{"id":340844,"date":"2022-11-06T21:00:23","date_gmt":"2022-11-06T21:00:23","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=340844"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=340844","title":{"rendered":"\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 jwt-username-password authentication \u0447\u0435\u0440\u0435\u0437 spring-security-oauth2-resource-server<\/span>"},"content":{"rendered":"
<\/div>\n
\n
\n
\n
\n

\u0414\u043e\u0431\u0440\u044b\u0439 \u0434\u0435\u043d\u044c!<\/p>\n

\u0412 \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u044f \u0445\u043e\u0442\u0435\u043b \u0431\u044b \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u0430\u0442\u044c, \u043a\u0430\u043a \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u043f\u0440\u043e\u0441\u0442\u0435\u0439\u0448\u0443\u044e jwt \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e, \u0431\u0435\u0437 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043a\u0430\u0441\u0442\u043e\u043c\u043d\u044b\u0445 \u0444\u0438\u043b\u044c\u0442\u0440\u043e\u0432 \u0434\u043b\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0438 \u0438 \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0442\u043e\u043a\u0435\u043d\u043e\u0432. \u041d\u0430 \u043c\u043e\u0439 \u0432\u0437\u0433\u043b\u044f\u0434 \u043d\u0430\u0439\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u0440 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u0432 «\u044d\u0442\u0438\u0445 \u0432\u0430\u0448\u0438\u0445 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0430\u0445», \u0434\u0430 \u0442\u0430\u043a\u043e\u0439 \u0447\u0442\u043e\u0431\u044b \u043d\u0430\u0434 \u043a\u0430\u0436\u0434\u044b\u043c \u043c\u0435\u0442\u043e\u0434\u043e\u043c \u043d\u0435 \u0432\u0438\u0441\u0435\u043b\u043e deprecated \u043d\u0435 \u0441\u0430\u043c\u0430\u044f \u043f\u0440\u043e\u0441\u0442\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430, \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0434\u043b\u044f \u043d\u0430\u0447\u0438\u043d\u0430\u044e\u0449\u0438\u0445, \u0430 \u043d\u0435 \u043d\u0430\u0447\u0438\u043d\u0430\u044e\u0449\u0438\u043c \u044d\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u044b \u043d\u0430\u0432\u0435\u0440\u043d\u043e\u0435 \u0438 \u043d\u0435 \u043d\u0443\u0436\u043d\u044b :).<\/p>\n

Security Flow<\/h2>\n

\u0412 \u043e\u0431\u0449\u0435\u043c \u0432\u0438\u0434\u0435 Spring Security \u0432\u0435\u0434\u0435\u0442 \u0441\u0435\u0431\u044f \u043a\u0430\u043a \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u043d\u0430 \u0440\u0438\u0441\u0443\u043d\u043a\u0435:<\/p>\n

\"spring
spring security flow<\/figcaption><\/figure>\n
    \n
  1. \n

    \u0424\u0438\u043b\u044c\u0442\u0440\u044b \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u043a\u0430\u0436\u0434\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441 \u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u044e\u0442 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043b\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f\/\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0440\u0435\u0441\u0443\u0440\u0441\u0443.<\/p>\n<\/li>\n

  2. \n

    \u0424\u0438\u043b\u044c\u0442\u0440\u044b (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 UserNamePasswordAuthenticationFilter) \u0438\u0437\u0432\u043b\u0435\u043a\u0430\u044e\u0442 \u0438\u0437 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043f\u043e\u0434\u0433\u043e\u0442\u0430\u0432\u043b\u0438\u0432\u0430\u044e\u0442 \u043e\u0431\u044a\u0435\u043a\u0442 \u0442\u0438\u043f\u0430 Authentication.<\/p>\n<\/li>\n

  3. \n

    AuthenticationManager \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u0442 \u0437\u0430\u043f\u0440\u043e\u0441 \u043e\u0442 \u0444\u0438\u043b\u044c\u0442\u0440\u0430 \u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 AuthenticationProvider (\u0432 \u043d\u0430\u0448\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0438\u0445 \u0431\u0443\u0434\u0435\u0442 2: DaoAuthenticationProvider — \u0434\u043b\u044f \u0432\u0445\u043e\u0434\u0430 \u043f\u043e \u043b\u043e\u0433\u0438\u043d\u0443 \u0438 \u043f\u0430\u0440\u043e\u043b\u044e \u0438 JwtAuthenticationProvider — \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0439 OAuth2 Resource Server) .<\/p>\n<\/li>\n

  4. \n

    AuthenticationProvider \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043b\u043e\u0433\u0438\u043a\u0443 \u043f\u043e \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<\/p>\n<\/li>\n

  5. \n

    UserDetailsService \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 \u0437\u0430 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435 \u0445\u0440\u0430\u043d\u044f\u0449\u0435\u0439\u0441\u044f \u0432 \u0411\u0414.<\/p>\n<\/li>\n

  6. \n

    PaswordEncoder \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0434\u043b\u044f \u0445\u044d\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<\/p>\n<\/li>\n

  7. \n

    \u041e\u0431\u044a\u0435\u043a\u0442 Authentication c \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0435\u0439 \u043e\u0431 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u0432 AuthenticationManager.<\/p>\n<\/li>\n

