JWT
一、简介
1、JWT
JWT为 Json Web Token,是一种令牌生成算法。使用JWT能够保证Token的安全性,且能够进行Token时效性的检验。
2、JWT结构
JWT共由三部分组成,分别是数据头(Header)、Payload(数据体)、验证签名(Verify Signature)组成。其中,Header中的内容为加密信息以及Token的类别,Payload为用户数据、Verify Signature为校验数据。
二、依赖
JWT需要两个依赖java-jwt、jjwt
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.8.2</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
三、Token的生成与解析
1、生成token字符串
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.Date;
import java.util.Hashtable;
import java.util.Map;
@RestController
@RequestMapping("/jwt")
@CrossOrigin
public class JWTController {
@RequestMapping("/token")
public String getToken(){
User user=new User(1,"张三","123",new Date());
String userJson = JSON.toJSONString(user);//序列化user
JwtBuilder jwtBuilder = Jwts.builder(); //获得JWT构造器
Map<String,Object> map=new Hashtable<>();
map.put("kay",userJson);
String token = jwtBuilder.setSubject("hello") //设置用户数据
.setIssuedAt(new Date()) //设置jwt生成时间
.setId("1") //设置id为token id
.setClaims(map) //通过map传值
.setExpiration(new Date(System.currentTimeMillis() + 5000)) //设置token有效期
.signWith(SignatureAlgorithm.HS256, "qianfeng") //设置token加密方式和密码
.compact(); //生成token字符串
return token;
}
}
2、解析token
@RequestMapping("/parser")
@CrossOrigin
public ResponseEntity<User> getUser(@RequestParam("token") String token){
if (token!=null){
JwtParser jwtParser= Jwts.parser(); //获取jwt解析器
jwtParser.setSigningKey("java666");
try{
//如果token正确(密码,有效期)则正常运行,否则抛出异常
Jws<Claims> claimsJws = jwtParser.parseClaimsJws(token);
Claims body = claimsJws.getBody();//获取body
String subject = body.getSubject();//获取body中subject中的值
log.info(subject);
String key = body.get("key", String.class);//获取Claims中map的值
User user = JSON.parseObject(key, User.class);//反序列化user
return new ResponseEntity<User>(user,HttpStatus.OK);
}catch (Exception e){
e.printStackTrace();
return new ResponseEntity<User>(new User(),HttpStatus.NOT_ACCEPTABLE);
}
}else {
return new ResponseEntity<User>(new User(),HttpStatus.NOT_ACCEPTABLE);
}
}
注:通过Claims的map传值时,如果直接将对象放入map中,解析时得到的时LinkedHashMap类型,其中将map中对象的每一个属性作为其LinkedHashMap的键值对存储;若需要串一个对象的话,可以将其序列化,在解析式再将其反序列化即可
不过也可通过构造器重新构造一个对象出来
User user=new User((Integer) key.get("userId"),(String) key.get("userName"),(String) key.get("password"),new Date((Long) key.get("birthday")));
这里还有一个异常,就是
body.getSubject()得到的值总是null,可以通过Claims传值
四、使用拦截器拦截Token
1、通过header传递Token
前端token的存取值请看这篇文章:前端存取Cookie与localStorage
前端axios使用headers域传参
axios({
method:"get",
url:"api/order/orders",
headers:{
token:this.token
}
}).then((res)=>{
console.log(res.data)
})
2、注册拦截器
import com.alibaba.fastjson.JSON;
import io.jsonwebtoken.*;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
@Component
@CrossOrigin
public class JwtInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String method = request.getMethod();
if ("OPTIONS".equals(method)){
return true;
}
//获取请求头部信息
String token = request.getHeader("token");
if (token!=null) {
try {
JwtParser jwtParser = Jwts.parser();
jwtParser.setSigningKey("java666");
//只做token验证,若不通过,则抛异常
Jws<Claims> claimsJws = jwtParser.parseClaimsJws(token);
return true;
}catch (ExpiredJwtException e){
doResponse(response,"Token已过期,请重新登陆!");
return false;
}catch (UnsupportedJwtException e){
doResponse(response,"Token不合法,请自重!");
return false;
}catch (Exception e){
doResponse(response,"Token不合法,请自重!");
return false;
}
}
doResponse(response,"Token已过期,请重新登陆!");
return false;
}
public void doResponse(HttpServletResponse response,String info) throws IOException {
response.setContentType("application/json");
response.setCharacterEncoding("utf-8");
PrintWriter writer = response.getWriter();
ResponseEntity<String> responseEntity=new ResponseEntity<>(info, HttpStatus.NOT_ACCEPTABLE);
String json = JSON.toJSONString(responseEntity);
writer.write(json);
writer.flush();
writer.close();
}
}
3、配置拦截器
import com.qf.interceptor.JwtInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import java.util.ArrayList;
import java.util.List;
@Configuration
public class MyInterceptorConfig implements WebMvcConfigurer {
@Autowired
private JwtInterceptor jwtInterceptor;
@Override
public void addInterceptors(InterceptorRegistry registry) {
List<String> pathPatterns=new ArrayList<>();
pathPatterns.add("/jwt/parser");
pathPatterns.add("/order/**");
List<String> excludePathPatterns=new ArrayList<>();
excludePathPatterns.add("/jwt/token");
registry.addInterceptor(jwtInterceptor) //添加拦截器
.addPathPatterns(pathPatterns) //添加拦截url
.excludePathPatterns(excludePathPatterns); //添加不拦截url
}
}
版权声明:本文为博主原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。