{"id":415,"date":"2022-08-08T16:02:42","date_gmt":"2022-08-08T08:02:42","guid":{"rendered":"https:\/\/aaaahui.top\/?p=415"},"modified":"2023-07-31T23:44:31","modified_gmt":"2023-07-31T15:44:31","slug":"jwt_security","status":"publish","type":"post","link":"https:\/\/ahui.blog\/index.php\/2022\/08\/08\/jwt_security\/","title":{"rendered":"JWT\u5b89\u5168\u76f8\u5173\u95ee\u9898"},"content":{"rendered":"

\u524d\u8a00\uff1a\u5de5\u4f5c\u4e2d\u9700\u8981\u57fa\u4e8e\u6846\u67b6\u5f00\u53d1\u4e00\u4e2a\u8d34\u8fd1\u5b9e\u9645\u7684\u5e94\u7528\uff0c\u627e\u5230\u4e00\u6b3e\u6bd4\u8f83\u5408\u9002\u7684cms\u6846\u67b6\uff0c\u5176\u4e2d\u6b63\u597d\u7528\u5230\u7684\u5c31\u662fjwt\u505a\u8eab\u4efd\u4fe1\u606f\u9a8c\u8bc1\uff0c\u4e5f\u8bb0\u5f55\u4e00\u4e0bjwt\u76f8\u5173\u7684\u5b89\u5168\u95ee\u9898\u3002
\nJWT\u5229\u7528\u5de5\u5177\uff1ahttps:\/\/github.com\/ticarpi\/jwt_tool<\/a>
\nJWT\u52a0\u89e3\u5bc6\u7f51\u7ad9\uff1ahttps:\/\/jwt.io\/<\/a><\/p>\n

JWT\u4ecb\u7ecd<\/h2>\n
\n

Json web token (JWT), \u662f\u4e3a\u4e86\u5728\u7f51\u7edc\u5e94\u7528\u73af\u5883\u95f4\u4f20\u9012\u58f0\u660e\u800c\u6267\u884c\u7684\u4e00\u79cd\u57fa\u4e8eJSON\u7684\u5f00\u653e\u6807\u51c6\uff08(RFC 7519).\u8be5token\u88ab\u8bbe\u8ba1\u4e3a\u7d27\u51d1\u4e14\u5b89\u5168\u7684\uff0c\u7279\u522b\u9002\u7528\u4e8e\u5206\u5e03\u5f0f\u7ad9\u70b9\u7684\u5355\u70b9\u767b\u5f55\uff08SSO\uff09\u573a\u666f\u3002JWT\u7684\u58f0\u660e\u4e00\u822c\u88ab\u7528\u6765\u5728\u8eab\u4efd\u63d0\u4f9b\u8005\u548c\u670d\u52a1\u63d0\u4f9b\u8005\u95f4\u4f20\u9012\u88ab\u8ba4\u8bc1\u7684\u7528\u6237\u8eab\u4efd\u4fe1\u606f\uff0c\u4ee5\u4fbf\u4e8e\u4ece\u8d44\u6e90\u670d\u52a1\u5668\u83b7\u53d6\u8d44\u6e90\uff0c\u4e5f\u53ef\u4ee5\u589e\u52a0\u4e00\u4e9b\u989d\u5916\u7684\u5176\u5b83\u4e1a\u52a1\u903b\u8f91\u6240\u5fc5\u987b\u7684\u58f0\u660e\u4fe1\u606f\uff0c\u8be5token\u4e5f\u53ef\u76f4\u63a5\u88ab\u7528\u4e8e\u8ba4\u8bc1\uff0c\u4e5f\u53ef\u88ab\u52a0\u5bc6\u3002<\/p>\n<\/blockquote>\n

JWT\u7ec4\u6210<\/h2>\n

JWT\u53ef\u5206\u4e3a\u4e09\u90e8\u5206\uff0c\u5206\u522b\u4e3a\u5934\u90e8\uff08header\uff09\u3001\u8f7d\u8377\uff08payload\uff09\u3001\u7b7e\u540d\uff08signature\uff09\uff0c\u7b80\u5355\u4ecb\u7ecd\u4e00\u4e0b\u6bcf\u4e2a\u90e8\u5206\u7684\u4f5c\u7528\u3002<\/p>\n

\u6574\u4f53\u7ec4\u6210\u5982\u4e0b\uff0c\u4ee5\u201c.\u201d\u5206\u9694\u4e3a\u4e09\u5934\u90e8\u3001\u8f7d\u8377\u3001\u7b7e\u540d\u90e8\u5206\uff1a<\/p>\n

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c<\/code><\/p>\n

\u5934\u90e8\uff08header\uff09<\/h4>\n

\u4f5c\u7528\uff1a\u58f0\u660e\u7c7b\u578b\u3001\u52a0\u5bc6\u7b97\u6cd5\u7b49<\/p>\n

\u539f\u59cb\u683c\u5f0f\uff1aeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<\/p>\n

\u89e3base64\uff1a<\/p>\n

{\n  "alg": "HS256",\n  "typ": "JWT"\n}<\/code><\/pre>\n
typ\uff1a\u58f0\u660e\u7b97\u6cd5\u7c7b\u578b\uff0c\u8fd9\u91cc\u662fJWT\uff0c<\/p>\n