  8. \n

    AuthenticationManager \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0443\u0441\u043f\u0435\u0448\u043d\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0438\u043b\u0438 \u043d\u0435\u0442. \u0415\u0441\u043b\u0438 \u0434\u0430, Authentication \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u043a \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u043c \u043f\u043e\u043c\u0435\u0449\u0430\u0435\u0442\u0441\u044f \u0432 SecurityContex (9), \u0435\u0441\u043b\u0438 \u043d\u0435\u0442 \u0442\u043e \u043f\u0440\u043e\u0431\u0443\u0435\u0442 \u0447\u0435\u0440\u0435\u0437 \u0434\u0440\u0443\u0433\u043e\u0439 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 AuthenticationProvider. <\/p>\n<\/li>\n<\/ol>\n

    \u0410 \u0442\u0435\u043f\u0435\u0440\u044c \u043f\u0435\u0440\u0435\u0439\u0434\u0435\u043c \u043a \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0439 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438.<\/p>\n

    1. \u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438<\/h2>\n
    <dependency> <groupId>org.springframework.boot<\/groupId> <artifactId>spring-boot-starter-data-jpa<\/artifactId> <\/dependency>          <dependency>             <groupId>org.springframework.boot<\/groupId>             <artifactId>spring-boot-configuration-processor<\/artifactId>             <optional>true<\/optional>         <\/dependency>                  <dependency>             <groupId>org.springframework.boot<\/groupId>             <artifactId>spring-boot-starter-oauth2-resource-server<\/artifactId>         <\/dependency>  <dependency> <groupId>org.springframework.boot<\/groupId> <artifactId>spring-boot-starter-web<\/artifactId> <\/dependency>  <dependency> <groupId>org.postgresql<\/groupId> <artifactId>postgresql<\/artifactId> <scope>runtime<\/scope> <\/dependency>  <dependency> <groupId>org.projectlombok<\/groupId> <artifactId>lombok<\/artifactId> <optional>true<\/optional> <\/dependency><\/code><\/pre>\n
    \u0417\u0434\u0435\u0441\u044c \u0432\u043c\u0435\u0441\u0442\u043e spring-boot-starter-security \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c spring-boot-starter-oauth2-resource-server, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0432 \u0441\u0435\u0431\u044f \u0440\u044f\u0434 \u0434\u0440\u0443\u0433\u0438\u0445 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0435\u0439 (security-core, security-core, security-oauth2-jose, security-oauth2-jose-resource-server). <\/p>\n
    2. \u0417\u0430\u043f\u043e\u043b\u043d\u044f\u0435\u043c application.properties<\/h2>\n
    #rsa keys rsa.private-key=classpath:certs\/private.pem rsa.public-key=classpath:certs\/public.pem  #db credentials spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect spring.datasource.url=jdbc:postgresql:\/\/localhost:5432\/jwtDb spring.datasource.username=postgres spring.datasource.password=bestuser  #auto creating db schemas with hibernate spring.jpa.show-sql=true spring.jpa.generate-ddl=true spring.jpa.hibernate.ddl-auto=create  #for sql files (can write data and create schemas) spring.jpa.defer-datasource-initialization=true spring.sql.init.mode=always<\/code><\/pre>\n
    3. \u0421\u043e\u0437\u0434\u0430\u0435\u043c entity \u043a\u043b\u0430\u0441\u0441\u044b \u0438 repository<\/h2>\n
    @Table(name=\"users\") @Entity @Data public class User {  @Id @Column(name=\"id\") @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; @Column(name=\"email\") private String email;  @Column(name=\"password\") private String password;      @ManyToMany(cascade = CascadeType.MERGE, fetch = FetchType.EAGER)     @JoinTable(name = \"user_role\",             joinColumns = @JoinColumn(name = \"user_id\"),             inverseJoinColumns = @JoinColumn(name = \"role_id\")) private Set<Role> roles; }  @Table(name=\"roles\") @Entity @Data public class Role {  @Id @Column(name=\"id\") @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id;  @Column(name=\"role_name\") private String roleName; }  public interface UserRepository extends JpaRepository<User, Long> { Optional<User> findByEmail(String email); }<\/code><\/pre>\n
    4. \u0421\u043e\u0437\u0434\u0430\u0435\u043c rsa \u043a\u043b\u044e\u0447\u0438<\/h2>\n
    Jwt \u0442\u043e\u043a\u0435\u043d\u044b \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u043e\u0434\u043f\u0438\u0441\u044b\u0432\u0430\u0442\u044c \u0430\u0441\u0441\u0438\u043c\u0435\u0442\u0440\u0438\u0447\u043d\u044b\u043c\u0438 \u043a\u043b\u044e\u0447\u0430\u043c\u0438, \u0431\u043e\u043b\u0435\u0435 \u0442\u043e\u0433\u043e, NimbusJwtEncoder \u0438 NimbusJwtDecoder, \u0431\u0438\u043d\u044b \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043c\u044b \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438, \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u044e\u0442 \u0438\u043c\u0435\u043d\u043d\u043e \u0442\u0430\u043a\u0443\u044e \u043f\u0430\u0440\u0443 \u043a\u043b\u044e\u0447\u0435\u0439. \u0421\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u043d\u043e\u0432\u0443\u044e \u043f\u0430\u043f\u043a\u0443 \u0432 resources \u0438 \u0441\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u0443\u0435\u043c \u0432 \u043d\u0435\u0439 \u043a\u043b\u044e\u0447\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u043a\u043e\u043c\u0430\u043d\u0434:<\/p>\n
    openssl genrsa  -out keypair.pem 2048 openssl rsa  -in keypai.pem  -pubout  -out public.pem openssl pkc8  -topk8  -inform PEM  -outform PEM  -nocrypt  -in keypair.pem  -out private.pem <\/code><\/pre>\n
    \u0422\u0435\u043f\u0435\u0440\u044c \u043d\u0443\u0436\u043d\u043e \u043a\u0430\u043a-\u0442\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u044d\u0442\u0438\u043c \u043a\u043b\u044e\u0447\u0430\u043c \u0438\u0437 application.properties, \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c:<\/p>\n
    @ConfigurationProperties(prefix =\"rsa\") public record RsaProperties(RSAPrivateKey privateKey, RSAPublicKey publicKey) { }<\/code><\/pre>\n
    *\u043d\u0435 \u0437\u0430\u0431\u0443\u0434\u044c\u0442\u0435 \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c @EnableConfigurationProperties(RsaProperties.class) \u0432 main.<\/p>\n
    5. \u0421\u043e\u0437\u0434\u0430\u0435\u043c UserDetailsService \u0438 UserDetails<\/h2>\n
    \u0414\u043b\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e \u043b\u043e\u0433\u0438\u043d\u0443 \u0438 \u043f\u0430\u0440\u043e\u043b\u044e \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d\u043d\u044b\u043c \u0432 \u0431\u0430\u0437\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f DaoAuthenticationProvider, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432 \u0441\u0432\u043e\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 UserDetailsService \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435.<\/p>\n
    \u0420\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f UserDetailsService \u0431\u0443\u0434\u0435\u0442 \u0432\u044b\u0433\u043b\u044f\u0434\u0435\u0442\u044c \u0442\u0430\u043a:<\/p>\n
    public class CustomUsrDetailsService implements UserDetailsService{  @Autowired private UserRepository userRepo;  @Override public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException { User user = userRepo.findByEmail(email).orElseThrow(()-> new UsernameNotFoundException(\"User with email = \"+email+\" not exist!\")); return new CustomUsrDetails(user); } }<\/code><\/pre>\n
    \u0417\u0434\u0435\u0441\u044c \u043d\u0430\u043c \u043d\u0443\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c \u0432\u0441\u0435\u0433\u043e \u043e\u0434\u0438\u043d \u043c\u0435\u0442\u043e\u0434 \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 UserDetails — \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0430\u043a\u043a\u0443\u043c\u0443\u043b\u0438\u0440\u0443\u044e\u0449\u0438\u0439 \u0432 \u0441\u0435\u0431\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435 (\u043b\u043e\u0433\u0438\u043d, \u043f\u0430\u0440\u043e\u043b\u044c, \u043f\u0440\u0430\u0432\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043f\u0440.). \u0415\u0433\u043e \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u043d\u0430 \u043d\u0438\u0436\u0435: <\/p>\n
    public class CustomUsrDetails implements UserDetails {  private static final long serialVersionUID = 1L; private User user;  public CustomUsrDetails(User user) { this.user = user; }  @Override public Collection<? extends GrantedAuthority> getAuthorities() { Set<Role> roles = user.getRoles();  List<SimpleGrantedAuthority> authorities = new ArrayList<>(); for(Role role : roles) {authorities.add(new SimpleGrantedAuthority(role.getRoleName()));} return authorities; }  @Override public String getPassword() {return user.getPassword();}  @Override public String getUsername() {return user.getEmail();}  @Override public boolean isAccountNonExpired() {return true;}  @Override public boolean isAccountNonLocked() {return true;}  @Overridepublic boolean isCredentialsNonExpired() {return true;}  @Override public boolean isEnabled() {return true;} }<\/code><\/pre>\n
    6. Security Config<\/h2>\n
