一、概述
用户身份验证主要有传统的Session认证和基于Token的认证
1.1 传统的Session认证
服务端根据用户的SessionID去Session中读取用户是否登陆的信息。
用户在登陆时向我们的服务器发送用户名和密码,通过验证后,服务器需要记录用户已经登陆的信息,以便用户继续请求其他接口时通过验证,用户已经登陆的信息是保存在服务器的Session中,随着登陆用户的增多,服务端的开销会明显增大,通常多台服务器的应用还需要做集群环境下的Session共享。
1.2 基于Token的认证
客户端每次请求时在请求头中带上Token信息,服务端不需要去保留用户的已登陆信息,不记录用户的登陆状态,轻便开销也小。
二、JWT
JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
2.1 JWT的原理
客户端在调用服务器的登录接口后,服务器在验证通过后,生成一个JSON对象,发回给客户端,就像下面这样。
{
"姓名": "admin",
"角色": "管理员",
"到期时间": "2020年4月15日0点0分"
}
客户端与服务端之后的通信,都要发回这个JSON对象,服务器端完全只靠这个对象来认定用户身份。为了防止用户篡改数据,服务器在生成这个对象的时候,会加上签名。服务器不保存任何Session数据,也就是说,服务器端是无状态的,从而比较容易实现扩展。
2.2 JWT消息构成
一个token由三部分组成,按顺序为:
- 头部(HEADER: ALGORITHM & TOKEN TYPE)
- 载荷(PAYLOAD:DATA)
- 签证(VERIFY SIGNATURE)
eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxMDEiLCJpYXQiOjE1ODY3NDc5NzEsImV4cCI6MTU4NzM1Mjc3MX0.UTiV4WQpPQdAmjvdqHLq6YUvRI_-3JpLInLFB5pIGR8
三、创建Spring Boot工程
四、修改POM文件
在pom.xml文件中添加jwt
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.0</version>
</dependency>
五、创建类
5.1 WebConfig类
package com.anron.config;
import com.anron.interceptor.AppInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
/**
* @Author: Anron
* @Date: 2020/4/13 15:44
*/
@Configuration
public class WebConfig implements WebMvcConfigurer {
Logger log = LoggerFactory.getLogger(this.getClass());
@Autowired
private AppInterceptor appInterceptor;
@Override
public void addInterceptors(InterceptorRegistry registry) {
log.info("addInterceptors---------------");
// 注册拦截器
InterceptorRegistration ir = registry.addInterceptor(appInterceptor);
// 配置拦截的路径
ir.addPathPatterns("/app/user/info");
// 配置不拦截的路径
ir.excludePathPatterns("/app/user/login");
}
}
5.2 BaseConstant类
package com.anron.constant;
/**
* @Author: Anron
* @Date: 2020/4/13 15:03
*/
public class BaseConstant {
/**
* 用户登陆ID
*/
public static final String LOGIN_USER_ID = "LOGIN_USER_ID";
/**
* 用户登陆TOKEN
*/
public static final String LOGIN_USER_TOKEN = "LOGIN_USER_TOKEN";
}
5.3 AppController类
package com.anron.controller;
import com.anron.dto.BaseDto;
import com.anron.service.IUserService;
import com.anron.util.WebControllerUtil;
import com.anron.vo.LoginVo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.validation.BindingResult;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* @Author: Anron
* @Date: 2020/4/13 14:00
*/
@RestController
@RequestMapping(value = "/app")
public class AppController {
Logger log = LoggerFactory.getLogger(this.getClass());
@Autowired
private IUserService userService;
@RequestMapping(value = "/user/login", method = {RequestMethod.POST, RequestMethod.GET}, produces = "application/json;charset=UTF-8")
public BaseDto login(@RequestBody @Validated LoginVo vo, BindingResult bindingResult, HttpServletRequest request, HttpServletResponse response) {
log.info("---login start---vo:{}", vo.toString());
WebControllerUtil.buildErrorMsg(bindingResult, request);
return userService.loginFromApp(vo, response);
}
@RequestMapping(value = "/user/info", method = {RequestMethod.POST, RequestMethod.GET}, produces = "application/json;charset=UTF-8")
public BaseDto info(HttpServletRequest request, HttpServletResponse response) {
log.info("---info start---");
return new BaseDto();
}
}
5.4 BaseDto类
package com.anron.dto;
import java.io.Serializable;
/**
* @Author: Anron
* @Date: 2020/4/13 14:02
*/
public class BaseDto implements Serializable {
private static final long serialVersionUID = 5773283302091208323L;
private int code;
private String message;
public int getCode() {
return code;
}
public void setCode(int code) {
this.code = code;
}
public String getMessage() {
return message;
}
public void setMessage(String message) {
this.message = message;
}
public BaseDto() {
this.code = 0;
this.message = "OK";
}
public BaseDto(int code, String message) {
this.code = code;
this.message = message;
}
public BaseDto(boolean success, String message) {
if (success) {
this.code = 0;
}else {
this.code = 500;
}
this.message = message;
}
}
5.5 LocaleEnum类
package com.anron.enums;
/**
* @Author: Anron
* @Date: 2020/4/13 15:01
*/
public enum LocaleEnum {
USER_NOT_LOGIN(1000, "USER_NOT_LOGIN"),
USER_PASSWORD_WRONG(1001, "USER_PASSWORD_WRONG"),
ERROR_INTERNAL_SERVER(1002, "ERROR_INTERNAL_SERVER");
private int value;
private String reason;
public int getValue() {
return value;
}
public void setValue(int value) {
this.value = value;
}
public String getReason() {
return reason;
}
public void setReason(String reason) {
this.reason = reason;
}
private LocaleEnum(int value, String reason) {
this.value = value;
this.reason = reason;
}
}
5.6 BusinessException类
package com.anron.exception;
/**
* @Author: Anron
* @Date: 2020/4/13 14:28
*/
public class BusinessException extends RuntimeException {
private int code;
private String message;
public int getCode() {
return code;
}
public void setCode(int code) {
this.code = code;
}
@Override
public String getMessage() {
return message;
}
public void setMessage(String message) {
this.message = message;
}
public BusinessException(String message){
super();
this.code = 500;
this.message = message;
}
}
5.7 GlobalExceptionHandler类
package com.anron.exception;
import com.anron.dto.BaseDto;
import com.anron.enums.LocaleEnum;
import com.anron.util.LanguageUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
/**
* @Author: Anron
* @Date: 2020/4/13 14:39
*/
@ControllerAdvice
public class GlobalExceptionHandler {
Logger log = LoggerFactory.getLogger(this.getClass());
@ExceptionHandler(BusinessException.class)
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ResponseBody
public BaseDto handleException(BusinessException e) {
log.error("业务异常: {}", e.getMessage());
return new BaseDto(e.getCode(), e.getMessage());
}
@ExceptionHandler(Exception.class)
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ResponseBody
public BaseDto handleException(Exception e) {
log.error("异常: {}", e.getMessage());
e.printStackTrace();
return new BaseDto(500, LanguageUtil.getStr(LocaleEnum.ERROR_INTERNAL_SERVER.name()));
}
}
5.8 AppInterceptor类
package com.anron.interceptor;
import com.anron.constant.BaseConstant;
import com.anron.enums.LocaleEnum;
import com.anron.exception.BusinessException;
import com.anron.util.JwtUtil;
import com.anron.util.LanguageUtil;
import io.jsonwebtoken.Claims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* @Author: Anron
* @Date: 2020/4/13 14:54
*/
@Service
public class AppInterceptor implements HandlerInterceptor {
Logger log = LoggerFactory.getLogger(this.getClass());
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object obj) throws Exception {
log.info("preHandle-------------------");
//支持跨域访问设置
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET,POST");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with,content-type");
String strToken = request.getHeader(HttpHeaders.AUTHORIZATION);
if (StringUtils.isEmpty(strToken)) {
throw new BusinessException(LanguageUtil.getStr(LocaleEnum.USER_NOT_LOGIN.name()));
}
Claims claims = JwtUtil.getTokenBody(strToken);
String userToken = claims.toString();
Integer userID = Integer.getInteger(claims.getId());
log.info("token: {}", claims.toString());
