I am using Spring Security with JWT for a REST API. I have finished creating a web token with an expiry time, and it works fine. I have set the time limit to 5 minutes; after 5 minutes the token expires. This is causing me problems, so can anyone guide me on how to use a refresh token to solve this, since I am new to the concept?
Here is my code:
Spring Security configuration
    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilter() {
        JwtAuthenticationTokenFilter filter = new JwtAuthenticationTokenFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(new JwtSuccessHandler());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            // Matchers are evaluated in order and the first match wins. A preceding
            // antMatchers("/admin/**").authenticated() rule would shadow this one, so the
            // role check is the only rule kept for /admin/** (it implies authentication).
            .authorizeRequests().antMatchers("/admin/**").hasAnyAuthority("Admin")
            .and()
            .exceptionHandling().authenticationEntryPoint(entryPoint)
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(authenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        http.headers().cacheControl();
    }
Token controller
    import org.springframework.web.bind.annotation.RequestBody;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/token")
    public class TokenController {

        private final JwtGenerator jwtGenerator;

        public TokenController(JwtGenerator jwtGenerator) {
            this.jwtGenerator = jwtGenerator;
        }

        // Signs a token for whatever username/password the client posts. Note that nothing
        // here verifies the password against the user store before the token is issued.
        @RequestMapping(method = RequestMethod.POST)
        public String generate(@RequestBody final User user) {
            return jwtGenerator.generate(user);
        }
    }
JwtGenerator
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import org.springframework.stereotype.Component;

    import java.util.Date;

    @Component
    public class JwtGenerator {

        private static final long EXPIRATION_MS = 5 * 60 * 1000L; // 5 minutes
        private String secret = "youtube"; // hard-coded, very short HMAC key: move to configuration

        public String generate(User user) {
            Claims claims = Jwts.claims()
                    .setSubject(user.getFirstName());
            // The JWT payload is only base64url-encoded, not encrypted: anyone who sees the
            // token can read this claim. Carrying the password in it is unsafe.
            claims.put("password", String.valueOf(user.getPassword()));
            //claims.put("role", jwtUser.getRole());
            return Jwts.builder()
                    .setClaims(claims)
                    .setExpiration(generateExpirationDate())
                    .signWith(SignatureAlgorithm.HS512, secret) // same key the validator uses
                    .compact();
        }

        private Date generateExpirationDate() {
            return new Date(System.currentTimeMillis() + EXPIRATION_MS);
        }
    }
JwtAuthenticationProvider
    @Override
    protected UserDetails retrieveUser(String username,
                                       UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
            throws AuthenticationException {
        JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) usernamePasswordAuthenticationToken;
        String token = jwtAuthenticationToken.getToken();
        User user = validator.validate(token);
        if (user == null) {
            // An AuthenticationException reaches the entry point and yields 401; a
            // RuntimeException would surface as a 500.
            throw new BadCredentialsException("JWT Token is incorrect");
        }
        String firstname = user.getFirstName();
        User user1 = userRepository.getRoleId(firstname);
        List<GrantedAuthority> grantedAuthorities = AuthorityUtils
                .commaSeparatedStringToAuthorityList(user1.getRole().getRoleName());
        return new JwtUserDetails(user.getFirstName(), user.getPassword(),
                token,
                grantedAuthorities);
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return (JwtAuthenticationToken.class.isAssignableFrom(aClass));
    }
Validator
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jwts;
    import org.springframework.stereotype.Component;

    @Component
    public class JwtValidator {

        private String secret = "youtube"; // must match the JwtGenerator key

        public User validate(String token) {
            User user = null;
            try {
                // parseClaimsJws verifies the signature and the exp claim; a tampered or
                // expired token throws (SignatureException, ExpiredJwtException, ...) and
                // the method returns null.
                Claims body = Jwts.parser()
                        .setSigningKey(secret)
                        .parseClaimsJws(token)
                        .getBody();
                user = new User();
                user.setFirstName(body.getSubject());
                user.setPassword((String) body.get("password"));
                //user.setRole((String) body.get("role"));
            }
            catch (Exception e) {
                System.out.println(e);
            }
            return user;
        }
    }
I am passing the username and password to obtain the token. Thanks in advance.
You may need to make some changes to your existing solution. In general, after a successful authorization you must return 2 JWT tokens: an "access" JWT used for any further authorized requests to the server, and a "refresh" JWT used to retrieve a new "access" JWT when the first one expires. This also means you will need to change/modify/intercept the front-end part of your application to apply these rules. For me, the key reference here is JWT Authentication Tutorial - An example using Spring Boot.
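One way to implement the two-token scheme the answer describes, as an added example; it is not code from the question, the answer, or the linked tutorial. It uses the jjwt 0.9-style API the question already uses (`Jwts.parser`, `signWith(SignatureAlgorithm, byte[])`). The class name `RefreshTokenService`, the `typ` claim, the 7-day refresh lifetime, the in-memory `jti` allow-list and the demo keys are all assumptions for illustration. It goes slightly beyond the answer in two ways a practitioner would want: refresh tokens are rotated on every use and tracked server-side, so a stolen or replayed one can be revoked, and the two token kinds are signed with different keys, so a refresh token can never pass the access-token filter.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example (assumed class name), not the question's or answer's code.
public class RefreshTokenService {
    private static final long ACCESS_TTL_MS = 5 * 60 * 1000L;            // 5 minutes, as in the question
    private static final long REFRESH_TTL_MS = 7L * 24 * 60 * 60 * 1000; // 7 days: assumed policy

    // Two different keys, so a refresh token can never verify as an access token.
    // HS512 needs >= 64 key bytes; load random bytes from configuration in production.
    private final byte[] accessKey;
    private final byte[] refreshKey;
    // Server-side allow-list of live refresh-token IDs (jti); use a DB table in production.
    private final Set<String> liveRefreshIds = ConcurrentHashMap.newKeySet();

    public static final class TokenPair {
        public final String accessToken;
        public final String refreshToken;
        TokenPair(String a, String r) { accessToken = a; refreshToken = r; }
    }

    public RefreshTokenService(byte[] accessKey, byte[] refreshKey) {
        this.accessKey = accessKey;
        this.refreshKey = refreshKey;
    }

    /** Called once after the username/password login has been verified against the user store. */
    public TokenPair issue(String username, List<String> roles) {
        long now = System.currentTimeMillis();
        String access = Jwts.builder()
                .setSubject(username)
                .claim("typ", "access")
                .claim("roles", roles)                    // carry roles, never the password
                .setExpiration(new Date(now + ACCESS_TTL_MS))
                .signWith(SignatureAlgorithm.HS512, accessKey)
                .compact();
        String jti = UUID.randomUUID().toString();
        String refresh = Jwts.builder()
                .setSubject(username)
                .claim("typ", "refresh")
                .setId(jti)
                .setExpiration(new Date(now + REFRESH_TTL_MS))
                .signWith(SignatureAlgorithm.HS512, refreshKey)
                .compact();
        liveRefreshIds.add(jti);
        return new TokenPair(access, refresh);
    }

    /** What the request filter does: returns the claims of a valid access token, else throws JwtException. */
    public Claims authenticate(String accessToken) {
        Claims c = Jwts.parser().setSigningKey(accessKey).parseClaimsJws(accessToken).getBody();
        if (!"access".equals(c.get("typ", String.class))) {
            throw new JwtException("not an access token");
        }
        return c;
    }

    /** POST /token/refresh: trade a live refresh token for a new pair and revoke the old one (rotation). */
    public TokenPair refresh(String refreshToken, List<String> currentRoles) {
        Claims c = Jwts.parser().setSigningKey(refreshKey).parseClaimsJws(refreshToken).getBody();
        if (!"refresh".equals(c.get("typ", String.class))) {
            throw new JwtException("not a refresh token");
        }
        // remove() is atomic, so a replayed refresh token fails here even if two requests race.
        if (!liveRefreshIds.remove(c.getId())) {
            throw new JwtException("refresh token revoked or already used");
        }
        // currentRoles is re-read from the user store by the caller, so a demoted user loses roles on refresh.
        return issue(c.getSubject(), currentRoles);
    }

    public static void main(String[] args) {
        // Demo keys only (64 ASCII bytes each); never hard-code real keys.
        byte[] k1 = "access-key-demo-0123456789abcdef0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        byte[] k2 = "refresh-key-demo0123456789abcdef0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        RefreshTokenService svc = new RefreshTokenService(k1, k2);
        List<String> roles = Arrays.asList("Admin");
        TokenPair p1 = svc.issue("alice", roles);
        System.out.println("subject: " + svc.authenticate(p1.accessToken).getSubject());
        TokenPair p2 = svc.refresh(p1.refreshToken, roles);       // client does this when it gets a 401
        try {
            svc.refresh(p1.refreshToken, roles);                  // old refresh token was rotated out
        } catch (JwtException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
        try {
            svc.authenticate(p2.refreshToken);                    // refresh token presented as bearer token
        } catch (JwtException e) {
            System.out.println("refresh token rejected as access token: " + e.getClass().getSimpleName());
        }
    }
}
```

On the client side the flow is: send the access token as the bearer token; when the server answers 401 because it expired, post the refresh token to the refresh endpoint, store the new pair, and retry the original request. Explicit logout is just removing the refresh token's `jti` from the allow-list; the access token then dies on its own within the 5-minute window, which is the trade-off a short access lifetime buys you.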