Shiro (13)-JWT (token)
JWT (JSON Web Token) is an open, JSON-based standard for transferring claims between parties in a web application environment.

A JWT is typically used to pass authenticated user identity information between an identity provider and a service provider so that resources can be obtained from a resource server, for example after login.

See also: Shiro (9) - The difference between stateful authentication and stateless authentication.

A JWT consists of three parts: header, payload and signature. The header declares the token type and the signing algorithm; the payload carries the claims, which should not be highly sensitive data; the signature is produced by applying the algorithm declared in the header to the base64-encoded header and payload together with the server's own secret key. The final token is base64(header).base64(payload).base64(signature).

eyjhbgcioijuzi 1 NII SINR 5 CCI 6 ikpxvcj 9 . eyjvcmcioilku 4ml 6 xlp ltmnaeilcjuyw 1 lijoirnjzeeggewgncisimv 4 CCI 6 mtuxndm / kloc-0/ nejwmywiawf 0i jox NTE 0 mz 2 uioiiyocj 9.49 uf 72 vskj-sa 4 ahhi yn 5 eoz 9 nb 4 w5 VB 45 PSL F7 x

The JWT header is a JSON object that describes the JWT's metadata.

The complete header looks similar to the following JSON.

The header is then base64-encoded to form the first part:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

The payload is where the useful information is stored; these claims fall into three kinds.

Public claims can hold any information, usually user-related data or other information the business needs, but sensitive information is not recommended, because this part can be decoded on the client side.

Private claims are claims agreed between the provider and the consumer. Storing sensitive information here is likewise not recommended, because base64 is a reversible encoding, which means this part of the token is effectively plaintext.

Define the payload:

Then base64-encode it to get the second part:

eyjvcmcioilku 4 rml 6 xlptmnaeilcjuyw 1 lijoirnjlzeegewgncisimv 4 CCI 6 mtuxndm 1 njewmiwaf 0 ijoxnte 0 mzu 2 mdqzlcjhz 2 uioiiyocj 9

The third part of the JWT is the signature, which is built from three inputs:

This part takes the base64-encoded header and the base64-encoded payload joined with a ".", and signs the result with the algorithm declared in the header using the secret key as the salt; the output constitutes the third part of the JWT:

49 uf 72 vskj-sa 4a hiyn 5 eoz 9 nb 4 w5 VB 45 pslf 7 x _ NY

Note: the secret key is stored on the server, which uses it both to generate tokens and to verify them, so it must be protected.

Analysis results

A replay attack is one in which the attacker captures a packet that the client sent to the server and later resends it to the server unchanged, triggering the same function without modifying anything. For example, suppose a packet the client sends to the server queries some information. The attacker intercepts that packet and, whenever he wants to query the same information, sends it to the server again; the server performs the corresponding operation and returns the queried information.