JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

The above is jwt Introduction to the official website of , Simply speaking , Use jwt, Can safely transmit information ,jwt Can be verified . In our system ,jwt Mainly used to authorize .

jwt structure

JWT It's made up of three parts , Namely Header、Payload、Signature, Use points in the middle to separate .

JWT The first part It's the head part , It's a description JWT Metadata Json object , Usually as follows .

{
    "alg": "HS256",
    "typ": "JWT"
}

alg Property indicates the algorithm used for signature , The default is HMAC SHA256（ Written as HS256）,typ Property indicates the type of token ,JWT Token is uniformly written as JWT.

Last , Use Base64 URL The algorithm will JSON Object to string save .

JWT The second part yes Payload, Also a Json object , In addition to containing the data to be transmitted , There are seven default fields to choose from .

Namely ,iss： The issuer 、exp： Due time 、sub： The theme 、aud： user 、nbf： Not available until 、iat： Release time 、jti：JWT ID Used to identify the JWT.

JWT The third part It's a signature . This is how it was generated , First, you need to specify a secret, The secret Save only in the server , Make sure that other users don't know . And then use Header The specified algorithm pair Header and Payload Calculate , Then you get a signature hash . That is to say Signature.

jwt advantage

Talking about jwt, We often follow the traditional session Scheme comparison ,jwt One obvious advantage of is statelessness , Generally speaking , That is, the server does not need to be specific to each ” Sign in “ Users to store additional information for user authorization . Sent out jwt You don't need to know what it is , It only needs to be parsed according to the established parsing method .（ But statelessness is not as beautiful as you think , It also brings many problems , For example, without introducing additional measures , To make a jwt I'm afraid it's difficult to fail , It means , Even if the user logs out , If jwt It's not time to expire , You can still access the interface normally with it ）

Besides ,jwt There are other advantages ： It has fundamentally prevented CSRF attack （jwt Not like the front end cookie So transparent , You can take jwt Put it in header Carry and send out ）, Suitable for mobile applications （ Do not rely on cookie..), Easy to achieve single sign on, etc .

Add dependency

        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.0</version>
        </dependency>

Create a tool class

Further , To make it easier for us to create jwt, You can define a tool class （ Methods can be defined as follows ）

    public static String createJWT(String subject, Long ttlMillis,String decodeKey) {
        JwtBuilder builder = getJwtBuilder(subject, ttlMillis, getUUID(),decodeKey);//  Set expiration time 
        return builder.compact();
    }

    private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid, String decodeKey) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        SecretKey secretKey = generalKey(decodeKey);
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);
        if(ttlMillis==null){
            ttlMillis=JwtUtil.JWT_TTL;
        }
        long expMillis = nowMillis + ttlMillis;
        Date expDate = new Date(expMillis);
        return Jwts.builder()
                .setId(uuid)              // Unique ID
                .setSubject(subject)   //  The theme    It can be JSON data 
                .setIssuer("wodeqianming")     //  Issuer 
                .setIssuedAt(now)      //  The issuance of time 
                .signWith(signatureAlgorithm, secretKey) // Use HS256 Symmetric encryption algorithm signature ,  The second parameter is the secret key 
                .setExpiration(expDate);     // Expiration time 
    }