SpringBoot 2.1.4集成JWT實現token驗證

SpringBoot 2.1.4集成JWT實現token驗證

編者： wRitchie（吳理琪） 來源：http://www.bj9420.com

什麼是JWT：Json web token (JWT) 是為了在網絡應用環境間傳遞聲明而執行的一種基於JSON的開放標準（(RFC 7519)。定義了一種簡潔的，自包含的方法用於通信雙方之間以JSON對象的形式安全的傳遞信息。因為數字簽名的存在，這些信息是可信的，JWT可以使用HMAC算法或者是RSA或ECDSA的公私祕鑰對進行簽名。

JWT如何獲取訪問令牌(token)並用於訪問資源(API)流程：1、應用端向權限服務器請求授權；2、權限服務器授權成功嚮應用端返回一個訪問令牌（token）；3、應用端使用訪問令牌(token)訪問受保護的資源(如API)。

JWT是由三段信息構成，將這三段信息文本用“.“連接一起就構成了JWT字符串，Header.Payload.Signature，例如：eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1NTgwNjI2OTYsInVzZXJJZCI6IjEifQ.XiI0xjX0izVeJRmhbXN1w1fXKdHB0wsc9teFKq84pclpJt6yS2k0BVXAklHrke_nz6XtcCyi1hgvpn8bf95gwg。

第一步：pom.xml添加依賴，引入jar包：

版本聲明

<properties>
<!--jjwt -->
<jjwt.version>0.9.1</jjwt.version>
</properties>

版本依賴:

<dependencies>

<dependency>

<groupId>io.jsonwebtoken</groupId>

<artifactId>jjwt</artifactId>

<version>${jjwt.version}</version>

</dependency>

</dependencies>

第二步：實現JWT的token驗證共3個Java類。首先註冊一個檢驗JWT的過濾器jwtFilter, 通過jwtFilter過濾器實現對每個Rest API請求都驗證JWT的功能。 其中JwtAuthenticationFilter繼承了OncePerRequestFilter，任何請求都會先經過jwtFilter過濾器, 然後選擇讓合法JWT請求通過jwtFilter。 具體在SpringBoot的Application啟動類中增加@Bean註解，代碼如下：

@Bean

public FilterRegistrationBean jwtFilter() {

logger.info("JWT Filter 運行中...");

final FilterRegistrationBean registrationBean = new FilterRegistrationBean();

JwtAuthenticationFilter filter = new JwtAuthenticationFilter();

registrationBean.setFilter(filter);

return registrationBean;

}

第三步：再看JWT權限過濾器JwtAuthenticationFilter.java，JwtAuthenticationFilter類繼承了OncePerRequestFilter抽象類， 確保任何用戶請求資源都會運行doFilterInternal方法。此處將從HTTP Header裡面截取JWT， 並且驗證JWT的簽名和過期時間，若有問題，會返回HTTP 401錯誤。

package com.bj9420.jwt;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.util.AntPathMatcher;

import org.springframework.util.PathMatcher;

import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;

import javax.servlet.ServletException;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

/**

* @Author: wRitchie

* @Description: JWT權限過濾器

* @Param:

* @return:

* @Date: 2019/1/14 14:32

*/

public class JwtAuthenticationFilter extends OncePerRequestFilter {

private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

private static final PathMatcher pathMatcher = new AntPathMatcher();

@Override

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

log.info("JWT權限過濾器 JwtAuthenticationFilter開始...");

try {

String servletPath = request.getServletPath();

if(isProtectedUrl(request)) {

log.info("私密API請求："+servletPath);

request = JwtUtil.validateTokenAndAddUserIdToHeader(request);

}else{

log.info("開放API請求："+servletPath);

}

} catch (Exception e) {

log.info("JWT權限過濾器異常："+e);

response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());

return;

}

filterChain.doFilter(request, response);

}

/**

* @Author: wRitchie

* @Description: 是否需要token驗證 路徑中url含api，則返回true，不含則返回false

* @Param: [request]

* @return: boolean

* @Date: 2019/1/14 14:34

*/

private boolean isProtectedUrl(HttpServletRequest request) {

/** 對路徑中url含有api的請求的返回true */

boolean matchFlag = pathMatcher.match("/**/api/**", request.getServletPath());

return matchFlag;

}

}

第四步： JwtUtil.java工具類，主要是生成令牌方法和驗證令牌是否有效，具體如下：

package com.bj9420.jwt;

import io.jsonwebtoken.Jwts;

import io.jsonwebtoken.SignatureAlgorithm;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

import java.util.*;

/**

* @Author: wRitchie

* @Description: JwtUtil工具類

* @Param:

* @return:

* @Date: 2019/1/14 15:14

*/

public class JwtUtil {

private static final Logger log = LoggerFactory.getLogger(JwtUtil.class);

