使用Spring Boot和JWT保护REST Api [英] Secure REST Api with Spring boot and JWT
问题描述
我正在尝试使用实现了自我的JWT
保护我的REST服务器(意味着JWT中没有处理自我的JWT,其他所有东西当然都是Spring
.)
I'm trying to secure my REST server with JWT
which I have implemented my self (Meaning that no spring stuff in the JWT handling it self, everything else is Spring
of course).
我有这个课程:JWTToken implements Authentication
.
我有一个过滤器,负责在SecurityContextHolder
上设置JWTToken
实例:
I have a filter that is responsible of setting the JWTToken
instance at the SecurityContextHolder
:
public class JwtFilter extends GenericFilterBean {
public void doFilter(...) {
....
JWTToken token = new JWTToken(jwt); // this init the Authentication object with all the jwt claims
SecurityContextHolder.getContext().setAuthentication(token);
....
}
我也有调试资源:
@RequestMapping(
value = "/protected_resource",
method = RequestMethod.POST
)
@RolesAllowed("admin")
public RESTResponse<String> debugJwt() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); // here I can see that the context is the right one
return new RESTResponse<>("This was successful", "feedback message", true);
}
我错过了在任何在线资源中都找不到的谜团,这就是如何实现WebSecurityConfigurerAdapter
,特别是configure(HttpSecurity http)
metohd的方法.
I am missing one peace of the puzzle which I could not found in any of the resources online and this is how to implement WebSecurityConfigurerAdapter
and specifically the configure(HttpSecurity http)
metohd.
例如,当我尝试执行此操作时:
When I tried do this, for instance:
http.authorizeRequests().anyRequest().authenticated()
请求没有通过此请求,资源也没有得到调用.
Requests did not pass through this and the resource was not getting called.
我在这里想念什么?
推荐答案
您的JWTToken
类应实现以下方法:
Your JWTToken
class should implement the method:
Collection<? extends GrantedAuthority> getAuthorities();
实现应返回用户授予的角色的集合,其中一个将是"admin"角色,例如:
The implementation should return a collection of the user granted roles, one of them will be the "admin" role, something like:
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singletonList(new SimpleGrantedAuthority("admin"));
}
当然,在您的情况下,您将查询数据库或JWT令牌并解析用户角色.
Of course in your case you will query the DB or the JWT token and parse the user roles.
这篇关于使用Spring Boot和JWT保护REST Api的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!