基于数据库 + JWT 的 Spring Boot Security 完整示例代码
更新时间:2026年01月19日 10:17:23 作者:jason.zeng@1502207
该示例展示了如何使用Spring Boot Security和JWT实现用户数据库存储、无状态认证和角色权限控制,本文通过实例代码给大家介绍的非常详细,感兴趣的朋友跟随小编一起看看吧
基于数据库 + JWT 的 Spring Boot Security 完整示例
该示例实现 用户数据库存储 + JWT 无状态认证 + 角色权限控制,适用于前后端分离架构。
一、 技术依赖
在 pom.xml 中添加核心依赖:
<!-- Spring Boot Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Spring Boot Web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Spring Boot Data JPA -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!-- MySQL 驱动 -->
<dependency>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<scope>runtime</scope>
</dependency>
<!-- JWT 依赖 -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.11.5</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<!-- Lombok (简化代码) -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>二、 数据库设计
设计 sys_user(用户表)、sys_role(角色表)、sys_user_role(用户角色关联表),执行 SQL:
CREATE DATABASE IF NOT EXISTS security_jwt;
USE security_jwt;
-- 用户表
CREATE TABLE sys_user (
id BIGINT PRIMARY KEY AUTO_INCREMENT,
username VARCHAR(50) NOT NULL UNIQUE,
password VARCHAR(100) NOT NULL,
status TINYINT DEFAULT 1 COMMENT '1-正常 0-禁用',
create_time DATETIME DEFAULT CURRENT_TIMESTAMP
);
-- 角色表
CREATE TABLE sys_role (
id BIGINT PRIMARY KEY AUTO_INCREMENT,
role_name VARCHAR(50) NOT NULL,
role_code VARCHAR(50) NOT NULL UNIQUE
);
-- 用户角色关联表
CREATE TABLE sys_user_role (
id BIGINT PRIMARY KEY AUTO_INCREMENT,
user_id BIGINT NOT NULL,
role_id BIGINT NOT NULL,
FOREIGN KEY (user_id) REFERENCES sys_user(id),
FOREIGN KEY (role_id) REFERENCES sys_role(id)
);
-- 插入测试数据
INSERT INTO sys_role (role_name, role_code) VALUES ('管理员', 'ROLE_ADMIN'), ('普通用户', 'ROLE_USER');
-- 密码是 123456 (BCrypt 加密后)
INSERT INTO sys_user (username, password, status) VALUES
('admin', '$2a$10$e0wFw5aKz4wLz7xQxXyYz9z8a7b6c5d4e3f2g1h0', 1),
('user', '$2a$10$e0wFw5aKz4wLz7xQxXyYz9z8a7b6c5d4e3f2g1h0', 1);
INSERT INTO sys_user_role (user_id, role_id) VALUES (1,1), (2,2);三、 核心配置与代码
1. 配置文件 application.yml
spring:
datasource:
url: jdbc:mysql://localhost:3306/security_jwt?useUnicode=true&characterEncoding=utf8&serverTimezone=Asia/Shanghai
username: root
password: 你的数据库密码
driver-class-name: com.mysql.cj.jdbc.Driver
jpa:
hibernate:
ddl-auto: none
show-sql: true
properties:
hibernate:
format_sql: true
jwt:
secret: 7b3a9f8d2e4c6a1b5f9e3c8a2d7b1f4e6c9d8b2a5e7f3c1d4b6a8f9e2c3d5b7a
expiration: 3600000 # token有效期 1小时2. 实体类
- 用户实体 SysUser.java
package com.example.demo.entity;
import lombok.Data;
import javax.persistence.*;
import java.util.List;
@Data
@Entity
@Table(name = "sys_user")
public class SysUser {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String username;
private String password;
private Integer status;
@ManyToMany(fetch = FetchType.EAGER)
@JoinTable(
name = "sys_user_role",
joinColumns = @JoinColumn(name = "user_id"),
inverseJoinColumns = @JoinColumn(name = "role_id")
)
private List<SysRole> roles;
}- 角色实体 SysRole.java
package com.example.demo.entity;
import lombok.Data;
import javax.persistence.*;
@Data
@Entity
@Table(name = "sys_role")
public class SysRole {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String roleName;
private String roleCode;
}3. JWT 工具类 JwtUtil.java
package com.example.demo.util;
import io.jsonwebtoken.*;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@Component
public class JwtUtil {
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
// 生成token
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
return Jwts.builder()
.setClaims(claims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + expiration))
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
// 验证token
public boolean validateToken(String token, UserDetails userDetails) {
String username = getUsernameFromToken(token);
return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
}
// 从token获取用户名
public String getUsernameFromToken(String token) {
return getClaimsFromToken(token).getSubject();
}
// 解析token
private Claims getClaimsFromToken(String token) {
return Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
}
// 判断token是否过期
