Base64

编码 :字节数组(文本或其他格式)64个字符的表示形式

-解码 :

散列算法 

散列函数生成信息的摘要(数据的指纹。唯一标识),摘要信息长度固定

MD5,SHA-128,SHA-256

 数据完整性的校验,

秒传,先发散列值,判断服务器是否存在

散列值无法变成原始数据(不可逆)

密码在数据库的存储,散列函数+盐

 不能找回密码,只能重置

 加密算法 

对称密钥(一个密钥)

非对称密钥(公钥,私钥)

 SSH ,HTTPS

JWT 

令牌是在用户验证通过后颁发给用户的身份标示,之后请求只需携带令牌,令牌中用户的标示,不存储敏感信息,

 

如何防止被伪造,追加签名???下面将以代码形式带你领略,分为三个模块,初级,中级,高级

初级

工程目录:

Java 无密钥 jwt解析token_java

 


 pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>jwt2</groupId>
	<artifactId>jwt2</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<build>
		<sourceDirectory>src</sourceDirectory>
		<plugins>
			<plugin>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>3.8.0</version>
				<configuration>
					<release>13</release>
				</configuration>
			</plugin>
		</plugins>
	</build>

	<dependencies>

		<!-- JWT 的 java 实现 -->
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-api</artifactId>
			<version>0.11.1</version>
		</dependency>
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-impl</artifactId>
			<version>0.11.1</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-jackson</artifactId>
			<version>0.11.1</version>
			<scope>runtime</scope>
		</dependency>

	</dependencies>

</project>

App.java

package jwt2;

import java.security.Key;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

public class App {

	public static void main(String[] args) {
		
		// JWT 密钥长度不小于 256 位
		Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);
		System.out.println(key.getAlgorithm());
//		System.out.println(key.getFormat());
//		System.out.println(key.toString());
		System.out.println(key.getEncoded().length * 8);
//		System.out.println(Arrays.toString(key.getEncoded()));
		
		// 密钥
		System.out.println(Base64.getEncoder().encodeToString(key.getEncoded()));
		
		// 负载数据
		Claims claims = Jwts.claims();
		claims.put("user", "king");
		claims.put("role", "admin");
		claims.put("roles", new String[] {"admin", "test", "user"});
		
		// 生成了一个 JWT 令牌(未签名)
		String token = Jwts.builder()
				.setSubject("demo")
				.setIssuer("newer")
				.setAudience("you")
				.setIssuedAt(new Date())
				.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60))
				.addClaims(claims)	// 自定义数据
				.signWith(key)
				.compact();// 压缩
		// header.payload
		System.out.println(token);
		
		// 收到客户端请求,从请求头获得令牌解析令牌中的信息
		Claims c = Jwts.parserBuilder()
				.setSigningKey(key)
				.build()
				.parseClaimsJws(token)
				.getBody();
		
		System.out.println(c);
	}
}

运行程序,控制台输出:

Java 无密钥 jwt解析token_spring_02


 中级

工程目录:

Java 无密钥 jwt解析token_maven_03


pom.xml(依赖)

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.5.RELEASE</version>
        <relativePath/>
    </parent>
    <groupId>com.newer</groupId>
    <artifactId>jwt</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>jwt</name>

    <properties>
        <java.version>13</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <!--JWT-->
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-api</artifactId>
            <version>0.10.7</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-impl</artifactId>
            <version>0.10.7</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-jackson</artifactId>
            <version>0.10.7</version>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

 


application.yml(配置信息)

jwt:
  secret: OhtVGp0YixAH5+NnruPpXY/yU2E22uYNk4rwZDOAEvQ=

JwtApplication.java

package com.newer.jwt;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class JwtApplication {

    public static void main(String[] args) {
        SpringApplication.run(JwtApplication.class, args);
    }

}

JWTController.java

package com.newer.jwt.controller;

import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;
import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.*;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@RestController
public class JWTController {

	// 读取配置文件中的值,Spring EL
	@Value("${jwt.secret}")
	String base64Key;

	/**
	 * 生一个Token
	 *
	 * @return String token
	 */
	@PostMapping("/login")
	public String login(@RequestParam(name = "user", defaultValue = "alice") String user,
			@RequestParam(name = "info", defaultValue = "负载信息") String info) {

		Map<String, Object> claims = new HashMap<>();
		claims.put("user", user);
		claims.put("info", info);

		Date nowDate = new Date();

		// 建造者模式(创建对象的设计模式)
		// 生成 JWT 令牌
		return Jwts.builder()
				.setClaims(claims)
				.setSubject("jwt")
				.setIssuedAt(nowDate) // 令牌生成时间
				.setExpiration(new Date(nowDate.getTime() + 1000 * 60 * 5)) // 令牌的有效期
				.signWith(getSecretKey()) // 使用了密钥
				.compact(); // 压缩
	}

	/**
	 * 解码一个Token
	 */
	@PostMapping("/dec")
	public String decode(@RequestParam(name = "jwt") String jwt) {
		try {
			// 令牌解码
			Claims claims = Jwts.parser().setSigningKey(getSecretKey()).parseClaimsJws(jwt).getBody();

			return claims.toString();

		} catch (ExpiredJwtException e) {
			return "Token已过期";
		} catch (UnsupportedJwtException e) {
			e.printStackTrace();
		} catch (MalformedJwtException e) {
			e.printStackTrace();
		} catch (SignatureException e) {
			e.printStackTrace();
		} catch (IllegalArgumentException e) {
			e.printStackTrace();
		}

		return "未知的异常";
	}

	/**
	 * 随机生成一个base64的key
	 *
	 * @return String base64Key
	 */
	@GetMapping("/key")
	public String generateKey() {
		// 生成一个 HS256 算法的密钥
		Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

		// 用 Base64 把密钥编码成 字符串
		return Base64.encodeBase64String(key.getEncoded());
	}

	/**
	 * 从配置文件中获取加密key,并构造SecretKey对象返回
	 * 
	 * @return SecretKey
	 */
	private SecretKey getSecretKey() {
		return new SecretKeySpec(Base64.decodeBase64(base64Key), "HmacSHA256");
	}
}

程序运行,浏览器打开

Java 无密钥 jwt解析token_spring_04

同时可以通过postman去测试/login以及/dec ,在此就不做演示。


 高级

工程目录:

Java 无密钥 jwt解析token_Java 无密钥 jwt解析token_05


pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.1.1.RELEASE</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>
	<groupId>es.softtek</groupId>
	<artifactId>jwtDemo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>jwtDemo</name>
	<description>Demo project for Spring Boot</description>

	<properties>
		<java.version>11</java.version>
	</properties>

	<dependencies>

		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>

		<!-- JSON WEB TOKEN -->
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-api</artifactId>
			<version>0.11.1</version>
		</dependency>
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-impl</artifactId>
			<version>0.11.1</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>io.jsonwebtoken</groupId>
			<artifactId>jjwt-jackson</artifactId>
			<version>0.11.1</version>
			<scope>runtime</scope>
		</dependency>

	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

 


application.properties

spring.http.log-request-details=true
logging.level.web=debug

jwt.secret=V1beFinb07YUJuAjdBevbvCqv9FNqyw4KhM5bMKxCyU=

User.java

package es.softtek.jwtDemo.dto;

public class User {

	private String user;
	private String pwd;
	private String token;

	public String getUser() {
		return user;
	}

	public void setUser(String user) {
		this.user = user;
	}

	public String getPwd() {
		return pwd;
	}

	public void setPwd(String pwd) {
		this.pwd = pwd;
	}

	public String getToken() {
		return token;
	}

	public void setToken(String token) {
		this.token = token;
	}

}

JwtDemoApplication.java

package es.softtek.jwtDemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class JwtDemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(JwtDemoApplication.class, args);
	}

}

JWTAuthorizationFilter.java

package es.softtek.jwtDemo.security;

import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;

