Spring Security combined with JWT tutorial
Summary
The usual argument for JWT over server-side sessions for permission checks: session state occupies server memory, has to be shared between servers as soon as there is more than one, and is awkward for mobile clients such as phones.
A JWT is not stored on the server and consumes no server resources (it is stateless). After logging in, the user receives a token and attaches it to every request that needs authorization (usually in an HTTP request header), so neither sharing state across servers nor mobile access is a problem. To make a stolen token harder to use, the token can additionally be bound to the user's IP address; bear in mind that this breaks for clients whose address changes (mobile networks, NAT), and that a stateless token stays valid until it expires unless the server keeps a revocation list, so keep the expiry short.
Front end process
The user logs in via an Ajax request and receives a token
Every later request that needs authorization carries that token
Back end process (Spring Boot + Spring Security + jjwt)
Idea:
Write the user entity classes and insert a row of test data
User entity class
Role entity class
Insert data
User table
Role table
User_Role table
DAO layer interface that looks up a user by user name and returns a Java 8 Optional
Write a LoginDto for data transfer with the front end
Write a token utility built on the jjwt library. It has three methods: generate a token (returns a String), parse a token (returns an Authentication object), and validate a token (returns a boolean). Validation must cover signature, expiry and malformed input, not just signature.
Implement the UserDetails interface to represent the user to Spring Security; it wraps our User object and exposes its authorities and other properties
Implement the UserDetailsService interface, which has a single method returning a UserDetails. We load the user from the database, wrap it in our UserDetails implementation and return it
Write a filter. If the request carries a token, the filter extracts it, builds an Authentication object from it and stores it in the SecurityContext so that Spring Security can enforce permissions
Write the LoginController. The user posts a user name and password to /auth/login; the controller receives them in a LoginDto, creates an Authentication object (a UsernamePasswordAuthenticationToken) and passes it to the authenticate method of the AuthenticationManager. The AuthenticationManager implementation, ProviderManager, delegates to one or more AuthenticationProviders (authentication processing); by default it calls DaoAuthenticationProvider, which obtains a UserDetails from the UserDetailsService (the authentication information source) and checks that the user exists and the password matches. If authentication succeeds, an Authentication containing the user's authorities is returned and stored in the SecurityContext via SecurityContextHolder.getContext().setAuthentication(); a token is then generated from that Authentication and returned to the user. A failed authenticate call throws an AuthenticationException, which the controller should turn into a 401 response rather than a stack trace
Write a security configuration class that extends WebSecurityConfigurerAdapter and overrides the configure method. At minimum the session policy must be stateless, /auth/login must be reachable without a token, and the JWT filter must be registered in the chain; otherwise the token is never consulted
Write a controller for testing
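The back-end steps above assembled into one added example in Java. This is illustrative code, not the tutorial's downloadable source and not code from the jjwt or Spring projects: the token utility with its three methods, the filter that populates the SecurityContext, the configuration that registers the filter, and the /auth/login endpoint. Assumptions: Spring Boot 2.x (WebSecurityConfigurerAdapter and javax.servlet), jjwt 0.11.x (jjwt-api, jjwt-impl, jjwt-jackson), a UserDetailsService bean defined elsewhere as described in the steps above, the class names JwtTokenProvider, JwtAuthenticationFilter, SecurityConfig and LoginController, and the properties jwt.secret (at least 64 bytes, since HS512 is used) and jwt.expiration-ms.

```java
// Added illustrative code, not the tutorial's download. Assumes Spring Boot 2.x (javax.servlet), jjwt 0.11.x,
// a UserDetailsService bean defined elsewhere, and properties jwt.secret (>= 64 bytes) / jwt.expiration-ms.
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.crypto.SecretKey;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

@Component
class JwtTokenProvider {
    private final SecretKey key;   // HS512 needs >= 64 bytes; jjwt throws WeakKeyException for shorter secrets
    private final long validityMs;
    JwtTokenProvider(@Value("${jwt.secret}") String secret, @Value("${jwt.expiration-ms:3600000}") long validityMs) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.validityMs = validityMs;
    }

    // generate: subject = user name, authorities joined into the "auth" claim, HS512-signed, with expiry
    String createToken(Authentication auth) {
        String authorities = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.joining(","));
        return Jwts.builder().setSubject(auth.getName()).claim("auth", authorities)
                .setExpiration(new Date(System.currentTimeMillis() + validityMs))
                .signWith(key, SignatureAlgorithm.HS512).compact();
    }

    // parse: rebuild an Authentication from the verified claims (the password is never carried in the token)
    Authentication getAuthentication(String token) {
        Claims claims = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
        List<SimpleGrantedAuthority> authorities =
                Arrays.stream(Objects.toString(claims.get("auth", String.class), "").split(","))
                .filter(a -> !a.isEmpty()).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        return new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities);
    }

    // validate: parseClaimsJws verifies signature, structure and expiry and rejects unsigned tokens
    boolean validateToken(String token) {
        try {
            Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
            return true;
        } catch (JwtException | IllegalArgumentException e) {   // expired, tampered, malformed or empty
            return false;
        }
    }
}

class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtTokenProvider tokens;
    JwtAuthenticationFilter(JwtTokenProvider t) { tokens = t; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ") && tokens.validateToken(header.substring(7))) {
            SecurityContextHolder.getContext().setAuthentication(tokens.getAuthentication(header.substring(7)));
        }
        chain.doFilter(req, res);   // no or invalid token: continue unauthenticated and let the access rules decide
    }
}

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final JwtTokenProvider tokens;
    SecurityConfig(JwtTokenProvider t) { tokens = t; }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()   // no cookie session, so there is no CSRF surface to protect
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/auth/login").permitAll().anyRequest().authenticated().and()
            .addFilterBefore(new JwtAuthenticationFilter(tokens), UsernamePasswordAuthenticationFilter.class);
    }
    @Bean @Override   // expose the ProviderManager so the controller can inject it
    public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }
}

@RestController
class LoginController {
    public static class LoginDto { public String username, password; }
    private final AuthenticationManager authManager;
    private final JwtTokenProvider tokens;
    LoginController(AuthenticationManager m, JwtTokenProvider t) { authManager = m; tokens = t; }
    @PostMapping("/auth/login")
    Map<String, String> login(@RequestBody LoginDto dto) {
        // ProviderManager -> DaoAuthenticationProvider -> UserDetailsService; throws AuthenticationException on failure
        Authentication auth = authManager.authenticate(new UsernamePasswordAuthenticationToken(dto.username, dto.password));
        SecurityContextHolder.getContext().setAuthentication(auth);
        return Collections.singletonMap("token", tokens.createToken(auth));
    }
}
```

With a 64-byte jwt.secret configured, a POST of {"username": "...", "password": "..."} to /auth/login returns {"token": "..."}, and every later request sends Authorization: Bearer <token>. Two design points worth noting: the filter parses the token twice (validateToken, then getAuthentication), which is simple but can be merged into a single parse if latency matters; and a wrong password makes authenticate throw an AuthenticationException, which should be mapped to an explicit 401 response rather than left to default handling.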
Case source code download (local download)