javascript - Spring MVC + AngularJS + JWT Token Expiration - HowTo -


I want to ensure that JSON Web Tokens are revoked/expire after a configurable amount of time. I have the following set up:

Security filter:

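import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import yourwebproject2.service.UserService;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Servlet filter that guards {@code /api/...} routes with a signed JWT bearer token.
 *
 * <p>For every request whose URI needs authentication, the token is read from the
 * {@code Authorization} header (falling back to {@code Authentication}), verified with
 * {@link #JWT_KEY}, and its {@link Claims} are stored in the request attribute
 * {@code "claims"} for downstream handlers. Routes listed in {@link #NO_AUTH_ROUTES}
 * (login and registration) are always passed through.
 *
 * <p>Missing or malformed credentials raise {@code AuthCredentialsMissingException};
 * a token that fails verification (bad signature, malformed, or expired when an
 * {@code exp} claim is present) raises {@code AuthenticationFailedException}.
 *
 * @author: kameshr
 */
public class JwtTokenAuthFilter extends OncePerRequestFilter {
    /** Route patterns that require a valid token; matched against the full request URI. */
    private static final List<Pattern> AUTH_ROUTES = new ArrayList<>();
    /** Exact request URIs that are exempt from authentication. */
    private static final List<String> NO_AUTH_ROUTES = new ArrayList<>();
    /**
     * HMAC secret shared between token issuance and verification.
     * NOTE(review): a short, hard-coded secret is easy to guess; load a high-entropy
     * key from configuration rather than keeping it in source.
     */
    public static final String JWT_KEY = "jwt-token-secret";
    /** Scheme prefix expected on the credential header (compared case-insensitively). */
    private static final String BEARER_PREFIX = "Bearer ";

    static {
        // "/api" alone or anything below "/api/". (The earlier "/api/*" regex only matched
        // "/api" followed by slashes, which is why the startsWith check below exists.)
        AUTH_ROUTES.add(Pattern.compile("/api(/.*)?"));
        NO_AUTH_ROUTES.add("/api/user/authenticate");
        NO_AUTH_ROUTES.add("/api/user/register");
    }

    private final Logger log = LoggerFactory.getLogger(JwtTokenAuthFilter.class);

    // Injected but not read by this filter.
    @Autowired
    private UserService userService;

    /**
     * Authenticates the request if its route is protected, then continues the chain.
     *
     * @param request     the incoming request; gains the {@code "claims"} attribute on success
     * @param response    the response, passed through untouched
     * @param filterChain the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // NOTE(review): getRequestURI() includes the servlet context path and is not
        // normalized; confirm these literal routes still match when the app is not deployed at "/".
        final String route = request.getRequestURI();

        if (!needsAuthentication(route)) {
            filterChain.doFilter(request, response);
            return;
        }

        final String authHeader = resolveAuthHeader(request);
        if (StringUtils.isBlank(authHeader)
                || !authHeader.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            throw new AuthCredentialsMissingException("Missing or invalid Authorization header.");
        }
        // Do not log the header itself: it carries the bearer token.
        log.debug("Bearer credential presented for {}", route);

        final String token = authHeader.substring(BEARER_PREFIX.length()); // part after "Bearer "
        final Claims claims;
        try {
            claims = Jwts.parser().setSigningKey(JWT_KEY)
                    .parseClaimsJws(token).getBody();
        } catch (final Exception e) {
            // Signature mismatch, malformed token and ExpiredJwtException all land here.
            throw new AuthenticationFailedException("Invalid token. Cause:" + e.getMessage());
        }
        request.setAttribute("claims", claims);

        // Deliberately outside the try: a failure further down the chain must not be
        // reported to the client as an invalid token.
        filterChain.doFilter(request, response);
    }

    /**
     * Decides whether {@code route} must carry a token.
     *
     * @param route the request URI
     * @return {@code true} for protected routes that are not explicitly exempted
     */
    private static boolean needsAuthentication(final String route) {
        if (NO_AUTH_ROUTES.contains(route)) {
            return false;
        }
        if (route.startsWith("/api/")) {
            return true;
        }
        for (final Pattern p : AUTH_ROUTES) {
            if (p.matcher(route).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the credential header value: {@code Authorization} when it is non-empty,
     * otherwise {@code Authentication} (which may itself be null or empty).
     *
     * @param request the incoming request
     * @return the raw header value, or {@code null} if neither header is set
     */
    private static String resolveAuthHeader(final HttpServletRequest request) {
        final String authorization = request.getHeader("Authorization");
        if (StringUtils.isEmpty(authorization)) {
            return request.getHeader("Authentication");
        }
        return authorization;
    }
}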

The method that creates the authentication token:

string token = jwts.builder().setsubject(user.getemail())                 .claim("role", user.getrole().name()).setissuedat(new date())                 .signwith(signaturealgorithm.hs256, jwttokenauthfilter.jwt_key).compact();         authresp.put("token", token);         authresp.put("user", user); 

Above are the claims I use on the JWT. I want the token to be revoked after X amount of time (of inactivity, if possible).

How can I achieve this using JWT / Spring MVC / AngularJS / Spring Security?

Set an expiration on the token:

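 // Same builder as before, plus an "exp" claim. expirationDate is computed by the caller
 // (for example issue time plus a configurable lifetime); the filter's parser then
 // rejects the token once that instant has passed.
 String token = Jwts.builder()
         .setSubject(user.getEmail())
         .claim("role", user.getRole().name())
         .setIssuedAt(new Date())
         .setExpiration(expirationDate)
         .signWith(SignatureAlgorithm.HS256, JwtTokenAuthFilter.JWT_KEY) // was "wttokenauthfilter": typo
         .compact();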

Then `parseClaimsJws` raises `ExpiredJwtException` if the current time is past `expirationDate`; in the filter above that exception is caught and turned into `AuthenticationFailedException`.

Revoking a token that is still valid is harder; there are no easy solutions:

1) Maintain a blacklist on the server and check it on each request

2) Set a short expiration time and issue a new token

3) Put the login time in the token and, on each request, check whether it still meets your criteria

4) Remove the JWT on the client side (this alone does not invalidate the token on the server)

See: Invalidating client-side JWT session

