boot

1条答案

按热度按时间
3b6akqbq

3b6akqbq1#

我也遇到过同样的问题,经过大量的研究,我做了一个功能完全100%的演示项目,实现了webflux + webflux-security +其他.
该实施包括:

  • Spring webflux
  • Spring安全性通过JWT +验证层实现
  • 用户注册演示端点
  • 用户身份验证端点
  • 模型到dto的Map(使用mapstruct)
  • User R2db with Postgresql repository impl
  • spring安全层中的用户验证,根据db中的用户记录
赞(0)分享  回复(0)举报  2024-01-06
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com