private boolean isTokenExpired(String token) {
Date expiration = getClaimsFromToken(token).getExpiration();
return expiration.before(new Date());
}
}4. 自定义 UserDetailsService
package com.example.demo.service;
import com.example.demo.entity.SysRole;
import com.example.demo.entity.SysUser;
import com.example.demo.repository.SysUserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.List;
import java.util.stream.Collectors;
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private SysUserRepository sysUserRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser sysUser = sysUserRepository.findByUsername(username)
.orElseThrow(() -> new UsernameNotFoundException("用户不存在"));
// 转换角色为权限
List<SimpleGrantedAuthority> authorities = sysUser.getRoles().stream()
.map(role -> new SimpleGrantedAuthority(role.getRoleCode()))
.collect(Collectors.toList());
return new User(sysUser.getUsername(), sysUser.getPassword(), authorities);
}
}5. JWT 认证过滤器 JwtAuthenticationFilter.java
package com.example.demo.filter;
import com.example.demo.service.UserDetailsServiceImpl;
import com.example.demo.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private JwtUtil jwtUtil;
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
// 获取token
String token = request.getHeader("Authorization");
if (token != null && token.startsWith("Bearer ")) {
token = token.substring(7);
String username = jwtUtil.getUsernameFromToken(token);
// 用户名存在且未认证
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
// 验证token有效性
if (jwtUtil.validateToken(token, userDetails)) {
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
}
chain.doFilter(request, response);
}
}6. Security 核心配置 SecurityConfig.java
package com.example.demo.config;
import com.example.demo.filter.JwtAuthenticationFilter;
import com.example.demo.service.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // 开启方法级权限控制
public class SecurityConfig {
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Autowired
private JwtAuthenticationFilter jwtAuthenticationFilter;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
return http.getSharedObject(AuthenticationManagerBuilder.class)
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder())
.and()
.build();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf().disable() // 前后端分离关闭csrf
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // 无状态
.and()
.authorizeHttpRequests()
.antMatchers("/auth/login").permitAll() // 登录接口公开
.anyRequest().authenticated(); // 其他接口需认证
// 添加JWT过滤器
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
}7. 登录控制器与测试接口
package com.example.demo.controller;
import com.example.demo.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/auth")
public class AuthController {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtUtil jwtUtil;
// 登录接口
@PostMapping("/login")
public String login(@RequestParam String username, @RequestParam String password) {
// 认证用户
authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
// 生成token
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
return jwtUtil.generateToken(userDetails);
}
}
// 测试接口
@RestController
@RequestMapping("/test")
public class TestController {
@GetMapping("/admin")
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String adminTest() {
return "管理员接口";
}
@GetMapping("/user")
@PreAuthorize("hasRole('ROLE_USER')")
public String userTest() {
return "普通用户接口";
}
}8. 仓库接口 SysUserRepository.java
package com.example.demo.repository;
import com.example.demo.entity.SysUser;
import org.springframework.data.jpa.repository.JpaRepository;
import java.util.Optional;
public interface SysUserRepository extends JpaRepository<SysUser, Long> {
Optional<SysUser> findByUsername(String username);
}四、 测试步骤
- 启动项目,使用 Postman 调用
POST /auth/login?username=admin&password=123456获取 token。 - 调用测试接口时,在请求头添加
Authorization: Bearer 生成的token。 - 访问
/test/admin需 admin 角色,访问/test/user需 user 角色,无权限或 token 失效会返回 403/401。
到此这篇关于基于数据库 + JWT 的 Spring Boot Security 完整示例代码的文章就介绍到这了,更多相关Spring Boot Security JWT内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!
