堆栈内存溢出
  繁体   English   中英

如何在Spring Boot中从旧令牌生成新的JWT令牌?

[英]How to generate new JWT token from old token in Spring Boot?

 原文  2019-09-10 10:44:08       java/ spring-boot/ jwt/ jwt-auth

问题描述

我正在像这样使用WebSecurityConfigurerAdapter 

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
    private UserDetailServiceImpl userDetailsService;
    private BCryptPasswordEncoder bCryptPasswordEncoder;
    private ApplicationUserRepository applicationUserRepository;

    public WebSecurity(UserDetailServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder, ApplicationUserRepository applicationUserRepository) {
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
        this.applicationUserRepository = applicationUserRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling().authenticationEntryPoint(new AuthExceptionEntryPoint());
        http.cors().and().csrf().disable().authorizeRequests()
                .antMatchers(""/configuration/ui",
                        "/configuration/security" 
                        "/webjars/**", "/users/social-sign-up", "client/**","/actuator/**",
                        "/instances","/assets/**","/home","/tables","/resources/**","/static/**",
                        "/css/**","/js/**","/scss/**","/templates").permitAll()
                .antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_VERIFY_URL).permitAll()
                .antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_URL).permitAll().anyRequest().authenticated()
                .and().addFilter(new JWTAuthenticationFilter(authenticationManager(), applicationUserRepository))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                // this disables session creation on Spring Security

                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }



}

然后我有一个像这样的BasicAuthenticationFilter 

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    public JWTAuthorizationFilter(AuthenticationManager authManager) {
        super(authManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = req.getHeader(SecurityConstants.HEADER_STRING);

        if (header == null || !header.startsWith(SecurityConstants.TOKEN_PREFIX)) {
            chain.doFilter(req, res);
            return;
        }

        UsernamePasswordAuthenticationToken authentication = getAuthentication(req);

        SecurityContextHolder.getContext().setAuthentication(authentication);
        chain.doFilter(req, res);
    }

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
        String token = request.getHeader(SecurityConstants.HEADER_STRING);
        if (token != null) {
            // parse the token.
            String user = JWT.require(Algorithm.HMAC512(SecurityConstants.SECRET.getBytes())).build()
                    .verify(token.replace(SecurityConstants.TOKEN_PREFIX, "")).getSubject();

            if (user != null) {
                return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
            }
            return null;
        }
        return null;
    }
}

然后我有这样的UsernamePasswordAuthenticationFilter 

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private AuthenticationManager authenticationManager;
    private ApplicationUserRepository applicationUserRepository;
    public JWTAuthenticationFilter(AuthenticationManager authenticationManager,ApplicationUserRepository applicationUserRepository) {
        this.authenticationManager = authenticationManager;
        this.applicationUserRepository = applicationUserRepository;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException {
        try {

            ApplicationUser creds = new ObjectMapper().readValue(req.getInputStream(), ApplicationUser.class);
            System.err.println("Creds " + creds.getUsername() + ", " + creds.getPassword());

            return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds.getUsername(),
                    creds.getPassword(), new ArrayList<>()));
        } catch (Exception e) {
            // e.printStackTrace();
            throw new RuntimeException(e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain,
            Authentication auth) throws IOException, ServletException {

        String token = JWT.create().withSubject(((User) auth.getPrincipal()).getUsername())
                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).sign(HMAC512(SECRET.getBytes()));
        res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
        res.setStatus(HttpServletResponse.SC_OK);
        String userName = ((User)auth.getPrincipal()).getUsername();
        ApplicationUser au= applicationUserRepository.findByUsername(userName);
        String json = new ObjectMapper().writeValueAsString(au);
        res.getWriter().write(json);
        res.getWriter().flush();
        res.getWriter().close();



    }
}

我能够在HEADER中生成JWT令牌。 像这样 

Authorization →Bearer awgaagarbrqe342tewrbwrewh.23tebvre34h4wbseb43qberqbqv.23gwrwvw4hw5445jmet76e-gqgqggq323t9003qgnibqp2389bvqp9q83bv9

我要实现的目标是,只要令牌过期,发送最新过期令牌的客户端将根据他们发送的令牌获得一个新令牌。 所以我的问题是,如何生成刷新令牌或将旧的过期令牌生成新令牌的机制?

1 个解决方案

解决方案1
 0  2019-09-10 14:57:05

这样做会削弱应用程序的安全性,因为可以从过期的令牌(无效的令牌)中检索新令牌。 因此,您应该尝试不要这样做。

如果必须这样做,请在数据库中保留一个表,其中包含令牌及其有效性,然后当您收到无效的jwt令牌异常时,请进入db检查该令牌,并查看其何时过期。 如果是5分钟前,那么您可能可以续订,否则请不要续订。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从弹簧启动生成jwt令牌以进行角度应用 如何在 Spring Boot 中使用 Facebook 凭据生成 JWT 令牌 Spring Boot:过期后如何生成新的访问令牌? 如何为整个Spring Boot应用程序生成令牌 从 JWT 令牌获取 Spring Boot 资源服务器中的主体 Spring Boot:如何验证 Azure B2C JWT 令牌 如何模拟 JWT 令牌以将其与 Mockito 和 Spring 引导一起使用 如何在 Spring Boot 中的 Rsocket 客户端的元数据中传递 JWT 令牌 Spring 启动 oauth2:无 userInfo 端点 - 如何直接在客户端从 JWT 访问令牌加载身份验证(主体) Spring 中的 JWT 令牌启动配置问题
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM