Java: How to verify a token signature in Nimbus JOSE+JWT

Tags: java, oauth, jwt

On every request for a resource I pass a token back and forth between the server and the client.

The code used to create the JWT token:

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

public class TokenProvider {

    String token = "";

    public String getToken(String email) {
        try {
            // A fresh RSA key pair on every call: the public key is printed but never
            // retained, so nothing outside this method can verify the token afterwards.
            KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
            keyGenerator.initialize(1024); // 1024-bit RSA is below today's usual 2048-bit minimum

            KeyPair kp = keyGenerator.genKeyPair();
            RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
            RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();

            // Debug output only; a private key must never be logged in real code
            System.out.println("publicKey: " + publicKey);
            System.out.println("privateKey: " + privateKey.toString());

            JWSSigner signer = new RSASSASigner(privateKey);

            // Claims (Nimbus 4+ builder; the original post used the pre-4.0 setXxx() API)
            JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
                    .subject("RTH")
                    .claim("email", email)
                    .claim("role", "USER")
                    .issuer("https://rth.com")
                    .expirationTime(new Date(new Date().getTime() + 60 * 1000))
                    .build();

            SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);

            signedJWT.sign(signer);
            token = signedJWT.serialize();
            TokenSaverAndValidatorDAO tokenSaver = new TokenSaverAndValidatorDAO(); // the poster's own DAO
            tokenSaver.saveTokenToDB(email, token);

            // Round-trip check with the key pair that is still in scope here
            signedJWT = SignedJWT.parse(token);

            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            System.out.println("verifier: " + verifier);
            System.out.println("verify method: " + signedJWT.verify(verifier));
            assertTrue(signedJWT.verify(verifier));
            assertEquals("RTH", signedJWT.getJWTClaimsSet().getSubject());
            assertEquals("https://rth.com", signedJWT.getJWTClaimsSet().getIssuer());
            assertTrue(new Date().before(signedJWT.getJWTClaimsSet().getExpirationTime()));
        } catch (JOSEException | ParseException | NoSuchAlgorithmException ex) {
            Logger.getLogger(TokenProvider.class.getName()).log(Level.SEVERE, null, ex);
        }
        return token;
    }
}
So far it works fine, but the question is how to verify the signature of a token received from the client.

From there, only one method looks like it is meant for verification, but it only takes a public key (RSAPublicKey) as a parameter, not the token.

Anyone who has worked with JWT using this library, please help. Thank you.

That is a must, but you already have all the code you need in your question.

For a shared secret:

JWSVerifier verifier = new MACVerifier(sharedKey.getBytes());
If you are using an RSA key pair (as in your example), just provide the public key:

JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
Then ask it to verify the signature; note that it will throw an exception if the signature is invalid:

boolean verifiedSignature = false;

try {
    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
    verifiedSignature = signedJWT.verify(verifier);
} catch (JOSEException e) {
    System.err.println("Couldn't verify signature: " + e.getMessage());
}
A complete method for checking the token signature could look like this:

import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

public class SignatureChecker {
    // Public key of the pair that signs tokens; load it once (keystore/JWKS), never regenerate per request
    private static RSAPublicKey publicKey;
    public static boolean isSignatureValid(String token) {
        // Parse the JWS and verify its RSA signature
        SignedJWT signedJWT;
        try {
            signedJWT = SignedJWT.parse(token);
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            // false on a bad signature; JOSEException only for key/algorithm problems
            return signedJWT.verify(verifier);
        } catch (ParseException | JOSEException e) {
            return false;
        }
    }
}
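The answer above shows the verifier call; what the question's code is missing is a key pair that outlives a single getToken() call, and a verification routine that checks more than the signature. The following is an added example (editor's code, not from the original question, answer, or the Nimbus project) that puts both together and goes a little beyond the page: it pins the expected algorithm, checks the boolean that verify() returns, validates iss and exp, and then demonstrates two forgeries being rejected: a token whose payload was edited after signing, and an HS256 token MAC'ed with the public key bytes (the classic RS256/HS256 confusion). The class name TokenService, the helper reject(), the in-memory key pair, and the sample e-mail are assumptions for illustration; the issuer https://rth.com and the claim names come from the page. It targets the Nimbus 4+ builder API.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.*;
import java.text.ParseException;
import java.util.Base64;
import java.util.Date;

// Hypothetical service: one RSA key pair for the life of the process, used both to
// issue tokens and to verify the ones clients send back.
public class TokenService {

    private static final String ISSUER = "https://rth.com";

    // Generated once, not per token. The verifying public key must pair with the
    // signing private key; in production load both from a keystore so they survive
    // restarts and so the public half can be handed to other verifiers.
    private final RSAPrivateKey privateKey;
    private final RSAPublicKey publicKey;

    public TokenService() throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        privateKey = (RSAPrivateKey) kp.getPrivate();
        publicKey = (RSAPublicKey) kp.getPublic();
    }

    public String issue(String email) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("RTH").issuer(ISSUER)
                .claim("email", email).claim("role", "USER")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000L))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt.serialize();
    }

    // Returns the claims only if the token is acceptable; throws otherwise.
    public JWTClaimsSet verify(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        // 1. Pin the algorithm: the token's own header must not choose how it is checked.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        // 2. Signature. verify() returns false on a bad signature (it throws only for
        //    key/algorithm problems), so the boolean must be checked, not just called.
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        if (!jwt.verify(verifier)) {
            throw new JOSEException("signature does not verify");
        }
        // 3. Claims: a good signature says nothing about issuer or expiry.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!ISSUER.equals(claims.getIssuer())) {
            throw new JOSEException("unexpected issuer " + claims.getIssuer());
        }
        Date exp = claims.getExpirationTime();
        if (exp == null || !new Date().before(exp)) {
            throw new JOSEException("token expired or has no exp");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        TokenService svc = new TokenService();
        String token = svc.issue("alice@example.com"); // constructed sample input
        System.out.println("genuine token, role = " + svc.verify(token).getStringClaim("role"));

        // Forgery 1: edit the payload (role USER -> ADMIN) but keep the original signature.
        String[] p = token.split("\\.");
        String payload = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(
                payload.replace("\"USER\"", "\"ADMIN\"").getBytes(StandardCharsets.UTF_8));
        reject(svc, p[0] + "." + forged + "." + p[2], "tampered payload");

        // Forgery 2: algorithm confusion, an HS256 token MAC'ed with the public key bytes,
        // which a verifier that trusts the header's alg could accept.
        SignedJWT hs = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
                new JWTClaimsSet.Builder().issuer(ISSUER).claim("role", "ADMIN")
                        .expirationTime(new Date(System.currentTimeMillis() + 60_000L)).build());
        hs.sign(new MACSigner(svc.publicKey.getEncoded()));
        reject(svc, hs.serialize(), "HS256 signed with the public key as secret");
    }

    private static void reject(TokenService svc, String token, String what) throws ParseException {
        try {
            svc.verify(token);
            System.out.println("BUG: accepted " + what);
        } catch (JOSEException e) {
            System.out.println("rejected " + what + ": " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when adapting this: RSASSAVerifier already refuses non-RSA algorithms by throwing JOSEException, but pinning the alg explicitly keeps the policy visible and independent of library behaviour; and once issuer, audience and expiry rules grow, Nimbus's DefaultJWTProcessor with a JWSVerificationKeySelector and a JWTClaimsSet verifier expresses the same checks declaratively and is the better fit for a resource server.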