小贝子编程

春季安全性:阅读 jwt 详细信息



我在打电话给/login后收到一个 jwt:

ResponseEntity<Void> responseEntity = restTemplate
.postForEntity(url, entity, Void.class); 
String bearer = responseEntity
.getHeaders()
.get("Authorization")
.stream().findFirst().get();

之后,我在Authorization标题上得到一个 jwt 令牌,例如:

"Bearer eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1Mzg1NjExNDgsInN1YiI6ImFkbWluIiwiZXhwIjoxNTM5NDI1MTQ4fQ.mr4MdNzNC8h1uq-OF9DeEBGS8AFgkN6ysooptNrvJeyyn6L6TLV1W4hv6osMggNpo_Ee6RqBhwuJu1beA8OFoA">

我想阅读到期日期和与之相关的其他信息。

有没有库来处理它?

春天有没有提供任何帮手来治疗它?

显然,我有密钥。

您可以使用 jwt 库来解析收到的 jwt 令牌。

例如,我正在使用jsonwebtoken来解析令牌。东西 喜欢这个;

public Claims getClaimsFromToken(String token) throws Exception {
Claims claims;
claims = Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token)
.getBody(); 
return claims;
}

如果要获取声明中特定键的值,请 可以这样做;

public Object getClaimsValueFromToken(String token, String key) throws Exception {
Claims claims = getClaimsFromToken(token);
Object value = claims.get(key);
return value;
}

理想情况下,您可以使用jwt library创建自己的custom util用于分析令牌。

不要忘记将库添加为 maven 依赖项;

<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.6.0</version>
</dependency>

这是我项目中的代码示例;

static final String CLAIM_KEY_USERNAME = "sub";
static final String CLAIM_KEY_AUDIENCE = "audience";
static final String CLAIM_KEY_CREATED = "created";
private static final String AUDIENCE_UNKNOWN = "unknown";
private static final String AUDIENCE_WEB = "web";
private static final String AUDIENCE_MOBILE = "mobile";
private static final String AUDIENCE_TABLET = "tablet";
@Value("${jwt.secret}")
private String secret;
@Value("${jwt.expiration}")
private Long expiration;
public String getUsernameFromToken(String token) {
final Claims claims = getClaimsFromToken(token);
return claims != null ? claims.getSubject() : null;
}
public Date getCreatedDateFromToken(String token) {
final Claims claims = getClaimsFromToken(token);
return claims != null ? new Date((Long) claims.get(CLAIM_KEY_CREATED)) : null;
}
public Date getExpirationDateFromToken(String token) {
final Claims claims = getClaimsFromToken(token);
return claims != null ? claims.getExpiration() : null;
}
public String getAudienceFromToken(String token) {
final Claims claims = getClaimsFromToken(token);
return claims != null ? (String) claims.get(CLAIM_KEY_AUDIENCE) : null;
}
private Claims getClaimsFromToken(String token) {
return StringUtils.hasText(token) ? Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody() : null;
}
private Date generateExpirationDate() {
return new Date(System.currentTimeMillis() + expiration * 1000);
}
private Boolean isTokenExpired(String token) {
final Date expirationDate = getExpirationDateFromToken(token);
return expirationDate.before(new Date());
}
private Boolean isCreatedBeforeLastPasswordReset(Date created, Date lastPasswordReset) {
return (lastPasswordReset != null && created.before(lastPasswordReset));
}
private String generateAudience(Device device) {
String audience = AUDIENCE_UNKNOWN;
if (device.isNormal()) {
audience = AUDIENCE_WEB;
} else if (device.isTablet()) {
audience = AUDIENCE_TABLET;
} else if (device.isMobile()) {
audience = AUDIENCE_MOBILE;
}
return audience;
}
private Boolean ignoreTokenExpiration(String token) {
String audience = getAudienceFromToken(token);
return (AUDIENCE_TABLET.equals(audience) || AUDIENCE_MOBILE.equals(audience));
}
public String generateToken(UserDetails userDetails, Device device) {
Map<String, Object> claims = new HashMap<>();
claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
claims.put(CLAIM_KEY_AUDIENCE, generateAudience(device));
claims.put(CLAIM_KEY_CREATED, new Date());
return generateToken(claims);
}
String generateToken(Map<String, Object> claims) {
return Jwts.builder().setClaims(claims).setExpiration(generateExpirationDate()).signWith(SignatureAlgorithm.HS512, secret).compact();
}
public Boolean canTokenBeRefreshed(String token, Date lastPasswordReset) {
final Date created = getCreatedDateFromToken(token);
return !isCreatedBeforeLastPasswordReset(created, lastPasswordReset) && (!isTokenExpired(token) || ignoreTokenExpiration(token));
}
public String refreshToken(String token) {
String refreshedToken;
try {
final Claims claims = getClaimsFromToken(token);
claims.put(CLAIM_KEY_CREATED, new Date());
refreshedToken = generateToken(claims);
} catch (Exception e) {
refreshedToken = null;
}
return refreshedToken;
}
public Boolean validateToken(String token, UserDetails userDetails) {
JwtUser user = (JwtUser) userDetails;
final String username = getUsernameFromToken(token);
final Date created = getCreatedDateFromToken(token);
return (username.equals(user.getUsername()) && !isTokenExpired(token) && !isCreatedBeforeLastPasswordReset(created, user.getLastPasswordResetDate()));
}

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium