一、 token的构造
token是又header(头)、payload(荷载)、sign(签名)三部分组成。
头部信息主要包括(参数的类型--JWT,签名的算法--HS256)
payload:存放自己想要的信息
sign:是为了防止恶意篡改数据
二、JWT的生成和解析
生成:
String token=JavaWebTokenUtil.createJWT("1","www.***.com",subject,1000*60*60*24*2+60000);//2天+60秒
public static String createJWT(String id, String issuer, String subject, long ttlMillis) {
//id,issuer,subject,ttlMillis都是放在payload中的,可根据自己的需要修改
//签名的算法
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
//当前的时间
long nowMillis = System.currentTimeMillis();
Date now = new Date(nowMillis);
//签名算法的秘钥,解析token时的秘钥需要和此时的一样
byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("miyao");
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
//构造
JwtBuilder builder = Jwts.builder().setId(id)
.setIssuedAt(now)
.setSubject(subject)
.setIssuer(issuer)
.signWith(signatureAlgorithm, signingKey);
logger.info("---token生成---");
//给token设置过期时间
if (ttlMillis >= 0) {
long expMillis = nowMillis + ttlMillis;
Date exp = new Date(expMillis);
logger.info("过期时间:"+exp);
builder.setExpiration(exp);
}
//压缩
return builder.compact();
}
解析:
public static Object parseJWT(String jwt) {
try {
Claims claims = Jwts.parser().setSigningKey(DatatypeConverter.parseBase64Binary("miyao")).parseClaimsJws(jwt).getBody();
logger.info("------解析token----");
logger.info("ID: " + claims.getId());
logger.info("Subject: " + claims.getSubject());
logger.info("Issuer: " + claims.getIssuer());
logger.info("IssuerAt: " + claims.getIssuedAt());
logger.info("Expiration: " + claims.getExpiration());
/*
检验token是或否即将过期,如快要过期,就提前更新token。如果已经过期的,会抛出ExpiredJwtException 的异常
*/
Long exp=claims.getExpiration().getTime(); //过期的时间
long nowMillis = System.currentTimeMillis();//现在的时间
Date now=new Date(nowMillis);
logger.info("currenTime:"+now);
long seconds=exp-nowMillis;//剩余的时间 ,若剩余的时间小与48小时,就返回一个新的token给APP
long days=seconds/(1000*60*60*24);
long hour=(seconds-days*1000*60*60*24)/3600000;
long minutes = (seconds-days*1000*60*60*24-hour*3600000) / 60000;
long remainingSeconds = seconds % 60;
logger.info(seconds + " seconds is "+days+" days "+hour+" hours " + minutes + " minutes and "+ remainingSeconds + " seconds");
if (seconds<=1000*60*60*48){
logger.info("token的有效期小与48小时,请更新token!");
return "update";
}
return "success";
}catch (ExpiredJwtException e){
e.printStackTrace();
return ExpiredJwtException.class.getName();
}catch (SignatureException e1){
e1.printStackTrace();
return SignatureException.class.getName();
}catch (MalformedJwtException e2){
e2.printStackTrace();
return MalformedJwtException.class.getName();
}
}
三、 token的过滤
先拦截所有需要被过滤的HTTP请求,再获取HTTP的head中携带的token字符串,在对其进行解析。
代码的主要逻辑是:
首先拦截http请求,获取head中的token,解析token,得到token的状态码code,然后在httpServletResponse的头中添加code后,继续执行代码,到Controller的方法体中,获取response中的code并根据code进行判断当前token的状态,进行相对应的处理。其他情况也是类似。
@WebFilter(urlPatterns = {"/app/*"})
public class TokenAuthorFilter implements Filter {
private static Logger logger = LoggerFactory.getLogger(TokenAuthorFilter.class);
@Autowired
private JWTService jwtService;
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse rep = (HttpServletResponse) response;
//设置允许跨域的配置
// 这里填写你允许进行跨域的主机ip(正式上线时可以动态配置具体允许的域名和IP)
rep.setHeader("Access-Control-Allow-Origin", "*");
// 允许的访问方法
