1. 程式人生 > 程式設計 >SpringBoot Security整合JWT授權RestAPI的實現

SpringBoot Security整合JWT授權RestAPI的實現

本教程主要詳細講解SpringBoot Security整合JWT授權RestAPI。


技術 版本
Java 1.8+
SpringBoot 2.x.x
Security 5.x
JWT 0.9.0



mvn archetype:generate -DgroupId=com.edurt.sli.slisj -DartifactId=spring-learn-integration-security-jwt -DarchetypeArtifactId=maven-archetype-quickstart -Dversion=1.0.0 -DinteractiveMode=false


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">




  <name>SpringBoot Security整合JWT授權RestAPI</name>





spring-boot-starter-security啟動spring security安全框架

jjwt啟動spring security jwt框架支援


 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 * <p>
 * http://www.apache.org/licenses/LICENSE-2.0
 * <p>
 * Unless required by applicable law or agreed to in writing,software
 * distributed under the License is distributed on an "AS IS" BASIS,* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.stereotype.Component;

 * <p> SpringBootSecurityJwtIntegration </p>
 * <p> Description : SpringBootSecurityJwtIntegration </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:45 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
@Component(value = "com.edurt.sli.slisj")
public class SpringBootSecurityJwtIntegration {

  public static void main(String[] args) {

配置 JWT


 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.config.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import java.io.Serializable;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

 * <p> JwtTokenTemplate </p>
 * <p> Description : JwtTokenTemplate </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:49 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
public class JwtTokenTemplate implements Serializable {

  private static final String CLAIM_KEY_USERNAME = "sub";

  private static final long EXPIRATION_TIME = 432000000;

  private static final String SECRET = "secret";

  public String generateToken(UserDetails userDetails) {
    Map<String,Object> claims = new HashMap<>(16);
    return Jwts.builder()
        .setExpiration(new Date(Instant.now().toEpochMilli() + EXPIRATION_TIME))

  public Boolean validateToken(String token,UserDetails userDetails) {
    User user = (User) userDetails;
    String username = getUsernameFromToken(token);
    return (username.equals(user.getUsername()) && !isTokenExpired(token));

  public Boolean isTokenExpired(String token) {
    Date expiration = getExpirationDateFromToken(token);
    return expiration.before(new Date());

  public String getUsernameFromToken(String token) {
    String username = getClaimsFromToken(token).getSubject();
    return username;

  public Date getExpirationDateFromToken(String token) {
    Date expiration = getClaimsFromToken(token).getExpiration();
    return expiration;

  private Claims getClaimsFromToken(String token) {
    Claims claims = Jwts.parser()
    return claims;



 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.config.jwt;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

 * <p> JwtTokenFilter </p>
 * <p> Description : JwtTokenFilter </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:49 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
public class JwtTokenFilter extends OncePerRequestFilter {

  public static final String HEADER_STRING = "Authorization";

  private UserDetailsService userDetailsService;

  private JwtTokenTemplate jwtTokenTemplate;

  protected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain chain) throws ServletException,IOException {
    String token = request.getHeader(HEADER_STRING);
    if (null != token) {
      String username = jwtTokenTemplate.getUsernameFromToken(token);
      if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
        UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
        if (jwtTokenTemplate.validateToken(token,userDetails)) {
          UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
          authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(




 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.config;

import com.edurt.sli.slisj.config.jwt.JwtTokenFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

 * <p> JwtSecurityConfig </p>
 * <p> Description : JwtSecurityConfig </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:46 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {

  private UserDetailsService userDetailsService;

  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();

  protected void configure(HttpSecurity http) throws Exception {

  public JwtTokenFilter authenticationTokenFilterBean() {
    return new JwtTokenFilter();

  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();



 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.config;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;

 * <p> JwtUserDetailsService </p>
 * <p> Description : JwtUserDetailsService </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:54 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
public class JwtUserDetailsService implements UserDetailsService {

  public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
    if (userName.equals("admin")) {
      return new User("admin","$2a$10$slYQmyNdGzTn7ZLBXBChFOC9f6kFjAqPhccnP6DxlWXx2lPk1C3G6",new ArrayList<>());
    return null;






 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.param;

import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import lombok.ToString;

 * <p> JwtParam </p>
 * <p> Description : JwtParam </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:59 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
public class JwtParam {

  private String username;
  private String password;




 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License,either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
package com.edurt.sli.slisj.controller;

import com.edurt.sli.slisj.config.JwtUserDetailsService;
import com.edurt.sli.slisj.config.jwt.JwtTokenTemplate;
import com.edurt.sli.slisj.param.JwtParam;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.*;

 * <p> HelloJwtController </p>
 * <p> Description : HelloJwtController </p>
 * <p> Author : qianmoQ </p>
 * <p> Version : 1.0 </p>
 * <p> Create Time : 2019-11-26 20:58 </p>
 * <p> Author Email: <a href="mailTo:[email protected]" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" >qianmoQ</a> </p>
@RequestMapping(value = "auth")
public class HelloJwtController {

  private JwtTokenTemplate jwtTokenTemplate;

  private AuthenticationManager authenticationManager;

  private JwtUserDetailsService userDetailsService;

  @PostMapping(value = "login")
  public String login(@RequestBody JwtParam body) throws AuthenticationException {
    UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(body.getUsername(),body.getPassword());
    Authentication authentication = authenticationManager.authenticate(authenticationToken);
    UserDetails userDetails = userDetailsService.loadUserByUsername(body.getUsername());
    return jwtTokenTemplate.generateToken(userDetails);

  @GetMapping(value = "hello")
  public String hello() {
    return "Hello Jwt!!!";




curl -X GET 'http://localhost:8989/auth/hello'


  "timestamp": "2019-11-26T13:05:05.204+0000","status": 403,"error": "Forbidden","message": "Access Denied","path": "/auth/hello"


curl -X POST '' --header 'Content-Type: application/json' -d '{"username": "admin","password": "password"}'




curl -X GET '' --header 'Authorization: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTU3NTIwNTg4OH0.zc3JTsIHIZSmi-hrgCB1AKrrjVWtnWB4YJjOhzml2k9qRdTGdoDYKM1XriQIAInvIrTDDkpozT4Ny58Wcpm4JA'


Hello Jwt!!!




mvn clean package -Dmaven.test.skip=true -X


java -jar target/spring-learn-integration-security-jwt-1.0.0.jar


  • GitHub
  • Gitee
