java 用户登录token_Java，SpringBoot采用token方式实现登录认证

IT小奋斗2021-01-13 21:48:33

Token，令牌，访问资源的凭证，每次访问带上这个令牌，就可识别出用户身份。

JWT (JsonWebToken)，是实现token技术的一种解决方案，由三部分组成: header(头)、payload(载体)、signature(签名)。

1、头：HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384

2、载体：

iss：Issuer，发行者sub：Subject，主题aud：Audience，观众exp：Expiration time，过期时间nbf：Not beforeiat：Issued at，发行时间jti：JWT ID

3、签名

代码案例：importio.jsonwebtoken.Claims;importio.jsonwebtoken.CompressionCodecs;importio.jsonwebtoken.Jwts;importio.jsonwebtoken.SignatureAlgorithm;importjavax.crypto.spec.SecretKeySpec;importjava.security.Key;importjava.util.Date;importjava.util.HashMap;importjava.util.Map;importjava.util.UUID;publicclassJJWTTokenApply{//使用的KeypublicstaticKeyKEY=newSecretKeySpec('密钥'.getBytes(),SignatureAlgorithm.HS512.getJcaName());/***@paramexpiration==>失效时间*@return*/publicstaticStringgenerateAccessToken(Stringsubject,MapclaimsMap,longexpiration){//生成TokenreturnJwts.builder().setClaims(claimsMap).setSubject(subject).setId(UUID.randomUUID().toString()).setIssuedAt(newDate()).setExpiration(newDate(System.currentTimeMillis()expiration*1000)).compressWith(CompressionCodecs.DEFLATE).signWith(SignatureAlgorithm.HS256,KEY).compact();}/***@paramtoken*@return*/publicstaticMapparseAccessToken(Stringtoken){MapclaimsMap=newHashMap(16);try{Claimsclaims=Jwts.parser().setSigningKey(KEY).parseClaimsJws(token).getBody();//失效时间claimsMap.put('expiration',claims.getExpiration());//签发者claimsMap.put('created',claims.getIssuedAt());claimsMap.put('subject',claims.getSubject());claimsMap.put('user_id',claims.get('user_id'));claimsMap.put('user_info',claims.get('user_info'));claimsMap.put('user_roles',claims.get('user_roles'));}catch(Exceptione){e.printStackTrace();}returnclaimsMap;}publicstaticvoidmain(String[]args){//主题Stringsubject='zhangsan';//加密数据MapclaimsMap=newHashMap(16);claimsMap.put('user_id',123);claimsMap.put('user_info','用户信息');claimsMap.put('user_roles','用户角色');//失效期1天Stringtoken=generateAccessToken(subject,claimsMap,86400);System.out.println('accessToken='token);//解析tokenMapparseMap=parseAccessToken(token);System.out.println('主题='parseMap.get('subject'));System.out.println('user_id='parseMap.get('user_id'));System.out.println('user_info='parseMap.get('user_info'));System.out.println('user_roles='parseMap.get('user_roles'));DateexpirationDate=(Date)parseMap.get('expiration');System.out.println('是否失效='expirationDate.before(newDate()));System.out.println('失效日期='expirationDate);System.out.println('失效时间='(expirationDate.getTime()-System.currentTimeMillis()));}}

SpringBoot采用token方式实现认证

1、SpringSecurity的配置

public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception { CustomAuthenticationProvider customAuthenticationProvider = new CustomAuthenticationProvider(userDetailsService); authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider); }@Overrideprotected void configure(HttpSecurity http) throws Exception { http.cors().and().csrf().disable() .authorizeRequests() // 请求授权// 配置路径放行.antMatchers('/**').permitAll() .antMatchers(HttpMethod.GET, '/webSocket/**').permitAll()// swagger 文档.antMatchers('/swagger-ui.html').permitAll() .antMatchers('/swagger-resources/**').permitAll()// druid.antMatchers('/druid/**').permitAll()// 放行OPTIONS请求.antMatchers(HttpMethod.OPTIONS, '/**').permitAll()// 其他都需要验证.anyRequest().authenticated() .and() .addFilter(new JWTAuthenticationFilter(authenticationManager(), userDetailsService)) .addFilter(new JWTAuthorizationFilter(authenticationManager()))// 不需要session.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); }@BeanCorsConfigurationSource corsConfigurationSource() {final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration('/**', new CorsConfiguration().applyPermitDefaultValues());return source; }}

解析：部分代码没贴，实现的类重点包含：JWTAuthenticationFilter、JWTAuthorizationFilter、CustomAuthenticationProvider

2、登录认证的执行流程

3、代码实现部分publicclassCustomAuthenticationProviderimplementsAuthenticationProvider{privateUserDetailsServiceuserService;publicCustomAuthenticationProvider(UserDetailsServiceuserService){this.userService=userService;}@OverridepublicAuthenticationauthenticate(Authenticationauthentication)throwsAuthenticationException{Stringusername=authentication.getName();Stringpassword=authentication.getCredentials().toString();//验证用户和密码返回}@Overridepublicbooleansupports(Class>authentication){returnauthentication.equals(UsernamePasswordAuthenticationToken.class);}}

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;private UserDetailsService userDetailsService;private JwtUtils jwtUtils;public JWTAuthenticationFilter(AuthenticationManager authenticationManager, UserDetailsService userDetailsService) {this.authenticationManager = authenticationManager;this.userDetailsService = userDetailsService;// 精确指定认证地址super.setFilterProcessesUrl('/api/authen/login'); }@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { Authentication returnAuthentication = null;try { AuthenUser loginUser = new ObjectMapper().readValue(request.getInputStream(), AuthenUser.class); Authentication authenticationToken = new UsernamePasswordAuthenticationToken(loginUser.getUsername(), loginUser.getPassword(), new ArrayList<>()); returnAuthentication = authenticationManager.authenticate(authenticationToken);return returnAuthentication; } catch (IOException e) { e.printStackTrace(); }return null; }// 成功验证后调用该方法@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authen) throws IOException, ServletException { String username = (String) authen.getPrincipal(); UserDetails userDetail = (UserDetails) userDetailsService.loadUserByUsername(username); String token = jwtUtils.generateAccessToken(userDetail); HashMap resultData = Maps.newHashMap(); resultData.put('token', token); resultData.put('userInfo', userDetail); resultData.put('headerName', JwtUtils.TOKEN_HEADER); resultData.put('prefix', JwtUtils.TOKEN_PREFIX); resultData.put('tokenExpiration', jwtUtils.getExpireTime(jwtUtils.getAccess_token_expiration())); String json = JSONObject.toJSONString(ServerResponse.createBySuccess(resultData)); response.setCharacterEncoding('UTF-8'); response.setContentType('application/json; charset=utf-8'); response.getWriter().write(json); }@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {if (failed instanceof BadCredentialsException) { response.setCharacterEncoding('utf-8'); response.getWriter().write(JSONUtil.toJsonStr(ServerResponse.createDefaultErrorMessage(failed.getMessage()))); } else if (failed instanceof UsernameNotFoundException) { response.setCharacterEncoding('utf-8'); response.getWriter().write(JSONUtil.toJsonStr(ServerResponse.createDefaultErrorMessage(failed.getMessage()))); } else { response.getWriter().write('authentication failed, reason: ' failed.getMessage()); } }}

认证登录成功后，返回JSON串，包含token。

3、再次请求

4、代码处理部分publicclassJWTAuthorizationFilterextendsBasicAuthenticationFilter{publicJWTAuthorizationFilter(AuthenticationManagerauthenticationManager){super(authenticationManager);}@OverrideprotectedvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainchain)throwsIOException,ServletException{StringtokenHeader=request.getHeader('Authorization');//HTTP头中的Authorization信息if(tokenHeader==null||!tokenHeader.startsWith('Bearer')){chain.doFilter(request,response);return;}try{//解析token，并且设置认证信息SecurityContextHolder.getContext().setAuthentication(getAuthentication(tokenHeader));}catch(TokenIsExpiredExceptione){response.setCharacterEncoding('UTF-8');response.setContentType('application/json;charset=utf-8');response.setStatus(HttpServletResponse.SC_FORBIDDEN);Stringreason='错误：'e.getMessage();response.getWriter().write(newObjectMapper().writeValueAsString(reason));response.getWriter().flush();return;}super.doFilterInternal(request,response,chain);

《新程序员》：云原生和全面数字化实践50位技术专家共同创作，文字、视频、音频交互阅读

总结

以上是生活随笔为你收集整理的java 用户登录token_Java，SpringBoot采用token方式实现登录认证的全部内容，希望文章能够帮你解决所遇到的问题。

如果觉得生活随笔网站内容还不错，欢迎将生活随笔推荐给好友。