首页 探索 帮助
注册 登录
yufeng
/
spring5_demo1
关注 1
点赞 0
派生 0
文件 合并请求 0 Wiki
目录树: b0386c0337
分支列表 标签列表
spring5_demo1
/
spring5-auth
/
spring5-auth-client
/
src
/
main
/
java
/
com
/
yaozhitech
/
spring5
/
filter
/
JwtAuthFilter.java

JwtAuthFilter.java 6.3 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. package com.yaozhitech.spring5.filter;
    2. 

  2. 

  3. 

  4. import java.time.LocalDateTime;
    5. 

  5. import java.time.ZoneId;
    6. 

  6. import java.util.Date;
    7. 

  7. 

  8. import javax.servlet.ServletRequest;
    9. 

  9. import javax.servlet.ServletResponse;
    10. 

  10. import javax.servlet.http.HttpServletRequest;
    11. 

  11. import javax.servlet.http.HttpServletResponse;
    12. 

  12. 

  13. import org.apache.shiro.authc.AuthenticationException;
    14. 

  14. import org.apache.shiro.authc.AuthenticationToken;
    15. 

  15. import org.apache.shiro.subject.Subject;
    16. 

  16. import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
    17. 

  17. import org.apache.shiro.web.util.WebUtils;
    18. 

  18. import org.springframework.beans.factory.annotation.Value;
    19. 

  19. import org.springframework.util.StringUtils;
    20. 

  20. import org.springframework.web.bind.annotation.RequestMethod;
    21. 

  21. 

  22. import com.yaozhitech.spring5.dto.UserDto;
    23. 

  23. import com.yaozhitech.spring5.jwt.JWTToken;
    24. 

  24. import com.yaozhitech.spring5.service.UserService;
    25. 

  25. import com.yaozhitech.spring5.utils.JwtUtils;
    26. 

  26. 

  27. import lombok.extern.slf4j.Slf4j;
    28. 

  28. 

  29. @Slf4j
    30. 

  30. public class JwtAuthFilter extends AuthenticatingFilter {
    31. 

  31. 	
    32. 

  32. 	@Value("${jwt.header}")
    33. 

  33.     private String tokenHeader;
    34. 

  34. 

  35.     @Value("${jwt.tokenHead}")
    36. 

  36.     private String tokenHead;
    37. 

  37. 

  38.     private static final int tokenRefreshInterval = 300;
    39. 

  39.     private UserService userService;
    40. 

  40. 

  41.     public JwtAuthFilter(UserService userService){
    42. 

  42.         this.userService = userService;
    43. 

  43.         this.setLoginUrl("/login");
    44. 

  44.     }
    45. 

  45. 

  46.     @Override
    47. 

  47.     protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
    48. 

  48.         HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
    49. 

  49.         if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) //对于OPTION请求做拦截,不做token校验
    50. 

  50.             return false;
    51. 

  51. 

  52.         return super.preHandle(request, response);
    53. 

  53.     }
    54. 

  54. 

  55.     @Override
    56. 

  56.     protected void postHandle(ServletRequest request, ServletResponse response){
    57. 

  57.         this.fillCorsHeader(WebUtils.toHttp(request), WebUtils.toHttp(response));
    58. 

  58.         request.setAttribute("jwtShiroFilter.FILTERED", true);
    59. 

  59.     }
    60. 

  60. 

  61.     /**
    62. 

  62.           * 父类会在请求进入拦截器后调用该方法,返回true则继续,返回false则会调用onAccessDenied()。这里在不通过时,还调用了isPermissive()方法,
    63. 

  63.      */
    64. 

  64.     @Override
    65. 

  65.     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    66. 

  66.         if(this.isLoginRequest(request, response))
    67. 

  67.             return true;
    68. 

  68. 

  69.         Boolean afterFiltered = (Boolean)(request.getAttribute("jwtShiroFilter.FILTERED"));
    70. 

  70.         if(afterFiltered != null && afterFiltered)
    71. 

  71.         	return true;
    72. 

  72.         
    73. 

  73.         boolean allowed = false;
    74. 

  74.         try {
    75. 

  75.             allowed = executeLogin(request, response);
    76. 

  76.         } catch(IllegalStateException e){ //not found any token
    77. 

  77.             log.error("Not found any token", e);
    78. 

