1. Java JWT
https://www.cnblogs.com/vhyc/p/7953779.html
https://www.cnblogs.com/yueguanguanyun/p/9055049.html
https://blog.csdn.net/u012017645/article/details/53585872
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
2. auth0/angular-jwt
https://github.com/auth0/angular-jwt
3. where-to-store-your-jwts-cookies-vs-html5-web-storage
JWTs are an awesome authentication mechanism. They give you a structured way to declare who a user is and what they can access. They can be encrypted and signed to prevent tampering on the client, but the devil is in the details, and in where you store them. Stormpath recommends storing JWTs in cookies for web applications, because cookies provide additional security and, with modern web frameworks, make CSRF protection straightforward. HTML5 Web Storage is exposed to XSS, has a larger attack surface, and a single successful attack can affect all users of the application.
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
4. Authorization
The difference between authentication and authorization
authentication and authorization
You log in to a forum with the username Zhang San and the password 1234. The password is correct, which proves that you, Zhang San, really are Zhang San: that is authentication.
Then a check shows that user Zhang San is a moderator and therefore has permission to pin and delete other people's posts: that is authorization.
5. Angular HTTP header
Adding a Bearer Token
The header to set is `Authorization: Bearer <token>`; in Java, for example:

```java
httpHeaders.add("Authorization", "Bearer " + token);
```

How do you add the JWT token to the header in Angular?
One way is to pass httpOptions with the HTTP request:

```typescript
const httpOptions = {
  headers: new HttpHeaders({
    'Content-Type': 'application/json',
    // Authorization belongs inside HttpHeaders, not as a sibling of `headers`
    'Authorization': 'Bearer ' + this.authenticationService.getToken()
  })
};
```
Another way is to use an HttpInterceptor:

```typescript
import {Injectable} from '@angular/core';
import {HttpEvent, HttpHandler, HttpInterceptor, HttpRequest} from '@angular/common/http';
import {Observable} from 'rxjs';

@Injectable()
export class AuthenticationInterceptor implements HttpInterceptor {
  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    const idToken = this.getToken();
    if (idToken) {
      // HttpRequest is immutable: clone it with the Authorization header added
      const cloned = req.clone({
        headers: req.headers.set('Authorization', 'Bearer ' + idToken)
      });
      return next.handle(cloned);
    } else {
      // no token available (not logged in): forward the request unchanged
      return next.handle(req);
    }
  }

  // Reads the token from localStorage; section 3 above discusses why cookies
  // are the safer place to keep a JWT.
  getToken(): string {
    const userStr = localStorage.getItem('currentUser');
    return userStr ? JSON.parse(userStr).token : '';
  }
}
```
The HttpInterceptor then adds the token to every HTTP request automatically. It has to be registered in app.module.ts:

```typescript
import {HTTP_INTERCEPTORS} from '@angular/common/http';

// inside @NgModule({ ... })
providers: [
  {provide: HTTP_INTERCEPTORS, useClass: AuthenticationInterceptor, multi: true}
],
```
http://blog.51cto.com/7308310/2072364
Java (RestTemplate interceptor):

```java
restTemplate.getRestTemplate().setInterceptors(
    Collections.singletonList((request, body, execution) -> {
        // ClientHttpRequestInterceptor: runs for every outgoing request
        HttpHeaders headers = request.getHeaders();
        headers.add("Authorization", "Bearer " + token);
        headers.add("Content-Type", "application/json");
        return execution.execute(request, body);
    }));
```