利用JWT判断用户登录以及安全校验

废话不多说，直接上代码，自己之前写过一篇介绍token的，有兴趣的话可以去翻看下。

1.首先先引用jar，项目是maven，贴出代码：

<!-- jwt --><dependency> <groupid>io.jsonwebtoken</groupid> <artifactid>jjwt</artifactid> <version>0.7.0</version></dependency>

2.token工具类---TokenUtil.java，一个方法是生成token，另一个是校验token有效性，我这里没有查数据库，是把用户名和密码放到了配置文件里边，下边会挨着贴出代码。

public class TokenUtil {private static Logger logger = (Logger) LoggerFactory.getLogger(TokenUtil.class);/** * 存储token * @param name * @param password * @return */public static String getToken(String json_py){String signKey = PropertiesUtil.getValue("signingKey");//此处就是在服务器定义的自己的密匙try { // The JWT signature algorithm we will be using to sign the tokenSignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;// We will sign our JWT with our ApiKey secretbyte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(signKey);Key signingKey = new SecretKeySpec(apiKeySecretBytes,signatureAlgorithm.getJcaName());// Let's set the JWT ClaimsJwtBuilder builder = Jwts.builder().setPayload(json_py.toString()).signWith(signatureAlgorithm, signingKey); return builder.compact(); } catch(Exception e) { logger.error("getToken异常", e); return "error"; } }/** * 判断是否token值看是否登录成功 * @return */public static String isLogin(String jwt){String signingKey = PropertiesUtil.getValue("signingKey");//此处就是在服务器定义的自己的密匙String params="";if (jwt.split("\\.").length == 3) {String header = jwt.split("\\.")[0];String payload = jwt.split("\\.")[1];System.out.println(Base64Codec.BASE64URL.decodeToString(header));System.out.println(Base64Codec.BASE64URL.decodeToString(payload));String sign = jwt.split("\\.")[2];//带过来的签名String headerNew = getToken(Base64Codec.BASE64URL.decodeToString(payload)).split("\\.")[0]; String signNew = getToken(Base64Codec.BASE64URL.decodeToString(payload)).split("\\.")[2];System.out.println("新的token："+getToken(Base64Codec.BASE64URL.decodeToString(payload)));System.out.println(signNew);if(header.equals(headerNew) && sign.equals(signNew)){//进行安全校验（头部和签名）Claims claims = Jwts.parser().setSigningKey(DatatypeConverter.parseBase64Binary(signingKey)).parseClaimsJws(jwt).getBody();if(claims!=null){long expdate = (Long) claims.get("expDate");long nowMillis = System.currentTimeMillis();if(expdate>nowMillis){//判断token有效性String username = (String) claims.get("username");String password = (String) claims.get("password");String name = PropertiesUtil.getValue("username");//从本地读取用户名String pword = PropertiesUtil.getValue("password");//从本地读取密码if(name.equals(username) && pword.equals(password)){params="success";//校验成功，有此用户}else{params="用户名或密码错误---faile";}}else{params="timeout";}}}else{params="修改数据--faile";}}return params;}public static void main(String[] args) {JSONObject json_py = new JSONObject();long nowMillis = System.currentTimeMillis();System.out.println(Integer.parseInt(PropertiesUtil.getValue("timeOut")));long expMillis = nowMillis + Integer.parseInt(PropertiesUtil.getValue("timeOut"));//一分钟过期json_py.put("username", "admin1");json_py.put("password", "123456");json_py.put("expDate", expMillis);System.out.println("expDate:"+expMillis);String token = TokenUtil.getToken(json_py.toString());System.out.println(json_py.toString());System.out.println("token的值："+token);//String params=TokenUtil.isLogin("eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluMSIsImV4cERhdGUiOjE1MDk1MzU1NTA4MjMsInBhc3N3b3JkIjoiMTIzNDU2In0.WQHsnrnbfPCh-cP7NB_x7y6cwe3JuvwI-9JaKW419cg");String params=TokenUtil.isLogin(token);System.out.println("返回参数params："+params);}}

3.配置文件：system_config.properties

username=adminpassword=123456signingKey=zanjinbao#过期时间--6秒timeOut=6000

4.测试类代码：

public static void main(String[] args) {JSONObject json_py = new JSONObject();long nowMillis = System.currentTimeMillis();System.out.println(Integer.parseInt(PropertiesUtil.getValue("timeOut")));long expMillis = nowMillis + Integer.parseInt(PropertiesUtil.getValue("timeOut"));//一分钟过期json_py.put("username", "admin1");json_py.put("password", "123456");json_py.put("expDate", expMillis);System.out.println("expDate:"+expMillis);String token = TokenUtil.getToken(json_py.toString());System.out.println(json_py.toString());System.out.println("token的值："+token);//String params=TokenUtil.isLogin("eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluMSIsImV4cERhdGUiOjE1MDk1MzU1NTA4MjMsInBhc3N3b3JkIjoiMTIzNDU2In0.WQHsnrnbfPCh-cP7NB_x7y6cwe3JuvwI-9JaKW419cg");String params=TokenUtil.isLogin(token);System.out.println("返回参数params："+params);}

5.PropertiesUtil代码：

public class PropertiesUtil {public static Properties props = new Properties();// private static Logger logger = Logger.getLogger(PropertiesUtil.class);public static void load(String path) {InputStream in = PropertiesUtil.class.getClassLoader().getResourceAsStream(path);try {props.load(in);in.close();} catch (IOException e) {e.printStackTrace();}}public static String getValue(String key) {// 根据指定key值获取valueload("system_config.properties");return props.getProperty(key);}}

测试结果：

最后需要再说一点的就是，一般token里边是不应该带用户的主要信息的，自己上边的用户名和密码没有加密，更标准的应该是先对用户名和密码进行加密，当做负荷存到token里边，然后解析token得到负荷之后，再进行解密，然后根据自己的代码做校验。。。