JWT学习
一、什么是JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. --[摘自官网]
# 1.官方解释
-官网地址:https://jwt.io/introduction/
-翻译:JSON Web令牌(JWT)是一个开放标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间作为JSON对象安全地传输信息。由于此信息是经过数字签名的,因此可以被验证和信任。可以使用秘密(使用HMAC算法)或使用RSA或ECDSA的公用/专用密钥对对JWT进行签名。
# 2.通俗解释
-JWT简称JSON Web Token,也就是通过JSON形式作为Web应用中的令牌,用于各方之间安全地将信息作为JSON对象传输,在数据传输的过程中还可以完成数据加密、签名等相关处理。
二、JWT能做什么
# 1.授权
-这是使用JWT的最常见方案。一旦用户登录,每个后续请求将包括JWT,从而允许用户访问该令牌允许的路由,服务和资源。单点登录是今广泛使用JWT的一项功能。因为它的开销很小并且可以在不同的域中轻松使用
# 2.信息交换
JSON Web Token是在各方之间安全地传输信息的好方法。因为可以对JWT进行签名(例如,使用公钥/私钥对),所以您可以确保发件人是他们所说的人。此外,由于签名是使用标头和有效负载计算的,因此您还可以验证内容是否遭到篡改。
三、JWT和传统Session的区别
四、JWT的构成和认证流程
五、JWT的优缺点
六、在SpringBoot中使用JWT
6.1、引入依赖
<!--JWT的依赖-->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.4.0</version>
</dependency>
6.2、生成Token
//获取日历对象
Calendar calendar=Calendar.getInstance();
//给calendar对象时间增加90秒
calendar.add(Calendar.SECOND, 90);
//生成令牌
String token = JWT.create()
.withClaim("username", "刘一手") //设置自定义用户名
//.withHeader();设置头部参数是map
.withExpiresAt(calendar.getTime()) //设置过期时间
.sign(Algorithm.HMAC256("LIUYISHOU@Token666"));//设置签名,盐值需保密且复杂
//输出令牌
System.out.println("token = " + token);
--token生成结果:
token = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTkzODM2NzIsInVzZXJuYW1lIjoi5YiY5LiA5omLIn0.nwh692qE-giG6wTHKdGQhUZG7NukZwOaMSWY82HmW8k
6.3、根据令牌和签名解析数据
//创建验证对象(根据刚刚输入的盐值生成)
JWTVerifier jwtVerifier = JWT.require(Algorithm.HMAC256("LIUYISHOU@Token666")).build();
//验证字符串
DecodedJWT verify = jwtVerifier.verify("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTkzODQyNDUsInVzZXJuYW1lIjoi5YiY5LiA5omLIn0.tvUBEmExSb4QE-H8ACJPShB56Ot6yAUJSgTBtRThV48");
//获取验证之后的数据
String header = verify.getHeader();
System.out.println("header = " + header);
String payload = verify.getPayload();
System.out.println("payload = " + payload);
String signature = verify.getSignature();
System.out.println("signature = " + signature);
String username = verify.getClaim("username").asString();
System.out.println("username = " + username);
String token = verify.getToken();
System.out.println("token = " + token);
String algorithm = verify.getAlgorithm();
System.out.println("algorithm = " + algorithm);
--打印结果:
header = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
payload = eyJleHAiOjE1OTkzODQyNDUsInVzZXJuYW1lIjoi5YiY5LiA5omLIn0
signature = tvUBEmExSb4QE-H8ACJPShB56Ot6yAUJSgTBtRThV48
username = 刘一手
token = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTkzODQyNDUsInVzZXJuYW1lIjoi5YiY5LiA5omLIn0.tvUBEmExSb4QE-H8ACJPShB56Ot6yAUJSgTBtRThV48
algorithm = HS256
注意签名的失效时间,如果过了设置的时间,签名无效:
6.4、JWT工具类封装
package com.lxf.utils;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Calendar;
import java.util.Map;
public class JWTUtils {
/**
* 盐值
*/
private static final String SING="LIUYISHOU@Token666";
/**
* 生成令牌
* @param map payload载荷声明参数
* @return
*/
public static String getToken(Map<String,String> map){
//获取日历对象
Calendar calendar=Calendar.getInstance();
//默认7天过期
calendar.add(Calendar.DATE, 7);
//新建一个JWT的Builder对象
JWTCreator.Builder builder = JWT.create();
//将map集合中的数据设置进payload
map.forEach((k,v)->{
builder.withClaim(k, v);
});
//设置过期时间和签名
String sign = builder.withExpiresAt(calendar.getTime()).sign(Algorithm.HMAC256(SING));
return sign;
}
/**
* 验签并返回DecodedJWT
* @param token 令牌
*/
public static DecodedJWT getTokenInfo(String token){
return JWT.require(Algorithm.HMAC256(SING)).build().verify(token);
}
}
七、整合SpringBoot
7.1、引入依赖
<!--JWT的依赖-->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.4.0</version>
</dependency>
<!--引入mybatis-->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.3</version>
</dependency>
