I am using JWT token based authentication and it works fine until the page is refreshed. If I press F5 the page reloads, but the token is lost. Request headers before the refresh:
Host "localhost:9090"
User-Agent "Mozilla/5.0 (Windows NT 10.0;… Gecko/20100101 Firefox/54.0"
Accept "application/json, text/plain, */*"
Accept-Language "en-US,en;q=0.5"
Accept-Encoding "gzip, deflate"
**Authorization "Bearer eyJhbGciOiJIUzI1NiIsIn…sd-ZDIpMziBmK4gq_DdmGUWbizsI"**
Referer "http://localhost:9090/fg.html"
Connection "keep-alive"
After refreshing the page:
Host "localhost:9090"
User-Agent "Mozilla/5.0 (Windows NT 10.0;… Gecko/20100101 Firefox/54.0"
Accept "application/json, text/plain, */*"
Accept-Language "en-US,en;q=0.5"
Accept-Encoding "gzip, deflate"
**Authorization "null"**
Referer "http://localhost:9090/fg.html"
Connection "keep-alive"
This creates an authentication problem because the token is missing from the header. In the login check controller:
```java
// Login check controller: the token is returned to the client in the response body
responseMap.put("loginName", adminUser1.getAdminId());
responseMap.put("isUserExist", Boolean.toString(true));
responseMap.put("role", adminUser1.getPermissionGroup());
responseMap.put("session", session);
responseMap.put("balance", adminUser1.getBalance().toString());
responseMap.put("phase", phase.getPrefix());
responseMap.put("token", getToken(adminUser1.getAdminId()));
return objectMapper.writeValueAsString(responseMap);
```

```java
// Builds an HS256-signed JWT for the given login name, valid for 120 seconds
public String getToken(String loginName) {
    String jwtToken = "";
    final String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    Map<String, Object> headerClaims = new HashMap<>();
    headerClaims.put("typ", "JWT");
    jwtToken = Jwts.builder()
            .setSubject(loginName)
            .setIssuedAt(new Date())
            .setAudience(uuid)
            .setHeader(headerClaims)
            .setExpiration(new Date(System.currentTimeMillis() + 120000L)) // 2 minutes
            .signWith(SignatureAlgorithm.HS256, Constants.KEY)
            .compact();
    return jwtToken;
}
```
JwtFilter:

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.web.filter.GenericFilterBean;
// JwtExpiredTokenException and Constants are the application's own classes

public class JwtFilter extends GenericFilterBean {

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        final String authHeader = request.getHeader("Authorization");

        // CORS preflight carries no credentials: let it through and stop here
        // (the original fell through and invoked the chain a second time)
        if ("OPTIONS".equals(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
            chain.doFilter(req, res);
            return;
        }

        // A missing or non-Bearer header (such as the literal "null" sent after the
        // page reload) is an authentication failure, so answer 401 rather than 500
        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing or invalid Authorization header");
            return;
        }

        final String token = authHeader.substring("Bearer ".length());
        try {
            final Claims claims = parseClaims(Constants.KEY, token);
            request.setAttribute("claims", claims);
        } catch (BadCredentialsException e) {
            // The original only printed the stack trace and continued down the chain,
            // which let requests with invalid tokens through
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
            return;
        } catch (JwtExpiredTokenException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
            return;
        }
        chain.doFilter(req, res);
    }

    // Verifies the signature and expiry with the shared HS256 key and returns the claims
    public Claims parseClaims(String signingKey, String token)
            throws BadCredentialsException, JwtExpiredTokenException {
        try {
            return Jwts.parser().setSigningKey(signingKey).parseClaimsJws(token).getBody();
        } catch (UnsupportedJwtException | MalformedJwtException | IllegalArgumentException
                | io.jsonwebtoken.SignatureException ex) {
            throw new BadCredentialsException("Invalid JWT token");
        } catch (ExpiredJwtException expiredEx) {
            throw new JwtExpiredTokenException("JWT Token expired");
        }
    }
}
```
How can I solve this problem? Storing the token in localStorage may create more security issues..?
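The client side of the problem, as an added example that is not part of the question: the token here lives only in a JavaScript variable, so a reload discards it and the next request carries the literal header value "null". The code below persists the token through a storage object with the Web Storage API shape (getItem/setItem/removeItem), re-reads it on page load, drops it once its `exp` claim has passed (the server issues 120-second tokens), and only adds the Authorization header when a token actually exists. The storage is injected: in a browser pass `window.sessionStorage` or `window.localStorage`; since any script running in the page can read either, which is the concern the question raises, the choice is kept to a single argument. The storage key name, the Map-backed shim and `sampleToken` (an unsigned stand-in for the server's `getToken()` output) are constructed for the example.

```javascript
// Added example, not code from the question: keep a JWT across a page reload.
const TOKEN_KEY = 'auth.token'; // storage key name is an assumption

// Decode the payload segment of a compact JWS without verifying it. This is only
// used to avoid sending a token the server will reject as expired; the signature
// is still verified server side (parseClaims in the question's JwtFilter).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  try {
    const json = typeof atob === 'function'
      ? atob(padded)
      : Buffer.from(padded, 'base64').toString('utf8');
    return JSON.parse(json);
  } catch (_) {
    return null;
  }
}

// True when the exp claim is missing or lies more than skewSec in the past.
function isExpired(token, nowMs = Date.now(), skewSec = 5) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return true;
  return payload.exp * 1000 <= nowMs - skewSec * 1000;
}

// Called once the login request succeeds with the responseMap from the question.
function saveToken(storage, loginResponse) {
  if (typeof loginResponse.token !== 'string' || !loginResponse.token) {
    throw new Error('login response carried no token');
  }
  storage.setItem(TOKEN_KEY, loginResponse.token);
}

// Called on every page load: returns the stored token, or null if absent or expired.
function loadToken(storage, nowMs = Date.now()) {
  const token = storage.getItem(TOKEN_KEY);
  if (token === null) return null;
  if (isExpired(token, nowMs)) {
    storage.removeItem(TOKEN_KEY); // stale token: drop it so the UI re-authenticates
    return null;
  }
  return token;
}

// Build request headers. Authorization is only added when a token exists, which
// avoids the "Authorization: null" seen in the question after the reload.
function authHeaders(token) {
  const headers = { Accept: 'application/json, text/plain, */*' };
  if (token) headers.Authorization = 'Bearer ' + token;
  return headers;
}

// Minimal Web Storage shim so the example runs outside a browser (constructed).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed, unsigned token with the given exp (seconds since epoch), for the
// demonstration only; real tokens come from the server's getToken(). Node only.
function sampleToken(expSec) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc({ sub: 'admin', exp: expSec }) + '.sig';
}

// Usage on page load: const token = loadToken(window.sessionStorage);
//                     fetch('/api/...', { headers: authHeaders(token) });
```

Because the header is omitted rather than set to "null" when no token is present, the server's filter answers the reload with a clean 401 and the page can redirect to login instead of failing on a malformed header.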