当前位置：网站首页>JWT diagram

JWT diagram

2022-07-25 15:56:00 【51CTO】

JWT brief introduction

JWT（Json Web Token） adopt json form , As web Token in application , Used to securely treat information as between parties json Object creation , In the process of data transmission, data encryption can also be completed 、 Signature and other related processing , The characteristics are as follows :

Cross language ： Support for mainstream languages
Self contained ： Include all necessary information , Such as user information and signature
Easy to transmit ： It's easy to get through HTTP Head pass

Conventional session authentication

# JWT The illustration _json

There are problems with traditional schemes :

More users , The more expensive the server is
cookie It's not safe
In the case of clusters , Users must be on the same server or through session Sharing mechanism realizes authentication
Front and rear end separation increases complexity , Such as ： agent 、 Routing Gateway

be based on JWT authentication

# JWT The illustration _json_02

The certification process

First , Front end by Web The form sends its user name and password to the backend . This process is generally a HTTP POST request . The way to suggest it is through SSL Encrypted transmission （https agreement ）, So as to avoid sensitive information being sniffed
After the back end checks the user name and password successfully , The user's id And other information as JWT Payload（ load ）, Separate it from the head Base64 Code stitching and signature , Form an identity xxx.yyy.zzz A string of JWT(Token)
Backend will JWT The string is returned to the front end as the result of successful login . The front end can save the returned results in localStorage or sessionStorage On , When logging out, the front end will delete the saved JWT that will do
The front end will JWT Put in HTTP Header Medium Authorization position .( solve XSS and XSRF problem )
Back end check JWT Whether there is , If it exists, verify its effectiveness . for example , Check that the signature is correct ; Check Token Is it overdue ; Check Token Whether the recipient is himself （ Optional ）
After verification, the back end uses JWT The user information contained in is used for other logical operations , Return the corresponding results

JWT The advantages of

concise (Compact): Can pass URL,POST Parameters may be in HTTP header Sent in , Small amount of data , Fast transmission speed
Self contained (Self-contained)： The load contains the information that users need , Avoid multiple queries to the database
because Token In order to JSON The encrypted form is saved on the client , therefore JWT It's Cross Language Of , In principle, any web All forms support
There is no need to save session information on the server , Especially for distributed microservices

JWT Structure

Token yes String ====> header.payload.signature

1、 token （token） form

header （header）
Payload （payload）
Signature （signature）

2、Header

The header usually consists of two parts ： Type of token （ namely JWT） And so on The algorithm used
It will use Base64 Code composition JWT The first part of the structure
Be careful ：Base64 It's a kind of coding , in other words , He can translate back to the original data , It's not an encryption process

3、payload

The second part of the token is Payload , It contains a statement , Life is about Entity （ It is usually a declaration of users and other data ）
It USES Base64 The code consists of JWT The second part of the structure
Be careful ： Don't store sensitive information （eg.password）

4、signature

The first two parts are Base64 Coded , That is, the front end can unlock the information inside
signature You need to use the encoded Header and payload And myself A key provided （ That is, salt value ）, Use header The algorithm specified in （HS256） To sign
The function of signature To ensure the JWT It has not been tampered with

eg.

Verification ： header + payload + Salt value == signature The data of

JWT Common abnormal information in

AlgorithmMismatchException Algorithm mismatch exception （ That is, the algorithm used is inconsistent ）
SignatureVerificationException Signature inconsistency exception （ That is, the signatures used are inconsistent ）
InvalidClaimException Invalid payload abnormal （ That is, the data is tampered ）
TokenExpiredException Token expiration exception

Java Use JWT actual combat

Import JWT rely on

<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>4.0.0</version>
</dependency>

     1.
2.
3.
4.
5.
6.

To write JWT Tool class

package com.example.jwt.utils;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Calendar;
import java.util.Map;

/** * @author  Xie Yang  * @version 1.8.0_131 * @date 2022/7/22 14:34 * @description JWT token  Tool class  *  contain token Generation 、 verification 、 Access to data, etc ... */
public class JWTUtils {

    //  Private signature  ( salt )
    private static final String SECRET = "[email protected]";

    //  Default token Survival time 
    private static final Integer DEFAULT_DAY = 7;

    /** *  Get the default time token data  * * @param map  data , Do not pass in user sensitive information  * @return token token  */
    public static String getToken(Map<String, String> map) {
        return getToken(map, DEFAULT_DAY, SECRET);
    }