alg\uff1a\u58f0\u660e\u52a0\u5bc6\u7b97\u6cd5\uff0c\u8fd9\u91cc\u662fHS256\uff0c\u4e3a\u5bf9\u79f0\u7b97\u6cd5\uff08\u524d\u540e\u7aef\u4f7f\u7528\u540c\u4e00\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\uff0c\u5e76\u975e\u80fd\u591f\u89e3\u5bc6\uff09\uff0c\u5e38\u7528\u7684\u8fd8\u6709RS256\u548cES256\u4e24\u4e2a\u975e\u5bf9\u79f0\u7b97\u6cd5\uff08\u7b7e\u540d\u65f6\u4f7f\u7528\u79c1\u94a5\uff0c\u9a8c\u8bc1\u65f6\u4f7f\u7528\u516c\u94a5\uff09\u3002<\/p>\n
\u8f7d\u8377\uff08payload\uff09<\/h4>\n
\u4f5c\u7528\uff1a\u5b58\u50a8\u6709\u6548\u6570\u636e<\/p>\n
\u539f\u59cb\u683c\u5f0f\uff1aeyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ<\/p>\n
\u89e3base64:<\/p>\n
{\n  "sub": "1234567890",\n  "name": "John Doe",\n  "iat": 1516239022\n}<\/code><\/pre>\n
\u8f7d\u8377\u90e8\u5206\u9ed8\u8ba4\u5b57\u6bb5\uff1a<\/p>\n
iss (issuer)\uff1aJWT\u7684\u53d1\u884c\u8005\nexp (expiration time)\uff1a\u8fc7\u671f\u65f6\u95f4\nsub (subject)\uff1aJWT\u9762\u5411\u7684\u4e3b\u9898\naud (audience)\uff1aJWT\u7684\u7528\u6237\nnbf (Not Before)\uff1a\u751f\u6548\u65f6\u95f4\niat (Issued At)\uff1a\u7b7e\u53d1\u65f6\u95f4\njti (JWT ID)\uff1aJWT\u552f\u4e00\u6807\u8bc6<\/code><\/pre>\n
\u6ce8\uff1a\u7528\u6237\u53ef\u6839\u636e\u9700\u6c42\u81ea\u5b9a\u4e49\u5b57\u6bb5<\/p>\n
\u7b7e\u540d\uff08signature\uff09<\/h4>\n
\u4f5c\u7528\uff1a\u7b7e\u540d\u90e8\u5206\uff0c\u670d\u52a1\u7aef\u6821\u9a8c\u6b64\u5b57\u6bb5\u6765\u9a8c\u8bc1\u8f7d\u8377\uff08payload\uff09\u5b57\u6bb5\u662f\u5426\u5408\u6cd5<\/p>\n
\u539f\u59cb\u683c\u5f0f\uff1aSflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c<\/p>\n
\u8be5\u5b57\u6bb5\u52a0\u5bc6\u65b9\u5f0f\u5982\u4e0b\uff1a<\/p>\n
signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload),secret)<\/code><\/pre>\n
\u8fd9\u91cc\u7684HMACSHA256\u5c31\u662f\u5728header\u4e2dalg\u5b57\u6bb5\u6307\u5b9a\u7684HS256\u52a0\u5bc6\u7b97\u6cd5\uff0c\u800cRS256\u548cES256\u5219\u662f\u670d\u52a1\u7aef\u4f7f\u7528\u79c1\u94a5\u52a0\u5bc6\uff0c\u597d\u5904\u662f\u53ef\u4ee5\u5c06\u9a8c\u8bc1\u59d4\u6258\u7ed9\u5176\u4ed6\u5e94\u7528\uff0c\u53ea\u8981\u6563\u53d1\u81ea\u5df1\u7684\u516c\u94a5\u5373\u53ef\u3002<\/strong><\/p>\n
JWT\u7528\u6cd5<\/h2>\n
JWT\u88ab\u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\u4e2d\uff0c\u4f5c\u7528\u7c7b\u4f3c\u4e8esession\uff0c\u4f46\u76f8\u6bd4\u4e8esession\u8fd9\u79cd\u65b9\u5f0f\u5404\u6709\u4f18\u52a3\uff0c\u4e0b\u9762\u7b80\u8ff0\u4e00\u4e0bJWT\u7684\u4f7f\u7528\u6d41\u7a0b<\/p>\n
\u4e00\u3001\u7528\u6237\u767b\u5f55\uff0c\u8f93\u5165\u767b\u5f55\u6240\u9700\u7684\u4fe1\u606f\uff0c\u540e\u7aef\u9a8c\u8bc1\u540e\uff0c\u8fd4\u56dejwt\u683c\u5f0f\u7684token<\/p>\n
\u4e8c\u3001\u7528\u6237\u643a\u5e26token\u8bbf\u95ee\u9700\u8981\u8eab\u4efd\u9a8c\u8bc1\u7684\u8d44\u6e90\u6216\u63a5\u53e3<\/p>\n
\u4e09\u3001\u670d\u52a1\u7aef\u9a8c\u8bc1jwt\u683c\u5f0ftoken\u4e2d\u7684signature\uff08\u4f7f\u7528\u76f8\u5e94\u52a0\u5bc6\u7b97\u6cd5\u91cd\u65b0\u52a0\u5bc6token\u4e2d\u7684header\u548cpayload\uff0c\u9a8c\u8bc1\u662f\u5426\u76f8\u7b49\uff09<\/p>\n
\u56db\u3001\u9a8c\u8bc1\u6210\u529f\uff0c\u5141\u8bb8\u8bbf\u95ee\u8d44\u6e90<\/p>\n
\u767b\u5f55\u83b7\u53d6token\u4ee3\u7801\u793a\u4f8b\uff08lin-cms-springboot\uff09<\/h4>\n
\u9996\u5148\u5165\u53e3\u662flogin\u65b9\u6cd5<\/p>\n
