本人在最近使用到的一個項目中,權限系統使用的是Spring Cloud OAuth2,然後使用了JWT非對稱加密的授權模式。其他的資源服務器可通過http://localhost:9090/oauth/token_key來獲取publicKey,下面談一下對token進行驗籤的幾種方式:
第一種:yml配置,依賴於spring-cloud-starter-oauth2
引入依賴:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
yml配置:
security:
oauth2:
client:
client-id: orderService
client-secret: 123456
resource:
jwt:
key-uri: http://localhost:9090/oauth/token_key
第二種:代碼校驗,依賴於spring-cloud-starter-oauth2
引入依賴:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
String publicKey = "-----BEGIN PUBLIC KEY-----\n.......\n-----END PUBLIC KEY-----"; // 填寫你的publicKey
String token = "xxxx.xxxx.xxxx"; // 填寫token
System.out.println(JwtHelper.decodeAndVerify(token,new RsaVerifier(publicKey)));
第三種:代碼校驗,依賴於java-jwt
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.9</version>
</dependency>
String PUBLIC_KEY = "publicKey"
public static KeyPair getPublicKey(){
PublicKey publicKey = null;
PrivateKey privateKey = null;
try {
KeyFactory fact = KeyFactory.getInstance("RSA");
Base64 decoder = new Base64(false);
KeySpec keySpec = new X509EncodedKeySpec(decoder.decode(MiracleCodecs.utf8Encode(PUBLIC_KEY)));
publicKey = fact.generatePublic(keySpec);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
e.printStackTrace();
}
return new KeyPair(publicKey, privateKey);
}
public static void main(String[] args) {
try {
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) RSA.getPublicKey().getPublic(),(RSAPrivateKey) RSA.getPublicKey().getPrivate());
JWTVerifier verifier = JWT.require(algorithm).build();
DecodedJWT jwt = verifier.verify(PLAIN_TEXT);
} catch (JWTVerificationException exception){
//Invalid signature/claims
exception.printStackTrace();
}
}