我想确保在可配置的大量时间之后我的JSON Web令牌被撤销/过期,并且我有以下设置:
安全过滤器:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import yourwebproject2.service.UserService;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
/**
* @author: kameshr
*/
public class JWTTokenAuthFilter extends OncePerRequestFilter {
private static List<Pattern> AUTH_ROUTES = new ArrayList<>();
private static List<String> NO_AUTH_ROUTES = new ArrayList<>();
public static final String JWT_KEY = "JWT-TOKEN-SECRET";
static {
AUTH_ROUTES.add(Pattern.compile("/api/*"));
NO_AUTH_ROUTES.add("/api/user/authenticate");
NO_AUTH_ROUTES.add("/api/user/register");
}
private Logger LOG = LoggerFactory.getLogger(JWTTokenAuthFilter.class);
@Autowired
private UserService userService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
String authorizationHeader = request.getHeader("authorization");
String authenticationHeader = request.getHeader("authentication");
String route = request.getRequestURI();
// no auth route matching
boolean needsAuthentication = false;
for (Pattern p : AUTH_ROUTES) {
if (p.matcher(route).matches()) {
needsAuthentication = true;
break;
}
}
if(route.startsWith("/api/")) {
needsAuthentication = true;
}
if (NO_AUTH_ROUTES.contains(route)) {
needsAuthentication = false;
}
// Checking whether the current route needs to be authenticated
if (needsAuthentication) {
// Check for authorization header presence
String authHeader = null;
if (authorizationHeader == null || authorizationHeader.equalsIgnoreCase("")) {
if (authenticationHeader == null || authenticationHeader.equalsIgnoreCase("")) {
authHeader = null;
} else {
authHeader = authenticationHeader;
LOG.info("authentication: " + authenticationHeader);
}
} else {
authHeader = authorizationHeader;
LOG.info("authorization: " + authorizationHeader);
}
if (StringUtils.isBlank(authHeader) || !authHeader.startsWith("Bearer ")) {
throw new AuthCredentialsMissingException("Missing or invalid Authorization header.");
}
final String token = authHeader.substring(7); // The part after "Bearer "
try {
final Claims claims = Jwts.parser().setSigningKey(JWT_KEY)
.parseClaimsJws(token).getBody();
request.setAttribute("claims", claims);
// Now since the authentication process if finished
// move the request forward
filterChain.doFilter(request, response);
} catch (final Exception e) {
throw new AuthenticationFailedException("Invalid token. Cause:"+e.getMessage());
}
} else {
filterChain.doFilter(request, response);
}
}
}
创建身份验证令牌的方法:
String token = Jwts.builder().setSubject(user.getEmail())
.claim("role", user.getRole().name()).setIssuedAt(new Date())
.signWith(SignatureAlgorithm.HS256, JWTTokenAuthFilter.JWT_KEY).compact();
authResp.put("token", token);
authResp.put("user", user);
上面我有我在JWT上使用的所有声明,我想请求在x ammount时间之后撤销令牌(如果可能的话,不活动)。
我如何使用JWT / Spring MVC / Angular JS / Spring Security实现这一目标
答案 0 :(得分:2)
设置令牌的到期时间
String token = Jwts.builder()
.setSubject(user.getEmail())
.claim("role", user.getRole().name())
.setIssuedAt(new Date())
.setExpiration(expirationDate)
.signWith(SignatureAlgorithm.HS256, WTTokenAuthFilter.JWT_KEY)
.compact();
然后,如果currentTime&gt; expirationDate
,则parseClaimsJws会引发ExpiredJwtException
撤销有效令牌是一项难以解决的难题:
1)在服务器中维护一个黑名单并比较每个请求
2)设置较小的到期时间并发出新令牌
3)在令牌中插入登录时间并比较是否符合您的标准
4)删除客户端的jwt