Merge pull request #1043 from xu-bin-bin/wvp-28181-2.0
将生成jwt令牌和验证jwt令牌时使用的公钥私钥由固定值修改为每次启动服务时动态生产;剔除jwt token中包含的password和roleId,防止密码泄露。pull/1055/head
648540858
GitHub
commit
44aef5d358
|
|
@ -1,8 +1,10 @@
|
||||||
package com.genersoft.iot.vmp.conf.security;
|
package com.genersoft.iot.vmp.conf.security;
|
||||||
|
|
||||||
import com.genersoft.iot.vmp.conf.security.dto.JwtUser;
|
import com.genersoft.iot.vmp.conf.security.dto.JwtUser;
|
||||||
import org.jose4j.json.JsonUtil;
|
import com.genersoft.iot.vmp.service.IUserService;
|
||||||
|
import com.genersoft.iot.vmp.storager.dao.dto.User;
|
||||||
import org.jose4j.jwk.RsaJsonWebKey;
|
import org.jose4j.jwk.RsaJsonWebKey;
|
||||||
|
import org.jose4j.jwk.RsaJwkGenerator;
|
||||||
import org.jose4j.jws.AlgorithmIdentifiers;
|
import org.jose4j.jws.AlgorithmIdentifiers;
|
||||||
import org.jose4j.jws.JsonWebSignature;
|
import org.jose4j.jws.JsonWebSignature;
|
||||||
import org.jose4j.jwt.JwtClaims;
|
import org.jose4j.jwt.JwtClaims;
|
||||||
|
|
@ -14,45 +16,69 @@ import org.jose4j.jwt.consumer.JwtConsumerBuilder;
|
||||||
import org.jose4j.lang.JoseException;
|
import org.jose4j.lang.JoseException;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
import org.springframework.beans.factory.InitializingBean;
|
||||||
|
import org.springframework.stereotype.Component;
|
||||||
|
|
||||||
import java.security.PrivateKey;
|
import javax.annotation.Resource;
|
||||||
import java.time.LocalDateTime;
|
import java.time.LocalDateTime;
|
||||||
import java.time.ZoneOffset;
|
import java.time.ZoneOffset;
|
||||||
|
|
||||||
public class JwtUtils {
|
@Component
|
||||||
|
public class JwtUtils implements InitializingBean {
|
||||||
|
|
||||||
private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);
|
private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);
|
||||||
|
|
||||||
private static final String HEADER = "access-token";
|
private static final String HEADER = "access-token";
|
||||||
|
|
||||||
private static final String AUDIENCE = "Audience";
|
private static final String AUDIENCE = "Audience";
|
||||||
|
|
||||||
private static final long EXPIRED_THRESHOLD = 10 * 60;
|
|
||||||
|
|
||||||
private static final String keyId = "3e79646c4dbc408383a9eed09f2b85ae";
|
private static final String keyId = "3e79646c4dbc408383a9eed09f2b85ae";
|
||||||
private static final String privateKeyStr = "{\"kty\":\"RSA\",\"kid\":\"3e79646c4dbc408383a9eed09f2b85ae\",\"alg\":\"RS256\",\"n\":\"gndmVdiOTSJ5et2HIeTM5f1m61x5ojLUi5HDfvr-jRrESQ5kbKuySGHVwR4QhwinpY1wQqBnwc80tx7cb_6SSqsTOoGln6T_l3k2Pb54ClVnGWiW_u1kmX78V2TZOsVmZmwtdZCMi-2zWIyAdIEXE-gncIehoAgEoq2VAhaCURbJWro_EwzzQwNmCTkDodLAx4npXRd_qSu0Ayp0txym9OFovBXBULRvk4DPiy3i_bPUmCDxzC46pTtFOe9p82uybTehZfULZtXXqRm85FL9n5zkrsTllPNAyEGhgb0RK9sE5nK1m_wNNysDyfLC4EFf1VXTrKm14XNVjc2vqLb7Mw\",\"e\":\"AQAB\",\"d\":\"ed7U_k3rJ4yTk70JtRSIfjKGiEb67BO1TabcymnljKO7RU8nage84zZYuSu_XpQsHk6P1f0Gzxkicghm_Er-FrfVn2pp70Xu52z3yRd6BJUgWLDFk97ngScIyw5OiULKU9SrZk2frDpftNCSUcIgb50F8m0QAnBa_CdPsQKbuuhLv8V8tBAV7F_lAwvSBgu56wRo3hPz5dWH8YeXM7XBfQ9viFMNEKd21sP_j5C7ueUnXT66nBxe3ZJEU3iuMYM6D6dB_KW2GfZC6WmTgvGhhxJD0h7aYmfjkD99MDleB7SkpbvoODOqiQ5Epb7Nyh6kv5u4KUv2CJYtATLZkUeMkQ\",\"p\":\"uBUjWPWtlGksmOqsqCNWksfqJvMcnP_8TDYN7e4-WnHL4N-9HjRuPDnp6kHvCIEi9SEfxm7gNxlRcWegvNQr3IZCz7TnCTexXc5NOklB9OavWFla6u-s3Thn6Tz45-EUjpJr0VJMxhO-KxGmuTwUXBBp4vN6K2qV6rQNFmgkWzk\",\"q\":\"tW_i7cCec56bHkhITL_79dXHz_PLC_f7xlynmlZJGU_d6mqOKmLBNBbTMLnYW8uAFiFzWxDeDHh1o5uF0mSQR-Z1Fg35OftnpbWpy0Cbc2la5WgXQjOwtG1eLYIY2BD3-wQ1VYDBCvowr4FDi-sngxwLqvwmrJ0xjhi99O-Gzcs\",\"dp\":\"q1d5jE85Hz_6M-eTh_lEluEf0NtPEc-vvhw-QO4V-cecNpbrCBdTWBmr4dE3NdpFeJc5ZVFEv-SACyei1MBEh0ItI_pFZi4BmMfy2ELh8ptaMMkTOESYyVy8U7veDq9RnBcr5i1Nqr0rsBkA77-9T6gzdvycBZdzLYAkAmwzEvk\",\"dq\":\"q29A2K08Crs-jmp2Bi8Q_8QzvIX6wSBbwZ4ir24AO-5_HNP56IrPS0yV2GCB0pqCOGb6_Hz_koDvhtuYoqdqvMVAtMoXR3YJBUaVXPt65p4RyNmFwIPe31zHs_BNUTsXVRMw4c16mci03-Af1sEm4HdLfxAp6sfM3xr5wcnhcek\",\"qi\":\"rHPgVTyHUHuYzcxfouyBfb1XAY8nshwn0ddo81o1BccD4Z7zo5It6SefDHjxCAbcmbiCcXBSooLcY-NF5FMv3fg19UE21VyLQltHcVjRRp2tRs4OHcM8yaXIU2x6N6Z6BP2tOksHb9MOBY1wAQzFOAKg_G4Sxev6-_6ud6RISuc\"}";
|
|
||||||
private static final String publicKeyStr = "{\"kty\":\"RSA\",\"kid\":\"3e79646c4dbc408383a9eed09f2b85ae\",\"alg\":\"RS256\",\"n\":\"gndmVdiOTSJ5et2HIeTM5f1m61x5ojLUi5HDfvr-jRrESQ5kbKuySGHVwR4QhwinpY1wQqBnwc80tx7cb_6SSqsTOoGln6T_l3k2Pb54ClVnGWiW_u1kmX78V2TZOsVmZmwtdZCMi-2zWIyAdIEXE-gncIehoAgEoq2VAhaCURbJWro_EwzzQwNmCTkDodLAx4npXRd_qSu0Ayp0txym9OFovBXBULRvk4DPiy3i_bPUmCDxzC46pTtFOe9p82uybTehZfULZtXXqRm85FL9n5zkrsTllPNAyEGhgb0RK9sE5nK1m_wNNysDyfLC4EFf1VXTrKm14XNVjc2vqLb7Mw\",\"e\":\"AQAB\"}";
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* token过期时间(分钟)
|
* token过期时间(分钟)
|
||||||
*/
|
*/
|
||||||
public static final long expirationTime = 30 * 24 * 60;
|
public static final long expirationTime = 30 * 24 * 60;
|
||||||
|
|
||||||
public static String createToken(String username, String password, Integer roleId) {
|
private static RsaJsonWebKey rsaJsonWebKey;
|
||||||
|
|
||||||
|
private static IUserService userService;
|
||||||
|
|
||||||
|
@Resource
|
||||||
|
public void setUserService(IUserService userService) {
|
||||||
|
JwtUtils.userService = userService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void afterPropertiesSet() {
|
||||||
try {
|
try {
|
||||||
|
rsaJsonWebKey = generateRsaJsonWebKey();
|
||||||
|
} catch (JoseException e) {
|
||||||
|
logger.error("生成RsaJsonWebKey报错。", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
* 创建密钥对
|
||||||
|
* @throws JoseException JoseException
|
||||||
|
*/
|
||||||
|
private RsaJsonWebKey generateRsaJsonWebKey() throws JoseException {
|
||||||
|
// 生成一个RSA密钥对,该密钥对将用于JWT的签名和验证,包装在JWK中
|
||||||
|
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
|
||||||
|
// 给JWK一个密钥ID
|
||||||
|
rsaJsonWebKey.setKeyId(keyId);
