Article directory
1. What is JWT?
Before introducing JWT, let's review the process of using token for user authentication:
1. The client requests login with username and password
2. The server receives the request and verifies the username and password
3. After the verification is successful, the server will issue a token, and then return the token to the client
4. After receiving the token, the client can store it, such as putting it in a cookie
5. The client needs to carry the token issued by the server every time it requests resources from the server, which can be carried in the cookie or header
6. The server receives the request, and then verifies the token contained in the client request. If the verification is successful, it returns the request data to the client.
Compared with the traditional session authentication method, this token-based authentication method saves server resources and is more friendly to mobile terminals and distribution. Its advantages are as follows :
Support cross-domain access : cookies cannot cross domains, and tokens do not use cookies (the premise is to put the token in the request header), so there will be no problem of information loss after crossing domains
Stateless : the token mechanism is not available on the server side Session information needs to be stored, because the token itself contains information of all logged-in users, so it can reduce the pressure on the server.
More suitable for CDN : you can request all the information on the server through the content distribution network.
More suitable for mobile : when the client is a non-browser platform , cookies are not supported. At this time, it is much easier to use token authentication
without considering CSRF : Since cookies are no longer relied on, CSRF will not occur when using token authentication, so there is no need to consider CSRF defense
JWT is a specific implementation of token in the above process, its full name is JSON Web Token, official website address: https://jwt.io/
In layman's terms, the essence of JWT is a string, which saves user information in a Json string, and then encodes it to get a JWT token, and this JWT token has signature information, which can be verified after receiving Tampering, so can be used to securely transfer information between parties as Json objects. The JWT authentication process is as follows:
1. First, the front-end sends its user name and password to the back-end interface through the web form. This process is generally a POST request. The recommended way is to use SSL encrypted transmission (HTTPS) to avoid sniffing of sensitive information
2. After the backend checks the user name and password successfully, the data containing the user information is used as the JWT Payload, and the JWT Header is Base64-encoded and concatenated to form a JWT Token. The formed JWT Token is a JWT Token like lll.zzz The string of .xxx
3. The backend returns the JWT Token string to the frontend as a result of successful login. The front end can save the returned result in the browser, and delete the saved JWT Token when logging out
4. The front end puts the JWT Token into the Authorization attribute in the HTTP request header for each request (to solve XSS and XSRF problems)
5. The backend checks the JWT Token passed from the frontend to verify its validity, such as checking whether the signature is correct, whether it has expired, whether the receiver of the token is yourself, etc.
6. After the verification is passed, the backend parses out the user information contained in the JWT Token, performs other logical operations (generally obtain permissions based on user information, etc.), and returns the result
Finally: To put it bluntly, JWT: JSON Web Token, in fact, token is a string consisting of three parts: Header, Payload, Signature
2. Use steps
1. Project structure
2. Related dependencies
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.22</version>
</dependency>
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.7.21</version>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.4.3.2</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.79</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.22</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>4.1.2</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>2.3.8.RELEASE</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.18.3</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
</dependencies>
3. Database
Test here, so the user class only has username and password, create it yourself
4. Related code
1、annotation包
PassToken:
package com.geesun.annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:26
* @description:用来跳过验证的 PassToken
*/
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface PassToken {
boolean required() default true;
}
UserLoginToken:
package com.geesun.annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:26
* @description:用于登录后才能操作的token
*/
/*RetentionPolicy.RUNTIME:这种类型的Annotations将被JVM保留,
所以他们能在运行时被JVM或其他使用反射机制的代码所读取和使用。*/
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface UserLoginToken {
boolean required() default true;
}
2. Common package
CodeMsg:
package com.geesun.common;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:26
* @description:返回提示
*/
public class CodeMsg {
private int retCode;
private String message;
// 按照模块定义CodeMsg
// 通用异常
public static CodeMsg SUCCESS = new CodeMsg(0,"success");
