This chapter complete source address: Https://github.com/kwang2003/springcloud-study-ch08.git 1. Project Summary The content of this chapter is based on the seventh chapter of the code as a https://github.com/ Kwang2003/springcloud-study-ch07.git. Traditional Web applications, we usually through the cookie+session mechanism to ensure the security of the call, without authentication, automatically redirect to the login page or call the failure page, and now the entire architecture programming micro-service mode, Cookies and session mechanisms have not been able to meet the needs of the protection API, and more cases adopt token verification mechanism, JWT is also a kind of token. Jwt:json Web Token is a JSON-style lightweight licensing and authentication specification that enables stateless, distributed Web application authorization. The contents of JWT are composed of three parts, namely, Header,payload,signature and three parts. Split, for example xxxxx.yyyyyy.zzzzz header header headers generally consist of 2 parts of ALG and Typ, ALG is a cryptographic algorithm, such as HMAC or Sha256,typ, which is a token type, takes a value of JWT, a header example {"ALG": "HS256", "Typ": "JWT"} and then the header portion is BASE64 encoded, and the value of the first part is obtained Eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9. {PAYLOAD}. {SIGNATURE} The Payload content part Payload is the JWT that stores the information, contains the declaration that registers in the declared public declaration standard that registers in the three kinds of content standard declaration ISS:JWT the user AUD that the issuer SUB:JWT is facing: receives JWT's expiration time of the party EXP:JWT NBF: Defines the time before which the JWT is unavailable IAT:JWT The unique identification of the issuing time JTI:JWT, primarily as a one-time token, to avoid replay attacks public statements: can store any information, according to the actual needs of the business to add, such as User ID, name, etc., But do not store proprietary statements of sensitive information: private sound is a statement shared by providers and consumers, and does not recommend storing sensitive information as an example: Define a payload: {"sub": "1234567890", "name": "John Doe", "admin": true} to Its intoLine Base64 code to get the second part Eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyjzdwiioiixmjm0nty3odkwiiwibmftzsi6ikpvag4grg9liiwiywrtaw4ionrydwv9. {SIGNATURE} The signature portion of the Signature token consists of three parts of the 256 signature var encodedstring = Base64urlencode (header) + '. ' + base64urlencode (payload); var signature = HMACSHA256 (encodedstring, ' secret '); Get the final token string EyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBa Generate JWT Token A in b30rmhrhdcefxjoyzgefonfh7hgq 2.oauth2-server Keytool generate certificates through Keytool-genkeypair-alias kevin_key-keyalg Rsa-keypass 123456-keystore Kevin_key.jks-storepass 123456
View certificate information: Keytool-list-v-keystore kevin_key.jks-storepass 123456
View Public key information Keytool-list-rfc-keystore Kevin_key.jks-storepass 123456
b placing the generated KEVIN_KEY.JKS files in the srce/main/resources directory of the Oauth2-server project
c) Add JWT related jar pack dependencies <dependency> <groupId>org.springframework.security</groupId> <artifactId> spring-security-jwt</artifactid> </dependency> D) Add JWT token related configuration in OAuth2 server-side configuration core class Authorizationserverconfiguration
3. Test Oauth2 Service http://localhost:8888/oauth/authorize?response_type=code&client_id=client&redirect_uri= http://baidu.com&state=123 appear login page, enter username: admin password; 123456
Click the Submit button to enter the user authorization confirmation page
Click Approve, jump to the Baidu page, followed by the code and State parameters https://www.baidu.com/?code=F7LsMB&state=123
In exchange for Access_code according to code, pay attention to using POST method Http://localhost:8888/oauth/token?client_id=client&grant_type=authorization_ Code&redirect_uri=http://baidu.com&code= F7LSMB Note that this code is consistent with the code obtained in the previous step
Username input client, password is secret, click OK, you can see Access_token is already JWT format characters
{"Access_token": " Eyjhbgcioijsuzi1niisinr5cci6ikpxvcj9.eyjlehaioje1mtaxnzq2mdysinvzzxjfbmftzsi6imfkbwluiiwiyxv0ag9yaxrpzxmiolsiywrtaw4ixswi Anrpijointjhogm5mtutmte2os00yzu5lwi0mmetzgy4zdm0y2qwzwu0iiwiy2xpzw50x2lkijoiy2xpzw50iiwic2nvcguiolsiyxbwil19.gecjm-fhapwz Nyyl-d3ijb0tpjhdhuxfyv782kfs9vdt0vzsu2hn-mgb-n-6hf0efz_mmz54iahjaq3ktw251v4l2o5a1r_imuup7gxs_ Qphagn3k1b4l-mnnpjdh5hhs5zyirqox2a8dxyi4zd7g8bql-9pir3kj9k_z9nw8vy9l2_x5kyoc-sehxxq5uqhm3xu6dzowbpbber7u_ Nnuwmcz5ns9yyaexsdnbbzavpqavl2s1yyqvmj5dreq2asxhfbeqhxu5uqvbbtfuogaylbfj9k-3nsgakt9nbzqbprovi3s_ X9HGJRZJHAUOJBMEK0QMBVYSBUG2HB7MNNJW "," Token_type ":" Bearer "," expires_in ": 43199," Scope ":" App "," user_name ":" Admin "," JTI ":" 52a8c915-1169-4c59-b42a-df8d34cd0ee4 "} 4.access_token information parsing the token information we get from the previous step is unreadable, but because of the header, The body is passed through the base64, so we can decode it through the Base64, and Spring Cloud also provides JWT-related tool classes to help us parse the string package Com.pachiraframework.springcloud.oauth2.config;
Import Org.junit.Test; Import ORG.SPRINGFRAMEWORK.SECURITY.JWT.JWT; Import Org.springframework.security.jwt.JwtHelper;
public class Jwttest {@Test public void Test () {String token = "Eyjhbgcioijsuzi1niisinr5cci6ikpxvcj9.eyjlehaioje1mtaxnz Q2mdysinvzzxjfbmftzsi6imfkbwluiiwiyxv0ag9yaxrpzxmiolsiywrtaw4ixswianrpijointjhogm5mtutmte2os00yzu5lwi0mmetzgy4zdm0y2qwzwu 0iiwiy2xpzw50x2lkijoiy2xpzw50iiwic2nvcguiolsiyxbwil19.gecjm-fhapwznyyl-d3ijb0tpjhdhuxfyv782kfs9vdt0vzsu2hn-mgb-n-6hf0efz _mmz54iahjaq3ktw251v4l2o5a1r_imuup7gxs_qphagn3k1b4l-mnnpjdh5hhs5zyirqox2a8dxyi4zd7g8bql-9pir3kj9k_z9nw8vy9l2_ X5kyoc-sehxxq5uqhm3xu6dzowbpbber7u_ Nnuwmcz5ns9yyaexsdnbbzavpqavl2s1yyqvmj5dreq2asxhfbeqhxu5uqvbbtfuogaylbfj9k-3nsgakt9nbzqbprovi3s_ X9HGJRZJHAUOJBMEK0QMBVYSBUG2HB7MNNJW "; JWT JWT = Jwthelper.decode (token); System.out.println (Jwt.tostring ()); } }
As we can see from this test, token already contains information about the current user, including the extra information we added to token in the Accesstokenconvertor () method user_name
