A guide to JWT-based security authentication, covering JWT generation and validation, the token refresh mechanism, permission checks, secure configuration and OAuth2 integration. Use it when the user implements JWT authentication, configures security filters, handles token refresh or integrates OAuth2.
January 16, 2026
Source: https://github.com/TencentBlueKing/bk-ci/blob/f0becaae0f12dbd50ec0c83b2499d46e5dc1e196/ai/skills/19-jwt-security/SKILL.md
# JWT Security Authentication
A guide to JWT-based security authentication.
## Trigger conditions
Use this Skill when the user needs to implement JWT token generation, validation or key management.
## JwtManager
```kotlin
import io.jsonwebtoken.Claims
import io.jsonwebtoken.ExpiredJwtException
import io.jsonwebtoken.JwtException
import io.jsonwebtoken.Jwts
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.security.Keys
import org.slf4j.LoggerFactory
import org.springframework.boot.context.properties.ConfigurationProperties
import org.springframework.stereotype.Component
import java.nio.charset.StandardCharsets
import java.util.Date
import javax.crypto.SecretKey
// RedisOperation is bk-ci's Redis wrapper; import it from the project's common-redis module.

// Binding for the `jwt:` block shown under Configuration (shape assumed; the page does not define it).
@ConfigurationProperties(prefix = "jwt")
class JwtProperties {
    lateinit var secret: String
    var expireSeconds: Long = 8640
}

@Component
class JwtManager(
    private val jwtProperties: JwtProperties,
    private val redisOperation: RedisOperation
) {
    companion object {
        private val logger = LoggerFactory.getLogger(JwtManager::class.java)
    }

    // Built once at startup. Keys.hmacShaKeyFor throws WeakKeyException for secrets shorter than
    // 256 bits (RFC 7518 §3.2), so a too-short JWT_SECRET fails fast instead of signing weak tokens.
    private val signingKey: SecretKey =
        Keys.hmacShaKeyFor(jwtProperties.secret.toByteArray(StandardCharsets.UTF_8))

    private fun getSigningKey(): SecretKey = signingKey

    // Generate a token: sub/iat/exp plus any caller-supplied claims. A "sub" entry in claims
    // would override userId, so callers must not pass one.
    fun generateToken(userId: String, claims: Map<String, Any> = emptyMap()): String {
        val now = Date()
        val expiration = Date(now.time + jwtProperties.expireSeconds * 1000)
        return Jwts.builder()
            .setSubject(userId)
            .setIssuedAt(now)
            .setExpiration(expiration)
            .addClaims(claims)
            .signWith(getSigningKey(), SignatureAlgorithm.HS256)
            .compact()
    }

    // Validate a token. parseClaimsJws (not parseClaimsJwt or parse) insists on a signed JWS,
    // so unsigned or alg=none tokens are rejected; jjwt also enforces exp before returning the body.
    fun validateToken(token: String): Claims? {
        return try {
            Jwts.parserBuilder()
                .setSigningKey(getSigningKey())
                .build()
                .parseClaimsJws(token)
                .body
        } catch (e: ExpiredJwtException) {
            logger.warn("Token has expired")
            null
        } catch (e: JwtException) {
            // Bad signature, malformed token or unsupported algorithm; log the reason, never the token.
            logger.warn("Invalid token: ${e.message}")
            null
        }
    }

    // Extract the user ID from a token; null means the token did not verify.
    fun getUserId(token: String): String? {
        return validateToken(token)?.subject
    }
}
```
## Token cache
A signature check alone cannot revoke a token before `exp`. Keeping the current token per user in Redis gives the server a kill switch and, because the key is per user rather than per token, limits each user to one live session: a new login overwrites the previous token.
```kotlin
// Members of JwtManager (shown separately on the page).

// Cache the token in Redis with the same TTL as the token's exp
fun cacheToken(userId: String, token: String) {
    val key = "jwt:token:$userId"
    redisOperation.set(key, token, jwtProperties.expireSeconds)
}

// Check that the token is the one currently cached for this user. Call this only after
// validateToken() has verified the signature, and take userId from the verified claims,
// not from the request, so a caller cannot steer the lookup to another user's key.
fun isTokenValid(userId: String, token: String): Boolean {
    val key = "jwt:token:$userId"
    val cachedToken = redisOperation.get(key)
    return cachedToken == token
}

// Revoke: deleting the key ends the session before exp (logout, password change, compromise)
fun invalidateToken(userId: String) {
    val key = "jwt:token:$userId"
    redisOperation.delete(key)
}
```
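As an added example (not code from bk-ci or this skill), the Python below reproduces both halves of the flow above, JwtManager's generate/validate and the Redis-backed cache, using only the standard library. HS256 is implemented by hand so that the checks jjwt performs for the Kotlin code (algorithm pinning, constant-time signature comparison, exp enforcement, the 256-bit minimum key length) are visible, and an in-memory TokenStore stands in for RedisOperation. The function names, demo secret and attacker inputs are all constructed for illustration.

```python
"""HS256 JWT mint/verify plus a revocation cache (added example, not bk-ci code)."""
import base64, hashlib, hmac, json, time

# RFC 7518 §3.2: an HMAC-SHA256 key needs at least 256 bits; jjwt's Keys.hmacShaKeyFor enforces
# the same bound, so the sample config's fallback "your-secret-key" (15 bytes) would be refused.
MIN_HS256_KEY_BYTES = 32

class JwtError(Exception):
    """Any token that must not be trusted."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def hmac_key(secret: str) -> bytes:
    key = secret.encode("utf-8")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 secret is {len(key)} bytes; need at least {MIN_HS256_KEY_BYTES}")
    return key

def generate_token(key, user_id, expire_seconds, claims=None, now=None):
    """Like JwtManager.generateToken: sub/iat/exp plus caller claims, signed with HS256."""
    now = int(time.time()) if now is None else now
    payload = {**(claims or {}), "sub": user_id, "iat": now, "exp": now + expire_seconds}
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_token(key, token, now=None, leeway=0):
    """Like JwtManager.validateToken, spelling out what jjwt does: pin the algorithm (the header is
    attacker-controlled), verify the signature in constant time before parsing claims, enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise JwtError("unparseable header")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))  # only parsed once the signature checks out
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now > payload["exp"] + leeway:
        raise JwtError("expired or missing exp")
    return payload

class TokenStore:
    """In-memory stand-in for the Redis cache keyed jwt:token:<userId>: one live token per user."""
    def __init__(self):
        self._entries = {}
    def cache_token(self, user_id, token, ttl, now):
        self._entries[f"jwt:token:{user_id}"] = (token, now + ttl)
    def is_token_valid(self, user_id, token, now):
        entry = self._entries.get(f"jwt:token:{user_id}")
        return entry is not None and now <= entry[1] and hmac.compare_digest(entry[0], token)
    def invalidate_token(self, user_id):
        self._entries.pop(f"jwt:token:{user_id}", None)

def authenticate(key, store, token, now):
    """Signature and exp first; only then the cache, keyed by the verified subject."""
    claims = validate_token(key, token, now)
    if not store.is_token_valid(claims["sub"], token, now):
        raise JwtError("token revoked or superseded by a newer login")
    return claims

def forge_alg_none(token):
    """Constructed attacker input: header switched to alg=none, signature dropped."""
    return f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{token.split('.')[1]}."

def tamper_claims(token, **changes):
    """Constructed attacker input: payload edited, original signature kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_json_b64(payload)}.{sig_b64}"

def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except (JwtError, ValueError):
        return True

def run_checks():
    key = hmac_key("0123456789abcdef0123456789abcdef")  # 32-byte demo secret, constructed
    store, t0 = TokenStore(), 1_700_000_000
    token = generate_token(key, "alice", 8640, {"role": "user"}, t0)
    store.cache_token("alice", token, 8640, t0)
    results = {
        "valid_subject": authenticate(key, store, token, t0 + 60)["sub"],
        "alg_none_rejected": _rejected(validate_token, key, forge_alg_none(token), t0 + 60),
        "tampered_rejected": _rejected(validate_token, key, tamper_claims(token, role="admin"), t0 + 60),
        "expired_rejected": _rejected(validate_token, key, token, t0 + 8641),
        "weak_secret_rejected": _rejected(hmac_key, "your-secret-key"),
    }
    token2 = generate_token(key, "alice", 8640, None, t0 + 100)  # second login overwrites the key
    store.cache_token("alice", token2, 8640, t0 + 100)
    results["superseded_rejected"] = _rejected(authenticate, key, store, token, t0 + 120)
    store.invalidate_token("alice")  # logout: kill switch before exp
    results["revoked_rejected"] = _rejected(authenticate, key, store, token2, t0 + 130)
    return results

RESULTS = run_checks()
```

`RESULTS` holds one boolean per attack or lifecycle event, all expected to be True, plus the subject of the one legitimate token. The ordering in `authenticate()` is the point to carry back to the Kotlin code: the cache lookup uses the subject from the verified claims, never a user ID supplied by the request, and it runs only after the signature and `exp` have been checked.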
## Configuration
```yaml
jwt:
  # Inject the secret from the environment. The fallback `your-secret-key` is 15 bytes, below the
  # 256-bit minimum for HS256 (jjwt's Keys.hmacShaKeyFor rejects it), and once committed it is
  # public anyway; prefer ${JWT_SECRET} with no default so startup fails when the secret is missing.
  secret: ${JWT_SECRET:your-secret-key}
  expireSeconds: 8640   # 2.4 hours
```