大家以前都使用过session存储信息,有的交给容器创建,有的存储到mysql或者redis,这次项目用到了JWT,我们把用户的信息和登录的过期时间都封装到一个token字符串里,客户端每次请求只需要在头信息里携带token即可,话不多说,下面是目录结构.
package com.demo.annotation; import java.lang.annotation.*; @Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface IgnoreLogin { } 复制代码
该注解主要作用是过滤掉请求拦截器,使用该注解就不会对该请求进行拦截(权限校验),具体使用下面讲.
package com.demo.annotation; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; /** * 登录用户信息 */ @Target(ElementType.PARAMETER) @Retention(RetentionPolicy.RUNTIME) public @interface LoginUser {} 复制代码
该注解作用是SpringMVC参数解析器,类似于RequestBody注解(希望大家了解springmvc的参数解析机制),和我们后面的resolver相关联.
package com.demo.bean; public class User { private long userId; private String userName; private String password; 忽略get/set } 复制代码
我们的用户信息
package com.demo.bean; public class Business { private String str; private int num; 忽略get/set } 复制代码
我们的业务参数
package com.demo.config; import com.demo.interceptor.AuthorizationInterceptor; import com.demo.resolver.UserArgumentResolver; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.web.method.support.HandlerMethodArgumentResolver; import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import java.util.List; /** * MVC配置 */ @Configuration public class WebMvcConfig implements WebMvcConfigurer { @Autowired private AuthorizationInterceptor authorizationInterceptor; @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(authorizationInterceptor).addPathPatterns("/**"); //注入我们自定义的拦截器,拦截所有请求 } @Override public void addArgumentResolvers(List<HandlerMethodArgumentResolver> resolvers) { resolvers.add(new UserArgumentResolver()); //注入我们的用户参数解析器 } } 复制代码
package com.demo.controller; import com.demo.annotation.IgnoreLogin; import com.demo.annotation.LoginUser; import com.demo.bean.Business; import com.demo.bean.User; import com.demo.util.JwtUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; @RestController public class UserController { private Logger logger = LoggerFactory.getLogger(getClass()); @Autowired private JwtUtils jwtUtils; @PostMapping(value = "/login") @IgnoreLogin public String login() { //在此 我们不做登录检验 假设检验成功 User user = new User(); user.setUserId(9527); user.setUserName("小星星"); return jwtUtils.generateToken(user);//这里只是为了测试只返回token,(请求不含IgnoreLogin注解时需要将token放在头信息里) } @PostMapping("/business") public User business(@RequestBody Business business, @LoginUser User user) {//在业务逻辑可以使用注解将我们的user注入进来 logger.info("用户信息参数id:{},姓名:{}", user.getUserId(), user.getUserName()); logger.info("我们的业务参数:{},{}", business.getStr(), business.getNum()); return user; } } 复制代码
可以看到当我们登陆成功后我们可以生成一个token字符串返回给客户端,这个字符串包含了用户信息和时间信息(jwt机制),同时我们做了一个模仿业务的请求,business是我们的业务参数,user是我们根据客户端上发的token解析出来的,下面会讲到如何解析.可以看到只要我们需要user的参数,我们就可以直接使用LoginUser注解和User就可以直接得到,非常方便,客户端并不需要将我们的用户信息参杂到我们的业务参数中.相对安全。
package com.demo.exception; public class RRException extends RuntimeException { private static final long serialVersionUID = 1L; private String msg; private int code = 500; } 复制代码
这里我就不解析了,根据需求可以和客户端协商相应的错误码
package com.demo.interceptor; import com.demo.annotation.IgnoreLogin; import com.demo.exception.RRException; import com.demo.util.JwtUtils; import io.jsonwebtoken.Claims; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; import org.springframework.stereotype.Component; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * 权限(Token)验证 */ @Component public class AuthorizationInterceptor extends HandlerInterceptorAdapter { @Autowired private JwtUtils jwtUtils; public static final String USER_KEY = "user"; private Logger logger = LoggerFactory.getLogger(getClass()); @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (!(handler instanceof HandlerMethod) || ((HandlerMethod) handler). getMethodAnnotation(IgnoreLogin.class) != null) { //如果不是HandlerMethod或者忽略登录 logger.info("无需token校验,handler:{}", handler); return true; } //获取用户凭证 String token = request.getHeader(jwtUtils.getHeader()); if (StringUtils.isBlank(token)) { token = request.getParameter(jwtUtils.getHeader()); } //凭证为空 if (StringUtils.isBlank(token)) { throw new RRException(jwtUtils.getHeader() + "不能为空", HttpStatus.UNAUTHORIZED.value()); } Claims claims = jwtUtils.getClaimByToken(token); if (claims == null || jwtUtils.isTokenExpired(claims.getExpiration())) { throw new RRException(jwtUtils.getHeader() + "失效,请重新登录", HttpStatus.UNAUTHORIZED.value()); } //设置userId到request里,后续根据userId,获取用户信息 request.setAttribute(USER_KEY, jwtUtils.getUser(claims)); return true; } } 复制代码
我们会过滤掉不是HandlerMethod的请求和带有IgnoreLogin的注解(并不是所有方法都需要校验,例如登录请求,支付回调请求),我们会取出客户端发出的token,解析出来并判断是否过期,没有token或者已过期我们可以需要返回一个错误码给客户端然后重新登录,当我们校验成功后我们会取出用户信息放入到request里(后面会在参数解析器里解析出来),这也是这个拦截器的精髓,既能校验又能获取用户的信息.
