The Best Practice of JWT

Official site

JSON Web Token Introductory Tutorial | Ruan Yifeng

Supercharge Java Authentication with JSON Web Tokens (JWTs)

Integrating JWT with Spring Boot Security to implement stateless distributed API endpoints

JWT implementations in Java

java-jwt

java-jwt | GitHub

An introduction to JSON Web Token and best practices

How to integrate JWT (JSON Web Token) authentication in Spring Boot

  1. Import the dependency

    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>java-jwt</artifactId>
        <version>3.8.3</version>
    </dependency>
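  2. Generate the token

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;

    // Demo secret only: in real deployments load a long random key from configuration
    private static final String KEY = "secret";
    private static final Algorithm ALGORITHM = Algorithm.HMAC256(KEY);
    String token = JWT.create()
            .withIssuer("gzhennaxia") // issuer
            .withSubject(userId) // subject; must be globally unique
            .sign(ALGORITHM);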
  3. Verify the token

    // verify() throws JWTVerificationException if the signature check fails
    JWTVerifier verifier = JWT.require(ALGORITHM).build();
    DecodedJWT decodedJWT = verifier.verify(token);

    DecodedJWT:

    {
        "algorithm":"HS256",
        "claims":{
            "iss":{
                "null":false
            },
            "sub":{
                "null":false
            }
        },
        "header":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9",
        "issuer":"gzhennaxia",
        "payload":"eyJzdWIiOiIxIiwiaXNzIjoiZ3poZW5uYXhpYSJ9",
        "signature":"ItL7KsvAp4Zezk5N5uu1ayAh2HlHU2EgIW3NiSZw1f8",
        "subject":"1",
        "token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIiwiaXNzIjoiZ3poZW5uYXhpYSJ9.ItL7KsvAp4Zezk5N5uu1ayAh2HlHU2EgIW3NiSZw1f8",
        "type":"JWT"
    }
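
The java-jwt snippets above sign with the string "secret", set no expiry, and verify only the signature. The following is an added example (not from the original post or the java-jwt project) of the same flow with a 32-byte random key, an `exp` claim, and the issuer pinned at verification. The class name `HardenedJwtExample`, the helper names and the 15-minute lifetime are assumptions.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Optional;

public class HardenedJwtExample { // hypothetical class, not part of java-jwt
    private static final String ISSUER = "gzhennaxia";      // issuer used on this page
    private static final long TTL_MILLIS = 15 * 60 * 1000L; // assumed 15-minute lifetime
    private final Algorithm algorithm;
    private final JWTVerifier verifier;

    HardenedJwtExample(byte[] secret) {
        if (secret.length < 32) // RFC 7518: an HS256 key must be at least 256 bits
            throw new IllegalArgumentException("HMAC secret must be at least 32 bytes");
        algorithm = Algorithm.HMAC256(secret);
        // Pin the issuer; java-jwt also checks exp whenever the claim is present.
        verifier = JWT.require(algorithm).withIssuer(ISSUER).build();
    }

    String issue(String userId, Date now) {
        return JWT.create()
                .withIssuer(ISSUER)
                .withSubject(userId)
                .withIssuedAt(now)
                .withExpiresAt(new Date(now.getTime() + TTL_MILLIS))
                .sign(algorithm);
    }

    // Returns the subject only if signature, issuer and expiry all check out.
    Optional<String> subjectOf(String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            if (jwt.getExpiresAt() == null) return Optional.empty(); // no exp: reject
            return Optional.ofNullable(jwt.getSubject());
        } catch (JWTVerificationException e) {
            return Optional.empty(); // bad signature, wrong issuer, expired or malformed
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed demo key, in memory only
        HardenedJwtExample jwt = new HardenedJwtExample(secret);
        String good = jwt.issue("1", new Date());
        String stale = jwt.issue("1", new Date(System.currentTimeMillis() - 2 * TTL_MILLIS));
        for (String t : new String[] {good, stale, good + "x"}) // valid, expired, tampered
            System.out.println(jwt.subjectOf(t));
    }
}
```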

jjwt

jjwt | GitHub

  1. Import the dependencies

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.10.7</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-impl</artifactId>
        <version>0.10.7</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.10.7</version>
        <scope>runtime</scope>
    </dependency>
    <!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.60</version>
        <scope>runtime</scope>
    </dependency>
    -->
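  2. Generate the token

    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import io.jsonwebtoken.security.Keys;
    import java.security.Key;

    // Generates a random key of the right size for HS256
    private static final Key KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    String token = Jwts.builder()
            .setIssuer("gzhennaxia")
            .setSubject(userId.toString())
            .signWith(KEY)
            .compact();

    token: eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnemhlbm5heGlhIiwic3ViIjoiMSJ9._Q0XHRhoS0a-ZA4pMzEmY2hShds86IrE5i4-XSj6sGI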
  3. Verify the token

    // parseClaimsJws accepts only a signed claims JWT (JWS) and verifies it with KEY
    Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);

    Jws:

    {
        "header":{
            "alg":"HS256"
        },
        "body":{
            "iss":"gzhennaxia",
            "sub":"1"
        },
        "signature":"_Q0XHRhoS0a-ZA4pMzEmY2hShds86IrE5i4-XSj6sGI"
    }