問題描述
我正在用 spring boot 編寫一個(gè) RESTful api.我正在使用 spring boot、jersey、mongo db、swagger、spring boot security 和 jwt.
I'm writing a RESTful api with spring boot. I'm using spring boot, jersey, mongo db, swagger, spring boot security and jwt.
我已經(jīng)編寫了模型、數(shù)據(jù)庫請求的存儲(chǔ)庫.現(xiàn)在我已經(jīng)集成了 Security 和 jwt 令牌.
I have written the models, the repositories for the requests to the DB. Now I have integrated the Security and jwt token.
現(xiàn)在我需要離散化用戶的角色,因?yàn)橛脩魺o法調(diào)用需要管理員權(quán)限的路由.
Now I need to discretize the role of the users, because a user cant call a route that need an admin priviledges.
我有一個(gè)登錄路徑,它返回一個(gè)令牌.這是我的 SecurityConfig 的代碼
I have a route for login, it's return a token. This is the code of my SecurityConfig
...
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
UserRepository userRepository;
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/api/swagger.json").permitAll()
.antMatchers(HttpMethod.POST, "/login").permitAll()
.antMatchers("/api/*").authenticated()
.and()
.addFilterBefore(new JWTLoginFilter("/login", authenticationManager(), userRepository),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new JWTAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
}
我編寫了 JWTLoginFilter,當(dāng)用戶登錄時(shí)返回我的令牌
I written the JWTLoginFilter that return me the token when user makes login
...
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException, IOException, ServletException {
Credential creds = new ObjectMapper().readValue(req.getInputStream(), Credential.class);
User user = userRepository.login(creds);
if (user == null)
throw new BadCredentialsException("");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
creds.getUsername(),
creds.getPassword()
);
return token;
}
...
我想在方法的端點(diǎn)類中插入它
I want insert this on my endpoint class on method
@PreAuthorize("hasRole('ROLE_ADMIN')")
這是端點(diǎn)的一部分
....
@Component
@Path("story")
@Api(value = "Story", produces = "application/json")
public class StoryEndpoint {
private static final Logger LOGGER = LoggerFactory.getLogger(StoryEndpoint.class);
@Autowired
StoryRepository storyRepository;
@GET
@Path("/")
@Produces(MediaType.APPLICATION_JSON)
@PreAuthorize("hasRole('ROLE_ADMIN')") <--- I want insert here
@ApiOperation(value = "Get All Story", response = Story.class)
@ApiResponses(value = {
@ApiResponse(code = 200, message = "hello resource found"),
@ApiResponse(code = 404, message = "Given admin user not found")
})
public Response getAllStory(){
Iterable<Story> stories = storyRepository.findAll();
LOGGER.info("getAllStory");
return (stories!=null) ? Response.ok(stories).build() : Response.ok(ResponseErrorGenerator.generate(Response.Status.NOT_FOUND)).status(Response.Status.NOT_FOUND).build();
}
....
如何制定一種機(jī)制來為用戶分配角色,以及如何在令牌中傳遞角色并離散化路由用戶角色?
How I can make a mechanism for assign to user the role and how i can pass the role in token and discretize on route the role of user?
推薦答案
您需要將用戶角色作為附加聲明存儲(chǔ)在 JWT 令牌中,在令牌驗(yàn)證后提取它們并作為主體的權(quán)限"傳遞:
You need to store user roles inside JWT token as additional claims, extract them after token validation and pass as 'authorities' for principal:
Collection<? extends GrantedAuthority> authorities
= Arrays.asList(claims.get(AUTHORITIES_KEY).toString().split(",")).stream()
.map(authority -> new SimpleGrantedAuthority(authority))
.collect(Collectors.toList());
User principal = new User(claims.getSubject(), "",
authorities);
UsernamePasswordAuthenticationToken t
= new UsernamePasswordAuthenticationToken(principal, "", authorities);
這篇關(guān)于Spring Boot 如何使用 jwt 管理用戶角色的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!