\/**\n     * \u7528\u6237\u767b\u9646\n     *\/\n    @PostMapping("\/login")\n    public Tokens login(@RequestBody @Validated LoginDTO validator, @RequestHeader(value = "Tag", required = false) String tag) {\n        UserDO user = userService.getUserByUsername(validator.getUsername());\n        if (user == null) {\n            throw new NotFoundException(10021);\n        }\n        boolean valid = userIdentityService.verifyUsernamePassword(\n                user.getId(),\n                user.getUsername(),\n                validator.getPassword());\n        if (!valid) {\n            throw new ParameterException(10031);\n        }\n        return jwt.generateTokens(user.getId());\n    }<\/code><\/pre>\n
\u5224\u65ad\u7528\u6237\u540d\u548c\u5bc6\u7801\u6b63\u786e\u540e\uff0c\u5c06user.getId\uff08\u5373\u7528\u6237\u7684ID\uff09\u4f20\u5165generateTokens\u65b9\u6cd5<\/p>\n
public Tokens generateTokens(long identity) {\n    String access = this.generateToken("access", identity, "lin", this.accessExpire);\n    String refresh = this.generateToken("refresh", identity, "lin", this.refreshExpire);\n    return new Tokens(access, refresh);\n}<\/code><\/pre>\n
\u6839\u636e\u56fa\u5b9a\u7684\u5b57\u6bb5\u548c\u4f20\u5165\u7684\u7528\u6237ID\uff0c\u8c03\u7528generateToken\u65b9\u6cd5\u83b7\u53d6token\uff08\u8fd9\u91cc\u8c03\u7528\u4e86\u4e24\u6b21\uff0c\u5206\u522b\u751f\u6210\u4e24\u4e2atoken\uff0caccess_token\u548crefresh_token\uff0c\u540e\u9762\u4f1a\u8bb2\uff09<\/p>\n
public String generateToken(String tokenType, long identity, String scope, long expire) {\n    Date expireDate = DateUtil.getDurationDate(expire);\n    return this.builder.withClaim("type", tokenType).withClaim("identity", identity).withClaim("scope", scope).withExpiresAt(expireDate).sign(this.algorithm);\n}<\/code><\/pre>\n
\u2014\u2014\u2014\u2014\u2014\u2014\u4ee5\u4e0b\u8c03\u7528\u662fcom.auth0.jwt\u7b2c\u4e09\u65b9\u5e93\u4e2d\u7684\u5185\u5bb9\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n
\u8fd9\u91cc\u53cd\u590d\u8c03\u7528\u4e86withClaim\u65b9\u6cd5<\/p>\n
public JWTCreator.Builder withClaim(String name, Long value) throws IllegalArgumentException {\n    this.assertNonNull(name);\n    this.addClaim(name, value);\n    return this;\n}\npublic JWTCreator.Builder withClaim(String name, String value) throws IllegalArgumentException {\n            this.assertNonNull(name);\n            this.addClaim(name, value);\n            return this;\n}\n...\n\u91cd\u8f7d\u7684\u6240\u6709withClaim\u65b9\u6cd5\u5177\u4f53\u5185\u5bb9\u90fd\u4e00\u6837<\/code><\/pre>\n
\u56e0\u4e3a\u8fd9\u4e2a\u65b9\u6cd5\u8fd4\u56de\u7684\u8fd8\u662fthis\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u5faa\u73af\u8c03\u7528\uff0c\u662f\u4e3a\u4e86\u751f\u6210\u5e76\u7ed1\u5b9a\u4e0d\u540c\u5b57\u6bb5\u7684\u503c\u3002<\/p>\n
\u63a5\u7740\u8c03\u7528\u4e86assertNonNull\u65b9\u6cd5\u3001addClaim\u65b9\u6cd5<\/p>\n
private void assertNonNull(String name) {\n    if (name == null) {\n        throw new IllegalArgumentException("The Custom Claim's name can't be null.");\n    }\n}\n\nprivate void addClaim(String name, Object value) {\n    if (value == null) {\n        this.payloadClaims.remove(name);\n    } else {\n        this.payloadClaims.put(name, value);\n    }\n}<\/code><\/pre>\n
assertNonNull\u65b9\u6cd5\u5c31\u662f\u5224\u7a7a\u5904\u7406\uff0caddClaim\u65b9\u6cd5\u5c31\u5c06\u952e\u503c\u5bf9put\u5230payloadClaims\u8fd9\u4e2amap\u5bf9\u8c61\u4e2d\uff0c\u4e5f\u5c31\u662f\u6700\u7ec8\u751f\u6210\u7684payload\u5b57\u6bb5\u3002<\/p>\n
\u8fd9\u91cc\u6267\u884c\u5b8c\u6210\u540e\uff0c\u63a5\u7740\u8fd8\u8df3\u56degenerateToken\u65b9\u6cd5\uff0c\u56e0\u4e3a\u8c03\u7528\u5b8cwithClaim\u65b9\u6cd5\u540e\uff0c\u5c31\u4f1a\u8c03\u7528withExpiresAt(expireDate).sign(this.algorithm)\uff0c<\/p>\n
withExpiresAt\u65b9\u6cd5\uff0c\u5c31\u662f\u6dfb\u52a0exp\u5b57\u6bb5<\/p>\n
public JWTCreator.Builder withExpiresAt(Date expiresAt) {\n    this.addClaim("exp", expiresAt);\n    return this;\n}<\/code><\/pre>\n
\u63a5\u7740\u8fdb\u5165\u6700\u5173\u952e\u7684sign\u65b9\u6cd5<\/p>\n
public String sign(Algorithm algorithm) throws IllegalArgumentException, JWTCreationException {\n    if (algorithm == null) {\n        throw new IllegalArgumentException("The Algorithm cannot be null.");\n    } else {\n        this.headerClaims.put("alg", algorithm.getName());\n        if (!this.headerClaims.containsKey("typ")) {\n            this.headerClaims.put("typ", "JWT");\n        }\n\n        String signingKeyId = algorithm.getSigningKeyId();\n        if (signingKeyId != null) {\n            this.withKeyId(signingKeyId);\n        }\n\n        return (new JWTCreator(algorithm, this.headerClaims, this.payloadClaims)).sign();\n    }\n}<\/code><\/pre>\n
headerClaims\u65b9\u6cd5\u5c31\u662f\u5411header\u5b57\u6bb5\u4e2d\u6dfb\u52a0typ\u548calg\u7684\u503c\uff0c\u91cd\u70b9\u5728\u6700\u7ec8return\u7684\u5730\u65b9\uff0c\u63a5\u7740\u8ddf\u5165new JWTCreator(algorithm, this.headerClaims, this.payloadClaims)<\/p>\n
JWTCreator\u7c7b\u7684\u5b9e\u4f8b\u5316\uff0c\u5176\u4e2d\u4f20\u5165\u7684\u53c2\u6570\u5206\u522b\u662f\u52a0\u5bc6\u7b97\u6cd5\u5bf9\u8c61\u3001header\u3001payload<\/p>\n
private JWTCreator(Algorithm algorithm, Map<String, Object> headerClaims, Map<String, Object> payloadClaims) throws JWTCreationException {\n    this.algorithm = algorithm;\n\n    try {\n        ObjectMapper mapper = new ObjectMapper();\n        SimpleModule module = new SimpleModule();\n        module.addSerializer(ClaimsHolder.class, new PayloadSerializer());\n        mapper.registerModule(module);\n        mapper.configure(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY, true);\n        this.headerJson = mapper.writeValueAsString(headerClaims);\n        this.payloadJson = mapper.writeValueAsString(new ClaimsHolder(payloadClaims));\n    } catch (JsonProcessingException var6) {\n        throw new JWTCreationException("Some of the Claims couldn't be converted to a valid JSON format.", var6);\n    }\n}<\/code><\/pre>\n
\u7b80\u5355\u770b\u4e00\u4e0b\u4e0a\u9762\u7684\u903b\u8f91\uff0c\u5c31\u662f\u5bf9\u7b97\u6cd5\u3001header\u3001payload\u8fdb\u884c\u7ed1\u5b9a\uff0c\u7136\u540e\u63a5\u7740\u5f80\u4e0b\u8d70\uff0c\u8df3\u56de\u4e0a\u4e00\u6b65\u7684sign\u65b9\u6cd5\uff0c\u5728\u5bf9JWTCreator\u5b9e\u4f8b\u5316\u540e\uff0c\u7d27\u63a5\u7740\u53c8\u8c03\u7528\u4e86sign\u65b9\u6cd5\uff0c\u4e0d\u8fc7\u8fd9\u4e2asign\u65b9\u6cd5\u6ca1\u6709\u4f20\u5165\u53c2\u6570\uff0c\u4e5f\u5c31\u662f\u4e0b\u9762\u8fd9\u4e2a\u65b9\u6cd5<\/p>\n
private String sign() throws SignatureGenerationException {\n        String header = Base64.encodeBase64URLSafeString(this.headerJson.getBytes(StandardCharsets.UTF_8));\n        String payload = Base64.encodeBase64URLSafeString(this.payloadJson.getBytes(StandardCharsets.UTF_8));\n        byte[] signatureBytes = this.algorithm.sign(header.getBytes(StandardCharsets.UTF_8), payload.getBytes(StandardCharsets.UTF_8));\n        String signature = Base64.encodeBase64URLSafeString(signatureBytes);\n        return String.format("%s.%s.%s", header, payload, signature);\n}<\/code><\/pre>\n
\u65b9\u6cd5\u4e2d\u5bf9header\u548cpayload\u7684\u751f\u6210\u5c31\u662f\u7b80\u5355\u7684\u5bf9json\u6570\u636e\u8fdb\u884cbase64\u7f16\u7801\uff0c\u6700\u7ec8\u751f\u6210signature\u5b57\u6bb5\u7684\u64cd\u4f5c\u4e3athis.algorithm.sign(header.getBytes(StandardCharsets.UTF_8), payload.getBytes(StandardCharsets.UTF_8))<\/code>\uff0c\u63a5\u7740\u8ddf\u5165sign\u65b9\u6cd5<\/p>\n
public byte[] sign(byte[] headerBytes, byte[] payloadBytes) throws SignatureGenerationException {\n        try {\n            return this.crypto.createSignatureFor(this.getDescription(), this.secret, headerBytes, payloadBytes);\n        } catch (InvalidKeyException | NoSuchAlgorithmException var4) {\n            throw new SignatureGenerationException(this, var4);\n        }\n}<\/code><\/pre>\n
\u8fdb\u5165\u5230createSignatureFor\u65b9\u6cd5\uff0c\u4f20\u5165\u4e86\u52a0\u5bc6\u7b97\u6cd5\u3001\u5bc6\u94a5\u3001header\u548cpayload<\/p>\n
byte[] createSignatureFor(String algorithm, byte[] secretBytes, byte[] headerBytes, byte[] payloadBytes) throws NoSuchAlgorithmException, InvalidKeyException {\n    Mac mac = Mac.getInstance(algorithm);\n    mac.init(new SecretKeySpec(secretBytes, algorithm));\n    mac.update(headerBytes);\n    mac.update((byte)46);\n    return mac.doFinal(payloadBytes);\n}<\/code><\/pre>\n
\u5c31\u4e0d\u7ee7\u7eed\u5f80\u91cc\u8ddf\u4e86\uff08\u91cc\u9762\u6700\u540e\u662f\u8c03javax.crypto.Mac\u7c7b\u4e2d\u7684\u65b9\u6cd5\u8fdb\u884c\u7684\u52a0\u5bc6\uff0c\u8c03\u6765\u8c03\u53bb\u592a\u4e71\u4e86\uff09\uff0c\u5927\u81f4\u539f\u7406\u6211\u4eec\u5df2\u7ecf\u641e\u6e05\u695a\u4e86\uff0c\u5dee\u4e0d\u591a\u5c31\u662f\u6839\u636eheader\u548cpayload\u5b57\u6bb5\uff0c\u7136\u540e\u7528secret\u5f53salt\u505a\u4e00\u6b21hash\uff0c\u6700\u540e\u518dbase64\u7f16\u7801\u4f20\u51fa\u6765\uff0c\u5c31\u662f\u6211\u4eec\u6700\u7ec8\u7684token\u3002<\/p>\n
\u4ee5\u4e0a\u5c31\u662f\u4ece\u767b\u5f55\u5230\u83b7\u53d6token\u7684\u5927\u81f4\u8fc7\u7a0b\u3002<\/p>\n
\u901a\u8fc7jwt\u8fdb\u884c\u8eab\u4efd\u6821\u9a8c\u4ee3\u7801\u793a\u4f8b<\/h4>\n
\u8fd9\u91cc\u662f\u62e6\u622a\u5668\u4e2d\u7684\u4e00\u4e2a\u65b9\u6cd5\uff0c\u5c31\u4e0d\u4e00\u6b65\u4e00\u6b65\u7684\u8ddf\u4e86\uff0c<\/p>\n
public boolean handleLogin(HttpServletRequest request, HttpServletResponse response, MetaInfo meta) {\n    \/\/\u83b7\u53d6\u8bf7\u6c42\u5934\u4e2d\u7684Authorization\u5934\n    String tokenStr = verifyHeader(request, response);\n    Map<String, Claim> claims;\n    try {\n        \/\/\u5728\u8fd9\u91cc\u505a\u7684\u6821\u9a8c\n        claims = jwt.decodeAccessToken(tokenStr);\n    } catch (TokenExpiredException e) {\n        throw new io.github.talelin.autoconfigure.exception.TokenExpiredException(10051);\n    } catch (AlgorithmMismatchException | SignatureVerificationException | JWTDecodeException | InvalidClaimException e) {\n        throw new TokenInvalidException(10041);\n    }\n    return getClaim(claims);\n}<\/code><\/pre>\n
\u6700\u7ec8\u9a8c\u8bc1\u7684\u5730\u65b9\u5728com.auth0.jwt.algorithms.HMACAlgorithm#verify\u65b9\u6cd5\u4e2d<\/p>\n
public void verify(DecodedJWT jwt) throws SignatureVerificationException {\n    byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());\n\n    try {\n        \/\/\u7136\u540e\u8c03\u7528verifySignatureFor\u65b9\u6cd5\u6821\u9a8c\n        boolean valid = this.crypto.verifySignatureFor(this.getDescription(), this.secret, jwt.getHeader(), jwt.getPayload(), signatureBytes);\n        if (!valid) {\n            throw new SignatureVerificationException(this);\n        }\n    } catch (InvalidKeyException | NoSuchAlgorithmException | IllegalStateException var4) {\n        throw new SignatureVerificationException(this, var4);\n    }\n}<\/code><\/pre>\n
\u8ddf\u5165<\/p>\n
boolean verifySignatureFor(String algorithm, byte[] secretBytes, String header, String payload, byte[] signatureBytes) throws NoSuchAlgorithmException, InvalidKeyException {\n    return this.verifySignatureFor(algorithm, secretBytes, header.getBytes(StandardCharsets.UTF_8), payload.getBytes(StandardCharsets.UTF_8), signatureBytes);\n}\n\nboolean verifySignatureFor(String algorithm, byte[] secretBytes, byte[] headerBytes, byte[] payloadBytes, byte[] signatureBytes) throws NoSuchAlgorithmException, InvalidKeyException {\n    return MessageDigest.isEqual(this.createSignatureFor(algorithm, secretBytes, headerBytes, payloadBytes), signatureBytes);\n}<\/code><\/pre>\n
\u8ddf\u5165<\/p>\n
byte[] createSignatureFor(String algorithm, byte[] secretBytes, byte[] headerBytes, byte[] payloadBytes) throws NoSuchAlgorithmException, InvalidKeyException {\n    Mac mac = Mac.getInstance(algorithm);\n    mac.init(new SecretKeySpec(secretBytes, algorithm));\n    mac.update(headerBytes);\n    mac.update((byte)46);\n    return mac.doFinal(payloadBytes);\n}<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u5230\uff0c\u8fd9\u91cc\u7684createSignatureFor\u65b9\u6cd5\uff0c\u90a3\u4e48\u6700\u7ec8\u5b9e\u73b0\u7684\u539f\u7406\u4e5f\u5c31\u662f\u6839\u636e\u4f20\u5165\u7684header\u548cpayload\uff0c\u518d\u8c03\u7528\u521b\u5efa\u7b7e\u540d\u65b9\u6cd5\u6839\u636esecret\u5bc6\u94a5\u521b\u5efa\u7b7e\u540d\uff0c\u5982\u679c\u6700\u7ec8\u521b\u5efa\u51fa\u6765\u7684\u7b7e\u540d\u548c\u4f60\u4f20\u5165\u7684jwttoken\u4e2d\u7684Signature\u5b57\u6bb5\u503c\u76f8\u7b49\uff0c\u5219\u5224\u5b9a\u4e3a\u771f\u3002 <\/p>\n