public static CodeMsg SERVER_EXCEPTION = new CodeMsg(500100,"服务端异常");
public static CodeMsg PARAMETER_ISNULL = new CodeMsg(500101,"输入参数为空");
// 业务异常
public static CodeMsg USER_NOT_EXSIST = new CodeMsg(500102,"用户不存在");
public static CodeMsg ONLINE_USER_OVER = new CodeMsg(500103,"在线用户数超出允许登录的最大用户限制。");
public static CodeMsg SESSION_NOT_EXSIST = new CodeMsg(500104,"不存在离线session数据");
public static CodeMsg NOT_FIND_DATA = new CodeMsg(500105,"查找不到对应数据");
public static CodeMsg USER_OR_PASS_ERROR = new CodeMsg(500102,"账号或者密码错误,请重试!");
private CodeMsg(int retCode, String message) {
this.retCode = retCode;
this.message = message;
}
public int getRetCode() {
return retCode;
}
public String getMessage() {
return message;
}
public void setMessage(String message) {
this.message = message;
}
}
Result:
package com.geesun.common;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:26
* @description:返回统一结果集
*/
public class Result<T> {
private String message;
private int retCode;
private T data;
private Result(T data) {
this.retCode = 200;
this.message = "成功";
this.data = data;
}
private Result(CodeMsg cm) {
if(cm == null){
return;
}
this.retCode = cm.getRetCode();
this.message = cm.getMessage();
}
/**
* 成功时候的调用
* @return
*/
public static <T> Result<T> success(T data){
return new Result<T>(data);
}
/**
* 成功,不需要传入参数
* @return
*/
@SuppressWarnings("unchecked")
public static <T> Result<T> success(){
return (Result<T>) success("");
}
/**
* 失败时候的调用
* @return
*/
public static <T> Result<T> error(CodeMsg cm){
return new Result<T>(cm);
}
/**
* 失败时候的调用,扩展消息参数
* @param cm
* @param msg
* @return
*/
public static <T> Result<T> error(CodeMsg cm,String msg){
cm.setMessage(cm.getMessage()+"--"+msg);
return new Result<T>(cm);
}
public T getData() {
return data;
}
public String getMessage() {
return message;
}
public int getRetCode() {
return retCode;
}
}
3、config包
InterceptorConfig:
package com.geesun.config;
import com.geesun.Interceptor.AuthenticationInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.format.FormatterRegistry;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.validation.MessageCodesResolver;
import org.springframework.validation.Validator;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.config.annotation.*;
import java.util.List;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:25
* @description:新建Token拦截器
*/
@Configuration
public class InterceptorConfig implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(authenticationInterceptor())
.addPathPatterns("/**"); // 拦截所有请求,通过判断是否有 @LoginRequired 注解 决定是否需要登录
}
@Bean
public AuthenticationInterceptor authenticationInterceptor() {
return new AuthenticationInterceptor();
}
@Override
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> arg0) {
// TODO Auto-generated method stub
}
@Override
public void addCorsMappings(CorsRegistry arg0) {
// TODO Auto-generated method stub
}
@Override
public void addFormatters(FormatterRegistry arg0) {
// TODO Auto-generated method stub
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry arg0) {
// TODO Auto-generated method stub
}
@Override
public void addReturnValueHandlers(List<HandlerMethodReturnValueHandler> arg0) {
// TODO Auto-generated method stub
}
@Override
public void addViewControllers(ViewControllerRegistry arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureAsyncSupport(AsyncSupportConfigurer arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureContentNegotiation(ContentNegotiationConfigurer arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureHandlerExceptionResolvers(List<HandlerExceptionResolver> arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> arg0) {
// TODO Auto-generated method stub
}
@Override
public void configurePathMatch(PathMatchConfigurer arg0) {
// TODO Auto-generated method stub
}
@Override
public void configureViewResolvers(ViewResolverRegistry arg0) {
// TODO Auto-generated method stub
}
@Override
public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> arg0) {
// TODO Auto-generated method stub
}
@Override
public void extendMessageConverters(List<HttpMessageConverter<?>> arg0) {
// TODO Auto-generated method stub
}
@Override
public MessageCodesResolver getMessageCodesResolver() {
// TODO Auto-generated method stub
return null;
}
@Override
public Validator getValidator() {
// TODO Auto-generated method stub
return null;
}
}
4、Interceptor包
AuthenticationInterceptor:
package com.geesun.Interceptor;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.geesun.annotation.PassToken;
import com.geesun.annotation.UserLoginToken;
import com.geesun.pojo.User;
import com.geesun.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:24
* @description:拦截器
*/
public class AuthenticationInterceptor implements HandlerInterceptor {
@Autowired
UserService userService;
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object object) throws Exception {
String token = httpServletRequest.getHeader("token");// 从 http 请求头中取出 token
// 如果不是映射到方法直接通过
if(!(object instanceof HandlerMethod)){
return true;
}
HandlerMethod handlerMethod=(HandlerMethod)object;
Method method=handlerMethod.getMethod();
//检查是否有passtoken注释,有则跳过认证
if (method.isAnnotationPresent(PassToken.class)) {
PassToken passToken = method.getAnnotation(PassToken.class);
if (passToken.required()) {
return true;
}
}
//检查有没有需要用户权限的注解
if (method.isAnnotationPresent(UserLoginToken.class)) {
UserLoginToken userLoginToken = method.getAnnotation(UserLoginToken.class);
if (userLoginToken.required()) {
// 执行认证
