Spring 安全性:阅读 jwt 详细信息

【问题标题】:Spring security: Read jwt detailsSpring 安全性:阅读 jwt 详细信息
【发布时间】:2019-03-08 13:06:13
【问题描述】:

我在致电/login 后收到一条 jwt:

ResponseEntity<Void> responseEntity = restTemplate
  .postForEntity(url, entity, Void.class); 

String bearer = responseEntity
  .getHeaders()
  .get("Authorization")
  .stream().findFirst().get();

之后,我在Authorization 标头上获得了一个 jwt 令牌,例如:

“承载eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1Mzg1NjExNDgsInN1YiI6ImFkbWluIiwiZXhwIjoxNTM5NDI1MTQ4fQ.mr4MdNzNC8h1uq-OF9DeEBGS8AFgkN6ysooptNrvJeyyn6L6TLV1W4hv6osMggNpo_Ee6RqBhwuJu1beA8OFoA” P>

我想阅读到期日期和其他相关信息。

有什么库可以处理吗?

Spring 是否提供任何 Helper 来处理它?

显然,我有密钥。

【问题讨论】:

标签: spring spring-boot spring-security


【解决方案1】:

这是我项目中的代码示例;

static final String CLAIM_KEY_USERNAME = "sub";
static final String CLAIM_KEY_AUDIENCE = "audience";
static final String CLAIM_KEY_CREATED = "created";

private static final String AUDIENCE_UNKNOWN = "unknown";
private static final String AUDIENCE_WEB = "web";
private static final String AUDIENCE_MOBILE = "mobile";
private static final String AUDIENCE_TABLET = "tablet";

@Value("${jwt.secret}")
private String secret;

@Value("${jwt.expiration}")
private Long expiration;

public String getUsernameFromToken(String token) {
    final Claims claims = getClaimsFromToken(token);
    return claims != null ? claims.getSubject() : null;
}

public Date getCreatedDateFromToken(String token) {
    final Claims claims = getClaimsFromToken(token);
    return claims != null ? new Date((Long) claims.get(CLAIM_KEY_CREATED)) : null;
}

public Date getExpirationDateFromToken(String token) {
    final Claims claims = getClaimsFromToken(token);
    return claims != null ? claims.getExpiration() : null;
}

public String getAudienceFromToken(String token) {
    final Claims claims = getClaimsFromToken(token);
    return claims != null ? (String) claims.get(CLAIM_KEY_AUDIENCE) : null;
}

private Claims getClaimsFromToken(String token) {
    return StringUtils.hasText(token) ? Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody() : null;
}

private Date generateExpirationDate() {
    return new Date(System.currentTimeMillis() + expiration * 1000);
}

private Boolean isTokenExpired(String token) {
    final Date expirationDate = getExpirationDateFromToken(token);
    return expirationDate.before(new Date());
}

private Boolean isCreatedBeforeLastPasswordReset(Date created, Date lastPasswordReset) {
    return (lastPasswordReset != null && created.before(lastPasswordReset));
}

private String generateAudience(Device device) {
    String audience = AUDIENCE_UNKNOWN;
    if (device.isNormal()) {
        audience = AUDIENCE_WEB;
    } else if (device.isTablet()) {
        audience = AUDIENCE_TABLET;
    } else if (device.isMobile()) {
        audience = AUDIENCE_MOBILE;
    }
    return audience;
}

private Boolean ignoreTokenExpiration(String token) {
    String audience = getAudienceFromToken(token);
    return (AUDIENCE_TABLET.equals(audience) || AUDIENCE_MOBILE.equals(audience));
}

 public String generateToken(UserDetails userDetails, Device device) {
    Map<String, Object> claims = new HashMap<>();
    claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
    claims.put(CLAIM_KEY_AUDIENCE, generateAudience(device));
    claims.put(CLAIM_KEY_CREATED, new Date());
    return generateToken(claims);
}

String generateToken(Map<String, Object> claims) {
    return Jwts.builder().setClaims(claims).setExpiration(generateExpirationDate()).signWith(SignatureAlgorithm.HS512, secret).compact();
}

public Boolean canTokenBeRefreshed(String token, Date lastPasswordReset) {
    final Date created = getCreatedDateFromToken(token);
    return !isCreatedBeforeLastPasswordReset(created, lastPasswordReset) && (!isTokenExpired(token) || ignoreTokenExpiration(token));
}

public String refreshToken(String token) {
    String refreshedToken;
    try {
        final Claims claims = getClaimsFromToken(token);
        claims.put(CLAIM_KEY_CREATED, new Date());
        refreshedToken = generateToken(claims);
    } catch (Exception e) {
        refreshedToken = null;
    }
    return refreshedToken;
}

public Boolean validateToken(String token, UserDetails userDetails) {
    JwtUser user = (JwtUser) userDetails;
    final String username = getUsernameFromToken(token);
    final Date created = getCreatedDateFromToken(token);
    return (username.equals(user.getUsername()) && !isTokenExpired(token) && !isCreatedBeforeLastPasswordReset(created, user.getLastPasswordResetDate()));
}

【讨论】:

    【解决方案2】:

    你可以使用jwt library来解析你收到的jwt token。

    例如,我使用jsonwebtoken 来解析令牌。某物 像这样;

    public Claims getClaimsFromToken(String token) throws Exception {
        Claims claims;

        claims = Jwts.parser()
                .setSigningKey(SECRET)
                .parseClaimsJws(token)
                .getBody(); 

        return claims;
    }

    如果您想在声明中获取特定键的值,您可以 可以这样做;

    public Object getClaimsValueFromToken(String token, String key) throws Exception {
        Claims claims = getClaimsFromToken(token);
        Object value = claims.get(key);
        return value;
    }

    理想情况下,您可以使用jwt library 创建自己的custom util 用于解析令牌。

    不要忘记将库添加为 maven 依赖项;

    <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.6.0</version>
        </dependency>

    【讨论】:

      猜你喜欢
      • 2017-01-01
      • 2020-05-09
      • 2017-10-02
      • 1970-01-01
      • 2013-03-15
      • 1970-01-01
      • 1970-01-01
      • 2013-07-18
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode