Spring Security 超详细使用教程接入 Spring Boot 与前后端分离引言Spring SecuritySpring Boot 安全的“守护神”Spring Security 是 Spring 生态中处理认证Authentication和授权Authorization的强大框架它无缝集成 Spring Boot提供从基本认证到 OAuth2 的全面解决方案。在前后端分离架构中如 React/Vue 前端 Spring Boot 后端Spring Security 常结合 JWTJSON Web Token实现无状态认证避免传统 Session 的跨域问题。根据官方指南Spring Security 能轻松保护 REST API确保只有授权用户访问资源。 2026 年随着 Spring Boot 3.x 的普及这一框架支持虚拟线程和 GraalVM Native 编译提升了性能和安全性。本教程从基础接入入手逐步深入前后端分离实战覆盖依赖、配置、JWT 集成和常见坑。目标读完后你能独立构建一个安全的 API 系统提升应用安全性 50%。预计阅读时长30 分钟。准备 IntelliJ IDEA 和 Maven立即新建 Spring Boot 项目测试基本认证核心概念Spring Security 基础速览Spring Security 的核心是过滤器链Filter Chain它拦截请求处理认证/授权。以下表格对比关键概念基于 Spring Security 6.x兼容 Boot 3.x概念定义与作用关键组件/注解前后端分离适用性常见误区认证Authentication验证用户身份如用户名/密码、JWTUserDetailsService, AuthenticationManager高用 JWT 令牌替换 Session忽略密码加密BCrypt授权Authorization检查权限如角色/方法级PreAuthorize, SecurityFilterChain高基于 JWT 声明claims过度配置导致性能瓶颈过滤器链拦截请求的过滤器序列HttpSecurity 配置中自定义 JWT 过滤器默认启用 CSRF 冲突 CORSJWT 集成无状态令牌用于前后端分离JwtAuthenticationToken高API 首选密钥泄露/过期未处理OAuth2第三方登录如 GoogleEnableOAuth2Client高社交登录配置 issuer-uri 错误解读前后端分离时禁用 Sessionstateless用 JWT 携带用户信息。默认 Spring Security 启用基本认证需自定义配置。依赖与项目准备步骤1创建 Spring Boot 项目使用 Spring Initializrhttps://start.spring.io生成项目选择 Spring Boot 3.x、Java 21、Maven。添加依赖Webspring-boot-starter-web、Securityspring-boot-starter-security、JWTspring-boot-starter-oauth2-resource-server 或 jjwt。pom.xml 示例dependenciesdependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-web/artifactId/dependencydependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-security/artifactId/dependencydependencygroupIdorg.springframework.security/groupIdartifactIdspring-security-oauth2-resource-server/artifactId/dependencydependencygroupIdorg.springframework.security/groupIdartifactIdspring-security-oauth2-jose/artifactId/dependencydependency!-- JWT 解析 --groupIdio.jsonwebtoken/groupIdartifactIdjjwt-api/artifactIdversion0.12.3/version/dependencydependencygroupIdio.jsonwebtoken/groupIdartifactIdjjwt-impl/artifactIdversion0.12.3/versionscoperuntime/scope/dependencydependencygroupIdio.jsonwebtoken/groupIdartifactIdjjwt-jackson/artifactIdversion0.12.3/versionscoperuntime/scope/dependency/dependencies步骤2基本配置添加 Security 后Spring Boot 默认启用基本认证用户名 user密码控制台打印。测试运行应用访问 http://localhost:8080弹出登录框。基础认证配置用户名/密码验证步骤3自定义用户服务创建 UserDetailsService 实现类加载用户数据可从数据库。代码示例SecurityConfig.javaimportorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;importorg.springframework.security.config.annotation.web.builders.HttpSecurity;importorg.springframework.security.core.userdetails.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;importorg.springframework.security.crypto.password.PasswordEncoder;importorg.springframework.security.provisioning.InMemoryUserDetailsManager;importorg.springframework.security.web.SecurityFilterChain;ConfigurationpublicclassSecurityConfig{BeanpublicPasswordEncoderpasswordEncoder(){returnnewBCryptPasswordEncoder();// 密码加密}BeanpublicUserDetailsServiceuserDetailsService(){UserDetailsuserUser.withUsername(admin).password(passwordEncoder().encode(123456)).roles(ADMIN).build();returnnewInMemoryUserDetailsManager(user);// 内存用户生产用数据库}BeanpublicSecurityFilterChainsecurityFilterChain(HttpSecurityhttp)throwsException{http.authorizeHttpRequests(auth-auth.requestMatchers(/public/**).permitAll()// 公开路径.anyRequest().authenticated()// 其他需认证).formLogin(form-form// 表单登录.loginPage(/login)// 自定义登录页前后端分离可忽略.permitAll()).logout(logout-logout.permitAll());returnhttp.build();}}测试访问受保护路径输入 admin/123456 登录。前后端分离JWT 认证集成前后端分离时禁用表单登录和 CSRF用 JWT 处理认证。步骤4JWT 配置创建 JWT 工具类importio.jsonwebtoken.