servlet jwt
Time: 2023-09-30 18:06:21  Views: 61
A Servlet is a server-side program written in Java that receives HTTP requests and returns HTTP responses. JWT (JSON Web Token) is a mechanism for authentication and authorization. After a user logs in successfully, the server generates a JWT and sends it to the client; the client carries that JWT on every subsequent request, and the server verifies the JWT before returning the requested data.
In a Servlet, a third-party library such as jjwt can be used to generate and parse JWTs. The steps are as follows:
1. Generate the JWT: after a successful login, the server generates a JWT with the jjwt library and sends it to the client.
2. Store the JWT on the client: the client can keep the JWT in a cookie or in localStorage.
3. Carry the JWT on every request: the client sends the JWT with each request, either in a request header or in the request body.
4. Verify the JWT: when the server receives a request, it checks the JWT's validity. If the JWT is valid, the server returns the requested data; otherwise it returns an error.
Note that custom information (such as a user ID or roles) can be added to the JWT when it is generated so that it can be read back when the JWT is verified. In addition, giving the JWT an expiration time and signing it are what make it safe to rely on: the signature lets the server detect tampering, and the expiry bounds how long a leaked token remains usable.
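As an added example (not code from the original page), here is step 4 carried out in a plain Servlet filter with jjwt: it rejects requests without a Bearer token, verifies signature, expiry and issuer, and exposes the verified subject to downstream servlets. The JWT_SECRET environment variable, the issuer name "example-app" and the "/login" exclusion are assumptions.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not from the original page; env var name, issuer and "/login" path are assumptions.
@WebFilter("/*")
public class JwtServletFilter extends HttpFilter {
    // HS256 needs a key of at least 256 bits; Keys.hmacShaKeyFor rejects shorter ones at startup.
    private static final javax.crypto.SecretKey KEY = Keys.hmacShaKeyFor(
            System.getenv("JWT_SECRET").getBytes(StandardCharsets.UTF_8));

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if ("/login".equals(req.getServletPath())) { // the login endpoint is where tokens are issued
            chain.doFilter(req, resp);
            return;
        }
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            reject(resp);
            return;
        }
        try {
            // Signature, expiry and issuer are all checked here; any failure throws a JwtException.
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(KEY)
                    .requireIssuer("example-app")
                    .build()
                    .parseClaimsJws(header.substring(7))
                    .getBody();
            req.setAttribute("userId", claims.getSubject()); // verified identity for downstream servlets
            chain.doFilter(req, resp);
        } catch (JwtException | IllegalArgumentException e) {
            reject(resp); // tampered, expired, wrong issuer or malformed token
        }
    }

    private static void reject(HttpServletResponse resp) throws IOException {
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
        resp.getWriter().print("{\"error\":\"invalid or missing token\"}");
    }
}
```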
Related questions
Adding JWT to Spring Boot
Spring Boot is a popular Java web framework, and JWT (JSON Web Token) is a JSON-based open standard (RFC 7519) for passing claims between parties in a networked application. Spring Boot can be combined with JWT to secure a web application.
To add JWT to a Spring Boot project, complete the following steps:
1. Add the Maven dependencies
Add the following dependencies to pom.xml:
```xml
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.2</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>
```
2. Create a JWT utility class
Create a class that is responsible for creating and parsing JWTs. For example:
```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;

public class JwtUtil {
    // HS512 needs a key of at least 512 bits (64 bytes); Keys.hmacShaKeyFor rejects shorter ones.
    // The key is read from the environment so that it never ends up in source control.
    private static final SecretKey SIGNING_KEY = loadKey();
    private static final long EXPIRATION_TIME = 864_000_000; // 10 days in milliseconds

    private static SecretKey loadKey() {
        String secret = System.getenv("JWT_SECRET");
        if (secret == null || secret.length() < 64) {
            throw new IllegalStateException("JWT_SECRET must be set to at least 64 characters");
        }
        return Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public static String createToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SIGNING_KEY, SignatureAlgorithm.HS512)
                .compact();
    }

    // Parsing verifies the signature with SIGNING_KEY and rejects expired tokens
    private static Jws<Claims> parse(String token) {
        return Jwts.parserBuilder().setSigningKey(SIGNING_KEY).build().parseClaimsJws(token);
    }

    public static String getUsernameFromToken(String token) {
        return parse(token).getBody().getSubject();
    }

    public static boolean validateToken(String token) {
        try {
            parse(token);
            return true;
        } catch (JwtException | IllegalArgumentException e) {
            return false; // tampered, expired or malformed
        }
    }
}
```
3. Add a JWT filter
Create a JWT filter that checks whether an incoming HTTP request carries a valid JWT and, if so, places the user's identity in the Spring Security context. For example:
```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String token = getTokenFromRequest(request);
        if (token != null && JwtUtil.validateToken(token)) {
            String username = JwtUtil.getUsernameFromToken(token);
            // The three-argument constructor marks the token as authenticated; authorities would be
            // loaded from the user store here if the application needs role checks.
            UsernamePasswordAuthenticationToken authenticationToken =
                    new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList());
            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        }
        // Without a valid token the request stays anonymous and Spring Security rejects protected URLs
        filterChain.doFilter(request, response);
    }

    private String getTokenFromRequest(HttpServletRequest request) {
        String bearerToken = request.getHeader("Authorization");
        if (bearerToken != null && bearerToken.startsWith("Bearer ")) {
            return bearerToken.substring(7);
        }
        return null;
    }
}
```
4. Register the JWT filter in the Spring Security configuration
Add the filter above in the Spring Security configuration class. For example:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // acceptable only because the token travels in the Authorization header, not a cookie
            // the token carries the identity, so no server-side session is created
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
```
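The configuration permits /login, but the steps above never show the endpoint that issues the token. The following controller is an added example (not part of the original answer) that authenticates the credentials through Spring Security's AuthenticationManager before calling the JwtUtil from step 2; it assumes SecurityConfig exposes authenticationManagerBean() as a @Bean and Java 16+ for the record type.

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import java.util.Map;

// Added example, not from the original answer. Assumes SecurityConfig exposes
// authenticationManagerBean() as a @Bean and that JwtUtil is the class from step 2.
@RestController
public class LoginController {
    public record LoginRequest(String username, String password) {}

    private final AuthenticationManager authenticationManager;

    public LoginController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @PostMapping("/login")
    public ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest body) {
        try {
            // The configured UserDetailsService and PasswordEncoder perform the password check,
            // so a token is only minted for a verified principal.
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(body.username(), body.password()));
            return ResponseEntity.ok(Map.of("token", JwtUtil.createToken(auth.getName())));
        } catch (AuthenticationException e) {
            // One answer for unknown user, wrong password and locked account: no account enumeration
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("error", "invalid credentials"));
        }
    }
}
```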
Combining Shiro with JWT
Shiro can be combined with JWT (JSON Web Token) to implement authentication and authorization. The steps are as follows:
1. Write a JWT utility class that generates and verifies JWT tokens.
2. Write a JWTToken class that implements Shiro's AuthenticationToken interface and wraps the JWT token.
3. Write a JWTFilter that extends Shiro's AuthenticatingFilter and verifies the JWT token on each request.
4. Write a JWTRealm that extends Shiro's AuthorizingRealm, reads the user from the JWT token and performs authorization.
5. Write a Shiro configuration class that wires up the JWTFilter and the JWTRealm.
A simple example follows (each class goes in its own file):
```java
// JWT utility class
// Page design: the token is signed with a per-user secret (the user's stored password, see
// UserController). A dedicated random per-user key would be the better choice; the derivation
// below at least gives HS256 the 256-bit key it requires.
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
import javax.crypto.SecretKey;

public class JWTUtil {
    private static SecretKey keyFor(String secret) {
        try {
            // Derive a 256-bit HMAC key from the secret; jjwt rejects raw keys shorter than that for HS256
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(secret.getBytes(StandardCharsets.UTF_8));
            return Keys.hmacShaKeyFor(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Generate a JWT token
    public static String createToken(String username, String secret) {
        Date now = new Date();
        Date expireDate = new Date(now.getTime() + 3600 * 1000); // expires after 1 hour
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(expireDate)
                .signWith(keyFor(secret), SignatureAlgorithm.HS256)
                .compact();
    }

    // Read the subject WITHOUT verifying the signature. The result may only be used to look up
    // the user whose secret is then passed to verify(); nothing in it is trusted before that.
    public static String getUsername(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        String payload = new String(Decoders.BASE64URL.decode(parts[1]), StandardCharsets.UTF_8);
        try {
            return new ObjectMapper().readTree(payload).path("sub").asText(null);
        } catch (IOException e) {
            return null;
        }
    }

    // Verify signature and subject; parseClaimsJws already rejects expired tokens
    public static boolean verify(String token, String username, String secret) {
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(keyFor(secret))
                    .build()
                    .parseClaimsJws(token)
                    .getBody();
            return username.equals(claims.getSubject());
        } catch (JwtException | IllegalArgumentException e) {
            return false;
        }
    }
}

// JWTToken
import org.apache.shiro.authc.AuthenticationToken;

public class JWTToken implements AuthenticationToken {
    private final String token;

    public JWTToken(String token) {
        this.token = token;
    }

    @Override
    public Object getPrincipal() {
        return token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }
}

// JWTFilter
import org.apache.commons.lang3.StringUtils; // assumes commons-lang3 on the classpath
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JWTFilter extends AuthenticatingFilter {
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String token = getRequestToken((HttpServletRequest) request);
        if (StringUtils.isBlank(token)) {
            return null;
        }
        return new JWTToken(token);
    }

    // Stateless API: never rely on an earlier session, verify the token on every request
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        return false;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        String token = getRequestToken((HttpServletRequest) request);
        if (StringUtils.isBlank(token)) {
            writeUnauthorized((HttpServletResponse) response, "{\"code\":401,\"msg\":\"未登录\"}");
            return false;
        }
        return executeLogin(request, response);
    }

    // Called when the realm rejects the token; without this override the client would get an empty 200
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        try {
            writeUnauthorized((HttpServletResponse) response, "{\"code\":401,\"msg\":\"token无效\"}");
        } catch (IOException ignored) {
            // the response is being abandoned anyway
        }
        return false;
    }

    private void writeUnauthorized(HttpServletResponse response, String body) throws IOException {
        // CORS headers are deliberately not set here: reflecting the request Origin together with
        // Access-Control-Allow-Credentials lets any site read authenticated responses. Use a
        // dedicated CORS filter with an origin allow-list instead.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        response.getWriter().print(body);
    }

    private String getRequestToken(HttpServletRequest request) {
        String token = request.getHeader("Authorization");
        if (StringUtils.isBlank(token)) {
            token = request.getParameter("token"); // fallback; tokens in URLs end up in access logs
        }
        return token;
    }
}

// JWTRealm
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

public class JWTRealm extends AuthorizingRealm {
    // Assumption: the project has a UserService with findByUsername(String) returning a User that
    // exposes getPassword(), getRoles() (Set<String>) and getPermissions() (Set<String>).
    @Autowired
    private UserService userService;

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JWTToken;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The primary principal is the token string stored by doGetAuthenticationInfo below
        String username = JWTUtil.getUsername((String) principals.getPrimaryPrincipal());
        User user = userService.findByUsername(username); // roles and permissions come from the user store
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(user.getRoles());
        info.setStringPermissions(user.getPermissions());
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
        String token = (String) auth.getCredentials();
        String username = JWTUtil.getUsername(token); // unverified until verify() below succeeds
        User user = username == null ? null : userService.findByUsername(username);
        if (user == null) {
            throw new UnknownAccountException("用户不存在");
        }
        if (!JWTUtil.verify(token, username, user.getPassword())) {
            throw new IncorrectCredentialsException("token无效");
        }
        return new SimpleAuthenticationInfo(token, token, getName());
    }
}

// Shiro configuration class
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;

@Configuration
public class ShiroConfig {
    @Bean
    public JWTRealm jwtRealm() {
        return new JWTRealm();
    }

    @Bean
    public DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(jwtRealm());
        // The token carries the identity, so Shiro must not persist subjects in server-side sessions
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(evaluator);
        securityManager.setSubjectDAO(subjectDAO);
        return securityManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setSecurityManager(securityManager);
        Map<String, Filter> filters = new HashMap<>();
        // Not declared as a @Bean: Spring Boot would otherwise also register it as a plain servlet filter on every path
        filters.put("jwt", new JWTFilter());
        shiroFilter.setFilters(filters);
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login", "anon");
        filterChainDefinitionMap.put("/**", "jwt"); // every other path must present a valid token
        shiroFilter.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilter;
    }
}

// Exception handling class
// Handles exceptions thrown from controllers. Token failures inside JWTFilter never reach this
// class: the filter runs before the DispatcherServlet and answers them in onLoginFailure.
// Renamed from ExceptionHandler so the class name does not shadow the @ExceptionHandler annotation.
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class GlobalExceptionHandler {
    // Result is the project's response wrapper (assumed: Result.success(Object), Result.error(String))
    @ExceptionHandler(UnknownAccountException.class)
    public Result handleUnknownAccountException(UnknownAccountException e) {
        return Result.error("用户不存在");
    }

    @ExceptionHandler(IncorrectCredentialsException.class)
    public Result handleIncorrectCredentialsException(IncorrectCredentialsException e) {
        return Result.error("密码错误");
    }

    @ExceptionHandler(AuthenticationException.class)
    public Result handleAuthenticationException(AuthenticationException e) {
        return Result.error("认证失败");
    }

    @ExceptionHandler(Exception.class)
    public Result handleException(Exception e) {
        return Result.error("系统异常"); // details stay in the server log, not in the response
    }
}

// Controller
import org.apache.shiro.SecurityUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

@RestController
public class UserController {
    @Autowired
    private UserService userService; // assumed project service, see JWTRealm

    @PostMapping("/login")
    public Result login(String username, String password) {
        // Check the username and password before issuing a token. Assumption: User.getPassword()
        // is the stored credential that JWTRealm later uses as the per-user signing secret.
        User user = userService.findByUsername(username);
        if (user == null || !MessageDigest.isEqual(
                user.getPassword().getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
            return Result.error("用户名或密码错误");
        }
        String token = JWTUtil.createToken(username, user.getPassword());
        return Result.success(token);
    }

    @GetMapping("/user")
    public Result getUser() {
        // JWTFilter has already authenticated the subject; its principal is the verified token string
        String token = (String) SecurityUtils.getSubject().getPrincipal();
        User user = userService.findByUsername(JWTUtil.getUsername(token));
        return Result.success(user);
    }
}
```