使用 Spring Boot 和 Spring Security 构建安全的 Web 应用:OAuth2、记住我与 JWT 集成指南
在现代 Web 应用中,安全性是至关重要的。Spring Security 是一个功能强大且高度可定制的安全框架,能够帮助我们轻松实现认证、授权以及其他安全功能。本文将详细介绍如何使用 Spring Boot 和 Spring Security 构建一个安全的 Web 应用,并扩展以下功能:
- 使用 OAuth2 实现第三方登录(如 Google、GitHub)。
- 配置“记住我”功能,提升用户体验。
- 集成 JWT(JSON Web Token)实现无状态认证,适合分布式系统。
1. 项目初始化
1.1 创建 Spring Boot 项目
使用 Spring Initializr 创建一个 Spring Boot 项目,选择以下依赖:
- Spring Web
- Spring Security
- Thymeleaf(可选,用于前端模板)
- Spring Boot DevTools(可选,用于开发热加载)
1.2 项目结构
项目结构如下:
src
├── main
│ ├── java
│ │ └── com
│ │ └── example
│ │ └── demo
│ │ ├── DemoApplication.java
│ │ ├── config
│ │ │ └── SecurityConfig.java
│ │ ├── controller
│ │ │ └── HomeController.java
│ │ ├── filter
│ │ │ └── JwtRequestFilter.java
│ │ ├── service
│ │ │ └── CustomUserDetailsService.java
│ │ └── util
│ │ └── JwtUtil.java
│ └── resources
│ ├── static
│ ├── templates
│ │ ├── home.html
│ │ ├── login.html
│ │ └── user.html
│ └── application.properties
└── test
└── java
└── com
└── example
└── demo
└── DemoApplicationTests.java
2. 使用 OAuth2 实现第三方登录
OAuth2 是一种授权框架,允许用户通过第三方平台(如 Google、GitHub 等)登录你的应用。
2.1 添加依赖
在 pom.xml 中添加 OAuth2 依赖:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
2.2 配置 OAuth2 客户端
在 application.properties 中配置 OAuth2 客户端信息。以 Google 为例:
# Google OAuth2 配置
spring.security.oauth2.client.registration.google.client-id=your-google-client-id
spring.security.oauth2.client.registration.google.client-secret=your-google-client-secret
spring.security.oauth2.client.registration.google.scope=profile,email
# GitHub OAuth2 配置
spring.security.oauth2.client.registration.github.client-id=your-github-client-id
spring.security.oauth2.client.registration.github.client-secret=your-github-client-secret
spring.security.oauth2.client.registration.github.scope=user:email
2.3 配置 SecurityConfig
在 SecurityConfig 中启用 OAuth2 登录:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
)
.oauth2Login((oauth2) -> oauth2
.loginPage("/login") // 自定义登录页面
.defaultSuccessUrl("/home") // 登录成功后跳转的页面
)
.logout((logout) -> logout.permitAll());
return http.build();
}
2.4 创建控制器
在 HomeController 中添加一个端点,用于显示用户信息:
@GetMapping("/user")
public String user(Model model, OAuth2AuthenticationToken authentication) {
OAuth2User user = authentication.getPrincipal();
model.addAttribute("name", user.getAttribute("name"));
model.addAttribute("email", user.getAttribute("email"));
return "user";
}
2.5 创建用户页面
在 templates 目录下创建 user.html:
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<title>User Info</title>
</head>
<body>
<h1>Welcome, <span th:text="${name}"></span>!</h1>
<p>Email: <span th:text="${email}"></span></p>
<a href="/logout">Logout</a>
</body>
</html>
3. 配置“记住我”功能
“记住我”功能允许用户在关闭浏览器后仍然保持登录状态。
3.1 配置 SecurityConfig
在 SecurityConfig 中启用“记住我”功能:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.rememberMe((remember) -> remember
.tokenValiditySeconds(86400) // 记住我有效期为 1 天
.key("uniqueAndSecret") // 密钥
);
return http.build();
}
3.2 修改登录页面
在 login.html 中添加“记住我”复选框:
<div>
<label>
<input type="checkbox" name="remember-me"/> Remember me
</label>
</div>
4. 集成 JWT 实现无状态认证
JWT(JSON Web Token)是一种无状态认证机制,适合分布式系统。
4.1 添加依赖
在 pom.xml 中添加 JWT 依赖:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
4.2 创建 JWT 工具类
在 util 包下创建 JwtUtil.java:
package com.example.demo.util;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
@Component
public class JwtUtil {
private String SECRET_KEY = "secret";
public String extractUsername(String token) {
return extractClaim(token, Claims::getSubject);
}
public Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
}
public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
final Claims claims = extractAllClaims(token);
return claimsResolver.apply(claims);
}
private Claims extractAllClaims(String token) {
return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
}
private Boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
}
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
return createToken(claims, userDetails.getUsername());
}
private String createToken(Map<String, Object> claims, String subject) {
return Jwts.builder()
.setClaims(claims)
.setSubject(subject)
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 小时有效期
.signWith(SignatureAlgorithm.HS256, SECRET_KEY)
.compact();
}
public Boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}
}
4.3 创建 JWT 过滤器
在 filter 包下创建 JwtRequestFilter.java:
package com.example.demo.filter;
import com.example.demo.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtRequestFilter extends OncePerRequestFilter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtUtil jwtUtil;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
final String authorizationHeader = request.getHeader("Authorization");
String username = null;
String jwt = null;
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
jwt = authorizationHeader.substring(7);
username = jwtUtil.extractUsername(jwt);
}
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtUtil.validateToken(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
chain.doFilter(request, response);
}
}
4.4 配置 SecurityConfig
在 SecurityConfig 中配置 JWT 过滤器:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/authenticate").permitAll()
.anyRequest().authenticated()
)
.sessionManagement((session) -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS) // 无状态会话
);
return http.build();
}
4.5 创建认证端点
在 controller 包下创建 AuthController.java:
package com.example.demo.controller;
import com.example.demo.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class AuthController {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtUtil jwtUtil;
@PostMapping("/authenticate")
public String createAuthenticationToken(@RequestBody AuthenticationRequest authenticationRequest) throws Exception {
authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(authenticationRequest.getUsername(), authenticationRequest.getPassword())
);
final UserDetails userDetails = userDetailsService.loadUserByUsername(authenticationRequest.getUsername());
final String jwt = jwtUtil.generateToken(userDetails);
return jwt;
}
}
5. 总结
通过本文的步骤,你已经成功扩展了 Spring Security 项目:
- 使用 OAuth2 实现了第三方登录。
- 配置了“记住我”功能。
- 集成了 JWT 实现无状态认证。
这些功能可以显著提升应用的安全性和用户体验。你可以根据实际需求进一步优化和扩展。希望这篇博客对你有所帮助!