spring-boot-security-jwt
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSpring Boot JWT Security
Spring Boot JWT 安全方案
Comprehensive JWT (JSON Web Token) authentication and authorization patterns for Spring Boot 3.5.x applications using Spring Security 6.x and the JJWT library. This skill provides production-ready implementations for stateless authentication, role-based access control, and integration with modern authentication providers.
本文提供了适用于Spring Boot 3.5.x应用的全面JWT(JSON Web Token)认证与授权方案,基于Spring Security 6.x和JJWT库实现。该方案包含可直接用于生产环境的无状态认证、基于角色的访问控制,以及与现代认证提供商的集成实现。
Overview
概述
JWT authentication enables stateless, scalable security for Spring Boot applications. This skill covers complete JWT lifecycle management including token generation, validation, refresh strategies, and integration patterns with database-backed and OAuth2 authentication providers. Implementations follow Spring Security 6.x best practices with modern SecurityFilterChain configuration.
JWT认证为Spring Boot应用提供了无状态、可扩展的安全机制。本文涵盖了完整的JWT生命周期管理,包括令牌生成、验证、刷新策略,以及与数据库和OAuth2认证提供商的集成模式。实现方案遵循Spring Security 6.x最佳实践,采用现代化的SecurityFilterChain配置。
When to Use
适用场景
Use this skill when:
- Implementing stateless authentication for REST APIs
- Building SPA (Single Page Application) backends with JWT
- Securing microservices with token-based authentication
- Integrating with OAuth2 providers (Google, GitHub, etc.)
- Implementing role-based or permission-based access control
- Setting up JWT refresh token strategies
- Migrating from session-based to token-based authentication
- Building mobile API backends
- Implementing cross-origin authentication with CORS
在以下场景中可使用本方案:
- 为REST API实现无状态认证
- 为单页应用(SPA)后端构建JWT认证
- 为微服务提供基于令牌的认证保护
- 与OAuth2提供商(Google、GitHub等)集成
- 实现基于角色或权限的访问控制
- 配置JWT刷新令牌策略
- 从基于会话的认证迁移到基于令牌的认证
- 构建移动API后端
- 实现跨域(CORS)认证
Prerequisites
前置条件
- Java 17+ (for records and pattern matching)
- Spring Boot 3.5.x (for Spring Security 6.x integration)
- JJWT library (io.jsonwebtoken) for JWT operations
- Maven or Gradle build system
- Basic understanding of Spring Security concepts
- Java 17+(支持records和模式匹配)
- Spring Boot 3.5.x(适配Spring Security 6.x集成)
- JJWT库(io.jsonwebtoken)用于JWT操作
- Maven或Gradle构建工具
- 具备Spring Security基础概念
Dependencies
依赖配置
Maven
Maven
xml
<dependencies>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<!-- JWT Library -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.12.6</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<!-- Database -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<!-- Testing -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>xml
<dependencies>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<!-- JWT Library -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.12.6</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.12.6</version>
<scope>runtime</scope>
</dependency>
<!-- Database -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<!-- Testing -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>Gradle
Gradle
kotlin
dependencies {
// Spring Security
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.boot:spring-boot-starter-data-jpa")
implementation("org.springframework.boot:spring-boot-starter-validation")
implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
// JWT Library
implementation("io.jsonwebtoken:jjwt-api:0.12.6")
implementation("io.jsonwebtoken:jjwt-impl:0.12.6")
implementation("io.jsonwebtoken:jjwt-jackson:0.12.6")
// Database
runtimeOnly("com.h2database:h2")
runtimeOnly("org.postgresql:postgresql")
// Testing
testImplementation("org.springframework.boot:spring-boot-starter-test")
testImplementation("org.springframework.security:spring-security-test")
testImplementation("org.testcontainers:junit-jupiter")
}kotlin
dependencies {
// Spring Security
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.boot:spring-boot-starter-data-jpa")
implementation("org.springframework.boot:spring-boot-starter-validation")
implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
// JWT Library
implementation("io.jsonwebtoken:jjwt-api:0.12.6")
implementation("io.jsonwebtoken:jjwt-impl:0.12.6")
implementation("io.jsonwebtoken:jjwt-jackson:0.12.6")
// Database
runtimeOnly("com.h2database:h2")
runtimeOnly("org.postgresql:postgresql")
// Testing
testImplementation("org.springframework.boot:spring-boot-starter-test")
testImplementation("org.springframework.security:spring-security-test")
testImplementation("org.testcontainers:junit-jupiter")
}Quick Start
快速开始
1. Application Configuration
1. 应用配置
yaml
undefinedyaml
undefinedapplication.yml
application.yml
spring:
security:
oauth2:
client:
registration:
google:
client-id: ${GOOGLE_CLIENT_ID}
client-secret: ${GOOGLE_CLIENT_SECRET}
scope: openid, profile, email
jwt:
secret: ${JWT_SECRET:my-very-secret-key-that-is-at-least-256-bits-long}
access-token-expiration: 86400000 # 24 hours in milliseconds
refresh-token-expiration: 604800000 # 7 days in milliseconds
issuer: spring-boot-jwt-example
cookie-name: jwt-token
cookie-secure: false # Set to true in production with HTTPS
cookie-http-only: true
cookie-same-site: lax
undefinedspring:
security:
oauth2:
client:
registration:
google:
client-id: ${GOOGLE_CLIENT_ID}
client-secret: ${GOOGLE_CLIENT_SECRET}
scope: openid, profile, email
jwt:
secret: ${JWT_SECRET:my-very-secret-key-that-is-at-least-256-bits-long}
access-token-expiration: 86400000 # 24小时(毫秒)
refresh-token-expiration: 604800000 # 7天(毫秒)
issuer: spring-boot-jwt-example
cookie-name: jwt-token
cookie-secure: false # 生产环境使用HTTPS时设为true
cookie-http-only: true
cookie-same-site: lax
undefined2. Modern Spring Security 6.x Configuration
2. 现代化Spring Security 6.x配置
java
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthFilter;
private final AuthenticationProvider authenticationProvider;
private final LogoutHandler logoutHandler;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(authz -> authz
.requestMatchers("/api/auth/**").permitAll()
.requestMatchers("/api/public/**").permitAll()
.requestMatchers(HttpMethod.GET, "/api-docs/**").permitAll()
.requestMatchers(HttpMethod.GET, "/swagger-ui/**").permitAll()
.anyRequest().authenticated()
)
.authenticationProvider(authenticationProvider)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.logout(logout -> logout
.logoutUrl("/api/auth/logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessHandler((request, response, authentication) ->
SecurityContextHolder.clearContext())
);
return http.build();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(List.of("*"));
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}java
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthFilter;
private final AuthenticationProvider authenticationProvider;
private final LogoutHandler logoutHandler;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(authz -> authz
.requestMatchers("/api/auth/**").permitAll()
.requestMatchers("/api/public/**").permitAll()
.requestMatchers(HttpMethod.GET, "/api-docs/**").permitAll()
.requestMatchers(HttpMethod.GET, "/swagger-ui/**").permitAll()
.anyRequest().authenticated()
)
.authenticationProvider(authenticationProvider)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.logout(logout -> logout
.logoutUrl("/api/auth/logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessHandler((request, response, authentication) ->
SecurityContextHolder.clearContext())
);
return http.build();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(List.of("*"));
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}3. JWT Service Implementation
3. JWT服务实现
java
@Service
@RequiredArgsConstructor
@Slf4j
public class JwtService {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.access-token-expiration}")
private long accessTokenExpiration;
@Value("${jwt.refresh-token-expiration}")
private long refreshTokenExpiration;
@Value("${jwt.issuer}")
private String issuer;
private final RefreshTokenService refreshTokenService;
/**
* Generate access token for user
*/
public String generateAccessToken(UserDetails userDetails) {
return generateToken(userDetails, accessTokenExpiration);
}
/**
* Generate refresh token for user
*/
public String generateRefreshToken(UserDetails userDetails) {
return refreshTokenService.createRefreshToken(userDetails.getUsername());
}
/**
* Extract username from JWT token
*/
public String extractUsername(String token) {
return extractClaims(token).getSubject();
}
/**
* Extract claims from JWT token
*/
private Claims extractClaims(String token) {
return Jwts.parser()
.verifyWith(getSigningKey())
.build()
.parseSignedClaims(token)
.getPayload();
}
/**
* Validate JWT token
*/
public boolean isTokenValid(String token, UserDetails userDetails) {
try {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) &&
!isTokenExpired(token) &&
extractClaims(token).getIssuer().equals(issuer));
} catch (JwtException | IllegalArgumentException e) {
log.debug("Invalid JWT token: {}", e.getMessage());
return false;
}
}
/**
* Check if token is expired
*/
private boolean isTokenExpired(String token) {
return extractClaims(token).getExpiration().before(new Date());
}
/**
* Generate token with expiration
*/
private String generateToken(UserDetails userDetails, long expiration) {
Date now = new Date();
Date expiryDate = new Date(now.getTime() + expiration);
return Jwts.builder()
.setSubject(userDetails.getUsername())
.setIssuer(issuer)
.setIssuedAt(now)
.setExpiration(expiryDate)
.claim("authorities", getAuthorities(userDetails))
.claim("type", "access")
.signWith(getSigningKey())
.compact();
}
/**
* Get signing key from secret
*/
private SecretKey getSigningKey() {
byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
return Keys.hmacShaKeyFor(keyBytes);
}
/**
* Extract authorities from user details
*/
private List<String> getAuthorities(UserDetails userDetails) {
return userDetails.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toList());
}
}java
@Service
@RequiredArgsConstructor
@Slf4j
public class JwtService {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.access-token-expiration}")
private long accessTokenExpiration;
@Value("${jwt.refresh-token-expiration}")
private long refreshTokenExpiration;
@Value("${jwt.issuer}")
private String issuer;
private final RefreshTokenService refreshTokenService;
/**
* 为用户生成访问令牌
*/
public String generateAccessToken(UserDetails userDetails) {
return generateToken(userDetails, accessTokenExpiration);
}
/**
* 为用户生成刷新令牌
*/
public String generateRefreshToken(UserDetails userDetails) {
return refreshTokenService.createRefreshToken(userDetails.getUsername());
}
/**
* 从JWT令牌中提取用户名
*/