<!--引入lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.12</version>
</dependency>
<!--引入druid-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.19</version>
</dependency>
<!--引入mysql-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.38</version>
</dependency>
7.2、配置文件配置:
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/jwt?useSSL=false&useUnicode=true&characterEncoding=utf8
spring.datasource.username=root
spring.datasource.password=root
mybatis.type-aliases-package=com.lxf.pojo
mybatis.mapper-locations=classpath:mapper/*.xml
logging.level.com.lxf.dao=debug
7.3、数据库新建库和表:
添加一个用户:
7.4、新建实体类
package com.lxf.pojo;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@AllArgsConstructor
@NoArgsConstructor
@Data
public class User {
private Integer id;
private String name;
private String password;
}
7.5、dao层
package com.lxf.dao;
import com.lxf.pojo.User;
import org.apache.ibatis.annotations.Mapper;
@Mapper
public interface UserDao {
/**
* 登录方法
* @param user
* @return
*/
User login(User user);
}
7.6、UserMapper.xml文件
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Config 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.lxf.dao.UserDao">
<select id="login" parameterType="User" resultType="User">
select id,name,password from user where name=#{name} and password=#{password}
</select>
</mapper>
7.7、service层
package com.lxf.Service;
import com.lxf.pojo.User;
import org.springframework.stereotype.Service;
@Service
public interface UserService {
/**
* 登录方法
* @param user
* @return
*/
User login(User user);
}
package com.lxf.Service.Impl;
import com.lxf.Service.UserService;
import com.lxf.dao.UserDao;
import com.lxf.pojo.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
@Service
@Transactional
public class UserServiceImpl implements UserService {
@Autowired
private UserDao userDao;
@Override
public User login(User user) {
//接受用户查询数据库
User userDB = userDao.login(user);
//查询到这个用户就返回,没有则抛出错误
if (userDB != null) {
return userDB;
}else{
throw new RuntimeException("登录失败!");
}
}
}
7.8、controller层
package com.lxf.controller;
import com.lxf.Service.UserService;
import com.lxf.pojo.User;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.HashMap;
import java.util.Map;
@RestController
@Slf4j
public class UserController {
@Autowired
private UserService userService;
@GetMapping("/user/login")
public Map<String,Object> login(User user){
log.info("用户名:[{}]",user.getName());
log.info("密码:[{}]",user.getPassword());
HashMap<String, Object> map = new HashMap<>();
try {
User login = userService.login(user);
map.put("state", true);
map.put("msg", "认证成功");
} catch (Exception e) {
map.put("state", false);
map.put("msg", e.getMessage());
}
return map;
}
}
7.9、测试
成功登录:
登录失败:
7.10、使用JWT
package com.lxf.controller;
import com.lxf.Service.UserService;
import com.lxf.pojo.User;
import com.lxf.utils.JWTUtils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.HashMap;
import java.util.Map;
@RestController
@Slf4j
public class UserController {
@Autowired
private UserService userService;
@Autowired
private JWTUtils jwtut;
@GetMapping("/user/login")
public Map<String,Object> login(User user){
log.info("用户名:[{}]",user.getName());
log.info("密码:[{}]",user.getPassword());
HashMap<String, Object> map = new HashMap<>();
try {
//登录用户
User userDB = userService.login(user);
//存储载荷声明参数map
HashMap<String, String> plMap = new HashMap<>();
plMap.put("name", userDB.getName());
//生成JWT令牌
String token = jwtut.getToken(plMap);
map.put("state", true);
map.put("msg", "认证成功");
map.put("token", token);
} catch (Exception e) {
map.put("state", false);
map.put("msg", e.getMessage());
}
return map;
}
}
测试: