菜鸟のJWT理解
初学菜鸟做复习,参考需谨慎QAQ
这个东西主要是为了生成token。
分三部分组成header,payload,signature
{
“alg”:“HS256” //签名算法
“typ”:“JWT” //令牌类型
}~(把它当作一个中间的点QAQ)
{
“name”:"#%#%$$" //你要存的数据(最好不要放密码)
}~
{
header和payload的Base64编码与一个密钥key(你自己写的)进行签名算法生成一串字符串就是signature(不能逆向解密key)
}
token就是header和payload的Base64编码加signature。
后端对JWT的使用(配合shiro)
package com.zyf.springcloud.utils;
import java.util.Calendar;
import java.util.Date;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator.Builder;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
public class JwtUtils {
// 过期时间5分钟
private static final long EXPIRE_TIME = 5 * 60 * 1000;
// 私钥
public static final String SECRET = "SECRET_VALUE";
// 请求头
public static final String AUTH_HEADER = "X-Authorization-With";
/**
* 验证token是否正确
*/
public static boolean verify(String token, String username, String secret) {
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
JWTVerifier verifier = JWT.require(algorithm).withClaim("username", username).build();
verifier.verify(token);
return true;
} catch (JWTVerificationException exception) {
return false;
}
}
/**
* 获得token中的自定义信息,无需secret解密也能获得
*/
public static String getClaimFiled(String token, String filed) {
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getClaim(filed).asString();
} catch (JWTDecodeException e) {
return null;
}
}
/**
* 生成签名
*/
public static String sign(String username, String secret) {
try {
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(secret);
// 附带username,nickname信息
return JWT.create().withClaim("username", username).withExpiresAt(date).sign(algorithm);
} catch (JWTCreationException e) {
return null;
}
}
/**
* 获取 token的签发时间
*/
public static Date getIssuedAt(String token) {
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getIssuedAt();
} catch (JWTDecodeException e) {
return null;
}
}
/**
* 验证 token是否过期
*/
public static boolean isTokenExpired(String token) {
Date now = Calendar.getInstance().getTime();
DecodedJWT jwt = JWT.decode(token);
return jwt.getExpiresAt().before(now);
}
/**
* 刷新 token的过期时间
*/
public static String refreshTokenExpired(String token, String secret) {
DecodedJWT jwt = JWT.decode(token);
Map<String, Claim> claims = jwt.getClaims();
try {
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(secret);
Builder builer = JWT.create().withExpiresAt(date);
for (Entry<String, Claim> entry : claims.entrySet()) {
builer.withClaim(entry.getKey(), entry.getValue().asString());
}
return builer.sign(algorithm);
} catch (JWTCreationException e) {
return null;
}
}
/**
* 生成16位随机盐
*/
public static String generateSalt() {
SecureRandomNumberGenerator secureRandom = new SecureRandomNumberGenerator();
String hex = secureRandom.nextBytes(16).toHex();
return hex;
}
}
对于JWTFilter(由于 结合shiro,配合进行拦截验证)
package com.zyf.springcloud.config.filter;
import java.io.PrintWriter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.zyf.springcloud.utils.JwtToken;
import com.zyf.springcloud.utils.JwtUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
/**
* 自定义的认证过滤器,用来拦截Header中携带 JWT token的请求
*/
public class JwtFilter extends BasicHttpAuthenticationFilter {
private Logger log = LoggerFactory.getLogger(this.getClass());
/**
* 前置处理
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
// 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
/**
* 后置处理
*/
@Override
protected void postHandle(ServletRequest request, ServletResponse response) {
// 添加跨域支持
this.fillCorsHeader(WebUtils.toHttp(request), WebUtils.toHttp(response));
}
/**
* 过滤器拦截请求的入口方法
* 返回 true 则允许访问
* 返回false 则禁止访问,会进入 onAccessDenied()
*/
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
// 原用来判断是否是登录请求,在本例中不会拦截登录请求,用来检测Header中是否包含 JWT token 字段
if (this.isLoginRequest(request, response))
return false;
boolean allowed = false;
try {
// 检测Header里的 JWT token内容是否正确,尝试使用 token进行登录
allowed = executeLogin(request, response);
} catch (IllegalStateException e) { // not found any token
log.error("Not found any token");
} catch (Exception e) {
log.error("Error occurs when login", e);
}
return allowed || super.isPermissive(mappedValue);
}
/**
* 检测Header中是否包含 JWT token 字段
*/
@Override
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
return ((HttpServletRequest) request).getHeader(JwtUtils.AUTH_HEADER) == null;
}
/**
* 身份验证,检查 JWT token 是否合法
*/
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
AuthenticationToken token = createToken(request, response);
if (token == null) {
String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken "
+ "must be created in order to execute a login attempt.";
throw new IllegalStateException(msg);
}
try {
Subject subject = getSubject(request, response);
subject.login(token); // 交给 Shiro 去进行登录验证
return onLoginSuccess(token, subject, request, response);
} catch (AuthenticationException e) {
return onLoginFailure(token, e, request, response);
}
}
/**
* 从 Header 里提取 JWT token
*/
@Override
protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
String authorization = httpServletRequest.getHeader(JwtUtils.AUTH_HEADER);
JwtToken token = new JwtToken(authorization);
return token;
}
/**
* isAccessAllowed()方法返回false,会进入该方法,表示拒绝访问
*/
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
HttpServletResponse httpResponse = WebUtils.toHttp(servletResponse);
httpResponse.setCharacterEncoding("UTF-8");
httpResponse.setContentType("application/json;charset=UTF-8");
httpResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
PrintWriter writer = httpResponse.getWriter();
writer.write("{\"errCode\": 401, \"msg\": \"UNAUTHORIZED\"}");
fillCorsHeader(WebUtils.toHttp(servletRequest), httpResponse);
return false;
}
/**
* Shiro 利用 JWT token 登录成功,会进入该方法
*/
@Override
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,
ServletResponse response) throws Exception {
HttpServletResponse httpResponse = WebUtils.toHttp(response);
String newToken = null;
if (token instanceof JwtToken) {
newToken = JwtUtils.refreshTokenExpired(token.getCredentials().toString(), JwtUtils.SECRET);
}
if (newToken != null)
httpResponse.setHeader(JwtUtils.AUTH_HEADER, newToken);
return true;
}
/**
* Shiro 利用 JWT token 登录失败,会进入该方法
*/
@Override
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request,
ServletResponse response) {
// 此处直接返回 false ,交给后面的 onAccessDenied()方法进行处理
return false;
}
/**
* 添加跨域支持
*/
protected void fillCorsHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,HEAD");
httpServletResponse.setHeader("Access-Control-Allow-Headers",
httpServletRequest.getHeader("Access-Control-Request-Headers"));
}
}