jwt 密钥校验

spring5-admin/src/main/java/com/yaozhitech/spring5/config/RoleResourceConfiguration.java

@@ -1,25 +0,0 @@
-package com.yaozhitech.spring5.config;
-
-import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
-import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class RoleResourceConfiguration extends ShiroConfiguration {
-	
-	@Override
-	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
-		
-		
-		DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
-//    chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
-//    chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
-        chainDefinition.addPathDefinition("/**", "anon");
-//		chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 只允许admin或manager角色的用户访问
-//		chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authc");
-//		chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authc[permissive]");
-//		chainDefinition.addPathDefinition("/**", "noSessionCreation,authc"); // 默认进行用户鉴权
-		
-		return chainDefinition;
-	}
-}

spring5-auth/spring5-auth-client/pom.xml

@@ -15,18 +15,18 @@
     </parent>
     
 	<dependencies>
-	    <!-- Spring Boot 响应式 Redis 依赖 -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
-        </dependency>
+<!-- 	    Spring Boot 响应式 Redis 依赖 -->
+<!--         <dependency> -->
+<!--             <groupId>org.springframework.boot</groupId> -->
+<!--             <artifactId>spring-boot-starter-data-redis-reactive</artifactId> -->
+<!--         </dependency> -->
         
 	    <!-- shrio -->
-        <dependency>
-            <groupId>org.apache.shiro</groupId>
-            <artifactId>shiro-spring-boot-web-starter</artifactId>
-            <version>1.4.0</version>
-        </dependency>
+<!--         <dependency> -->
+<!--             <groupId>org.apache.shiro</groupId> -->
+<!--             <artifactId>shiro-spring-boot-web-starter</artifactId> -->
+<!--             <version>1.4.0</version> -->
+<!--         </dependency> -->
         
         <!-- jwt -->
         <dependency>

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/ShiroConfiguration.java

@@ -1,99 +0,0 @@
-package com.yaozhitech.spring5.config;
-
-import java.util.Arrays;
-import java.util.Map;
-
-import javax.servlet.DispatcherType;
-import javax.servlet.Filter;
-
-import org.apache.shiro.authc.Authenticator;
-import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
-import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.mgt.SessionStorageEvaluator;
-import org.apache.shiro.realm.Realm;
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
-import org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import com.yaozhitech.spring5.filter.AnyRolesAuthorizationFilter;
-import com.yaozhitech.spring5.filter.JwtAuthFilter;
-import com.yaozhitech.spring5.jwt.JWTShiroRealm;
-import com.yaozhitech.spring5.service.JwtUserService;
-
-@Configuration
-public abstract class ShiroConfiguration {
-	/**
-	 * 注册shiro的Filter，拦截请求
-	 */
-	@Bean
-    public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,JwtUserService userService) throws Exception{
-        FilterRegistrationBean<Filter> filterRegistration = new FilterRegistrationBean<Filter>();
-        filterRegistration.setFilter((Filter)shiroFilter(securityManager, userService).getObject());
-        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
-        filterRegistration.setAsyncSupported(true);
-        filterRegistration.setEnabled(true);
-        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ASYNC);
-
-        return filterRegistration;
-    }
-
-    @Bean
-    public Authenticator authenticator(JwtUserService userService) {
-        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
-        authenticator.setRealms(Arrays.asList(jwtShiroRealm(userService)));
-        authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
-        return authenticator;
-    }
-
-	/**
-	 * 禁用session, 不保存用户登录状态。保证每次请求都重新认证。
-	 * 需要注意的是，如果用户代码里调用Subject.getSession()还是可以用session，如果要完全禁用，要配合下面的noSessionCreation的Filter来实现
-	 */
-    @Bean
-    protected SessionStorageEvaluator sessionStorageEvaluator(){
-        DefaultWebSessionStorageEvaluator sessionStorageEvaluator = new DefaultWebSessionStorageEvaluator();
-        sessionStorageEvaluator.setSessionStorageEnabled(false);
-        return sessionStorageEvaluator;
-    }
-    
-    /**
-          * 用于JWT token认证的realm
-     */
-    @Bean("jwtRealm")
-    public Realm jwtShiroRealm(JwtUserService userService) {
-        JWTShiroRealm myShiroRealm = new JWTShiroRealm(userService);
-        return myShiroRealm;
-    }
-
-    /**
-          * 设置过滤器，将自定义的Filter加入
-     */
-    @Bean
-    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, JwtUserService userService) {
-    	ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
-        factoryBean.setSecurityManager(securityManager);
-        Map<String, Filter> filterMap = factoryBean.getFilters();
-        filterMap.put("authcToken", createAuthFilter(userService));
-        filterMap.put("anyRole", createRolesFilter());
-        factoryBean.setFilters(filterMap);
-        factoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition().getFilterChainMap());
-
-        return factoryBean;
-    }
-    
-    public abstract ShiroFilterChainDefinition shiroFilterChainDefinition() ;
-
-   //注意不要加@Bean注解，不然spring会自动注册成filter
-    protected JwtAuthFilter createAuthFilter(JwtUserService userService){
-        return new JwtAuthFilter(userService);
-    }
-
-    protected AnyRolesAuthorizationFilter createRolesFilter(){
-        return new AnyRolesAuthorizationFilter();
-    }
-    
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/dto/UserDto.java

