我正在跟踪next tutorial以使我的休息服务安全化。
但是步骤验证令牌字段有问题,首先我不知道依赖项是否正确:
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>1.13.1-beta</version>
</dependency>
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client-gson</artifactId>
<version>1.13.1-beta</version>
</dependency>
其次,当我在示例中使用类检查器时,在调用
Verifier.verify(token)时它返回false,这是因为在类GoogleIdTokenVerifier中,set clients是空的。我一步一步地跟着教程,我完全迷路了谢谢大家。
编辑:这是我现在使用的代码,它似乎正在工作:
public class Checker {
private final String mAudience;
private final Lock lock = new ReentrantLock();
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";
private final List<String> mClientIDs;
private List<PublicKey> publicKeys;
private final Clock clock;
NetHttpTransport transport;
private long expirationTimeMilliseconds;
public Checker(String[] clientIDs, String audience) {
mClientIDs = Arrays.asList(clientIDs);
mAudience = audience;
transport = new NetHttpTransport();
mJFactory = new GsonFactory();
mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
clock = Clock.SYSTEM;
}
public GoogleIdToken.Payload check(String tokenString) {
GoogleIdToken.Payload payload = null;
try {
GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
if (checkSignature(mClientIDs.get(0), token)) {
GoogleIdToken.Payload tempPayload = token.getPayload();
if (!tempPayload.getAudience().equals(mAudience))
mProblem = "Audience mismatch";
else if (!mClientIDs.contains(tempPayload.getIssuee()))
mProblem = "Client ID mismatch";
else
payload = tempPayload;
}
} catch (GeneralSecurityException e) {
mProblem = "Security issue: " + e.getLocalizedMessage();
} catch (IOException e) {
mProblem = "Network problem: " + e.getLocalizedMessage();
} catch (Exception e) {
mProblem = "Problem: " + e.getLocalizedMessage();
}
return payload;
}
public String problem() {
return mProblem;
}
boolean checkSignature(String clientIds, GoogleIdToken idToken)
throws GeneralSecurityException, IOException {
JsonWebSignature.Header header = idToken.getHeader();
String algorithm = header.getAlgorithm();
if (algorithm.equals("RS256")) {
lock.lock();
try {
if (publicKeys == null
|| clock.currentTimeMillis() + 300000 > expirationTimeMilliseconds) {
mVerifier.loadPublicCerts();
publicKeys = mVerifier.getPublicKeys();
expirationTimeMilliseconds = mVerifier
.getExpirationTimeMilliseconds();
}
Signature signer = Signature.getInstance("SHA256withRSA");
for (PublicKey publicKey : publicKeys) {
signer.initVerify(publicKey);
signer.update(idToken.getSignedContentBytes());
if (signer.verify(idToken.getSignatureBytes())) {
return true;
}
}
} finally {
lock.unlock();
}
}
return false;
}
}
最佳答案
不知道你的依赖关系;那是maven对吧?我是个特立独行的白痴。
至于您的客户机,代码假设您将传入一个客户机列表,因为您希望确保知道要与哪个客户机交谈。如果你不想这么做,我可以看到两个明显的选择:
只需删除构造函数的clientids参数、mclientids成员变量和“if(!mclientids.contains()“调用check()方法。
更改代码以跳过mclientids是否为空的检查