springboot 集成jwt设置过期时间_spring boot 2 集成JWT实现api接口认证

一、JWT的数据结构

JWT由header(头信息)、payload(有效载荷)和signature(签名)三部分组成的,用“.”连接起来的字符串。
JWT的计算逻辑如下:
(1)signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
其中私钥secret保存于服务器端,不能泄露出去。
(2)JWT = base64UrlEncode(header) + "." + base64UrlEncode(payload) + signature

下面截图以官网的例子,简单说明

87971ce3b3f08c4f8d2ff62fb7ac8181.png

二、JWT工作机制

客户端使用其凭据成功登录时,服务器生成JWT并返回给客户端。
当客户端访问受保护的资源时,用户代理使用Bearer模式发送JWT,通常在Authorization header中,如下所示:
Authorization: Bearer
服务器检查Authorization header中的有效JWT ,如果有效,则允许用户访问受保护资源。JWT包含必要的数据,还可以减少查询数据库或缓存信息。

三、spring boot集成JWT实现api接口验证

开发环境:IntelliJ IDEA 2019.2.2jdk1.8Spring Boot 2.1.11

1、创建一个SpringBoot项目,pom.xml引用的依赖包如下

2c1ab7c7140f2d18fd14584385b17d3e.png

        <dependency><groupId>org.springframework.bootgroupId><artifactId>spring-boot-starter-webartifactId>dependency><dependency><groupId>com.auth0groupId><artifactId>java-jwtartifactId><version>3.8.3version>dependency><dependency><groupId>org.projectlombokgroupId><artifactId>lombokartifactId><version>1.18.10version><scope>providedscope>dependency><dependency><groupId>com.alibabagroupId><artifactId>fastjsonartifactId><version>1.2.62version>dependency>

2c1ab7c7140f2d18fd14584385b17d3e.png

2、定义一个接口的返回类

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.entity;import lombok.Data;import lombok.NoArgsConstructor;import lombok.ToString;import java.io.Serializable;
@Data
@NoArgsConstructor
@ToStringpublic class ResponseDataimplements Serializable {/**
* 状态码:0-成功,1-失败
* */private int code;/**
* 错误消息,如果成功可为空或SUCCESS
* */private String msg;/**
* 返回结果数据
* */private T data;public static ResponseData success() {return success(null);
}public static ResponseData success(Object data) {
ResponseData result = new ResponseData();
result.setCode(0);
result.setMsg("SUCCESS");
result.setData(data);return result;
}public static ResponseData fail(String msg) {return fail(msg,null);
}public static ResponseData fail(String msg, Object data) {
ResponseData result = new ResponseData();
result.setCode(1);
result.setMsg(msg);
result.setData(data);return result;
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

3、统一拦截接口返回数据

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.config;import com.alibaba.fastjson.JSON;import com.example.jwtdemo.entity.ResponseData;import org.springframework.core.MethodParameter;import org.springframework.http.MediaType;import org.springframework.http.converter.HttpMessageConverter;import org.springframework.http.server.ServerHttpRequest;import org.springframework.http.server.ServerHttpResponse;import org.springframework.web.bind.annotation.RestControllerAdvice;import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;/**
* 实现ResponseBodyAdvice接口,可以对返回值在输出之前进行修改*/
@RestControllerAdvicepublic class GlobalResponseHandler implements ResponseBodyAdvice {//判断支持的类型 @Overridepublic boolean supports(MethodParameter methodParameter, Class extends HttpMessageConverter>> aClass) {return true;
}
@Overridepublic Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class extends HttpMessageConverter>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {// 判断为null构建ResponseData对象进行返回if (o == null) {return ResponseData.success();
}// 判断是ResponseData子类或其本身就返回Object o本身,因为有可能是接口返回时创建了ResponseData,这里避免再次封装if (o instanceof ResponseData) {return (ResponseData) o;
}// String特殊处理,否则会抛异常if (o instanceof String) {return JSON.toJSON(ResponseData.success(o)).toString();
}return ResponseData.success(o);
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

4、统一异常处理

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.exception;import com.example.jwtdemo.entity.ResponseData;import org.springframework.web.bind.annotation.ExceptionHandler;import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvicepublic class GlobalExceptionHandler {
@ExceptionHandler(Exception.class)public ResponseData exceptionHandler(Exception e) {
e.printStackTrace();return ResponseData.fail(e.getMessage());
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

