SpringBoot + SpringSecurity + JWT 完整整合实战(生产级无状态认证)

张开发
SpringBoot SpringSecurity JWT 完整整合实战生产级无状态认证前言在前后端分离、微服务架构中SpringSecurity JWT 是企业级最主流安全方案。SpringSecurity 负责权限控制、登录校验JWT 负责无状态令牌签发与校验。本文实现一套可直接上线的完整架构登录签发 JWT → 请求携带 Token → Security 自动鉴权 → 角色权限控制 → 异常统一处理。全程标准配置无冗余代码适合后端进阶学习。一、核心 Maven 依赖dependencies!-- Spring Web --dependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-web/artifactId/dependency!-- Spring Security --dependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-security/artifactId/dependency!-- JWT 核心依赖 --dependencygroupIdio.jsonwebtoken/groupIdartifactIdjjwt-api/artifactIdversion0.11.5/version/dependencydependencygroupIdio.jsonwebtoken/groupIdartifactIdjjwt-impl/artifactIdversion0.11.5/versionscoperuntime/scope/dependencydependencygroupIdio.jsonwebtoken/groupIdartifactIdjjwt-jackson/artifactIdversion0.11.5/versionscoperuntime/scope/dependency/dependencies二、JWT 常量配置publicclassJwtConstants{// 密钥生产环境放入配置中心publicstaticfinalStringSECRET_KEYSpringSecurityJwtSecret2026ABCDEFGHIJKLMN;// 令牌过期时间 2小时publicstaticfinallongEXPIRATION2*60*60*1000;// 请求头名称publicstaticfinalStringTOKEN_HEADERAuthorization;// 令牌前缀publicstaticfinalStringTOKEN_PREFIXBearer ;}三、JWT 工具类importio.jsonwebtoken.*;importio.jsonwebtoken.security.Keys;importorg.springframework.stereotype.Component;importjavax.crypto.SecretKey;importjava.util.Date;ComponentpublicclassJwtUtil{privatefinalSecretKeysecretKeyKeys.hmacShaKeyFor(JwtConstants.SECRET_KEY.getBytes());/** * 生成 JWT Token */publicStringgenerateToken(Stringusername){returnJwts.builder().setSubject(username).setIssuedAt(newDate()).setExpiration(newDate(System.currentTimeMillis()JwtConstants.EXPIRATION)).signWith(secretKey,SignatureAlgorithm.HS256).compact();}/** * 从 Token 中获取用户名 */publicStringgetUsername(Stringtoken){returngetClaims(token).getSubject();}/** * 校验 Token 是否有效 */publicbooleanvalidateToken(Stringtoken){try{Jwts.parserBuilder().setSigningKey(secretKey).build().parseClaimsJws(token);returntrue;}catch(Exceptione){returnfalse;}}/** * 获取 Token 
载荷 */privateClaimsgetClaims(Stringtoken){returnJwts.parserBuilder().setSigningKey(secretKey).build().parseClaimsJws(token).getBody();}}四、SpringSecurity 用户查询服务importorg.springframework.security.core.userdetails.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.core.userdetails.UsernameNotFoundException;importorg.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;importorg.springframework.stereotype.Service;ServicepublicclassUserDetailServiceImplimplementsUserDetailsService{OverridepublicUserDetailsloadUserByUsername(Stringusername)throwsUsernameNotFoundException{// 模拟数据库查询用户if(!admin.equals(username)){thrownewUsernameNotFoundException(用户不存在);}// 密码 123456 加密StringpwdnewBCryptPasswordEncoder().encode(123456);returnUser.withUsername(admin).password(pwd).roles(ADMIN).build();}}五、JWT 认证过滤器核心importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.context.SecurityContextHolder;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.web.authentication.WebAuthenticationDetailsSource;importorg.springframework.stereotype.Component;importorg.springframework.web.filter.OncePerRequestFilter;importjavax.annotation.Resource;importjavax.servlet.FilterChain;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;ComponentpublicclassJwtAuthenticationFilterextendsOncePerRequestFilter{ResourceprivateJwtUtiljwtUtil;ResourceprivateUserDetailsServiceuserDetailsService;OverrideprotectedvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainfilterChain){try{Stringtokenrequest.getHeader(JwtConstants.TOKEN_HEADER);if(token!nulltoken.startsWith(JwtConstants.TOKEN_PREFIX)){tokentoken.replace(JwtConstants.TOKEN_PREFIX,);
