解决敏感信息泄漏-JWT认证头

license/src/main/java/iot/sixiang/license/controller/LoginController.java

@@ -55,6 +55,7 @@ public class LoginController {
                 LoginVo loginVo = new LoginVo();
                 loginVo.setAuthorization(token);
                 UserUtils.setToken(dbUser.getUserId(),token);
+                UserUtils.setTokenExp(dbUser.getUserId(), JwtUtil.getTokenExp());
                 return ResResult.success().goRecord(loginVo);
             }
         }
@@ -67,6 +68,7 @@ public class LoginController {
     public BaseResult logout() {
         String loginUserId = UserUtils.getLoginUserId();
         UserUtils.removeToken(loginUserId);
+        UserUtils.removeTokenExp(loginUserId);
         return BaseResult.success();
     }
 

license/src/main/java/iot/sixiang/license/jwt/JwtFilter.java

@@ -11,6 +11,7 @@ import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Date;
 import java.util.Map;
 
 @Slf4j
@@ -58,13 +59,11 @@ public class JwtFilter implements Filter {
         if (StringUtils.isEmpty(token)) {
             request.setAttribute("msg","认证信息不能为空");
             request.getRequestDispatcher("/fail").forward(request, response);
-            return;
         } else {
             DecodedJWT jwt = JwtUtil.verifyToken(token);
             if (jwt == null) {
                 request.setAttribute("msg","认证信息非法");
                 request.getRequestDispatcher("/fail").forward(request, response);
-                return;
             } else {
                 Map<String, Claim> userData = jwt.getClaims();
                 if (userData == null) {
@@ -74,13 +73,17 @@ public class JwtFilter implements Filter {
                 }
                 String userId = userData.get("userId").asString();
                 String userName = userData.get("userName").asString();
-                String password = userData.get("password").asString();
+                String password = "";
                 LoginUser loginUser = new LoginUser(userId, userName, password);
-                if (token.equals(UserUtils.getToken(userId))) {
+                Date curDate = new Date();
+                Date tokenExp = UserUtils.getTokenExp(userId);
+                if (token.equals(UserUtils.getToken(userId)) && curDate.before(tokenExp)) {
                     UserUtils.setLoginUser(loginUser);
                     UserUtils.setUri(uri);
                     filterChain.doFilter(request, response);
                 } else {
+                    UserUtils.removeToken(userId);
+                    UserUtils.removeTokenExp(userId);
                     request.setAttribute("msg","token已失效");
                     request.getRequestDispatcher("/fail").forward(request, response);
                 }

license/src/main/java/iot/sixiang/license/jwt/JwtUtil.java

@@ -39,8 +39,8 @@ public class JwtUtil {
                 //可以把数据存在claim中
                 .withClaim("userId", user.getUserId())
                 .withClaim("userName", user.getUserName())
-                .withClaim("password", user.getPassword())
-                .withExpiresAt(expireDate)          //超时设置,设置过期的日期
+//                .withClaim("password", user.getPassword())
+//                .withExpiresAt(expireDate)          //超时设置,设置过期的日期
                 .withIssuedAt(new Date()) //签发时间
                 .sign(Algorithm.HMAC256(SECRET)); //SECRET加密
         return token;
@@ -76,4 +76,10 @@ public class JwtUtil {
         }
         return jwt;
     }
+
+    public static Date getTokenExp() {
+        //过期时间
+        Date expireDate = new Date(System.currentTimeMillis() + EXPIRATION * 1000);
+        return expireDate;
+    }
 }

license/src/main/java/iot/sixiang/license/jwt/UserUtils.java

 package iot.sixiang.license.jwt;
 
 
+import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -10,6 +11,7 @@ import java.util.Map;
 public abstract class UserUtils {
 
     static Map<String, String> tokenMap = new HashMap<>();
+    static Map<String, Date> tokenExpTimeMap = new HashMap<>();
     //线程变量，存放user实体类信息，即使是静态的与其他线程也是隔离的
     private static ThreadLocal<LoginUser> userThreadLocal = new ThreadLocal<>();
     //线程变量，存放uri，即使是静态的与其他线程也是隔离的
@@ -40,6 +42,30 @@ public abstract class UserUtils {
         userThreadLocal.set(user);
     }
 
+    //清除userThreadLocal线程变量
+    public static void removeUser() {
+        userThreadLocal.remove();
+    }
+
+    //为当前的线程变量赋值上uri信息
+    public static void setUri(String uri) {
+        uriThreadLocal.set(uri);
+    }
+
+    /**
+     * 获取当前访问方法的uri
+     * @return
+     */
+    public static String getUri() {
+        String uri = uriThreadLocal.get();
+        return uri;
+    }
+
+    //清除uriThreadLocal线程变量
+    public static void removeUri() {
+        uriThreadLocal.remove();
+    }
+
     //为当前的线程变量赋值上token信息
     public static void setToken(String uId, String token) {
         tokenMap.put(uId, token);
@@ -61,27 +87,22 @@ public abstract class UserUtils {
         tokenMap.remove(uId);
     }
 
-    //清除userThreadLocal线程变量
-    public static void removeUser() {
-        userThreadLocal.remove();
-    }
 
-    //为当前的线程变量赋值上uri信息
-    public static void setUri(String uri) {
-        uriThreadLocal.set(uri);
+    //为当前的线程变量赋值上token信息
+    public static void setTokenExp(String uId, Date tokenExpTime) {
+        tokenExpTimeMap.put(uId, tokenExpTime);
     }
 
     /**
-     * 获取当前访问方法的uri
+     * 获取当前访问方法的token
      * @return
      */
-    public static String getUri() {
-        String uri = uriThreadLocal.get();
-        return uri;
+    public static Date getTokenExp(String uId) {
+        return tokenExpTimeMap.get(uId);
     }
 
-    //清除uriThreadLocal线程变量
-    public static void removeUri() {
-        uriThreadLocal.remove();
+    //清除tokenThreadLocal线程变量
+    public static void removeTokenExp(String uId) {
+        tokenExpTimeMap.remove(uId);
     }
 }