if (token == null) {
throw new RuntimeException("无token,请重新登录");
}
// 获取 token 中的 user id
String userId;
try {
userId = JWT.decode(token).getAudience().get(0);
} catch (JWTDecodeException j) {
throw new RuntimeException("401");
}
User user = userService.findUserById(userId);
if (user == null) {
throw new RuntimeException("用户不存在,请重新登录");
}
// 验证 token
JWTVerifier jwtVerifier = JWT.require(Algorithm.HMAC256(user.getPassword())).build();
try {
jwtVerifier.verify(token);
} catch (JWTVerificationException e) {
throw new RuntimeException("401");
}
return true;
}
}
return true;
}
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
}
}
5. utils package
TokenUtil:
package com.geesun.utils;
import com.auth0.jwt.JWT;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:24
* @description:
*/
public class TokenUtil {
public static String getTokenUserId() {
String token = getRequest().getHeader("token");// 从 http 请求头中取出 token
String userId = JWT.decode(token).getAudience().get(0);
return userId;
}
/**
* 获取request
* @return
*/
public static HttpServletRequest getRequest() {
ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder
.getRequestAttributes();
return requestAttributes == null ? null : requestAttributes.getRequest();
}
}
6, pojo package
User:
package com.geesun.pojo;
import com.baomidou.mybatisplus.annotation.IdType;
import com.baomidou.mybatisplus.annotation.TableField;
import com.baomidou.mybatisplus.annotation.TableId;
import com.baomidou.mybatisplus.annotation.TableName;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.io.Serializable;
@Data
@AllArgsConstructor
@NoArgsConstructor
@TableName(value = "`user`")
public class User implements Serializable {
@TableId(value = "id", type = IdType.NONE)
private String id;
@TableField(value = "username")
private String username;
@TableField(value = "password")
private String password;
private static final long serialVersionUID = 1L;
}
7、controller包
UserController:
package com.geesun.controller;
import cn.hutool.json.JSONObject;
import com.geesun.annotation.UserLoginToken;
import com.geesun.common.CodeMsg;
import com.geesun.common.Result;
import com.geesun.pojo.User;
import com.geesun.service.UserService;
import com.geesun.service.impl.TokenService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/26 10:47
* @description:
*/
@RestController
@RequestMapping("/user")
public class UserController {
@Autowired
private UserService userService;
@Autowired
private TokenService tokenService;
/**
* 查询用户信息
* @return
*/
@UserLoginToken
@GetMapping("/list")
public Result<Object> list(){
return Result.success(userService.list());
}
/**
* 登录验证
* @param user
* @param response
* @return
*/
@RequestMapping(value = "/login" ,method = RequestMethod.GET)
public Result<Object> login(User user, HttpServletResponse response) {
JSONObject jsonObject = new JSONObject();
//获取用户账号密码
User userForBase = new User();
userForBase.setId(userService.findByUsername(user).getId());
userForBase.setUsername(userService.findByUsername(user).getUsername());
userForBase.setPassword(userService.findByUsername(user).getPassword());
//判断账号或密码是否正确
if (!userForBase.getPassword().equals(user.getPassword())) {
return Result.error(CodeMsg.USER_OR_PASS_ERROR);
} else {
String token = tokenService.getToken(userForBase);
jsonObject.put("token", token);
Cookie cookie = new Cookie("token", token);
cookie.setPath("/");
response.addCookie(cookie);
return Result.success(jsonObject);
}
}
}
8. Service package
UserService interface:
package com.geesun.service;
import com.baomidou.mybatisplus.extension.service.IService;
import com.geesun.pojo.User;
public interface UserService extends IService<User> {
int deleteByIds(Long[] ids);
int addUser(User user);
User findByUsername(User user);
User findUserById(String userId);
}
UserServiceImpl implementation class:
package com.geesun.service.impl;
import cn.hutool.core.util.ArrayUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.geesun.mapper.UserMapper;
import com.geesun.pojo.User;
import com.geesun.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.Arrays;
@Service
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService {
@Autowired
private UserMapper userMapper;
/**
* 判断用户名
* @param user
* @return
*/
public User findByUsername(User user){
return userMapper.selectOne(new LambdaQueryWrapper<User>().eq(User::getUsername,user.getUsername()));
}
public User findUserById(String userId) {
return userMapper.selectById(userId);
}
}
TokenService:
package com.geesun.service.impl;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.geesun.pojo.User;
import org.springframework.stereotype.Service;
import java.util.Date;
/**
* @author :Mr.ZJW
* @date :Created 2022/2/28 10:20
* @description:
*/
@Service
public class TokenService {
public String getToken(User user) {
Date start = new Date();
long currentTime = System.currentTimeMillis() + 60* 60 * 1000;//一小时有效时间
Date end = new Date(currentTime);
String token = "";
token = JWT.create().withAudience(user.getId()).withIssuedAt(start).withExpiresAt(end)
.sign(Algorithm.HMAC256(user.getPassword()));
return token;
}
}
9. mapper package
package com.geesun.mapper;
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.geesun.pojo.User;
public interface UserMapper extends BaseMapper<User> {
}
3. Test results
1. Login verification
2. Query user information
This method adds @UserLoginToken, so token is required to query
3. There will be an error message if the test is not added with Token
Error message:
