This demo jwt for testing, by logging the verified using jwt generated token, token carried in the request header and then completed the user access list information.
Ready to work:
1. The entity class SysUser.java
package com.king.entity; import lombok.Data; @Data public class SysUser { private String id; private String username; private String password; public SysUser(String username,String password){ this.username = username; this.password = password; } }
2. 1 Service method to authenticate the user ID and password (this lazy did not write dao layer)
2.2 Service method to get a list of users
package com.king.service; import com.king.entity.SysUser; import org.springframework.stereotype.Service; import java.util.ArrayList; import java.util.List; @Service public class SysUserServiceImpl implements SysUserService{ @Override public boolean login(SysUser user) { String username = user.getUsername(); String password = user.getPassword(); if(username.equals("king") && password.equals("123")){ return true; } return false; } @Override public List<SysUser> getList() { SysUser user1= new SysUser("king1","12345"); SysUser user2 = new SysUser("king2","12345"); SysUser user3 = new SysUser("king3","12345"); List<SysUser> list = new ArrayList<>(); list.add(user1); list.add(user2); list.add(user3); return list; } }
2.3 Service Interface
package com.king.service; import com.king.entity.SysUser; import java.util.List; public interface SysUserService { public boolean login(SysUser user); public List<SysUser> getList(); }
Focus here, then implement token tools:
3. jwt complete verification method and a signature generation method
package com.king.util; import com.auth0.jwt.JWT; import com.auth0.jwt.JWTVerifier; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.interfaces.DecodedJWT; import com.king.entity.SysUser; import java.util.Date; public class TokenUtil { private static final long EXPIRE_TIME= 15*60*1000; private static final String TOKEN_SECRET="token123"; //密钥盐 /** * 签名生成 * @param user * @return */ public static String sign(SysUser user){ String token = null; try { Date expiresAt = new Date(System.currentTimeMillis() + EXPIRE_TIME); token = JWT.create() .withIssuer("auth0") .withClaim("username", user.getUsername()) .withExpiresAt(expiresAt) // 使用了HMAC256加密算法。 .sign(Algorithm.HMAC256(TOKEN_SECRET)); } catch (Exception e){ e.printStackTrace(); } return token; } /** * 签名验证 * @param token * @return */ public static boolean verify(String token){ try { JWTVerifier verifier = JWT.require(Algorithm.HMAC256(TOKEN_SECRET)).withIssuer("auth0").build(); DecodedJWT jwt = verifier.verify(token); System.out.println("认证通过:"); System.out.println("issuer: " + jwt.getIssuer()); System.out.println("username: " + jwt.getClaim("username").asString()); System.out.println("过期时间: " + jwt.getExpiresAt()); return true; } catch (Exception e){ return false; } } }
4. Add the interceptor
package com.king.interceptor; import com.alibaba.fastjson.JSONObject; import com.king.util.TokenUtil; import org.springframework.stereotype.Component; import org.springframework.web.servlet.HandlerInterceptor; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.PrintWriter; @Component public class TokenInterceptor implements HandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response,Object handler)throws Exception{ if(request.getMethod().equals("OPTIONS")){ response.setStatus(HttpServletResponse.SC_OK); return true; } response.setCharacterEncoding("utf-8"); String token = request.getHeader("admin-token"); if(token != null){ boolean result = TokenUtil.verify(token); if(result){ System.out.println("通过拦截器"); return true; } } response.setCharacterEncoding("UTF-8"); response.setContentType("application/json; charset=utf-8"); PrintWriter out = null; try{ JSONObject json = new JSONObject(); json.put("success","false"); json.put("msg","认证失败,未通过拦截器"); json.put("code","50000"); response.getWriter().append(json.toJSONString()); System.out.println("Authentication failure, not by interceptor " ); // response.getWriter().write("50000"); }catch (Exception e){ e.printStackTrace(); response.sendError(500); return false; } return false; } }
5. Configure the interceptor
package com.king.config; import com.king.interceptor.TokenInterceptor; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import java.util.ArrayList; import java.util.List; /** * 拦截器配置 */ @Configuration public class IntercepterConfig implements WebMvcConfigurer { private TokenInterceptor tokenInterceptor; //构造方法 public IntercepterConfig(TokenInterceptor tokenInterceptor){ this.tokenInterceptor = tokenInterceptor; } @Override public void addInterceptors(InterceptorRegistry registry){ List<String> excludePath = new ArrayList<>(); excludePath.add("/user_register"); //注册 excludePath.add("/login"); //登录 excludePath.add("/logout"); //登出 excludePath.add("/static/**"); //静态资源 excludePath.add("/assets/**"); static resources// registry.addInterceptor(tokenInterceptor) .addPathPatterns("/**") .excludePathPatterns(excludePath); WebMvcConfigurer.super.addInterceptors(registry); } }
6. controller layer implementation login method and access method for the user list
package com.king.controller; import com.king.entity.SysUser; import com.king.service.SysUserService; import com.king.util.TokenUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; import java.util.HashMap; import java.util.List; import java.util.Map; @RestController public class UserController { @Autowired private SysUserService userService; @PostMapping(value="/login") @ResponseBody public Map<String,Object> login(String username,String password){ Map<String,Object> map = new HashMap<>(); SysUser user = new SysUser(username,password); if(userService.login(user)){ String token = TokenUtil.sign(user); if(token != null){ map.put("code", "10000"); map.put("message", "认证成功"); map.put("token", token); return map; } } map.put("code", "0000"); map.put("message", "认证失败"); return map; } @PostMapping(value="/getList") public List<SysUser> getList(){ List userList = userService.getList(); return userList; } }
Next test:
1. Use the postman to submit login information, passwords when intentionally wrong, return validation failure.
2. Submit the correct user name and password, verify through, you can get the token information.
3. Use of the token information into the header, key set admin-token, then the user list information request.
In the background we can see the token to carry valid time information and the user's token:
The above is the entire jwt use process.