    @EnableGlobalMethodSecurity(prePostEnabled = true) @EnableWebSecurity @Configuration public class AppSecurityConfig {  private final RsaProperties rsaKeys;  public AppSecurityConfig(RsaProperties rsaKeys) { this.rsaKeys = rsaKeys; }  @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }  @Bean     public UserDetailsService customUserDetailsService() {         return new CustomUsrDetailsService();     }   @Bean public AuthenticationManager authManager() {         var authProvider = new DaoAuthenticationProvider();         authProvider.setUserDetailsService(customUserDetailsService());         authProvider.setPasswordEncoder(passwordEncoder());         return new ProviderManager(authProvider); }  @Bean JwtEncoder jwtEncoder() { JWK jwk = new RSAKey.Builder(rsaKeys.publicKey()).privateKey(rsaKeys.privateKey()).build(); JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(jwk)); return new NimbusJwtEncoder(jwkSource); }  @Bean JwtDecoder jwtDecoder() { return NimbusJwtDecoder.withPublicKey(rsaKeys.publicKey()).build(); }  @Bean TokenService tokenService() { return new TokenService(jwtEncoder()); }  @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {  return http                     .csrf(csrf -> csrf.disable())                     .authorizeRequests(auth -> auth                         .mvcMatchers(\"\/login\").permitAll()                         .mvcMatchers(\"\/token\/refresh\").permitAll()                         .mvcMatchers(\"\/admin\").hasAuthority(\"SCOPE_adm\")                         .mvcMatchers(\"\/user\").hasAuthority(\"SCOPE_usr\")                         .anyRequest().authenticated())                     .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))                     .oauth2ResourceServer(OAuth2ResourceServerConfigurer :: jwt )                         .build(); }  }<\/code><\/pre>\n
    \u0423 \u043d\u0430\u0441 \u043a\u0430\u043a \u0438 \u0443\u043f\u043e\u043c\u0438\u043d\u0430\u043b\u043e\u0441\u044c \u0440\u0430\u043d\u0435\u0435 \u0431\u0443\u0434\u0435\u0442 2 AuthenticationProvide<\/p>\n
      \n
    1. \n
       JwtAuthenticationProvider <\/p>\n<\/li>\n<\/ol>\n
      <\/figcaption><\/figure>\n
      1.1 \u0424\u0438\u043b\u044c\u0442\u0440 \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0442\u043e\u043a\u0435\u043d \u0438 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442 \u0435\u0433\u043e \u0432 AuthenticationManager<\/p>\n
      1.2 ProviderManager \u0432\u044b\u0431\u0438\u0440\u0430\u0435\u0442 JwtAuthenticationProvider<\/p>\n
      1.3 JwtAuthenticationProvider \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u044e \u0442\u043e\u043a\u0435\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e JwtDecoder<\/p>\n
      1.4 JwtAuthenticationProvider \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0443\u0435\u0442 \u0442\u043e\u043a\u0435\u043d \u0432 \u043e\u0431\u044a\u0435\u043a\u0442 Authentication \u0442\u0438\u043f\u0430 JwtAuthenticationToken <\/p>\n
      1.5 JwtAuthenticationToken \u043f\u043e\u043c\u0435\u0449\u0430\u0435\u0442\u0441\u044f \u0432 SecurityContextHolder<\/p>\n
      \u041f\u0440\u0438 \u044d\u0442\u043e\u043c \u0432\u0441\u0435 \u044d\u0442\u0438 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442\u0441\u044f «\u043f\u043e\u0434 \u043a\u0430\u043f\u043e\u0442\u043e\u043c» c \u043f\u043e\u043c\u043e\u0449\u044c\u044e OAuth2ResourceServerConfigurer \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0433\u043e \u0432 SecurityFilterChain. \u041d\u0430\u043c \u043e\u0441\u0442\u0430\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0431\u0438\u043d\u044b JwtEncoder, JwtDecoder \u0438 \u0441\u043e\u0437\u0434\u0430\u0442\u044c TokenService \u0434\u043b\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0438 access \u0438 refresh \u0442\u043e\u043a\u0435\u043d\u043e\u0432 \u0438 \u0432\u044b\u043d\u0438\u043c\u0430\u043d\u0438\u044f \u0438\u0437 \u043d\u0438\u0445 username.<\/p>\n
      public class TokenService  {  private final JwtEncoder jwtEncoder;  public TokenService(JwtEncoder jwtEncoder) { super(); this.jwtEncoder = jwtEncoder; }      public String generateAccessToken(CustomUsrDetails usrDetails) {         Instant now = Instant.now();         String scope = usrDetails.getAuthorities().stream()                 .map(GrantedAuthority::getAuthority)                 .collect(Collectors.joining(\" \"));              JwtClaimsSet claims = JwtClaimsSet.builder()                 .issuer(\"self\")                 .issuedAt(now)                 .expiresAt(now.plus(2, ChronoUnit.MINUTES))                 .subject(usrDetails.getUsername())                 .claim(\"scope\", scope)                 .build();         return this.jwtEncoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();     }      public String generateRefreshToken(CustomUsrDetails usrDetails) {         Instant now = Instant.now();         String scope = usrDetails.getAuthorities().stream()                 .map(GrantedAuthority::getAuthority)                 .collect(Collectors.joining(\" \"));                  JwtClaimsSet claims = JwtClaimsSet.builder()                 .issuer(\"self\")                 .issuedAt(now)                 .expiresAt(now.plus(10, ChronoUnit.MINUTES))                 .subject(usrDetails.getUsername())                 .claim(\"scope\", scope)                 .build();         return this.jwtEncoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();     }          public String parseToken(String token) {     try { SignedJWT decodedJWT = SignedJWT.parse(token); String subject = decodedJWT.getJWTClaimsSet().getSubject(); return subject; } catch (ParseException e) { e.printStackTrace(); }     return null;     } }<\/code><\/pre>\n
        \n
      1. \n
        DaoAuthenticationProvider<\/p>\n<\/li>\n<\/ol>\n
        <\/figcaption><\/figure>\n
        2.1 \u0424\u0438\u043b\u044c\u0442\u0440 \u0431\u0435\u0440\u0435\u0442 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u0435 \u043b\u043e\u0433\u0438\u043d \u0438 \u043f\u0430\u0440\u043e\u043b\u044c \u0438 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442 UsernamePasswordAuthenticationToken \u0432 AuthenticationManager<\/p>\n
        2.2 AuthenticationManager \u0432\u044b\u0431\u0438\u0440\u0430\u0435\u0442 DaoAuthenticationProvider<\/p>\n
        2.3 DaoAuthenticationProvider \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 UserDetails \u0447\u0435\u0440\u0435\u0437 UserDetailsService (\u0443 \u043d\u0430\u0441 \u043e\u043d\u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u044b \u043a\u0430\u043a CustomUsrDetails \u0438 CustomUsrDetailsService)<\/p>\n
        2.4 DaoAuthenticationProvider \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u043f\u0430\u0440\u043e\u043b\u044c \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0439 \u0438\u0437 UserDetails \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e BcryptPasswordEncoder<\/p>\n
        2.5 UsernamePasswordAuthenticationToken \u043f\u043e\u043c\u0435\u0449\u0430\u0435\u0442\u0441\u044f \u0432 SecurityContextHolder<\/p>\n
        7. EndPoints<\/h2>\n
        \u0422\u0435\u043f\u0435\u0440\u044c \u043e\u0441\u0442\u0430\u043b\u043e\u0441\u044c \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u044d\u043d\u0434\u043f\u043e\u0438\u043d\u0442\u044b \u0434\u043b\u044f \u043b\u043e\u0433\u0438\u043d\u0430, \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0442\u043e\u043a\u0435\u043d\u043e\u0432, \u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043f\u0440\u0430\u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u0430.<\/p>\n
        @RestController public class AuthController {  private final TokenService tokenService; private final AuthenticationManager authManager; private final CustomUsrDetailsService usrDetailsService;   public AuthController(TokenService tokenService, AuthenticationManager authManager, CustomUsrDetailsService usrDetailsService) { super(); this.tokenService = tokenService; this.authManager = authManager; this.usrDetailsService = usrDetailsService; }   record LoginRequest(String username, String password) {}; record LoginResponse(String message, String access_jwt_token, String refresh_jwt_token) {}; @PostMapping(\"\/login\") public LoginResponse login(@RequestBody LoginRequest request) {  UsernamePasswordAuthenticationToken authenticationToken =  new UsernamePasswordAuthenticationToken(request.username, request.password); Authentication auth = authManager.authenticate(authenticationToken);  CustomUsrDetails user = (CustomUsrDetails) usrDetailsService.loadUserByUsername(request.username); String access_token = tokenService.generateAccessToken(user); String refresh_token = tokenService.generateRefreshToken(user);  return new LoginResponse(\"User with email = \"+ request.username + \" successfully logined!\"  , access_token, refresh_token); }  record RefreshTokenResponse(String access_jwt_token, String refresh_jwt_token) {}; @GetMapping(\"\/token\/refresh\") public RefreshTokenResponse refreshToken(HttpServletRequest request) {  String headerAuth = request.getHeader(\"Authorization\");   String refreshToken = headerAuth.substring(7, headerAuth.length());  String email = tokenService.parseToken(refreshToken); CustomUsrDetails user = (CustomUsrDetails) usrDetailsService.loadUserByUsername(email); String access_token = tokenService.generateAccessToken(user); String refresh_token = tokenService.generateRefreshToken(user);  return new RefreshTokenResponse(access_token, refresh_token); } }<\/code><\/pre>\n
        @RestController public class MyController {  @GetMapping(\"\/admin\") public String homeAdmin(Principal principal) { return \"Hello mr. \" + principal.getName(); }  @GetMapping(\"\/user\") public String homeUser(Principal principal) { return \"Hello mr. \" + principal.getName(); } }<\/code><\/pre>\n
        8. \u0417\u0430\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435<\/h2>\n
        \u0414\u0430\u043d\u043d\u044b\u0439 \u043f\u043e\u0434\u0445\u043e\u0434 \u0445\u043e\u0442\u044c \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442, \u043d\u043e \u043d\u0438\u043a\u0430\u043a \u043d\u0435 \u043f\u0440\u0435\u0442\u0435\u043d\u0434\u0443\u0435\u0442 \u043d\u0430 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u0435 \ud83d\ude42  <\/p>\n<\/div>\n<\/div>\n<\/div>\n
        <\/div>\n<\/div>\n
          
