使用token替换session保存信息,防篡改
1.token三部分
header
{
"typ": "JWT",
"alg": "HS256"
}
payload
{
"iss": "ninghao.net",
"exp": "1438955445",
"name": "wanghao",
"admin": true
}
iss:Issuer,发行者
sub:Subject,主题
aud:Audience,观众
exp:Expiration time,过期时间
nbf:Not before
iat:Issued at,发行时间
jti:JWT ID
signature
先是用 Base64 编码的 header.payload ,再用加密算法加密一下,加密的时候要放进去一个 Secret ,这个相当于是一个密码,这个密码秘密地存储在服务端。
2.Base64 编码
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc
3.token生成 验证
生成token
1 import java.lang.reflect.Field;
2 import java.lang.reflect.Modifier;
3 import java.security.Key;
4 import java.util.Date;
5 import java.util.TreeMap;
6 import java.util.UUID;
7
8 import com.alibaba.fastjson.JSONObject;
9
10 import io.jsonwebtoken.JwtBuilder;
11 import io.jsonwebtoken.Jwts;
12 import io.jsonwebtoken.SignatureAlgorithm;
13
14 public class SignToken {
15 private String id; // token对外的ID号
16
17 private String mid; // 开发者编号
18 private String docId; // 合同编号
19 private String devId; // 签约的ID号码
20
21 private Date createTime; // Token的创建时间
22 private Date expiredIn; // Token的过期时间
23
24 private String value; // token的值
25
26 public SignToken(String mid, String docId, String devId) {
27 this.id=getUID();
28 this.mid = mid;
29 this.docId = docId;
30 this.devId = devId;
31 }
32
33
34 public static synchronized String getUID() {
35 UUID uuid = UUID.randomUUID();
36 return uuid.toString().replace("-", "");
37 }
38
39
40 /////////////////////////////////////////////////////////
41 public void setData(String jsonString) {
42 JSONObject json = JSONObject.parseObject(jsonString);
43 this.setData(json);
44 }
45 public String toJSONString() {
46 return this.toJSONObject().toJSONString();
47 }
48
49 public void setData(JSONObject json) {
50 Class<?> clazz = this.getClass();
51 for (String name: json.keySet()) {
52 Object value = json.get(name);
53 try {
54 Field field = clazz.getDeclaredField(name);
55 field.setAccessible(true);
56 field.set(this, value);
57 } catch (IllegalArgumentException e) {
58 e.printStackTrace();
59 } catch (IllegalAccessException e) {
60 e.printStackTrace();
61 } catch (NoSuchFieldException e) {
62 e.printStackTrace();
63 } catch (SecurityException e) {
64 e.printStackTrace();
65 }
66 }
67 }
68
69 public JSONObject toJSONObject() {
70 Field[] fields = this.getClass().getDeclaredFields();
71 if (fields.length == 0) {
72 return null;
73 }
74 TreeMap<String, Object> map = new TreeMap<String, Object>();
75 for (int i = 0; i < fields.length; i++) {
76 Field field = fields[i];
77 int modifier = field.getModifiers();
78 //if (!Modifier.isPublic(modifier) || Modifier.isStatic(modifier) || Modifier.isFinal(modifier)) {
79 // continue;
80 //}
81 if (Modifier.isStatic(modifier) || Modifier.isFinal(modifier)) {
82 continue;
83 }
84 field.setAccessible(true);
85 String name = field.getName();
86 Object value = null;
87 try {
88 value = field.get(this);
89 } catch (IllegalArgumentException e) {
90 continue;
91 } catch (IllegalAccessException e) {
92 continue;
93 }
94 map.put(name, value);
95 }
96 JSONObject object = new JSONObject(map);
97 return object;
98 }
99
100
101
102 public String getId() {
103 return id;
104 }
105
106 public void setId(String id) {
107 this.id = id;
108 }
109
110 public String getMid() {
111 return mid;
112 }
113
114 public void setMid(String mid) {
115 this.mid = mid;
116 }
117
118 public String getDocId() {
119 return docId;
120 }
121
122 public void setDocId(String docId) {
123 this.docId = docId;
124 }
125
126 public String getDevId() {
127 return devId;
128 }
129
130 public void setDevId(String devId) {
131 this.devId = devId;
132 }
133
134 public Date getCreateTime() {
135 return createTime;
136 }
137
138 public void setCreateTime(Date createTime) {
139 this.createTime = createTime;
140 }
141
142 public Date getExpiredIn() {
143 return expiredIn;
144 }
145
146 public void setExpiredIn(Date expiredIn) {
147 this.expiredIn = expiredIn;
148 }
149
150 public String getValue() {
151 return value;
152 }
153
154 public void setValue(String value) {
155 this.value = value;
156 }
157
158 }
验签
1 package cn.bestsign.mixed.token;
2
3 import java.security.InvalidKeyException;
4 import java.security.Key;
5 import java.security.KeyFactory;
6 import java.security.KeyPair;
7 import java.security.KeyPairGenerator;
8 import java.security.NoSuchAlgorithmException;
9 import java.security.PrivateKey;
10
11 import java.security.Signature;
12 import java.security.SignatureException;
13 import java.security.interfaces.RSAPrivateKey;
14 import java.security.interfaces.RSAPublicKey;
15 import java.security.spec.InvalidKeySpecException;
16 import java.security.spec.PKCS8EncodedKeySpec;
17 import java.security.spec.X509EncodedKeySpec;
18 import java.util.Base64;
19 import java.util.Date;
20 import java.util.HashMap;
21 import java.util.Map;
22
23 import javax.xml.bind.DatatypeConverter;
24
25 import org.junit.Test;
26
27 import cn.gov.shnotary.fingerprint.service.PublicKey;
28 import io.jsonwebtoken.Jwt;
29 import io.jsonwebtoken.JwtBuilder;
30 import io.jsonwebtoken.Jwts;
31 import io.jsonwebtoken.SignatureAlgorithm;