package com.demo.resolver; import com.demo.annotation.LoginUser; import com.demo.bean.User; import com.demo.interceptor.AuthorizationInterceptor; import org.springframework.core.MethodParameter; import org.springframework.web.bind.support.WebDataBinderFactory; import org.springframework.web.context.request.NativeWebRequest; import org.springframework.web.method.support.HandlerMethodArgumentResolver; import org.springframework.web.method.support.ModelAndViewContainer; import javax.servlet.http.HttpServletRequest; /** * 用户参数解析器 */ public class UserArgumentResolver implements HandlerMethodArgumentResolver { @Override public boolean supportsParameter(MethodParameter parameter) { return parameter.hasParameterAnnotation(LoginUser.class); } @Override public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) throws Exception { HttpServletRequest request = webRequest.getNativeRequest(HttpServletRequest.class); User user = (User) request.getAttribute(AuthorizationInterceptor.USER_KEY); return user; } } 复制代码
springmvc的参数解析器,需要继承HandlerMethodArgumentResolver,有两个方法,第一个就是支持什么类型的参数,可以看到我们支持拥有LoginUser注解的参数,第二个方法是从request里取出我们在拦截器中放入的user并返回,这样就实现了user对象的注入.
package com.demo.util; import com.alibaba.fastjson.JSONObject; import com.demo.bean.User; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.stereotype.Component; import java.util.Date; import java.util.HashMap; import java.util.Map; /** * jwt工具类 */ @Component @ConfigurationProperties(prefix = "jwt") public class JwtUtils { private Logger logger = LoggerFactory.getLogger(getClass()); private long expire; private String secret; private String header; /** * 生成jwt token */ public String generateToken(User user) { Date nowDate = new Date(); //过期时间 Date expireDate = new Date(nowDate.getTime() + expire * 1000); return Jwts.builder() .setHeaderParam("typ", "JWT") .setSubject(JSONObject.toJSONString(user)) .setIssuedAt(nowDate) .setExpiration(expireDate) .signWith(SignatureAlgorithm.HS512, secret) .compact(); } /** * 解析出来claim * @param token * @return */ public Claims getClaimByToken(String token) { try { return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody(); } catch (Exception e) { logger.debug("validate is token error ", e); return null; } } /** * 得到user * @param claims * @return */ public User getUser(Claims claims) { return JSONObject.parseObject(claims.getSubject(), User.class); } /** * token是否过期 * @return true:过期 */ public boolean isTokenExpired(Date expiration) { return expiration.before(new Date()); } public String getSecret() { return secret; } public void setSecret(String secret) { this.secret = secret; } public long getExpire() { return expire; } public void setExpire(long expire) { this.expire = expire; } public String getHeader() { return header; } public void setHeader(String header) { this.header = header; } } 复制代码
expire过期时间,secret密钥,header头信息名称 这些数据在application.yml里,这里我们会根据User对象生成一个token字符串,根据token取出claims对象,这里就包含了我们的过期时间和之前我们所存的user信息.
package com.demo; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class SpringBootStart { public static void main(String[] agrs) { SpringApplication.run(SpringBootStart.class, agrs); } } application.yml jwt: #加密秘钥 secret: f4e2e5203fg45sf45g4de581c0f9eb5 #token,单位秒 expire: 6000 header: token 复制代码