我为我的
Spring启动应用程序实现了JWT身份验证.总的来说,它的工作原理如下:
>客户端将用户名,密码发送到登录端点.
>服务器检查提供的凭据是否有效.
>如果不是,则会返回错误
>如果是,它将返回一个令牌,该令牌实际包含
>客户端会在每个将来的请求中发送该令牌
问题是,我们应该如何实施注销?
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Date;
class TokenAuthenticationService {
static final long EXPIRATIONTIME = 864_000_000; // 10 days
static final String SECRET = "ThisIsASecret";
static final String TOKEN_PREFIX = "Bearer";
static final String HEADER_STRING = "Authorization";
static void addAuthentication(HttpServletResponse res,String username) {
String JWT = Jwts
.builder()
.setSubject(username)
.setExpiration(
new Date(System.currentTimeMillis() + EXPIRATIONTIME))
.signWith(SignatureAlgorithm.HS512,SECRET).compact();
res.addHeader(HEADER_STRING,TOKEN_PREFIX + " " + JWT);
}
static Authentication getAuthentication(HttpServletRequest request,UserDetailsService customUserDetailsService) {
String token = request.getHeader(HEADER_STRING);
if (token != null) {
// parse the token.
Claims claims = Jwts.parser().setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX,"")).getBody();
String userName = claims.getSubject();
Date expirationTime = claims.getExpiration();
if (expirationTime.compareTo(new Date()) < 0) {
return null;
}
UserDetails user = customUserDetailsService.loadUserByUsername(userName);
return user != null ? new UsernamePasswordAuthenticationToken(user.getUsername(),user.getPassword(),user.getAuthorities()) : null;
}
return null;
}
}
jWTLoginFilter类使用addAuthentication在登录时发送身份验证代码,’getAuthentication由jWTAuthenticationFilter使用,用于过滤对端点的所有请求.
这里的最佳做法是什么?