ShiroJwt

Front-end address: https://github.com/wang926454/VueStudy/tree/master/VueStudy08-JWT

1. #14 Will repeated requests generate multiple tokens?
2. #19 Cross-domain sso issue
3. #29 Token refresh concurrent processing

If you have any questions, please scan the code and join the QQ group to communicate: 779168604

• JavaDoc: https://apidoc.gitee.com/dolyw/ShiroJwt
• Interface document: https://note.dolyw.com/shirojwt/ShiroJwt-Interface.html
• Tutorial directory: https://note.dolyw.com/shirojwt
• Change to database form (MySQL): https://note.dolyw.com/shirojwt/ShiroJwt02-MySQL.html
• Solve the problem that the 401 error cannot be returned directly: https://note.dolyw.com/shirojwt/ShiroJwt03-401.html
• Implement Shiro's Cache (Redis) function: https://note.dolyw.com/shirojwt/ShiroJwt04-Redis.html

1. RESTful API
2. Maven integrates Mybatis Generator (reverse engineering)
3. Shiro + Java-JWT implements stateless authentication mechanism (Token)
4. Password encryption (using AES-128 + Base64)
5. Integrate Redis (Jedis)
6. Rewrite Shiro caching mechanism (Redis)
7. Save RefreshToken information in Redis (making JWT controllable)
8. Automatically refresh AccessToken based on RefreshToken

1. First, post the username and password to user/login to log in. If successful, the encrypted AccessToken will be returned. If failed, a 401 error will be returned directly (the account or password is incorrect).
2. Just bring this AccessToken with you for future visits.
3. The authentication process mainly rewrites Shiro 's entry filter JWTFilter ( BasicHttpAuthenticationFilter ) to determine whether the request header contains the Authorization field.
4. If yes, perform Shiro 's Token login authentication and authorization (every request for user access that requires permission must add the Authorization field in the header to store the AccessToken ), if not, use direct access as a visitor (if there is permission control, visitor access will be intercepted)

Most of them solve this problem in the form of MD5 + salt (details from Baidu). I use AES-128 + Base64 to encrypt the password in the form of account + password. Because the account is unique, the same structure will not appear. The problem of secret password

Originally, JedisUtil was directly injected as a Bean . Every time it is used, it can be injected directly @Autowired . However, after rewriting Shiro 's CustomCache , JedisUtil could not be injected, so it was changed to static injection into the JedisPool connection pool . The JedisUtil tool class still directly calls the static method. No need for @Autowired injection

1. After the login authentication is passed, the AccessToken information is returned ( the current timestamp and account number are saved in the AccessToken )
2. At the same time, set a RefreshToken in Redis with the account as the Key and the Value as the current timestamp (login time)
3. Now during authentication, the AccessToken must not have expired and the corresponding RefreshToken must exist in Redis , and the RefreshToken timestamp must be consistent with the timestamp in the AccessToken information before the authentication is passed. This can achieve the controllability of JWT.
4. If you log in again and obtain a new AccessToken , the old AccessToken cannot be authenticated, because the RefreshToken timestamp information stored in Redis will only be consistent with the timestamp carried in the latest generated AccessToken information , so each user can only use The latest AccessToken certification
5. Redis 's RefreshToken can also be used to determine whether a user is online. If a Redis RefreshToken is deleted, the AccessToken corresponding to this RefreshToken will no longer be able to pass authentication. This is equivalent to controlling the user's login and eliminating the user.

1. The expiration time of AccessToken itself is 5 minutes (configurable in the configuration file), and the expiration time of RefreshToken is 30 minutes (configurable in the configuration file)
2. When 5 minutes have passed after logging in, the current AccessToken will expire. If you bring the AccessToken again to access JWT, a TokenExpiredException exception will be thrown, indicating that the Token has expired.
3. Start to determine whether to refresh the AccessToken . Redis queries whether the current user's RefreshToken exists , and whether the timestamp carried by this RefreshToken is consistent with the timestamp carried by the expired AccessToken.
4. If it exists and is consistent, refresh the AccessToken, set the expiration time to 5 minutes (configurable in the configuration file), the timestamp to the latest timestamp, and also set the timestamp in the RefreshToken to the latest timestamp, and refresh the expiration time to 30 again. Expiration in minutes (configurable in configuration file)
5. Finally, the refreshed AccessToken is stored in the Authorization field in the Header of the Response and returned (the front end obtains and replaces it, and uses the new AccessToken for access next time)

1. SpringBoot + Mybatis core framework
2. PageHelper plug-in + universal Mapper plug-in
3. Shiro + Java-JWT stateless authentication mechanism
4. Redis (Jedis) caching framework

1. The database account password defaults to root. If it is modified, please modify the configuration file application.yml yourself.
2. After decompression, execute the srcmainresourcessqlMySQL.sql script to create the database and table
3. Redis needs to install the Redis service by itself, and the port password is default
4. SpringBoot can be started directly with the testing tool PostMan

First configure the srcmainresourcesgeneratorgeneratorConfig.xml file (the default configuration is under the reverse package at the lower level of the original package), and execute it in the command line window of the pom.xml level directory (that is, under the project root directory) (The premise is that mvn is configured) (IDEA can be executed directly by double-clicking in the Maven window Plugins)

mvn mybatis-generator:generate

先设置Content - Type为application / json 

然后填写请求参数帐号密码信息

进行请求访问，请求访问成功

点击查看Header信息的Authorization属性即是Token字段

访问需要权限的请求将Token字段放在Header信息的Authorization属性访问即可

 Token的自动刷新也是在Token失效时返回新的Token在Header信息的Authorization属性

1. Thanks to SmithCruise for the Shiro+JWT+Spring Boot Restful simple tutorial: https://www.jianshu.com/p/f37f8c295057
2. Thanks to Wang Hongyu for [Getting Started with Shiro] (1) Using Redis as a cache manager: https://blog.csdn.net/why15732625998/article/details/78729254
3. Thank you bag? Breeder’s springboot (7). springboot integrates jedis to implement redis cache: http://www.cnblogs.com/GodHeng/p/9301330.html
4. Thanks to W_Z_W_888 for the three methods of spring injecting static variables and their precautions: https://blog.csdn.net/W_Z_W_888/article/details/79979103
5. Thanks to Vue2.0+ElementUI+PageHelper from Heavenly Wind and Cloud for implementing table paging: https://blog.csdn.net/u012907049/article/details/70237457
6. Thanks to yaxx's Vuejs axios to get the Http response header: https://segmentfault.com/a/1190000009125333
7. Thanks to Twilight for solving the problem caused by using jwt refresh token: https://segmentfault.com/a/1190000013151506
8. Thanks to chuhx's shiro interceptor, which returns json data: https://blog.csdn.net/chuhx/article/details/51148877
9. Thanks to yidao620c for Shiro’s built-in interceptor configuration rules: https://github.com/yidao620c/SpringBootBucket/tree/master/springboot-jwt

1. Fork this project
2. Create a new Feat_xxx branch
3. Submit code
4. New Pull Request