pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- JWT依赖 -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.7.0</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.4.0</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.28</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
编写JwtConfig
package com.hy.jwt_demo.config;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.Date;
/**
* @author hy
* @description:
* @date 2020/09/07
*/
@ConfigurationProperties(prefix = "config.jwt")
@Component
public class JwtConfig {
private String secret;
private long expire;
private String header;
/**header
* 生成token
* @param subject
* @return
*/
public String createToken (String subject){
Date nowDate = new Date();
Date expireDate = new Date(nowDate.getTime() + expire * 1000);//过期时间
return Jwts.builder()
.setHeaderParam("typ", "JWT")
.setSubject(subject)
.setIssuedAt(nowDate)
.setExpiration(expireDate)
.signWith(SignatureAlgorithm.HS256, secret)
.compact();
}
/**
* 获取token中注册信息
* @param token
* @return
*/
public Claims getTokenClaim (String token) {
try {
return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
}catch (Exception e){
// e.printStackTrace();
return null;
}
}
/**
* 验证token是否过期失效
* @param expirationTime
* @return
*/
public boolean isTokenExpired (Date expirationTime) {
return expirationTime.before(new Date());
}
/**
* 获取token失效时间
* @param token
* @return
*/
public Date getExpirationDateFromToken(String token) {
return getTokenClaim(token).getExpiration();
}
/**
* 获取用户名从token中
*/
public String getUsernameFromToken(String token) {
return getTokenClaim(token).getSubject();
}
/**
* 获取jwt发布时间
*/
public Date getIssuedAtDateFromToken(String token) {
return getTokenClaim(token).getIssuedAt();
}
// --------------------- getter & setter ---------------------
public String getSecret() {
return secret;
}
public void setSecret(String secret) {
this.secret = secret;
}
public long getExpire() {
return expire;
}
public void setExpire(long expire) {
this.expire = expire;
}
public String getHeader() {
return header;
}
public void setHeader(String header) {
this.header = header;
}
}
配置拦截器
package com.hy.jwt_demo.interceptor;
import com.hy.jwt_demo.config.JwtConfig;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.SignatureException;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* @author hy
* @description:
* @date 2020/09/07
*/
@Component
public class TokenInterceptor extends HandlerInterceptorAdapter {
@Resource
private JwtConfig jwtConfig ;
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response,
Object handler) throws SignatureException {
/** 地址过滤 */
String uri = request.getRequestURI() ;
if (uri.contains("/login")){
return true ;
}
/** Token 验证 */
String token = request.getHeader(jwtConfig.getHeader());
if(StringUtils.isEmpty(token)){
token = request.getParameter(jwtConfig.getHeader());
}
if(StringUtils.isEmpty(token)){
throw new SignatureException(jwtConfig.getHeader()+ "不能为空");
}
Claims claims = null;
try{
claims = jwtConfig.getTokenClaim(token);
if(claims == null || jwtConfig.isTokenExpired(claims.getExpiration())){
throw new SignatureException(jwtConfig.getHeader() + "失效,请重新登录。");
}
}catch (Exception e){
throw new SignatureException(jwtConfig.getHeader() + "失效,请重新登录。");
}
/** 设置 identityId 用户身份ID */
request.setAttribute("identityId", claims.getSubject());
return true;
}
}
注册拦截器到SpringMvc
package com.hy.jwt_demo.config;
import com.hy.jwt_demo.interceptor.TokenInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import javax.annotation.Resource;
/**
* @author hy
* @description:
* @date 2020/09/07
*/
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Resource
private TokenInterceptor tokenInterceptor ;
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(tokenInterceptor).addPathPatterns("/**");
}
}
统一异常处理类
package com.hy.jwt_demo.exception;
import com.hy.jwt_demo.config.ResultDto;
import com.hy.jwt_demo.config.ResultUtil;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import java.security.SignatureException;
/**
* @author hy
* @description:
* @date 2020/09/07
*/
@RestControllerAdvice
public class PermissionHandler {
@ExceptionHandler(value = { SignatureException.class })
@ResponseBody
public ResultDto<?> authorizationException(SignatureException e){
return ResultUtil.error("1008",e.getMessage());
}
@ExceptionHandler(value = { RuntimeException.class })
@ResponseBody
public ResultDto<?> RuntimeException(RuntimeException e){
return ResultUtil.error("1002",e.getMessage());
}
}
编写测试接口
package com.hy.jwt_demo.controller;
import com.alibaba.fastjson.JSONObject;
import com.hy.jwt_demo.config.JwtConfig;
import com.hy.jwt_demo.config.ResultDto;
import com.hy.jwt_demo.config.ResultUtil;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
/**
* @author hy
* @description:
* @date 2020/09/07
*/
@RestController
public class TokenController {
@Resource
private JwtConfig jwtConfig;
/**
* 用户登录接口
*
* @param userName
* @param passWord
* @return
*/
@PostMapping("/login")
public ResultDto<?> login(@RequestParam("userName") String userName,
@RequestParam("passWord") String passWord,HttpServletRequest request) {
HttpSession session = request.getSession();
Object userName1 = session.getAttribute("userName");
JSONObject json = new JSONObject();
String userId = null;
/** 验证userName,passWord和数据库中是否一致,如不一致,直接return ResultTool.errer(); 【这里省略该步骤】*/
// 这里模拟通过用户名和密码,从数据库查询userId
// 这里把userId转为String类型,实际开发中如果subject需要存userId,则可以JwtConfig的createToken方法的参数设置为Long类型
if ("zhangsan".equals(userName) && "123".equals(passWord)) {
userId =5 + "";
}else {
throw new RuntimeException("用户名或密码有误");
}
String token = jwtConfig.createToken(userId);
if (!StringUtils.isEmpty(token)) {
json.put("token", token);
}
return ResultUtil.success(json,"0000","success");
}
/**
* 需要 Token 验证的接口
*/
@PostMapping("/info")
public ResultDto<?> info() {
return ResultUtil.success("info","0000","success");
}
/**
* 根据请求头的token获取userId
*
* @param request
* @return
*/
@GetMapping("/getUserInfo")
public ResultDto<?> getUserInfo(HttpServletRequest request) {
String usernameFromToken = jwtConfig.getUsernameFromToken(request.getHeader("token"));
return ResultUtil.success(usernameFromToken,"0000","success");
}
/*
为什么项目重启后,带着之前的token还可以访问到需要info等需要token验证的接口?
答案:只要不过期,会一直存在,类似于redis
*/
}
用PostMan测试工具测试一下,访问登录接口,当对账号密码验证通过时,则返回一个token给客户端:
当直接去访问info接口时,会返回token为空的自定义异常:
当在请求头加上正确token时,则拦截器验证通过,可以正常访问到接口:
当在请求头加入一个错误token,则会返回token失效的自定义异常:
JWT总结
-
基于JSON,所以JWT是可以进行跨语言支持的,像JAVA,JavaScript,Node.JS,PHP等很多语言都可以使用。
-
payload部分,需要时JWT可以存储一些其他业务逻辑所必要的非敏感信息。
-
体积小巧,便于传输;JWT的构成非常简单,字节占用很小,所以它是非常便于传输的。它不需要在服务端保存会话信息, 所以它易于应用的扩展。
21万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