log.info("token2: IssuedAt={}, Expiration={}, NotBefore={}, userId={}, userName={}", claims.getIssuedAt(),
claims.getExpiration(),
claims.getNotBefore(),
claims.getId(),
claims.getSubject());
//用户是否被禁用,查redis
//保存用户登录的信息
request.setAttribute(BaseConstant.LOGIN_USER_ID, userID);
request.setAttribute(BaseConstant.LOGIN_USER_TOKEN, userToken);
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
log.info("postHandle-------------------");
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception {
log.info("afterCompletion-------------------");
}
}
5.9 UserServiceImpl类
package com.anron.service.impl;
import com.anron.dto.BaseDto;
import com.anron.enums.LocaleEnum;
import com.anron.service.IUserService;
import com.anron.util.JwtUtil;
import com.anron.util.LanguageUtil;
import com.anron.vo.LoginVo;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Service;
import javax.servlet.http.HttpServletResponse;
/**
* @Author: Anron
* @Date: 2020/4/13 14:05
*/
@Service
public class UserServiceImpl implements IUserService {
@Override
public BaseDto loginFromApp(LoginVo vo, HttpServletResponse response) {
String userName = "admin";
String password = "123456";
Integer userId = 1001;
if (userName.equals(vo.getName()) && password.equals(vo.getPassword())) {
String token = JwtUtil.createJwtToken(userId, userName, JwtUtil.JWT_EXPIRATION);
response.setHeader(HttpHeaders.AUTHORIZATION, token);
return new BaseDto();
} else {
return new BaseDto(false, LanguageUtil.getStr(LocaleEnum.USER_PASSWORD_WRONG.name()));
}
}
@Override
public BaseDto loginFromThirdpart(LoginVo vo) {
return null;
}
}
5.10 IUserService类
package com.anron.service;
import com.anron.dto.BaseDto;
import com.anron.vo.LoginVo;
import javax.servlet.http.HttpServletResponse;
/**
* @Author: Anron
* @Date: 2020/4/13 14:01
*/
public interface IUserService {
/**
* APP登录
* @param vo
* @param response
* @return
*/
BaseDto loginFromApp(LoginVo vo, HttpServletResponse response);
/**
* 第三方登录
* @param vo
* @return
*/
BaseDto loginFromThirdpart(LoginVo vo);
}
5.11 JwtUtil类
package com.anron.util;
import com.anron.exception.BusinessException;
import io.jsonwebtoken.*;
import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.http.HttpHeaders;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import java.util.Date;
/**
* @Author: Anron
* @Date: 2020/4/13 14:07
*/
public class JwtUtil {
private static final String SECRET = "anron_jwt_token";
/**
* 7天过期
*/
public static final long JWT_EXPIRATION = (long) 7 * 24 * 60 * 60000;
/**
* 测试环境30分钟过期
*/
public static final long JWT_EXPIRATION_TEST = (long) 30 * 60000;
/**
* 由字符串生成加密key
*/
public static SecretKey generalKey() {
String stringKey = JwtUtil.SECRET;
byte[] encodedKey = Base64.decodeBase64(stringKey);
SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
return key;
}
/**
* Issuer: 签发者
* iat(IssuedAt): 在什么时候签发的
* exp(Expiration): 什么时候过期
* id: 可以放userId
* subject: 可以放用户名或其他信息
*/
public static String createJwtToken(Integer userId, long ttlMillis) {
long nowMillis = System.currentTimeMillis();
long expMillis = nowMillis + ttlMillis;
return Jwts.builder()
.signWith(SignatureAlgorithm.HS256, generalKey())
.setId(userId.toString())
.setIssuedAt(new Date())
.setExpiration(new Date(expMillis))
.compact();
}
public static String createJwtToken(Integer userId, String userNameOrMobile, long ttlMillis) {
long nowMillis = System.currentTimeMillis();
long expMillis = nowMillis + ttlMillis;
return Jwts.builder()
.signWith(SignatureAlgorithm.HS256, generalKey())
.setId(userId.toString())