JWT\u5b89\u5168\u95ee\u9898<\/h2>\n
secret\u786c\u7f16\u7801<\/h3>\n
\u5c06\u52a0\u5bc6\u4f7f\u7528\u7684secret\u5bc6\u94a5\u786c\u7f16\u7801\u5728\u6846\u67b6\u4e2d\uff0c\u5982\u679c\u5f00\u53d1\u8005\u4e0d\u6ce8\u610f\u7684\u8bdd\uff0c\u4f7f\u7528\u9ed8\u8ba4\u5bc6\u94a5\uff0c\u6ca1\u6709\u8fdb\u884c\u4fee\u6539\uff0c\u90a3\u4e48\u53ea\u8981\u83b7\u53d6\u5230\u5bc6\u94a5\uff0c\u5c31\u53ef\u4ee5\u4f2a\u9020token\u3002<\/p>\n
\u77e5\u9053\u5bc6\u94a5\u540e\uff0c\u90a3\u4e48\u53ef\u4ee5\u901a\u8fc7\u8be5\u7f51\u7ad9https:\/\/jwt.io\u6216\u8005\u7f16\u5199\u811a\u672c\u4f2a\u9020token<\/p>\n
\u4f8b\u5982\u8be5cms\uff1a<\/p>\n
\"\"<\/p>\n
\u901a\u8fc7\u5728\u7ebf\u7f51\u7ad9\u751f\u6210token\uff1a<\/p>\n
\"\"<\/p>\n
\u90a3\u4e48\u6211\u4eec\u76f4\u63a5\u4f7f\u7528\u8fd9\u4e2atoken\u5373\u53ef\u8bbf\u95ee\u7f51\u7ad9\u4e2d\u9700\u8981\u8eab\u4efd\u9a8c\u8bc1\u7684\u63a5\u53e3\u8d44\u6e90\u3002<\/p>\n
\"\"<\/p>\n
\u540e\u7aef\u672a\u6821\u9a8cSignature\u5b57\u6bb5\u6216<\/h3>\n
\u653b\u51fb\u65b9\u6cd5\uff1a\u53ef\u4efb\u610f\u4fee\u6539\u6216\u8005\u76f4\u63a5\u5220\u9664<\/p>\n
\u539f\u7406\uff1a\u540e\u7aef\u672a\u5bf9Signature\u5b57\u6bb5\u8fdb\u884c\u6821\u9a8c\uff0c\u5c31\u53d6payload\u4e2d\u7684\u6570\u636e\u8fdb\u884c\u540e\u7eed\u64cd\u4f5c<\/p>\n
alg=none\u7b7e\u540d\u7ed5\u8fc7\u6f0f\u6d1e\uff08CVE-2015-2951\uff09<\/h3>\n
\u653b\u51fb\u65b9\u6cd5\uff1a\u5c06header\u4e2d\u7684alg\u7684\u952e\u503c\u6539\u4e3anone\uff0c\u7136\u540e\u5c06Signature\u5220\u9664\u5373\u53ef<\/p>\n
\u539f\u7406\uff1a\u540e\u7aef\u672a\u5bf9\u4f20\u5165\u7684header\u4e2d\u7684alg\u5b57\u6bb5\u8fdb\u884c\u6821\u9a8c\uff0c\u76f4\u63a5\u4f7f\u7528\u5176\u4e2d\u6307\u5b9a\u7684\u52a0\u5bc6\u7b97\u6cd5\u5bf9Signature<\/p>\n
\u9488\u5bf9\u4ee5\u4e0a\u4e24\u79cd\u5b89\u5168\u95ee\u9898\uff0c\u5982\u679c\u6ca1\u6709\u539f\u59cbjwt_token\uff0c\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u811a\u672c\u751f\u6210token\uff1a<\/p>\n
\u4f7f\u7528\u4e4b\u524d\u9700\u8981\u5148\u4f7f\u7528pip\u5b89\u88c5PyJWT\uff0c\u800c\u4e0d\u662fJWT\uff0c\u76f4\u63a5python37 -m pip install PyJWT<\/code>\u5373\u53ef<\/p>\n
import jwt\npayload = {\n  "identity": 1,\n  "scope": "lin",\n  "type": "access",\n  "exp": 1659797574\n}\nprint(jwt.encode(payload,None,algorithm="none"))<\/code><\/pre>\n
Secret\u7206\u7834<\/h3>\n
\u4e0a\u9762\u6211\u4eec\u77e5\u9053\u786c\u7f16\u7801\u7684\u8bdd\u6211\u4eec\u53ef\u4ee5\u4efb\u610f\u4f2a\u9020token\uff0c\u5176\u5b9e\u539f\u7406\u5c31\u662f\u77e5\u9053secret\u5bc6\u94a5\uff0c\u9664\u4e86\u5f00\u6e90CMS\u7684\u8fd9\u79cd\u6cc4\u9732\uff0c\u6216\u8005\u5176\u4ed6\u7cfb\u7edf\u5907\u4efd\u6587\u4ef6\u3001\u65e5\u5fd7\u4e4b\u7c7b\u7684\u6cc4\u9732\u5bc6\u94a5\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u901a\u8fc7\u7206\u7834\u7684\u65b9\u6cd5\u83b7\u53d6\u5bc6\u94a5\uff08\u5982\u679c\u4e0d\u662f\u5f31\u5bc6\u94a5\uff0c\u96be\u5ea6\u975e\u5e38\u5927\uff09<\/p>\n
\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u5de5\u5177\uff1ahttps:\/\/github.com\/ticarpi\/jwt_tool<\/a><\/p>\n