         \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438  https:\/\/habr.com\/ru\/post\/697694\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
        <\/div>\n
        \n
        \n
        \n
        \n
        \u0414\u043e\u0431\u0440\u044b\u0439 \u0434\u0435\u043d\u044c!<\/p>\n
        \u0412 \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u044f \u0445\u043e\u0442\u0435\u043b \u0431\u044b \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u0430\u0442\u044c, \u043a\u0430\u043a \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u043f\u0440\u043e\u0441\u0442\u0435\u0439\u0448\u0443\u044e jwt \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e, \u0431\u0435\u0437 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043a\u0430\u0441\u0442\u043e\u043c\u043d\u044b\u0445 \u0444\u0438\u043b\u044c\u0442\u0440\u043e\u0432 \u0434\u043b\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0438 \u0438 \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0442\u043e\u043a\u0435\u043d\u043e\u0432. \u041d\u0430 \u043c\u043e\u0439 \u0432\u0437\u0433\u043b\u044f\u0434 \u043d\u0430\u0439\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u0440 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u0432 «\u044d\u0442\u0438\u0445 \u0432\u0430\u0448\u0438\u0445 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0430\u0445», \u0434\u0430 \u0442\u0430\u043a\u043e\u0439 \u0447\u0442\u043e\u0431\u044b \u043d\u0430\u0434 \u043a\u0430\u0436\u0434\u044b\u043c \u043c\u0435\u0442\u043e\u0434\u043e\u043c \u043d\u0435 \u0432\u0438\u0441\u0435\u043b\u043e deprecated \u043d\u0435 \u0441\u0430\u043c\u0430\u044f \u043f\u0440\u043e\u0441\u0442\u0430\u044f \u0437\u0430\u0434\u0430\u0447\u0430, \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0434\u043b\u044f \u043d\u0430\u0447\u0438\u043d\u0430\u044e\u0449\u0438\u0445, \u0430 \u043d\u0435 \u043d\u0430\u0447\u0438\u043d\u0430\u044e\u0449\u0438\u043c \u044d\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u044b \u043d\u0430\u0432\u0435\u0440\u043d\u043e\u0435 \u0438 \u043d\u0435 \u043d\u0443\u0436\u043d\u044b :).<\/p>\n
        Security Flow<\/h2>\n
        \u0412 \u043e\u0431\u0449\u0435\u043c \u0432\u0438\u0434\u0435 Spring Security \u0432\u0435\u0434\u0435\u0442 \u0441\u0435\u0431\u044f \u043a\u0430\u043a \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u043d\u0430 \u0440\u0438\u0441\u0443\u043d\u043a\u0435:<\/p>\n
        spring security flow<\/figcaption><\/figure>\n
          \n
        1. \n
          \u0424\u0438\u043b\u044c\u0442\u0440\u044b \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u043a\u0430\u0436\u0434\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441 \u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u044e\u0442 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043b\u0438 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f\/\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0440\u0435\u0441\u0443\u0440\u0441\u0443.<\/p>\n<\/li>\n
        2. \n
          \u0424\u0438\u043b\u044c\u0442\u0440\u044b (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 UserNamePasswordAuthenticationFilter) \u0438\u0437\u0432\u043b\u0435\u043a\u0430\u044e\u0442 \u0438\u0437 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043f\u043e\u0434\u0433\u043e\u0442\u0430\u0432\u043b\u0438\u0432\u0430\u044e\u0442 \u043e\u0431\u044a\u0435\u043a\u0442 \u0442\u0438\u043f\u0430 Authentication.<\/p>\n<\/li>\n
        3. \n
          AuthenticationManager \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u0442 \u0437\u0430\u043f\u0440\u043e\u0441 \u043e\u0442 \u0444\u0438\u043b\u044c\u0442\u0440\u0430 \u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 AuthenticationProvider (\u0432 \u043d\u0430\u0448\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0438\u0445 \u0431\u0443\u0434\u0435\u0442 2: DaoAuthenticationProvider — \u0434\u043b\u044f \u0432\u0445\u043e\u0434\u0430  \u043f\u043e \u043b\u043e\u0433\u0438\u043d\u0443 \u0438 \u043f\u0430\u0440\u043e\u043b\u044e \u0438 JwtAuthenticationProvider — \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0439 OAuth2 Resource Server) .<\/p>\n<\/li>\n
        4. \n
          AuthenticationProvider \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043b\u043e\u0433\u0438\u043a\u0443 \u043f\u043e \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<\/p>\n<\/li>\n
        5. \n
          UserDetailsService \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 \u0437\u0430 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435 \u0445\u0440\u0430\u043d\u044f\u0449\u0435\u0439\u0441\u044f \u0432 \u0411\u0414.<\/p>\n<\/li>\n
        6. \n
          PaswordEncoder \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0434\u043b\u044f \u0445\u044d\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<\/p>\n<\/li>\n
        7. \n
          \u041e\u0431\u044a\u0435\u043a\u0442 Authentication c \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0435\u0439 \u043e\u0431  \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u0432 AuthenticationManager.<\/p>\n<\/li>\n
        8. \n
          AuthenticationManager \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0443\u0441\u043f\u0435\u0448\u043d\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0438\u043b\u0438 \u043d\u0435\u0442. \u0415\u0441\u043b\u0438 \u0434\u0430, Authentication \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u043a \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u043c \u043f\u043e\u043c\u0435\u0449\u0430\u0435\u0442\u0441\u044f \u0432 SecurityContex (9), \u0435\u0441\u043b\u0438 \u043d\u0435\u0442 \u0442\u043e \u043f\u0440\u043e\u0431\u0443\u0435\u0442 \u0447\u0435\u0440\u0435\u0437 \u0434\u0440\u0443\u0433\u043e\u0439 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 AuthenticationProvider. <\/p>\n<\/li>\n<\/ol>\n
          \u0410 \u0442\u0435\u043f\u0435\u0440\u044c \u043f\u0435\u0440\u0435\u0439\u0434\u0435\u043c \u043a \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0439 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438.<\/p>\n
          1. \u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438<\/h2>\n
