登录科普（四）JWT的使用

JWT的SHA256和RSA256：
本篇采用java-jwt的jar包来实现JWT。主要讲解SHA256和RSA256两种方式，其他的不做讨论。java-jwt是JAVA中最安全的、使用人数最多的jar包。

maven:

<!--JWT-->
        <dependency>
            <groupId>com.auth0</groupId>
            <artifactId>java-jwt</artifactId>
            <version>3.3.0</version>
        </dependency>

HS256：

package com.kindo;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.junit.Test;

import java.io.UnsupportedEncodingException;
import java.util.Date;

/**
 * Created by lingbao08 on 2018/1/27.
 */
public class TestJWTHS256 {

   private static JWTVerifier verifier = null;

    static {
        Algorithm algorithm;
        try {
            algorithm = Algorithm.HMAC256("secret");
            verifier = JWT.require(algorithm)
                    .withIssuer("auth1")
                    .build();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    @Test
    public void testCreate() {
        try {
            Algorithm algorithm = Algorithm.HMAC256("secret");
            String token = JWT.create()
                    .withIssuer("auth1")
                    //设置自定义字段
                    .withClaim("privilege","权限1")
                    .sign(algorithm);
            System.out.println(token);
        } catch (UnsupportedEncodingException e){
            e.printStackTrace();
        } catch (JWTCreationException e){
            e.printStackTrace();
        }
    }

    @Test
    public void validateAndDecode(){
        String token =            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhdXRoMSIsInByaXZpbGlnZSI6Iuadg-mZkDEifQ.jkwTXIdG39VhzDEqEn090MAciuYYNVCGohwd_qJsH-k";
        try {
            DecodedJWT jwt = verifier.verify(token);
            //从jwt中可以直接获取规定的字段，比如issuser,issUsedAt等字段
            String issuer = jwt.getIssuer();
            //自定义字段的获取
            Claim privilege = jwt.getClaim("privilege");
            //在不设置日期时，日期为null
            Date expiresAt = jwt.getExpiresAt();
            System.out.println(expiresAt);
            System.out.println(issuer);
            System.out.println(privilige.asString());
        } catch (JWTVerificationException e){
            e.printStackTrace();
        }
    }
}

RSA256:
首先需要一个RSA工具：

public class RSAUtil {

    //非对称密钥算法
    public static final String KEY_ALGORITHM="RSA";


    /**
     * 密钥长度，DH算法的默认密钥长度是1024
     * 密钥长度必须是64的倍数，在512到65536位之间
     * */
    private static final int KEY_SIZE=1024;
    //公钥
    public static final String PUBLIC_KEY="RSAPublicKey";

    //私钥
    public static final String PRIVATE_KEY="RSAPrivateKey";

    /**
     * 初始化密钥对
     * @return Map 甲方密钥的Map
     * */
    public static Map<String,Object> initKey() throws Exception{
        //实例化密钥生成器
        KeyPairGenerator keyPairGenerator=KeyPairGenerator.getInstance(KEY_ALGORITHM);
        //初始化密钥生成器
        keyPairGenerator.initialize(KEY_SIZE);
        //生成密钥对
        KeyPair keyPair=keyPairGenerator.generateKeyPair();
        //甲方公钥
        RSAPublicKey publicKey=(RSAPublicKey) keyPair.getPublic();
        //甲方私钥
        RSAPrivateKey privateKey=(RSAPrivateKey) keyPair.getPrivate();
        //将密钥存储在map中
        Map<String,Object> keyMap=new HashMap<>(2);
        keyMap.put(PUBLIC_KEY, publicKey);
        keyMap.put(PRIVATE_KEY, privateKey);
        return keyMap;

    }
}

测试RSA256：

@RestController
public class RSAController {
    public static final String ISSUER = "签发人";
    private static Algorithm algorithm;
    private static RSAPublicKey publicKey;
    private static RSAPrivateKey privateKey;
/**
 * 计算密钥
 **/
@RequestMapping("/calculate")
    public void calculate(){

        Map<String, Object> stringObjectMap = null;
        try {
            stringObjectMap = RSACoder.initKey();
        } catch (Exception e) {
            e.printStackTrace();
        }
        publicKey = (RSAPublicKey) stringObjectMap.get(RSACoder
                .PUBLIC_KEY);

        privateKey = (RSAPrivateKey) stringObjectMap.get(RSACoder.PRIVATE_KEY);
        algorithm = Algorithm.RSA256(publicKey, privateKey);
    }
/**
 * 生成JWT
 **/  
@RequestMapping("create")
    public void testCreate() throws Exception {
        try {
            String token = JWT.create()
                    .withIssuer(ISSUER)
                    .sign(algorithm);
            System.out.println(token);
        } catch (JWTCreationException exception) {
            exception.printStackTrace();
        }
    }
/**
 * 校验JWT
 **/
    @RequestMapping("validate")
    public void validateAndDecode(@RequestParam("token") String token) {
        try {
            JWTVerifier verifier = JWT.require(algorithm)
                    .withIssuer(ISSUER)
                    .build();
            DecodedJWT jwt = verifier.verify(token);
            String issuer = jwt.getIssuer();
            System.out.println(issuer);
        } catch (JWTVerificationException e) {
            e.printStackTrace();
        }
    }
}

ps：RS256的额外参数参见HS256.

springboot+spring security +io.jwt：参见链接：https://segmentfault.com/a/1190000009231329。