1. The project uses spring-security + jwt to generate a token from the username and password, but the real project, especially on mobile, authenticates users by phone number. How should this be handled?
2. How can the login happen at registration time? That is, previously a token was only returned on login; now I want the token returned at registration. How can this be implemented?
```java
package com.qtay.gls.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.qtay.gls.dao.entity.User;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;

import static com.qtay.gls.auth.SecurityConstants.SECRET;

public class JWTLoginFilter extends UsernamePasswordAuthenticationFilter {

    private AuthenticationManager authenticationManager;

    public JWTLoginFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // Reads a JSON body {username, password} and hands it to the AuthenticationManager
    @Override
    public Authentication attemptAuthentication(HttpServletRequest req,
                                                HttpServletResponse res) throws AuthenticationException {
        try {
            User user = new ObjectMapper()
                    .readValue(req.getInputStream(), User.class);
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            user.getUsername(),
                            user.getPassword(),
                            new ArrayList<>())
            );
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    // On success, issue a 24-hour HS512 JWT whose subject is the username and return it in a header
    @Override
    protected void successfulAuthentication(HttpServletRequest req,
                                            HttpServletResponse res,
                                            FilterChain chain,
                                            Authentication auth) throws IOException, ServletException {
        String token = Jwts.builder()
                .setSubject(((org.springframework.security.core.userdetails.User) auth.getPrincipal()).getUsername())
                .setExpiration(new Date(System.currentTimeMillis() + 60 * 60 * 24 * 1000))
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .compact();
        res.addHeader("Authorization", "Bearer " + token);
    }
}
```
Answer
1. The claim used to generate the token can be the phone number; fill in the phone number as the username too, and extract the phone number when parsing to verify it.
2. You can return it at registration. Have the registration route return a Token class carrying the generated access_token and refresh_token together, and that's it.
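The following is an added example illustrating both points of the answer; it is not code from the question or from the answerer's project. It assumes the same jjwt 0.9-style API the question's filter uses (`Jwts.builder()`, `signWith(SignatureAlgorithm.HS512, ...)`, `Jwts.parser()`), a hypothetical package `com.example.auth`, a placeholder `SECRET`, and an in-memory map standing in for the user repository. One `PhoneTokenService` issues the access_token/refresh_token pair with the phone number as the JWT subject, so the login filter and the registration endpoint produce identical tokens, and a `typ` claim keeps a refresh token from being accepted where an access token is expected.

```java
package com.example.auth; // hypothetical package, not part of the question's project

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/** Issues and verifies phone-number-based JWTs, shared by login and registration. */
public class PhoneTokenService {
    // Assumed placeholder: in a real deployment the secret comes from configuration, not source.
    private static final String SECRET = "REPLACE_WITH_CONFIGURED_SECRET";
    private static final long ACCESS_TTL_MS = 60L * 60 * 1000;            // 1 hour
    private static final long REFRESH_TTL_MS = 30L * 24 * 60 * 60 * 1000; // 30 days
    private static final String TYPE_CLAIM = "typ";

    /** The "Token class" from the answer: what /register and /login return to the client. */
    public static class TokenPair {
        public final String accessToken;
        public final String refreshToken;
        TokenPair(String accessToken, String refreshToken) {
            this.accessToken = accessToken;
            this.refreshToken = refreshToken;
        }
    }

    public TokenPair issue(String phone) {
        return new TokenPair(build(phone, "access", ACCESS_TTL_MS),
                             build(phone, "refresh", REFRESH_TTL_MS));
    }

    private String build(String phone, String type, long ttlMs) {
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setSubject(phone)         // phone number is the subject; no separate username needed
                .claim(TYPE_CLAIM, type)   // lets the verifier tell access and refresh tokens apart
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + ttlMs))
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .compact();
    }

    /** Returns the phone number for a valid, unexpired access token, or null if it must be rejected. */
    public String verifyAccessToken(String token) {
        try {
            Claims claims = Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody();
            if (!"access".equals(claims.get(TYPE_CLAIM, String.class))) {
                return null; // a refresh token presented as an access token grants nothing
            }
            return claims.getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null; // bad signature, expired, or malformed token
        }
    }
}

/** Registration that logs the user in: persist the account, then issue tokens for the new phone number. */
class RegistrationService {
    private final Map<String, String> usersByPhone = new HashMap<>(); // stand-in for the user repository
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final PhoneTokenService tokens = new PhoneTokenService();

    public PhoneTokenService.TokenPair register(String phone, String rawPassword) {
        if (usersByPhone.containsKey(phone)) {
            throw new IllegalStateException("phone already registered");
        }
        usersByPhone.put(phone, encoder.encode(rawPassword)); // never store the raw password
        return tokens.issue(phone); // same tokens the login path would hand out
    }

    public static void main(String[] args) {
        RegistrationService svc = new RegistrationService();
        PhoneTokenService.TokenPair pair = svc.register("13800000000", "correct horse battery staple");
        PhoneTokenService verifier = new PhoneTokenService();
        System.out.println("access subject:  " + verifier.verifyAccessToken(pair.accessToken));  // phone number
        System.out.println("refresh as access: " + verifier.verifyAccessToken(pair.refreshToken)); // null
    }
}
```

To wire this into the question's filter, `attemptAuthentication` would read the phone number field from the JSON body and put it where the username goes in `UsernamePasswordAuthenticationToken`, the project's `UserDetailsService` would look the user up by phone, and `successfulAuthentication` would call `issue(phone)` and write the pair as the JSON response instead of building a single header token. Because registration now hands out a session immediately, the registration route should verify ownership of the phone number (for example an SMS code) before `register` is called, otherwise anyone can mint tokens for an arbitrary number.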