          <dependency> <groupId>org.springframework.boot<\/groupId> <artifactId>spring-boot-starter-data-jpa<\/artifactId> <\/dependency>          <dependency>             <groupId>org.springframework.boot<\/groupId>             <artifactId>spring-boot-configuration-processor<\/artifactId>             <optional>true<\/optional>         <\/dependency>                  <dependency>             <groupId>org.springframework.boot<\/groupId>             <artifactId>spring-boot-starter-oauth2-resource-server<\/artifactId>         <\/dependency>  <dependency> <groupId>org.springframework.boot<\/groupId> <artifactId>spring-boot-starter-web<\/artifactId> <\/dependency>  <dependency> <groupId>org.postgresql<\/groupId> <artifactId>postgresql<\/artifactId> <scope>runtime<\/scope> <\/dependency>  <dependency> <groupId>org.projectlombok<\/groupId> <artifactId>lombok<\/artifactId> <optional>true<\/optional> <\/dependency><\/code><\/pre>\n
          \u0417\u0434\u0435\u0441\u044c \u0432\u043c\u0435\u0441\u0442\u043e spring-boot-starter-security \u0431\u0443\u0434\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c spring-boot-starter-oauth2-resource-server, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0432 \u0441\u0435\u0431\u044f \u0440\u044f\u0434 \u0434\u0440\u0443\u0433\u0438\u0445 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0435\u0439 (security-core, security-core, security-oauth2-jose, security-oauth2-jose-resource-server). <\/p>\n
          2. \u0417\u0430\u043f\u043e\u043b\u043d\u044f\u0435\u043c application.properties<\/h2>\n
          #rsa keys rsa.private-key=classpath:certs\/private.pem rsa.public-key=classpath:certs\/public.pem  #db credentials spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect spring.datasource.url=jdbc:postgresql:\/\/localhost:5432\/jwtDb spring.datasource.username=postgres spring.datasource.password=bestuser  #auto creating db schemas with hibernate spring.jpa.show-sql=true spring.jpa.generate-ddl=true spring.jpa.hibernate.ddl-auto=create  #for sql files (can write data and create schemas) spring.jpa.defer-datasource-initialization=true spring.sql.init.mode=always<\/code><\/pre>\n
          3. \u0421\u043e\u0437\u0434\u0430\u0435\u043c entity \u043a\u043b\u0430\u0441\u0441\u044b \u0438 repository<\/h2>\n
          @Table(name=\"users\") @Entity @Data public class User {  @Id @Column(name=\"id\") @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; @Column(name=\"email\") private String email;  @Column(name=\"password\") private String password;      @ManyToMany(cascade = CascadeType.MERGE, fetch = FetchType.EAGER)     @JoinTable(name = \"user_role\",             joinColumns = @JoinColumn(name = \"user_id\"),             inverseJoinColumns = @JoinColumn(name = \"role_id\")) private Set<Role> roles; }  @Table(name=\"roles\") @Entity @Data public class Role {  @Id @Column(name=\"id\") @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id;  @Column(name=\"role_name\") private String roleName; }  public interface UserRepository extends JpaRepository<User, Long> { Optional<User> findByEmail(String email); }<\/code><\/pre>\n
          4. \u0421\u043e\u0437\u0434\u0430\u0435\u043c rsa \u043a\u043b\u044e\u0447\u0438<\/h2>\n
          Jwt \u0442\u043e\u043a\u0435\u043d\u044b \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u043e\u0434\u043f\u0438\u0441\u044b\u0432\u0430\u0442\u044c \u0430\u0441\u0441\u0438\u043c\u0435\u0442\u0440\u0438\u0447\u043d\u044b\u043c\u0438 \u043a\u043b\u044e\u0447\u0430\u043c\u0438, \u0431\u043e\u043b\u0435\u0435 \u0442\u043e\u0433\u043e, NimbusJwtEncoder \u0438 NimbusJwtDecoder, \u0431\u0438\u043d\u044b \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043c\u044b \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438, \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u044e\u0442 \u0438\u043c\u0435\u043d\u043d\u043e \u0442\u0430\u043a\u0443\u044e \u043f\u0430\u0440\u0443 \u043a\u043b\u044e\u0447\u0435\u0439. \u0421\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u043d\u043e\u0432\u0443\u044e \u043f\u0430\u043f\u043a\u0443 \u0432 resources \u0438 \u0441\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u0443\u0435\u043c \u0432 \u043d\u0435\u0439 \u043a\u043b\u044e\u0447\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u043a\u043e\u043c\u0430\u043d\u0434:<\/p>\n
          openssl genrsa  -out keypair.pem 2048 openssl rsa  -in keypai.pem  -pubout  -out public.pem openssl pkc8  -topk8  -inform PEM  -outform PEM  -nocrypt  -in keypair.pem  -out private.pem <\/code><\/pre>\n
          \u0422\u0435\u043f\u0435\u0440\u044c \u043d\u0443\u0436\u043d\u043e \u043a\u0430\u043a-\u0442\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u044d\u0442\u0438\u043c \u043a\u043b\u044e\u0447\u0430\u043c \u0438\u0437 application.properties, \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c:<\/p>\n
          @ConfigurationProperties(prefix =\"rsa\") public record RsaProperties(RSAPrivateKey privateKey, RSAPublicKey publicKey) { }<\/code><\/pre>\n
          *\u043d\u0435 \u0437\u0430\u0431\u0443\u0434\u044c\u0442\u0435 \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c @EnableConfigurationProperties(RsaProperties.class) \u0432 main.<\/p>\n
          5. \u0421\u043e\u0437\u0434\u0430\u0435\u043c UserDetailsService \u0438 UserDetails<\/h2>\n
          \u0414\u043b\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e \u043b\u043e\u0433\u0438\u043d\u0443 \u0438 \u043f\u0430\u0440\u043e\u043b\u044e \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d\u043d\u044b\u043c \u0432 \u0431\u0430\u0437\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f DaoAuthenticationProvider, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432 \u0441\u0432\u043e\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 UserDetailsService \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435.<\/p>\n
          \u0420\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f UserDetailsService \u0431\u0443\u0434\u0435\u0442 \u0432\u044b\u0433\u043b\u044f\u0434\u0435\u0442\u044c \u0442\u0430\u043a:<\/p>\n
          public class CustomUsrDetailsService implements UserDetailsService{  @Autowired private UserRepository userRepo;  @Override public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException { User user = userRepo.findByEmail(email).orElseThrow(()-> new UsernameNotFoundException(\"User with email = \"+email+\" not exist!\")); return new CustomUsrDetails(user); } }<\/code><\/pre>\n
