Spring boot 集成jwt 实现请求认证（带有过期时间）

一、添加依赖

    io.jsonwebtoken
    jjwt
    0.9.0

二、编写 jwt 过滤器并进行 配置
 

JwtFilter 过滤器

package com.tnar.config;

import com.tnar.utils.JwtUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureException;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @author dzx
 * @ClassName:
 * @Description:
 * @date 2019年04月23日 15:05:21
 */
public class JwtFilter extends GenericFilterBean {


    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        String requestURI = request.getRequestURI();
        System.out.println("当前请求URI路径："+requestURI);

        //如果是用户注册，登录，验证，同步操作则直接放行
        if(requestURI.startsWith("/tAcctCustOperate")){
            chain.doFilter(req, res);
            return;
        }

        //请求头中需要添加authorization字段
        final String authHeader = request.getHeader("authorization");

        // If the Http request is OPTIONS then just return the status code 200
        // which is HttpServletResponse.SC_OK in this code
        if ("OPTIONS".equals(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
            chain.doFilter(req, res);
        } else {
            //authorization 的 值，需要以Bearer 开头，否则认证不通过
            // Check the authorization, check if the token is started by "Bearer "
            if (authHeader == null || !authHeader.startsWith("Bearer ")) {
                throw new ServletException("Missing or invalid Authorization header");
            }

            // Then get the JWT token from authorization
            final String token = authHeader.replaceFirst("Bearer", "").trim();

            try {
                // Use JWT parser to check if the signature is valid with the Key "secretkey"
                //final Claims claims = Jwts.parser().setSigningKey("secretkey").parseClaimsJws(token).getBody();
                final Claims claims = JwtUtil.parseJWT(token);
                // Add the claim to request header
                request.setAttribute("claims", claims);
            } catch (final SignatureException e) {
                throw new ServletException("Invalid token");
            }

            chain.doFilter(req, res);
        }
    }
}

JwtConfig 配置项

package com.tnar.config;

import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * @author dzx
 * @ClassName:
 * @Description:
 * @date 2019年04月23日 14:58:30
 */
@Configuration
public class JwtConfig {

    @Bean
    public FilterRegistrationBean jwtFilter() {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
        registrationBean.setFilter(new JwtFilter());
        registrationBean.addUrlPatterns("/*");
        System.out.println("加载jwt过滤器完成。。。。。。。。。。。。。");
        return registrationBean;
    }
}

JwtUtil 工具类，生成jwttoken ，以及解析 jwtToken 获取到 用户名，密码，过期时间信息等

package com.tnar.utils;

import com.alibaba.fastjson.JSON;
import com.oracle.xmlns.internal.webservices.jaxws_databinding.JavaWsdlMappingType;
import com.tnar.exception.MyException;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.security.Key;
import java.util.Date;

public class JwtUtil {

    public static final long EXPIRATION_TIME = 3600_000_000L; // 1000 hour 有效期
    public static final String SECRET = "lambeter";//  密钥

    //解析
    public static Claims parseJWT(String jsonWebToken) {
        try {
            Claims claims = Jwts.parser()
                    .setSigningKey(DatatypeConverter.parseBase64Binary(SECRET))
                    .parseClaimsJws(jsonWebToken).getBody();
            return claims;
        } catch (Exception ex) {
            throw new MyException(ex.getMessage());
        }
    }

    //和时间有关的token
    public static String generateToken(Integer id, Date loginTime) {
        return MD5Util.getMD5ofStr((long)id + (loginTime == null ? 0L : Math.round(loginTime.getTime()/1000.0)) + SECRET);
    }

    //生成
    public static String createJWT(String userName, String password) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        //当前时间
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);
        //生成签名密钥
        byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(SECRET);
        Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
        //添加构成JWT的参数
        JwtBuilder builder = Jwts.builder().setHeaderParam("type", "JWT")
                .claim("userName", userName)
                .claim("password", password)
                .signWith(signatureAlgorithm, signingKey);
        //添加Token过期时间
        long expMillis = nowMillis + EXPIRATION_TIME;
        Date exp = new Date(expMillis);
        builder.setExpiration(exp).setNotBefore(now);
        //生成JWT
        String jwtTokenStr = builder.compact();
        return jwtTokenStr;
    }


    public static void main(String[] args){
        String token = JwtUtil.createJWT("admin", "123456");
         System.out.println(token);
        Claims claims = JwtUtil.parseJWT(token);

       System.out.println(JSON.toJSONString(claims));

    }

}

三、测试过程 ：

项目启动成功之后，访问 除了  /tAcctCustOperate/** 之外的其它任意接口，发现都会报以下错误，说明请求头中没有

jwtToken

 

然后我们 在登录的 时候 利用jwtUtil 生成 一个token

String jwtToken = JwtUtil.createJWT(userName,password);

之后将 token 返回 给 前端，前端下次在请求接口的时候，在 请求头中带上以下信息就可以通过认证，并成功访问接口了。

key 为  authorization ，value 为 Bearer(接一个空格) 开头的在登录的时候生成的jwtToken，过期时间为1000小时