Overview

Origin

Starting from version 5.7.0, Hutool provides a zero-dependency implementation of JWT (JSON Web Token).

Introduction to JWT

There is plenty of material about JWT available online, so this page does not repeat it. In short, JWT is a format for network authentication and information exchange.

Structure

  • Header: Contains information about the JWT’s signing algorithm, among other things.
  • Payload: Carries the claims. It is only base64url-encoded, not encrypted, so anyone holding the token can read it.
  • Signature: A JWT that carries this part is called a JWS (signed JWT). The signature is used to verify that the header and payload have not been altered.

The overall structure is:

header.payload.signature

Usage

The core of the JWT module mainly consists of two classes:

  1. The JWT class generates, parses, or verifies a JWT through a chained (fluent) API.
  2. The JWTUtil class mainly encapsulates some tools for JWT, providing a more concise JWT generation, parsing, and verification process.

JWT Generation

  1. HS256 (HmacSHA256) Algorithm

// Secret key
byte[] key = "1234567890".getBytes();

String token = JWT.create()
    .setPayload("sub", "1234567890")
    .setPayload("name", "looly")
    .setPayload("admin", true)
    .setKey(key)
    .sign();

The generated content is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiYWRtaW4iOnRydWUsIm5hbWUiOiJsb29seSJ9.536690902d931d857d2f47d337ec81048ee09a8e71866bcc8404edbbcbf4cc40
  2. Other Algorithms

// Secret key
byte[] key = "1234567890".getBytes();

// SHA256withRSA
String id = "rs256";
JWTSigner signer = JWTSignerUtil.createSigner(id,
    // A random key pair is generated here for demonstration; in practice a `JWTSigner`
    // can be created from an existing `KeyPair`, public key, or private key.
    KeyUtil.generateKeyPair(AlgorithmUtil.getAlgorithm(id)));

String token = JWT.create()
    .setPayload("sub", "1234567890")
    .setPayload("name", "looly")
    .setPayload("admin", true)
    .setSigner(signer)
    .sign();
  3. Unsigned JWT

// The "none" signer produces no signature: the header's alg is "none" and the
// third segment is empty, so the encoded token ends with a trailing dot.
String token = JWT.create()
    .setPayload("sub", "1234567890")
    .setPayload("name", "looly")
    .setPayload("admin", true)
    .setSigner(JWTSignerUtil.none())
    .sign();

JWT Parsing

String rightToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." +
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwiYWRtaW4iOnRydWUsIm5hbWUiOiJsb29seSJ9." +
    "536690902d931d857d2f47d337ec81048ee09a8e71866bcc8404edbbcbf4cc40";

JWT jwt = JWT.of(rightToken);

// JWT
jwt.getHeader(JWTHeader.TYPE);
// HS256
jwt.getHeader(JWTHeader.ALGORITHM);

// 1234567890
jwt.getPayload("sub");
// looly
jwt.getPayload("name");
// true
jwt.getPayload("admin");

JWT Verification

  1. Verifying the Signature

String rightToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." +
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwiYWRtaW4iOnRydWUsIm5hbWUiOiJsb29seSJ9." +
    "536690902d931d857d2f47d337ec81048ee09a8e71866bcc8404edbbcbf4cc40";

// Secret key
byte[] key = "1234567890".getBytes();

// With only a key set, the HS256 algorithm is used by default for verification
JWT.of(rightToken).setKey(key).verify();
  2. Detailed Verification

In addition to verifying the signature, Hutool's validate method performs a more detailed check, which mainly includes:

  • Whether the token itself is valid.
  • The effective time (nbf) cannot be later than the current time.
  • The expiration time (exp) cannot be earlier than the current time.
  • The issue time (iat) cannot be later than the current time.

Here’s how to use it:

String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJNb0xpIiwiZXhwIjoxNjI0OTU4MDk0NTI4LCJpYXQiOjE2MjQ5NTgwMzQ1MjAsInVzZXIiOiJ1c2VyIn0.L0uB38p9sZrivbmP0VlDe--j_11YUXTu3TfHhfQhRKc";

byte[] key = "1234567890".getBytes();
// The argument is the leeway, in seconds, tolerated by the time checks; 0 means no tolerance
boolean validate = JWT.of(token).setKey(key).validate(0);

For other custom detailed verifications, please refer to the “JWT Verification - JWTValidator” section.
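The following is an added, self-contained example (not from the Hutool documentation or project) that ties the signature check and the detailed time check together on the server side: a token is issued with exp/nbf/iat claims, then a fresh token, a token whose payload was altered in transit, and an expired token are each run through the same acceptance check. The key, user name and class name are constructed for the example.

```java
import cn.hutool.core.codec.Base64;
import cn.hutool.core.date.DateUtil;
import cn.hutool.jwt.JWT;

import java.util.Date;

public class JwtAcceptanceDemo {

    // Constructed sample secret; in a real deployment load it from a secret
    // store and use a random key of at least 32 bytes for HS256.
    static final byte[] KEY = "1234567890".getBytes();

    // Issue an HS256 token that is valid for 5 minutes from the given instant.
    static String issue(String user, Date now) {
        return JWT.create()
                .setSubject(user)
                .setPayload("admin", false)
                .setIssuedAt(now)
                .setNotBefore(now)
                .setExpiresAt(DateUtil.offsetMinute(now, 5))
                .setKey(KEY)
                .sign();
    }

    // Server-side acceptance check: the signature is verified with the server's
    // own key, never with material taken from the token, and the nbf/exp/iat
    // claims are then checked against the current time with the given leeway.
    static boolean accept(String token, long leewaySeconds) {
        JWT jwt = JWT.of(token).setKey(KEY);
        return jwt.verify() && jwt.validate(leewaySeconds);
    }

    public static void main(String[] args) {
        Date now = new Date();
        String token = issue("looly", now);
        System.out.println("fresh token accepted:    " + accept(token, 0));   // true

        // Payload altered in transit: the signature no longer covers these bytes.
        String[] parts = token.split("\\.");
        String altered = parts[0] + "."
                + Base64.encodeUrlSafe("{\"sub\":\"looly\",\"admin\":true}") + "."
                + parts[2];
        System.out.println("altered token accepted:  " + accept(altered, 0)); // false

        // Expired token: issued an hour ago with a 5-minute lifetime.
        String stale = issue("looly", DateUtil.offsetHour(now, -1));
        System.out.println("expired token accepted:  " + accept(stale, 0));   // false
    }
}
```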