
How to implement security certification for Java back-end function development?

Aug 07, 2023 am 11:15 AM
java backend security certification


As the Internet keeps growing, so do expectations for network security. When developing Java back-end functionality, authentication is an aspect that cannot be ignored. This article introduces how to implement authentication for Java back-end development in order to protect user accounts and data.

1. Use JWT to implement authentication and authorization

JWT (JSON Web Token) is a JSON-based token used to transfer security information between the client and the server. It carries the user's identity and permission information inside a signed token, so the server does not have to keep a copy of the user's session information.

The following is a sample code that uses JWT for authentication and authorization:

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.util.Date;

public class JwtUtils {
    // jjwt treats this string as a Base64-encoded key; load a long random key from
    // configuration instead of committing a literal like this to source control
    private static final String SECRET_KEY = "your_secret_key";
    private static final long EXPIRATION_TIME = 86400000; // 24 hours, in milliseconds

    // Generate a signed JWT carrying the username as subject and the roles as a custom claim
    public static String generateToken(String username, String roles) {
        Date expirationDate = new Date(System.currentTimeMillis() + EXPIRATION_TIME);
        return Jwts.builder()
                .setSubject(username)
                .claim("roles", roles)
                .setExpiration(expirationDate)
                .signWith(SignatureAlgorithm.HS512, SECRET_KEY)
                .compact();
    }

    // Parse the JWT and verify its signature; jjwt throws a JwtException (for example
    // ExpiredJwtException) if the token is malformed, tampered with or expired
    public static Claims parseToken(String token) {
        return Jwts.parser()
                .setSigningKey(SECRET_KEY)
                .parseClaimsJws(token)
                .getBody();
    }

    // Check whether the JWT has expired. parseToken already rejects an expired token by
    // throwing ExpiredJwtException, so that exception is caught here; the original version
    // let it propagate and could never return true. A token without exp is treated as expired.
    public static boolean isTokenExpired(String token) {
        try {
            Claims claims = parseToken(token);
            Date expirationDate = claims.getExpiration();
            return expirationDate == null || expirationDate.before(new Date());
        } catch (ExpiredJwtException e) {
            return true;
        }
    }
}
```

In application code, this utility class can be used to issue a JWT at login and to verify it in the protected endpoints, for example:

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;

@RestController
public class UserController {
    @Autowired
    private UserService userService;

    @PostMapping("/login")
    public String login(@RequestBody Map<String, String> loginInfo) {
        String username = loginInfo.get("username");
        String password = loginInfo.get("password");

        // Verify the username and password
        boolean isValid = userService.validateLogin(username, password);
        if (!isValid) {
            return "用户名或密码错误";
        }

        // Generate the JWT token
        String roles = userService.getUserRoles(username);
        String token = JwtUtils.generateToken(username, roles);

        return token;
    }

    @GetMapping("/userinfo")
    public String getUserInfo(@RequestHeader("Authorization") String token) {
        try {
            // Check whether the token has expired
            if (JwtUtils.isTokenExpired(token)) {
                return "令牌已过期";
            }

            // Parse the token (the signature is verified here) and read the username and roles
            Claims claims = JwtUtils.parseToken(token);
            String username = claims.getSubject();
            String roles = (String) claims.get("roles");

            // Look up the user record by username
            UserInfo userInfo = userService.getUserInfoByUsername(username);

            // Return the user information and role information
            return "用户名:" + userInfo.getUsername() + ",角色:" + roles;
        } catch (JwtException | IllegalArgumentException e) {
            // Malformed token or signature mismatch: reject it rather than letting the exception escape
            return "令牌无效";
        }
    }
}
```

In the code above, the username and password are verified first when the user logs in; only then is the JWT generated and returned to the front end. The front end must send that token in the Authorization header of every subsequent request.

In the endpoint that returns user information, we first check whether the token has expired, then parse it to obtain the username and role information. Finally, the user record is looked up by username and returned to the front end. If the token has expired or cannot be parsed, the corresponding error message is returned instead.
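The controller above repeats the expiry and parse checks inside every handler. As an added example (not code from the original article), the filter below performs the Bearer-token validation once per request by calling the article's own JwtUtils.parseToken, rejects missing, expired or tampered tokens with 401, and exposes a role check that handlers can use for authorization. It assumes Spring Boot 2 with javax.servlet, that the client sends `Authorization: Bearer <token>`, that only `/login` is public, and that the `roles` claim is a comma-separated list.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Validates the Bearer token once per request, so handlers only ever see authenticated callers
@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if ("/login".equals(req.getRequestURI())) { // assumption: /login is the only public path
            chain.doFilter(req, res);
            return;
        }
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
            return;
        }
        try {
            // JwtUtils.parseToken (from the article) verifies the HMAC signature and the exp claim
            Claims claims = JwtUtils.parseToken(header.substring("Bearer ".length()));
            req.setAttribute("username", claims.getSubject());
            String roles = String.valueOf(claims.get("roles")); // assumption: comma-separated roles
            req.setAttribute("roles", new HashSet<>(Arrays.asList(roles.split(","))));
        } catch (JwtException | IllegalArgumentException e) {
            // expired, malformed or tampered token: treat exactly like a missing one
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
            return;
        }
        chain.doFilter(req, res);
    }

    // Authorization check for handlers: does the authenticated caller hold the required role?
    public static boolean hasRole(HttpServletRequest req, String role) {
        Set<String> roles = (Set<String>) req.getAttribute("roles");
        return roles != null && roles.contains(role);
    }
}
```

A handler then reads `request.getAttribute("username")` and calls `JwtAuthFilter.hasRole(request, "ADMIN")` before doing privileged work, instead of parsing the token itself.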

2. Strengthen password security

In addition to using JWT for authentication and authorization, we also need to strengthen password security. Generally speaking, a password should:

  1. be no less than 8 characters long;
  2. contain uppercase and lowercase letters, numbers, and special characters;
  3. not be derived from the username, mobile phone number, or other personal information.

In addition, to prevent stored passwords from being recovered if the database is exposed, we can store a hash of the password instead of the password itself. Commonly used hash algorithms include MD5, SHA-1 and SHA-256; of these, SHA-256 is one of the most widely used today.

The following is sample code that hashes a password with SHA-256:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PasswordUtils {
    // Return the SHA-256 digest of the password as a lowercase hex string
    public static String encryptPassword(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hexString = new StringBuilder();
            for (byte b : hash) {
                // Each byte becomes exactly two hex digits, left-padded with '0'
                String hex = Integer.toHexString(0xff & b);
                if (hex.length() == 1) {
                    hexString.append('0');
                }
                hexString.append(hex);
            }
            return hexString.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java runtime, so this cannot happen in practice
            throw new RuntimeException(e);
        }
    }
}
```

When the user logs in, we can use the code above to hash the password they entered and compare the result with the hash saved in the database.

Summary:

This article introduced how to implement authentication for Java back-end development. Using JWT for authentication and authorization protects user accounts and data, and strengthening password storage is an equally important measure. I hope this article helps you secure authentication in your Java back-end development.