/**

* 失效時間： 1 天 =24*3600*1000 ms

*/

public static final long EXPIRATION_TIME = 1 * 24 * 3600 * 1000;

/**

* 私鑰

*/

public static final String SECRET = "http://www.bj9420.com/jwt";

/**

* token 前綴

*/

public static final String TOKEN_PREFIX = "Bearer ";

/**

* Authorization header

*/

public static final String HEADER_STRING = "Authorization";

/**

* 保存的數據字段名稱

*/

public static final String USER_NAME = "userId";

public static String generateToken(String userId) {

HashMap<String, Object> map = new HashMap<>();

//可以將自定義相關的數據放入Map中

map.put(USER_NAME, userId);

String jwt = Jwts.builder()

.setClaims(map)

.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))

.signWith(SignatureAlgorithm.HS512, SECRET)

.compact();

//jwt前面一般都會加Bearer

return TOKEN_PREFIX + jwt;

}

public static HttpServletRequest validateTokenAndAddUserIdToHeader(HttpServletRequest request) {

String token = request.getHeader(HEADER_STRING);

log.info("請求token:" + token);

if (token != null) {

// 解析令牌token.

try {

Map<String, Object> body = Jwts.parser()

.setSigningKey(SECRET)

.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))

.getBody();

//遍歷自定的相關數據，可以刪除

for (Map.Entry<String, Object> entry : body.entrySet()) {

log.info("****JWT paser Key = " + entry.getKey() + ", Value = " + entry.getValue());

}

return new CustomHttpServletRequest(request, body);

} catch (Exception e) {

log.info(e.getMessage());

throw new TokenValidationException(e.getMessage());

}

} else {

throw new TokenValidationException("The token is invalid!");

}

}

public static class CustomHttpServletRequest extends HttpServletRequestWrapper {

private Map<String, String> claims;

public CustomHttpServletRequest(HttpServletRequest request, Map<String, ?> claims) {

super(request);

this.claims = new HashMap<>();

claims.forEach((k, v) -> this.claims.put(k, String.valueOf(v)));

}

@Override

public Enumeration<String> getHeaders(String name) {

if (claims != null && claims.containsKey(name)) {

return Collections.enumeration(Arrays.asList(claims.get(name)));

}

return super.getHeaders(name);

}

public Map<String, String> getClaims() {

return claims;

}

}

static class TokenValidationException extends RuntimeException {

public TokenValidationException(String msg) {

super(msg);

}

}

}

第五步：在控制類中編寫接口，如LoginController.java，對於需要令牌token驗證的，可以相應的請求路徑中加JwtAuthenticationFilter 類中定義的匹配規則標識符，如“api“，例如在LoginController類中，登錄方法public Result<Map<String, Object>> login(@RequestBody User user) ，註解路徑映射@PostMapping("/login")中，不含“api”，故該方法無需令牌token驗證；根據用戶ID獲取用戶信息方法public Result<Map<String, Object>> getUserInfo(@RequestHeader(value = JwtUtil.USER_NAME) String userId)，註解路徑映射@GetMapping("/api/getUserInfo")中含有“api”，故該方法令牌token驗證；如要總個控制類中的方法都需令牌token驗證，則在類的註解路徑映射中加“api”,例如：註解路徑映射@RequestMapping("loginController")改為註解路徑映射@RequestMapping("/api/loginController")，具體示例代碼如下：

package com.bj9420.controller.login;

import com.bj9420.controller.common.BaseController;

import com.bj9420.framework.SystemConstant;

import com.bj9420.framework.util.AESUtil;

import com.bj9420.framework.util.MD5Util;

import com.bj9420.framework.util.StringUtil;

import com.bj9420.jwt.JwtUtil;

import com.bj9420.model.Menu;

import com.bj9420.model.Result;

import com.bj9420.model.User;

import com.bj9420.service.menu.IMenuService;

import com.bj9420.service.user.IUserService;

import io.jsonwebtoken.Jwts;

import io.swagger.annotations.Api;

import io.swagger.annotations.ApiOperation;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.http.HttpStatus;

import org.springframework.http.ResponseEntity;

import org.springframework.web.bind.annotation.*;

import java.util.HashMap;

import java.util.List;

import java.util.Map;

/**

* @Title: LoginController.java

* @Description: 登錄控制類

* @author: wRitchie

* @date: 2018/12/28 15:39

* @version: V1.0

* @Copyright (c): 2018 http://bj9420.com All rights reserved.

