0to1使用JWT实现登录认证
1 引言
JSON Web Token(缩写JWT)是目前流行的跨域认证解决方案,其本质上也是一种token,但是JWT通过纯算法验证合法性,因此无需在服务器存储token数据或者保存用户状态,降低了服务器消耗,也便于系统之间解耦。本章主要讲解使用JWT实现登录认证,并使用redis解决JWT无法主动失效的问题。
2 代码
下面列出关键代码进行介绍,源码链接在文章最后。
2.1 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.zeroone</groupId>
<artifactId>zeroone</artifactId>
<version>1.0</version>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<!-- 为Spring Boot项目提供一系列默认的配置和依赖管理-->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.2</version>
<relativePath/>
</parent>
<dependencies>
<!-- Spring Boot核心依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<!-- Spring Boot单元测试和集成测试的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Spring Boot构建Web应用程序的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- redis -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<!-- mysql驱动-->
<dependency>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
</dependency>
<!-- mybatis-plus核心依赖-->
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-spring-boot3-starter</artifactId>
<version>3.5.7</version>
</dependency>
<!-- 阿里数据库连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-3-starter</artifactId>
<version>1.2.23</version>
</dependency>
<!-- 阿里JSON解析库-->
<dependency>
<groupId>com.alibaba.fastjson2</groupId>
<artifactId>fastjson2</artifactId>
<version>2.0.52</version>
</dependency>
<!-- Jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.4.0</version>
</dependency>
</dependencies>
</project>
2.2 TokenService.java
这个就是jwt管理token的类,为了解决JWT无法主动失效的问题,使用redis存储每个用户最后登录时生成的jwtId,然后每次访问都比较header中的token是否最新的。注意:在header中,key为Authorization,value为"Bearer "+token。
package com.zeroone.service;
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONObject;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.zeroone.common.RedisKey;
import com.zeroone.entity.sys.User;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Service;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
/**
* Jwt服务
*/
@Service("TokenService")
public class TokenService {
@Autowired
protected HttpServletRequest request;
@Autowired
RedisTemplate<String, String> redisTemplate;
/**
* 令牌秘钥
*/
public static final Algorithm algorithm = Algorithm.HMAC512("C9FEE9EAD0F74457B3438AB8CB9CA9A7C9FEE9EAD0F74457B3438AB8CB9CA9A7C9FEE9EAD0F74457B3438AB8CB9CA9A7");
/**
* 令牌有效期,毫秒
*/
public static final long EXPIRATION = 60 * 60 * 1000;
/**
* 用户信息存储标识
*/
public static final String USER_INFO = "USER_INFO";
/**
* 从header中解析出token
*
* @return token
*/
public String getTokenFromHeader() {
String token = request.getHeader("Authorization");
if (null != token) {
token = token.replace("Bearer ", "");
}
return token;
}
/**
* 生成token
*
* @param user 用户信息
* @return token
*/
public String createToken(User user) {
user.setPassword(null);//私密信息不放入token中
String jwtId = UUID.randomUUID().toString();
//存储当前用户最新的jwtId
redisTemplate.opsForValue().set(RedisKey.USER_JWTID + user.getId(), jwtId, EXPIRATION, TimeUnit.MILLISECONDS);
//设置JWTId,设置户信息,设置过期时间,返回token
return JWT.create().withJWTId(jwtId).withClaim(USER_INFO, JSON.toJSONString(user)).withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION)).sign(algorithm);
}
/**
* 验证token,并返回用户信息
*
* @return 用户信息
*/
public User verifyToken() {
try {
String token = getTokenFromHeader();
//获取claims
Map<String, Claim> claims = JWT.require(algorithm).build().verify(token).getClaims();
String jwtId = claims.get("jti").asString();//从claims中解析出jwtId
String userStr = claims.get(USER_INFO).asString();//从claims中解析出用户信息
User user = JSONObject.parseObject(userStr, User.class);
String jwtIdLast = redisTemplate.opsForValue().get(RedisKey.USER_JWTID + user.getId());//取出该用户最新的jwtId
//比较jwtId,如果不一致则说明该token已废弃。
if (null != jwtIdLast && jwtIdLast.equals(jwtId)) {
return user;
}
} catch (Exception e) {
return null;
}
return null;
}
/**
* 获取用户信息
