利用jwt生成token,用于http请求身份验证

  前段时间在做移动端接口过程中,考虑到安全性,所有移动端发送请求(除了登录请求)过程中进行token有效验证。

   1.利用jwt生成token

   a.导入jwt相关包

  

        
        <dependency>
            <groupId>com.nimbusdsgroupId>
            <artifactId>nimbus-jose-jwtartifactId>
            <version>4.23version>
        dependency>            

 

   b.编写生成token的工具类TokenUtils

  

public class TokenUtils {

    private static final byte[] secret = "geiwodiangasfdjsikolkjikolkijswe".getBytes();


    //生成一个token
    public static String creatToken(String uid) throws JOSEException {

        Map payloadMap = new HashMap<>();
        payloadMap.put("uid", uid);
        //生成时间
        payloadMap.put("sta", new Date().getTime());
        //过期时间
        payloadMap.put("exp", new Date().getTime()+1000*60*60*24); //24小时token失效
        
        //先建立一个头部Header
        JWSHeader jwsHeader = new JWSHeader(JWSAlgorithm.HS256);

        //建立一个载荷Payload
        Payload payload = new Payload(new JSONObject(payloadMap));

        //将头部和载荷结合在一起
        JWSObject jwsObject = new JWSObject(jwsHeader, payload);

        //建立一个密匙

        JWSSigner jwsSigner = new MACSigner(secret);

        //签名
        jwsObject.sign(jwsSigner);

        //生成token
        return jwsObject.serialize();
    }
    

    public static Map valid(String token) throws JOSEException, ParseException {

        JWSObject jwsObject = JWSObject.parse(token);

        //获取到载荷
        Payload payload=jwsObject.getPayload();

        //建立一个解锁密匙
        JWSVerifier jwsVerifier = new MACVerifier(secret);

        Map resultMap = new HashMap<>();
        //判断token
        if (jwsObject.verify(jwsVerifier)) {
            resultMap.put("Result", 0);
            //载荷的数据解析成json对象。
            JSONObject jsonObject = payload.toJSONObject();
            resultMap.put("data", jsonObject);

            //判断token是否过期
            if (jsonObject.containsKey("exp")) {
                Long expTime = Long.valueOf(jsonObject.get("exp").toString());
                Long nowTime = new Date().getTime();
                //判断是否过期
                if (nowTime > expTime) {
                    //已经过期
                    resultMap.clear();
                    resultMap.put("Result", 2);
                }
            }
        }else {
            resultMap.put("Result", 1);
        }
        return resultMap;

    }
}

  

    2.对于移动端所有请求进行过滤

    a.在web.xml中配置相关过滤器(对所有请求含有/app开头的进行拦截,除了/app/login)

    

   <filter>
        <filter-name>AppRequestFilterfilter-name>
        <filter-class>com.demo.common.filter.AppRequestFilterfilter-class>
        <init-param>
            <param-name>excludedRequestsparam-name>
            <param-value>/app/loginparam-value>
        init-param>
    filter>
    <filter-mapping>
        <filter-name>AppRequestFilterfilter-name>
        <url-pattern>/app/*url-pattern>
    filter-mapping>

    b.编写AppRequestFilter类

    

public class AppRequestFilter implements Filter{
    
    private String excludedRequests;
    private String[] excludedRequestArr;
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        excludedRequests = filterConfig.getInitParameter("excludedRequests");
        if(excludedRequests != null && excludedRequests.length() > 0){
            excludedRequestArr = excludedRequests.split(",");
        }
        return;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        
        boolean isExcludedRequest = false;
        for (String requestStr : excludedRequestArr) {
            if (((HttpServletRequest) request).getServletPath().startsWith(requestStr)) {
                isExcludedRequest = true;
                break;
            }
        }
        if(isExcludedRequest){
            chain.doFilter(request, response);
        }else{
            String token = req.getHeader("app_token");
            if(StringUtil.isEmpty(token)){
                responseError(res, "token为空!");
                return;
            }else{
                Map validMap;
                try {
                    validMap = TokenUtils.valid(token);
                    int i = (int) validMap.get("Result");
                    if (i == 0) {
                        chain.doFilter(request, response);
                    } else if (i == 2) {
                        responseError(res, "token已经过期!");
                        return;
                    } else if(i == 1) {
                        responseError(res, "token无效!");
                        return;
                    }
                } catch (JOSEException e) {
                    e.printStackTrace();
                } catch (ParseException e) {
                    e.printStackTrace();
                }
            }
            
        }
    }
    
    @SuppressWarnings("deprecation")
    private void responseError(HttpServletResponse res, String errorMsg) throws IOException {
        res.setHeader("content-type", "application/json;charset=UTF-8");
        OutputStream outputStream = res.getOutputStream();
        JsonResult msg = new JsonResult(false, errorMsg);
        IOUtils.write(JSONUtil.toJsonPrettyStr(msg), outputStream);
    }

    @Override
    public void destroy() {
        return;
    }
}

    3.测试类编写

    

@Controller
@RequestMapping(value = "/app")
public class AppLogin {

    @RequestMapping(value = "/login")
    @ResponseBody
    public String login(String loginCode, String password){
        String token = "";
        try {
            token = TokenUtils.creatToken(loginCode);
        } catch (JOSEException e) {
            e.printStackTrace();
        }
        return token;
    }
}
@Controller
@RequestMapping(value = "/app/user")
public class AppSysUserController {

    @RequestMapping(value = "/getLoginName")
    @ResponseBody
    public String getLoginName(){
        return "admin";
    }
}

    4.调用查看结果

    利用jwt生成token,用于http请求身份验证_第1张图片

 

    利用jwt生成token,用于http请求身份验证_第2张图片

 

 

 
  

转载于:https://www.cnblogs.com/chao555/p/9713496.html

你可能感兴趣的:(php,json,web.xml)