如何在Java API中实现身份验证和授权

在Java中实现身份验证和授权可以使用一些现成的框架和工具，比如Spring Security。Spring Security是一个功能强大且灵活的框架，可以帮助我们实现用户身份验证和授权。

以下是一个简单的示例，演示如何在Java API中使用Spring Security进行身份验证和授权：

1. 添加Spring Security依赖：

    org.springframework.boot
    spring-boot-starter-security

2. 创建一个Security配置类：

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
}

3. 配置用户和权限：

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
    }
}

4. 创建一个用户和角色：

import org.springframework.context.annotation.Bean;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if ("admin".equals(username)) {
            return User.withUsername("admin").password("{noop}admin").roles("ADMIN").build();
        } else if ("user".equals(username)) {
            return User.withUsername("user").password("{noop}user").roles("USER").build();
        }
        throw new UsernameNotFoundException("User not found");
    }
}

5. 在控制器中添加注解进行授权验证：

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {

    @GetMapping("/admin")
    public String admin() {
        return "Welcome Admin!";
    }

    @GetMapping("/user")
    public String user() {
        return "Welcome User!";
    }

    @GetMapping("/public")
    public String publicPage() {
        return "Welcome to public page!";
    }
}

这样就完成了一个简单的身份验证和授权示例。当用户访问不同的URL时，根据用户的角色来进行授权验证，如果用户没有相应的角色，则会被拒绝访问。