不可不学系列(其二): Token认证机制让你的Web项目插入梦想的翅膀

最新推荐文章于 2024-08-04 16:21:07 发布
最新推荐文章于 2024-08-04 16:21:07 发布
阅读量213 收藏
点赞数
分类专栏: 笔记 文章标签: Token认证机制 让你的Web项目插入梦想的翅膀
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_42273775/article/details/109972567
版权

文章目录

Token认证机制

Token的优势

  • 可实现多种客户端的统一会话管理
  • 降低与其业务系统的耦合
  • 很容易加入第三方认证的支持

生成Token

服务器端 : 按规则生成token信息缓存在redis中, 同时返回给客户端

客户端: 请求登录成功保存token, 并附加在下次请求的http信息头中, 以供服务器验证

置换Token

设置定期刷新会话, 防止被恶意盗取

Token数据结构

客户端标识-USERCODE - USERID -CREATIONDATE-RONDEM(6位)

Token示例

  • TokenService
@Service
public class TokenServiceImpl  implements  TokenService{

<span class="token annotation punctuation">@Resource</span>
<span class="token keyword">private</span> RedisAPI redisAPI<span class="token punctuation">;</span>

<span class="token comment">/**
 * token: 客户端标识-USERCODE - USERID -CREATIONDATE-RONDEM(6位)
 * @param userAgent
 * @param admin
 * @return
 */</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> String <span class="token function">generateToken</span><span class="token punctuation">(</span>String userAgent<span class="token punctuation">,</span> WebAdmin admin<span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
    StringBuilder sb <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">StringBuilder</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

    UserAgent agent <span class="token operator">=</span> UserAgent<span class="token punctuation">.</span><span class="token function">parseUserAgentString</span><span class="token punctuation">(</span>userAgent<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">//移动设备</span>
    <span class="token keyword">if</span><span class="token punctuation">(</span>agent<span class="token punctuation">.</span><span class="token function">getOperatingSystem</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">isMobileDevice</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
        sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"MOBILE-"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span> <span class="token keyword">else</span>
        sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"PC-"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

    sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span>MD5Util<span class="token punctuation">.</span><span class="token function">getMD5</span><span class="token punctuation">(</span>admin<span class="token punctuation">.</span><span class="token function">getLoginCode</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token number">16</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"-"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span>admin<span class="token punctuation">.</span><span class="token function">getId</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">toString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"-"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">SimpleDateFormat</span><span class="token punctuation">(</span><span class="token string">"yyyyMMddHHmmsss"</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">format</span><span class="token punctuation">(</span><span class="token keyword">new</span> <span class="token class-name">Date</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span><span class="token string">"-"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    sb<span class="token punctuation">.</span><span class="token function">append</span><span class="token punctuation">(</span>MD5Util<span class="token punctuation">.</span><span class="token function">getMD5</span><span class="token punctuation">(</span>userAgent<span class="token punctuation">,</span> <span class="token number">6</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">return</span> sb<span class="token punctuation">.</span><span class="token function">toString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>


<span class="token comment">/**
 * 需要针对不同的客户端 需要不同的过期处理
 * @param token
 * @param admin
 */</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">void</span> <span class="token function">save</span><span class="token punctuation">(</span>String token<span class="token punctuation">,</span> WebAdmin admin<span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
    <span class="token keyword">if</span><span class="token punctuation">(</span>token<span class="token punctuation">.</span><span class="token function">startsWith</span><span class="token punctuation">(</span><span class="token string">"PC-"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
        redisAPI<span class="token punctuation">.</span><span class="token function">set</span><span class="token punctuation">(</span>token<span class="token punctuation">,</span>  JSONObject<span class="token punctuation">.</span><span class="token function">toJSONString</span><span class="token punctuation">(</span>admin<span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token number">2</span> <span class="token operator">*</span> <span class="token number">60</span> <span class="token operator">*</span> <span class="token number">60</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{<!-- --></span>
        <span class="token comment">//移动端不需要过期</span>
        redisAPI<span class="token punctuation">.</span><span class="token function">set</span><span class="token punctuation">(</span>token<span class="token punctuation">,</span>  JSONObject<span class="token punctuation">.</span><span class="token function">toJSONString</span><span class="token punctuation">(</span>admin<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>

