当前位置:网站首页>JWT(Json Web Token)
JWT(Json Web Token)
2022-06-24 22:42:00 【Passerby Chen】
1.JWT(Json Web Token)
JWT Token by Header( Head )、Payload( load )、Signature( Signature ) Three parts , The essence is a string . Use points in the middle of each part (.) Separate , such as :xxxxx.yyyyy.zzzzz
Header( Head )
The header includes the type of token ( namely JWT) And the hash algorithm used ( Such as HMAC、SHA256 or RSA), The main statement is JWT The signature algorithm of .
Payload( load )
The second part is the load , The content is also a Json object , It's a place to store valid information , It can store JWT Off the shelf fields provided , Than Such as :iss( Issuer ),exp( Expiration time stamp ), sub( For users ) etc. , You can also customize fields . It is not recommended to store sensitive information in this section , Because this part can decode and restore the original content . It mainly carries various declarations and transmits plaintext data .
Signature( Signature )
The third part is signature , This part is used to prevent JWT The content has been tampered with . This part uses base64url Code the first two parts , Use points after coding (.) Join to form a string , Finally using header In a statement Signature algorithm to sign .
JWT The main purpose of is to transfer declarations in a secure way between the server and the client .
The main application scenarios are as follows :
- authentication Authentication;
- to grant authorization Authorization;
- associated recognition ;
- Client session ( Stateless session );
- Client secrets .
2.JWS、JWE、JWK、JWKset、JWA and nonsecure JWT difference
JWS | JSON Web Signature( Signature ) | Have Signature( Signature ) Part of the JWT go by the name of JWS, That is to say JWT The signature of the JWS, That is to say JWT Signature |
JWE | JSON Web Encryption( encryption ) | JWT part payload Encrypted JWT |
JWK | JSON Web Key | JWT The key of ( Private key ), That's what we often say scret |
JWKset | JSON Web Key set | JWT key set In asymmetric encryption , What is needed is a key pair, not a separate key , It will be explained later |
JWA | JSON Web Algorithms( Algorithm ) | At present JWT The cryptographic algorithm used |
nonsecure JWT | When the signature algorithm of the header is set to none When , The JWT It's not safe ; Because part of the signature is vacant , Everyone can modify | No, Signature( Signature ) Part of the JWT go by the name of nonsecure JWT, That is, unsafe JWT |
JJWT | Used in JVM Create and validate on JSON Web token (JWTs) The library of | Is based on JWT、JWS、JWE、JWK and JWA RFC canonical Java Realization ( Is to provide end-to-end JWT Create and verify Java library ) |
JWS The third part of the is a visa information , This visa information consists of three parts :
base64UrlEncode(header):JWT The first part of the token .
base64UrlEncode(payload):JWT The second part of the token .
secret: The key used for signing .
3.JWT How user authentication works
1. The client uses the user name and password to request login
2. The server receives the request , Verify user name and password
3. After successful verification , The server will issue a token, Put this again. token Return to the client
4. Client received token Then you can store it , For example, put it in cookie in
5. Each time the client requests resources from the server, it needs to carry the certificate issued by the server token, Can be in cookie perhaps header Middle carry
6. The server receives the request , Then go to verify the client request token, If the validation is successful , Just return the request data to the client
4. Realization JWT Generate token
4.1 stay Maven In Engineering pom.xml Add JWT Related dependencies
<!--JWT token -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
4.2JWT Tool class
import com. Company name .SystemConstants;
import io.jsonwebtoken.*;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.util.*;
public class AppJwtUtil {
// TOKEN Is valid for one day (S)
private static final int TOKEN_TIME_OUT = 3600;
// encryption KEY
private static final String TOKEN_ENCRY_KEY = "MDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjY";
// Minimum refresh interval (S)
private static final int REFRESH_TIME = 300;
// production ID
public static String createToken(Long id) {
Map<String, Object> claimMaps = new HashMap<>();
claimMaps.put("id", id);
long currentTime = System.currentTimeMillis();
return Jwts.builder()
.setId(UUID.randomUUID().toString())
.setIssuedAt(new Date(currentTime)) // The issuance of time
.setSubject("system") // explain
.setIssuer("heima") // Signer information
.setAudience("app") // Receiving user
.compressWith(CompressionCodecs.GZIP) // Data compression
.signWith(SignatureAlgorithm.HS512, generalKey()) // encryption
// One hour overdue
.setExpiration(new Date(currentTime + TOKEN_TIME_OUT * 1000)) // Expiration time stamp
.addClaims(claimMaps) //cla Information
.compact();
}
/**
* obtain token Medium claims Information
* @param token
* @return
*/
private static Jws<Claims> getJws(String token) {
return Jwts.parser()
.setSigningKey(generalKey())
.parseClaimsJws(token);
}
/**
* obtain payload body Information
* @param token
* @return
*/
public static Claims getClaimsBody(String token) {
try {
return getJws(token).getBody();
} catch (ExpiredJwtException e) {
return null;
}
}
/**
* obtain hearder body Information
* @param token
* @return
*/
public static JwsHeader getHeaderBody(String token) {
return getJws(token).getHeader();
}
/**
* Is it overdue
* @param token
* @return 1 It works 0 Invalid 2 Has expired
*/
public static Integer verifyToken(String token) {
try {
Claims claims = AppJwtUtil.getClaimsBody(token);
if (claims == null) {
return SystemConstants.JWT_FAIL;
}
return SystemConstants.JWT_OK;
} catch (ExpiredJwtException ex) {
return SystemConstants.JWT_EXPIRE;
} catch (Exception e) {
return SystemConstants.JWT_FAIL;
}
}
/**
* Encryption by string generation key
* @return
*/
public static SecretKey generalKey() {
byte[] encodedKey = Base64.getEncoder().encode(TOKEN_ENCRY_KEY.getBytes());
SecretKey key = new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");
return key;
}
}
4.3JWT System constant class
public class SystemConstants {
//JWT TOKEN Has expired
public static final Integer JWT_EXPIRE = 2;
//JWT TOKEN It works
public static final Integer JWT_OK = 1;
//JWT TOKEN Invalid
public static final Integer JWT_FAIL = 0;
}
边栏推荐
- ThreadLocal memory leak
- LeetCode Algorithm 剑指 Offer II 027. 回文链表
- Firewall working principle and detailed conversation table
- Embedded development: tips and tricks -- clean jump from boot loader to application code
- Interrupt, interrupted, isinterrupted differences
- Envoy obtain the real IP address of the client
- Idea close global search box
- Seven principles of software design
- Redis hop table
- 华大4A0GPIO设置
猜你喜欢
Data center basic network platform
Description of transparent transmission function before master and slave of kt6368a Bluetooth chip, 2.4G frequency hopping automatic connection
Nuscenes -- remedies for missing image files or 0-size images encountered during dataset configuration
结构体的内存对齐
详细了解关于sentinel的实际应用
Leetcode: push domino (domino simulation)
AQS source code analysis
Can AI chat robots replace manual customer service?
Main steps of system test
MySQL + JSON = King fried!!
随机推荐
Envoy obtain the real IP address of the client
Nuscenes -- remedies for missing image files or 0-size images encountered during dataset configuration
Common voting governance in Dao
Web security XSS foundation 06
如何比较两个或多个分布:从可视化到统计检验的方法总结
Problèmes de concurrence dans l'allocation de mémoire en tas
【Mongodb】READ_ME_TO_RECOVER_YOUR_DATA,数据库被恶意删除
04A interrupt configuration
堆内存分配的并发问题
find your present (2)
Future development of education industry of e-commerce Express
源码阅读 | OpenMesh读取文本格式stl的过程
CSRF and SSRF for web attacks
Use of selector for NiO multiplexing
How to solve the problem that the computer suddenly can't connect to WiFi
HTTP的缓存控制
Information update on automatic control principle
磁盤的結構
重磅!法大大上榜“专精特新”企业
NiO, bio, AIO