API authentication with JWT (JSON Web Token) - OLCMS

    Suppose www.olcms.com/getUserInfo returns the current user's information. How do you know who the current user is? Someone will say: at login I write the UID into the session. But an API endpoint has no session, so the UID has to travel in the request parameters, and if it travels there in the clear, what about security? We need to encode it into a string that outsiders cannot read, and that is what a JWT (JSON Web Token) is; you can think of it as the access token in the WeChat SDK (it really is the same kind of thing). You could write JWT encoding and decoding yourself, but there is no need to reinvent the wheel: search GitHub for "jwt" and you find lcobucci/jwt, which looks widely used. Good, let's walk through a rough demo with TP (ThinkPHP).

    Download ThinkPHP 3.2.3

    Install lcobucci/jwt

    Create a new composer.json

    {
        "name": "olcms jwt demo",
        "description": "just a jwt demo with tp",
        "type": "demo",
        "keywords": ["jwt","tp"],
        "homepage": "https://www.olcms.com/",
        "license": "Apache2",
        "authors": [
            {
                "name": "olcms",
                "email": "admin@olcms.com"
            }
        ],
        "require": {
            "lcobucci/jwt" : "*"
        }
    }

    Run composer update (for installing composer itself see https://www.olcms.com/2015)

    Open index.php and load composer's autoloader before loading ThinkPHP

    // composer autoloader
    require 'vendor/autoload.php';
    
    // Include the ThinkPHP entry file
    require './ThinkPHP/ThinkPHP.php';

    Generating and using a JWT

    IndexController.class.php

    <?php
    namespace Home\Controller;
    
    use Think\Controller;
    use Lcobucci\JWT\Builder;
    
    class IndexController extends Controller {
    
        public function index(){
            // set() and getToken() are the lcobucci/jwt 3.x Builder API
            $token = (new Builder())
                            ->set('uid', 1) // Configures a new claim, called "uid"
                            ->getToken(); // Retrieves the generated token; without sign() the header says alg "none"
            echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
        }
    
    }

    Visit it in the browser and we see the generated JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1aWQiOjF9. Refresh the page; notice anything? It did not change. Hmm, not secure enough, so let's modify the code again.

    <?php
    namespace Home\Controller;
    
    use Think\Controller;
    use Lcobucci\JWT\Builder;
    use Lcobucci\JWT\Signer\Hmac\Sha256;
    
    class IndexController extends Controller {
    
        public function index(){
            $signer = new Sha256();
            $token = (new Builder())
                            ->set('uid', 1) // Configures a new claim, called "uid"
                            ->setExpiration(time() + 3600) // "exp" claim: one hour from now
                            ->sign($signer, 'olcms') // creates an HMAC-SHA256 signature using "olcms" as the key
                            ->getToken(); // Retrieves the generated token
            echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
        }
    
    }

    The generated JWT, eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsImV4cCI6MTQ2MDYwNjk0Mn0.GdbEXStqQR-5zofQVmorrB4U3yuyCYDdX-jFu58dPpY, now also changes on every refresh -_-

    Reading information back out of the JWT

    <?php
    namespace Home\Controller;
    
    use Think\Controller;
    use Lcobucci\JWT\Builder;
    use Lcobucci\JWT\Signer\Hmac\Sha256;
    use Lcobucci\JWT\Parser;
    
    class IndexController extends Controller {
    
        public function index(){
            $signer = new Sha256();
            $token = (new Builder())
                            ->set('uid', 1) // Configures a new claim, called "uid"
                            ->setExpiration(time() + 3600)
                            ->sign($signer, 'olcms') // creates an HMAC-SHA256 signature using "olcms" as the key
                            ->getToken(); // Retrieves the generated token
            echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
    
            // Read information back out of the JWT
            $token = (new Parser())->parse((string) $token); // Parses from a string
            // NOTE: parse() only decodes the token, it does not check the signature or "exp".
            // Before trusting any claim from a client-supplied token, verify it first
            // (in lcobucci/jwt 3.x: $token->verify($signer, 'olcms')).
            echo $token->getClaim('uid'); // will print "1"
        }
    
    }

    Rough overall logic

    The user logs in, the server generates a JWT, stores it in memcache or a similar cache and returns it; every request from the client must carry the JWT.
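    The three stages the post walks through (an unsigned token, an HS256-signed token with "exp", and reading the claims back) plus the login/cache flow just described, as an added Python example using only the standard library. This is not the post's code and not lcobucci/jwt; the key b"olcms", the dict standing in for memcache, and all function names are assumptions. It goes one step further than the post: verify_hs256() is the check the Parser snippet omits, pinning the algorithm to HS256 (so the alg "none" token from the first step is refused), comparing the signature in constant time and enforcing "exp". Note that the payload is only base64url-encoded, not encrypted; anyone holding the token can read "uid", and only the signature stops them from changing it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key: stands in for the 'olcms' string the post hands to sign().
SECRET = b"olcms"

# Stand-in for the memcache the post mentions: token string -> uid. A real deployment
# would use memcache/redis; this dict only illustrates the issue/check/revoke flow.
TOKEN_CACHE = {}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Compact JSON (no whitespace, insertion order), the form lcobucci's Builder emitted."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def unsigned_token(claims: dict) -> str:
    """First token in the post: alg "none" and an empty signature segment. Anyone can mint this."""
    return f"{encode_segment({'typ': 'JWT', 'alg': 'none'})}.{encode_segment(claims)}."


def hs256_token(claims: dict, secret: bytes) -> str:
    """Second token in the post: HMAC-SHA256 over 'header.payload' with the shared secret."""
    signing_input = f"{encode_segment({'typ': 'JWT', 'alg': 'HS256'})}.{encode_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if the token is well-formed, signed with `secret` and unexpired.

    Raises ValueError otherwise. This is the step the post's Parser snippet does not perform:
    parsing a JWT merely decodes base64 and proves nothing about who produced it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server pins the algorithm; the token is never allowed to choose it
    # (that is what makes the alg "none" token above unacceptable).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False


# The flow the post sketches: login issues a JWT and records it; every API call presents it.
def login(uid: int, now: int, ttl: int = 3600) -> str:
    token = hs256_token({"uid": uid, "exp": now + ttl}, SECRET)
    TOKEN_CACHE[token] = uid
    return token


def get_user_info(token: str, now: int) -> Optional[int]:
    """The /getUserInfo check: signature and exp first, then the cache, which lets the
    server revoke a token (logout) before it expires."""
    if not is_valid(token, SECRET, now):
        return None
    return TOKEN_CACHE.get(token)


def logout(token: str) -> None:
    TOKEN_CACHE.pop(token, None)


if __name__ == "__main__":
    print(unsigned_token({"uid": 1}))
    t = login(1, now=1460603342)
    print(t, get_user_info(t, now=1460603342 + 10))
```

    unsigned_token({"uid": 1}) reproduces the post's first token exactly, trailing dot included (that dot is the empty signature segment), and the header and payload segments of hs256_token() match the second token; only the signature differs if the key is not the same bytes.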

    Original post: https://www.cnblogs.com/wzjwffg/p/9884012.html