JWT登錄認證Springboot詳解

更新時間：2024年11月20日 15:04:08 作者：十&年

文章主要介紹了如何在Java項目中使用JWT進行用戶認證和授權,通過定義一個常量,編寫JWT工具類來生成和解析token,登錄時在服務端生成token并返回給客戶端,客戶端使用攔截器攔截請求,驗證token的有效性,從而實現(xiàn)權限控制,文章旨在分享個人經驗,為開發(fā)者提供參考

依賴

        <!-- token -->
        <dependency>
            <groupId>com.auth0</groupId>
            <artifactId>java-jwt</artifactId>
            <version>3.3.0</version>
        </dependency>

一、JWT工具類

package com.cn.util;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.cn.util.SystemPara;
import com.sun.org.apache.xml.internal.security.algorithms.SignatureAlgorithm;

import java.io.UnsupportedEncodingException;
import java.security.SignatureException;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
  * @Author 徐本錫
  * @Date 2019/7/4
  * @Param
  * @return
  **/
public class JWTUtil {

    private static final long EXPIRE_TIME = 5 * 60 * 1000;

    public static final String TOKEN_HEADER = "token";
    public static final String TOKEN_PREFIX = "xbx_";

    /**
      * @Author 徐本錫
      * @Description 生成token
      * @Date 2019/7/4  
      * @Param 
      * @return 
      **/
    public static  String  createToken (String logon_name) throws UnsupportedEncodingException {

        //簽名發(fā)布時間
        Date createTime = new Date();

        //設置簽名過期時間  5分鐘
        Calendar nowTime=Calendar.getInstance();
        nowTime.add(Calendar.MINUTE,5);
        Date expiresTime = nowTime.getTime();
        //Date expiresTime = new Date(System.currentTimeMillis() + EXPIRE_TIME);

        Map<String,Object> map=new HashMap<String, Object>();
        map.put("alg","HS256");//設置算法 為HS256
        map.put("typ","JWT");//設置類型為JWT

        String token= JWT.create()
                .withHeader(map)
                .withClaim("logon_name",logon_name) //可以將基本不重要的對象信息放到claims中
                .withIssuedAt(createTime)//設置簽發(fā)時間
                .withExpiresAt(expiresTime)//設置過去時間 過期時間大于簽發(fā)時間
                .sign(Algorithm.HMAC256(SystemPara.SECRET));//用公共密鑰加密

        return token;

    }

    /**
     * 校驗token是否正確
     *
     * @param token  密鑰
     * @param secret 用戶的密碼
     * @return 是否正確
     */
    public static boolean verify(String token, String logon_name, String secret) {
        try {
            //根據密碼生成JWT效驗器
            Algorithm algorithm = Algorithm.HMAC256(SystemPara.SECRET);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withClaim("logon_name", logon_name)
                    .build();
            //效驗TOKEN
            DecodedJWT jwt = verifier.verify(token);
            return true;
        } catch (Exception exception) {
            return false;
        }
    }

    /**
     * 獲得token中的信息無需secret解密也能獲得
     *
     * @return token中包含的用戶名
     */
    public static String getLogonName(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("logon_name").asString();
        } catch (JWTDecodeException e) {
            return null;
        }
    }

}

二、登錄時生成token

service方法中生成token，然后放入返回結果

  //service方法中生成token，然后放入返回結果
  String token = JWTUtil.createToken(loginName);
  resultMap.put("token", token);

controller中把token放入 response響應中

package com.cn.controller;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.cn.domain.EmpinforVo;
import com.cn.service.LogonService;
import com.cn.util.JWTUtil;
import com.cn.util.R;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * @author xbx
 * @date 2019-05-13
 */
@RestController
@RequestMapping("/Logon")
public class LogonController {
    private final LogonService logonService;

    @Autowired
    public LogonController(LogonService logonService) {
        this.logonService = logonService;
    }

    @RequestMapping(value = "", method = RequestMethod.POST)
    public R logon(HttpServletResponse response, EmpinforVo entity) throws Exception{
        Map resultMap = logonService.logon(entity);
        String token = (String) resultMap.get("token");

        //放到響應頭部
        response.setHeader(JWTUtil.TOKEN_HEADER, JWTUtil.TOKEN_PREFIX + token);

        return R.success(resultMap);
    }

}

三、創(chuàng)建攔截器

package com.cn.interceptor;

import com.cn.util.JWTUtil;
import com.cn.util.SystemPara;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * token驗證攔截
 */
public class JwtInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {

        // 取得token
        String tokenHeader = request.getHeader(JWTUtil.TOKEN_HEADER);
        if (tokenHeader == null || "".equals(tokenHeader)) {
            throw new Exception("token不存在");
        }
        if (!tokenHeader.startsWith(JWTUtil.TOKEN_PREFIX)) {
            throw new Exception("這是你自己造的token吧");
        }
        String token = tokenHeader.replace(JWTUtil.TOKEN_PREFIX, "");//真正的token

        String logonName = JWTUtil.getLogonName(token);

        // 驗證token是否有效
        if (!JWTUtil.verify(token, logonName, SystemPara.SECRET)){
            throw new Exception("token已失效");
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
        // TODO Auto-generated method stub

    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        // TODO Auto-generated method stub

    }

}

四、配置攔截器

package com.cn.config;

import com.cn.interceptor.JwtInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;


/**
  * @Author 徐本錫
  **/
@Configuration
public class WebAppConfiguration implements WebMvcConfigurer  {

    /**
     * 配置靜態(tài)資源
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        String path= "/";
        for(int i=1900; i<=2500; i++){
            path = String.valueOf(i);
            registry.addResourceHandler("/"+path+"/**").addResourceLocations("file:C:/"+path+"/");
            registry.addResourceHandler("/"+path+"/**").addResourceLocations("file:/"+path+"/");
        }
    }

    /**
     * 跨域支持
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowCredentials(true)
                .allowedMethods("GET", "POST", "DELETE", "PUT", "PATCH")
                .maxAge(3600 * 24);
    }

    /**
     * 添加攔截器
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        //攔截路徑可自行配置多個 可用 ，分隔開
        registry.addInterceptor(new JwtInterceptor()).addPathPatterns("/**").excludePathPatterns("/Logon");
    }


}