当前位置：首页 > news >正文

使用Spring Boot与Spring Security构建安全的RESTful API

news 来源：原创 2025/5/18 12:21:28

使用Spring Boot与Spring Security构建安全的RESTful API

引言

在现代Web应用开发中，安全性是不可忽视的重要环节。Spring Boot和Spring Security作为Java生态中的主流框架，为开发者提供了强大的工具来构建安全的RESTful API。本文将详细介绍如何结合Spring Boot和Spring Security，并利用JWT（JSON Web Token）实现身份验证与授权。

技术栈

核心框架: Spring Boot, Spring Security
身份验证: JWT
数据库: H2 (示例)
构建工具: Maven

项目初始化

首先，使用Spring Initializr创建一个新的Spring Boot项目，添加以下依赖：

Spring Web
Spring Security
H2 Database (用于示例)
JWT库 (如jjwt)

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-api</artifactId><version>0.11.5</version></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-impl</artifactId><version>0.11.5</version><scope>runtime</scope></dependency><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt-jackson</artifactId><version>0.11.5</version><scope>runtime</scope></dependency>
</dependencies>

配置Spring Security

Spring Security默认会为所有端点启用基本认证。我们需要自定义配置以实现JWT认证。

创建一个配置类SecurityConfig：

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.csrf().disable().authorizeRequests().antMatchers("/api/auth/**").permitAll().anyRequest().authenticated().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);}@Beanpublic JwtAuthenticationFilter jwtAuthenticationFilter() {return new JwtAuthenticationFilter();}
}

实现JWT生成与验证的逻辑：

@Component
public class JwtTokenProvider {@Value("${jwt.secret}")private String jwtSecret;@Value("${jwt.expiration}")private int jwtExpirationInMs;public String generateToken(Authentication authentication) {UserPrincipal userPrincipal = (UserPrincipal) authentication.getPrincipal();Date now = new Date();Date expiryDate = new Date(now.getTime() + jwtExpirationInMs);return Jwts.builder().setSubject(Long.toString(userPrincipal.getId())).setIssuedAt(new Date()).setExpiration(expiryDate).signWith(SignatureAlgorithm.HS512, jwtSecret).compact();}public Long getUserIdFromJWT(String token) {Claims claims = Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody();return Long.parseLong(claims.getSubject());}public boolean validateToken(String authToken) {try {Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);return true;} catch (Exception ex) {// Log error}return false;}
}

实现认证与授权

创建用户服务类CustomUserDetailsService：

@Service
public class CustomUserDetailsService implements UserDetailsService {@Autowiredprivate UserRepository userRepository;@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userRepository.findByUsername(username).orElseThrow(() -> new UsernameNotFoundException("User not found with username: " + username));return UserPrincipal.create(user);}
}

创建认证控制器AuthController：

@RestController
@RequestMapping("/api/auth")
public class AuthController {@Autowiredprivate AuthenticationManager authenticationManager;@Autowiredprivate JwtTokenProvider tokenProvider;@PostMapping("/signin")public ResponseEntity<?> authenticateUser(@RequestBody LoginRequest loginRequest) {Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(),loginRequest.getPassword()));SecurityContextHolder.getContext().setAuthentication(authentication);String jwt = tokenProvider.generateToken(authentication);return ResponseEntity.ok(new JwtAuthenticationResponse(jwt));}
}