@@ -1,16 +0,0 @@
-package com.yaozhitech.spring5.dto;
-
-import java.util.List;
-
-import lombok.Data;
-
-@Data
-public class UserDto {
-
-	private String username;
-    private char[] password;
-    private String encryptPwd;
-    private Long userId;
-    private String salt;
-    private List<String> roles;
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/filter/AnyRolesAuthorizationFilter.java

@@ -1,43 +0,0 @@
-package com.yaozhitech.spring5.filter;
-
-import java.io.IOException;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.web.filter.authz.AuthorizationFilter;
-import org.apache.shiro.web.util.WebUtils;
-import org.springframework.http.HttpStatus;
-
-public class AnyRolesAuthorizationFilter  extends AuthorizationFilter {
-	
-	@Override
-    protected void postHandle(ServletRequest request, ServletResponse response){
-	}
-
-    @Override
-    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
-        Subject subject = getSubject(servletRequest, servletResponse);
-        String[] rolesArray = (String[]) mappedValue;
-        if (rolesArray == null || rolesArray.length == 0) { //没有角色限制，有权限访问
-            return true;
-        }
-        for (String role : rolesArray) {
-            if (subject.hasRole(role)) //若当前用户是rolesArray中的任何一个，则有权限访问
-                return true;
-        }
-        return false;
-    }
-
-    @Override
-    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
-        HttpServletResponse httpResponse = WebUtils.toHttp(response);
-        httpResponse.setCharacterEncoding("UTF-8");
-        httpResponse.setContentType("application/json;charset=utf-8");
-        httpResponse.setStatus(HttpStatus.UNAUTHORIZED.ordinal());
-        return false;
-    }
-
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/filter/JwtAuthFilter.java

@@ -1,152 +0,0 @@
-package com.yaozhitech.spring5.filter;
-
-
-import java.time.LocalDateTime;
-import java.time.ZoneId;
-import java.util.Date;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
-import org.apache.shiro.web.util.WebUtils;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.RequestMethod;
-
-import com.yaozhitech.spring5.dto.UserDto;
-import com.yaozhitech.spring5.jwt.JWTToken;
-import com.yaozhitech.spring5.service.JwtUserService;
-import com.yaozhitech.spring5.utils.JwtUtils;
-
-import lombok.extern.slf4j.Slf4j;
-
-@Slf4j
-public class JwtAuthFilter extends AuthenticatingFilter {
-	
-	@Value("${jwt.header}")
-    private String tokenHeader;
-
-    @Value("${jwt.tokenHead}")
-    private String tokenHead;
-
-    private static final int tokenRefreshInterval = 300;
-    private JwtUserService userService;
-
-    public JwtAuthFilter(JwtUserService userService){
-        this.userService = userService;
-        this.setLoginUrl("/login");
-    }
-
-    @Override
-    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
-        HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
-        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) //对于OPTION请求做拦截，不做token校验
-            return false;
-
-        return super.preHandle(request, response);
-    }
-
-    @Override
-    protected void postHandle(ServletRequest request, ServletResponse response){
-        this.fillCorsHeader(WebUtils.toHttp(request), WebUtils.toHttp(response));
-    }
-
-    /**
-          * 父类会在请求进入拦截器后调用该方法，返回true则继续，返回false则会调用onAccessDenied()。这里在不通过时，还调用了isPermissive()方法，
-     */
-    @Override
-    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
-        if(this.isLoginRequest(request, response))
-            return true;
-
-        boolean allowed = false;
-        try {
-            allowed = executeLogin(request, response);
-        } catch(IllegalStateException e){ //not found any token
-            log.error("Not found any token", e);
-        }catch (Exception e) {
-            log.error("Error occurs when login", e);
-        }
-        return allowed;// || super.isPermissive(mappedValue);
-    }
-
-    /**
-          * 这里重写了父类的方法，使用我们自己定义的Token类，提交给shiro。这个方法返回null的话会直接抛出异常，进入isAccessAllowed（）的异常处理逻辑。
-     */
-    @Override
-    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
-        String jwtToken = getAuthzHeader(servletRequest);
-        if(!StringUtils.isEmpty(jwtToken)&&!JwtUtils.isTokenExpired(jwtToken))
-            return new JWTToken(jwtToken);
-
-        return null;
-    }
-
-    @Override
-    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
-        
-    	HttpServletRequest httpServletRequest = WebUtils.toHttp(servletRequest);
-        HttpServletResponse httpResponse = WebUtils.toHttp(servletResponse);
-        // 返回401
-        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-        httpResponse.getOutputStream().println("401 UNAUTHORIZED");
-        // 设置响应码为401或者直接输出消息
-        String url = httpServletRequest.getRequestURI();
-        log.error("onAccessDenied url：{}", url);
-
-    	return false;
-    }
-
-    /**
-          *  如果Shiro Login认证成功，会进入该方法，等同于用户名密码登录成功，我们这里还判断了是否要刷新Token
-     */
-    @Override
-    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {
-        HttpServletResponse httpResponse = WebUtils.toHttp(response);
-        String newToken = null;
-        if(token instanceof JWTToken){
-            JWTToken jwtToken = (JWTToken)token;
-            UserDto user = (UserDto) subject.getPrincipal();
-            boolean shouldRefresh = shouldTokenRefresh(JwtUtils.getIssuedAt(jwtToken.getToken()));
-            if(shouldRefresh) {
-                newToken = userService.generateJwtToken(user.getUsername());
-            }
-        }
-        if(!StringUtils.isEmpty(newToken))
-            httpResponse.setHeader("x-auth-token", newToken);
-
-        return true;
-    }
-
-    @Override
-    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
-        log.error("Validate token fail, token:{}, error:{}", token.toString(), e.getMessage());
-        return false;
-    }
-
-    protected String getAuthzHeader(ServletRequest request) {
-        HttpServletRequest httpRequest = WebUtils.toHttp(request);
-        String header = httpRequest.getHeader("x-auth-token");
-        if (StringUtils.startsWithIgnoreCase(header, "Bearer ")) {
-			return StringUtils.replace(header, "Bearer ", "");
-		}
-        return header;
-    }
-
-    protected boolean shouldTokenRefresh(Date issueAt){
-        LocalDateTime issueTime = LocalDateTime.ofInstant(issueAt.toInstant(), ZoneId.systemDefault());
-        return LocalDateTime.now().minusSeconds(tokenRefreshInterval).isAfter(issueTime);
-    }
-
-    protected void fillCorsHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse){
-        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
-        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,HEAD");
-        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
-    }
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTCredentialsMatcher.java

@@ -1,41 +0,0 @@
-package com.yaozhitech.spring5.jwt;
-
-import java.io.UnsupportedEncodingException;
-
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.credential.CredentialsMatcher;
-
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.JWTVerifier;
-import com.auth0.jwt.algorithms.Algorithm;
-import com.auth0.jwt.exceptions.JWTVerificationException;
-import com.yaozhitech.spring5.dto.UserDto;
-
-import lombok.extern.slf4j.Slf4j;
-
-@Slf4j
-public class JWTCredentialsMatcher implements CredentialsMatcher {
-	
-    @Override
-    public boolean doCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
-        String token = (String) authenticationToken.getCredentials();
-        Object stored = authenticationInfo.getCredentials();
-        String salt = stored.toString();
-
-        UserDto user = (UserDto)authenticationInfo.getPrincipals().getPrimaryPrincipal();
-        try {
-            Algorithm algorithm = Algorithm.HMAC256(salt);
-            JWTVerifier verifier = JWT.require(algorithm)
-                    .withClaim("username", user.getUsername())
-                    .build();
-            verifier.verify(token);
-            return true;
-        } catch (UnsupportedEncodingException | JWTVerificationException e) {
-            log.error("Token Error:{}", e.getMessage());
-        }
-
-        return false;
-    }
-
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTShiroRealm.java