  78.         }catch (Exception e) {
    79. 

  79.             log.error("Error occurs when login", e);
    80. 

  80.         }
    81. 

  81.         return allowed;// || super.isPermissive(mappedValue);
    82. 

  82.     }
    83. 

  83. 

  84.     /**
    85. 

  85.           * 这里重写了父类的方法,使用我们自己定义的Token类,提交给shiro。这个方法返回null的话会直接抛出异常,进入isAccessAllowed()的异常处理逻辑。
    86. 

  86.      */
    87. 

  87.     @Override
    88. 

  88.     protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
    89. 

  89.         String jwtToken = getAuthzHeader(servletRequest);
    90. 

  90.         if(!StringUtils.isEmpty(jwtToken)&&!JwtUtils.isTokenExpired(jwtToken))
    91. 

  91.             return new JWTToken(jwtToken);
    92. 

  92. 

  93.         return null;
    94. 

  94.     }
    95. 

  95. 

  96.     @Override
    97. 

  97.     protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
    98. 

  98.         
    99. 

  99.     	HttpServletRequest httpServletRequest = WebUtils.toHttp(servletRequest);
    100. 

  100.         HttpServletResponse httpResponse = WebUtils.toHttp(servletResponse);
    101. 

  101.         // 返回401
    102. 

  102.         httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    103. 

  103.         httpResponse.getOutputStream().println("401 UNAUTHORIZED");
    104. 

  104.         // 设置响应码为401或者直接输出消息
    105. 

  105.         String url = httpServletRequest.getRequestURI();
    106. 

  106.         log.error("onAccessDenied url:{}", url);
    107. 

  107. 

  108.     	return false;
    109. 

  109.     }
    110. 

  110. 

  111.     /**
    112. 

  112.           *  如果Shiro Login认证成功,会进入该方法,等同于用户名密码登录成功,我们这里还判断了是否要刷新Token
    113. 

  113.      */
    114. 

  114.     @Override
    115. 

  115.     protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {
    116. 

  116.         HttpServletResponse httpResponse = WebUtils.toHttp(response);
    117. 

  117.         String newToken = null;
    118. 

  118.         if(token instanceof JWTToken){
    119. 

  119.             JWTToken jwtToken = (JWTToken)token;
    120. 

  120.             UserDto user = (UserDto) subject.getPrincipal();
    121. 

  121.             boolean shouldRefresh = shouldTokenRefresh(JwtUtils.getIssuedAt(jwtToken.getToken()));
    122. 

  122.             if(shouldRefresh) {
    123. 

  123.                 newToken = userService.generateJwtToken(user.getUsername());
    124. 

  124.             }
    125. 

  125.         }
    126. 

  126.         if(!StringUtils.isEmpty(newToken))
    127. 

  127.             httpResponse.setHeader("x-auth-token", newToken);
    128. 

  128. 

  129.         return true;
    130. 

  130.     }
    131. 

  131. 

  132.     @Override
    133. 

  133.     protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
    134. 

  134.         log.error("Validate token fail, token:{}, error:{}", token.toString(), e.getMessage());
    135. 

  135.         return false;
    136. 

  136.     }
    137. 

  137. 

  138.     protected String getAuthzHeader(ServletRequest request) {
    139. 

  139.         HttpServletRequest httpRequest = WebUtils.toHttp(request);
    140. 

  140.         String header = httpRequest.getHeader("x-auth-token");
    141. 

  141.         if (StringUtils.startsWithIgnoreCase(header, "Bearer ")) {
    142. 

  142. 			return StringUtils.replace(header, "Bearer ", "");
    143. 

  143. 		}
    144. 

  144.         return header;
    145. 

  145.     }
    146. 

  146. 

  147.     protected boolean shouldTokenRefresh(Date issueAt){
    148. 

  148.         LocalDateTime issueTime = LocalDateTime.ofInstant(issueAt.toInstant(), ZoneId.systemDefault());
    149. 

  149.         return LocalDateTime.now().minusSeconds(tokenRefreshInterval).isAfter(issueTime);
    150. 

  150.     }
    151. 

  151. 

  152.     protected void fillCorsHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse){
    153. 

  153.         httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
    154. 

  154.         httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,HEAD");
    155. 

  155.         httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
    156. 

  156.     }
    157. 

  157. }
    158. 

  158.