Commit 7371e857 authored by zengtianlai3's avatar zengtianlai3

解决敏感信息泄漏-JWT认证头

parent 104db084
......@@ -55,6 +55,7 @@ public class LoginController {
LoginVo loginVo = new LoginVo();
loginVo.setAuthorization(token);
UserUtils.setToken(dbUser.getUserId(),token);
UserUtils.setTokenExp(dbUser.getUserId(), JwtUtil.getTokenExp());
return ResResult.success().goRecord(loginVo);
}
}
......@@ -67,6 +68,7 @@ public class LoginController {
public BaseResult logout() {
String loginUserId = UserUtils.getLoginUserId();
UserUtils.removeToken(loginUserId);
UserUtils.removeTokenExp(loginUserId);
return BaseResult.success();
}
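Review bot: In the login hunk, `UserUtils.setTokenExp(dbUser.getUserId(), JwtUtil.getTokenExp())` records the expiry in a static in-memory map, and per the JwtUtil hunk in this same commit the token itself no longer carries an `exp` claim, so the map entry is the only thing bounding the token's lifetime; after a restart, or on any other instance, the entry is gone while the signature still verifies. The expiry is also computed at a different instant than the token it describes, so the two can drift apart; it would be safer to obtain the expiry once and feed it to both the token builder and `setTokenExp`, e.g. `Date exp = JwtUtil.getTokenExp();` followed by `UserUtils.setTokenExp(dbUser.getUserId(), exp);` (the `token` creation is outside this hunk, so I cannot see whether it already takes an expiry). Note also that a second login for the same user overwrites the previous token and expiry, which may be intended single-session behaviour but is worth a comment. The enclosing login method begins above the hunk.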
......
......@@ -11,6 +11,7 @@ import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;
import java.util.Map;
@Slf4j
......@@ -58,13 +59,11 @@ public class JwtFilter implements Filter {
if (StringUtils.isEmpty(token)) {
request.setAttribute("msg","认证信息不能为空");
request.getRequestDispatcher("/fail").forward(request, response);
return;
} else {
DecodedJWT jwt = JwtUtil.verifyToken(token);
if (jwt == null) {
request.setAttribute("msg","认证信息非法");
request.getRequestDispatcher("/fail").forward(request, response);
return;
} else {
Map<String, Claim> userData = jwt.getClaims();
if (userData == null) {
......@@ -74,13 +73,17 @@ public class JwtFilter implements Filter {
}
String userId = userData.get("userId").asString();
String userName = userData.get("userName").asString();
String password = userData.get("password").asString();
String password = "";
LoginUser loginUser = new LoginUser(userId, userName, password);
if (token.equals(UserUtils.getToken(userId))) {
Date curDate = new Date();
Date tokenExp = UserUtils.getTokenExp(userId);
if (token.equals(UserUtils.getToken(userId)) && curDate.before(tokenExp)) {
UserUtils.setLoginUser(loginUser);
UserUtils.setUri(uri);
filterChain.doFilter(request, response);
} else {
UserUtils.removeToken(userId);
UserUtils.removeTokenExp(userId);
request.setAttribute("msg","token已失效");
request.getRequestDispatcher("/fail").forward(request, response);
}
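Review bot: `curDate.before(tokenExp)` on the new condition line throws a NullPointerException when `UserUtils.getTokenExp(userId)` returns null; the `&&` short-circuit only protects this when the token map also lacks the entry, so any path that populates `tokenMap` without `tokenExpTimeMap` (or clears the expiry entry separately) turns into an unhandled exception in the filter instead of the intended "token已失效" response. Guard the lookup explicitly: `if (token.equals(UserUtils.getToken(userId)) && tokenExp != null && curDate.before(tokenExp)) {`. Since the JwtUtil hunk in this commit also drops `withExpiresAt`, this map check appears to be the only expiry enforcement left, which is worth stating in a comment such as `// Server-side expiry: the JWT itself carries no exp claim`. The enclosing doFilter method starts above and continues below this hunk.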
......
......@@ -39,8 +39,8 @@ public class JwtUtil {
//可以把数据存在claim中
.withClaim("userId", user.getUserId())
.withClaim("userName", user.getUserName())
.withClaim("password", user.getPassword())
.withExpiresAt(expireDate) //超时设置,设置过期的日期
// .withClaim("password", user.getPassword())
// .withExpiresAt(expireDate) //超时设置,设置过期的日期
.withIssuedAt(new Date()) //签发时间
.sign(Algorithm.HMAC256(SECRET)); //SECRET加密
return token;
......@@ -76,4 +76,10 @@ public class JwtUtil {
}
return jwt;
}
public static Date getTokenExp() {
//过期时间
Date expireDate = new Date(System.currentTimeMillis() + EXPIRATION * 1000);
return expireDate;
}
}
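Review bot: Commenting out `.withExpiresAt(expireDate)` removes the standard `exp` claim, which is not the sensitive data this commit targets (only the `password` claim was); without it, `verifyToken` will accept a correctly signed token indefinitely and the lifetime bound rests entirely on the in-memory `tokenExpTimeMap` that is lost on restart. Restore the claim, and derive it from the same helper the controller uses so both sides agree: `.withExpiresAt(getTokenExp()) // exp is public, non-sensitive, and lets verifyToken reject stale tokens`. The commented-out `password` line should be deleted rather than left as dead code, and the new `getTokenExp()` would benefit from a short Javadoc stating that it returns now plus `EXPIRATION` seconds. The token-building method starts above this hunk.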
package iot.sixiang.license.jwt;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
......@@ -10,6 +11,7 @@ import java.util.Map;
public abstract class UserUtils {
static Map<String, String> tokenMap = new HashMap<>();
static Map<String, Date> tokenExpTimeMap = new HashMap<>();
//线程变量,存放user实体类信息,即使是静态的与其他线程也是隔离的
private static ThreadLocal<LoginUser> userThreadLocal = new ThreadLocal<>();
//线程变量,存放uri,即使是静态的与其他线程也是隔离的
......@@ -40,6 +42,30 @@ public abstract class UserUtils {
userThreadLocal.set(user);
}
//清除userThreadLocal线程变量
public static void removeUser() {
userThreadLocal.remove();
}
//为当前的线程变量赋值上uri信息
public static void setUri(String uri) {
uriThreadLocal.set(uri);
}
/**
* 获取当前访问方法的uri
* @return
*/
public static String getUri() {
String uri = uriThreadLocal.get();
return uri;
}
//清除uriThreadLocal线程变量
public static void removeUri() {
uriThreadLocal.remove();
}
//为当前的线程变量赋值上token信息
public static void setToken(String uId, String token) {
tokenMap.put(uId, token);
......@@ -61,27 +87,22 @@ public abstract class UserUtils {
tokenMap.remove(uId);
}
//清除userThreadLocal线程变量
public static void removeUser() {
userThreadLocal.remove();
}
//为当前的线程变量赋值上uri信息
public static void setUri(String uri) {
uriThreadLocal.set(uri);
//为当前的线程变量赋值上token信息
public static void setTokenExp(String uId, Date tokenExpTime) {
tokenExpTimeMap.put(uId, tokenExpTime);
}
/**
* 获取当前访问方法的uri
* 获取当前访问方法的token
* @return
*/
public static String getUri() {
String uri = uriThreadLocal.get();
return uri;
public static Date getTokenExp(String uId) {
return tokenExpTimeMap.get(uId);
}
//清除uriThreadLocal线程变量
public static void removeUri() {
uriThreadLocal.remove();
//清除tokenThreadLocal线程变量
public static void removeTokenExp(String uId) {
tokenExpTimeMap.remove(uId);
}
}
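Review bot: `tokenMap` and the newly added `tokenExpTimeMap` are plain `HashMap`s that are put to and removed from by login, logout and the request filter on concurrent servlet threads with no synchronization, which can corrupt the map or lose entries under load; declare both as `static final Map<String, Date> tokenExpTimeMap = new ConcurrentHashMap<>();` (and the same for `tokenMap`) with `import java.util.concurrent.ConcurrentHashMap;`. The comments copied onto `setTokenExp`, `getTokenExp` and `removeTokenExp` ("线程变量", "获取当前访问方法的token", "清除tokenThreadLocal线程变量") describe the ThreadLocal helpers, not the per-user expiry map; replace them with something like `// Record / read / clear the server-side expiry of uId's current token`. The two removals in the filter (`removeToken` then `removeTokenExp`) are also not atomic, which is acceptable only if callers tolerate a brief window where one map has the entry and the other does not.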