The difference jwt and traditional session?
Traditional session authentication
1, the user sends the user name and password to the server.
2, server authentication is passed, stored data in the current session (session) inside, such as user roles, login time, and so on.
3, the server returns to the user a session_id writing user Cookie.
4. The user then every request will by Cookie, the session_id back to the server.
5, the server receives session_id, find pre-stored data, therefore represents the user's identity.
Based session problems revealed certification
The problem with this model is that, scalability (scaling) is not good. Stand-alone course, no problem, if it is a cluster of servers, or cross-domain service-oriented architecture, it requires data sharing session, each server can read the session.
For example, A and B sites sites are associated with a company's service. Now it requires, as long as the user in which a website login, and then visit another website will automatically log in, ask how to achieve?
One solution is to session data persistence, written to the database or other persistence layer. Various services receipt of the request, all requested data to the persistence layer. The advantage of this approach is obvious structure, the disadvantage is larger than engineering. Further, in case of hanging persistence, will single point of failure.
cookie-session mechanism has another disadvantage is stored on the cookie, in the case of the client browser, the browser can help us to automatically cookie (sessionId) save up to manage, and in the current large front-end (APP, under the trend of H5, applets, PC applications, networking, etc.), many clients (weak terminals) do not support cookie, cookie and we own realization has increased the complexity, cookie-session mechanism does not apply.
Another option is simply the server does not save session data, and all data is stored in the client, each request back to the server. JWT is a representative of this program.
Based token authentication mechanism
Similar to the http protocol is stateless token-based authentication mechanism, which does not require the server to retain the authentication information or session information of the user. This means that applications based on token authentication mechanism does not need to consider which server the user is logged in, which facilitated the application of the extension.
The process is this:
- User for username and password to the server request
- Server to verify the user's information
- The server sends to the user by verifying a token
- Client token memory, and each request included in this token value
- The server authentication token, and returns the data
这个token必须要在每次请求时传递给服务端,它应该保存在请求头里, 另外,服务端要支持CORS(跨来源资源共享)策略,一般我们在服务端这么做就可以了Access-Control-Allow-Origin: *。
JWT look like?
JWT is composed of three pieces of information (separated by decimal points), using these three pieces of information text link together constitute Jwt string. like this:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
- The first part we call the head (header)
- The second part of our call load (payload, similar to items carried on the airplane)
- The third part is the visa (signature).
header
jwt head carries two pieces of information:
{
'typ': 'JWT',
'alg': 'HS256'
}
声明类型Here is jwt声明加密的算法commonly used directly HMAC SHA256
Then the head base64-encryption (the encrypted can be decrypted symmetric), constitutes the first portion.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
playload
Load local storage is valid information. The name refers specifically to such goods carried on the aircraft, these effective information consists of three parts
- Standard registration statement
- Public Statement
- Private statement
- Standard registration statement (recommended, but not mandatory to use):
iss: jwt issuer
sub: Theme
aud: receiving jwt party
exp: jwt the expiration time, the expiration date must be greater than the issue of time
nbf: effective time
iat: The issue of time
jti: jwt unique identity, primarily as a of the token, and thus avoid a replay attack.
-
Public statement:
public declarations can add any information, general information about the user to add the necessary information or other business needs, but is not recommended for sensitive information to add, because the part of the client can decrypt. -
Private statement:
Private statement is a statement providers and consumers as common definition, is generally not recommended to store sensitive information, because base64 is decrypted symmetric, meaning that some of the information may be classified as plaintext.
Define a payload:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
Base64 then be encrypted to obtain the second portion of Jwt.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
signature
Signature
- header (after the base64)
- payload (after the base64)
- secret
payload header and use the base64 rear portion of the encrypted encryption requires base64. connected to form a string, followed by a combination of salt secret encrypted by encryption header is declared, and the third portion constitutes the jwt.