.setSubject(userNameOrMobile)
.setIssuedAt(new Date())
.setExpiration(new Date(expMillis))
.compact();
}
public static Claims getTokenBody(String jwtToken){
try{
SecretKey jewKey = generalKey();
return Jwts.parser()
.setSigningKey(jewKey)
.parseClaimsJws(jwtToken)
.getBody();
} catch (ExpiredJwtException expired){
throw new BusinessException("Token已过期");
}catch (SignatureException e){
throw new BusinessException("Token签名无效");
}catch(MalformedJwtException malformedJwt){
//"."切分JWT的数量错误或者载荷为空
throw new BusinessException("Token信息异常");
}
}
public static Integer getUserId(HttpServletRequest request) {
String jwtToken = request.getHeader(HttpHeaders.AUTHORIZATION);
Claims claims = getTokenBody(jwtToken);
return Integer.getInteger(claims.getId());
}
public static String getSubject(HttpServletRequest request) {
String jwtToken = request.getHeader(HttpHeaders.AUTHORIZATION);
Claims claims = getTokenBody(jwtToken);
return claims.getSubject();
}
}
5.12 LanguageUtil类
package com.anron.util;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.util.Locale;
import java.util.ResourceBundle;
/**
* @Author: Anron
* @Date: 2020/4/13 14:59
*/
public class LanguageUtil {
public static String getStr(String key) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
String language = request.getHeader("Accept-Language");
Locale locale = null;
if (StringUtils.hasLength(language)) {
if ("en".equals(language.substring(0, 2))) {
locale = new Locale("en");
} else if ("zh-TW".equals(language.substring(0, 5))) {
locale = new Locale("zh", "TW");
}
}
if (locale == null) {
locale = new Locale("");
}
ResourceBundle rb = ResourceBundle.getBundle("message", locale);
String value = rb.getString(key);
String rstr = key + " do not exist";
if (StringUtils.hasLength(value)) {
return value;
}
return rstr;
}
}
5.13 WebControllerUtil类
package com.anron.util;
import com.anron.exception.BusinessException;
import org.springframework.validation.BindingResult;
import org.springframework.validation.ObjectError;
import javax.servlet.http.HttpServletRequest;
/**
* @Author: Anron
* @Date: 2020/4/13 14:31
*/
public class WebControllerUtil {
public static void buildErrorMsg(BindingResult bindingResult, HttpServletRequest request) {
if (bindingResult.hasErrors()) {
String errorMsg = "";
for (ObjectError error : bindingResult.getAllErrors()) {
errorMsg += error.getDefaultMessage() + ",";
}
throw new BusinessException(errorMsg.substring(0, errorMsg.length() - 1));
}
}
}
5.14 LoginVo类
package com.anron.vo;
import javax.validation.constraints.NotBlank;
import java.io.Serializable;
/**
* @Author: Anron
* @Date: 2020/4/13 13:53
*/
public class LoginVo implements Serializable {
private static final long serialVersionUID = 2579858261187348360L;
@NotBlank(message="账号不能为空")
private String name;
@NotBlank(message="密码不能为空")
private String password;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
@Override
public String toString() {
return "LoginVo{" +
"name='" + name + '\'' +
", password='" + password + '\'' +
'}';
}
}
六、创建资源文件
6.1 message.properties
USER_NOT_LOGIN=您没有登陆,请登陆后访问
USER_PASSWORD_WRONG=错误的用户名或密码
ERROR_INTERNAL_SERVER=服务器内部错误
6.2 message_en.properties
USER_NOT_LOGIN=you have not logined
USER_PASSWORD_WRONG=wrong username or password
ERROR_INTERNAL_SERVER=Internal Server Error
6.3 message_zh_TW.properties
USER_NOT_LOGIN=您沒有登陸,請登陸后訪問
USER_PASSWORD_WRONG=錯誤的用戶名或密碼
ERROR_INTERNAL_SERVER=服務器内部錯誤
七、项目代码结构
项目代码结构如下图:
八、总结
通过拦截器的配置,调用/app/user/info接口时,客户端需要在HTTP的Header中传输Authorization,Authorization的取值为/app/user/login接口登录成功后服务器端返回给客户端的。