Angular - JWT token is missing from the Authorization header after a page refresh
I'm using JWT token-based authentication; it works fine until the page is refreshed. If I press F5 to reload the page, the token goes missing from the request header.
host "localhost:9090" user-agent "mozilla/5.0 (windows nt 10.0;… gecko/20100101 firefox/54.0" accept "application/json, text/plain, */*" accept-language "en-us,en;q=0.5" accept-encoding "gzip, deflate" **authorization "bearer eyjhbgcioijiuzi1niisin…sd-zdipmzibmk4gq_ddmguwbizsi"** referer "http://localhost:9090/fg.html" connection "keep-alive"
After refreshing the page:
host "localhost:9090" user-agent "mozilla/5.0 (windows nt 10.0;… gecko/20100101 firefox/54.0" accept "application/json, text/plain, */*" accept-language "en-us,en;q=0.5" accept-encoding "gzip, deflate" **authorization "null"** referer "http://localhost:9090/fg.html" connection "keep-alive"
This causes an authentication failure, because the token is missing from the header.
In the login-check controller:
responsemap.put("loginname",adminuser1.getadminid()); responsemap.put("isuserexist",boolean.tostring(true)); responsemap.put("role",adminuser1.getpermissiongroup()); responsemap.put("session",session); responsemap.put("balance",adminuser1.getbalance().tostring()); responsemap.put("phase",phase.getprefix()); responsemap.put("token",gettoken(adminuser1.getadminid())); return objectmapper.writevalueasstring(responsemap); public string gettoken(string loginname){ string jwttoken = ""; final string uuid = uuid.randomuuid().tostring().replaceall("-", ""); map<string, object> headerclaims = new hashmap<>(); headerclaims.put("typ", "jwt"); jwttoken = jwts.builder() .setsubject(loginname) .setissuedat(new date()) .setaudience(uuid) .setheader(headerclaims) .setexpiration(new date(system.currenttimemillis() + 120000l)) .signwith(signaturealgorithm.hs256, constants.key) .compact(); return jwttoken; }
jwtfilter
public class jwtfilter extends genericfilterbean { public void dofilter(final servletrequest req, final servletresponse res, final filterchain chain) throws ioexception, servletexception { final httpservletrequest request = (httpservletrequest) req; final httpservletresponse response = (httpservletresponse) res; final string authheader = request.getheader("authorization"); if ("options".equals(request.getmethod())) { response.setstatus(httpservletresponse.sc_ok); chain.dofilter(req, res); } else { if (authheader == null || !authheader.startswith("bearer ")) { throw new servletexception("missing or invalid authorization header"); } final string token = authheader.substring(7); final claims claims; try { claims = parseclaims(constants.key,token); request.setattribute("claims", claims); } catch (badcredentialsexception e) { e.printstacktrace(); } catch (jwtexpiredtokenexception e) { e.printstacktrace(); } } chain.dofilter(req, res); } public claims parseclaims(string signingkey, string token) throws badcredentialsexception, jwtexpiredtokenexception { try { return jwts.parser().setsigningkey(signingkey).parseclaimsjws(token).getbody(); } catch (unsupportedjwtexception | malformedjwtexception | illegalargumentexception | io.jsonwebtoken.signatureexception ex) { throw new badcredentialsexception("invalid jwt token: "); } catch (expiredjwtexception expiredex) { throw new jwtexpiredtokenexception("jwt token expired"); } }
How does this problem come about? Would storing the token in localStorage create further security problems?