|
||||||
|
return rsaJsonWebKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static String createToken(String username) {
|
||||||
|
try {
|
||||||
|
/*
|
||||||
* “iss” (issuer) 发行人
|
* “iss” (issuer) 发行人
|
||||||
*
|
|
||||||
* “sub” (subject) 主题
|
* “sub” (subject) 主题
|
||||||
*
|
|
||||||
* “aud” (audience) 接收方 用户
|
* “aud” (audience) 接收方 用户
|
||||||
*
|
|
||||||
* “exp” (expiration time) 到期时间
|
* “exp” (expiration time) 到期时间
|
||||||
*
|
|
||||||
* “nbf” (not before) 在此之前不可用
|
* “nbf” (not before) 在此之前不可用
|
||||||
*
|
|
||||||
* “iat” (issued at) jwt的签发时间
|
* “iat” (issued at) jwt的签发时间
|
||||||
*/
|
*/
|
||||||
//Payload
|
|
||||||
JwtClaims claims = new JwtClaims();
|
JwtClaims claims = new JwtClaims();
|
||||||
claims.setGeneratedJwtId();
|
claims.setGeneratedJwtId();
|
||||||
claims.setIssuedAtToNow();
|
claims.setIssuedAtToNow();
|
||||||
|
|
@ -62,9 +88,7 @@ public class JwtUtils {
|
||||||
claims.setSubject("login");
|
claims.setSubject("login");
|
||||||
claims.setAudience(AUDIENCE);
|
claims.setAudience(AUDIENCE);
|
||||||
//添加自定义参数,必须是字符串类型
|
//添加自定义参数,必须是字符串类型
|
||||||
claims.setClaim("username", username);
|
claims.setClaim("userName", username);
|
||||||
claims.setClaim("password", password);
|
|
||||||
claims.setClaim("roleId", roleId);
|
|
||||||
|
|
||||||
//jws
|
//jws
|
||||||
JsonWebSignature jws = new JsonWebSignature();
|
JsonWebSignature jws = new JsonWebSignature();
|
||||||
|
|
@ -73,12 +97,10 @@ public class JwtUtils {
|
||||||
jws.setKeyIdHeaderValue(keyId);
|
jws.setKeyIdHeaderValue(keyId);
|
||||||
jws.setPayload(claims.toJson());
|
jws.setPayload(claims.toJson());
|
||||||
|
|
||||||
PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyStr)).getPrivateKey();
|
jws.setKey(rsaJsonWebKey.getPrivateKey());
|
||||||
jws.setKey(privateKey);
|
|
||||||
|
|
||||||
//get token
|
//get token
|
||||||
String idToken = jws.getCompactSerialization();
|
return jws.getCompactSerialization();
|
||||||
return idToken;
|
|
||||||
} catch (JoseException e) {
|
} catch (JoseException e) {
|
||||||
logger.error("[Token生成失败]: {}", e.getMessage());
|
logger.error("[Token生成失败]: {}", e.getMessage());
|
||||||
}
|
}
|
||||||
|
|
@ -90,7 +112,6 @@ public class JwtUtils {
|
||||||
return HEADER;
|
return HEADER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public static JwtUser verifyToken(String token) {
|
public static JwtUser verifyToken(String token) {
|
||||||
|
|
||||||
JwtUser jwtUser = new JwtUser();
|
JwtUser jwtUser = new JwtUser();
|
||||||
|
|
@ -103,7 +124,7 @@ public class JwtUtils {
|
||||||
.setRequireSubject()
|
.setRequireSubject()
|
||||||
//.setExpectedIssuer("")
|
//.setExpectedIssuer("")
|
||||||
.setExpectedAudience(AUDIENCE)
|
.setExpectedAudience(AUDIENCE)
|
||||||
.setVerificationKey(new RsaJsonWebKey(JsonUtil.parseJson(publicKeyStr)).getPublicKey())
|
.setVerificationKey(rsaJsonWebKey.getPublicKey())
