2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article walks through an example of integrating JWT with Spring Boot. It is shared here for reference for readers who are not yet familiar with the topic.
Background
JWT stands for JSON Web Token. It encodes user information into a signed token, and the server does not save any user information. The server verifies the token with the key it holds, and the request passes verification as long as the token is correct.
Advantages
1. Compact: it can be sent in a URL, in a POST parameter, or in an HTTP header; because the amount of data is small, transmission is fast.
2. Self-contained: the payload can contain the information needed about the user, avoiding repeated queries to the database.
3. Because the token is stored on the client side as encoded JSON, JWT is cross-language and is supported in principle by any web platform.
4. There is no need for the server to save session information, so it is especially suitable for distributed microservices.
Disadvantages
1. Issued tokens cannot be invalidated.
2. It is not easy to deal with data expiration.
1.1 Composition of a JWT message
A token is divided into three parts, in the following order:
1. Header
2. Payload
3. Signature
The three parts are separated by a `.` character. For example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIxYzdiY2IzMS02ODFlLTRlZGYtYmU3Yy0wOTlkODAzM2VkY2UiLCJleHAiOjE1Njk3Mjc4OTF9.wweMzyB3tSQK34Jmez36MmC5xpUh25Ni3vOV_SGCzJ8
1.2 header
The header of a JWT carries two pieces of information:
1. The type, which is JWT
2. The signing algorithm, usually HMAC SHA256
The algorithms used for verification and signature in JWT are listed below:

JWT      Algorithm name
HS256    HMAC256
HS384    HMAC384
HS512    HMAC512
RS256    RSA256
RS384    RSA384
RS512    RSA512
ES256    ECDSA256
ES384    ECDSA384
ES512    ECDSA512

1.3 payload
The payload is where the actual information is stored. It basically holds two types of data:
1. Claims registered in the standard
2. Custom data
Both kinds of data are Base64-encoded.
Claims registered in the standard (recommended but not mandatory):
iss: the issuer of the jwt
sub: the user the jwt is issued for
aud: the party that receives the jwt
exp: the expiration time of the jwt, which must be later than the issuing time
nbf: the time before which the jwt is not valid
iat: the issuing time of the jwt
jti: the unique identifier of the jwt, mainly used as a one-time token to avoid replay attacks
Custom data: the key-value pairs we want to store in the token
1.4 signature
The third part of a JWT is the signature, which is built from three parts.
The Base64-encoded header and the Base64-encoded payload are joined with a `.` into one string. That string is then combined with the secret and signed using the algorithm declared in the header, and the result forms the third part of the JWT.
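The construction described above, written with JDK classes only, as an added example that is not code from the original article. It decodes the page's sample token (header and payload are readable without any key) and then signs and re-checks a token built from a constructed key and constructed claims; the class name `Hs256Demo` is hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class Hs256Demo { // hypothetical class name
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static String b64(String json) {
        return ENC.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }
    static String text(String part) {
        return new String(DEC.decode(part), StandardCharsets.UTF_8);
    }
    // HMAC-SHA256 over "base64url(header).base64url(payload)" with the shared secret
    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }
    static String sign(String headerJson, String payloadJson, byte[] key) throws Exception {
        String input = b64(headerJson) + "." + b64(payloadJson);
        return input + "." + ENC.encodeToString(hmac(input, key));
    }
    // Recompute the signature over the first two parts and compare in constant time
    static boolean verify(String token, byte[] key) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return false;
        try {
            return MessageDigest.isEqual(hmac(p[0] + "." + p[1], key), DEC.decode(p[2]));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Sample token from this page: the first two parts decode without a key
        String[] page = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                + "eyJhdWQiOiIxYzdiY2IzMS02ODFlLTRlZGYtYmU3Yy0wOTlkODAzM2VkY2UiLCJleHAiOjE1Njk3Mjc4OTF9."
                + "wweMzyB3tSQK34Jmez36MmC5xpUh25Ni3vOV_SGCzJ8").split("\\.");
        System.out.println(text(page[0]));
        System.out.println(text(page[1]));
        // Constructed key and claims, for illustration only
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        String token = sign("{\"typ\":\"JWT\",\"alg\":\"HS256\"}",
                "{\"aud\":\"user-1\",\"exp\":4102444800}", key);
        String[] t = token.split("\\.");
        String altered = t[0] + "." + b64("{\"aud\":\"user-2\",\"exp\":4102444800}") + "." + t[2];
        System.out.println("original verifies: " + verify(token, key));
        System.out.println("altered payload verifies: " + verify(altered, key));
    }
}
```

Because the first two parts are only Base64URL-encoded, anything placed in the payload should be treated as visible to whoever holds the token; the signature protects integrity, not confidentiality.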
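2 Example of integrating Spring Boot and JWT
Dependencies
2.1 Project dependencies

```xml
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.8.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <version>1.8.4</version>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.47</version>
</dependency>
```

2.2 Custom annotation @JwtToken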
Endpoints with this annotation require login to access.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface JwtToken {
    boolean required() default true;
}
```

2.3 JWT authentication utility class JwtUtil.java
It is mainly used to generate tokens, verify signatures, and obtain information from a token.
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Date;

public class JwtUtil {

    /** Expiration time: 5 minutes */
    private static final long EXPIRE_TIME = 5 * 60 * 1000;

    /** jwt key */
    private static final String SECRET = "jwt_secret";

    /**
     * Generate a signed token that expires in five minutes
     * @param userId
     * @return
     */
    public static String sign(String userId) {
        try {
            Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
            Algorithm algorithm = Algorithm.HMAC256(SECRET);
            return JWT.create()
                    // save the user id in the token
                    .withAudience(userId)
                    // the token expires in five minutes
                    .withExpiresAt(date)
                    // sign the token with the key
                    .sign(algorithm);
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Obtain the userId from the token
     * @param token
     * @return
     */
    public static String getUserId(String token) {
        try {
            String userId = JWT.decode(token).getAudience().get(0);
            return userId;
        } catch (JWTDecodeException e) {
            return null;
        }
    }

    /**
     * Check the token
     * @param token
     * @return
     */
    public static boolean checkSign(String token) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(SECRET);
            JWTVerifier verifier = JWT.require(algorithm)
                    // .withClaim("username", username)
                    .build();
            DecodedJWT jwt = verifier.verify(token);
            return true;
        } catch (JWTVerificationException exception) {
            throw new RuntimeException("invalid token, please get it again");
        }
    }
}
```

2.4 Interceptor for annotated endpoints: JwtInterceptor.java

```java
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;

public class JwtInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object object) {
        // fetch the token from the HTTP request header
        String token = httpServletRequest.getHeader("token");
        // if the handler is not mapped to a method, let the request through
        if (!(object instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) object;
        Method method = handlerMethod.getMethod();
        // check whether the method carries the annotation that requires login
        if (method.isAnnotationPresent(JwtToken.class)) {
            JwtToken jwtToken = method.getAnnotation(JwtToken.class);
            if (jwtToken.required()) {
                // perform authentication
                if (token == null) {
                    throw new RuntimeException("No token, please log in again");
                }
                // get the userId from the token
                String userId = JwtUtil.getUserId(token);
                System.out.println("user id:" + userId);
                // verify the token
                JwtUtil.checkSign(token);
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
    }
}
```
Register the interceptor: WebConfig.java

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * Add the jwt interceptor
     * @param registry
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(jwtInterceptor())
                // intercept all requests; whether login is required is decided
                // by the presence of the @JwtToken annotation
                .addPathPatterns("/**");
    }

    /**
     * jwt interceptor
     * @return
     */
    @Bean
    public JwtInterceptor jwtInterceptor() {
        return new JwtInterceptor();
    }
}
```

2.5 Global exception capture

```java
import com.alibaba.fastjson.JSONObject;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class GlobalExceptionHandler {

    @ResponseBody
    @ExceptionHandler(Exception.class)
    public Object handleException(Exception e) {
        String msg = e.getMessage();
        if (msg == null || msg.equals("")) {
            msg = "server error";
        }
        JSONObject jsonObject = new JSONObject();
        jsonObject.put("message", msg);
        return jsonObject;
    }
}
```

2.6 Interface JwtController.java

```java
import com.alibaba.fastjson.JSONObject;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

@RestController
@RequestMapping("/jwt")
public class JwtController {

    /**
     * Log in and get a token
     * @param userName
     * @param passWord
     * @return
     */
    @PostMapping("/login")
    public Object login(String userName, String passWord) {
        JSONObject jsonObject = new JSONObject();
        // verify whether the user exists (for simplicity, assume that the user
        // exists, and create a uuid that is assumed to be the user id)
        String userId = UUID.randomUUID().toString();
        // generate the signed token
        String token = JwtUtil.sign(userId);
        Map<String, String> userInfo = new HashMap<>();
        userInfo.put("userId", userId);
        userInfo.put("userName", userName);
        userInfo.put("passWord", passWord);
        jsonObject.put("token", token);
        jsonObject.put("user", userInfo);
        return jsonObject;
    }

    /**
     * This API requires a signed token to access
     * @return
     */
    @JwtToken
    @GetMapping("/getMessage")
    public String getMessage() {
        return "you have passed the verification";
    }
}
```

2.7 Postman test of the interface
2.7.1 Access the jwt/getMessage interface without a token
2.7.2 Log in before accessing the jwt/getMessage interface
Login:
Request the jwt/getMessage interface again with token
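The page's `JwtUtil` keeps the HMAC key as the literal `"jwt_secret"`, and `getUserId` reads the `aud` claim through `JWT.decode`, which parses a token without checking its signature. The variant below is an added example, not the article's code: it takes the key from outside the source tree and returns the user id only from a token that has passed `verify`. The class name `VerifiedJwt` and the environment variable `JWT_SECRET` are assumptions.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.List;
import java.util.Optional;

public final class VerifiedJwt { // hypothetical class name
    private static final long EXPIRE_MILLIS = 5 * 60 * 1000;
    private final Algorithm algorithm;

    public VerifiedJwt(String secret) {
        // HS256 keys should be at least as long as the 256-bit hash output
        if (secret == null || secret.getBytes(StandardCharsets.UTF_8).length < 32) {
            throw new IllegalStateException("JWT secret is missing or shorter than 32 bytes");
        }
        this.algorithm = Algorithm.HMAC256(secret);
    }

    // JWT_SECRET is an assumed variable name; any secret store outside the code works
    public static VerifiedJwt fromEnvironment() {
        return new VerifiedJwt(System.getenv("JWT_SECRET"));
    }

    public String sign(String userId) {
        return JWT.create()
                .withAudience(userId)
                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRE_MILLIS))
                .sign(algorithm);
    }

    // Claims are read from the DecodedJWT returned by verify(), so the signature
    // and the exp claim have been checked before the user id is trusted
    public Optional<String> verifiedUserId(String token) {
        if (token == null) {
            return Optional.empty();
        }
        try {
            DecodedJWT jwt = JWT.require(algorithm).build().verify(token);
            List<String> aud = jwt.getAudience();
            return (aud == null || aud.isEmpty()) ? Optional.empty() : Optional.of(aud.get(0));
        } catch (JWTVerificationException e) {
            return Optional.empty();
        }
    }
}
```

In the interceptor, an empty result would be treated the same as a missing token, so the user id is never logged or acted on before verification succeeds.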
The above is the full content of the article "Sample Analysis of SpringBoot Integration JWT". Thank you for reading!