新项目用到了JWT做URL验证,正好记录下:
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Date;
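/**
 * Static helpers for issuing and checking HMAC-SHA256 (HS256) signed JWTs that carry a
 * {@code username} claim.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The signing key is whatever string is passed as {@code secret}. An HS256 token can be
 *       checked offline against guessed keys, so a short or human-chosen value (for example a
 *       user's password) weakens every token signed with it. Prefer a long, random,
 *       server-side key.</li>
 *   <li>Issued tokens stay valid for {@code EXPIRE_TIME} (30 days) and nothing in this class
 *       can revoke them. If early invalidation is needed, it has to be enforced elsewhere.</li>
 *   <li>{@link #getUsername(String)} does not check the signature; see its documentation.</li>
 * </ul>
 */
public class JwtUtil {

    /**
     * Token lifetime in milliseconds: 30 days.
     * (Same value as the earlier {@code 5L * 60 * 1000 * 12 * 24 * 30}, written so the unit is readable.)
     */
    private static final long EXPIRE_TIME = 30L * 24 * 60 * 60 * 1000;

    /**
     * Checks that a token is correctly signed and carries the expected username.
     *
     * @param token    the JWT to check
     * @param username the value the token's {@code username} claim must equal
     * @param secret   the HMAC key the token is expected to have been signed with
     * @return {@code true} only if verification succeeds; {@code false} for any missing
     *         argument or any verification failure
     */
    public static boolean verify(String token, String username, String secret) {
        // Fail closed on missing inputs. In particular, a null expected username must never be
        // allowed to weaken the claim check (how the library treats a null expected value is
        // version-dependent; confirm against the version in use).
        if (token == null || username == null || secret == null) {
            return false;
        }
        try {
            // Build a verifier bound to the key and to the expected username claim.
            Algorithm algorithm = Algorithm.HMAC256(secret);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withClaim("username", username)
                    .build();
            // Throws if the signature, the claim or the expiry check fails.
            verifier.verify(token);
            return true;
        } catch (Exception exception) {
            // Deliberately broad: every failure, whatever its cause, means "not verified".
            return false;
        }
    }

    /**
     * Reads the {@code username} claim from a token WITHOUT verifying its signature.
     *
     * <p>The payload of a JWT is only encoded, not encrypted, so this works without the secret.
     * It also means the returned value is attacker-controllable. Use it only to look up which
     * user the token claims to be, and make no authorization decision until
     * {@link #verify(String, String, String)} has succeeded for that user.
     *
     * @param token the JWT to read
     * @return the username claim, or {@code null} if the token is missing or cannot be decoded
     */
    public static String getUsername(String token) {
        // Guard explicitly so a missing token yields null regardless of how the library
        // version in use reports a null input.
        if (token == null) {
            return null;
        }
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("username").asString();
        } catch (JWTDecodeException e) {
            return null;
        }
    }

    /**
     * Issues a signed token that expires {@code EXPIRE_TIME} (30 days) from now.
     *
     * @param username the value stored in the token's {@code username} claim
     * @param secret   the HMAC key used to sign the token
     * @return the signed token; it is signed, not encrypted, so its claims are readable by anyone
     */
    public static String sign(String username, String secret) {
        Date expiresAt = new Date(System.currentTimeMillis() + EXPIRE_TIME);
        Algorithm algorithm = Algorithm.HMAC256(secret);
        // Carry the username in the payload and bound the lifetime with an exp claim.
        return JWT.create()
                .withClaim("username", username)
                .withExpiresAt(expiresAt)
                .sign(algorithm);
    }
}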
测试方法:
/**
 * Manual smoke test for {@code JwtUtil}: prints a freshly signed token, or checks a
 * previously printed one.
 *
 * <p>The username and secret below are throwaway demo values. A real deployment should load a
 * long random signing key from configuration rather than hard-coding a short string.
 */
public class Demo {

    public static void main(String[] args) {
        // Swap which call is active to verify a token instead of issuing one.
        getToken();
        // verifyToken();
    }

    /** Signs a token for the demo user and prints it to stdout. */
    public static void getToken() {
        System.out.println(JwtUtil.sign("yhy", "1234567"));
    }

    /**
     * Verifies a hard-coded sample token against the demo user and secret and prints the outcome.
     *
     * <p>The sample carries a fixed {@code exp} claim, so once that instant has passed the
     * check reports failure. Paste in a token printed by {@link #getToken()} to see a success.
     */
    public static void verifyToken() {
        String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NzQyMzI4NDMsInVzZXJuYW1lIjoieWh5In0.JFQhY4huACyD-cMRPo9rr3JD3rIEtevExH6SG3FDYI8";
        boolean accepted = JwtUtil.verify(token, "yhy", "1234567");
        System.out.println(accepted ? "通过" : "不通过");
    }
}
实际使用通过配置拦截器拦截,当然还有其他方法的,这里暂时使用配置拦截器拦截
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
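/**
 * Spring MVC interceptor that admits a request only when its {@code token} header is known to
 * the Redis-backed token store.
 *
 * <p>What this check covers: presence of the header value as a key in Redis, nothing more.
 * It does not verify a JWT signature or expiry itself, so the lifetime of a session is whatever
 * the Redis entry's lifetime is. NOTE(review): presumably entries are written at login with a
 * TTL; confirm, otherwise tokens never age out here.
 */
@Component
@SuppressWarnings("all")
public class AuthorityInterceptor extends HandlerInterceptorAdapter {

    @Autowired
    private RedisUtil redisUtil;

    /**
     * Gates every intercepted request on {@link #verify(HttpServletRequest)}.
     *
     * <p>Previously this returned {@code true} unconditionally with the check commented out,
     * which let every request through. The check is now enforced.
     *
     * @return {@code true} to continue the handler chain; {@code false} to stop it
     * @throws SeedException if a token is supplied but is not present in the token store
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        if (verify(request)) {
            return true;
        }
        // Returning false alone stops the chain but leaves the default status in place,
        // so mark the response as unauthenticated explicitly.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    /**
     * Checks the request's {@code token} header against the token store.
     *
     * @param request the incoming request
     * @return {@code false} if the header is absent or empty; {@code true} if the token is found
     * @throws SeedException if the token is not found in Redis
     */
    private boolean verify(HttpServletRequest request) {
        String token = request.getHeader("token");
        if (token == null || token.isEmpty()) {
            return false;
        }
        // Look the token up in Redis; an unknown token is rejected with an exception.
        Object stored = redisUtil.get(token);
        if (stored == null) {
            throw new SeedException("权限不足");
        }
        return true;
    }
}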