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
JwtClaims claims = consumer.processToClaims(token);
|
JwtClaims claims = consumer.processToClaims(token);
|
||||||
|
|
@ -113,26 +134,26 @@ public class JwtUtils {
|
||||||
long timeRemaining = LocalDateTime.now().toEpochSecond(ZoneOffset.ofHours(8)) - expirationTime.getValue();
|
long timeRemaining = LocalDateTime.now().toEpochSecond(ZoneOffset.ofHours(8)) - expirationTime.getValue();
|
||||||
if (timeRemaining < 5 * 60) {
|
if (timeRemaining < 5 * 60) {
|
||||||
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRING_SOON);
|
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRING_SOON);
|
||||||
}else {
|
} else {
|
||||||
jwtUser.setStatus(JwtUser.TokenStatus.NORMAL);
|
jwtUser.setStatus(JwtUser.TokenStatus.NORMAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
String username = (String) claims.getClaimValue("username");
|
String username = (String) claims.getClaimValue("userName");
|
||||||
String password = (String) claims.getClaimValue("password");
|
User user = userService.getUserByUsername(username);
|
||||||
Long roleId = (Long) claims.getClaimValue("roleId");
|
|
||||||
jwtUser.setUserName(username);
|
jwtUser.setUserName(username);
|
||||||
jwtUser.setPassword(password);
|
jwtUser.setPassword(user.getPassword());
|
||||||
jwtUser.setRoleId(roleId.intValue());
|
jwtUser.setRoleId(user.getRole().getId());
|
||||||
|
|
||||||
return jwtUser;
|
return jwtUser;
|
||||||
} catch (InvalidJwtException e) {
|
} catch (InvalidJwtException e) {
|
||||||
if (e.hasErrorCode(ErrorCodes.EXPIRED)) {
|
if (e.hasErrorCode(ErrorCodes.EXPIRED)) {
|
||||||
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
|
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
|
||||||
}else {
|
} else {
|
||||||
jwtUser.setStatus(JwtUser.TokenStatus.EXCEPTION);
|
jwtUser.setStatus(JwtUser.TokenStatus.EXCEPTION);
|
||||||
}
|
}
|
||||||
return jwtUser;
|
return jwtUser;
|
||||||
}catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error("[Token解析失败]: {}", e.getMessage());
|
logger.error("[Token解析失败]: {}", e.getMessage());
|
||||||
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
|
jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
|
||||||
return jwtUser;
|
return jwtUser;
|
||||||
|
|
|
||||||
|
|
@ -57,7 +57,7 @@ public class UserController {
|
||||||
if (user == null) {
|
if (user == null) {
|
||||||
throw new ControllerException(ErrorCode.ERROR100.getCode(), "用户名或密码错误");
|
throw new ControllerException(ErrorCode.ERROR100.getCode(), "用户名或密码错误");
|
||||||
}else {
|
}else {
|
||||||
String jwt = JwtUtils.createToken(username, password, user.getRole().getId());
|
String jwt = JwtUtils.createToken(username);
|
||||||
response.setHeader(JwtUtils.getHeader(), jwt);
|
response.setHeader(JwtUtils.getHeader(), jwt);
|
||||||
user.setAccessToken(jwt);
|
user.setAccessToken(jwt);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue