在SpringBoot项目上构建JWT访问token和刷新token时,遇到一个Date类型的问题,由于序列化JWT token时只支持秒,将毫秒级自然丢弃。
<dependency> <groupId>com.auth0</groupId> <artifactId>java-jwt</artifactId> <version>3.10.3</version> </dependency>如果有基于签发时间戳(iat,IssuedAt)的应用,需要特别小心,这是一个坑,比如作为验证。
解析分发的token,包括exp,nbf,iat:
{ ... "exp": 1594351823, "iat": 1593747023, ... }发现都是秒级而非毫秒级的,一般代码中,我们会使用毫秒timestamp:
//签发时间 final Date issusedAtTime = new Date(); jwtBuilder.withIssuedAt(issusedAtTime); long timestamp = issusedAtTime.getTime();经过读JWT源码分析,序列化主要是PayloadSerializer,通过方法dateToSeconds明确了JWT中的日期全部按秒序列化:
public class PayloadSerializer extends StdSerializer<ClaimsHolder> { .... private long dateToSeconds(Date date) { return date.getTime() / 1000L; } }顺便研究了下解析类PayloadDeserializer,通过方法getDateFromSeconds将秒级的日期,转换为毫秒然后构造Date对象:
class PayloadDeserializer extends StdDeserializer<Payload> { .... public Payload deserialize(JsonParser p, DeserializationContext ctxt) throws IOException { Map<String, JsonNode> tree = (Map)p.getCodec().readValue(p, new TypeReference<Map<String, JsonNode>>() { }); if (tree == null) { throw new JWTDecodeException("Parsing the Payload's JSON resulted on a Null map"); } else { String issuer = this.getString(tree, "iss"); String subject = this.getString(tree, "sub"); List<String> audience = this.getStringOrArray(tree, "aud"); Date expiresAt = this.getDateFromSeconds(tree, "exp"); Date notBefore = this.getDateFromSeconds(tree, "nbf"); Date issuedAt = this.getDateFromSeconds(tree, "iat"); String jwtId = this.getString(tree, "jti"); return new PayloadImpl(issuer, subject, audience, expiresAt, notBefore, issuedAt, jwtId, tree, this.objectReader); } } .... Date getDateFromSeconds(Map<String, JsonNode> tree, String claimName) { JsonNode node = (JsonNode)tree.get(claimName); if (node != null && !node.isNull()) { if (!node.canConvertToLong()) { throw new JWTDecodeException(String.format("The claim '%s' contained a non-numeric date value.", claimName)); } else { long ms = node.asLong() * 1000L; return new Date(ms); } } else { return null; } } .... }
至此,破案成功!
