JWT过滤器

最新推荐文章于 2024-06-16 07:30:00 发布

samgreat911

最新推荐文章于 2024-06-16 07:30:00 发布

阅读量455

点赞数

文章标签： java servlet 开发语言

本文链接：https://blog.csdn.net/samgreat911/article/details/128187701

版权

/**
 * <p>JWT过滤器</p>
 *
 * <p>此JWT的主要作用：</p>
 * <ul>
 *     <li>获取客户端携带的JWT，惯用做法是：客户端应该通过请求头中的Authorization属性来携带JWT</li>
 *     <li>解析客户端携带的JWT，并创建出Authentication对象，存入到SecurityContext中</li>
 * </ul>
 */
@Slf4j
@Component
public class JwtAuthorizationFilter extends OncePerRequestFilter {

    public static final int JWT_MIN_LENGTH = 113;

    @Value("${csmall.jwt.secret-key}")
    private String secretKey;

    public JwtAuthorizationFilter() {
        log.info("创建过滤器对象：JwtAuthorizationFilter");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        log.debug("JwtAuthorizationFilter开始执行过滤……");

        // 清空Security上下文
        // Security上下文中的认证信息也会被清除
        // 避免前序携带JWT且解析成功后将认证信息存入Security上下文后，后续不携带JWT也能访问的“问题”
        SecurityContextHolder.clearContext();

        // 获取客户端携带的JWT
        String jwt = request.getHeader("Authorization");
        log.debug("获取客户端携带的JWT：{}", jwt);

        // 检查是否获取到了基本有效的JWT
        if (!StringUtils.hasText(jwt) || jwt.length() < JWT_MIN_LENGTH) {
            // 对于无效的JWT，直接放行，交由后续的组件进行处理
            log.debug("获取到的JWT被视为无效，当前过滤器将放行……");
            filterChain.doFilter(request, response);
            return;
        }

        // 尝试解析JWT
        log.debug("获取到的JWT被视为有效，准备解析JWT……");
        response.setContentType("application/json; charset=utf-8");
        Claims claims = null;
        try {
            claims = Jwts.parser()
                    .setSigningKey(secretKey)
                    .parseClaimsJws(jwt)
                    .getBody();
        } catch (SignatureException e) {
            log.debug("解析JWT时出现SignatureException");
            String message = "非法访问！";
            JsonResult<Void> jsonResult = JsonResult.fail(ServiceCode.ERR_JWT_SIGNATURE, message);
            String jsonResultString = JSON.toJSONString(jsonResult);
            PrintWriter writer = response.getWriter();
            writer.println(jsonResultString);
            return;
        } catch (MalformedJwtException e) {
            log.debug("解析JWT时出现MalformedJwtException");
            String message = "非法访问！";//格式异常
            JsonResult<Void> jsonResult = JsonResult.fail(ServiceCode.ERR_JWT_MALFORMED, message);
            String jsonResultString = JSON.toJSONString(jsonResult);
            PrintWriter writer = response.getWriter();
            writer.println(jsonResultString);
            return;
        } catch (ExpiredJwtException e) {
            log.debug("解析JWT时出现ExpiredJwtException");
            String message = "登录信息已过期，请重新登录！";
            JsonResult<Void> jsonResult = JsonResult.fail(ServiceCode.ERR_JWT_EXPIRED, message);
            String jsonResultString = JSON.toJSONString(jsonResult);
            PrintWriter writer = response.getWriter();
            writer.println(jsonResultString);
            return;
        } catch (Throwable e) {
            log.debug("解析JWT时出现Throwable，需要开发人员在JWT过滤器补充对异常的处理");
            e.printStackTrace();
            String message = "你有异常没有处理，请根据服务器端控制台的信息，补充对此类异常的处理！！！";
            PrintWriter writer = response.getWriter();
            writer.println(message);
            return;
        }

        // 获取JWT中的管理员信息
        Long id = claims.get("id", Long.class);
        String username = claims.get("username", String.class);
        String authoritiesJsonString = claims.get("authoritiesJsonString", String.class);
        log.debug("从JWT中获取id：{}", id);
        log.debug("从JWT中获取username：{}", username);
        log.debug("从JWT中获取authoritiesJsonString：{}", authoritiesJsonString);

        // 处理权限信息
        List<SimpleGrantedAuthority> authorities
                = JSON.parseArray(authoritiesJsonString, SimpleGrantedAuthority.class);

        // 创建Authentication对象
        LoginPrincipal loginPrincipal = new LoginPrincipal(id, username);
        Authentication authentication
                = new UsernamePasswordAuthenticationToken(
                    loginPrincipal, null, authorities);

        // 将Authentication对象存入到SecurityContext
        log.debug("向SecurityContext中存入认证信息：{}", authentication);
        SecurityContextHolder.getContext().setAuthentication(authentication);

        // 过滤器链继续向后传递，即：放行
        log.debug("JWT过滤器执行完毕，放行！");
        filterChain.doFilter(request, response);
    }

}

#UserDetailsServiceImpl#

@Slf4j
@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private AdminMapper adminMapper;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.debug("Spring Security框架自动调用UserDetailsServiceImpl中的loadUserByUsername方法，参数：{}", s);
        AdminLoginInfoVO admin = adminMapper.getLoginInfoByUsername(s);
        log.debug("从数据库中根据用户名【{}】查询管理员信息，结果：{}", s, admin);
        if (admin == null) {
            log.debug("没有与用户名【{}】匹配的管理员信息，即将抛出BadCredentialsException", s);
            String message = "登录失败，用户名不存在！";
            throw new BadCredentialsException(message);
        }

        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String permission : admin.getPermissions()) {
            GrantedAuthority authority = new SimpleGrantedAuthority(permission);
            authorities.add(authority);
        }

        AdminDetails adminDetails = new AdminDetails(
                admin.getId(),
                admin.getUsername(),
                admin.getPassword(),
                admin.getEnable() == 1,
                authorities);

        // UserDetails userDetails = User.builder()
        //        .username(admin.getUsername())
        //        .password(admin.getPassword())
        //        .disabled(admin.getEnable() == 0)
        //        .accountLocked(false) // 此项目未设计“账号锁定”的机制，固定为false
        //        .accountExpired(false) // 此项目未设计“账号过期”的机制，固定为false
        //         .credentialsExpired(false) // 此项目未设计“凭证锁定”的机制，固定为false
        //        .authorities("暂时给出的假的权限标识") // 权限
        //        .build();
        log.debug("即将向Spring Security框架返回UserDetails对象：{}", adminDetails);
        return adminDetails;
    }

}

#管理员详情类#

/**
 * 管理员详情类，是Spring Security框架的loadUserByUsername()的返回结果
 */
@Setter
@Getter
@ToString(callSuper = true)
@EqualsAndHashCode
public class AdminDetails extends User {

    private Long id;

    public AdminDetails(Long id,
                        String username,
                        String password,
                        boolean enabled,
                        Collection<? extends GrantedAuthority> authorities) {
        super(username, password, enabled, true,
                true, true, authorities);
        this.id = id;
    }

}

#LoginPrincipal#

@Data
@NoArgsConstructor
@AllArgsConstructor
public class LoginPrincipal implements Serializable {

    private Long id;
    private String username;

}