您可能感兴趣的文章:
- SpringBoot3集成SpringSecurity+JWT的实现
- springboot security使用jwt认证方式
- SpringBoot3.x接入Security6.x实现JWT认证的完整步骤
- SpringSecurity角色权限控制(SpringBoot+SpringSecurity+JWT)
- SpringBoot3.0+SpringSecurity6.0+JWT的实现
- SpringBoot整合SpringSecurity和JWT和Redis实现统一鉴权认证
- Springboot WebFlux集成Spring Security实现JWT认证的示例
- Springboot集成Spring Security实现JWT认证的步骤详解
- SpringBoot整合SpringSecurity和JWT的示例
- SpringBoot集成Spring Security用JWT令牌实现登录和鉴权的方法
相关文章
Spring boot中使用Spring-data-jpa方便快捷的访问数据库(推荐)
Spring Data JPA 是 Spring 基于 ORM 框架、JPA 规范的基础上封装的一套JPA应用框架,可使开发者用极简的代码即可实现对数据的访问和操作。这篇文章主要介绍了Spring-boot中使用Spring-data-jpa方便快捷的访问数据库,需要的朋友可以参考下2018-05-05
这篇文章主要介绍了基于Spring框架的Shiro配置方法,需要的朋友可以参考下2014-10-10
最简单的在IntelliJ IDEA导入一个本地项目教程(图文)
这篇文章主要介绍了最简单的在IntelliJ IDEA导入一个本地项目教程(图文),文中通过图文介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧2020-08-08
spring boot自定义配置时在yml文件输入有提示问题及解决方案
自定义一个配置类,然后在yml文件具体配置值时,一般不会有提示,今天小编给大家分享spring boot自定义配置时在yml文件输入有提示问题,感兴趣的朋友一起看看吧2023-10-10
这篇文章主要介绍了Java的设计模式之代理模式使用详解,代理模式是23种设计模式之一,它关心的主要是过程,而不是结果,代理模式主要提供了对目标对象的间接访问方式,即通过代理对象来访问目标对象,需要的朋友可以参考下2024-01-01
Java面试为何阿里强制要求不在foreach里执行删除操作
那天,小二去阿里面试,面试官老王一上来就甩给了他一道面试题:为什么阿里的 Java 开发手册里会强制不要在 foreach 里进行元素的删除操作2021-11-11
面向切面编程(aspect-oriented programming,AOP)主要实现的目的是针对业务处理过程中的切面进行提取,诸如日志、事务管理和安全这样的系统服务,从而使得业务逻辑各部分之间的耦合度降低,提高程序的可重用性,同时提高了开发的效率2022-08-08
这篇文章主要和小伙伴们简单介绍下 Spring Security 中的动态权限方案,以便于小伙伴们更好的理解 TienChin 项目中的权限方案,感兴趣的可以了解一下2022-06-06
最近小编做了一个springboot项目,最后需要打成war包在容器中部署,下面小编给大家分享下SpringBoot项目如何打可执行war包,感兴趣的朋友一起看看吧2020-04-04
这篇文章主要介绍了Java 是如何读取和写入浏览器Cookies的实例的相关资料,需要的朋友可以参考下2016-09-09
最新评论