JWT简介
创新互联公司2013年至今,先为景泰等服务建站,景泰等地企业,进行企业商务咨询服务。为景泰企业网站制作PC+手机+微官网三网同步一站式服务解决您的所有建站问题。
简介
JSON Web token简称JWT, 是用于对应用程序上的用户进行身份验证的标记。也就是说, 使用 JWTS 的应用程序不再需要保存有关其用户的 cookie 或其他session数据。此特性便于可伸缩性, 同时保证应用程序的安全。
在身份验证过程中, 当用户使用其凭据成功登录时, 将返回 JSON Web token, 并且必须在本地保存 (通常在本地存储中)。每当用户要访问受保护的路由或资源 (端点) 时, 用户代理(user agent)必须连同请求一起发送 JWT, 通常在授权标头中使用Bearer schema。后端服务器接收到带有 JWT 的请求时, 首先要做的是验证token。
JWT的格式
JWT就是一个字符串,经过加密处理与校验处理的字符串,形式为:A.B.C
A由JWT头部信息header加密得到
B由JWT用到的身份验证信息json数据加密得到
C由A和B加密得到,是校验部分
怎样使用token?
可以放到HTTP请求的请求头中,通常是Authorization字段。
流程图
jwt流程图.png
JWT 实战
加入Maven jwt 依赖
io.jsonwebtoken jjwt 0.9.1
在application.proterties中加入配置
# 加密yan jwt.secret=A0B1C2D3E4F5G6H7I8J9KALBMCNDOEPFQ0R1S2T3U4V5W6X7Y8Z9 # tocken 过期时间,单位秒 jwt.expire=300 # 需要认证的url,多个URL使用英文逗号,分割 jwt.authorised-urls=/apis/fis/redis/**
JwtHelper工具类
import java.text.SimpleDateFormat; import java.util.Calendar; import java.util.Date; import java.util.Map; import javax.servlet.http.HttpServletRequest; import com.alibaba.fastjson.JSONObject; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; public class JwtHelper { private Long EXPIRATION_TIME; private String SECRET; private final String TOKEN_PREFIX = "Bearer"; private final String HEADER_STRING = "Authorization"; public JwtHelper(String secret, long expire) { this.EXPIRATION_TIME = expire; this.SECRET = secret; System.out.println("正在初始化Jwthelper,expire="+expire); } public JSONObject generateToken(Mapclaims) { Calendar c = Calendar.getInstance(); c.setTime(new Date()); c.add(Calendar.SECOND, EXPIRATION_TIME.intValue()); Date d = c.getTime(); String jwt = Jwts.builder() .setClaims(claims) .setExpiration(d) .signWith(SignatureAlgorithm.HS512, SECRET) .compact(); JSONObject json = new JSONObject(); json.put("token",TOKEN_PREFIX + " " + jwt); json.put("token-type", TOKEN_PREFIX); json.put("expire-time",new SimpleDateFormat("yyyy-MM-dd HH:ss:mm").format(d) ); return json; } public Map validateTokenAndGetClaims(HttpServletRequest request) { String token = request.getHeader(HEADER_STRING); System.out.println("token is:"+token); if (token == null) { return null; } Map body = Jwts.parser() .setSigningKey(SECRET) .parseClaimsJws(token.replace(TOKEN_PREFIX, "")) .getBody(); return body; } }
JWT过滤器JwtFilter
import java.io.IOException; import java.util.Arrays; import java.util.List; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.http.HttpStatus; import org.springframework.util.AntPathMatcher; /** * JWT过滤器 * * @author 李庆海 * */ public class JwtFilter implements Filter { private JwtHelper jwtHelper; private Listurls = null; private static final org.springframework.util.PathMatcher pathMatcher = new AntPathMatcher(); public JwtFilter(JwtHelper jwtHelper, String[] authorisedUrls) { this.jwtHelper = jwtHelper; urls = Arrays.asList(authorisedUrls); } @Override public void init(FilterConfig filterConfig) throws ServletException { //SpringBeanAutowiringSupport.processInjectionBasedOnServletContext(this, filterConfig.getServletContext()); } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; httpResponse.setCharacterEncoding("UTF-8"); httpResponse.setContentType("application/json; charset=utf-8"); httpResponse.setHeader("Access-Control-Allow-Origin", "*"); if ("OPTIONS".equals(httpRequest.getMethod())) { httpResponse.setStatus(HttpStatus.NO_CONTENT.value()); // HttpStatus.SC_NO_CONTENT = 204 httpResponse.setHeader("Access-Control-Allow-Credentials", "true"); httpResponse.setHeader("Access-Control-Allow-Headers", "Content-Type, x-requested-with, Token"); httpResponse.setHeader("Access-Control-Allow-Methods", "OPTIONS,GET,POST,DELETE,PUT"); } String spath = httpRequest.getServletPath(); try { // 验证受保护的接口 for (String url : urls) { if (pathMatcher.match(url, spath)) { Object token = jwtHelper.validateTokenAndGetClaims(httpRequest); if (token != null) { chain.doFilter(request, response); return; }else{ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "未授权或者授权已经过期"); return; } }else{ chain.doFilter(request, response); return; } } } catch (Exception e) { e.printStackTrace(); } chain.doFilter(request, response); return; } @Override public void destroy() { } }
配置JWT
import java.util.ArrayList; import java.util.List; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import cn.com.yd.fis.client.jwt.JwtFilter; import cn.com.yd.fis.client.jwt.JwtHelper; @Configuration public class JwtConfig { @Value("${jwt.secret}") private String secret; @Value("${jwt.expire}") private long expire; @Value("${jwt.authorised-urls}") private String[] authorisedUrls; @Bean public JwtHelper jwtHelperBean() { return new JwtHelper(secret, expire); } @Bean public FilterRegistrationBean basicFilterRegistrationBean() { FilterRegistrationBean registrationBean = new FilterRegistrationBean(); JwtFilter filter = new JwtFilter(jwtHelperBean(), authorisedUrls); registrationBean.setFilter(filter); ListurlPatterns = new ArrayList (); urlPatterns.add("/*"); registrationBean.setUrlPatterns(urlPatterns); return registrationBean; } }
在Controller中使用JWT
此处仅为说明jwt的用法,在实际应用时可以根据具体的业务需要加入不同的或者更多的参数,一并作为claims进行参数传递。
import java.util.HashMap; import java.util.Map; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import cn.com.yd.fis.client.jwt.JwtHelper; import cn.com.yd.fis.client.util.JsonResult; import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiParam; @RestController @RequestMapping("${api-url}/auth") public class AuthorizeController { @Autowired private JwtHelper jwtHelper; @PostMapping("/login") public Object login(String loginName,String password) throws Exception { Mapclaims = new HashMap (); claims.put("loginName", loginName); if ("1".equals(password)) { return JsonResult.success(jwtHelper.generateToken(claims)); } else { return JsonResult.fail("登录帐号或者登录密码错误"); } } }
辅助工具类JsonResult
import com.alibaba.fastjson.JSONObject; public class JsonResult { public static JSONObject success(Object obj) { JSONObject json = new JSONObject(); json.put("state", true); json.put("msg", "成功"); if (null != obj) { json.put("obj", obj); } return json; } public static JSONObject fail(Object obj) { JSONObject json = new JSONObject(); json.put("state", false); json.put("msg", "失败"); if (null != obj) { json.put("obj", obj); } return json; } public static JSONObject toJSONObject(boolean state, String msg, Object obj) { JSONObject json = new JSONObject(); json.put("state", state); json.put("msg", msg); if (null != obj) { json.put("obj", obj); } return json; } }
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持创新互联。