前言
最近开发小程序后端时,需要对接口进行安全性防护,第一步就是考虑使用token。JWT很好地规范了服务端token的校验规则。如果对JWT不了解,请看:https://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html
下面是我做的小程序springboot集成jwt的案例,只做了简单操作。
1.导入依赖
<!-- NOTE(review): 0.9.1 belongs to the legacy single-artifact jjwt line. Later jjwt releases are
     split into jjwt-api / jjwt-impl / jjwt-jackson and replace the Base64-string signing calls
     used by JwtUtil with key objects, so an upgrade also means changing that class. Check this
     pinned version against current advisories before shipping. -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
2.编写jwt工具类(解析、生成jwt)
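/**
 * Static helpers that issue and verify the HS256-signed JWTs used by the API.
 *
 * <p>Both directions use {@code WxStaticData.jwtSecret}. The {@code String} overloads of
 * {@code signWith} and {@code setSigningKey} in this jjwt version interpret that value as
 * Base64-encoded key bytes.
 *
 * <p>NOTE(review): {@code WxStaticData} is not shown here. Confirm the secret decodes to at
 * least 256 bits of random data and is loaded from configuration, not committed to source.
 */
@Slf4j
public class JwtUtil {
    /**
     * Token lifetime in milliseconds. The expression evaluates to 12 hours, not one day as the
     * original comment stated. A value {@code <= 0} makes {@link #generateToken} issue tokens
     * without an expiry claim, i.e. tokens that never expire.
     */
    public static long ttl = 1 * 12 * 3600 * 1000;

    /**
     * Builds a signed, compact JWT for the given subject.
     *
     * @param subject value stored in the {@code sub} claim
     * @return the compact serialized token
     */
    public static String generateToken(String subject) {
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);
        JwtBuilder jwt = Jwts.builder()
                .setSubject(subject)
                .setIssuedAt(now)
                .signWith(SignatureAlgorithm.HS256, WxStaticData.jwtSecret);
        if (ttl > 0) {
            // Only tokens with a positive ttl carry an "exp" claim.
            jwt.setExpiration(new Date(nowMillis + ttl));
        }
        return jwt.compact();
    }

    /**
     * Verifies the signature and expiry of a token and wraps the outcome.
     *
     * @param token compact JWT as received from the client; may be {@code null} or blank
     * @return code 200 with the claims on success, 300 when the token has expired, 301 for any
     *     other rejection (bad signature, malformed, unsigned, missing)
     */
    public static ResponseEntity parseToken(String token) {
        Claims claims;
        try {
            // parseClaimsJws accepts only signed tokens; an unsigned JWT is rejected with a
            // JwtException instead of being treated as valid.
            claims = Jwts.parser()
                    .setSigningKey(WxStaticData.jwtSecret)
                    .parseClaimsJws(token)
                    .getBody();
        } catch (ExpiredJwtException e) {
            log.debug("token过期");
            return new ResponseEntity(300, "token过期");
        } catch (JwtException | IllegalArgumentException e) {
            // jjwt throws IllegalArgumentException, not JwtException, for a null or empty
            // token. Without this branch a request that omits the token would surface as an
            // unhandled error instead of a clean rejection. The token is deliberately not logged.
            log.debug("token解析失败");
            return new ResponseEntity(301, "token解析失败");
        }
        return new ResponseEntity(200, "token校验成功", claims);
    }
}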
3. 编写拦截器对部分请求进行拦截校验token
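/**
 * Interceptor that rejects requests lacking a valid JWT before they reach a controller.
 *
 * <p>The token is taken from an {@code Authorization: Bearer ...} header when present and
 * otherwise from the {@code token} request parameter. The parameter form is kept for existing
 * clients, but values sent that way end up in URLs and therefore in access logs and proxies,
 * so new clients should use the header.
 */
public class JwtHandlerInterceptor implements HandlerInterceptor {
    private static final String BEARER_PREFIX = "Bearer ";

    /**
     * Runs before the controller method and decides whether the request may proceed.
     *
     * @return {@code true} when the token verifies; {@code false} after writing the JSON error
     *     body with HTTP status 401
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String token = resolveToken(request);
        // A missing or blank token is rejected here so the outcome does not depend on how the
        // parser reacts to null input.
        ResponseEntity res = (token == null || token.trim().isEmpty())
                ? new ResponseEntity(301, "token解析失败")
                : JwtUtil.parseToken(token);
        if (res.getCode() == 200) {
            return true;
        }
        // Report the rejection in the status line too, so gateways and monitoring can tell
        // authentication failures from successful calls. The body format is unchanged.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");
        PrintWriter writer = response.getWriter();
        writer.println(JSON.toJSONString(res));
        return false;
    }

    /** Returns the bearer token from the Authorization header, else the {@code token} parameter. */
    private static String resolveToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null
                && header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return header.substring(BEARER_PREFIX.length()).trim();
        }
        return request.getParameter("token");
    }
}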
4.添加拦截器到springboot
/**
 * Registers the JWT interceptor with Spring MVC.
 *
 * <p>Every path is checked by default; only the entries in {@link #OPEN_PATHS} skip token
 * verification, so a newly added endpoint is protected unless it is listed there.
 */
@Configuration
public class MyWebConfigure implements WebMvcConfigurer {
    /** Endpoints reachable without a token. */
    private static final String[] OPEN_PATHS = {"/login", "/register"};

    /** Applies the JWT interceptor to all paths except the open ones. */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        JwtHandlerInterceptor jwtInterceptor = new JwtHandlerInterceptor();
        registry.addInterceptor(jwtInterceptor)
                .addPathPatterns("/**")
                .excludePathPatterns(OPEN_PATHS);
    }
}
总结
其实里面可以做更复杂的逻辑,比如说再加上spring security进行身份权限处理。我这边只做了简单操作(只校验token的签名和有效期,没有涉及token的刷新、吊销和权限控制),如果有感兴趣的大佬可以私聊我相互讨论。