For simplicity sake, I generate my own authentication token using UUID
before encrypting the entire token with Jasypt:-
String key = UUID.randomUUID().toString().toUpperCase() +
"|" + someImportantProjectToken +
"|" + userName +
"|" + creationDateTime;
StandardPBEStringEncryptor jasypt = new StandardPBEStringEncryptor();
...
// this is the authentication token user will send in order to use the web service
String authenticationToken = jasypt.encrypt(key);
The key contains the creationDateTime
so that I can use it to verify the time-to-live. This way, if the user uses the same authentication token after X minutes, it will not work anymore, and I'll send back a 403 forbidden code.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…