ログイン機能とユーザー登録機能を作ろう!
こんにちは、TOMON_9912です!
しばらく更新できていませんでしたが、今回はSpring Boot × JWTを使って、
ログイン機能とユーザー登録機能をまとめて作成しました!
生成AIも活用しながら構築してみたのですが、正直、難易度が一段上がった印象です。
でもその分、見慣れないコードも多くて学びと成長の宝庫でした!
JWTをなぜ使おうと思ったか?
JWTを使った認証は、REST API の「ステートレス性」と非常に相性が良いためです。
トークンを使えばサーバー側でセッションを管理する必要がなくなり、スケーラビリティやクライアントの多様性(Web、モバイルなど)にも柔軟に対応できます。
今回の目標
-
ユーザー登録API:JWTを発行して返す
-
ログインAPI:認証成功でJWT発行
-
API保護:JWTによる認証フィルタの実装
ディレクトリ構成
src/main/java/com/example/noteapp/
├── controller
│ └── AuthController.java
├── dto
│ │── LoginRequest.java
│ └── RegisterRequest.java
├── entity
│ └── User.java
├── repository
│ └── UserRepository.java
├── security
│ └── JwtAuthenticationFilter.java
├── service
│ └── CustomUserDetailsService.java
├── util
│ └── JwtUtil.java
└── config
└── SecurityConfig.java
依存関係
pom.xml
<!-- JWT -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.11.5</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<!-- バリデーション -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
DTO
LoginRequest.java
package com.example.noteapp.backend.dto;
import jakarta.validation.constraints.NotBlank;
import lombok.Data;
@Data
public class LoginRequest {
@NotBlank(message = "ユーザー名を入力してください")
private String username;
@NotBlank(message = "パスワードを入力してください")
private String password;
}
RegisterRequest.java
package com.example.noteapp.backend.dto;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import lombok.Data;
@Data
public class RegisterRequest {
@NotBlank
@Size(min = 3, max = 20)
private String username;
@Email
@NotBlank
private String email;
@NotBlank
@Size(min = 6, max = 100)
private String password;
}
サービス
CustomUserDetailsService.java
package com.example.noteapp.backend.service;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.Collections;
import com.example.noteapp.backend.repository.UserRepository;
import com.example.noteapp.backend.entity.User;
@Service
public class CustomUserDetailsService implements UserDetailsService {
private final UserRepository userRepository;
public CustomUserDetailsService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username)
.orElseThrow(() -> new UsernameNotFoundException("ユーザーが見つかりません: " + username));
return org.springframework.security.core.userdetails.User
.withUsername(user.getUsername())
.password(user.getPassword())
.authorities(Collections.emptyList()) // 権限が必要ならここに追加
.build();
}
}
セキュリティ設定
SecurityConfig.java
package com.example.noteapp.backend.config;
import com.example.noteapp.backend.security.JwtAuthenticationFilter;
import com.example.noteapp.backend.service.CustomUserDetailsService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthenticationFilter;
private final CustomUserDetailsService userDetailsService;
public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter,
CustomUserDetailsService userDetailsService) {
this.jwtAuthenticationFilter = jwtAuthenticationFilter;
this.userDetailsService = userDetailsService;
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated()
)
.authenticationProvider(authenticationProvider()) // ← 明示的に追加
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService); // ← ここ!
