使用token替换session保存信息,防篡改
1.token三部分
header
{
"typ": "JWT",
"alg": "HS256"
}
payload
{
"iss": "ninghao.net",
"exp": "1438955445",
"name": "wanghao",
"admin": true
}
iss:Issuer,发行者
sub:Subject,主题
aud:Audience,观众
exp:Expiration time,过期时间
nbf:Not before
iat:Issued at,发行时间
jti:JWT ID
signature
先是用 Base64 编码的 header.payload ,再用加密算法加密一下,加密的时候要放进去一个 Secret ,这个相当于是一个密码,这个密码秘密地存储在服务端。
2.Base64 编码
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
3.token生成 验证
生成token
1 import java.lang.reflect.Field; 2 import java.lang.reflect.Modifier; 3 import java.security.Key; 4 import java.util.Date; 5 import java.util.TreeMap; 6 import java.util.UUID; 7 8 import com.alibaba.fastjson.JSONObject; 9 10 import io.jsonwebtoken.JwtBuilder; 11 import io.jsonwebtoken.Jwts; 12 import io.jsonwebtoken.SignatureAlgorithm; 13 14 public class SignToken { 15 private String id; // token对外的ID号 16 17 private String mid; // 开发者编号 18 private String docId; // 合同编号 19 private String devId; // 签约的ID号码 20 21 private Date createTime; // Token的创建时间 22 private Date expiredIn; // Token的过期时间 23 24 private String value; // token的值 25 26 public SignToken(String mid, String docId, String devId) { 27 this.id=getUID(); 28 this.mid = mid; 29 this.docId = docId; 30 this.devId = devId; 31 } 32 33 34 public static synchronized String getUID() { 35 UUID uuid = UUID.randomUUID(); 36 return uuid.toString().replace("-", ""); 37 } 38 39 40 ///////////////////////////////////////////////////////// 41 public void setData(String jsonString) { 42 JSONObject json = JSONObject.parseObject(jsonString); 43 this.setData(json); 44 } 45 public String toJSONString() { 46 return this.toJSONObject().toJSONString(); 47 } 48 49 public void setData(JSONObject json) { 50 Class<?> clazz = this.getClass(); 51 for (String name: json.keySet()) { 52 Object value = json.get(name); 53 try { 54 Field field = clazz.getDeclaredField(name); 55 field.setAccessible(true); 56 field.set(this, value); 57 } catch (IllegalArgumentException e) { 58 e.printStackTrace(); 59 } catch (IllegalAccessException e) { 60 e.printStackTrace(); 61 } catch (NoSuchFieldException e) { 62 e.printStackTrace(); 63 } catch (SecurityException e) { 64 e.printStackTrace(); 65 } 66 } 67 } 68 69 public JSONObject toJSONObject() { 70 Field[] fields = this.getClass().getDeclaredFields(); 71 if (fields.length == 0) { 72 return null; 73 } 74 TreeMap<String, Object> map = new TreeMap<String, Object>(); 75 for (int i = 0; i < fields.length; i++) { 76 Field field = fields[i]; 77 int modifier = field.getModifiers(); 78 //if (!Modifier.isPublic(modifier) || Modifier.isStatic(modifier) || Modifier.isFinal(modifier)) { 79 // continue; 80 //} 81 if (Modifier.isStatic(modifier) || Modifier.isFinal(modifier)) { 82 continue; 83 } 84 field.setAccessible(true); 85 String name = field.getName(); 86 Object value = null; 87 try { 88 value = field.get(this); 89 } catch (IllegalArgumentException e) { 90 continue; 91 } catch (IllegalAccessException e) { 92 continue; 93 } 94 map.put(name, value); 95 } 96 JSONObject object = new JSONObject(map); 97 return object; 98 } 99 100 101 102 public String getId() { 103 return id; 104 } 105 106 public void setId(String id) { 107 this.id = id; 108 } 109 110 public String getMid() { 111 return mid; 112 } 113 114 public void setMid(String mid) { 115 this.mid = mid; 116 } 117 118 public String getDocId() { 119 return docId; 120 } 121 122 public void setDocId(String docId) { 123 this.docId = docId; 124 } 125 126 public String getDevId() { 127 return devId; 128 } 129 130 public void setDevId(String devId) { 131 this.devId = devId; 132 } 133 134 public Date getCreateTime() { 135 return createTime; 136 } 137 138 public void setCreateTime(Date createTime) { 139 this.createTime = createTime; 140 } 141 142 public Date getExpiredIn() { 143 return expiredIn; 144 } 145 146 public void setExpiredIn(Date expiredIn) { 147 this.expiredIn = expiredIn; 148 } 149 150 public String getValue() { 151 return value; 152 } 153 154 public void setValue(String value) { 155 this.value = value; 156 } 157 158 }
验签
1 package cn.bestsign.mixed.token; 2 3 import java.security.InvalidKeyException; 4 import java.security.Key; 5 import java.security.KeyFactory; 6 import java.security.KeyPair; 7 import java.security.KeyPairGenerator; 8 import java.security.NoSuchAlgorithmException; 9 import java.security.PrivateKey; 10 11 import java.security.Signature; 12 import java.security.SignatureException; 13 import java.security.interfaces.RSAPrivateKey; 14 import java.security.interfaces.RSAPublicKey; 15 import java.security.spec.InvalidKeySpecException; 16 import java.security.spec.PKCS8EncodedKeySpec; 17 import java.security.spec.X509EncodedKeySpec; 18 import java.util.Base64; 19 import java.util.Date; 20 import java.util.HashMap; 21 import java.util.Map; 22 23 import javax.xml.bind.DatatypeConverter; 24 25 import org.junit.Test; 26 27 import cn.gov.shnotary.fingerprint.service.PublicKey; 28 import io.jsonwebtoken.Jwt; 29 import io.jsonwebtoken.JwtBuilder; 30 import io.jsonwebtoken.Jwts; 31 import io.jsonwebtoken.SignatureAlgorithm; 