    /** *  Get the specified time of token data  * * @param map  data , Do not pass in user sensitive information  * @param day  Appoint  token  Survival time  ( God ) * @return token token  */
    public static String getToken(Map<String, String> map, Integer day) {
        return getToken(map, day, SECRET);
    }

    /** *  Get the specified signature  token * * @param map  data , Do not pass in user sensitive information  * @param secret  Signature  * @return token token  */
    public static String getToken(Map<String, String> map, String secret) {
        return getToken(map, DEFAULT_DAY, secret);
    }


    /** *  Customize token token  * * @param map  data  * @param day token  Survival time  ( God ) * @param secret  Signature  * @return token token  */
    public static String getToken(Map<String, String> map, Integer day, String secret) {
        JWTCreator.Builder builder = JWT.create();

        map.forEach((key, value) -> {
            builder.withClaim(key, value); //  Save the data 
        });

        Calendar instance = Calendar.getInstance();
        instance.add(Calendar.DATE, day);

        return builder.withExpiresAt(instance.getTime()) //  Set up token Expiration time 
                .sign(Algorithm.HMAC256(secret)); //  Set signature 
    }

    /** *  Verify the default signature  token * * @param token  token  */
    public static void verify(String token) {
        verify(token, SECRET);
    }

    /** *  Verify the specified signature token * * @param token  token  * @param secret  Custom signature  */
    public static void verify(String token, String secret) {
        JWT.require(Algorithm.HMAC256(secret)).build().verify(token);
    }


    /** *  Get the specified signature  DecodedJWT  data  * * @param token  token  * @param secret  Signature  * @return DecodedJWT */
    public static DecodedJWT getDecodedJWT(String token, String secret) {
        return JWT.require(Algorithm.HMAC256(secret)).build().verify(token);
    }

    /** *  Get default signature  DecodedJWT  data  * * @param token  token  * @return DecodedJWT */
    public static DecodedJWT getDecodedJWT(String token) {
        return getDecodedJWT(token, SECRET);
    }

    /** *  Get the single data of the default signature  * * @param token  token  * @param claim  Declaration name  * @param slazz  Declaration type  * @param <T>  Method type  * @return  data <T> */
    public static <T> T getClaim(String token, String claim, Class<T> slazz) {
        return getClaim(token, SECRET, claim, slazz);
    }

    /** *  Get the single data of the specified signature  * * @param token  token  * @param secret  Signature  * @param claim  Declaration name  * @param slazz  Declaration type  * @param <T>  Method type  * @return  data <T> */
    public static <T> T getClaim(String token, String secret, String claim, Class<T> slazz) {
        return getDecodedJWT(token, secret).getClaim(claim).as(slazz);
    }

    /** *  Get all default data  * * @param token  token  * @return Map<String, Claim> */
    public static Map<String, Claim> getClamins(String token) {
        return getClamins(token, SECRET);
    }

    /** *  In the past, specify to sign all data  * * @param token  token  * @param secret  Signature  * @return Map<String, Claim> */
    public static Map<String, Claim> getClamins(String token, String secret) {
        return getDecodedJWT(token, secret).getClaims();
    }

}













































































































































































Write interceptors

package com.example.jwt.interceptors;

import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.example.jwt.utils.JWTUtils;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;

/** * @author  Xie Yang  * @version 1.8.0_131 * @date 2022/7/22 16:55 * @description  Interceptor  */
public class JwtInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String token = request.getHeader("token");
        Map<String, Object> map = new HashMap<>();
        try {
            JWTUtils.verify(token);
            return true;
        } catch (AlgorithmMismatchException | SignatureVerificationException | InvalidClaimException e) {
            map.put("msg"," Do not modify the data ");
            map.put("state","4001");
        } catch (TokenExpiredException e) {
            map.put("msg", " Login expired ");
            map.put("state", "4002");
        } catch (Exception e) {
            map.put("msg", " Please log in first ");
            map.put("state", "4003");
        }
        String json = new ObjectMapper().writeValueAsString(map);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(json);
        return false;

    }
}

     1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.

package com.example.jwt.config;

import com.example.jwt.interceptors.JwtInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

/** * @author  Xie Yang  * @version 1.8.0_131 * @date 2022/7/22 17:02 * @description */
@Configuration
public class InterceptorConfig extends WebMvcConfigurationSupport {
    @Override
    protected void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new JwtInterceptor())
                .addPathPatterns("/user/index")
                .excludePathPatterns("/user/login");
    }
}

     1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.