These three parts with connection into a complete string, constitutes the final jwt
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
注意:secret is stored on the server side, the issue generated jwt also on the server side, the secret is used for authentication and issuance of jwt jwt, so it is your server's private key, it should not be revealed to any scene. Once the client has learned the secret, it means that the client can be self-signed jwt up.
How jjwt application
We asked if the token understand a character encrypted information to carry, it can be divided into three steps
- Adding information to the token in
- The information is encrypted
- Decryption access to information
Project structure
jwt core code
public class JwtHelper {
/**
* token 过期时间, 单位: 秒. 这个值表示 30 天
*/
private static final long TOKEN_EXPIRED_TIME = 30 * 24 * 60 * 60;
/**
* jwt 加密解密密钥
*/
private static final String JWT_SECRET = "MDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjY=";
public static final String jwtId = "tokenId";
/**
* 创建JWT
*/
public static String createJWT(Map<String, Object> claims, Long time) {
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256; //指定签名的时候使用的签名算法,也就是header那部分,jjwt已经将这部分内容封装好了。
Date now = new Date(System.currentTimeMillis());
SecretKey secretKey = generalKey();
long nowMillis = System.currentTimeMillis();//生成JWT的时间
//下面就是在为payload添加各种标准声明和私有声明了
JwtBuilder builder = Jwts.builder() //这里其实就是new一个JwtBuilder,设置jwt的body
.setClaims(claims) //如果有私有声明,一定要先设置这个自己创建的私有的声明,这个是给builder的claim赋值,一旦写在标准的声明赋值之后,就是覆盖了那些标准的声明的
.setId(jwtId) //设置jti(JWT ID):是JWT的唯一标识,根据业务需要,这个可以设置为一个不重复的值,主要用来作为一次性token,从而回避重放攻击。
.setIssuedAt(now) //iat: jwt的签发时间
.signWith(signatureAlgorithm, secretKey);//设置签名使用的签名算法和签名使用的秘钥
if (time >= 0) {
long expMillis = nowMillis + time;
Date exp = new Date(expMillis);
builder.setExpiration(exp); //设置过期时间
}
return builder.compact();
}
/**
* 验证jwt
*/
public static Claims verifyJwt(String token) {
//签名秘钥,和生成的签名的秘钥一模一样
SecretKey key = generalKey();
Claims claims;
try {
claims = Jwts.parser() //得到DefaultJwtParser
.setSigningKey(key) //设置签名的秘钥
.parseClaimsJws(token).getBody();
} catch (Exception e) {
claims = null;
}//设置需要解析的jwt
return claims;
}
/**
* 由字符串生成加密key
*
* @return
*/
public static SecretKey generalKey() {
String stringKey = JWT_SECRET;
byte[] encodedKey = Base64.decodeBase64(stringKey);
SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
return key;
}
/**
* 根据userId和openid生成token
*/
public static String generateToken(String openId, Integer userId) {
Map<String, Object> map = new HashMap<>();
map.put("userId", userId);
map.put("openId", openId);
return createJWT(map, TOKEN_EXPIRED_TIME);
}
}
Controller layer
@RestController
public class LoginController {
@RequestMapping("/user/login")
public String login() {
String jwtToken = JwtHelper.generateToken("123",456);
return jwtToken;
}
@RequestMapping("user/hello")
public String user(){
return "hello";
}
}
Use filters
public class MyFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request =(HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
String token = request.getHeader("authorization"); //获取请求传来的token
Claims claims = JwtHelper.verifyJwt(token); //验证token
if (claims == null) {
response.getWriter().write("token is invalid");
}else {
filterChain.doFilter(request,response);
}
}
@Override
public void destroy() {
}
}
Filter loading
@Configuration
public class BeanRegisterConfig {
@Bean
public FilterRegistrationBean createFilterBean() {
//过滤器注册类
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new MyFilter());
registration.addUrlPatterns("/user/hello"); //需要过滤的接口
return registration;
}
}
启动项目:Visit localhost:8080/user/hello
the following figure:
携带token访问/user/hello
Transfer from above [ https://www.jianshu.com/p/29d7eea97339 ]
Related: springboot + Security + jjwt perfect solution restful interfaces stateless authentication
