JWT-based token verification
Integrating JWT into Spring Boot to implement token verification
- Import the JWT dependency
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<!-- java-jwt (com.auth0) is the library actually used by the code below -->
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.10.3</version>
</dependency>
<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
<!-- jjwt is listed here as well but nothing below uses it; java-jwt alone is enough -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
- Create a token utility class
// Issues and verifies tokens. The class wrapper, imports and the SING constant were
// missing from the original listing; SING is the page's name for the HMAC secret.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Calendar;
import java.util.Map;

public class JWTUtils {
    // HMAC secret used both to sign and to verify. Placeholder value for illustration:
    // load it from configuration or a secret store, never commit it, and make it long
    // and random (32+ bytes for HS256), because anyone who knows it can forge tokens.
    private static final String SING = "change-me-to-a-long-random-secret";

    // Build a token whose payload carries the entries of map, valid for 7 days
    public static String getToken(Map<String, String> map) {
        Calendar instance = Calendar.getInstance(); // current date
        instance.add(Calendar.DATE, 7);             // token expiry time
        JWTCreator.Builder builder = JWT.create();  // create a JWT builder
        // Put the map entries into the token payload. Claims are signed, not encrypted:
        // anyone holding the token can read them, so never put passwords or secrets here.
        map.forEach((k, v) -> {
            builder.withClaim(k, v);
        });
        // Add the expiry time, sign with the secret and produce the token
        String token = builder.withExpiresAt(instance.getTime())
                .sign(Algorithm.HMAC256(SING));
        return token;
    }

    // Verify signature, algorithm and expiry and return the decoded token; throws
    // JWTVerificationException (or one of its subclasses) if any check fails
    public static DecodedJWT verify(String token) {
        return JWT.require(Algorithm.HMAC256(SING)).build().verify(token);
    }
}
- Add a JWT interceptor
// The token is sent to the backend in an HTTP header (here a header named "token")
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;

public class JWTInterceptor implements HandlerInterceptor {
    // Verify the token before the handler runs
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Map<String, Object> map = new HashMap<>();
        String token = request.getHeader("token");
        if (token == null || token.isEmpty()) {
            // verify(null) fails inside the library with an unhelpful error; reject it explicitly
            map.put("msg", "token missing");
        } else {
            try {
                JWTUtils.verify(token);
                return true;
            } catch (SignatureVerificationException e) {
                map.put("msg", "token signature invalid");
            } catch (TokenExpiredException e) {
                map.put("msg", "token expired");
            } catch (AlgorithmMismatchException e) {
                map.put("msg", "token algorithm mismatch");
            } catch (JWTVerificationException e) {
                // any other verification or decoding failure (malformed token, missing claim, ...)
                map.put("msg", "invalid token");
            }
        }
        map.put("state", false);
        String json = new ObjectMapper().writeValueAsString(map);
        // Answer 401 rather than 200 so clients can tell a rejected token from a successful call
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(json);
        return false;
    }
}
- Register the interceptor in the Spring Boot configuration
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class InterceptorConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new JWTInterceptor())
                .addPathPatterns("/**")         // intercept every endpoint
                .excludePathPatterns("/xx/**"); // let everything under /xx through without a token (e.g. login)
    }
}
- Then issue and read the token in your own implementation classes.
Example: the login endpoint needs no token check. After a successful login the backend returns a token to the browser; every subsequent request carries that token in an HTTP header, and the backend performs the requested operation only after the token verifies.
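The flow just described, as an added example that is not part of the original page: a login endpoint that issues the token with JWTUtils.getToken and a protected endpoint that reads the verified claims. The in-memory user store, the /user/login and /user/me paths, the request and response shapes, and the package names are assumptions made for this example; it also assumes that "/user/login" is the path excluded in the interceptor configuration (in place of the page's "/xx/**" placeholder) and a Spring Boot 2.x (javax.servlet) project.

```java
package com.example.demo.controller;

import com.auth0.jwt.interfaces.DecodedJWT;
import com.example.demo.util.JWTUtils; // the JWTUtils class defined above (package name assumed)
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;

// Added example, not the page's own code. /user/login must be excluded from the
// JWTInterceptor; /user/me is protected by it.
@RestController
@RequestMapping("/user")
public class UserController {

    // Constructed in-memory user store for this example only. A real service looks the
    // user up in a database and compares a salted password hash (e.g. BCrypt), never
    // plaintext passwords.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "alice-password");
        USERS.put("bob", "bob-password");
    }

    // Login: no token required, returns a freshly signed token on success
    @PostMapping("/login")
    public ResponseEntity<Map<String, Object>> login(@RequestBody Map<String, String> body) {
        String username = body.get("username");
        String password = body.get("password");
        Map<String, Object> result = new HashMap<>();

        if (username == null || password == null || !password.equals(USERS.get(username))) {
            // Same message for unknown user and wrong password, so the response does not
            // reveal which usernames exist
            result.put("state", false);
            result.put("msg", "invalid username or password");
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(result);
        }

        // Only non-sensitive identifying data goes into the payload: it is signed, not
        // encrypted, so anyone holding the token can read it
        Map<String, String> claims = new HashMap<>();
        claims.put("username", username);
        result.put("state", true);
        result.put("token", JWTUtils.getToken(claims));
        return ResponseEntity.ok(result);
    }

    // Protected endpoint: the interceptor has already rejected missing, tampered and
    // expired tokens before this runs. Verify again (a cheap HMAC check) instead of
    // JWT.decode(), so claims are never read from a token whose signature was not checked
    // on this code path.
    @GetMapping("/me")
    public Map<String, Object> me(HttpServletRequest request) {
        DecodedJWT jwt = JWTUtils.verify(request.getHeader("token"));
        Map<String, Object> result = new HashMap<>();
        result.put("username", jwt.getClaim("username").asString());
        result.put("expiresAt", jwt.getExpiresAt());
        return result;
    }
}
```

To exercise it, POST a JSON body such as {"username":"alice","password":"alice-password"} to /user/login, copy the token from the response, and call /user/me with a request header token: <that value>; calling /user/me with no header, a modified token, or one older than seven days is answered by the interceptor with a 401 and the matching msg.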