SpringBoot整合JWT完成登录认证

爱被打了一巴掌 2024-03-31 11:59 78阅读 0赞

## SpringBoot整合JWT完成登录认证 ##

对现有的使用cookie/seesion进行会话认证的项目改造，使用JWT进行登录认证。

### 依赖 ###

<dependency>
                <groupId>com.auth0</groupId>
                <artifactId>java-jwt</artifactId>
                <version>3.15.0</version>
            </dependency>

### JWT配置 ###

对请求进行拦截，在拦截器中获取到请求头中携带的token，然后进行校验，校验通过才能进行其它操作。

/**
     *
     * JWT验证拦截器
     */
    public class JWTInterceptor implements HandlerInterceptor {
        
    
    
        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        
            HashMap<String, Object> map = new HashMap<>();
            //令牌建议放在请求头中，获取请求头中的令牌
            String token = request.getHeader("token");
            try {
        
                JWTUtils.verify(token);
                //验证通过，放行
                return true;
            } catch (SignatureVerificationException e) {
        
                e.printStackTrace();
                map.put("msg", "无效签名");
            } catch (TokenExpiredException e) {
        
                e.printStackTrace();
                map.put("msg", "token过期");
            } catch (AlgorithmMismatchException e) {
        
                e.printStackTrace();
                map.put("msg", "token算法不一致");
            } catch (Exception e) {
        
                e.printStackTrace();
                map.put("msg", "token失败");
            }
            //设置状态
            map.put("state", false);
            //将map转化为json，response使用的是Jacksson
            String resultJson = new ObjectMapper().writeValueAsString(map);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().print(resultJson);
            return false;
        }
    }

对Interceptor进行配置，主要是配置拦截器可以拦截的路径和要放行的路径。

@Configuration
    public class WebMvcConfig implements WebMvcConfigurer {
        
    
        @Override
        public void addResourceHandlers(ResourceHandlerRegistry registry) {
        
            registry.addResourceHandler("/images/**")
                    .addResourceLocations("file:" + Constant.FILE_UPLOAD_DIR);
            // 解决swagger无法访问
            registry.addResourceHandler("/swagger-ui.html")
                    .addResourceLocations("classpath:/META-INF/resources/");
            // 解决swagger的js文件无法访问
            registry.addResourceHandler("/webjars/**")
                    .addResourceLocations("classpath:/META-INF/resources/webjars/");
            registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
            WebMvcConfigurer.super.addResourceHandlers(registry);
        }
    
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
        
            registry.addInterceptor(new JWTInterceptor())
                    //拦截率路径
                    .addPathPatterns("/**")
                    //放行路径
                    .excludePathPatterns(Arrays.asList("/swagger-ui.html", "/swagger-ui.html/**", "/user/**"));
        }
    }

### JWT工具类 ###

public class JWTUtils {
        
    
        private static final String SIGNATURE = "nfw&8534';/#njYdwNJKDW10!`";
    
        /**
         * 生成token
         * @param map 传入payload
         * @return
         */
        public static String getToken(Map<String, String> map) {
        
            JWTCreator.Builder builder = JWT.create();
            map.forEach((k,v) -> {
        
                builder.withClaim(k,v);
            });
            Calendar instance = Calendar.getInstance();
            instance.add(Calendar.SECOND, 7);
            builder.withExpiresAt(instance.getTime());
            return builder.sign(Algorithm.HMAC256(SIGNATURE)).toString();
        }
    
    
        /**
         * 验证token
         * @param token
         */
        public static void verify(String token) {
        
            JWT.require(Algorithm.HMAC256(SIGNATURE)).build().verify(token);
        }
    
    
        /**
         * 获取Token中的payload
         * @param token
         * @return
         */
        public static DecodedJWT getToken(String token) {
        
            return JWT.require(Algorithm.HMAC256(SIGNATURE)).build().verify(token);
        }
    
    }

### 登录验证 ###

/**
         * 用户登录
         * @return
         */
        @RequestMapping("/login")
        public ApiRestResponse login(@RequestParam String username, @RequestParam String password, HttpSession session) {
        
            if (StringUtils.isEmpty(username)) {
        
                return ApiRestResponse.error(IMallExceptionEnum.NEED_USER_NAME);
            }
            if (StringUtils.isEmpty(password)) {
        
                return ApiRestResponse.error(IMallExceptionEnum.NEED_PASSWORD);
            }
            User user = new User(username, password);
            User result = userService.login(user);
            if (result != null) {
        
                //session中不保存用户密码
    //            user.setPassword(null);
    //            session.setAttribute(Constant.SESSION_USER, user);
    
                //使用JWT 完成
                Map<String, Object> map = new HashMap<>();
                HashMap<String, String> playload = new HashMap<>();
                playload.put("id", result.getId().toString());
                playload.put("name", result.getUsername());
                //生成JWT令牌
                String token = JWTUtils.getToken(playload);
                map.put("state", true);
                map.put("msg", "认证成功");
                map.put("token", token);
                return ApiRestResponse.success(map);
            } else {
        
                return ApiRestResponse.error(IMallExceptionEnum.NAMEORPASSWORD_ERROR);
            }
        }

需要注意的是，**后端获取token是从header中获取的，所以前端在第一次登录成功拿到token后，之后的每一次请求都要在header中携带token**。

### 参考 ###

*  [JWT详细教程与使用][JWT]

[JWT]: https://blog.csdn.net/Top_L398/article/details/109361680