rep.setHeader("Access-Control-Allow-Methods","POST, GET");
// Access-Control-Max-Age 用于 CORS 相关配置的缓存
// rep.setHeader("Access-Control-Max-Age", "3600");
rep.setHeader("Access-Control-Allow-Headers","token");
// rep.setHeader("Access-Control-Allow-Headers","token,Origin, X-Requested-With, Content-Type, Accept");
rep.setCharacterEncoding("UTF-8");
rep.setContentType("application/json; charset=utf-8");
String token = req.getHeader("token");//header方式
String method = ((HttpServletRequest) request).getMethod();
if (method.equals("OPTIONS")) {
rep.setStatus(HttpServletResponse.SC_OK);
}else{
if (null == token || token.isEmpty()) {
logger.info("用户授权认证没有通过!客户端请求参数中无token信息");
rep.setHeader("code","100");
rep.setHeader("msg","用户授权认证没有通过!客户端请求参数中无token信息");
chain.doFilter(req, rep);
} else {
String exception=JavaWebTokenUtil.parseJWT(token).toString();
if (exception!=null){
if (ExpiredJwtException.class.getName().equals(exception)){
logger.info("token已过期!");
rep.setHeader("code","100");
rep.setHeader("msg","token is overtime!");
chain.doFilter(req, rep);
}else if (SignatureException.class.getName().equals(exception)){
System.out.println("token sign解析失败");
rep.setHeader("code","100");
rep.setHeader("msg","token is invalid! ");
chain.doFilter(req, rep);
}else if (MalformedJwtException.class.getName().equals(exception)){
System.out.println("token的head解析失败");
rep.setHeader("code","100");
rep.setHeader("msg","token is invalid! ");
chain.doFilter(req, rep);
}else if ("success".equals(exception)){
logger.info("用户授权认证通过!");
rep.setHeader("code","0");
chain.doFilter(req, rep);
}else {
logger.info("token的有效期小与2天!");
String newToken=jwtService.updateToken(exception);
logger.info("已生成新的token:"+newToken);
rep.setHeader("code","1");
// rep.setHeader("msg","token will invalid at 2 days!please refresh");
rep.setHeader("newToken",newToken);
chain.doFilter(req, rep);
}
}
}
}
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
logger.info("初始化filter");
}
}
Controller中的代码:
@ResponseBody
@GetMapping("app/refresh")
public Object refresh(HttpServletRequest request, HttpServletResponse response) {
Result result=appControllerService.codeFilter(response);
System.out.println(result.getCode());
System.out.println(result.getMsg());
Token token=(Token) result.getData();
if (token!=null){
System.out.println(token.getToken());
}
return result;
}
public Result codeFilter(HttpServletResponse response){
String code = response.getHeader("code");
logger.info("code:" + code);
// String msg = response.getHeader("msg");
// logger.info(msg);
if (code.equals("0")) { //如果code为空,则说明对token认证成功
return ResultUtil.success1();
} else if (code.equals("1")) { //code是1 表示:token解析成功,但是token即将过期,需要更换新的token
String newToken = response.getHeader("newToken");
//把更新的token保存到数据库的user表中。
Integer id=tokenUtil.getCurrentUserId(newToken);
User user1=new User();
user1=userRepo.findOne(id);
System.out.println(id);
user1.setId(id);
user1.setToken(newToken);
userRepo.save(user1);
logger.info("token已经被替换!");
Token token = new Token();
token.setToken(newToken);
return ResultUtil.error(1, "success", token);
} else if (code.equals("100")) { //code是100 表示: token解析失败
return ResultUtil.error(100, "error", null);
} else {
return ResultUtil.error(103, "error", null);
}
}