The following complementary BI tools Davinci 's JWT tools:
import com.alibaba.druid.util.StringUtils;
import edp.core.consts.Consts;
import edp.core.model.TokenDetail;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.io.UnsupportedEncodingException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import static edp.core.consts.Consts.EMPTY;
@Slf4j
@Component
public class TokenUtils {
/**
* 自定义 token 私钥
*/
@Value("${jwtToken.secret:Pa@ss@Word}")
private String SECRET;
/**
* 默认 token 超时时间
*/
@Value("${jwtToken.timeout:1800000}")
private Long TIMEOUT;
/**
* 默认 jwt 生成算法
*/
@Value("${jwtToken.algorithm:HS512}")
private String ALGORITHM;
/**
* 根据 TokenDetail 实体生成Token
*
* @param tokenDetail
* @return
*/
public String generateToken(TokenDetail tokenDetail) {
Map<String, Object> claims = new HashMap<String, Object>();
claims.put(Consts.TOKEN_USER_NAME, StringUtils.isEmpty(tokenDetail.getUsername()) ? EMPTY : tokenDetail.getUsername());
claims.put(Consts.TOKEN_USER_PASSWORD, StringUtils.isEmpty(tokenDetail.getPassword()) ? EMPTY : tokenDetail.getPassword());
claims.put(Consts.TOKEN_CREATE_TIME, System.currentTimeMillis());
return generate(claims);
}
/**
* 刷新token
*
* @param token
* @return
*/
public String refreshToken(String token) {
Claims claims = getClaims(token);
claims.put(Consts.TOKEN_CREATE_TIME, System.currentTimeMillis());
return generate(claims);
}
/**
* 根据 TokenDetail 实体和自定义超时时长生成Token
*
* @param tokenDetail
* @param timeOutMillis (毫秒)
* @return
*/
public String generateToken(TokenDetail tokenDetail, Long timeOutMillis) {
Map<String, Object> claims = new HashMap<String, Object>();
claims.put(Consts.TOKEN_USER_NAME, StringUtils.isEmpty(tokenDetail.getUsername()) ? EMPTY : tokenDetail.getUsername());
claims.put(Consts.TOKEN_USER_PASSWORD, StringUtils.isEmpty(tokenDetail.getPassword()) ? EMPTY : tokenDetail.getPassword());
claims.put(Consts.TOKEN_CREATE_TIME, System.currentTimeMillis());
Long expiration = Long.parseLong(claims.get(Consts.TOKEN_CREATE_TIME) + EMPTY) + timeOutMillis;
try {
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.setExpiration(new Date(expiration))
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET.getBytes("UTF-8"))
.compact();
} catch (UnsupportedEncodingException ex) {
log.warn(ex.getMessage());
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.setExpiration(new Date(expiration))
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET)
.compact();
}
}
/**
* 根据 TokenDetail 实体生成永久 Token
*
* @param tokenDetail
* @return
*/
public String generateContinuousToken(TokenDetail tokenDetail) {
Map<String, Object> claims = new HashMap<String, Object>();
claims.put(Consts.TOKEN_USER_NAME, StringUtils.isEmpty(tokenDetail.getUsername()) ? EMPTY : tokenDetail.getUsername());
claims.put(Consts.TOKEN_USER_PASSWORD, StringUtils.isEmpty(tokenDetail.getPassword()) ? EMPTY : tokenDetail.getPassword());
claims.put(Consts.TOKEN_CREATE_TIME, System.currentTimeMillis());
try {
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET.getBytes("UTF-8"))
.compact();
} catch (UnsupportedEncodingException ex) {
log.warn(ex.getMessage());
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET)
.compact();
}
}
/**
* 根据 clams生成token
*
* @param claims
* @return
*/
private String generate(Map<String, Object> claims) {
Long expiration = Long.parseLong(claims.get(Consts.TOKEN_CREATE_TIME) + EMPTY) + TIMEOUT;
try {
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.setExpiration(new Date(expiration))
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET.getBytes("UTF-8"))
.compact();
} catch (UnsupportedEncodingException ex) {
log.warn(ex.getMessage());
return Jwts.builder()
.setClaims(claims)
.setSubject(claims.get(Consts.TOKEN_USER_NAME).toString())
.setExpiration(new Date(expiration))
.signWith(null != SignatureAlgorithm.valueOf(ALGORITHM) ?
