Why is UserDetailsService being used in filters? JWT
I have looked at a lot of JWT tutorials and examples; for instance, if you google "spring-security jwt example" you may see links like these:
- https://www.callicoder.com/spring-boot-spring-security-jwt-mysql-react-app-part-2/
- https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world
- https://www.javainuse.com/spring/boot-jwt
Problem) Their authFilters use UserDetailsService, so they fetch data from the database, because it is just a simple token and not a JWT.
So I feel I am not understanding something.
UPDATE: what I would do:
Either create my own custom Authentication and custom AuthProvider.
Or just use a JwtUtil class that decodes the JWT, then creates a default UsernamePasswordAuthToken and sets it into the SecurityContextHolder.
After another review I found that I had missed an important note in Rajeev Singh's tutorial on callicoder:
Note that, the database hit in the above filter is optional. You could
also encode the user’s username and roles inside JWT claims and create
the UserDetails object by parsing those claims from the JWT. That
would avoid the database hit.
However, loading the current details of the user from the database
might still be helpful. For example, you might wanna disallow login
with this JWT if the user’s role has changed, or the user has updated
his password after the creation of this JWT.
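An added example (not from the question or from the linked tutorials) of the trade-off the quoted note describes: a Spring Security filter that either builds the Authentication from the signed JWT claims alone, with no database hit, or, when revalidateAgainstDatabase is set, reloads the user through UserDetailsService so that current roles win and a token issued before the last password change is rejected. It assumes Spring Security 5 on javax.servlet, the jjwt Claims/JwtException types, a token carrying `iat` and a `roles` claim that is a list of strings, and two hypothetical types, JwtUtil and TrackedUser, declared inline.

```java
import java.io.IOException;
import java.util.*;
import java.util.stream.Collectors;
import javax.servlet.*;
import javax.servlet.http.*;
import io.jsonwebtoken.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.web.filter.OncePerRequestFilter;
interface JwtUtil { Claims parseClaims(String token); } // assumed helper: verifies signature and expiry, throws JwtException otherwise
interface TrackedUser extends UserDetails { Date getPasswordChangedAt(); } // assumed: records the last password change
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtUtil jwtUtil;
    private final UserDetailsService userDetailsService;
    private final boolean revalidateAgainstDatabase; // false = trust the claims, no database hit
    public JwtAuthenticationFilter(JwtUtil jwtUtil, UserDetailsService uds, boolean revalidate) {
        this.jwtUtil = jwtUtil; this.userDetailsService = uds; this.revalidateAgainstDatabase = revalidate;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Claims claims = jwtUtil.parseClaims(header.substring(7));
                // Stateless path: subject and roles come straight from the signed claims (assumes a "roles" list claim).
                Object principal = claims.getSubject();
                List<GrantedAuthority> authorities = ((List<?>) claims.get("roles")).stream()
                        .map(r -> new SimpleGrantedAuthority(String.valueOf(r))).collect(Collectors.toList());
                if (revalidateAgainstDatabase) {
                    // Database path: the current record wins over the claims, and a token minted before the last password change is rejected even though its signature is valid.
                    UserDetails current = userDetailsService.loadUserByUsername(claims.getSubject());
                    if (current instanceof TrackedUser && ((TrackedUser) current).getPasswordChangedAt().after(claims.getIssuedAt())) {
                        throw new JwtException("token issued before the last password change");
                    }
                    principal = current;
                    authorities = new ArrayList<>(current.getAuthorities());
                }
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(principal, null, authorities));
            } catch (JwtException e) {
                SecurityContextHolder.clearContext(); // invalid or stale token: continue unauthenticated
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter before UsernamePasswordAuthenticationFilter in the security configuration; with revalidateAgainstDatabase set to false the UserDetailsService is never called, which is the "no database hit" variant from the quoted note.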