Validation parameter verification
This is the back-end mini-class of the IT Academy. Each article analyses one back-end knowledge point or skill from eight aspects:
[background introduction] [knowledge analysis] [common problems] [solutions] [coding practice] [extended thinking] [more discussion] [references]
This article shares:
[validation parameter verification]
[Java class of the IT Academy] Validation parameter verification
Hello, I'm an honest, pure and kind Java programmer from the Beijing branch of the IT Academy. Today I'd like to share validation parameter verification, a knowledge point from the in-depth thinking part of Java (professional) task 2 on the Academy's official website.
1. Background introduction
Authentication
The server provides resources to clients, but some resources are conditional: the server must be able to identify the requester and then decide whether the requested resource may be handed to that requester.
Token
A token is an authentication mechanism. Initially the user submits account credentials to the server, and the server uses some strategy to generate a token. The token string carries a small amount of user information and is valid for a limited period. The server returns the token string to the client, which stores it and sends it along with the next request.
In general, only non-sensitive data should be placed in the token. The server then signs that data with its private key and appends the signature to the data as part of the token. Every client request must carry the token. An interceptor intercepts access to protected resources and parses the token: a parse failure means the token does not match; after a successful parse, it checks whether the token has expired and refuses service if so. Only when every check passes does the interceptor let the request through.
2. Knowledge analysis
JWT
JSON Web Token (JWT) is a very lightweight specification that lets us transfer information safely and reliably between users and servers. A JWT consists of three parts: header, payload and signature.
Header
The header has two fields: the token type and the signature algorithm it uses, for example {"alg": "HS256", "typ": "JWT"}. Base64-encoding this JSON forms the first part of the JWT structure.
Payload
This part is where the information is stored. You can put the user ID and other data used to verify the user's identity here. The JWT specification describes this part in detail; the commonly used fields are iss (issuer), exp (expiration time), sub (subject), aud (audience) and iat (issued-at time). These five fields are defined by the JWT standard.
Signature
The first two parts are only Base64-encoded, so the front end can decode them and read their contents. The signature is computed over the encoded header and payload together with a key that we supply, using the algorithm named in the header. Its purpose is to guarantee that the JWT has not been tampered with.
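The three-part structure described above, worked through by hand with only the JDK (this is an added example, not code from the original article): the header and payload are plain Base64url text that anyone can decode, while the signature is an HMAC-SHA256 over `base64url(header).base64url(payload)` that only the key holder can recompute. The header, payload and key below are constructed for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class JwtStructure {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // signature = HMAC-SHA256(key, base64url(header) + "." + base64url(payload))
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    static String b64(String s) {
        return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static String build(String headerJson, String payloadJson, byte[] key) throws Exception {
        String signingInput = b64(headerJson) + "." + b64(payloadJson);
        return signingInput + "." + ENC.encodeToString(hmacSha256(key, signingInput));
    }

    // Parts 0 and 1 need no secret to read: this is why passwords must not go in the payload.
    static String decodePart(String jwt, int index) {
        return new String(DEC.decode(jwt.split("\\.")[index]), StandardCharsets.UTF_8);
    }

    // Only the key holder can check part 2; compare in constant time.
    static boolean signatureValid(String jwt, byte[] key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        return MessageDigest.isEqual(expected, DEC.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
        String jwt = build("{\"alg\":\"HS256\",\"typ\":\"JWT\"}",
                           "{\"sub\":\"42\",\"iss\":\"demo\",\"exp\":1700000000}", key);
        System.out.println(decodePart(jwt, 0));        // header, readable by anyone
        System.out.println(decodePart(jwt, 1));        // payload, readable by anyone
        System.out.println(signatureValid(jwt, key));  // untouched token
        String[] p = jwt.split("\\.");                 // payload swapped, old signature kept
        String tampered = p[0] + "." + b64("{\"sub\":\"1\",\"iss\":\"demo\",\"exp\":1700000000}") + "." + p[2];
        System.out.println(signatureValid(tampered, key));
    }
}
```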
3. Frequently asked questions
4. Solutions
5. Coding practice
6. Expand thinking
JJWT
JJWT is a Java library wrapping JWT. It has two important entry points, the builder and the parser, which are used to create and parse JWTs respectively.
DefaultJwtBuilder is the implementation class of the JwtBuilder interface and is used to create JWTs; its methods set the individual fields of the JWT.
The DefaultJwtParser class parses a JWT string: pass in the signing key and the JWT string to be parsed, and JJWT automatically verifies the JWT's validity while parsing. Depending on the situation it throws one of three exceptions: an expiration exception, a JWT format exception or a signature exception. You can catch these exceptions to perform more specific verification.
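The builder/parser flow and the three exception cases described above, together with the interceptor checks from the background section, as an added example (not code from the original article or from the JJWT project). It assumes the JJWT 0.11.x API (`Jwts.parserBuilder()`, `io.jsonwebtoken.security.SignatureException`); the secrets, issuer name and user id are constructed for the demo.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Date;

public class JjwtDemo {
    // HS256 needs at least 256 bits of key material; load it from a secret store in
    // production instead of hard-coding it as this constructed demo does.
    static Key key(String secret) {
        return Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    // JwtBuilder: only non-sensitive identifying data (the user id) goes in the payload.
    static String issue(Key key, String userId, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder().setIssuer("demo-server").setSubject(userId).setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(key, SignatureAlgorithm.HS256).compact();
    }

    // JwtParser, as an interceptor would use it: each failure maps to its own reason.
    static String verify(Key key, String token) {
        try {
            Claims c = Jwts.parserBuilder().setSigningKey(key).requireIssuer("demo-server")
                    .build().parseClaimsJws(token).getBody();
            return "OK user=" + c.getSubject();
        } catch (ExpiredJwtException e) {
            return "REJECT expired";           // exp is in the past
        } catch (SignatureException e) {
            return "REJECT bad signature";     // tampered, or signed with another key
        } catch (MalformedJwtException | IllegalArgumentException e) {
            return "REJECT malformed";         // not a well-formed compact JWS
        } catch (JwtException e) {
            return "REJECT " + e.getMessage(); // e.g. wrong issuer, unsupported alg
        }
    }

    public static void main(String[] args) {
        Key k = key("constructed-demo-secret-at-least-32-bytes!!");
        Key other = key("another-constructed-secret-32-bytes!!");
        System.out.println(verify(k, issue(k, "user-42", 60_000)));     // fresh, correctly signed
        System.out.println(verify(k, issue(k, "user-42", -60_000)));    // exp already passed
        System.out.println(verify(k, issue(other, "user-42", 60_000))); // signed with a different key
        System.out.println(verify(k, "not.a.jwt"));                      // garbage instead of a JWS
    }
}
```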
7. References
8. More discussion
Information exposure?
No sensitive data should be put in the JWT payload. Usually the user's ID is passed in; this value is not sensitive and is generally considered safe to expose. Content such as passwords, however, must never be placed in a JWT: anyone holding the token can recover the password simply by Base64-decoding the payload.
Forging a JWT to log in as someone else?
When the server generates a token, it uses the client's UA (User-Agent) as an interference code to encrypt the data. When the client makes a request, it passes in both the token and the UA, and the server uses the UA to decrypt the token and verify the user's identity. If only the token is copied to another client, the different UA makes parsing fail on the server, which gives a certain degree of protection against impersonation. However, if an attacker guesses that the server uses the UA as the encryption key, they can simply modify their own UA.
JWT disadvantages?
Inconvenience: once all the data is put into the JWT, its size will soon exceed the cookie size limit.
JWT does not support revocation. Whatever happens, a JWT remains valid until its expiration time, so its validity period cannot be fully controlled.
Once a JWT is generated, it no longer has any connection to the server. When the related data on the server is updated, the data stored in the stateless JWT becomes stale because it cannot be updated.
9. Acknowledgment
Thank you for watching. If there are any errors, please point them out.
10. Conclusion
That's all for today's sharing. You are welcome to like, share, leave comments and criticism~