/**
 * 基于 JWT 用户认证的过滤器
 * 
 * @author wtao
 *
 */
public class JWTAuthorizationFilter extends OncePerRequestFilter {

	private final String HEADER = "Authorization";
	private final String PREFIX = "Bearer ";

	String base64Key = "V1beFinb07YUJuAjdBevbvCqv9FNqyw4KhM5bMKxCyU=";

	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws ServletException, IOException {
		try {
			if (checkJWTToken(request, response)) {
				Claims claims = validateToken(request);
				if (claims.get("authorities") != null) {
					setUpSpringAuthentication(claims);
				} else {
					SecurityContextHolder.clearContext();
				}
			}
			chain.doFilter(request, response);
		} catch (ExpiredJwtException | UnsupportedJwtException | MalformedJwtException e) {
			response.setStatus(HttpServletResponse.SC_FORBIDDEN);
			((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
			return;
		}
	}

	private Claims validateToken(HttpServletRequest request) {
		String jwtToken = request.getHeader(HEADER).replace(PREFIX, "");
		return Jwts.parser().setSigningKey(getSecretKey()).parseClaimsJws(jwtToken).getBody();
	}

	private SecretKey getSecretKey() {
		return new SecretKeySpec(Base64.decodeBase64(base64Key), "HmacSHA256");
	}

	/**
	 * Authentication method in Spring flow
	 * 
	 * @param claims
	 */
	private void setUpSpringAuthentication(Claims claims) {
		@SuppressWarnings("unchecked")
		List<String> authorities = (List<String>) claims.get("authorities");

		UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(claims.getSubject(), null,
				authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
		SecurityContextHolder.getContext().setAuthentication(auth);

	}

	private boolean checkJWTToken(HttpServletRequest request, HttpServletResponse res) {
		String authenticationHeader = request.getHeader(HEADER);
		if (authenticationHeader == null || !authenticationHeader.startsWith(PREFIX))
			return false;
		return true;
	}

}

WebSecurityConfig.java

package es.softtek.jwtDemo.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import es.softtek.jwtDemo.security.JWTAuthorizationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.csrf()
			.disable()
			.addFilterAfter(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
			.authorizeRequests().antMatchers(HttpMethod.POST, "/user").permitAll()
			.anyRequest().authenticated();
	}
}

HelloWorldController.java

package es.softtek.jwtDemo.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloWorldController {

	@RequestMapping("/hello")
	public String helloWorld(@RequestParam(value="name", defaultValue="World") String name) {
		return "Hello "+name+"!!";
	}
}

UserController.java

package es.softtek.jwtDemo.controller;

import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import es.softtek.jwtDemo.dto.User;
import io.jsonwebtoken.Jwts;

@RestController
public class UserController {

	@Value("${jwt.secret}")
	String base64Key;

	@PostMapping("/user")
	public User login(@RequestParam("user") String username, @RequestParam("password") String pwd) {

		String token = getJWTToken(username);
		User user = new User();
		user.setUser(username);
		user.setToken(token);
		return user;

	}

	private String getJWTToken(String username) {

		List<GrantedAuthority> grantedAuthorities = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");

		String token = Jwts.builder().setSubject(username)
				.claim("authorities",
						grantedAuthorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()))
				.setIssuedAt(new Date(System.currentTimeMillis()))
				.setExpiration(new Date(System.currentTimeMillis() + 600000)).signWith(getSecretKey()).compact();

		return "Bearer " + token;
	}

	private SecretKey getSecretKey() {
		return new SecretKeySpec(Base64.decodeBase64(base64Key), "HmacSHA256");
	}
}

JwtDemoApplicationTests.java

package es.softtek.jwtDemo;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class JwtDemoApplicationTests {

	@Test
	public void contextLoads() {
	}

}

程序运行,此时访问/hello是被禁止的,我们先通过post /user获得令牌信息

Java 无密钥 jwt解析token_spring_06


上图中我们已经获取到令牌信息,然后我们可以用这个令牌访问hello

Java 无密钥 jwt解析token_maven_07