32 import io.jsonwebtoken.impl.crypto.RsaProvider;
33 import net.sf.json.JSONObject;
34
35 public class SignTokenTest {
36
37 @Test
38 public void generateTokenTest3() throws Exception {
39 String pubKey="xxx";
40 String priKey="xxx";
41 byte[] privateKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(priKey);
42 byte[] pubKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(pubKey);
43
44 PrivateKey privateKey = getPrivateKey("RSA", privateKeyBytes);
45 java.security.PublicKey publicKey = getPublicKey("RSA", pubKeyBytes);
46
47 SignToken token1 = generateToken("E0000000000000000009", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey);
48 System.out.println(token1.getValue());
49 String tokenString = token1.getValue();
50 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString);
51 System.out.println(jwt.getHeader());
52 System.out.println(jwt.getBody());
53 Jwt jwt = verifyToken(pubKey, token1.getValue());
54 System.out.println(jwt.getHeader());
55 System.out.println(jwt.getBody());
56 JSONObject json = JSONObject.fromObject(jwt.getBody());
57 JSONObject aud = json.getJSONObject("aud");
58 System.out.println(aud);
59 }
60
61 public static PrivateKey getPrivateKey(String KEY_ALGORITHM, byte[] priKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
62 KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
63 PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(priKey);
64 return keyFactory.generatePrivate(pkcs8KeySpec);
65 }
66
67 public static java.security.PublicKey getPublicKey(String KEY_ALGORITHM, byte[] pubKey) throws InvalidKeySpecException, NoSuchAlgorithmException {
68
69 X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(pubKey);
70 KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
71 return keyFactory.generatePublic(x509KeySpec);
72 }
73
74 @Test
75 public void generateTokenTest2() throws Exception {
76 String pubKey="";
77 String priKey="";
78
79 KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
80 // 初始化密钥对儿生成器
81 keyPairGen.initialize(512);
82 // 生成密钥对儿
83 KeyPair keyPair = keyPairGen.generateKeyPair();
84 RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
85 RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
86
87 SignToken token1 = generateToken("460cfedac66149c2a832e66fa1de28a6", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey);
88 System.out.println(token1.getValue());
89 String tokenString = token1.getValue();
90 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString);
91 System.out.println(jwt.getHeader());
92 System.out.println(jwt.getBody());
93 }
94
95
96
97 @Test
98 public void generateTokenTest1() throws Exception {
99 KeyPair kp = RsaProvider.generateKeyPair(512);
100 java.security.PublicKey publicKey = kp.getPublic();
101 PrivateKey privateKey = kp.getPrivate();
102
103 SignToken token1 = generateToken("460cfedac66149c2a832e66fa1de28a6", "101101-00000004", "13003618788", 7, SignatureAlgorithm.RS256, privateKey);
104 System.out.println(token1.getValue());
105 String tokenString = token1.getValue();
106
107 // String tokenInfo[] = tokenString.split("\\.");
108 // for (String str : tokenInfo) {
109 //
110 // // String info = new String(Base64.getDecoder().decode(str));
111 // // System.out.println(info);
112 // }
113
114 Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(tokenString);
115 System.out.println(jwt.getHeader());
116 System.out.println(jwt.getBody());
117
118 // Jwts.parser().setSigningKey(publicKey).parseClaimsJws(jwt).getBody();
119
120 }
121
122 public SignToken generateToken(String mid, String docId, String devId, long delay, SignatureAlgorithm alg, Key signingKey) {
123 SignToken token = new SignToken(mid, docId, devId);
124 // 定义开始时间
125 Date now = new Date();
126 Date end = new Date(now.getTime() + delay * 24 * 60 * 60 * 1000);
127 token.setCreateTime(now);
128 token.setExpiredIn(end);
129
130 // 构建一个Token
131 JwtBuilder builder = Jwts.builder().setId(token.getId());
132 builder.setIssuedAt(token.getCreateTime()); // Token颁布的时间
133 builder.setExpiration(token.getExpiredIn()); // Token失效的时间
134
135 builder.setIssuer(mid); //发行者 授权者"ssqian.com.cn"
136 builder.setSubject("hand-sign"); //主题
137 builder.setAudience(token.toJSONString()); // 观众
138 builder.signWith(alg, signingKey);
139
140 token.setValue(builder.compact());
141 return token;
142
143 }
144
145 public static byte[] rsaSign(byte[] data, String privateKey) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException {
146 // 解密由base64编码的私钥
147 byte[] privateKeyBytes = org.apache.commons.codec.binary.Base64.decodeBase64(privateKey);
148
149 // 构造PKCS8EncodedKeySpec对象
150 PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
151
152 // KEY_ALGORITHM 指定的加密算法
153 KeyFactory keyFactory = KeyFactory.getInstance("RSA");
154
155 // 取私钥匙对象
156 PrivateKey priKey = keyFactory.generatePrivate(pkcs8KeySpec);
157
158 // 用私钥对信息生成数字签名
159 Signature signature = Signature.getInstance("SHA1withRSA");
160 signature.initSign(priKey);
161 signature.update(data);
162
163 return signature.sign();
164 }
165
166
167 }
时间: 2024-11-04 17:36:40