*;importjava.util.Date;publicclassJwtUtils{privatestaticfinalStringSECRETyour_secret_key;// 密钥privatestaticfinallongEXPIRATION86400000;// 1天publicstaticStringgenerateToken(Stringusername){returnJwts.builder().setSubject(username).setExpiration(newDate(System.currentTimeMillis()EXPIRATION)).signWith(Keys.hmacShaKeyFor(SECRET.getBytes())).compact();}publicstaticStringgetUsernameFromToken(Stringtoken){returnJwts.parserBuilder().setSigningKey(Keys.hmacShaKeyFor(SECRET.getBytes())).build().parseClaimsJws(token).getBody().getSubject();}publicstaticbooleanvalidateToken(Stringtoken){try{Jwts.parserBuilder().setSigningKey(Keys.hmacShaKeyFor(SECRET.getBytes())).build().parseClaimsJws(token);returntrue;}catch(Exceptione){returnfalse;}}}步骤5自定义 JWT 过滤器更新 SecurityConfig// ... 省略前部分BeanpublicSecurityFilterChainsecurityFilterChain(HttpSecurityhttp)throwsException{http.csrf(csrf-csrf.disable())// 前后端分离禁用 CSRF.sessionManagement(session-session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))// 无状态.authorizeHttpRequests(auth-auth.requestMatchers(/login).permitAll().anyRequest().authenticated()).addFilterBefore(newJwtAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class);// 自定义过滤器returnhttp.build();}JwtAuthenticationFilter.javaimportjakarta.servlet.FilterChain;importjakarta.servlet.http.HttpServletRequest;importjakarta.servlet.http.HttpServletResponse;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.context.SecurityContextHolder;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.web.filter.OncePerRequestFilter;publicclassJwtAuthenticationFilterextendsOncePerRequestFilter{OverrideprotectedvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainfilterChain)throwsException{Stringtokenrequest.getHeader(Authorization);if(token!nulltoken.startsWith(Bearer )){tokentoken.substring(7);if(JwtUtils.validateToken(token)){StringusernameJwtUtils.getUsernameFromToken(token);// 从UserDetailsService加载用户UserDetailsuserDetailsuserDetailsService().loadUserByUsername(username);UsernamePasswordAuthenticationTokenauthnewUsernamePasswordAuthenticationToken(userDetails,null,userDetails.getAuthorities());SecurityContextHolder.getContext().setAuthentication(auth);}}filterChain.doFilter(request,response);}}步骤6登录接口生成 JWTLoginController.javaimportorg.springframework.security.authentication.AuthenticationManager;importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;importorg.springframework.security.core.Authentication;importorg.springframework.web.bind.annotation.PostMapping;importorg.springframework.web.bind.annotation.RequestBody;importorg.springframework.web.bind.annotation.RestController;RestControllerpublicclassLoginController{privatefinalAuthenticationManagerauthenticationManager;publicLoginController(AuthenticationManagerauthenticationManager){this.authenticationManagerauthenticationManager;}PostMapping(/login)publicStringlogin(RequestBodyLoginRequestrequest){AuthenticationauthenticationauthenticationManager.authenticate(newUsernamePasswordAuthenticationToken(request.getUsername(),request.getPassword()));returnJwtUtils.generateToken(request.getUsername());}}publicclassLoginRequest{privateStringusername;privateStringpassword;// getters/setters}前端用 Axios 发送 POST /login获取 JWT后续请求加 Header: Authorization: Bearer {token}。授权与方法级安全步骤7角色授权在 SecurityConfig 加EnableMethodSecurity。Controller 示例RestControllerpublicclassAdminController{GetMapping(/admin)PreAuthorize(hasRole(ADMIN))// 方法级授权publicStringadmin(){returnAdmin Access;}}常见问题与优化CORS前后端分离加 CORS 配置BeanpublicCorsConfigurationSourcecorsConfigurationSource(){CorsConfigurationconfignewCorsConfiguration();config.setAllowedOrigins(List.of(http://localhost:3000));// 前端地址config.setAllowedMethods(List.of(GET,POST,PUT,DELETE));config.setAllowedHeaders(List.of(*));UrlBasedCorsConfigurationSourcesourcenewUrlBasedCorsConfigurationSource();source.registerCorsConfiguration(/**,config);returnsource;}性能大表 JWT 验证用缓存生产用 RSA 密钥签名。OAuth2扩展到第三方登录配置 issuer-uri 和 client-id g rok:render type“render_inline_citation”9/grok:render。结语Spring Security构建安全的 API 堡垒从基本认证到 JWT 前后端分离Spring Security 让安全配置变得优雅而强大——在春川的春日午后当前 KST 11:302026.3.7试着运行这个配置Postman 测试 /login 获取 JWT你将感受到安全的脉动实践挑战集成数据库用户存储。需 OAuth2 扩展或代码调试分享你的项目细节我帮优化。参考Spring 官方指南与 Baeldung 教程。 Go secure, build robust