基于token机制鉴权架构

市面常见的鉴权方式有两种,一种是基于session,另一种是基于token方式的鉴权,我们来浅谈一下两种 鉴权方式的区别。

两种鉴权方式对比

session

  1. 安全性:session是基于cookie进行用户识别的,cookie如果被截获,用户很容易受到跨站请求伪造的攻击。
  2. 扩展性:session是有状态的,是具有IP黏贴性和有中心化特性的,在分布式环境下,虽然每台服务器业务逻辑一样,但是session是保存在各个服务器中的,而且每个服务器内存是不共享的,如果使用session去实现分布式部署的话,需要使用其他的一些技术手段去实现,比如spring session,将session保存在第三方服务中,比如redis,这样一旦第三方服务出现问题,整个验权系统就会奔溃,在电商系统及高并发系统中的集群化处理显然是不合适的。
  3. 抗压能力:通常session是存储在内存中的,每个用户通过认证后都会将session存储在服务器内存中,当用户量增大的情况下服务器的压力也随之增大。

token

  1. 安全性:浏览器会将接收到的token值存储在Local Storage中,(通过js代码写入Local Storage,通过js获取,并不会像cookie一样自动携带)
  2. 扩展性:token是无状态的,是去中心化的,在分布式环境下,各个服务器中的服务只对token进行数据查询,它不需要在服务端保留用户信息或者会话信息,这意味着用户不需要考虑登录的是哪一台服务器,高效的解决了session扩展性的弊端。
  3. 抗压能力:token与session的不同主要在认证成功后,会对当前用户数据进行加密,生成一个加密字符串token,返还给客户端(服务器端并不进行保存)

基于token的鉴权方式

业界常用的授权标准有两种,一种是使用auth2,这种方式更适合于类似第三方授权登录,比如微信、微博、QQ信任登录业务。另一种是oauth,即第三方无需知道用户和密码就可以申请获得该资源的授权,更适用于对用户的权限校验并分配访问权限,比如常见的登录后分配可见资源(按钮、菜单等)类型网站。

Javashop电商系统 采用的是oauth方式的鉴权标准。以下是javashop电商系统对于token鉴权架构的详解。

  1. 登录
    服务端校验密码,成功后返回access_token和refresh_token,客户端记录上述token。
  2. 访问API
    在访问API之前解析access_token,并且查看是否过期,如果不过 期则请求API,如果过期,则要刷新令牌,在请求API。
  3. 刷新token
    携带有效期的refresh_token换回有效token,如果refresh_token过期,则需要用户重新登录。
  4. 注销
    请求注销api,服务器端和客户端应同时删除token的存储。

验权流程

  1. 客户端请求API
    携带access_token信息,如果生成环境不会直接携带access_token,会使用加密后的签名校验。祥见以下防重放机制。
  2. 获取token
    根据环境不同而有不同的获取token方式。
  3. 解析token
    通过JWT工具将token解析。
  4. 由redis读取token
    根据uid拼接key读取access_token, 如果不存在这个用户的token说明已经登出。
  5. 验证token
    判断次token是否属于此uid,判断token是否过期,如果过期则进行以下刷新token的流程。
  6. 注入权限
    如果token验证成功,根据user信息生成权限注入到spring安全上下文中。

刷新token流程

  1. 客户端请求API
    携带refresh_token,如果是生产环境不会直接携带refresh_token信息,详见以下防重放攻击。
  2. 获取token
    根据环境不同而有不同的获取token方式。
  3. 解析token
    通过JWT工具将token解析。
  4. token读取
    根据uid拼接key读取出access_token,如果不存在这个用户的token说明用户已经登出。
  5. 验证token
    判断此token是否属于此uid,判断token是否已经过期,如果过期,则返回refresh_token过期错误,此时用户需要重新登录。
  6. 刷新token
    如果refresh_token 验证成功,则重新生成access_token和refresh_token,上述有效期以当前时间向后计算,替换此用户在redis中的token,并将token返回给客户端。

防重放机制

一、 参数的读取

  1. 在生产环境时,不能直接传递token,而是要传递签名数据,服务器端验签后由Redis中获取签名。
  2. 如果是非生产环境,直接由header中读取token。
    二、 生产环境传递如下参数
    memberid (用户id)
    nonce(随机字串,6位)
    timestamp(当前时间戳,到秒)
    sign= md5( uid+ nonce + timestamp +token )
    三、 验证逻辑
  3. 验证时间戳
    判断时间戳是否起过60s,大于60s则判别为重放功击。
  4. 验证nonce
    首先验证nonce在 reids中是否存在,如果存在,则判别为重放功击,否则将nonce记录在redis中(key为:”nonce”+uid+”_”+nonce),失效时间为60s。
  5. 验证sign
    md5( uid+ nonce + timestamp +token ) 验证是签名是否通过。
  6. 验证token
    通过uid拿到token ,验证逻辑同验权流程。
  • 当然在不同的业务场景下实现方案是多种多样的,仅以此方案抛转引玉,供大家参考。

“基于token机制鉴权架构”的0个回复

  1. For non-gamers, these options are overkill; for dedicated avid gamers, they supply a competitive edge. Some gaming mice are common gaming models, whereas others are designed for particular recreation genres. In the latter case, depending upon the style of the game that the mouse is intended for (first-person shooter, real-time technique recreation,MMO), you may even see a big selection of specialized features.

    This may be through dedicated-purpose button, otherwise you might be able to program one of many mouse’s buttons or toggles to execute resolution/sensitivity changes on the fly. The simplest way to hook up a mouse to your PC is through a wired USB connection. Computer mice are normally plug-and-play devices, with no further software to install (with the exception of higher-end gaming mice), that means that plugging in the cable is all of the setup you may need to take care of. Unlike wi-fi options, a wired system will draw its power over USB, so there are no batteries to worry about. Wired connections are additionally preferable for severe gaming or esports use , although some high-end wi-fi mice are indistinguishable, from a response-time perspective, from wired ones. There are lots of strawberry laptop mouse options for gamers.

    This consists of wi-fi gaming mouse listings that characteristic daring designs. A lot of these bluetooth mouse choices have LED lighting implanted in them to supply that neon look. We have each rechargeable options with built in batteries and mice that take exterior batteries.

    But this isn’t an absolute, and albeit, if you’re concerned at all about mousing precision, a basic mouse pad will clear up all ails. For maximum consolation, some gaming mice let you customize the physique of the mouse itself. Removable weights are frequent, letting you tweak the entire heft of the mouse one means or the other. Some fashions take this even additional, letting you shift the middle of stability, or adjust the peak and pitch of the palm relaxation.

    SpytoStyle.Com, distinct classes of mice have developed, every made for different computing conditions. The most typical of these is the mainstream desktop mouse, designed for use with a desktop or laptop computer PC at a desk or table. Aside from the inevitable right and left mouse buttons, the identical old features are a clickable scroll wheel and, in some instances, extra thumb buttons that permit you to navigate ahead and again in your web browser. Laser mice function in an identical method, but they use an infrared laser diode instead of an LED.

    You’ll see advert outcomes primarily based on components like relevancy, and the amount sellers pay per click. During that point, I’ve built and torn down enough desktop PCs to equip a metropolis block’s price of web cafes. Under race conditions, I’ve built PCs from bare-board to bootup in underneath 5 minutes. Sign up for Lab Report to get the newest evaluations and prime product advice delivered proper to your inbox.

    It is a succesful little system that allows folks of all ages to explore computing, and to discover methods to program in languages like Scratch and Python. It’s able to doing every little thing you’d anticipate a desktop computer to do, from browsing the internet and playing high-definition video, to making spreadsheets, word-processing, and playing games. So, finalize your order right now by trying on the options of the products available right here on onOverseas.com.

发表评论

电子邮件地址不会被公开。 必填项已用*标注