StringusernamejwtUtil.getUsername(token);if(username!nullSecurityContextHolder.getContext().getAuthentication()null){UserDetailsuserDetailsuserDetailsService.loadUserByUsername(username);if(jwtUtil.validateToken(token)){UsernamePasswordAuthenticationTokenauthTokennewUsernamePasswordAuthenticationToken(userDetails,null,userDetails.getAuthorities());authToken.setDetails(newWebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authToken);}}}filterChain.doFilter(request,response);}catch(Exceptione){filterChain.doFilter(request,response);}}}六、SpringSecurity 核心配置importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;importorg.springframework.security.config.annotation.web.builders.HttpSecurity;importorg.springframework.security.config.annotation.web.configuration.EnableWebSecurity;importorg.springframework.security.config.http.SessionCreationPolicy;importorg.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;importorg.springframework.security.crypto.password.PasswordEncoder;importorg.springframework.security.web.SecurityFilterChain;importorg.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;importjavax.annotation.Resource;ConfigurationEnableWebSecuritypublicclassSecurityConfig{ResourceprivateJwtAuthenticationFilterjwtAuthenticationFilter;BeanpublicPasswordEncoderpasswordEncoder(){returnnewBCryptPasswordEncoder();}BeanpublicAuthenticationManagerauthenticationManager(AuthenticationConfigurationconfiguration)throwsException{returnconfiguration.getAuthenticationManager();}BeanpublicSecurityFilterChainsecurityFilterChain(HttpSecurityhttp)throwsException{http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).an
d().authorizeRequests().antMatchers(/login).permitAll().antMatchers(/admin/**).hasRole(ADMIN).anyRequest().authenticated()// 未登录处理器.exceptionHandling().authenticationEntryPoint((request,response,e)-{response.setContentType(application/json;charsetutf-8);response.getWriter().write({\code\:401,\msg\:\未登录或Token已过期\});}).and().addFilterBefore(jwtAuthenticationFilter,UsernamePasswordAuthenticationFilter.class);returnhttp.build();}}七、登录控制器importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.Authentication;importorg.springframework.web.bind.annotation.PostMapping;importorg.springframework.web.bind.annotation.RequestParam;importorg.springframework.web.bind.annotation.RestController;importjavax.annotation.Resource;importjava.util.HashMap;importjava.util.Map;RestControllerpublicclassLoginController{ResourceprivateAuthenticationManagerauthenticationManager;ResourceprivateJwtUtiljwtUtil;/** * 登录接口签发 JWT */PostMapping(/login)publicMapString,Objectlogin(RequestParamStringusername,RequestParamStringpassword){AuthenticationauthauthenticationManager.authenticate(newUsernamePasswordAuthenticationToken(username,password));StringtokenjwtUtil.generateToken(username);MapString,ObjectresultnewHashMap();result.put(code,200);result.put(msg,登录成功);result.put(token,token);returnresult;}}八、测试接口importorg.springframework.web.bind.annotation.GetMapping;importorg.springframework.web.bind.annotation.RestController;RestControllerpublicclassTestController{/** * 登录后可访问 */GetMapping(/user/info)publicStringuserInfo(){return当前登录用户信息;}/** * 仅 ADMIN 角色可访问 */GetMapping(/admin/dashboard)publicStringadmin(){return管理员控制台;}}九、接口使用说明登录接口请求地址/login请求方式POST参数usernameadmin、password123456返回JWT Token业务接口请求头Authorization: Bearer 你的Token未登录返回401无权限返回403十、核心优势**无状态认证**不依赖 Session支持分布式、微服务**自动鉴权**SpringSecurity 统一拦截、校验 Token**权限控制**支持角色、权限细粒度控制**安全可靠**BCrypt 密码加密 JWT 
防篡改签名；**标准化**：企业主流架构，可直接上线。

十一、总结

SpringSecurity + JWT 是后端必备安全技能。本文提供的是一套生产级标准方案：登录、鉴权、权限、异常、加密全部完善（上线前请按第二节代码注释所述，将 SECRET_KEY 从源码移入配置中心，不要以硬编码形式保留在仓库中）。可直接用于后台管理系统、微服务网关、APP 后端、企业平台。

作者介绍：专注 Java 后端、SpringBoot、SpringSecurity、微服务实战开发，承接项目开发、架构升级、权限系统定制，欢迎 CSDN 私信交流。