32 import io.jsonwebtoken.impl.crypto.RsaProvider; 33 import net.sf.json.JSONObject; 34 35 public class SignTokenTest { 36 37 @Test 38 public void generateTokenTest3() throws Exception { 39 String pubKey="xxx"; 40 String priKey="xxx"; 41 byte[] privateKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(priKey); 42 byte[] pubKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(pubKey); 43 44 PrivateKey privateKey = getPrivateKey("RSA", privateKeyBytes); 45 java.security.PublicKey publicKey = getPublicKey("RSA", pubKeyBytes); 46 47 SignToken token1 = generateToken("E0000000000000000009", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey); 48 System.out.println(token1.getValue()); 49 String tokenString = token1.getValue(); 50 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString); 51 System.out.println(jwt.getHeader()); 52 System.out.println(jwt.getBody()); 53 Jwt jwt = verifyToken(pubKey, token1.getValue()); 54 System.out.println(jwt.getHeader()); 55 System.out.println(jwt.getBody()); 56 JSONObject json = JSONObject.fromObject(jwt.getBody()); 57 JSONObject aud = json.getJSONObject("aud"); 58 System.out.println(aud); 59 } 60 61 public static PrivateKey getPrivateKey(String KEY_ALGORITHM, byte[] priKey) throws NoSuchAlgorithmException, InvalidKeySpecException { 62 KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM); 63 PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(priKey); 64 return keyFactory.generatePrivate(pkcs8KeySpec); 65 } 66 67 public static java.security.PublicKey getPublicKey(String KEY_ALGORITHM, byte[] pubKey) throws InvalidKeySpecException, NoSuchAlgorithmException { 68 69 X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(pubKey); 70 KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM); 71 return keyFactory.generatePublic(x509KeySpec); 72 } 73 74 @Test 75 public void generateTokenTest2() throws Exception { 76 String pubKey=""; 77 String priKey=""; 78 79 KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); 80 // 初始化密钥对儿生成器 81 keyPairGen.initialize(512); 82 // 生成密钥对儿 83 KeyPair keyPair = keyPairGen.generateKeyPair(); 84 RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); 85 RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); 86 87 SignToken token1 = generateToken("460cfedac66149c2a832e66fa1de28a6", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey); 88 System.out.println(token1.getValue()); 89 String tokenString = token1.getValue(); 90 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString); 91 System.out.println(jwt.getHeader()); 92 System.out.println(jwt.getBody()); 93 } 94 95 96 97 @Test 98 public void generateTokenTest1() throws Exception { 99 KeyPair kp = RsaProvider.generateKeyPair(512); 100 java.security.PublicKey publicKey = kp.getPublic(); 101 PrivateKey privateKey = kp.getPrivate(); 102 103 SignToken token1 = generateToken("460cfedac66149c2a832e66fa1de28a6", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey); 104 System.out.println(token1.getValue()); 105 String tokenString = token1.getValue(); 106 107 // String tokenInfo[] = tokenString.split("\."); 108 // for (String str : tokenInfo) { 109 // 110 // // String info = new String(Base64.getDecoder().decode(str)); 111 // // System.out.println(info); 112 // } 113 114 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString); 115 System.out.println(jwt.getHeader()); 116 System.out.println(jwt.getBody()); 117 118 // Jwts.parser().setSigningKey(publicKey).parseClaimsJws(jwt).getBody(); 119 120 } 121 122 public SignToken generateToken(String mid, String docId, String devId, long delay, SignatureAlgorithm alg, Key signingKey) { 123 SignToken token = new SignToken(mid, docId, devId); 124 // 定义开始时间 125 Date now = new Date(); 126 Date end = new Date(now.getTime() + delay * 24 * 60 * 60 * 1000); 127 token.setCreateTime(now); 128 token.setExpiredIn(end); 129 130 // 构建一个Token 131 JwtBuilder builder = Jwts.builder().setId(token.getId()); 132 builder.setIssuedAt(token.getCreateTime()); // Token颁布的时间 133 builder.setExpiration(token.getExpiredIn()); // Token失效的时间 134 135 builder.setIssuer(mid); //发行者 授权者"ssqian.com.cn" 136 builder.setSubject("hand-sign"); //主题 137 builder.setAudience(token.toJSONString()); // 观众 138 builder.signWith(alg, signingKey); 139 140 token.setValue(builder.compact()); 141 return token; 142 143 } 144 145 public static byte[] rsaSign(byte[] data, String privateKey) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException { 146 // 解密由base64编码的私钥 147 byte[] privateKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(privateKey); 148 149 // 构造PKCS8EncodedKeySpec对象 150 PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(privateKeyBytes); 151 152 // KEY_ALGORITHM 指定的加密算法 153 KeyFactory keyFactory = KeyFactory.getInstance("RSA"); 154 155 // 取私钥匙对象 156 PrivateKey priKey = keyFactory.generatePrivate(pkcs8KeySpec); 157 158 // 用私钥对信息生成数字签名 159 Signature signature = Signature.getInstance("SHA1withRSA"); 160 signature.initSign(priKey); 161 signature.update(data); 162 163 return signature.sign(); 164 } 165 166 167 }