\u4fee\u6539\u975e\u5bf9\u79f0\u5bc6\u7801\u7b97\u6cd5\u4e3a\u5bf9\u79f0\u5bc6\u7801\u7b97\u6cd5(CVE-2016-10555)<\/h3>\n
\u8fd9\u4e2a\u6f0f\u6d1e\u53ea\u9488\u5bf9\u4f7f\u7528\u975e\u5bf9\u79f0\u52a0\u5bc6\u7b97\u6cd5\uff08RS256\uff09\u505a\u6821\u9a8c\u7684\u7cfb\u7edf\uff0c\u5f53\u540e\u7aef\u4f7f\u7528RS256\u52a0\u5bc6\u65f6\uff0c\u4f7f\u7528\u79c1\u94a5\u52a0\u5bc6\uff0c\u800c\u6821\u9a8c\u65f6\u7528\u5230\u7684\u662f\u516c\u79c1\u94a5\u5bf9\u4e2d\u7684\u516c\u94a5\u505a\u6821\u9a8c\uff0c\u800c\u516c\u94a5\u662f\u516c\u5f00\u7684\uff0c\u6211\u4eec\u5f88\u5bb9\u6613\u83b7\u53d6\u3002<\/p>\n
\u90a3\u4e48\u5f53\u6211\u4eec\u4fee\u6539RS256\u4e3aHS256\u65f6\uff0c\u540e\u7aef\u4f1a\u4ee5\u4e3a\u4f7f\u7528\u7684\u662fHS256\u5bf9\u79f0\u52a0\u5bc6\u505a\u6821\u9a8c\uff0c\u5373\u4f7f\u7528\u516c\u94a5\u5f53\u4f5cHS256\u6821\u9a8c\u65f6\u7684secret\u6765\u8fdb\u884c\u52a0\u5bc6\u5bf9\u6bd4\u662f\u5426\u76f8\u7b49\uff0c\u628a\u516c\u94a5\u5f53\u6210secret\u6765\u4f7f\u7528\uff0c\u4e5f\u5c31\u76f8\u5f53\u4e8e\u6cc4\u9732\u4e86secret\uff0c\u6240\u4ee5\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528\u516c\u94a5\u6765\u4f2a\u9020token\u3002<\/p>\n
\u4f2a\u9020\u5bc6\u94a5\uff08CVE-2018-0114\uff09<\/h3>\n
\u6211\u7406\u89e3\u8fd9\u4e2a\u6f0f\u6d1e\u548c\u4e0a\u9762\u7684\u6f0f\u6d1e\u6bd4\u8f83\u50cf\uff0c\u4e0a\u4e00\u4e2a\u6f0f\u6d1e\u662f\u540e\u53f0\u4fe1\u4efb\u4e86\u6211\u4eec\u63d0\u4f9b\u7684header\u4e2d\u7684\u7b97\u6cd5\uff0c\u8fd9\u4e2a\u662f\u4f7f\u7528\u4e86JWS\uff0c\u91cc\u9762\u4e5f\u662f\u5b58\u50a8\u7684\u516c\u94a5\uff0c\u90a3\u4e48\u6211\u4eec\u81ea\u5df1\u751f\u6210\u516c\u79c1\u94a5\u5bf9\uff0c\u7136\u540e\u4f7f\u7528\u79c1\u94a5\u751f\u6210token\uff0c\u518d\u5c06\u81ea\u5df1\u751f\u6210\u7684\u516c\u94a5\u653e\u5230JWS\u4e2d\uff0c\u8ba9\u540e\u53f0\u4f7f\u7528\u8fd9\u4e2a\u516c\u94a5\u89e3\u5bc6\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u5de7\u5999\u5730\u7ed5\u8fc7\u540e\u53f0\u7684\u9a8c\u8bc1\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00\uff1a\u5de5\u4f5c\u4e2d\u9700\u8981\u57fa\u4e8e\u6846\u67b6\u5f00\u53d1\u4e00\u4e2a\u8d34\u8fd1\u5b9e\u9645\u7684\u5e94\u7528\uff0c\u627e\u5230\u4e00\u6b3e\u6bd4\u8f83\u5408\u9002\u7684cms\u6846\u67b6\uff0c\u5176\u4e2d\u6b63\u597d\u7528\u5230\u7684\u5c31\u662fjwt\u505a\u8eab\u4efd\u4fe1 … \u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,14],"tags":[30],"class_list":["post-415","post","type-post","status-publish","format-standard","hentry","category-recurrence_analysis","category-safety_research","tag-30"],"_links":{"self":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/comments?post=415"}],"version-history":[{"count":2,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/415\/revisions"}],"predecessor-version":[{"id":469,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/415\/revisions\/469"}],"wp:attachment":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/media?parent=415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/categories?post=415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/tags?post=415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}