*
* @return 用户信息
*/
public User getUserInfo() {
try {
String token = getTokenFromHeader();
String userStr = JWT.require(algorithm).build().verify(token).getClaims().get(USER_INFO).asString();
return JSONObject.parseObject(userStr, User.class);
} catch (Exception e) {
return null;
}
}
/**
* 使用户token失效
*/
public void deleteToken() {
User uer = getUserInfo();
if (null != uer) {
redisTemplate.delete(RedisKey.USER_JWTID + uer.getId());
}
}
}
2.3 LoginServiceImpl.java
登录和退出
package com.zeroone.service.sys;
import com.zeroone.entity.sys.User;
import com.zeroone.service.BaseService;
import com.zeroone.utils.Param;
import org.springframework.stereotype.Service;
@Service("UserService")
public class LoginServiceImpl extends BaseService implements LoginService {
@Override
public Object webLogin(Param info) {
String account = info.getStringNotNull("account").trim();
String password = info.getStringNotNull("password").trim();
//TODO 验证通过
User user = new User();
user.setId(1L);
user.setName("张三");
user.setAccount("12345678901@qq.com");
user.setPhone("12345678901");
String token = tokenService.createToken(user);
return token;
}
@Override
public void logout() {
tokenService.deleteToken();
}
}
2.4 WebMvcConfigurerImpl.java
注册组件类,如拦截器等。
package com.zeroone.config.spring;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import java.util.ArrayList;
import java.util.List;
/**
* SpringMvc(组件注册:拦截器、静态资源……)
*/
@Configuration
public class WebMvcConfigurerImpl implements WebMvcConfigurer {
@Autowired
private MyHandlerInterceptor myHandlerInterceptor;
@Override
public void addInterceptors(InterceptorRegistry registry) {
List<String> patterns = new ArrayList<>();
patterns.add("/download/**");
patterns.add("/upload/**");
patterns.add("/error");
patterns.add("/");
registry.addInterceptor(myHandlerInterceptor).addPathPatterns("/**").excludePathPatterns(patterns);
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
}
}
2.4 MyHandlerInterceptor.java
拦截器类,在拦截器中验证token是否合法
package com.zeroone.config.spring;
import com.zeroone.common.HttpCode;
import com.zeroone.config.exception.MyRuntimeException;
import com.zeroone.service.TokenService;
import com.zeroone.entity.sys.User;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
/**
* SpringMvc 拦截器
*/
@Component
public class MyHandlerInterceptor implements HandlerInterceptor {
Logger log = LoggerFactory.getLogger(getClass());
@Autowired
TokenService tokenService;
/**
* 完成页面的render后调用
*/
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object object, Exception exception) throws Exception {
}
/**
* 在调用controller具体方法后拦截
*/
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object object, ModelAndView modelAndView) throws Exception {
}
/**
* 在调用controller具体方法前拦截
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
String origin = request.getHeader("Origin");
// 设置头信息,以支持跨域请求
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type,token,Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setContentType("text/html;charset=utf-8");
response.setCharacterEncoding("utf-8");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
return true;
}
String ip = request.getRemoteAddr();
String url = request.getRequestURI();
// 打印日志
log.info("[" + ip + "]" + url);
// 判断是否是开放的请求
if (isPassUrl(url)) {
return true;
}
User userInfo = tokenService.verifyToken();
// 判断是否已登录
if (null != userInfo) {
return true;
} else {
throw new MyRuntimeException(HttpCode.UNAUTHORIZED_CODE, "请重新登陆!");
}
}
/**
* 是否是开放的url
*/
private boolean isPassUrl(String url) {
switch (url) {
case "/web/login":// WEB登录
return true;
case "/web/logout":// WEB登出
return true;
}
return false;
}
}
3 测试
1 启动项目访问:http://localhost:8080/UserController/listAllMaster。可以看到提示"请重新登陆!"。
2 调用http://localhost:8080/web/login登录。将返回的token信息,放入前面接口的header中,可以看到正常返回了,说明认证成功。
5 源码
Gitee代码链接