JWT場(chǎng)景優(yōu)劣:
http://blog.didispace.com/learn-how-to-use-jwt-xjf/
JWT入門教程:
https://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html
JWTUtil.java
package org.inlighting.util;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.UnsupportedEncodingException;
import java.util.Date;
public class JWTUtil {
// 過(guò)期時(shí)間5分鐘
private static final long EXPIRE_TIME = 5*60*1000;
/**
* 校驗(yàn)token是否正確
* @param token 密鑰
* @param secret 用戶的密碼
* @return 是否正確
*/
public static boolean verify(String token, String username, String secret) {
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
JWTVerifier verifier = JWT.require(algorithm)
.withClaim("username", username)
.build();
DecodedJWT jwt = verifier.verify(token);
return true;
} catch (Exception exception) {
return false;
}
}
/**
* 獲得token中的信息無(wú)需secret解密也能獲得
* @return token中包含的用戶名
*/
public static String getUsername(String token) {
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getClaim("username").asString();
} catch (JWTDecodeException e) {
return null;
}
}
/**
* 生成簽名,5min后過(guò)期
* @param username 用戶名
* @param secret 用戶的密碼
* @return 加密的token
*/
public static String sign(String username, String secret) {
try {
Date date = new Date(System.currentTimeMillis()+EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(secret);
// 附帶username信息
return JWT.create()
.withClaim("username", username)
.withExpiresAt(date)
.sign(algorithm);
} catch (UnsupportedEncodingException e) {
return null;
}
}
}
加密過(guò)程:
JWT.create().withClaim("username", username).withExpiresAt(date).sign(algorithm)
create()
com.auth0.jwt.JWT#create
public static JWTCreator.Builder create() {
return JWTCreator.init();
}
com.auth0.jwt.JWTCreator#init
static JWTCreator.Builder init() {
return new Builder();
}
public static class Builder {
private final Map<String, Object> payloadClaims;
private Map<String, Object> headerClaims;
Builder() {
this.payloadClaims = new HashMap<>();
this.headerClaims = new HashMap<>();
}
...
}
withClaim(key,value)
com.auth0.jwt.JWTCreator.Builder#addClaim 該方法有多個(gè)重載形式狼犯,即value可為
Boolean Integer Long Double String Date
//其中addClaim方法 將鍵值對(duì)加入到payload里面
public Builder withClaim(String name, String value) throws IllegalArgumentException {
assertNonNull(name);
addClaim(name, value);
return this;
}
//在payload中添加一個(gè)鍵為exp 值為過(guò)期時(shí)間的鍵值對(duì)
public Builder withExpiresAt(Date expiresAt) {
addClaim(PublicClaims.EXPIRES_AT, expiresAt);
return this;
}
sign(algorithm)
com.auth0.jwt.JWTCreator.Builder#sign
//該方法時(shí)進(jìn)行JWTCreator對(duì)象的建造崭孤,并調(diào)用JWTCreator中的方法生成最終的字符串,在這個(gè)方法里對(duì)向jwt的頭添加
//鍵為alg 值為加密名稱和鍵為typ 值為"JWT"茂蚓,將JWTCreator建造者中的算法對(duì)象锁荔,表示jwt header的map對(duì)象乃摹,表示jwt payload的map對(duì)象傳入JWTCreator
public String sign(Algorithm algorithm) throws IllegalArgumentException, JWTCreationException {
if (algorithm == null) {
throw new IllegalArgumentException("The Algorithm cannot be null.");
}
headerClaims.put(PublicClaims.ALGORITHM, algorithm.getName());
headerClaims.put(PublicClaims.TYPE, "JWT");
String signingKeyId = algorithm.getSigningKeyId();
if (signingKeyId != null) {
withKeyId(signingKeyId);
}
return new JWTCreator(algorithm, headerClaims, payloadClaims).sign();
}
com.auth0.jwt.JWTCreator#sign
//將傳入的JWT 的header payload信息進(jìn)行Base64編碼,JWT的signature用算法對(duì)header payload組成的字符串進(jìn)行加密生成簽名,拼接其后,這就是最后的結(jié)果
private String sign() throws SignatureGenerationException {
String header = Base64.encodeBase64URLSafeString(headerJson.getBytes(StandardCharsets.UTF_8));
String payload = Base64.encodeBase64URLSafeString(payloadJson.getBytes(StandardCharsets.UTF_8));
String content = String.format("%s.%s", header, payload);
byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
String signature = Base64.encodeBase64URLSafeString((signatureBytes));
return String.format("%s.%s", content, signature);
}
解密:
JWT.require(algorithm).withClaim("username", username).build()
verifier.verify(json);
com.auth0.jwt.JWTVerifier#verify
public DecodedJWT verify(String token) throws JWTVerificationException {
//JWTParser對(duì)jwt解析豆赏,由base64解析為原字符串,即jwt對(duì)象包含jwt的header和payload信息
DecodedJWT jwt = JWT.decode(token);
//判斷加密方式是否正確
verifyAlgorithm(jwt, algorithm);
//利用構(gòu)建JWTVerifier對(duì)象傳入的Algorithm對(duì)象富稻,即Algorithm.HMAC256("test123")掷邦,對(duì)jwt中的header和payload進(jìn)行加密,判斷加密后的得到的簽名和當(dāng)前的是否相等
algorithm.verify(jwt);
//進(jìn)行過(guò)期時(shí)間等判斷
verifyClaims(jwt, claims);
return jwt;
}
public void verify(DecodedJWT jwt) throws SignatureVerificationException {
byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());
try {
boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes);
if (!valid) {
throw new SignatureVerificationException(this);
}
} catch (IllegalStateException | InvalidKeyException | NoSuchAlgorithmException e) {
throw new SignatureVerificationException(this, e);
}
}
private void verifyClaims(DecodedJWT jwt, Map<String, Object> claims) throws TokenExpiredException, InvalidClaimException {
for (Map.Entry<String, Object> entry : claims.entrySet()) {
switch (entry.getKey()) {
case PublicClaims.AUDIENCE:
//noinspection unchecked
assertValidAudienceClaim(jwt.getAudience(), (List<String>) entry.getValue());
break;
case PublicClaims.EXPIRES_AT:
assertValidDateClaim(jwt.getExpiresAt(), (Long) entry.getValue(), true);
break;
case PublicClaims.ISSUED_AT:
assertValidDateClaim(jwt.getIssuedAt(), (Long) entry.getValue(), false);
break;
case PublicClaims.NOT_BEFORE:
assertValidDateClaim(jwt.getNotBefore(), (Long) entry.getValue(), false);
break;
case PublicClaims.ISSUER:
assertValidStringClaim(entry.getKey(), jwt.getIssuer(), (String) entry.getValue());
break;
case PublicClaims.JWT_ID:
assertValidStringClaim(entry.getKey(), jwt.getId(), (String) entry.getValue());
break;
case PublicClaims.SUBJECT:
assertValidStringClaim(entry.getKey(), jwt.getSubject(), (String) entry.getValue());
break;
default:
assertValidClaim(jwt.getClaim(entry.getKey()), entry.getKey(), entry.getValue());
break;
}
}
}