          \u0417\u0434\u0435\u0441\u044c \u043d\u0430\u043c \u043d\u0443\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c \u0432\u0441\u0435\u0433\u043e \u043e\u0434\u0438\u043d \u043c\u0435\u0442\u043e\u0434 \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 UserDetails — \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0430\u043a\u043a\u0443\u043c\u0443\u043b\u0438\u0440\u0443\u044e\u0449\u0438\u0439 \u0432 \u0441\u0435\u0431\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435 (\u043b\u043e\u0433\u0438\u043d, \u043f\u0430\u0440\u043e\u043b\u044c, \u043f\u0440\u0430\u0432\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043f\u0440.). \u0415\u0433\u043e \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u043d\u0430 \u043d\u0438\u0436\u0435: <\/p>\n
          public class CustomUsrDetails implements UserDetails {  private static final long serialVersionUID = 1L; private User user;  public CustomUsrDetails(User user) { this.user = user; }  @Override public Collection<? extends GrantedAuthority> getAuthorities() { Set<Role> roles = user.getRoles();  List<SimpleGrantedAuthority> authorities = new ArrayList<>(); for(Role role : roles) {authorities.add(new SimpleGrantedAuthority(role.getRoleName()));} return authorities; }  @Override public String getPassword() {return user.getPassword();}  @Override public String getUsername() {return user.getEmail();}  @Override public boolean isAccountNonExpired() {return true;}  @Override public boolean isAccountNonLocked() {return true;}  @Overridepublic boolean isCredentialsNonExpired() {return true;}  @Override public boolean isEnabled() {return true;} }<\/code><\/pre>\n
          6. Security Config<\/h2>\n
          @EnableGlobalMethodSecurity(prePostEnabled = true) @EnableWebSecurity @Configuration public class AppSecurityConfig {  private final RsaProperties rsaKeys;  public AppSecurityConfig(RsaProperties rsaKeys) { this.rsaKeys = rsaKeys; }  @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }  @Bean     public UserDetailsService customUserDetailsService() {         return new CustomUsrDetailsService();     }   @Bean public AuthenticationManager authManager() {         var authProvider = new DaoAuthenticationProvider();         authProvider.setUserDetailsService(customUserDetailsService());         authProvider.setPasswordEncoder(passwordEncoder());         return new ProviderManager(authProvider); }  @Bean JwtEncoder jwtEncoder() { JWK jwk = new RSAKey.Builder(rsaKeys.publicKey()).privateKey(rsaKeys.privateKey()).build(); JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(jwk)); return new NimbusJwtEncoder(jwkSource); }  @Bean JwtDecoder jwtDecoder() { return NimbusJwtDecoder.withPublicKey(rsaKeys.publicKey()).build(); }  @Bean TokenService tokenService() { return new TokenService(jwtEncoder()); }  @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {  return http                     .csrf(csrf -> csrf.disable())                     .authorizeRequests(auth -> auth                         .mvcMatchers(\"\/login\").permitAll()                         .mvcMatchers(\"\/token\/refresh\").permitAll()                         .mvcMatchers(\"\/admin\").hasAuthority(\"SCOPE_adm\")                         .mvcMatchers(\"\/user\").hasAuthority(\"SCOPE_usr\")                         .anyRequest().authenticated())                     .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))                     .oauth2ResourceServer(OAuth2ResourceServerConfigurer :: jwt )                         .build(); }  }<\/code><\/pre>\n
          \u0423 \u043d\u0430\u0441 \u043a\u0430\u043a \u0438 \u0443\u043f\u043e\u043c\u0438\u043d\u0430\u043b\u043e\u0441\u044c \u0440\u0430\u043d\u0435\u0435 \u0431\u0443\u0434\u0435\u0442 2 AuthenticationProvide<\/p>\n
            \n
          1. \n
             JwtAuthenticationProvider <\/p>\n<\/li>\n<\/ol>\n
            <\/figcaption><\/figure>\n
            1.1 \u0424\u0438\u043b\u044c\u0442\u0440 \u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0442\u043e\u043a\u0435\u043d \u0438 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442 \u0435\u0433\u043e \u0432 AuthenticationManager<\/p>\n
            1.2 ProviderManager \u0432\u044b\u0431\u0438\u0440\u0430\u0435\u0442 JwtAuthenticationProvider<\/p>\n
            1.3 JwtAuthenticationProvider \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u044e \u0442\u043e\u043a\u0435\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e JwtDecoder<\/p>\n
            1.4 JwtAuthenticationProvider \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0443\u0435\u0442 \u0442\u043e\u043a\u0435\u043d \u0432 \u043e\u0431\u044a\u0435\u043a\u0442 Authentication \u0442\u0438\u043f\u0430 JwtAuthenticationToken <\/p>\n
            1.5 JwtAuthenticationToken \u043f\u043e\u043c\u0435\u0449\u0430\u0435\u0442\u0441\u044f \u0432 SecurityContextHolder<\/p>\n
            \u041f\u0440\u0438 \u044d\u0442\u043e\u043c \u0432\u0441\u0435 \u044d\u0442\u0438 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442\u0441\u044f «\u043f\u043e\u0434 \u043a\u0430\u043f\u043e\u0442\u043e\u043c» c \u043f\u043e\u043c\u043e\u0449\u044c\u044e OAuth2ResourceServerConfigurer \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u0433\u043e \u0432 SecurityFilterChain. \u041d\u0430\u043c \u043e\u0441\u0442\u0430\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0431\u0438\u043d\u044b JwtEncoder, JwtDecoder \u0438 \u0441\u043e\u0437\u0434\u0430\u0442\u044c TokenService \u0434\u043b\u044f \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0438 access \u0438 refresh \u0442\u043e\u043a\u0435\u043d\u043e\u0432 \u0438 \u0432\u044b\u043d\u0438\u043c\u0430\u043d\u0438\u044f \u0438\u0437 \u043d\u0438\u0445 username.<\/p>\n
            public class TokenService  {  private final JwtEncoder jwtEncoder;  public TokenService(JwtEncoder jwtEncoder) { super(); this.jwtEncoder = jwtEncoder; }      public String generateAccessToken(CustomUsrDetails usrDetails) {         Instant now = Instant.now();         String scope = usrDetails.getAuthorities().stream()                 .map(GrantedAuthority::getAuthority)                 .collect(Collectors.joining(\" \"));              JwtClaimsSet claims = JwtClaimsSet.builder()                 .issuer(\"self\")                 .issuedAt(now)                 .expiresAt(now.plus(2, ChronoUnit.MINUTES))                 .subject(usrDetails.getUsername())   <\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-340844","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/340844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=340844"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/340844\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=340844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=340844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=340844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}