5、创建一个JWT工具类

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.common;import com.auth0.jwt.JWTVerifier;import com.auth0.jwt.algorithms.Algorithm;import com.auth0.jwt.interfaces.DecodedJWT;import com.auth0.jwt.JWT;import java.util.Date;public class JwtUtils {public static final String TOKEN_HEADER = "Authorization";public static final String TOKEN_PREFIX = "Bearer ";// 过期时间,这里设为5分钟private static final long EXPIRE_TIME = 5 * 60 * 1000;// 密钥private static final String SECRET = "jwtsecretdemo";/**
* 生成签名,5分钟后过期
*
* @param name 名称
* @param secret 密码
* @return 加密后的token*/public static String sign(String name) {
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(SECRET); //使用HS256算法
String token = JWT.create() //创建令牌实例
.withClaim("name", name) //指定自定义声明,保存一些信息//.withSubject(name) //信息直接放在这里也行
.withExpiresAt(date) //过期时间
.sign(algorithm); //签名return token;
}/**
* 校验token是否正确
*
* @param token 令牌
* @param secret 密钥
* @return 是否正确*/public static boolean verify(String token) {try{
String name = getName(token);
Algorithm algorithm = Algorithm.HMAC256(SECRET);
JWTVerifier verifier = JWT.require(algorithm)
.withClaim("name", name)//.withSubject(name) .build();
DecodedJWT jwt = verifier.verify(token);return true;
} catch (Exception e){return false;
}
}/**
* 获得token中的信息
*
* @return token中包含的名称*/public static String getName(String token) {try {
DecodedJWT jwt = JWT.decode(token);return jwt.getClaim("name").asString();
}catch(Exception e){return null;
}
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

6、新建两个自定义注解:一个需要认证、另一个不需要认证

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.config;import java.lang.annotation.ElementType;import java.lang.annotation.Retention;import java.lang.annotation.RetentionPolicy;import java.lang.annotation.Target;
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)public @interface LoginToken {boolean required() default true;
}

2c1ab7c7140f2d18fd14584385b17d3e.png

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.config;import java.lang.annotation.ElementType;import java.lang.annotation.Retention;import java.lang.annotation.RetentionPolicy;import java.lang.annotation.Target;
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)public @interface PassToken {boolean required() default true;
}

2c1ab7c7140f2d18fd14584385b17d3e.png

7、新建拦截器并验证token

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.config;import com.example.jwtdemo.common.JwtUtils;import org.springframework.web.method.HandlerMethod;import org.springframework.web.servlet.HandlerInterceptor;import org.springframework.web.servlet.ModelAndView;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.lang.reflect.Method;public class AuthenticationInterceptor implements HandlerInterceptor {
@Overridepublic boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {// 如果不是映射到方法直接通过if(!(handler instanceof HandlerMethod)){return true;
}
HandlerMethod handlerMethod=(HandlerMethod)handler;
Method method=handlerMethod.getMethod();//检查是否有passtoken注释,有则跳过认证if (method.isAnnotationPresent(PassToken.class)) {
PassToken passToken = method.getAnnotation(PassToken.class);if (passToken.required()) {return true;
}
}//检查有没有需要用户权限的注解if (method.isAnnotationPresent(LoginToken.class)) {
LoginToken loginToken = method.getAnnotation(LoginToken.class);if (loginToken.required()) {// 执行认证
String tokenHeader = request.getHeader(JwtUtils.TOKEN_HEADER);// 从 http 请求头中取出 tokenif(tokenHeader == null){throw new RuntimeException("没有token");
}
String token = tokenHeader.replace(JwtUtils.TOKEN_PREFIX, "");if (token == null) {throw new RuntimeException("没有token");
}boolean b = JwtUtils.verify(token);if (b == false) {throw new RuntimeException("token不存在或已失效,请重新获取token");
}return true;
}
}return false;
}
@Overridepublic void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
}
@Overridepublic void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

8、配置拦截器

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.config;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.web.servlet.config.annotation.InterceptorRegistry;import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configurationpublic class InterceptorConfig implements WebMvcConfigurer {
@Overridepublic void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(authenticationInterceptor())
.addPathPatterns("/**");
}
@Beanpublic AuthenticationInterceptor authenticationInterceptor() {return new AuthenticationInterceptor();
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

9、新建一个测试的控制器

2c1ab7c7140f2d18fd14584385b17d3e.png

package com.example.jwtdemo.controller;import com.example.jwtdemo.common.JwtUtils;import com.example.jwtdemo.config.LoginToken;import com.example.jwtdemo.config.PassToken;import org.springframework.web.bind.annotation.*;
@RestControllerpublic class DemoController {
@PassToken
@PostMapping("getToken")public String getToken(@RequestParam String userName, @RequestParam String password){if(userName.equals("admin") && password.equals("123456")){
String token = JwtUtils.sign("admin");return token;
}return "用户名或密码错误";
}
@LoginToken
@GetMapping("getData")public String getData() {return "获取数据...";
}
}

