返利公众号的安全防护体系:Java Spring Security OAuth2+JWT实现用户身份的多端统一认证
大家好,我是 微赚淘客系统3.0 的研发者省赚客!
在返利类公众号场景中,用户可能通过微信小程序、H5页面或App访问同一套后端服务。为保障账户安全并实现“一次登录、多端通行”,我们基于 Spring Security + OAuth2 + JWT 构建了统一认证中心。本文将聚焦 Java 实现细节,展示如何通过自定义授权服务器、资源服务器及 Token 管理机制,完成高安全性的多端身份认证。
整体架构设计
系统采用 OAuth2 的密码模式(Resource Owner Password Credentials)结合自定义扩展,适用于自有客户端。JWT 作为 Token 载体,包含用户ID、角色、设备类型等信息,并通过 HS512 签名防篡改。所有敏感接口均受 Spring Security 保护。
JWT 工具类与 Token 生成
首先定义 JWT 工具类,用于签发和解析 Token:
packagejuwatech.cn.security.jwt;importio.jsonwebtoken.Claims;importio.jsonwebtoken.Jwts;importio.jsonwebtoken.SignatureAlgorithm;importorg.springframework.beans.factory.annotation.Value;importorg.springframework.stereotype.Component;importjava.util.Date;importjava.util.HashMap;importjava.util.Map;@ComponentpublicclassJwtTokenUtil{@Value("${jwt.secret:juwatech-secret-key-2026}")privateStringsecret;@Value("${jwt.expiration:86400}")// 24小时privateLongexpiration;publicStringgenerateToken(StringuserId,StringclientId){Map<String,Object>claims=newHashMap<>();claims.put("clientId",clientId);claims.put("userId",userId);returnJwts.builder().setClaims(claims).setIssuedAt(newDate()).setExpiration(newDate(System.currentTimeMillis()+expiration*1000)).signWith(SignatureAlgorithm.HS512,secret).compact();}publicClaimsgetClaimsFromToken(Stringtoken){returnJwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();}publicbooleanvalidateToken(Stringtoken){try{Claimsclaims=getClaimsFromToken(token);return!claims.getExpiration().before(newDate());}catch(Exceptione){returnfalse;}}}自定义 UserDetailsService
实现UserDetailsService从数据库加载用户信息:
packagejuwatech.cn.security.service;importjuwatech.cn.mapper.UserMapper;importjuwatech.cn.model.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.core.userdetails.UsernameNotFoundException;importorg.springframework.stereotype.Service;@ServicepublicclassCustomUserDetailsServiceimplementsUserDetailsService{privatefinalUserMapperuserMapper;publicCustomUserDetailsService(UserMapperuserMapper){this.userMapper=userMapper;}@OverridepublicUserDetailsloadUserByUsername(Stringmobile)throwsUsernameNotFoundException{Useruser=userMapper.selectByMobile(mobile);if(user==null){thrownewUsernameNotFoundException("User not found: "+mobile);}returnorg.springframework.security.core.userdetails.User.withUsername(user.getMobile()).password(user.getPassword())// 已加密存储.authorities("ROLE_USER").accountExpired(false).accountLocked(false).credentialsExpired(false).disabled(false).build();}}OAuth2 授权服务器配置
配置授权服务器,支持密码模式并集成 JWT:
packagejuwatech.cn.security.oauth2;importjuwatech.cn.security.jwt.JwtTokenUtil;importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;importorg.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;importorg.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;importorg.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;importorg.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;importorg.springframework.security.oauth2.provider.token.TokenStore;importorg.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;importorg.springframework.security.oauth2.provider.token.store.JwtTokenStore;@Configuration@EnableAuthorizationServerpublicclassAuthorizationServerConfigextendsAuthorizationServerConfigurerAdapter{privatefinalAuthenticationManagerauthenticationManager;privatefinalJwtTokenUtiljwtTokenUtil;publicAuthorizationServerConfig(AuthenticationManagerauthenticationManager,JwtTokenUtiljwtTokenUtil){this.authenticationManager=authenticationManager;this.jwtTokenUtil=jwtTokenUtil;}@Overridepublicvoidconfigure(ClientDetailsServiceConfigurerclients)throwsException{clients.inMemory().withClient("wechat-miniprogram").secret("{noop}mp-secret-2026").authorizedGrantTypes("password","refresh_token").scopes("read","write").accessTokenValiditySeconds(86400).refreshTokenValiditySeconds(604800);}@BeanpublicTokenStoretokenStore(){returnnewJwtTokenStore(jwtAccessTokenConverter());}@BeanpublicJwtAccessTokenConverterjwtAccessTokenConverter(){JwtAccessTokenConverterconverter=newJwtAccessTokenConverter();converter.setSigningKey("juwatech-secret-key-2026");returnconverter;}@Overridepublicvoidconfigure(AuthorizationServerEndpointsConfigurerendpoints){endpoints.tokenStore(tokenStore()).accessTokenConverter(jwtAccessTokenConverter()).authenticationManager(authenticationManager);}@Overridepublicvoidconfigure(AuthorizationServerSecurityConfigurersecurity){security.allowFormAuthenticationForClients().checkTokenAccess("isAuthenticated()");}}资源服务器与权限校验