public String extractUsername(String token) {
return extractClaims(token).getSubject();
}
/**
* 从JWT令牌中提取声明
*/
private Claims extractClaims(String token) {
return Jwts.parser()
.verifyWith(getSigningKey())
.build()
.parseSignedClaims(token)
.getPayload();
}
/**
* 验证JWT令牌有效性
*/
public boolean isTokenValid(String token, UserDetails userDetails) {
try {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) &&
!isTokenExpired(token) &&
extractClaims(token).getIssuer().equals(issuer));
} catch (JwtException | IllegalArgumentException e) {
log.debug("Invalid JWT token: {}", e.getMessage());
return false;
}
}
/**
* 检查令牌是否过期
*/
private boolean isTokenExpired(String token) {
return extractClaims(token).getExpiration().before(new Date());
}
/**
* 生成带过期时间的令牌
*/
private String generateToken(UserDetails userDetails, long expiration) {
Date now = new Date();
Date expiryDate = new Date(now.getTime() + expiration);
return Jwts.builder()
.setSubject(userDetails.getUsername())
.setIssuer(issuer)
.setIssuedAt(now)
.setExpiration(expiryDate)
.claim("authorities", getAuthorities(userDetails))
.claim("type", "access")
.signWith(getSigningKey())
.compact();
}
/**
* 从密钥中获取签名密钥
*/
private SecretKey getSigningKey() {
byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
return Keys.hmacShaKeyFor(keyBytes);
}
/**
* 从用户详情中提取权限信息
*/
private List<String> getAuthorities(UserDetails userDetails) {
return userDetails.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toList());
}
}3. JWT Authentication Filter
3. JWT认证过滤器
java
@Component
@RequiredArgsConstructor
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private final JwtService jwtService;
private final UserDetailsService userDetailsService;
@Override
protected void doFilterInternal(
@NonNull HttpServletRequest request,
@NonNull HttpServletResponse response,
@NonNull FilterChain filterChain) throws ServletException, IOException {
final String authHeader = request.getHeader("Authorization");
final String jwt;
final String userEmail;
// Check for Bearer token
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
// Check for JWT cookie
String jwtCookie = WebUtils.getCookie(request, "jwt-token") != null
? WebUtils.getCookie(request, "jwt-token").getValue()
: null;
if (jwtCookie != null) {
jwt = jwtCookie;
userEmail = jwtService.extractUsername(jwt);
if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(userEmail);
if (jwtService.isTokenValid(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(
userDetails,
null,
userDetails.getAuthorities()
);
authToken.setDetails(
new WebAuthenticationDetailsSource().buildDetails(request)
);
SecurityContextHolder.getContext().setAuthentication(authToken);
}
}
}
filterChain.doFilter(request, response);
return;
}
jwt = authHeader.substring(7);
userEmail = jwtService.extractUsername(jwt);
if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(userEmail);
if (jwtService.isTokenValid(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(
userDetails,
null,
userDetails.getAuthorities()
);
authToken.setDetails(
new WebAuthenticationDetailsSource().buildDetails(request)
);
SecurityContextHolder.getContext().setAuthentication(authToken);
}
}
filterChain.doFilter(request, response);
}
}java
@Component
@RequiredArgsConstructor
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private final JwtService jwtService;
private final UserDetailsService userDetailsService;
@Override
protected void doFilterInternal(
@NonNull HttpServletRequest request,
@NonNull HttpServletResponse response,
@NonNull FilterChain filterChain) throws ServletException, IOException {
final String authHeader = request.getHeader("Authorization");
final String jwt;
final String userEmail;
// 检查Bearer令牌
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
// 检查JWT Cookie
String jwtCookie = WebUtils.getCookie(request, "jwt-token") != null
? WebUtils.getCookie(request, "jwt-token").getValue()
: null;
if (jwtCookie != null) {
jwt = jwtCookie;
userEmail = jwtService.extractUsername(jwt);
if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(userEmail);
if (jwtService.isTokenValid(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(
userDetails,
null,
userDetails.getAuthorities()
);
authToken.setDetails(
new WebAuthenticationDetailsSource().buildDetails(request)
);
SecurityContextHolder.getContext().setAuthentication(authToken);
}
}
}
filterChain.doFilter(request, response);
return;
}
jwt = authHeader.substring(7);
userEmail = jwtService.extractUsername(jwt);
if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(userEmail);
if (jwtService.isTokenValid(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(
userDetails,
null,
userDetails.getAuthorities()
);
authToken.setDetails(
new WebAuthenticationDetailsSource().buildDetails(request)
);
SecurityContextHolder.getContext().setAuthentication(authToken);
}
}
filterChain.doFilter(request, response);
}
}4. Security Configuration
4. 安全配置
java
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthFilter;
private final AuthenticationProvider authenticationProvider;
private final LogoutHandler logoutHandler;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
// Public endpoints
.requestMatchers("/api/v1/auth/**").permitAll()
.requestMatchers("/api/v1/oauth2/**").permitAll()
.requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
