基于Spring Boot角色的安全JWT

时间:2016-11-20 19:08:23

标签: java spring-security spring-boot jwt

我正在使用Angular 2的Spring启动。我实现了一个JWT REST端点进行身份验证。我的angular 2前端使用身份验证服务将用户名和密码发送到spring boot后端。在后端,我只希望具有LDAP角色的用户可以访问登录。我实现了以下内容:

@RestController
@RequestMapping("/api")
public class UserJWTController {

    @Inject
    private TokenProvider tokenProvider;

    @Inject
    private AuthenticationManager authenticationManager;



    @RequestMapping(value = "/authenticate", method = RequestMethod.POST, consumes="application/json")
    public ResponseEntity<?> authorize(@RequestBody User user, HttpServletResponse response) {


        UsernamePasswordAuthenticationToken authenticationToken =
            new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());

        try {
            Authentication authentication = this.authenticationManager.authenticate(authenticationToken);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            Collection<SimpleGrantedAuthority> userAuthorities = (Collection<SimpleGrantedAuthority>)SecurityContextHolder.getContext().getAuthentication().getAuthorities();
            for(SimpleGrantedAuthority authCheck: userAuthorities){
                if(authCheck.toString().equals(LDAP_USER_ROLE )){
                    String jwt = tokenProvider.createToken(authentication, true);
                    response.addHeader(JWTConfigurer.AUTHORIZATION_HEADER, "Bearer " + jwt);
                    return ResponseEntity.ok(new JWTToken(jwt));
                }


            }
            return new ResponseEntity<>(HttpStatus.FORBIDDEN);    


        } catch (AuthenticationException exception) {
            return new ResponseEntity<>(Collections.singletonMap("AuthenticationException",exception.getLocalizedMessage()), HttpStatus.UNAUTHORIZED);
        }
    }
}

我有一个问题的代码是:

Collection<SimpleGrantedAuthority> userAuthorities = (Collection<SimpleGrantedAuthority>)SecurityContextHolder.getContext().getAuthentication().getAuthorities();
                for(SimpleGrantedAuthority authCheck: userAuthorities){
                    if(authCheck.toString().equals(LDAP_USER_ROLE )){
                        String jwt = tokenProvider.createToken(authentication, true);
                        response.addHeader(JWTConfigurer.AUTHORIZATION_HEADER, "Bearer " + jwt);
                        return ResponseEntity.ok(new JWTToken(jwt));
                    }


                }
                return new ResponseEntity<>(HttpStatus.FORBIDDEN);

我正在做的是将角色设置为我导入的常量:LDAP_USER_ROLE

我创建了一个集合变量来存储用户权限,并使用for循环来检查该用户角色是否在权限集合中。如果是,我返回一个JWT令牌,如果不是,我返回403.

有更好的方法吗?它有效,但似乎不是检查用户是否拥有该角色的有效方法。

1 个答案:

答案 0 :(得分:1)

使用springboot security中的@PreAuthorize注释。

实施例: https://github.com/bfwg/springboot-jwt-starter/blob/master/src/main/java/com/bfwg/rest/UserController.java#L48

相关问题
最新问题