Spring Security (7) Uses JWT authentication

In the previous section, we used a custom authentication token class to support multiple logins, but still session-based. In this section, we need to combine JWT to do the authentication function.

demand

When you log in, return the token. Subsequent interfaces use tokens for access.

1. After successful login, return token.
2. Verify the token when sending the request.

Solution Analysis

Before, we were all session-based. So I need to close the Session first.

Then, in the login success handler, the token is generated and returned.

When sending a business request, an interceptor is used to verify that the token is valid. If it is valid, set it to SecurityContextHoler.

implementation

Token returned after successful login

1. The introduction of JWT package

   JDK 11 removed some of the required classes from the JWT package. Let me reintroduce it here.

           <! -- to solve all of the following are Jwt tools in Java. Lang. ClassNotFoundException: javax.mail. XML. Bind. DatatypeConverter - >
           <dependency>
               <groupId>javax.xml.bind</groupId>
               <artifactId>jaxb-api</artifactId>
               <version>2.3.0</version>
           </dependency>
           <dependency>
               <groupId>com.sun.xml.bind</groupId>
               <artifactId>jaxb-impl</artifactId>
               <version>2.3.0</version>
           </dependency>
           <dependency>
               <groupId>com.sun.xml.bind</groupId>
               <artifactId>jaxb-core</artifactId>
               <version>2.3.0</version>
           </dependency>
           <dependency>
               <groupId>javax.activation</groupId>
               <artifactId>activation</artifactId>
               <version>1.1.1</version>
           </dependency>
           <! - above all to solve the Java. Lang. ClassNotFoundException: javax.mail. XML. Bind. DatatypeConverter - >
           <dependency>
               <groupId>io.jsonwebtoken</groupId>
               <artifactId>jjwt</artifactId>
               <version>0.9.1</version>
           </dependency>
   Copy the code

   Newer packages can also be introduced in the following ways, and there are some apis that are different from older versions that need to be noted.

   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-api</artifactId>
       <version>0.11.2</version>
   </dependency>
   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-impl</artifactId>
       <version>0.11.2</version>
       <scope>runtime</scope>
   </dependency>
   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-jackson</artifactId> <! -- or jjwt-gson if Gson is preferred -->
       <version>0.11.2</version>
       <scope>runtime</scope>
   </dependency>
   Copy the code

2. Modified the method for handling authentication success

   filter.setAuthenticationSuccessHandler((request, response, authentication) -> {
               response.setContentType("application/json; charset=utf-8");
               PrintWriter out = response.getWriter();
               MyUserDetails userDetails = (MyUserDetails) authentication.getPrincipal();
               userDetails.setPassword(null);
    
               String jwt = Jwts.builder()
                       .claim("userId", userDetails.getId()) // User role
                       .setSubject(userDetails.getUsername()) / / theme
                       // Expiration time
                       .setExpiration(new Date(System.currentTimeMillis() + 10 * 60 * 1000))
                       .signWith(SignatureAlgorithm.HS512, "damai") // Encryption algorithm key
                       .compact();
               // userDetails Adds the token field
               userDetails.setToken(jwt);
               HashMap<String, Object> result = new HashMap<>();
               result.put("code"."000000");
               result.put("msg"."Successful landing.");
               result.put("data",userDetails);
               String s = new ObjectMapper().writeValueAsString(result);
               out.write(s);
               out.flush();
               out.close();
           });
   Copy the code

Send a service request to verify the token

1. Adding filters

   @Component
   @Slf4j
   public class JwtTokenFilter extends OncePerRequestFilter {
    
       @Autowired
       MyUserDetailServiceImpl myUserDetailService;
    
       @Override
       protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
           // Spring Security will throw an exception if the token is not authenticated
           String token = request.getHeader(JwtUtil.TOKEN_HEADER);
           if (StringUtils.isBlank(token)) {
               filterChain.doFilter(request,response);
               return;
           }
           log.info("jwtToken:{}",token);
           / / token
           Claims claims = Jwts.parser().setSigningKey(JwtUtil.SECRET).parseClaimsJws(token.replace(JwtUtil.TOKEN_HEAD, "")).getBody();
           String username = claims.getSubject();
           // Load user information
           UserDetails userDetails = myUserDetailService.loadUserByUsername(username);
           MyAuthenticationToken myAuthenticationToken = new MyAuthenticationToken(userDetails, null, userDetails.getAuthorities());
           // Set to the Security contextSecurityContextHolder.getContext().setAuthentication(myAuthenticationToken); filterChain.doFilter(request,response); }}Copy the code

2. Modifying the Security Configuration

    @Override
       protected void configure(HttpSecurity http) throws Exception {
    
          // Custom exception handling when not logged in
          http.exceptionHandling().authenticationEntryPoint((request, response, authException) -> {
               response.setContentType("application/json; charset=utf-8");
               PrintWriter out = response.getWriter();
               HashMap<String, Object> result = new HashMap<>();
               result.put("code"."111112");
               result.put("msg",authException.getMessage());
               out.write(new ObjectMapper().writeValueAsString(result));
               out.flush();
               out.close();
           });
    
         http.authorizeRequests()
                   .anyRequest()
                   .authenticated()
                   .and()
                   .csrf()
                   .disable();
           / / close the session
           http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
           / / add JWT filters, attention must be before UsernamePasswordAuthenticationFilter
           http.addFilterBefore(jwtTokenFilter,UsernamePasswordAuthenticationFilter.class);
           http.addFilterAt(myAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
       }
   Copy the code

landing

1. Login return Token

   {
       "msg": "Successful landing."."code": "000000"."data": {
           "id": 1."phone": null."username": "Zhang"And..."token": "eyJhbGciOiJIUzUxMiJ9.eyJ1c2VySWQiOjEsInN1YiI6IuW8oOS4iSIsImV4cCI6MTYwNTQ5OTk0Nn0.ZlPGSpyOLaKSeGSdDhuyuLDASJsya1rP2cVdy- JBVKVIBijC6DmOlNRnQzhvFcofWFWqeyhHpGsio1g6HmBHYw"."authorities": [{"authority": "admin"}].}}Copy the code

2. Direct access to the business interface

   The request header does not carry the token.

   {
       "msg": "Full authentication is required to access this resource"."code": "111112"
   }
   Copy the code

3. Carries a token and requests a service interface

   

   {
       "_links": {
           "self": {
               "href": "http://localhost:3344/actuator"."templated": false
           },
           "health": {
               "href": "http://localhost:3344/actuator/health"."templated": false
           },
           "health-path": {
               "href": "http://localhost:3344/actuator/health/{*path}"."templated": true
           },
           "info": {
               "href": "http://localhost:3344/actuator/info"."templated": false}}}Copy the code