@@ -1,58 +0,0 @@
-package com.yaozhitech.spring5.jwt;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.SimpleAuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-
-import com.yaozhitech.spring5.dto.UserDto;
-import com.yaozhitech.spring5.service.JwtUserService;
-import com.yaozhitech.spring5.utils.JwtUtils;
-
-
-/**
- * 自定义身份认证
- * 基于HMAC（ 散列消息认证码）的控制域
- */
-
-public class JWTShiroRealm extends AuthorizingRealm {
-
-    protected JwtUserService userService;
-
-    public JWTShiroRealm(JwtUserService userService){
-        this.userService = userService;
-        this.setCredentialsMatcher(new JWTCredentialsMatcher());
-    }
-
-    @Override
-    public boolean supports(AuthenticationToken token) {
-        return token instanceof JWTToken;
-    }
-
-    /**
-     * 认证信息.(身份验证) : Authentication 是用来验证用户身份
-     * 默认使用此方法进行用户名正确与否验证，错误抛出异常即可。
-     */
-    @Override
-    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {    
-        JWTToken jwtToken = (JWTToken) authcToken;
-        String token = jwtToken.getToken();
-        
-        UserDto user = userService.getJwtTokenInfo(JwtUtils.getUsername(token));
-        if(user == null)
-            throw new AuthenticationException("token过期，请重新登录");
-
-        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user, user.getSalt(), "jwtRealm");
-
-        return authenticationInfo;
-    }
-
-    @Override
-    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-        return new SimpleAuthorizationInfo();
-    }
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTToken.java

@@ -1,44 +0,0 @@
-package com.yaozhitech.spring5.jwt;
-
-import org.apache.shiro.authc.HostAuthenticationToken;
-
-import lombok.Data;
-
-@Data
-public class JWTToken implements HostAuthenticationToken {
-
-	/**
-	 * 
-	 */
-	private static final long serialVersionUID = -6910437116441110747L;
-	
-	private String token;
-    private String host;
-    
-    public JWTToken(String token) {
-        this(token, null);
-    }
-
-    public JWTToken(String token, String host) {
-        this.token = token;
-        this.host = host;
-    }
-    
-	@Override
-	public Object getPrincipal() {
-		return token;
-	}
-	@Override
-	public Object getCredentials() {
-		return token;
-	}
-	@Override
-	public String getHost() {
-		return host;
-	}
-    
-	@Override
-    public String toString(){
-        return token + ':' + host;
-    }
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/service/JwtUserService.java

@@ -1,82 +0,0 @@
-package com.yaozhitech.spring5.service;
-
-import java.time.Duration;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.shiro.crypto.hash.Sha256Hash;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.data.redis.core.StringRedisTemplate;
-import org.springframework.stereotype.Service;
-
-import com.yaozhitech.spring5.dto.UserDto;
-import com.yaozhitech.spring5.utils.JwtUtils;
-
-@Service
-public class JwtUserService {
-
-	@Value("${password.salt}")
-	private String encryptSalt;
-
-	@Autowired
-	private StringRedisTemplate redisTemplate;
-
-	/**
-	 * 保存user登录信息，返回token
-	 * 
-	 * @param userDto
-	 */
-	public String generateJwtToken(String username) {
-		String salt = JwtUtils.generateSalt();
-		redisTemplate.opsForValue().set("token:"+username, salt, Duration.ofSeconds(3600));
-		return JwtUtils.sign(username, salt, 3600); // 生成jwt token，设置过期时间为1小时
-	}
-
-	/**
-	 * 获取上次token生成时的salt值和登录用户信息
-	 * 
-	 * @param username
-	 * @return
-	 */
-	public UserDto getJwtTokenInfo(String username) {
-		String salt = redisTemplate.opsForValue().get("token:"+username);
-		UserDto user = getUserInfo(username);
-		user.setSalt(salt);
-		return user;
-	}
-
-	/**
-	 * 清除token信息
-	 * 
-	 * @param userName 登录用户名
-	 * @param terminal 登录终端
-	 */
-	public void deleteLoginInfo(String username) {
-		redisTemplate.delete("token:"+username);
-	}
-
-	/**
-	 * 获取数据库中保存的用户信息，主要是加密后的密码
-	 * 
-	 * @param userName
-	 * @return
-	 */
-	public UserDto getUserInfo(String userName) {
-		UserDto user = new UserDto();
-		user.setUserId(1L);
-		user.setUsername("admin");
-		user.setEncryptPwd(new Sha256Hash("123456", encryptSalt).toHex());
-		return user;
-	}
-
-	/**
-	 * 获取用户角色列表，强烈建议从缓存中获取
-	 * 
-	 * @param userId
-	 * @return
-	 */
-	public List<String> getUserRoles(Long userId) {
-		return Arrays.asList("admin");
-	}
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/utils/JwtUtils.java

@@ -3,14 +3,19 @@ package com.yaozhitech.spring5.utils;
 import java.io.UnsupportedEncodingException;
 import java.util.Calendar;
 import java.util.Date;
-
-import org.apache.shiro.crypto.SecureRandomNumberGenerator;
+import java.util.Map;
 
 import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.interfaces.Claim;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import com.yaozhitech.spring5.common.util.UUIDUtils;
+
+import lombok.extern.slf4j.Slf4j;
 
