SpringBoot集成JWT

JWT是一种用于双方之间传递安全信息的简洁的、URL安全的表述性声明规范。JWT作为一个开放的标准（RFC 7519），定义了一种简洁的，自包含的方法用于通信双方之间以Json对象的形式安全的传递信息。因为数字签名的存在，这些信息是可信的，JWT可以使用HMAC算法或者是RSA的公私秘钥对进行签名。简洁(Compact): 可以通过URL，POST参数或者在HTTP header发送，因为数据量小，传输速度也很快自包含(Self-contained)：负载中包含了所有用户所需要的信息，避免了多次查询数据库

1.账户实体类

@Data
public class Account {
    public String username;
    public String password;
}

2.认证过滤器

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private static final PathMatcher PATH_MATCHER = new AntPathMatcher();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        try {
            if(isProtectedUrl(request)) {
                request = JwtUtil.  validateTokenAndAddUserIdToHeader(request);
            }
        } catch (Exception e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
            return;
        }
        filterChain.doFilter(request, response);
    }

    private boolean isProtectedUrl(HttpServletRequest request) {
        return PATH_MATCHER.match("/api/**", request.getServletPath());
    }

}

3.jwt生成与校验

public class JwtUtil {
    private static final Logger logger = LoggerFactory.getLogger(JwtUtil.class);
    /**
     * 1000 hour
     */
    private static final long EXPIRATION_TIME = 3600_000_000L;
    private static final String SECRET = "ThisIsASecret";
    private static final String TOKEN_PREFIX = "Bearer ";
    private static final String HEADER_STRING = "Authorization";
    public static final String USER_NAME = "userName";

    /**
     * 生成token
     */
    public static String generateToken(String userName) {
        HashMap map = Maps.newHashMap();
        map.put(USER_NAME, userName);
        String jwt = Jwts.builder()
                .setClaims(map)
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .compact();
        //jwt前面一般都会加Bearer
        return TOKEN_PREFIX + jwt;
    }

    /**
     * 校验、解析token
     */
    public static HttpServletRequest validateTokenAndAddUserIdToHeader(HttpServletRequest request) {
        String token = request.getHeader(HEADER_STRING);
        if (token != null) {
            try {
                Map body = Jwts.parser()
                        .setSigningKey(SECRET)
                        .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
                        .getBody();
                return new CustomHttpServletRequest(request, body);
            } catch (Exception e) {
                logger.info(e.getMessage());
                throw new TokenValidationException(e.getMessage());
            }
        } else {
            throw new TokenValidationException("Missing token");
        }
    }

    public static class CustomHttpServletRequest extends HttpServletRequestWrapper {
        private Map claims;

        public CustomHttpServletRequest(HttpServletRequest request, Map claims) {
            super(request);
            this.claims = new HashMap<>();
            claims.forEach((k, v) -> this.claims.put(k, String.valueOf(v)));
        }

        @Override
        public Enumeration getHeaders(String name) {
            if (claims != null && claims.containsKey(name)) {
                return Collections.enumeration(Arrays.asList(claims.get(name)));
            }
            return super.getHeaders(name);
        }

        public Map getClaims() {
            return claims;
        }
    }

    static class TokenValidationException extends RuntimeException {
        public TokenValidationException(String msg) {
            super(msg);
        }
    }
}

4.测试controller

@RestController
@Slf4j
public class JwtController {

    //需要token的接口
    @GetMapping("/api/protected")
    public Object hellWorld(@RequestHeader(value = USER_NAME) String userName) {
        log.info("user -- {}", userName);
        return "Success - AccessToken is validated ...";
    }

    @GetMapping("/hello")
    public String hello() {
        return "hello world";
    }


    //登录 成功后返回token
    @PostMapping("/login")
    public Object login(@RequestBody final Account account){

        if (!isValidPassword(account)) {
            return new ResponseEntity(HttpStatus.UNAUTHORIZED);
        }

        String jwt = JwtUtil.generateToken(account.username);
        return new HashMap(){{
            put("token", jwt);
        }};
    }



    private boolean isValidPassword(Account credentials) {
        if ("admin".equals(credentials.username)
                && "admin".equals(credentials.password)) {
            return true;
        }
        return false;
    }

}

5.启动类

@SpringBootApplication
@Slf4j
public class JwtApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(JwtApplication.class);
        app.setBannerMode(Banner.Mode.CONSOLE);
        app.run(args);
        log.info("PortalApplication is success!");
    }

    //注册过滤器
    @Bean
    public FilterRegistrationBean jwtFilter() {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
        registrationBean.setFilter(new JwtAuthenticationFilter());
        return registrationBean;
    }

}

6.测试

生成token如下

{
    "token": "Bearer eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwiZXhwIjoxNTMzMDY0NzExfQ.8TGWbR8RXJS743u6hINmxnqLwycPZTN3iNPtKyW74rEBnLS3V0r0we9vJThfTVoz7bHYUa_R-nGiOiBGtq8XDA"
}

请求头里带上token正常访问：

SpringBoot集成JWT

你可能感兴趣的:(SpringBoot集成JWT)