.requestMatchers("/health").permitAll()
// Admin endpoints
.requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
// Protected endpoints
.anyRequest().authenticated()
)
.sessionManagement(sess -> sess
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.authenticationProvider(authenticationProvider)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.oauth2Login(oauth2 -> oauth2
.loginPage("/oauth2/authorization/google")
.defaultSuccessUrl("/api/v1/auth/oauth2/success", true)
.failureUrl("/api/v1/auth/oauth2/failure")
)
.logout(logout -> logout
.logoutUrl("/api/v1/auth/logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessHandler((request, response, authentication) ->
SecurityContextHolder.clearContext())
);
return http.build();
}
@Bean
public AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(passwordEncoder);
return authProvider;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
}java
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthFilter;
private final AuthenticationProvider authenticationProvider;
private final LogoutHandler logoutHandler;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
// 公开端点
.requestMatchers("/api/v1/auth/**").permitAll()
.requestMatchers("/api/v1/oauth2/**").permitAll()
.requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
.requestMatchers("/health").permitAll()
// 管理员端点
.requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
// 受保护端点
.anyRequest().authenticated()
)
.sessionManagement(sess -> sess
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.authenticationProvider(authenticationProvider)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.oauth2Login(oauth2 -> oauth2
.loginPage("/oauth2/authorization/google")
.defaultSuccessUrl("/api/v1/auth/oauth2/success", true)
.failureUrl("/api/v1/auth/oauth2/failure")
)
.logout(logout -> logout
.logoutUrl("/api/v1/auth/logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessHandler((request, response, authentication) ->
SecurityContextHolder.clearContext())
);
return http.build();
}
@Bean
public AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(passwordEncoder);
return authProvider;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
}Authentication Controllers
认证控制器
java
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
@Slf4j
public class AuthenticationController {
private final AuthenticationService authenticationService;
@PostMapping("/register")
public ResponseEntity<AuthenticationResponse> register(
@Valid @RequestBody RegisterRequest request) {
log.info("Registering new user: {}", request.getEmail());
return ResponseEntity.ok(authenticationService.register(request));
}
@PostMapping("/authenticate")
public ResponseEntity<AuthenticationResponse> authenticate(
@Valid @RequestBody AuthenticationRequest request) {
log.info("Authenticating user: {}", request.getEmail());
AuthenticationResponse response = authenticationService.authenticate(request);
return ResponseEntity.ok()
.header("Set-Cookie", createJwtCookie(response.getAccessToken()))
.body(response);
}
@PostMapping("/refresh")
public ResponseEntity<AuthenticationResponse> refreshToken(
@RequestBody RefreshTokenRequest request) {
log.info("Refreshing token for user");
return ResponseEntity.ok(authenticationService.refreshToken(request));
}
@GetMapping("/me")
public ResponseEntity<UserProfile> getCurrentUser() {
return ResponseEntity.ok(authenticationService.getCurrentUser());
}
private String createJwtCookie(String token) {
return String.format(
"jwt-token=%s; Path=/; HttpOnly; SameSite=Lax; Max-Age=%d",
token,
86400 // 24 hours
);
}
}java
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
@Slf4j
public class AuthenticationController {
private final AuthenticationService authenticationService;
@PostMapping("/register")
public ResponseEntity<AuthenticationResponse> register(
@Valid @RequestBody RegisterRequest request) {
log.info("Registering new user: {}", request.getEmail());
return ResponseEntity.ok(authenticationService.register(request));
}
@PostMapping("/authenticate")
public ResponseEntity<AuthenticationResponse> authenticate(
@Valid @RequestBody AuthenticationRequest request) {
log.info("Authenticating user: {}", request.getEmail());
AuthenticationResponse response = authenticationService.authenticate(request);
return ResponseEntity.ok()
.header("Set-Cookie", createJwtCookie(response.getAccessToken()))
.body(response);
}
@PostMapping("/refresh")
public ResponseEntity<AuthenticationResponse> refreshToken(
@RequestBody RefreshTokenRequest request) {
log.info("Refreshing token for user");
return ResponseEntity.ok(authenticationService.refreshToken(request));
}
@GetMapping("/me")
public ResponseEntity<UserProfile> getCurrentUser() {
return ResponseEntity.ok(authenticationService.getCurrentUser());
}
private String createJwtCookie(String token) {
return String.format(
"jwt-token=%s; Path=/; HttpOnly; SameSite=Lax; Max-Age=%d",
token,
86400 // 24小时
);
}
}Authorization Patterns
授权方案
Role-Based Access Control (RBAC)
基于角色的访问控制(RBAC)
java
@RestController
@RequestMapping("/api/v1/admin")
@RequiredArgsConstructor
@PreAuthorize("hasRole('ADMIN')")
public class AdminController {
private final AdminService adminService;
@GetMapping("/users")
@PreAuthorize("hasAuthority('ADMIN_READ')")