provider.setPasswordEncoder(passwordEncoder());
return provider;
}
}
JwtProperties.java
package com.example.noteapp.backend.config;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
@Configuration
@ConfigurationProperties(prefix = "jwt")
public class JwtProperties {
private String secret;
private long expiration;
public String getSecret() {
return secret;
}
public void setSecret(String secret) {
this.secret = secret;
}
public long getExpiration() {
return expiration;
}
public void setExpiration(long expiration) {
this.expiration = expiration;
}
}
コントローラー
AuthController.java
package com.example.noteapp.backend.controller;
import com.example.noteapp.backend.dto.RegisterRequest;
import com.example.noteapp.backend.dto.LoginRequest;
import com.example.noteapp.backend.entity.User;
import com.example.noteapp.backend.repository.UserRepository;
import com.example.noteapp.backend.util.JwtUtil;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.*;
import jakarta.validation.Valid;
import java.time.LocalDateTime;
import java.util.Map;
@RestController
@RequestMapping("/api/auth")
public class AuthController {
private final UserRepository userRepository;
private final PasswordEncoder passwordEncoder;
private final JwtUtil jwtUtil;
public AuthController(UserRepository userRepository, PasswordEncoder passwordEncoder, JwtUtil jwtUtil) {
this.userRepository = userRepository;
this.passwordEncoder = passwordEncoder;
this.jwtUtil = jwtUtil;
}
@PostMapping("/register")
public ResponseEntity<?> register(@Valid @RequestBody RegisterRequest request) {
if (userRepository.findByUsername(request.getUsername()).isPresent()) {
return ResponseEntity.badRequest().body(Map.of("error", "Username already exists"));
}
if (userRepository.findByEmail(request.getEmail()).isPresent()) {
return ResponseEntity.badRequest().body(Map.of("error", "Email already exists"));
}
User user = new User();
user.setUsername(request.getUsername());
user.setEmail(request.getEmail());
user.setPassword(passwordEncoder.encode(request.getPassword()));
user.setCreatedAt(LocalDateTime.now());
user.setUpdatedAt(LocalDateTime.now());
user.setStatus(User.UserStatus.active);
userRepository.save(user);
String token = jwtUtil.generateToken(user.getUsername());
return ResponseEntity.ok(Map.of(
"token", token,
"username", user.getUsername()
));
}
@PostMapping("/login")
public ResponseEntity<?> login(@Valid @RequestBody LoginRequest request) {
return userRepository.findByUsername(request.getUsername())
.filter(user -> passwordEncoder.matches(request.getPassword(), user.getPassword()))
.map(user -> {
String token = jwtUtil.generateToken(user.getUsername());
return ResponseEntity.ok(Map.of(
"token", token,
"username", user.getUsername()));
})
.orElse(ResponseEntity.status(401).body(Map.of("error", "Invalid credentials")));
}
}
JWTユーティリティ
JwtUtil.java
package com.example.noteapp.backend.util;
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import org.springframework.stereotype.Component;
import com.example.noteapp.backend.config.JwtProperties;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Date;
@Component
public class JwtUtil {
private final Key key;
private final long expiration;
public JwtUtil(JwtProperties jwtProperties) {
this.key = Keys.hmacShaKeyFor(jwtProperties.getSecret().getBytes(StandardCharsets.UTF_8));
this.expiration = jwtProperties.getExpiration();
}
public String generateToken(String username) {
return Jwts.builder()
.setSubject(username)
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + expiration))
.signWith(key, SignatureAlgorithm.HS256)
.compact();
}
public boolean validateToken(String token) {
try {
Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
return true;
} catch (JwtException e) {
return false;
}
}
public String extractUsername(String token) {
return Jwts.parserBuilder().setSigningKey(key).build()
.parseClaimsJws(token)
.getBody()
.getSubject();
}
}
JwtAuthenticationFilter.java
package com.example.noteapp.backend.security;
import com.example.noteapp.backend.util.JwtUtil;
import com.example.noteapp.backend.service.CustomUserDetailsService;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private final JwtUtil jwtUtil;
private final CustomUserDetailsService userDetailsService;
public JwtAuthenticationFilter(JwtUtil jwtUtil, CustomUserDetailsService userDetailsService) {
this.jwtUtil = jwtUtil;
this.userDetailsService = userDetailsService;
}
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain)
throws ServletException, IOException {
String authHeader = request.getHeader("Authorization");
if (authHeader != null && authHeader.startsWith("Bearer ")) {
String token = authHeader.substring(7);
if (jwtUtil.validateToken(token)) {
String username = jwtUtil.extractUsername(token);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authToken);
} else {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setContentType("application/json");
response.getWriter().write("{\"error\":\"無効または期限切れのトークンです\"}");
return;
}
}
filterChain.doFilter(request, response);
}
}
補足:秘密鍵は環境変数や設定ファイルなどで安全に管理しましょう。
API利用例(curl)
登録
curl -X POST http://localhost:8080/api/auth/register \
-H "Content-Type: application/json" \
-d '{"username":"sample","email":"test@example.com","password":"pass1234"}'
ログイン
curl -X POST http://localhost:8080/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"sample","password":"pass1234"}'
各種プロセス
1. 新規登録
クライアント → POST /api/auth/register → JWT発行 → クライアント保存
2. ログイン
クライアント → POST /api/auth/login → JWT発行 → クライアント保存
3. 保護APIアクセス
クライアント → Authorization: Bearer <JWT> → フィルター通過 → Controller 到達
まとめ
今回はかなりボリュームがあったのでかなり大変でした!
生成AIを活用して作ったので理解できていないところが多いので、完成したら腰を据えてセキュリティについての勉強もしていきたいですね!なぜこのコードが必要か?というところまでまだ踏み込めていないので、ここは慎重に勉強していった方が良さそうですね。
細かいテストはフロントエンドを作成してからしていこうと思います!
完成したらGitHubを公開してみるのもよさそうですね!