SignatureAlgorithm.valueOf(ALGORITHM) :
SignatureAlgorithm.HS512, SECRET)
.compact();
}
}
/**
* 解析 token 用户名
*
* @param token
* @return
*/
public String getUsername(String token) {
String username;
try {
final Claims claims = getClaims(token);
username = claims.get(Consts.TOKEN_USER_NAME).toString();
} catch (Exception e) {
username = null;
}
return username;
}
/**
* 解析 token 密码
*
* @param token
* @return
*/
public String getPassword(String token) {
String password;
try {
final Claims claims = getClaims(token);
password = claims.get(Consts.TOKEN_USER_PASSWORD).toString();
} catch (Exception e) {
password = null;
}
return password;
}
/**
* 获取token claims
*
* @param token
* @return
*/
private Claims getClaims(String token) {
Claims claims;
try {
claims = Jwts.parser()
.setSigningKey(SECRET.getBytes("UTF-8"))
.parseClaimsJws(token.startsWith(Consts.TOKEN_PREFIX) ?
token.substring(token.indexOf(Consts.TOKEN_PREFIX) + Consts.TOKEN_PREFIX.length()).trim() :
token.trim())
.getBody();
} catch (Exception e) {
log.warn(e.getMessage());
claims = Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token.startsWith(Consts.TOKEN_PREFIX) ?
token.substring(token.indexOf(Consts.TOKEN_PREFIX) + Consts.TOKEN_PREFIX.length()).trim() :
token.trim())
.getBody();
}
return claims;
}
/**
* 根据 TokenDetail 验证token
*
* @param token
* @param tokenDetail
* @return
*/
public Boolean validateToken(String token, TokenDetail tokenDetail) {
TokenDetail user = (TokenDetail) tokenDetail;
String username = getUsername(token);
String password = getPassword(token);
return (username.equals(user.getUsername()) && password.equals(user.getPassword()) && !(isExpired(token)));
}
/**
* 根据 用户名、密码 验证 token
*
* @param token
* @param username
* @param password
* @return
*/
public Boolean validateToken(String token, String username, String password) {
String tokenUsername = getUsername(token);
String tokenPassword = getPassword(token);
return (username.equals(tokenUsername) && password.equals(tokenPassword) && !(isExpired(token)));
}
/**
* 解析 token 创建时间
*
* @param token
* @return
*/
private Date getCreatedDate(String token) {
Date created;
try {
final Claims claims = getClaims(token);
created = new Date((Long) claims.get(Consts.TOKEN_CREATE_TIME));
} catch (Exception e) {
created = null;
}
return created;
}
/**
* 获取 token 超时时间
*
* @param token
* @return
*/
private Date getExpirationDate(String token) {
Date expiration;
try {
final Claims claims = getClaims(token);
expiration = claims.getExpiration();
} catch (Exception e) {
expiration = null;
}
return expiration;
}
/**
* token 是否超时
*
* @param token
* @return
*/
private Boolean isExpired(String token) {
final Date expiration = getExpirationDate(token);
//超时时间为空则永久有效
return null == expiration ? false : expiration.before(new Date(System.currentTimeMillis()));
}
}Controller layer in the process, by request.getHeader ( "Authorization") or @RequestHeader ( "Authorization") way to obtain the token string sent by the client.