public ResponseEntity<Page<UserResponse>> getAllUsers(Pageable pageable) {
return ResponseEntity.ok(adminService.getAllUsers(pageable));
}
@DeleteMapping("/users/{id}")
@PreAuthorize("hasAuthority('ADMIN_DELETE')")
public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
adminService.deleteUser(id);
return ResponseEntity.noContent().build();
}
@PostMapping("/users/{id}/roles")
@PreAuthorize("hasAuthority('ADMIN_MANAGE_ROLES')")
public ResponseEntity<UserResponse> assignRole(
@PathVariable Long id,
@Valid @RequestBody AssignRoleRequest request) {
return ResponseEntity.ok(adminService.assignRole(id, request));
}
}java
@RestController
@RequestMapping("/api/v1/admin")
@RequiredArgsConstructor
@PreAuthorize("hasRole('ADMIN')")
public class AdminController {
private final AdminService adminService;
@GetMapping("/users")
@PreAuthorize("hasAuthority('ADMIN_READ')")
public ResponseEntity<Page<UserResponse>> getAllUsers(Pageable pageable) {
return ResponseEntity.ok(adminService.getAllUsers(pageable));
}
@DeleteMapping("/users/{id}")
@PreAuthorize("hasAuthority('ADMIN_DELETE')")
public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
adminService.deleteUser(id);
return ResponseEntity.noContent().build();
}
@PostMapping("/users/{id}/roles")
@PreAuthorize("hasAuthority('ADMIN_MANAGE_ROLES')")
public ResponseEntity<UserResponse> assignRole(
@PathVariable Long id,
@Valid @RequestBody AssignRoleRequest request) {
return ResponseEntity.ok(adminService.assignRole(id, request));
}
}Permission-Based Access Control
基于权限的访问控制
java
@Service
@RequiredArgsConstructor
public class DocumentService {
@PreAuthorize("hasPermission(#documentId, 'Document', 'READ')")
public Document getDocument(Long documentId) {
return documentRepository.findById(documentId)
.orElseThrow(() -> new DocumentNotFoundException(documentId));
}
@PreAuthorize("hasPermission(#documentId, 'Document', 'WRITE') or hasRole('ADMIN')")
public Document updateDocument(Long documentId, UpdateDocumentRequest request) {
Document document = getDocument(documentId);
document.setContent(request.content());
return documentRepository.save(document);
}
@PreAuthorize("@documentSecurityService.canAccess(#userEmail, #documentId)")
public Document shareDocument(String userEmail, Long documentId) {
// Implementation
}
}java
@Service
@RequiredArgsConstructor
public class DocumentService {
@PreAuthorize("hasPermission(#documentId, 'Document', 'READ')")
public Document getDocument(Long documentId) {
return documentRepository.findById(documentId)
.orElseThrow(() -> new DocumentNotFoundException(documentId));
}
@PreAuthorize("hasPermission(#documentId, 'Document', 'WRITE') or hasRole('ADMIN')")
public Document updateDocument(Long documentId, UpdateDocumentRequest request) {
Document document = getDocument(documentId);
document.setContent(request.content());
return documentRepository.save(document);
}
@PreAuthorize("@documentSecurityService.canAccess(#userEmail, #documentId)")
public Document shareDocument(String userEmail, Long documentId) {
// 实现逻辑
}
}Custom Permission Evaluator
自定义权限评估器
java
@Component
@RequiredArgsConstructor
public class DocumentPermissionEvaluator implements PermissionEvaluator {
private final DocumentRepository documentRepository;
@Override
public boolean hasPermission(
Authentication authentication,
Object targetDomainObject,
Object permission) {
if (authentication == null || !(targetDomainObject instanceof Document)) {
return false;
}
Document document = (Document) targetDomainObject;
String username = authentication.getName();
String requiredPermission = (String) permission;
// Admin can do anything
if (hasRole(authentication, "ADMIN")) {
return true;
}
// Owner can read and write
if (document.getOwner().getUsername().equals(username)) {
return "READ".equals(requiredPermission) || "WRITE".equals(requiredPermission);
}
// Check shared permissions
return document.getSharedWith().stream()
.anyMatch(share -> share.getUser().getUsername().equals(username)
&& share.getPermission().name().equals(requiredPermission));
}
@Override
public boolean hasPermission(
Authentication authentication,
Serializable targetId,
String targetType,
Object permission) {
if (!"Document".equals(targetType)) {
return false;
}
Document document = documentRepository.findById((Long) targetId).orElse(null);
return document != null && hasPermission(authentication, document, permission);
}
private boolean hasRole(Authentication authentication, String role) {
return authentication.getAuthorities().stream()
.anyMatch(auth -> auth.getAuthority().equals("ROLE_" + role));
}
}java
@Component
@RequiredArgsConstructor
public class DocumentPermissionEvaluator implements PermissionEvaluator {
private final DocumentRepository documentRepository;
@Override
public boolean hasPermission(
Authentication authentication,
Object targetDomainObject,
Object permission) {
if (authentication == null || !(targetDomainObject instanceof Document)) {
return false;
}
Document document = (Document) targetDomainObject;
String username = authentication.getName();
String requiredPermission = (String) permission;
// 管理员拥有所有权限
if (hasRole(authentication, "ADMIN")) {
return true;
}
// 文档所有者拥有读写权限
if (document.getOwner().getUsername().equals(username)) {
return "READ".equals(requiredPermission) || "WRITE".equals(requiredPermission);
}
// 检查共享权限
return document.getSharedWith().stream()
.anyMatch(share -> share.getUser().getUsername().equals(username)
&& share.getPermission().name().equals(requiredPermission));
}
@Override
public boolean hasPermission(
Authentication authentication,
Serializable targetId,
String targetType,
Object permission) {
if (!"Document".equals(targetType)) {
return false;
}
Document document = documentRepository.findById((Long) targetId).orElse(null);
return document != null && hasPermission(authentication, document, permission);
}
private boolean hasRole(Authentication authentication, String role) {
return authentication.getAuthorities().stream()
.anyMatch(auth -> auth.getAuthority().equals("ROLE_" + role));
}
}Database Entities
数据库实体
java
@Entity
@Table(name = "users")
@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(unique = true, nullable = false)
private String username;
@Column(unique = true, nullable = false)
private String email;
@Column(nullable = false)
private String password;
@Builder.Default
@Enumerated(EnumType.STRING)
private Role role = Role.USER;
@Builder.Default
private boolean enabled = true;
@Builder.Default
private boolean accountNonExpired = true;
@Builder.Default
private boolean accountNonLocked = true;
@Builder.Default
private boolean credentialsNonExpired = true;
@OneToMany(mappedBy = "user", cascade = CascadeType.ALL, fetch = FetchType.LAZY)
private Set<RefreshToken> refreshTokens = new HashSet<>();
@CreationTimestamp
@Column(name = "created_at", updatable = false)
private LocalDateTime createdAt;
@UpdateTimestamp
@Column(name = "updated_at")
private LocalDateTime updatedAt;
}
@Entity
@Table(name = "refresh_tokens")
@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
public class RefreshToken {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(nullable = false, unique = true)
private String token;
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id", nullable = false)
private User user;
@Builder.Default
private boolean revoked = false;
@Builder.Default
private boolean expired = false;
@Column(name = "expiry_date")
private LocalDateTime expiryDate;
@CreationTimestamp
@Column(name = "created_at", updatable = false)
private LocalDateTime createdAt;
}java
@Entity
@Table(name = "users")
@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(unique = true, nullable = false)
private String username;
@Column(unique = true, nullable = false)
private String email;
@Column(nullable = false)
private String password;
@Builder.Default
@Enumerated(EnumType.STRING)
private Role role = Role.USER;
@Builder.Default
private boolean enabled = true;
@Builder.Default
private boolean accountNonExpired = true;
@Builder.Default
private boolean accountNonLocked = true;
@Builder.Default
private boolean credentialsNonExpired = true;
@OneToMany(mappedBy = "user", cascade = CascadeType.ALL, fetch = FetchType.LAZY)
private Set<RefreshToken> refreshTokens = new HashSet<>();
@CreationTimestamp
@Column(name = "created_at", updatable = false)
private LocalDateTime createdAt;
@UpdateTimestamp
@Column(name = "updated_at")
private LocalDateTime updatedAt;
}
@Entity
@Table(name = "refresh_tokens")
@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
public class RefreshToken {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(nullable = false, unique = true)
private String token;
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id", nullable = false)
private User user;
@Builder.Default
private boolean revoked = false;
@Builder.Default
private boolean expired = false;
@Column(name = "expiry_date")
private LocalDateTime expiryDate;
@CreationTimestamp
@Column(name = "created_at", updatable = false)
private LocalDateTime createdAt;
}Testing JWT Security
测试JWT安全方案
java
@SpringBootTest
@AutoConfigureMockMvc
@TestPropertySource(properties = {
"jwt.secret=test-secret-key-for-testing-only",
"jwt.access-token-expiration=3600000"
})
class AuthenticationControllerTest {
@Autowired
private MockMvc mockMvc;
@Autowired
private ObjectMapper objectMapper;
@Autowired
private JwtService jwtService;
@Test
void shouldAuthenticateUser() throws Exception {
AuthenticationRequest request = AuthenticationRequest.builder()
.email("test@example.com")
.password("password123")
.build();
mockMvc.perform(post("/api/v1/auth/authenticate")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isOk())
.andExpect(jsonPath("$.accessToken").exists())
.andExpect(jsonPath("$.refreshToken").exists())
.andExpect(jsonPath("$.user.email").value("test@example.com"));
}
@Test
void shouldDenyAccessWithoutToken() throws Exception {
mockMvc.perform(get("/api/v1/admin/users"))
.andExpect(status().isUnauthorized());
}
@Test
@WithMockUser(roles = "ADMIN")
void shouldAllowAdminAccess() throws Exception {
mockMvc.perform(get("/api/v1/admin/users"))
.andExpect(status().isOk());
}
@Test
void shouldValidateJwtToken() throws Exception {
UserDetails userDetails = User.withUsername("test@example.com")
.password("password")
.roles("USER")
.build();
String token = jwtService.generateAccessToken(userDetails);
mockMvc.perform(get("/api/v1/auth/me")
.header("Authorization", "Bearer " + token))
.andExpect(status().isOk());
}
}java
@SpringBootTest
@AutoConfigureMockMvc
@TestPropertySource(properties = {
"jwt.secret=test-secret-key-for-testing-only",
"jwt.access-token-expiration=3600000"
})
class AuthenticationControllerTest {
@Autowired
private MockMvc mockMvc;
@Autowired
private ObjectMapper objectMapper;
@Autowired
private JwtService jwtService;
@Test
void shouldAuthenticateUser() throws Exception {
AuthenticationRequest request = AuthenticationRequest.builder()
.email("test@example.com")
.password("password123")
.build();
mockMvc.perform(post("/api/v1/auth/authenticate")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isOk())
.andExpect(jsonPath("$.accessToken").exists())
.andExpect(jsonPath("$.refreshToken").exists())
.andExpect(jsonPath("$.user.email").value("test@example.com"));
}
@Test
void shouldDenyAccessWithoutToken() throws Exception {
mockMvc.perform(get("/api/v1/admin/users"))
.andExpect(status().isUnauthorized());
}
@Test
@WithMockUser(roles = "ADMIN")
void shouldAllowAdminAccess() throws Exception {
mockMvc.perform(get("/api/v1/admin/users"))
.andExpect(status().isOk());
}
@Test
void shouldValidateJwtToken() throws Exception {
UserDetails userDetails = User.withUsername("test@example.com")
.password("password")
.roles("USER")
.build();
String token = jwtService.generateAccessToken(userDetails);
mockMvc.perform(get("/api/v1/auth/me")
.header("Authorization", "Bearer " + token))
.andExpect(status().isOk());
}
}Best Practices
最佳实践
1. Modern JWT Patterns
1. 现代化JWT方案
Key Rotation Strategy
密钥轮换策略
java
@Component
@RequiredArgsConstructor
public class JwtKeyRotationService {
private final SecretKeyRepository keyRepository;
private final CacheManager cacheManager;
@Scheduled(cron = "0 0 0 * * ?") // Daily at midnight
public void rotateKeys() {
SecretKey newKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
keyRepository.save(new SecretKeyEntity(newKey, LocalDateTime.now()));
cacheManager.getCache("jwt-keys").clear();
}
}java
@Component
@RequiredArgsConstructor
public class JwtKeyRotationService {
private final SecretKeyRepository keyRepository;
private final CacheManager cacheManager;
@Scheduled(cron = "0 0 0 * * ?") // 每日午夜执行
public void rotateKeys() {
SecretKey newKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
keyRepository.save(new SecretKeyEntity(newKey, LocalDateTime.now()));
cacheManager.getCache("jwt-keys").clear();
}
}Token Blacklisting
令牌黑名单
java
@Service
@RequiredArgsConstructor
public class TokenBlacklistService {
private final RedisTemplate<string, string> redisTemplate;
private static final String BLACKLIST_PREFIX = "blacklist:jwt:";
public void blacklistToken(String token, long expirationTime) {
String tokenId = extractTokenId(token);
redisTemplate.opsForValue().set(
BLACKLIST_PREFIX + tokenId,
"1",
expirationTime,
TimeUnit.MILLISECONDS
);
}
public boolean isBlacklisted(String token) {
String tokenId = extractTokenId(token);
return Boolean.TRUE.equals(redisTemplate.hasKey(BLACKLIST_PREFIX + tokenId));
}
}java
@Service
@RequiredArgsConstructor
public class TokenBlacklistService {
private final RedisTemplate<string, string> redisTemplate;
private static final String BLACKLIST_PREFIX = "blacklist:jwt:";
public void blacklistToken(String token, long expirationTime) {
String tokenId = extractTokenId(token);
redisTemplate.opsForValue().set(
BLACKLIST_PREFIX + tokenId,
"1",
expirationTime,
TimeUnit.MILLISECONDS
);
}
public boolean isBlacklisted(String token) {
String tokenId = extractTokenId(token);
return Boolean.TRUE.equals(redisTemplate.hasKey(BLACKLIST_PREFIX + tokenId));
}
}2. Security Configuration
2. 安全配置建议
- Always use HTTPS in production for JWT token transmission
- Set appropriate cookie flags: ,
HttpOnly,SecureSameSite - Use strong secret keys: minimum 256 bits for HMAC algorithms
- Implement token expiration: Don't use tokens with infinite lifetime
- Validate all inputs: Never trust JWT claims without validation
- Implement key rotation: Regularly rotate signing keys
- Use token blacklisting: For logout and security incidents
- 生产环境必须使用HTTPS传输JWT令牌
- 设置正确的Cookie属性:,
HttpOnly,SecureSameSite - 使用强密钥:HMAC算法至少使用256位密钥
- 实现令牌过期机制:避免使用永不过期的令牌
- 验证所有输入:绝不信任未验证的JWT声明
- 实现密钥轮换:定期轮换签名密钥
- 使用令牌黑名单:用于登出和安全事件处理
2. Token Management
2. 令牌管理
java
// Implement refresh token rotation
public class RefreshTokenService {
@Transactional
public String rotateRefreshToken(String oldToken) {
RefreshToken refreshToken = refreshTokenRepository.findByToken(oldToken)
.orElseThrow(() -> new RefreshTokenException("Invalid refresh token"));
// Revoke old token
refreshToken.setRevoked(true);
refreshTokenRepository.save(refreshToken);
// Generate new token
return createRefreshToken(refreshToken.getUser().getUsername());
}
}java
// 实现刷新令牌轮换
public class RefreshTokenService {
@Transactional
public String rotateRefreshToken(String oldToken) {
RefreshToken refreshToken = refreshTokenRepository.findByToken(oldToken)
.orElseThrow(() -> new RefreshTokenException("Invalid refresh token"));
// 吊销旧令牌
refreshToken.setRevoked(true);
refreshTokenRepository.save(refreshToken);
// 生成新令牌
return createRefreshToken(refreshToken.getUser().getUsername());
}
}3. Performance Optimization
3. 性能优化
java
// Cache user details to avoid database hits
@Service
@RequiredArgsConstructor
public class CachedUserDetailsService implements UserDetailsService {
private final UserRepository userRepository;
private final CacheManager cacheManager;
