This post is a set of personal study notes.
The previous post introduced JSON Web Token (JWT below). Since I am most familiar with Java, this one covers the Java server-side implementation; the principle is the same in other languages.
PS: if you are not yet clear on JWT, read "Web Security Communication: Token and JWT" (《Web安全通訊之Token與JWT》) first.
- Official site: https://jwt.io/
- jjwt on GitHub: https://github.com/jwtk/jjwt
- Demo source: https://github.com/wangcantian/SecurityCommDemo
- JWT jar download: http://pan.baidu.com/s/1pLqJYUv
The topic is covered from these angles:
- A plain Java implementation
- Using the open-source library jjwt
- Reading the jjwt source
Enough talk; roll up your sleeves and on to the code.
Java implementation
    import java.nio.charset.StandardCharsets;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Base64;

    // JCA algorithm name for HMAC with SHA-256
    private static final String MAC_INSTANCE_NAME = "HmacSHA256";

    public static String Hmacsha256(String secret, String message) throws NoSuchAlgorithmException, InvalidKeyException {
        Mac hmac_sha256 = Mac.getInstance(MAC_INSTANCE_NAME);
        // use an explicit charset instead of the platform default
        SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), MAC_INSTANCE_NAME);
        hmac_sha256.init(key);
        byte[] buff = hmac_sha256.doFinal(message.getBytes(StandardCharsets.UTF_8));
        // base64url without padding, as the JWS compact serialization requires
        return Base64.encodeBase64URLSafeString(buff);
    }

    // hand-rolled JWT
    public void testJWT() throws InvalidKeyException, NoSuchAlgorithmException {
        String secret = "eerp";
        // the standard header parameter names are "typ" and "alg"
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        String claim = "{\"iss\":\"cnooc\", \"sub\":\"yrm\", \"username\":\"yrm\", \"admin\":true}";
        String base64Header = Base64.encodeBase64URLSafeString(header.getBytes(StandardCharsets.UTF_8));
        String base64Claim = Base64.encodeBase64URLSafeString(claim.getBytes(StandardCharsets.UTF_8));
        // the signature covers the encoded header and payload joined by "."
        String signature = ShaUtil.Hmacsha256(secret, base64Header + "." + base64Claim);
        String jwt = base64Header + "." + base64Claim + "." + signature;
        System.out.println(jwt);
    }
Implementing JWT with the open-source library jjwt
jjwt is a Java implementation of JWT. Below is how to use it from Java.
Adding the dependency
There are two ways to add it:
- Through the Maven repository (recommended)
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.7.0</version>
    </dependency>
- Import the jar directly. Note: the library uses Jackson for JSON parsing, so the related Jackson jars must be imported as well; I have prepared a complete set of jars for you: >>Download the jars<<
Issuing a JWT
    public static String createJWT(String id, Map<String, Object> customClaims, Date expiration) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        SecretKey secretKey = generalKey();
        JwtBuilder builder = Jwts.builder()
            .setClaims(customClaims)     // custom claims; setClaims() replaces the whole claims map, so call it first
            .setId(id)                   // jti: JWT ID
            .setAudience("")             // aud: audience
            .setSubject("")              // sub: subject
            .setIssuer("")               // iss: issuer
            .setIssuedAt(new Date())     // iat: issued at
            .setNotBefore(new Date())    // nbf: not valid before this time
            .setExpiration(expiration)   // exp: expiration time
            .signWith(signatureAlgorithm, secretKey); // signing algorithm and key
        return builder.compact();
    }
Verifying a JWT
    public static Claims parseJWT(String jwt) throws Exception {
        SecretKey secretKey = generalKey();
        return Jwts.parser()
            .setSigningKey(secretKey)
            .parseClaimsJws(jwt)
            .getBody();
    }
Normally the verification step is placed in a middleware or an interceptor.
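As an added example (my code, not the demo's TokenMgr and not from the jjwt project), here is the issue/verify pair above with the checks a server should actually enforce: a randomly generated key of the right size instead of a short text secret, an expiry on every token, a required issuer and audience, a small clock-skew allowance, and each jjwt exception mapped to a distinct result. It targets the jjwt 0.7.0 API used on this page; the class name, the issuer and audience strings and the Status names are assumptions of this example.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.impl.crypto.MacProvider;

import java.security.Key;
import java.util.Date;
import java.util.UUID;

/** Issues and verifies HS256 tokens with jjwt 0.7.0 (added example, not the demo's own code). */
public class StrictTokenService {

    /** Outcome of a verification attempt; claims are only exposed on VALID. */
    public enum Status { VALID, EXPIRED, BAD_SIGNATURE, MALFORMED, WRONG_CLAIMS }

    public static final class Result {
        public final Status status;
        public final Claims claims; // null unless status == VALID
        Result(Status status, Claims claims) { this.status = status; this.claims = claims; }
    }

    private static final String ISSUER = "auth.example.test";   // assumed issuer name
    private static final String AUDIENCE = "api.example.test";  // assumed audience name

    // 256-bit random key from jjwt's MacProvider; a short passphrase like "eerp" can be brute-forced offline.
    private final Key key = MacProvider.generateKey(SignatureAlgorithm.HS256);

    /** Issues a token for userId valid for ttlMillis; a token without an expiry is never issued. */
    public String issue(String userId, long ttlMillis) {
        if (ttlMillis <= 0) {
            throw new IllegalArgumentException("ttlMillis must be positive");
        }
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())  // jti: lets a revocation list reference this token
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .setSubject(userId)
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + ttlMillis))
                .signWith(SignatureAlgorithm.HS256, key)
                .compact();
    }

    /** Checks signature, expiry, issuer and audience; claims from a token that failed any check are never returned. */
    public Result verify(String token) {
        try {
            Jws<Claims> jws = Jwts.parser()
                    .setSigningKey(key)
                    .requireIssuer(ISSUER)      // reject tokens minted by another issuer
                    .requireAudience(AUDIENCE)  // reject tokens minted for another service
                    .setAllowedClockSkewSeconds(30)
                    .parseClaimsJws(token);     // parseClaimsJws only accepts signed tokens (JWS)
            return new Result(Status.VALID, jws.getBody());
        } catch (ExpiredJwtException e) {
            return new Result(Status.EXPIRED, null);
        } catch (SignatureException e) {
            return new Result(Status.BAD_SIGNATURE, null);
        } catch (MalformedJwtException e) {
            return new Result(Status.MALFORMED, null);
        } catch (JwtException e) {
            // IncorrectClaimException, MissingClaimException, UnsupportedJwtException, ...
            return new Result(Status.WRONG_CLAIMS, null);
        }
    }

    public static void main(String[] args) {
        StrictTokenService service = new StrictTokenService();
        String token = service.issue("yrm", 15 * 60 * 1000L);
        System.out.println(token);
        System.out.println("genuine:     " + service.verify(token).status);
        System.out.println("tampered:    " + service.verify(token + "x").status);
        System.out.println("not a JWT:   " + service.verify("not.a.jwt").status);
        // a second instance holds a different random key, so its tokens must not verify here
        System.out.println("foreign key: " + service.verify(new StrictTokenService().issue("yrm", 60_000L)).status);
    }
}
```

In a real deployment the key would be loaded from configuration or a key store rather than generated at start-up, otherwise every restart invalidates all outstanding tokens; the point of `MacProvider.generateKey` here is the key size, not the storage.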
The Java server-side demo does not use a popular framework; it is basic JSP + Servlet + JavaBean.
The main classes are listed below:
- TokenMgr.java: the class that issues and verifies JWTs
    public class TokenMgr {

        public static SecretKey generalKey() {
            byte[] encodedKey = Base64.decode(Constant.JWT_SECERT);
            SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
            return key;
        }

        /**
         * Issues a JWT
         * @param id        JWT ID (jti)
         * @param subject   subject (sub)
         * @param ttlMillis time to live in milliseconds; a negative value means no expiry is set
         * @return the compact serialized JWT
         */
        public static String createJWT(String id, String subject, long ttlMillis) {
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
            long nowMillis = System.currentTimeMillis();
            Date now = new Date(nowMillis);
            SecretKey secretKey = generalKey();
            JwtBuilder builder = Jwts.builder()
                .setId(id)
                .setSubject(subject)
                .setIssuedAt(now)
                .signWith(signatureAlgorithm, secretKey);
            if (ttlMillis >= 0) {
                long expMillis = nowMillis + ttlMillis;
                Date expDate = new Date(expMillis);
                builder.setExpiration(expDate);
            }
            return builder.compact();
        }

        /**
         * Verifies a JWT
         * @param jwtStr the compact JWT string
         * @return the verification result: success flag, claims on success, error code on failure
         */
        public static CheckResult validateJWT(String jwtStr) {
            CheckResult checkResult = new CheckResult();
            Claims claims = null;
            try {
                claims = parseJWT(jwtStr);
                checkResult.setSuccess(true);
                checkResult.setClaims(claims);
            } catch (ExpiredJwtException e) {
                checkResult.setErrCode(Constant.JWT_ERRCODE_EXPIRE);
                checkResult.setSuccess(false);
            } catch (SignatureException e) {
                checkResult.setErrCode(Constant.JWT_ERRCODE_FAIL);
                checkResult.setSuccess(false);
            } catch (Exception e) {
                checkResult.setErrCode(Constant.JWT_ERRCODE_FAIL);
                checkResult.setSuccess(false);
            }
            return checkResult;
        }

        /**
         * Parses a JWT string
         * @param jwt the compact JWT string
         * @return the claims (payload)
         * @throws Exception if the signature is invalid, the token has expired or it cannot be parsed
         */
        public static Claims parseJWT(String jwt) throws Exception {
            SecretKey secretKey = generalKey();
            return Jwts.parser()
                .setSigningKey(secretKey)
                .parseClaimsJws(jwt)
                .getBody();
        }

        /**
         * Builds the subject string
         * @param sub the subject model
         * @return the subject serialized as JSON
         */
        public static String generalSubject(SubjectModel sub) {
            return GsonUtil.objectToJsonStr(sub);
        }
    }
- SignFilter.java: the filter that verifies the token
PS: the token can be carried in the URL, a cookie, the Authorization header or the body, to be parsed in an agreed format; this demo simply puts the token in the URL or in the form.
CheckResult: the verification result model, holding the claims on success, the pass/fail status and a failure code. Since verification has essentially three outcomes (passed, failed, passed but expired), the failure code tells them apart. In practice there can be many more result states, depending on requirements.
    public class SignFilter implements Filter {

        @Override
        public void destroy() {
        }

        @Override
        public void doFilter(ServletRequest arg0, ServletResponse arg1,
                             FilterChain arg2) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) arg0;
            HttpServletResponse httpServletResponse = (HttpServletResponse) arg1;
            String tokenStr = httpServletRequest.getParameter("token");
            if (tokenStr == null || tokenStr.equals("")) {
                PrintWriter printWriter = httpServletResponse.getWriter();
                printWriter.print(ResponseMgr.err());
                printWriter.flush();
                printWriter.close();
                return;
            }
            // verify the JWT signature; returns a CheckResult object
            CheckResult checkResult = TokenMgr.validateJWT(tokenStr);
            if (checkResult.isSuccess()) {
                Claims claims = checkResult.getClaims();
                SubjectModel model = GsonUtil.jsonStrToObject(claims.getSubject(), SubjectModel.class);
                httpServletRequest.setAttribute("tokensub", model);
                httpServletRequest.getRequestDispatcher("/success.jsp").forward(httpServletRequest, httpServletResponse);
            } else {
                switch (checkResult.getErrCode()) {
                    // signature expired: return the expiry code
                    case Constant.JWT_ERRCODE_EXPIRE:
                        PrintWriter printWriter = httpServletResponse.getWriter();
                        printWriter.print(ResponseMgr.loginExpire());
                        printWriter.flush();
                        printWriter.close();
                        break;
                    // signature verification failed
                    case Constant.JWT_ERRCODE_FAIL:
                        PrintWriter printWriter2 = httpServletResponse.getWriter();
                        printWriter2.print(ResponseMgr.noAuth());
                        printWriter2.flush();
                        printWriter2.close();
                        break;
                    default:
                        break;
                }
            }
        }

        @Override
        public void init(FilterConfig arg0) throws ServletException {
        }
    }
- web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.0"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
        <servlet>
            <servlet-name>LoginServlet</servlet-name>
            <servlet-class>com.paul.sertest.servlet.LoginServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>LoginServlet</servlet-name>
            <url-pattern>/api/login</url-pattern>
        </servlet-mapping>
        <filter>
            <filter-name>CorsFilter</filter-name>
            <filter-class>com.paul.sertest.filter.CorsFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CorsFilter</filter-name>
            <url-pattern>/api/*</url-pattern>
        </filter-mapping>
        <filter>
            <filter-name>SignFilter</filter-name>
            <filter-class>com.paul.sertest.filter.SignFilter</filter-class>
            <init-param>
                <param-name>encoding</param-name>
                <param-value>utf-8</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>SignFilter</filter-name>
            <url-pattern>/api/check/*</url-pattern>
            <url-pattern>/api/bussin/*</url-pattern>
        </filter-mapping>
    </web-app>
CorsFilter adds Content-Type : text/json and the character encoding, among other headers, to the API responses, so it intercepts /SERTEXT/api/* only and does not affect requests for static pages. Filters execute in the order their nodes appear in web.xml, so CorsFilter has to come first; otherwise, if some step throws an exception, the returned data comes back garbled.
A look at the jjwt source
PS: just clone the source from the Git repository.
The usage example shows that jjwt uses the Builder pattern with flexible chained calls: builder() returns a JwtBuilder object, and after a chain of set methods, compact() returns the result we want. Let's see how it actually signs:
DefaultJwtBuilder.java
    @Override
    public String compact() {
        ...
        ...
        // parameter checks (elided above)
        Header header = ensureHeader();
        Key key = this.key;
        if (key == null && !Objects.isEmpty(keyBytes)) {
            key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
        }
        JwsHeader jwsHeader;
        if (header instanceof JwsHeader) {
            jwsHeader = (JwsHeader)header;
        } else {
            jwsHeader = new DefaultJwsHeader(header);
        }
        // write the alg header: the chosen algorithm when a key is present, otherwise "none"
        if (key != null) {
            jwsHeader.setAlgorithm(algorithm.getValue());
        } else {
            //no signature - plaintext JWT:
            jwsHeader.setAlgorithm(SignatureAlgorithm.NONE.getValue());
        }
        if (compressionCodec != null) {
            jwsHeader.setCompressionAlgorithm(compressionCodec.getAlgorithmName());
        }
        String base64UrlEncodedHeader = base64UrlEncode(jwsHeader, "Unable to serialize header to json.");
        String base64UrlEncodedBody;
        if (compressionCodec != null) {
            byte[] bytes;
            try {
                bytes = this.payload != null ? payload.getBytes(Strings.UTF_8) : toJson(claims);
            } catch (JsonProcessingException e) {
                throw new IllegalArgumentException("Unable to serialize claims object to json.");
            }
            base64UrlEncodedBody = TextCodec.BASE64URL.encode(compressionCodec.compress(bytes));
        } else {
            base64UrlEncodedBody = this.payload != null ?
                TextCodec.BASE64URL.encode(this.payload) :
                base64UrlEncode(claims, "Unable to serialize claims object to json.");
        }
        // at this point the header and payload parts are assembled
        String jwt = base64UrlEncodedHeader + JwtParser.SEPARATOR_CHAR + base64UrlEncodedBody;
        if (key != null) { //jwt must be signed:
            JwtSigner signer = createSigner(algorithm, key);
            String base64UrlSignature = signer.sign(jwt);
            jwt += JwtParser.SEPARATOR_CHAR + base64UrlSignature;
        } else {
            // no signature (plaintext), but must terminate w/ a period, see
            // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-6.1
            jwt += JwtParser.SEPARATOR_CHAR;
        }
        return jwt;
    }
First it validates the payload and the key: payload and custom claims may not both be null and may not both be set, and key and keyBytes may not both be present; then ensureHeader() obtains the Header object.
    protected Header ensureHeader() {
        if (this.header == null) {
            this.header = new DefaultHeader();
        }
        return this.header;
    }
If no custom Header was set, a default Header object, DefaultHeader, is instantiated. The Header interface extends the Map interface, matching the key-value form of the header part.
The Header instance is then "converted" into a JwsHeader instance. The JwsHeader interface extends Header and adds two properties: the signature algorithm (alg) and the key ID (kid).
    JwsHeader jwsHeader;
    if (header instanceof JwsHeader) {
        jwsHeader = (JwsHeader)header;
    } else {
        jwsHeader = new DefaultJwsHeader(header);
    }
Finally base64UrlEncode() yields the base64url-encoded header string.
    protected String base64UrlEncode(Object o, String errMsg) {
        byte[] bytes;
        try {
            // serialize the object with Jackson
            bytes = toJson(o);
        } catch (JsonProcessingException e) {
            throw new IllegalStateException(errMsg, e);
        }
        // base64url-encode the byte array
        return TextCodec.BASE64URL.encode(bytes);
    }
The payload or claims are base64url-encoded the same way to form the payload part.
Finally, the signature. createSigner(algorithm, key) instantiates a DefaultJwtSigner, which performs the signing and encoding in one place; its constructor is passed the signature algorithm enum SignatureAlgorithm, which defines every algorithm's name, description, family and so on.
    public enum SignatureAlgorithm {
        /** JWA name for {@code No digital signature or MAC performed} */
        NONE("none", "No digital signature or MAC performed", "None", null, false),
        /** JWA algorithm name for {@code HMAC using SHA-256} */
        HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true),
        ...
        ...
        /**
         * JWA algorithm name for {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512}. <b>This is not a JDK standard
         * algorithm and requires that a JCA provider like BouncyCastle be in the classpath.</b> BouncyCastle will be used
         * automatically if found in the runtime classpath.
         */
        PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "SHA512withRSAandMGF1", false);
    }
So how does DefaultJwtSigner implement the individual algorithms?
    public class DefaultJwtSigner implements JwtSigner {

        private static final Charset US_ASCII = Charset.forName("US-ASCII");

        private final Signer signer;

        public DefaultJwtSigner(SignatureAlgorithm alg, Key key) {
            this(DefaultSignerFactory.INSTANCE, alg, key);
        }

        public DefaultJwtSigner(SignerFactory factory, SignatureAlgorithm alg, Key key) {
            Assert.notNull(factory, "SignerFactory argument cannot be null.");
            this.signer = factory.createSigner(alg, key);
        }

        @Override
        public String sign(String jwtWithoutSignature) {
            byte[] bytesToSign = jwtWithoutSignature.getBytes(US_ASCII);
            byte[] signature = signer.sign(bytesToSign);
            return TextCodec.BASE64URL.encode(signature);
        }
    }
The DefaultJwtSigner constructor uses a singleton signer factory, DefaultSignerFactory. Let's see what that factory does:
    public class DefaultSignerFactory implements SignerFactory {

        public static final SignerFactory INSTANCE = new DefaultSignerFactory();

        @Override
        public Signer createSigner(SignatureAlgorithm alg, Key key) {
            Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
            Assert.notNull(key, "Signing Key cannot be null.");
            switch (alg) {
                case HS256:
                case HS384:
                case HS512:
                    return new MacSigner(alg, key);
                case RS256:
                case RS384:
                case RS512:
                case PS256:
                case PS384:
                case PS512:
                    return new RsaSigner(alg, key);
                case ES256:
                case ES384:
                case ES512:
                    return new EllipticCurveSigner(alg, key);
                default:
                    throw new IllegalArgumentException("The '" + alg.name() + "' algorithm cannot be used for signing.");
            }
        }
    }
So the factory instantiates a different signing object, a Signer, for each algorithm; the concrete algorithms live in the implementations of the Signer interface. Since we used HmacSHA256 above, we only need to look at MacSigner:
    public class MacSigner extends MacProvider implements Signer {

        ... ...

        @Override
        public byte[] sign(byte[] data) {
            Mac mac = getMacInstance();
            return mac.doFinal(data);
        }

        protected Mac getMacInstance() throws SignatureException {
            try {
                return doGetMacInstance();
            } catch (NoSuchAlgorithmException e) {
                String msg = "Unable to obtain JCA MAC algorithm '" + alg.getJcaName() + "': " + e.getMessage();
                throw new SignatureException(msg, e);
            } catch (InvalidKeyException e) {
                String msg = "The specified signing key is not a valid " + alg.name() + " key: " + e.getMessage();
                throw new SignatureException(msg, e);
            }
        }

        protected Mac doGetMacInstance() throws NoSuchAlgorithmException, InvalidKeyException {
            Mac mac = Mac.getInstance(alg.getJcaName());
            mac.init(key);
            return mac;
        }
    }
Familiar? It also obtains a Mac through Mac.getInstance(ALG_NAME) and calls mac.doFinal(data) to get the signature bytes, which are then turned into a string. That is essentially the whole signing path.
The classes mentioned above, as a diagram:
I will not walk through jjwt's verification code. The principle: take the header and payload parts, sign them again with the algorithm declared in the header, and compare the result with the signature carried in the JWT; verification succeeds only if they are identical.
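The hand-rolled signer at the top of the post and the verification principle just described fit in one small class, so here is an added example (my code, written for this page; not the post's ShaUtil and not jjwt's) that does both with nothing but the JDK. Two details matter on the verification side that the one-sentence principle leaves out: the verifier decides which algorithm it will accept rather than taking it from the token (an unsigned "header.payload." token or one whose header names another algorithm is rejected), and the presented and recomputed MACs are compared in constant time. The constructor also refuses keys shorter than the 32 bytes RFC 7518 requires for HS256, which a four-character secret such as "eerp" would not pass. The class name and the method names are assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Minimal HS256 JWS signer and verifier using only the JDK (added example; not the post's code and not jjwt's). */
public final class Hs256Jwt {
    private static final String JCA_NAME = "HmacSHA256";
    private static final String HEADER_JSON = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder(); // accepts unpadded input

    private final byte[] key;

    public Hs256Jwt(byte[] key) {
        // RFC 7518 section 3.2: an HS256 key must be at least 256 bits
        if (key.length < 32) {
            throw new IllegalArgumentException("HS256 key must be at least 32 bytes");
        }
        this.key = key.clone();
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** HMAC-SHA256 over the ASCII signing input "base64url(header).base64url(payload)". */
    private byte[] hmac(String signingInput) {
        try {
            Mac mac = Mac.getInstance(JCA_NAME);
            mac.init(new SecretKeySpec(key, JCA_NAME));
            return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Builds header.payload.signature the same way the post does, with the standard "typ" parameter. */
    public String sign(String claimsJson) {
        String signingInput = b64(HEADER_JSON) + "." + b64(claimsJson);
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /** Returns the payload JSON if the token is a valid HS256 JWS under this key, otherwise null. */
    public String verify(String token) {
        String[] parts = token.split("\\.", -1);
        // exactly three parts and a non-empty signature: this rejects the unsigned "header.payload." form
        if (parts.length != 3 || parts[2].isEmpty()) {
            return null;
        }
        String headerJson;
        byte[] presented;
        try {
            headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            presented = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null; // not base64url
        }
        // The verifier pins the algorithm. The header is only checked for consistency; whatever it says,
        // nothing but HMAC-SHA256 under our key is ever computed (a real verifier would parse the JSON).
        if (!headerJson.replaceAll("\\s", "").contains("\"alg\":\"HS256\"")) {
            return null;
        }
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        // constant-time comparison; String.equals would stop at the first mismatching byte
        if (!MessageDigest.isEqual(expected, presented)) {
            return null;
        }
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        Hs256Jwt jwt = new Hs256Jwt(key);

        // constructed claims, matching the post's example payload
        String token = jwt.sign("{\"iss\":\"cnooc\",\"sub\":\"yrm\",\"admin\":true}");
        System.out.println(token);
        System.out.println("genuine token accepted:  " + (jwt.verify(token) != null));

        String[] p = token.split("\\.");
        // same payload, header says alg=none and the signature part is empty: must be rejected
        String unsigned = b64("{\"typ\":\"JWT\",\"alg\":\"none\"}") + "." + p[1] + ".";
        System.out.println("unsigned token accepted: " + (jwt.verify(unsigned) != null));
        // payload changed, original signature kept: must be rejected
        String tampered = p[0] + "." + b64("{\"iss\":\"cnooc\",\"sub\":\"yrm\",\"admin\":false}") + "." + p[2];
        System.out.println("tampered token accepted: " + (jwt.verify(tampered) != null));
    }
}
```

The verifier deliberately has no knowledge of any algorithm other than HS256; a server that needs to accept several algorithms should keep a fixed allow-list per key and select the check from that list, never from the token's own header.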