java JWT 登录认证
转自:https://www.cnblogs.com/itfeng813/p/14333422.html
Java JWT做登录认证
1.JWT的介绍
知乎有一篇文章介绍的很形象 认证方式的前世今生,以及 JWT 的使用
具体和Springboot的集成使用可参考另一篇博客:SpringBoot集成JWT实现token验证
2.使用demo
1 package com.drz.proxy.internetProxy.util;
2
3 import java.util.Date;
4 import java.util.HashMap;
5 import java.util.Map;
6
7 import org.apache.commons.codec.binary.Base64;
8 import org.apache.commons.codec.binary.StringUtils;
9
10 import com.auth0.jwt.JWT;
11 import com.auth0.jwt.JWTVerifier;
12 import com.auth0.jwt.algorithms.Algorithm;
13 import com.auth0.jwt.exceptions.JWTCreationException;
14 import com.auth0.jwt.exceptions.JWTVerificationException;
15 import com.auth0.jwt.interfaces.DecodedJWT;
16
17 /**
18 * JWT token串结构: header.payload.signature
19 * signature=HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),Secret)
20 *
21 * token保存在客户端,每次请求传到后端,服务端只保留密钥,不要把密钥放在header和payload中;
22 *
23 * header中默认传递参数:
24 * {"typ":"JWT","alg":"HS256"}
25 *
26 * payload官方定义包含属性如下(非强制):
27 * iss: jwt签发者
28 * sub: jwt所面向的用户
29 * aud: 接收jwt的一方
30 * exp: jwt的过期时间,这个过期时间必须要大于签发时间
31 * nbf: 定义在什么时间之前,该jwt都是不可用的.
32 * iat: jwt的签发时间
33 * jti: jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击。
34 * payload 自定义数据:存放我们想放在token中存放的key-value值
35 */
36 public class JWTUtil {
37
38 /**
39 * 过期时间
40 */
41 private static final long EXPIRE_TIMEMILLS = 6000;
42
43 /**
44 * jwt 密钥
45 */
46 private static final String SECRET = "jwt_secret";
47
48 public static String create() {
49 try {
50 Algorithm algorithm = Algorithm.HMAC256(SECRET);
51
52 Map<String, Object> headerMap = new HashMap<String, Object>();
53 headerMap.put("date", "2022-01-01 18:00");
54 headerMap.put("where", "城东小树林");
55 String token = JWT.create().withHeader(headerMap)//可自定义传递参数
56 // .withIssuer("auth0")//签发者
57 .withIssuedAt(new Date())//签发时间
58 .withSubject("subject").withAudience("100102134")
59 .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRE_TIMEMILLS))
60 //payload中加入自定义数据
61 .withClaim("name", "小明").withClaim("introduce", "TTT").sign(algorithm);
62 System.out.println("当前时间:" + new Date());
63 System.out.println("jwt token:" + token);
64 return token;
65 } catch (JWTCreationException exception) {
66 //Invalid Signing configuration / Couldn't convert Claims.
67 throw exception;
68 }
69 }
70
71 public static Boolean verify(String token) {
72 try {
73 Algorithm algorithm = Algorithm.HMAC256(SECRET);
74 JWTVerifier verifier = JWT.require(algorithm).build(); //Reusable verifier instance
75 DecodedJWT jwt = verifier.verify(token);
76
77 String decodeHeader = StringUtils.newStringUtf8(Base64.decodeBase64(jwt.getHeader()));
78 String decodePayload = StringUtils.newStringUtf8(Base64.decodeBase64(jwt.getPayload()));
79
80 String signature = jwt.getSignature();
81 String name = jwt.getClaim("name").asString();
82 String introduce = jwt.getClaim("introduce").asString();
83
84 System.out.println("header:" + jwt.getHeader());
85 System.out.println("payload:" + jwt.getPayload());
86 System.out.println("signature:" + signature);
87
88 System.out.println("headerString:" + decodeHeader);
89 System.out.println("payloadString:" + decodePayload);
90
91 System.out.println("name:" + name);
92 System.out.println("introduce:" + introduce);
93 return true;
94 } catch (JWTVerificationException exception) {
95 System.out.println("当前时间:" + new Date());
96 System.out.println("验证token失败:" + exception.getMessage());
97 return false;
98 }
99 }
100
101 public static void main(String[] args) {
102 String token = create();
103 // try {