@Override
@Cacheable(value = "users", key = "#username")
public UserDetails loadUserByUsername(String username) {
User user = userRepository.findByEmail(username)
.orElseThrow(() -> new UsernameNotFoundException(username));
return new CustomUserDetails(user);
}
}java
// 缓存用户详情以避免重复数据库查询
@Service
@RequiredArgsConstructor
public class CachedUserDetailsService implements UserDetailsService {
private final UserRepository userRepository;
private final CacheManager cacheManager;
@Override
@Cacheable(value = "users", key = "#username")
public UserDetails loadUserByUsername(String username) {
User user = userRepository.findByEmail(username)
.orElseThrow(() -> new UsernameNotFoundException(username));
return new CustomUserDetails(user);
}
}4. Monitoring and Audit
4. 监控与审计
java
@Component
@RequiredArgsConstructor
@Slf4j
public class SecurityAuditService {
@EventListener
public void handleAuthenticationSuccess(AuthenticationSuccessEvent event) {
log.info("Authentication success for user: {}", event.getAuthentication().getName());
// Store audit event
}
@EventListener
public void handleAuthenticationFailure(AuthenticationFailureEvent event) {
log.warn("Authentication failure for user: {}", event.getAuthentication().getName());
// Store security event
}
@EventListener
public void handleAuthorizationFailure(AuthorizationFailureEvent event) {
log.warn("Authorization denied for user: {} on resource: {}",
event.getAuthentication().getName(),
event.getConfigAttributes());
}
}java
@Component
@RequiredArgsConstructor
@Slf4j
public class SecurityAuditService {
@EventListener
public void handleAuthenticationSuccess(AuthenticationSuccessEvent event) {
log.info("Authentication success for user: {}", event.getAuthentication().getName());
// 存储审计事件
}
@EventListener
public void handleAuthenticationFailure(AuthenticationFailureEvent event) {
log.warn("Authentication failure for user: {}", event.getAuthentication().getName());
// 存储安全事件
}
@EventListener
public void handleAuthorizationFailure(AuthorizationFailureEvent event) {
log.warn("Authorization denied for user: {} on resource: {}",
event.getAuthentication().getName(),
event.getConfigAttributes());
}
}Constraints
约束条件
1. Token Size Limitations
1. 令牌大小限制
- JWT tokens should stay under HTTP header size limits (typically 8KB)
- Avoid storing large amounts of data in JWT claims
- Use references instead of embedding complete objects
- JWT令牌应保持在HTTP头大小限制内(通常为8KB)
- 避免在JWT声明中存储大量数据
- 使用引用而非直接嵌入完整对象
2. Security Considerations
2. 安全注意事项
- Never store sensitive information in JWT tokens
- Implement proper token revocation strategies
- Use different keys for different environments (dev, staging, prod)
- Regularly rotate signing keys
- 切勿在JWT令牌中存储敏感信息
- 实现完善的令牌吊销策略
- 不同环境(开发、测试、生产)使用不同密钥
- 定期轮换签名密钥
3. Rate Limiting
3. 限流配置
java
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
public class AuthenticationController {
@PostMapping("/authenticate")
@RateLimiter(name = "auth", fallbackMethod = "authenticateFallback")
public ResponseEntity<AuthenticationResponse> authenticate(@RequestBody AuthenticationRequest request) {
// Implementation
}
public ResponseEntity<AuthenticationResponse> authenticateFallback(
AuthenticationRequest request,
CallNotPermittedException exception) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS).build();
}
}java
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
public class AuthenticationController {
@PostMapping("/authenticate")
@RateLimiter(name = "auth", fallbackMethod = "authenticateFallback")
public ResponseEntity<AuthenticationResponse> authenticate(@RequestBody AuthenticationRequest request) {
// 实现逻辑
}
public ResponseEntity<AuthenticationResponse> authenticateFallback(
AuthenticationRequest request,
CallNotPermittedException exception) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS).build();
}
}4. CORS Configuration
4. CORS配置
java
@Configuration
public class CorsConfig {
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(List.of("*"));
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}java
@Configuration
public class CorsConfig {
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(List.of("*"));
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}Reference Materials
参考资料
- Complete JWT Configuration Guide - Consolidated configuration patterns for Spring Security 6.x
- JWT Testing Guide - Comprehensive testing strategies
- JWT Quick Reference - Common patterns and quick examples
- Complete implementation examples
- Security hardening checklist
- Migration guide for Spring Security 6.x
- 完整JWT配置指南 - Spring Security 6.x集成的综合配置方案
- JWT测试指南 - 全面的测试策略
- JWT速查手册 - 常见方案与快速示例
- 完整实现示例
- 安全加固清单
- Spring Security 6.x迁移指南
Related Skills
相关技能
- - Constructor injection patterns used throughout
spring-boot-dependency-injection - - REST API security patterns and error handling
spring-boot-rest-api-standards - - Testing Spring Security configurations
unit-test-security-authorization - - User entity and repository patterns
spring-data-jpa - - Security monitoring and health endpoints
spring-boot-actuator
- - 全文使用的构造函数注入方案
spring-boot-dependency-injection - - REST API安全方案与错误处理
spring-boot-rest-api-standards - - Spring Security配置测试
unit-test-security-authorization - - 用户实体与仓库方案
spring-data-jpa - - 安全监控与健康检查端点
spring-boot-actuator