2c1ab7c7140f2d18fd14584385b17d3e.png

10、Postman测试

(1)GET请求:http://localhost:8080/getData,返回如下

07df5ccd0c9ffdc5f8f347d760f009e8.png

 (2)GET请求:http://localhost:8080/getData,在token中随便输入字符串,返回如下

811857370a7c9a3f3034cd71f9dcb238.png

 (3)POST请求:http://localhost:8080/getToken,并设置用户名和密码参数,返回如下

918b9ca5fa11f9dcb4485b8618c4af66.png

 (4)GET请求:http://localhost:8080/getData,在token中输入上面token字符串,返回如下

a208cc9b4973bcecddfa05625f2b51a5.png

116a6616a50f149cac2b4043dd8665c9.png

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Spring Boot中,可以使用以下步骤将JWT集成到应用程序中以实现token认证: 1. 添加依赖项 在pom.xml文件中添加以下依赖项: ``` <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> ``` 2. 创建Token工具类 创建一个JwtTokenUtil工具类,该类将用于生成和验证JWT令牌。以下是一个基本的JwtTokenUtil类: ```java public class JwtTokenUtil { private static final String SECRET_KEY = "secret"; public static String generateToken(String username) { Date now = new Date(); Date expiryDate = new Date(now.getTime() + 3600000); return Jwts.builder() .setSubject(username) .setIssuedAt(now) .setExpiration(expiryDate) .signWith(SignatureAlgorithm.HS512, SECRET_KEY) .compact(); } public static String getUsernameFromToken(String token) { return Jwts.parser() .setSigningKey(SECRET_KEY) .parseClaimsJws(token) .getBody() .getSubject(); } public static boolean validateToken(String token) { try { Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token); return true; } catch (SignatureException ex) { System.out.println("Invalid JWT signature"); } catch (MalformedJwtException ex) { System.out.println("Invalid JWT token"); } catch (ExpiredJwtException ex) { System.out.println("Expired JWT token"); } catch (UnsupportedJwtException ex) { System.out.println("Unsupported JWT token"); } catch (IllegalArgumentException ex) { System.out.println("JWT claims string is empty."); } return false; } } ``` 3. 创建安全配置类 创建一个SecurityConfig类,该类将用于配置Spring Security以使用JWT进行认证。以下是一个基本的SecurityConfig类: ```java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; @Autowired private JwtUserDetailsService jwtUserDetailsService; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder()); } @Bean public JwtAuthenticationFilter jwtAuthenticationFilter() { return new JwtAuthenticationFilter(); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests().antMatchers("/authenticate").permitAll() .anyRequest().authenticated().and() .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); } } ``` 4. 创建用户详细信息服务类 创建一个JwtUserDetailsService类,该类将用于从数据库或其他存储中获取用户信息以进行身份验证。以下是一个基本的JwtUserDetailsService类: ```java @Service public class JwtUserDetailsService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { // 在这里获取用户信息并返回UserDetails对象 return null; } } ``` 5. 创建身份验证过滤器 创建一个JwtAuthenticationFilter类,该类将用于拦截所有请求,并进行JWT身份验证。以下是一个基本的JwtAuthenticationFilter类: ```java public class JwtAuthenticationFilter extends OncePerRequestFilter { @Autowired private JwtUserDetailsService jwtUserDetailsService; @Autowired private JwtTokenUtil jwtTokenUtil; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { final String requestTokenHeader = request.getHeader("Authorization"); String username = null; String jwtToken = null; // JWT Token is in the form "Bearer token". Remove Bearer word and get only the Token if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) { jwtToken = requestTokenHeader.substring(7); try { username = jwtTokenUtil.getUsernameFromToken(jwtToken); } catch (IllegalArgumentException e) { System.out.println("Unable to get JWT Token"); } catch (ExpiredJwtException e) { System.out.println("JWT Token has expired"); } } else { logger.warn("JWT Token does not begin with Bearer String"); } // Once we get the token validate it. if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username); // if token is valid configure Spring Security to manually set authentication if (jwtTokenUtil.validateToken(jwtToken)) { UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken( userDetails, null, userDetails.getAuthorities()); usernamePasswordAuthenticationToken .setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); // After setting the Authentication in the context, we specify // that the current user is authenticated. So it passes the // Spring Security Configurations successfully. SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken); } } chain.doFilter(request, response); } } ``` 6. 创建身份验证控制器 创建一个JwtAuthenticationController类,该类将用于处理身份验证请求,生成JWT令牌并返回给客户端。以下是一个基本的JwtAuthenticationController类: ```java @RestController public class JwtAuthenticationController { @Autowired private AuthenticationManager authenticationManager; @Autowired private JwtTokenUtil jwtTokenUtil; @Autowired private JwtUserDetailsService jwtUserDetailsService; @RequestMapping(value = "/authenticate", method = RequestMethod.POST) public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtRequest authenticationRequest) throws Exception { authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword()); final UserDetails userDetails = jwtUserDetailsService .loadUserByUsername(authenticationRequest.getUsername()); final String token = jwtTokenUtil.generateToken(userDetails.getUsername()); return ResponseEntity.ok(new JwtResponse(token)); } private void authenticate(String username, String password) throws Exception { try { authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password)); } catch (DisabledException e) { throw new Exception("USER_DISABLED", e); } catch (BadCredentialsException e) { throw new Exception("INVALID_CREDENTIALS", e); } } } ``` 现在,您的Spring Boot应用程序已经集成JWT以进行身份验证。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值