JWT结构
header.payload.signature (头部,有效载荷,签名)
快速入门:
导入坐标:
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.16.0</version>
</dependency>
在测试类中获取测试令牌(可以去掉@SpringBootTest注解):
class JwtdemoApplicationTests {
@Test
void contextLoads() {
Calendar instance = Calendar.getInstance();
instance.add(Calendar.SECOND,20);//令牌有效时间20秒
HashMap<String, Object> map = new HashMap<>();
String token = JWT.create()
.withClaim("userId", 18) //payload
.withClaim("username", "zhangsan")
.withExpiresAt(instance.getTime()) //指定令牌过期时间
.sign(Algorithm.HMAC256("!EQWE#ADAD@A")); //签名
System.out.println(token);
}
}
这样我们就得到了token令牌
接下来令牌的验证(验签):
@Test
public void test(){
//创建验证对象
JWTVerifier jwtVerifier = JWT.require(Algorithm.HMAC256("!EQWE#ADAD@A")).build();//此处的签名和之前的一致
DecodedJWT verify = jwtVerifier.verify("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjI0MzE1MTUsInVzZXJJZCI6MTgsInVzZXJuYW1lIjoiemhhbmdzYW4ifQ.Pm0seqlxZxawVDmUGOZwUeUDJGepy8oQ3eUXQc4Zd-4");//之前生成的token
System.out.println(verify.getClaim("userId"));
System.out.println(verify.getClaim("username"));
}
还可以测过期时间:同样的使用 .getExpiresAt();
接下来创建JWT工具类:
package com.yill.util;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Calendar;
import java.util.List;
import java.util.Map;
public class JWTUtils {
private static final String sing = "!EQWE#ADAD@A";
/*生成token header.payload.sign
* */
public static String getToken(Map<String, String> map){
Calendar instance = Calendar.getInstance();
instance.add(Calendar.DATE,7); //默认7天过期
//创建jwt builder
JWTCreator.Builder builder = JWT.create();
//payload
map.forEach((k,v) ->{
builder.withClaim(k,v);
});
String token = builder.withExpiresAt(instance.getTime()) //指定令牌过期时间
.sign(Algorithm.HMAC256(sing)); //sign
return token;
}
/*
验证token 合法性
* */
public static DecodedJWT verify(String token){
return JWT.require(Algorithm.HMAC256(sing)).build().verify(token);
}
}
service层:
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserMapper userMapper;
@Override
@Transactional(propagation = Propagation.SUPPORTS)
public User login(User user) {
User userDB = userMapper.login(user);
if (userDB != null) {
return userDB;
}
throw new RuntimeException("登录失败~~");
}
}
controller层:(其余层自己可写,mapper层,配置文件mapper.xml,pojo(id,username,pwd都是String类型)数据库名user
@RestController
@Slf4j
public class UserController {
@Autowired
private UserService userService;
@RequestMapping("/user/login")
public Map<String,Object> login(User user){
log.info("用户名: [{}]",user.getUsername());
log.info("密码: [{}]",user.getPwd());
Map<String,Object> map = new HashMap<>();
try {
User userDB = userService.login(user);
Map<String, String> payload = new HashMap<>();
payload.put("id",userDB.getId());
payload.put("username",userDB.getUsername());
//生成JWT令牌
String token = JWTUtils.getToken(payload);
map.put("state",true);
map.put("msg","认证成功");
map.put("token",token);
} catch (Exception e) {
map.put("state",false);
map.put("msg",e.getMessage());
}
return map;
}
@PostMapping("/user/test")
public Map<String, Object> test(String token){
Map<String, Object> map = new HashMap<>();
log.info("当前的token:[{}]",token);
try {
DecodedJWT verify = JWTUtils.verify(token);
map.put("state",true);
map.put("msg","请求成功");
return map;
} catch (SignatureVerificationException e) {
e.printStackTrace();
map.put("msg","无效签名");
}catch (TokenExpiredException e) {
e.printStackTrace();
map.put("msg","token过期");
}catch (AlgorithmMismatchException e) {
e.printStackTrace();
map.put("msg","token算法不一致");
}catch (Exception e) {
e.printStackTrace();
map.put("msg","token无效");
}
map.put("state",false);
return map;
}
}
测试用户名密码,postman工具中:
解决代码冗余的问题:自定义interceptor
package com.yill.interceptor;
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yill.util.JWTUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;
public class JWTInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
Map<String, Object> map = new HashMap<>();
//获取请求头中的令牌
String token = request.getHeader("token");
try {
JWTUtils.verify(token); //验证令牌
return true;//放行请求
} catch (SignatureVerificationException e) {
e.printStackTrace();
map.put("msg","无效签名");
}catch (TokenExpiredException e) {
e.printStackTrace();
map.put("msg","token过期");
}catch (AlgorithmMismatchException e) {
e.printStackTrace();
map.put("msg","token算法不一致");
}catch (Exception e) {
e.printStackTrace();
map.put("msg","token无效");
}
map.put("state",false);//设置状态
//将map转为json jackson
String json = new ObjectMapper().writeValueAsString(map);
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
return false;
}
}
配置拦截器:
@Configuration
public class InterceptorConfig implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new JWTInterceptor())
.addPathPatterns("/user/test") //其他接口都token验证
.excludePathPatterns("/user/login"); // 所有用户都放行
}
}
优化业务层:
@PostMapping("/user/test")
public Map<String, Object> test(String token){
Map<String, Object> map = new HashMap<>();
//处理业务逻辑
map.put("state",true);
map.put("msg","请求成功");
return map;
}
此时就可以把token放在header请求头 里面经行响应