puzhiweizuishuai / springsecurity-jwt-vue-deom Goto Github PK

View Code? Open in Web Editor NEW

103.0 4.0 75.0 3.88 MB

A demonstration of stateless JWT authentication with Spring Security, Spring Boot and Vue js

License: MIT License

Java 68.16% JavaScript 3.92% HTML 0.55% Vue 27.38%

springboot springsecurity jwt vue

springsecurity-jwt-vue-deom's Introduction

JWT Spring Boot Security

Chinese Documents 中文文档

About

This is a demonstration of stateless token-based authentication using JSON Web Token and CSRF protection, Spring Security, Spring Boot and Vue js.

Technology Stack

Component	Technology
Frontend	Vue.js 2
Backend (REST)	SpringBoot (Java)
Security	Token Based (Spring Security, JJWT, CSRF)
Client Build Tools	vue-cli, Webpack, npm
Server Build Tools	Maven

Quick start

Run Environment: Java11, Node 12, Maven3

Clone this project

git clone https://github.com/PuZhiweizuishuai/SpringSecurity-JWT-Vue-Deom.git

Run back end server

cd spring-security-jwt
mvn clean package

Then

java -jar target/security-0.0.1-SNAPSHOT.jar

Run front end server

cd vue
npm install

Then

npm run serve

Final

Open

http://127.0.0.1:8080

Screenshots

Security

JWT token

To generating and verifying JWT I use JJWT. JJWT – a self-contained Java library providing end-to-end JSON Web Tokens creation and verification.

JWT storing strategy

We have a couple of options where to store the token:

HTML5 Web Storage (localStorage or sessionStorage) Cookies

Main problem of Web Storage

It is accessible through JavaScript on the same domain. This means that any JavaScript running on your site will have access to web storage, and because of this can be vulnerable to cross-site scripting (XSS) attacks.

So, to prevent XSS I store the JWT token in a Http-Only/Secure cookie. Cookies, when used with the HttpOnly cookie flag, are not accessible through JavaScript, and are immune to XSS.

CSRF attack

However, cookies are vulnerable to a different type of attack: cross-site request forgery (CSRF). A CSRF attack is a type of attack that occurs when a malicious web site, email, or blog causes a user’s web browser to perform an unwanted action on a trusted site on which the user is currently authenticated.

To prevent CSRF attacks, we must create an extra Javascript readable cookie which is called: XSRF-TOKEN. This cookie must be created when the user is logged in and should contain a random, un-guessable string. Every time the JavaScript application wants to make a request, it will need to read this token and send it along in a custom HTTP header.

Reference document

Spring Security Reference

Vue.js

Dependency software

mavonEditor

element ui

Copyright and license

The code is released under the MIT license.

springsecurity-jwt-vue-deom's People

Contributors

Stargazers

Watchers

Forkers

wangyang1749 mgbin088 tongyp beeworkshop xixiyuguang lyc88 charles2mx binshen 17862733549 fanlun007 itont lonseajim yl463539765 java-lx liu-zq wuhz520 nowcoder001 yangli0226 young17 zhangcqgg joker0017 hqm1015 mouday gjkbjf-lab logycoconut cnjlq84 otis1998 mongohadoop money461 tanxiong188 phcsea abadbeginning oneboi titaniume bailons lvscxl huangxh16888 lovepli tzhanhe baotinghuang gelong he-dongwei-github huaihualiqi benjak135765 bengaltiger65 wuzhj1 lcy604 diy-z fbljq5 lyonleelpl jtiag boriszhangbo chenjie94 chess254 mappedbyte han199901 romasszhs lszall c3730915 jiangjun79 houtianyun wckjlu hujiese runants duyexu winweb hogle-spring flyying211 joke007 lwl504 dylanpppan yeshenyuewu5 smithathy

springsecurity-jwt-vue-deom's Issues

请教：Spring Security + JWT +Vue + History Mode浏览器刷新问题

大神，
如果前端Vue-Router采用History Mode，当刷新浏览器时，URL总是会跳转到登录页面，请问在后端该如何处理？附上部分代码，请帮我看下，不甚感激。

public class SecurityConfig extends WebSecurityConfigurerAdapter{
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().authorizeRequests().antMatchers("/login").permitAll()
      .anyRequest().authenticated();
    http.formLogin().loginPage("/login");
    http.addFilter(new JWTAuthenticationFilter(authenticationManager())) // 用户名，密码验证，验证成功会返回token给客户端
      .addFilter(new JWTAuthorizationFilter(authenticationManager()))
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  }
}

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
  public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
    super(authenticationManager);
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
    String header = request.getHeader(Constant.REQUEST_HEADER_AUTH);
    // 问题出在这里，当（正常情况）调用rest api时，前端会把token带上，请求是合法的
    // 但是当刷新浏览器时，此时header = null，请求不合法，然后就会跳转到/login页面
    if (header == null || !header.startsWith(Constant.TOKEN_PREFIX)) {
      chain.doFilter(request, response);
      return;
    }

    UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    chain.doFilter(request, response);
  }

  private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
    String token = request.getHeader("Authorization");
    if (token != null) {
      // parse the token.
      String user = Jwts.parser().setSigningKey("secret").parseClaimsJws(token.replace("Bearer ", "")).getBody().getSubject();
      if (user != null) {
        return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
      }
      return null;
    }
    return null;
  }