1.首先了解一下Token
- uid: 用戶唯一身份標識
- time: 當前時間的時間戳
- sign: 簽名, 使用 hash/encrypt 壓縮成定長的十六進制字符串,以防止第三方惡意拼接
- 固定參數(可選): 將一些常用的固定參數加入到 token 中是為了避免重復查數據庫
2.token 驗證的機制(流程)
- 用戶登錄校驗,校驗成功后就返回Token給客戶端。
- 客戶端收到數據后保存在客戶端
- 客戶端每次訪問API是攜帶Token到服務器端。
- 服務器端采用filter過濾器校驗。校驗成功則返回請求數據,校驗失敗則返回錯誤碼
3.使用SpringBoot搭建基於token驗證
3.1 引入 POM 依賴
<!--Json web token-->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.4.0</version>
</dependency>
3.2 新建一個攔截器配置 用於攔截前端請求 實現 WebMvcConfigurer
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration public class InterceptorConfig implements WebMvcConfigurer { @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(authenticationInterceptor()) .addPathPatterns("/**");//攔截所有請求,通過判斷是否有 @LoginRequired 注解 決定是否需要登錄 } @Bean public AuthenticationInterceptor authenticationInterceptor() { return new AuthenticationInterceptor(); } }
3.3 新建一個 AuthenticationInterceptor 實現HandlerInterceptor接口 實現攔截還是放通的邏輯
import com.auth0.jwt.JWT; import com.auth0.jwt.JWTVerifier; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.exceptions.JWTDecodeException; import com.auth0.jwt.exceptions.JWTVerificationException; import com.my_springboot.rbac.pojo.Admin; import com.my_springboot.rbac.service.IAdminService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.lang.reflect.Method; /** * 攔截器去獲取token並驗證token*/ public class AuthenticationInterceptor implements HandlerInterceptor { @Autowired private IAdminService adminService; @Override public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object object) { String token = httpServletRequest.getHeader ("token");// 從 http 請求頭中取出 token // 如果不是映射到方法直接通過 if (!(object instanceof HandlerMethod)) { return true; } HandlerMethod handlerMethod = (HandlerMethod) object; Method method = handlerMethod.getMethod (); //檢查是否有@passtoken注解,有則跳過認證 if (method.isAnnotationPresent (PassToken.class)) { PassToken passToken = method.getAnnotation (PassToken.class); if (passToken.required ()) { return true; } } //檢查有沒有需要用戶權限的注解 if (method.isAnnotationPresent (UserLoginToken.class)) { UserLoginToken userLoginToken = method.getAnnotation (UserLoginToken.class); if (userLoginToken.required ()) { // 執行認證 if (token == null) { throw new RuntimeException ("無token"); } // 獲取 token 中的 user id String adminId; try { adminId = JWT.decode (token).getAudience ().get (0); } catch (JWTDecodeException j) { throw new RuntimeException ("401"); } Admin admin = adminService.getById (adminId); if (admin == null) { throw new RuntimeException ("用戶不存在"); } // 驗證 token JWTVerifier jwtVerifier = JWT.require (Algorithm.HMAC256 (admin.getPassword ())).build (); try { jwtVerifier.verify (token); } catch (JWTVerificationException e) { throw new RuntimeException ("401"); } return true; } } return true; } @Override public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception { } @Override public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception { } }
3.4 新建兩個注解 用於標識請求是否需要進行Token 驗證
import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; /** * 需要登錄才能進行操作的注解UserLoginToken*/ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) public @interface UserLoginToken { boolean required() default true; }
import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; /** * 用來跳過驗證的PassToken*/ @Target({ElementType.METHOD, ElementType.TYPE}) @Retention(RetentionPolicy.RUNTIME) public @interface PassToken { boolean required() default true; }
3.5 新建一個Service用於下發Token
import com.auth0.jwt.JWT; import com.auth0.jwt.algorithms.Algorithm; import com.my_springboot.rbac.pojo.Admin; import org.springframework.stereotype.Service; import java.util.Date; /** * 下發token*/ @Service public class TokenService { public String getToken(Admin admin) { Date start = new Date (); long currentTime = System.currentTimeMillis () + 60 * 60 * 1000;//一小時有效時間 Date end = new Date (currentTime); return JWT.create ().withAudience (admin.getId ()).withIssuedAt (start) .withExpiresAt (end) .sign (Algorithm.HMAC256 (admin.getPassword ())); } }
3.6 新建一個工具類 用戶從token中取出用戶Id
import com.auth0.jwt.JWT; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; import javax.servlet.http.HttpServletRequest; /** * token工具類*/ public class TokenUtil { public static String getTokenUserId() { String token = getRequest().getHeader("token");// 從 http 請求頭中取出 token String userId = JWT.decode(token).getAudience().get(0); return userId; } /** * 獲取request * * @return */ public static HttpServletRequest getRequest() { ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder .getRequestAttributes(); return requestAttributes == null ? null : requestAttributes.getRequest(); } }
以上。