<span class="token punctuation">}</span>

  <span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">boolean</span> <span class="token function">validate</span><span class="token punctuation">(</span>String userAgent<span class="token punctuation">,</span> String token<span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
    <span class="token keyword">if</span><span class="token punctuation">(</span><span class="token operator">!</span>redisAPI<span class="token punctuation">.</span><span class="token function">keyExist</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
        <span class="token keyword">return</span> <span class="token boolean">false</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>

    String md5Agent <span class="token operator">=</span> token<span class="token punctuation">.</span><span class="token function">split</span><span class="token punctuation">(</span><span class="token string">"-"</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">4</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
    <span class="token comment">//判断是不是同一个浏览器</span>
    <span class="token keyword">if</span><span class="token punctuation">(</span><span class="token operator">!</span>md5Agent<span class="token punctuation">.</span><span class="token function">equals</span><span class="token punctuation">(</span>MD5Util<span class="token punctuation">.</span><span class="token function">getMD5</span><span class="token punctuation">(</span>userAgent<span class="token punctuation">,</span> <span class="token number">6</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{<!-- --></span>
        <span class="token keyword">return</span>  <span class="token boolean">false</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>

    <span class="token comment">//不需要考虑过期时间 一方面如果是pc端过期 redis会直接清理 如果是移动端也不用考虑</span>
    <span class="token keyword">return</span>  <span class="token boolean">true</span><span class="token punctuation">;</span>

<span class="token punctuation">}</span>

}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64

注: 需要引入1个依赖: 至于redis和MD5,你使用token肯定是引入了,这里就不赘述了

<dependency>
    <groupId>nl.bitwalker</groupId>
    <artifactId>UserAgentUtils</artifactId>
    <version>1.2.4</version>
</dependency>
  
  

  
  
  • 1
  • 2
  • 3
  • 4

验证Token

客户端: 将token附加到请求的header中

服务端: 从header取出token, 将其和redis中key-value进行比对

代码在validate方法中

删除Token

直接手动调用redis的del的方法即可

重置Token

这个场景是, 用户每次请求业务时,都应该校验其token的有效期, 如果约定时间有效(一般是半个小时) 那么你可以访问, 如果无效那么 我需要置换token 具体细节如下

 	//保护期30分钟
    private long protectedTime = 30 * 60 * 1000;
	//延迟
    private int delayTime = 2 * 60;
    @Override
    public String reload(String userAgent, String token) throws Exception {
        //1验证token是否有效
        if (!redisAPI.keyExist(token)) {
            throw  new Exception("token 无效!");
        }
        //2.是否到了置换时间
        String genDateStr = token.split("-")[3];
        Date genDate = new SimpleDateFormat("yyyyMMddHHmmsss").parse(genDateStr);
        //经过的时间
        long pass = Calendar.getInstance().getTimeInMillis() - genDate.getTime();
        //判断是否在保护期之内
        if(pass < protectedTime) {
            throw new Exception("token置换保护期, 无法置换! 剩余" + (protectedTime - pass ) / 1000);
        }