+@Slf4j
 public class JwtUtils {
 
 	/**
@@ -22,6 +27,7 @@ public class JwtUtils {
             DecodedJWT jwt = JWT.decode(token);
             return jwt.getIssuedAt();
         } catch (JWTDecodeException e) {
+        	log.error(e.getMessage(), e);
             return null;
         }
     }
@@ -35,8 +41,36 @@ public class JwtUtils {
             DecodedJWT jwt = JWT.decode(token);
             return jwt.getClaim("username").asString();
         } catch (JWTDecodeException e) {
+        	log.error(e.getMessage(), e);
+            return null;
+        }
+    }
+    
+    /**
+     * 需要密钥才能获得信息
+     */
+    public static Map<String, Claim> verifyToken(String token, String secret) {
+        DecodedJWT jwt = null;
+        try {
+            JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).build();
+            jwt = verifier.verify(token);
+        } catch (Exception e) {
+        	log.error(e.getMessage(), e);
+            return null;
+        }
+        return jwt.getClaims();
+    }
+    
+    public static String verifyTokenAndGet(String token, String secret) {
+        DecodedJWT jwt = null;
+        try {
+            JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).build();
+            jwt = verifier.verify(token);
+        } catch (Exception e) {
+        	log.error(e.getMessage(), e);
             return null;
         }
+        return jwt.getClaim("username").asString();
     }
 
     /**
@@ -75,8 +109,6 @@ public class JwtUtils {
      * @return
      */
     public static String generateSalt(){
-        SecureRandomNumberGenerator secureRandom = new SecureRandomNumberGenerator();
-        String hex = secureRandom.nextBytes(16).toHex();
-        return hex;
+        return UUIDUtils.generateShortUuid();
     }
 }

spring5-auth/spring5-auth-client/src/main/resources/application.yml

@@ -0,0 +1,2 @@
+jwt:
+  salt: xP3La8IhZjl4fmWXD.AYVH5tor5bn-Rr

spring5-order/src/main/java/com/yaozhitech/spring5/config/RoleResourceConfiguration.java

@@ -1,25 +0,0 @@
-package com.yaozhitech.spring5.config;
-
-import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
-import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class RoleResourceConfiguration extends ShiroConfiguration{
-	
-	@Override
-	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
-		
-		
-		DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
-//    chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
-//    chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
-//    chainDefinition.addPathDefinition("/image/**", "anon"); ,anyRole[admin,manager]
-		chainDefinition.addPathDefinition("/**", "anon"); // 只允许admin或manager角色的用户访问
-//		chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authc");
-//		chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authc[permissive]");
-//		chainDefinition.addPathDefinition("/**", "noSessionCreation,authc"); // 默认进行用户鉴权
-		
-		return chainDefinition;
-	}
-}

spring5-order/src/main/java/com/yaozhitech/spring5/controller/OrderController.java

@@ -12,6 +12,9 @@ import com.yaozhitech.spring5.annotation.IgnoreClientToken;
 import com.yaozhitech.spring5.provider.AdminProvider;
 import com.yaozhitech.spring5.utils.JwtUtils;
 
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
 @RestController
 @RequestMapping("/order")
 public class OrderController {
@@ -24,6 +27,9 @@ public class OrderController {
 	
 	@Value("${auth.client.secret}")
     private String clientSecret;
+	
+	@Value("$jwt.salt}")
+	private String jwtSalt;
 
 	@GetMapping("/{id}")
 	public ResponseEntity<String> read(@PathVariable Long id) {
@@ -33,6 +39,15 @@ public class OrderController {
 	@IgnoreClientToken
 	@GetMapping("/token")
 	public ResponseEntity<String> token() {
-		return ResponseEntity.ok(JwtUtils.sign(applicationName + "." + clientSecret, JwtUtils.generateSalt(), 3600));
+		String token = JwtUtils.sign(applicationName + "." + clientSecret, jwtSalt, 3600);
+		
+		String decodeToken = JwtUtils.getUsername(token);
+		log.info(decodeToken);
+		
+		decodeToken = JwtUtils.verifyTokenAndGet("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NzY3NTgzMjUsImlhdCI6MTU3Njc1NDcyNSwidXNlcm5hbWUiOiJvcmRlci5xeDRNWFZSOVNKbTMxcTJDIn0.W_1wgNjhIfB-3D_v7qhqlpxzc2setbAtHo0Iich_GFc",
+				jwtSalt);
+		log.info(decodeToken);
+		
+		return ResponseEntity.ok(token);
 	}
 }