*/

@RestController

@RequestMapping("loginController")

@Api(value = "登錄控制類", tags = "登錄控制類")

public class LoginController extends BaseController {

@Autowired

private IUserService userService;

@Autowired

private IMenuService menuService;

@GetMapping("sign")

@ApiOperation(value = "登錄測試", notes = "無權限驗證的登錄測試")

public Result<Map<String, Object>> sign(String loginName) {

logger.info("#######LoginController#######");

Map<String, Object> userMap = new HashMap<String, Object>();

userMap.put("loginName", loginName);

List<Map> userList = userService.selectByPager(userMap);

if (userList.size() > 0) {

userMap.put("password", "");

User user = userService.selectByPrimaryKey(1);

userMap.put("user", user);

return Result.success(userMap);

} else {

return Result.failure("用戶不存在，請先註冊。", null);

}

}

@PostMapping("/login")

@ApiOperation(value = "登錄接口", notes = "公開權限，用戶登錄後返回token")

public Result<Map<String, Object>> login(@RequestBody User user) {

logger.info("####### login #######" + user.getLoginName() + " password:" + user.getPassword());

String jwt="";

String pwdTmp = MD5Util.encode(user.getPassword());

//logger.info("####登錄名："+loginName+"\t密碼：" + password);

String sKey = MD5Util.md5(SystemConstant.SYSTEM_SKEY).substring(0, 16);

String pwdEncrypt = AESUtil.encrypt(pwdTmp, sKey).substring(0, 16);

logger.info("密碼加密：" + pwdEncrypt);

Map<String, Object> userMap = new HashMap<String, Object>();

userMap.put("loginName", user.getLoginName());

List<Map> userList = userService.selectByPager(userMap);

if (userList.size() > 0) {

userMap = userList.get(0);

String pwdDb = userMap.get("password") + "";

if (pwdDb.equals(pwdEncrypt)) {

userMap.put("password", "");

jwt = JwtUtil.generateToken(userMap.get("userId") + "");

userMap.put("token", jwt);

Map<String, Object> param=new HashMap<String, Object>();

param.put("userId", userMap.get("userId"));

List<Menu> menuList=menuService.selectBySelectiveByUserId(param);

userMap.put("menuList",menuList);

return Result.success(userMap);

} else {

logger.info("密碼錯誤。");

userMap.put("authorized", new ResponseEntity(HttpStatus.UNAUTHORIZED));

userMap.put("token", jwt);

return Result.failure("密碼錯誤，登錄失敗。", userMap);

}

} else {

logger.info("用戶不存在，請先註冊。");

userMap.put("authorized", new ResponseEntity(HttpStatus.UNAUTHORIZED));

userMap.put("token", jwt);

return Result.failure("用戶不存在，請先註冊，登錄失敗。", userMap);

}

}

@GetMapping("/api/getUserInfo")

@ApiOperation(value = "獲取用戶信息", notes = "根token獲取用戶的信息")

public Result<Map<String, Object>> getUserInfo(@RequestHeader(value = JwtUtil.USER_NAME) String userId) {

logger.info("#######LoginController getUserInfo#######");

Map<String, Object> userMap = new HashMap<String, Object>();

User user = userService.selectByPrimaryKey(Integer.valueOf(userId));

userMap.put("user", user);

return Result.success("授權成功。", userMap);

}

@GetMapping("/getUserByToken")

@ApiOperation(value = "查詢用戶信息", notes = "根據token獲取用戶的信息")

public Result<Map<String, Object>> getUserByToken(String token) {

logger.info("#######LoginController getUserByToken#######");

Map<String, Object> userMap = new HashMap<String, Object>();

String userId = "";

try {

if (token != null) {

Map<String, Object> body = Jwts.parser()

.setSigningKey(JwtUtil.SECRET)

.parseClaimsJws(token.replace(JwtUtil.TOKEN_PREFIX, ""))

.getBody();

for (Map.Entry<String, Object> entry : body.entrySet()) {

logger.info("****getUserByToken JWT paser Key = " + entry.getKey() + ", Value = " + entry.getValue());

if ("userId".equals(entry.getKey())) {

userId = (String) entry.getValue();

break;

}

}

} else {

logger.info("The token is null!");

return Result.failure("The token is null!",userMap);

}

if (!StringUtil.isEmpty(userId)) {

User user = userService.selectByPrimaryKey(Integer.valueOf(userId));

userMap.put("user", user);

return Result.success("根據token獲取用戶的信息成功。", userMap);

}

return Result.failure();

} catch (Exception e) {

return Result.exception("根據token獲取用戶的信息異常：",userMap);

}

}

}

第六步：測試API，具體結果如下圖所示：

1、登錄，請求服務授權，返回令牌token，如下圖所示

2、根據返回的令牌token，請求根據用戶ID獲取用戶信息API，正確的token請求API返回如下圖：

3、修改返回的令牌token，使用錯誤的令牌token請求根據用戶ID獲取用戶信息API，錯誤的token請求API返回如下圖：

正確錯誤令牌token請求時，IDEA控制檯日誌信息如下圖所示：

至止，SpringBoot集成JWT實驗token驗證完畢，根據具體的實際應用項目，適當修改即可以使用。