    <span class="token comment">//生成新的tokne</span>
    WebAdmin admin <span class="token operator">=</span> JSONObject<span class="token punctuation">.</span><span class="token function">parseObject</span><span class="token punctuation">(</span>redisAPI<span class="token punctuation">.</span><span class="token function">get</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">,</span> WebAdmin<span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    String newToken <span class="token operator">=</span> <span class="token function">generateToken</span><span class="token punctuation">(</span>userAgent<span class="token punctuation">,</span> admin<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">//3.老的token 延迟2分钟过期</span>
    redisAPI<span class="token punctuation">.</span><span class="token function">set</span><span class="token punctuation">(</span>token<span class="token punctuation">,</span>  redisAPI<span class="token punctuation">.</span><span class="token function">get</span><span class="token punctuation">(</span>token<span class="token punctuation">)</span><span class="token punctuation">,</span> delayTime<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token comment">//4.新的token保存</span>
    <span class="token function">save</span><span class="token punctuation">(</span>newToken<span class="token punctuation">,</span> admin<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">return</span> newToken<span class="token punctuation">;</span>
<span class="token punctuation">}</span><div class="hljs-button {2}" data-title="复制" data-report-click="{&quot;spm&quot;:&quot;1001.2101.3001.4259&quot;}"></div></code><ul class="pre-numbering" style=""><li style="color: rgb(153, 153, 153);">1</li><li style="color: rgb(153, 153, 153);">2</li><li style="color: rgb(153, 153, 153);">3</li><li style="color: rgb(153, 153, 153);">4</li><li style="color: rgb(153, 153, 153);">5</li><li style="color: rgb(153, 153, 153);">6</li><li style="color: rgb(153, 153, 153);">7</li><li style="color: rgb(153, 153, 153);">8</li><li style="color: rgb(153, 153, 153);">9</li><li style="color: rgb(153, 153, 153);">10</li><li style="color: rgb(153, 153, 153);">11</li><li style="color: rgb(153, 153, 153);">12</li><li style="color: rgb(153, 153, 153);">13</li><li style="color: rgb(153, 153, 153);">14</li><li style="color: rgb(153, 153, 153);">15</li><li style="color: rgb(153, 153, 153);">16</li><li style="color: rgb(153, 153, 153);">17</li><li style="color: rgb(153, 153, 153);">18</li><li style="color: rgb(153, 153, 153);">19</li><li style="color: rgb(153, 153, 153);">20</li><li style="color: rgb(153, 153, 153);">21</li><li style="color: rgb(153, 153, 153);">22</li><li style="color: rgb(153, 153, 153);">23</li><li style="color: rgb(153, 153, 153);">24</li><li style="color: rgb(153, 153, 153);">25</li><li style="color: rgb(153, 153, 153);">26</li><li style="color: rgb(153, 153, 153);">27</li><li style="color: rgb(153, 153, 153);">28</li></ul></pre>

一般置换Token是放在定时任务中

说说心里话

最近又到了秋招的环节了, 笔者作为一名即将步入职场的新盆友, 正在疯狂吸收"全(栈)站"的知识, 虽然有些疲倦 但是每次掌握一个技能然后分享给大家这个阶段还是挺快乐的, 希望我的童鞋们多多捧场 让我更有信心更新下去, I need You!

袁清波i
关注
专栏目录
Web基础:Token
不怕猫的耗子A
03-08 3万+
传统身份验证的方法: HTTP 是一种没有状态的协议,也就是它并不知道是谁是访问应用。这里我们把用户看成是客户端,客户端使用用户名还有密码通过了身份验证,不过下回这个客户端再发送请求时候,还得再验证一下。解决的方法就是,当用户请求登录的时候,如果没有问题,我们在服务端生成一条记录,这个记录里可以说明一下登录的用户是谁,然后把这条记录的 ID 号发送给客户端,客户端收到以后把这个 ID 号存储在 C...
Python Web开发--Django框架:全套习路线和知识总结
Hello大家好,我是Dream,如果帮得到你,那我深感荣幸!交流学习、商务合作:https://bbs.csdn.net/topics/614347534
08-10 7万+
Python Web开发--Django框架:全套习路线和知识总结
web前端处理token
你如今的气质里,藏着你走过的路,经历过的事,读过的书,和爱过的人。
02-20 9132
一 使用基于 Token 的身份验证方法,在服务端不需要存储用户的登录记录。大概的流程是这样的: 客户端使用用户名跟密码请求登录 服务端收到请求,去验证用户名与密码 验证成功后,服务端会签发一个 Token,再把这个 Token 发送给客户端 客户端收到 Token 以后可以把它存储起来,比如放在 Cookie 里或者 Local Storage 里 客户端每次向服务端请求资源的时候需要带着服务...
基于Token的WEB后台认证机制
carcarrot的博客
04-19 63
转载自: https://www.cnblogs.com/xiekeli/p/5607107.html HTTP Basic Auth简单点说明就是每次请求API时都提供用户的username和password,简言之,Basic Auth是配合RESTful API 使用的最简单的认证方式,只需提供用户名密码即可,但由于有把用户名密码暴露给第三方客户端的风险,在生产环境下被使用的越来越少。因此,在开发对外开放的RESTful API时,尽量避免采用HTTP Basic AuthOAuth(开放授权)是一个
Azure AD认证和Azure AD B2C的token获取
右先生、的博客
11-16 1999
B2C认证拿到的code只能换取idToken, 就算拿到了access_token也是属于web_token,不能用于调用graph api。个人理解比较浅显,我认为Azure AD和Azure AD B2C都可作为用户管理的系统,他们提供了自己的登录认证画面,统一使用Graph API对自己的用户和其他功能做管理。B2C不能使用认证code获取access_token,所以采用了Azure AD免登录的方式获取了access_token。这里主要贴一下,当时使用的认证相关获取token的代码。
前后端分离电商B2C模式之_后台_购物车
随风而欲的博客
01-04 2901
单位
【SpringBoot】44、SpringBoot中整合JWT实现Token验证(整合篇)
热门推荐
Asurplus
02-28 21万+
什么是JWT? Json web token (JWT),是为了在网络应用环境间传递声明而执行的一种基于 JSON 的开放标准((RFC 7519),该 token 被设计为紧凑且安全的,特别适用于分布式站点的单点登录(SSO)场景。JWT 的声明一般被用来在身份提供者和服务提供者间传递被认证的用户身份信息,以便于从资源服务器获取资源,也可以增加一些额外的其它业务逻辑所必须的声明信息,该token也可直接被用于认证,也可被加密。 为什么需要JWT? 当我们开发前后端分离项目时,要求我们对用户会话状态要进行一
【微服务】springboot 整合 SA-Token 使用详解
最新发布
congge
08-04 1万+
springboot 整合 SA-Token 使用详解
补充知识点五:基于Token的WEB后台认证机制
panchang199266的博客
06-08 419
详情参见基于Token的WEB后台认证机制
Burpsuite爆破之token值替换
weixin_45007073的博客
07-16 1765
burpsuite对token替换并进行暴力破解
javaweb
RzhenDwo的博客
11-13 960
javaweb
token的常用业务处理:生成/保存/置换/读取/获取登录状态
yiXin_Chen的博客
02-24 656
package cn.itrip.service.token; import cn.itrip.beans.pojo.ItripUser; import cn.itrip.beans.vo.token.Token; import cn.itrip.util.MD5; import cn.itrip.util.RedisUtil; import cn.itrip.util.UserAgentUtil; import com.alibaba.fastjson.JSONObject; import org.s.
JWT(JsonWebToken)+SpringMVC项目demo
09-21
JSON Web Token(JWT)是一个非常轻巧的规范。现在免费给大家分享一个JWT(JsonWebToken)+SpringMVC项目的demo!
web认证中使用token
金溪的博客
11-20 766
几种常用的认证机制 1、Http Basic Auth 简单点说就是每次请求API时都提供用户的username和password,简言之,Basic Auth是配合RESTful API使用的最简单的认证方式,只需要提供用户名密码即可,但由于把用户名密码暴露给第三方客户端的风险,在生产环境被使用越来越少。因此,在开发对外开放的RESTful API时,尽量避免采用HTTP Basic Aut...
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account 解决方案
weixin_43178406的博客
09-26 9万+
本文主要介绍了remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of password解决方案,希望能对使用git clone的同们有所帮助。 文章目录 1. 问题描述 2. 解决方案
ElasticSearch 解析机制常见用法库 之 Tokenizer常用用法
菜刚RyuGou的专栏
06-18 1万+
Tokenizer 译作:“分词”,可以说是ElasticSearch Analysis机制中最重要的部分。 standard tokenizer 标准类型的tokenizer对欧洲语言非常友好, 支持Unicode。 如下是设置: 设置 说明 max_token_length 最大的token集合,即经过tokenizer过后得到的结果集的最...
token】刷新token,替换请求头
qq_42341025的博客
06-04 3525
token过期,用refreshToken 去刷新 token 处理: 在每一个请求之前,都去请求刷新token的接口,这里在axios里面用的ajax,因为在axios里面用到了响应拦截,如果还用axios,就会陷入死循环。因为涉及到一个页面刚进入,会去请求多个接口,造成 一个页面刚进入会请求多个token接口,所以 用到 防抖、节流,这些都是在axios的请求拦截器里面进行处理的。 l...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值