在资源服务器中解析 JWT 并构建 SecurityContext:
packagejuwatech.cn.security.resource;importjuwatech.cn.security.jwt.JwtTokenUtil;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.context.SecurityContextHolder;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.stereotype.Component;importorg.springframework.web.filter.OncePerRequestFilter;importjavax.servlet.FilterChain;importjavax.servlet.ServletException;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjava.io.IOException;@ComponentpublicclassJwtAuthenticationFilterextendsOncePerRequestFilter{privatefinalJwtTokenUtiljwtTokenUtil;privatefinalUserDetailsServiceuserDetailsService;publicJwtAuthenticationFilter(JwtTokenUtiljwtTokenUtil,UserDetailsServiceuserDetailsService){this.jwtTokenUtil=jwtTokenUtil;this.userDetailsService=userDetailsService;}@OverrideprotectedvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainchain)throwsServletException,IOException{StringauthHeader=request.getHeader("Authorization");if(authHeader!=null&&authHeader.startsWith("Bearer ")){Stringtoken=authHeader.substring(7);if(jwtTokenUtil.validateToken(token)){Stringmobile=jwtTokenUtil.getClaimsFromToken(token).getSubject();UserDetailsuserDetails=userDetailsService.loadUserByUsername(mobile);UsernamePasswordAuthenticationTokenauthentication=newUsernamePasswordAuthenticationToken(userDetails,null,userDetails.getAuthorities());SecurityContextHolder.getContext().setAuthentication(authentication);}}chain.doFilter(request,response);}}并在 WebSecurity 中启用:
packagejuwatech.cn.security.config;importjuwatech.cn.security.resource.JwtAuthenticationFilter;importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.config.annotation.web.builders.HttpSecurity;importorg.springframework.security.config.annotation.web.configuration.EnableWebSecurity;importorg.springframework.security.config.http.SessionCreationPolicy;importorg.springframework.security.web.SecurityFilterChain;importorg.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;@Configuration@EnableWebSecuritypublicclassResourceServerConfig{privatefinalJwtAuthenticationFilterjwtAuthenticationFilter;publicResourceServerConfig(JwtAuthenticationFilterjwtAuthenticationFilter){this.jwtAuthenticationFilter=jwtAuthenticationFilter;}@BeanpublicSecurityFilterChainfilterChain(HttpSecurityhttp)throwsException{http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/api/auth/**").permitAll().antMatchers("/api/refund/**").hasRole("USER").anyRequest().authenticated().and().addFilterBefore(jwtAuthenticationFilter,UsernamePasswordAuthenticationFilter.class);returnhttp.build();}}多端统一登录接口
提供统一登录入口,适配不同客户端:
packagejuwatech.cn.controller;importjuwatech.cn.security.jwt.JwtTokenUtil;importorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.web.bind.annotation.PostMapping;importorg.springframework.web.bind.annotation.RequestBody;importorg.springframework.web.bind.annotation.RestController;@RestControllerpublicclassAuthController{privatefinalAuthenticationManagerauthenticationManager;privatefinalJwtTokenUtiljwtTokenUtil;publicAuthController(AuthenticationManagerauthenticationManager,JwtTokenUtiljwtTokenUtil){this.authenticationManager=authenticationManager;this.jwtTokenUtil=jwtTokenUtil;}@PostMapping("/api/auth/login")publicObjectlogin(@RequestBodyLoginRequestreq){authenticationManager.authenticate(newUsernamePasswordAuthenticationToken(req.getMobile(),req.getPassword()));Stringtoken=jwtTokenUtil.generateToken(req.getMobile(),req.getClientId());returnjava.util.Map.of("access_token",token,"token_type","Bearer");}publicstaticclassLoginRequest{privateStringmobile;privateStringpassword;privateStringclientId;// getters and setterspublicStringgetMobile(){returnmobile;}publicvoidsetMobile(Stringmobile){this.mobile=mobile;}publicStringgetPassword(){returnpassword;}publicvoidsetPassword(Stringpassword){this.password=password;}publicStringgetClientId(){returnclientId;}publicvoidsetClientId(StringclientId){this.clientId=clientId;}}}本文著作权归 微赚淘客系统3.0 研发团队,转载请注明出处!
)
)
