Integrate JWT in SpringBoot to realize Token verification (Integration)
JSON web token (JWT) is a JSON-based open standard ((RFC 7519) implemented to transfer claims between web application environments. The token is designed to be compact and secure, especially suitable for single-spots on distributed sites. Sign-on (SSO) scenario.
JWT statements are generally used to pass the authenticated user identity information between the identity provider and the service provider, in order to obtain resources from the resource server, and can also add some additional business logic necessary, The token can also be used for authentication directly, or it can be encrypted.
Why do we need JWT?
When we develop a front-end and back-end separation project, we are required to perform a stateless process on the user session state. Then we know that ordinary web projects are often used to manage user sessions. Sessions are often used by the server every time the user authenticates with the server. Send a sessionid to the user.
The session is stored on the server. The server distinguishes the user through the session and performs a series of operations such as authorization authentication. After each request, the sessionid will be returned to the browser in the response header, and the browser will store the sessionid in the cookie. Each subsequent request will carry the sessionid information in the request header, and the server will use this sessionid as The index gets the specific session.
Then there will be a pain point in the scenario described above. When we separate the front and back end, our front-end projects and back-end projects are deployed separately, and even Nginx is used to proxy forwarding, which means that the front-end and back-end separation is increased after the application is decoupled. The complexity of deployment is reduced.
Usually, the user has to forward multiple times for one request. If you use the session to carry the sessionid to the server every time, the server will also query user information. At the same time if there are many users. This information is stored in the server’s memory, which increases the burden on the server. There is also a CSRF (Cross-Site Request Forgery Attack) attack.
The session is based on cookies for user identification. If the cookie is intercepted, the user will be vulnerable to cross-site request forgery attacks. Also, sessionid is a characteristic value, and the information expressed is not rich enough. Not easy to expand. And if your back-end application is a multi-node deployment. Then you need to implement a session sharing mechanism. It is not convenient for cluster applications.
Application scenarios of JWT
JWT is one of the solutions to the above pain points. When the client requests the server to log in, the server verifies the user’s account and password. After the verification is successful, the token is generated and returned to the client. After that, every operation of the browser will be requested with this token in the header, the server will verify the token information, and the resource will be returned to the browser after the verification is successful.
The overhead of JWT is very small and can be easily transmitted in different domain names, so it is widely used in single sign-on (SSO). Information exchange is a very safe way to use JWT to encode data between the two parties in the communication. , Because its information is signed, it can ensure that the information sent by the sender has not been forged.
Introduce JWT dependency
Tools include: create token, verify token, obtain user id, etc.
We can see that the following parameters are used in the creation of the token:
- Algorithm: HS256
- Type: jwt
- withAudience: Add a specific audience (“aud”) statement to the payload, where we can put some user information, such as userid
- withClaim: add a custom claim value, we use the user’s account and password to encrypt together to generate jwt
- withExpiresAt: timeout time setting, the token will be invalid when timeout
- withIssuedAt: Issued time, generally set to the current time
- sign: signature, we can customize the signature and algorithm
- First of all, we must first obtain the HttpServletRequest request object, the tool class is placed below.
- Get the token information from the request header, and get the value according to the key (Authorization).
- Then use the signature to encrypt the algorithm to obtain the verification object of jwt, and JWTVerifier.verify(token) is used to verify the correctness of the token.
- We can also get the information we put when creating the token from the DecodedJWT object obtained by verification, for example, userid.
Get HttpServletRequest object tool class
Custom JSON object tool class
We have integrated JWT in SpringBoot to implement Token verification