Fix #381 fix findbugs

water.lyl 2019-01-14 23:21:32 +08:00
parent 65f2ab2d2c
commit c9d32ed260
6 changed files with 63 additions and 41 deletions


@ -16,9 +16,9 @@
package com.alibaba.nacos.console.config;
import com.alibaba.nacos.console.filter.JwtAuthenticationTokenFilter;
import com.alibaba.nacos.console.security.CustomUserDetailsService;
import com.alibaba.nacos.console.security.CustomUserDetailsServiceImpl;
import com.alibaba.nacos.console.security.JwtAuthenticationEntryPoint;
import com.alibaba.nacos.console.utils.JWTTokenUtils;
import com.alibaba.nacos.console.utils.JwtTokenUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -48,14 +48,16 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public static final String AUTHORIZATION_TOKEN = "access_token";
public static final String SECURITY_IGNORE_URLS_SPILT_CHAR = ",";
@Autowired
private CustomUserDetailsService userDetailsService;
private CustomUserDetailsServiceImpl userDetailsService;
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private JWTTokenUtils tokenProvider;
private JwtTokenUtils tokenProvider;
@Autowired
private Environment env;
@ -74,7 +76,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) {
String ignoreURLs = env.getProperty("nacos.security.ignore.urls", "/**");
for (String ignoreURL : ignoreURLs.trim().split(",")) {
for (String ignoreURL : ignoreURLs.trim().split(SECURITY_IGNORE_URLS_SPILT_CHAR)) {
web.ignoring().antMatchers(ignoreURL.trim());
}
}
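Review bot: The new constant `SECURITY_IGNORE_URLS_SPILT_CHAR` at the top of the hunk is misspelled, and since it is `public static final` the typo becomes part of the class's API as soon as other code references it; rename it to `SECURITY_IGNORE_URLS_SPLIT_CHAR` now. It is also handed to `String.split`, which treats its argument as a regular expression, so "CHAR" understates what the value must satisfy — a one-line Javadoc such as `/** Separator for nacos.security.ignore.urls; passed to String.split, so it is interpreted as a regex. */` would stop a later maintainer from swapping in a metacharacter like `|`. The `"/**"` default on the line above the loop is unchanged by this commit, but it appears to exempt every path from the security filter chain when the property is absent, which deserves a comment at the declaration so the fallback is a deliberate choice rather than a surprise.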


@ -17,7 +17,7 @@ package com.alibaba.nacos.console.controller;
import com.alibaba.nacos.console.config.WebSecurityConfig;
import com.alibaba.nacos.config.server.model.RestResult;
import com.alibaba.nacos.console.utils.JWTTokenUtils;
import com.alibaba.nacos.console.utils.JwtTokenUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@ -40,12 +40,10 @@ import javax.servlet.http.HttpServletResponse;
public class AuthController {
@Autowired
private JWTTokenUtils jwtTokenUtils;
private JwtTokenUtils jwtTokenUtils;
@Autowired
private AuthenticationManager authenticationManager;
private static final Logger logger = LoggerFactory.getLogger(AuthController.class);
/**
* Whether the Nacos is in broken states or not, and cannot recover except by being restarted
*


@ -16,9 +16,7 @@
package com.alibaba.nacos.console.filter;
import com.alibaba.nacos.console.config.WebSecurityConfig;
import com.alibaba.nacos.console.utils.JWTTokenUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.alibaba.nacos.console.utils.JwtTokenUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.StringUtils;
@ -37,11 +35,11 @@ import java.io.IOException;
*/
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
private static final String TOKEN_PREFIX = "Bearer ";
private JWTTokenUtils tokenProvider;
private JwtTokenUtils tokenProvider;
public JwtAuthenticationTokenFilter(JWTTokenUtils tokenProvider) {
public JwtAuthenticationTokenFilter(JwtTokenUtils tokenProvider) {
this.tokenProvider = tokenProvider;
}
@ -51,9 +49,13 @@ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
if (!StringUtils.isEmpty(jwt.trim()) && SecurityContextHolder.getContext().getAuthentication() == null) {
if (this.tokenProvider.validateToken(jwt)) {
//获取用户认证信息
/**
* get auth info
*/
Authentication authentication = this.tokenProvider.getAuthentication(jwt);
//将用户保存到SecurityContext
/**
* save user info to securityContext
*/
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
@ -61,14 +63,14 @@ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
chain.doFilter(request, response);
}
/**
* Get token from header
*/
private String resolveToken(HttpServletRequest request) {
//从HTTP头部获取TOKEN
String bearerToken = request.getHeader(WebSecurityConfig.AUTHORIZATION_HEADER);
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
//返回Token字符串去除Bearer
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith(TOKEN_PREFIX)) {
return bearerToken.substring(7, bearerToken.length());
}
//从请求参数中获取TOKEN
String jwt = request.getParameter(WebSecurityConfig.AUTHORIZATION_TOKEN);
if (StringUtils.hasText(jwt)) {
return jwt;
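Review bot: `bearerToken.substring(7, bearerToken.length())` in resolveToken still hard-codes the prefix length even though the same hunk introduces `TOKEN_PREFIX` for the `startsWith` check; use `return bearerToken.substring(TOKEN_PREFIX.length());` so the constant and the offset cannot drift apart. In the earlier hunk the new `/** get auth info */` and `/** save user info to securityContext */` blocks sit inside the filter method's body (its signature is outside the hunk) where Javadoc attaches to nothing; they should be plain `//` line comments like the Chinese ones they replace. resolveToken continues past the end of this hunk.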


@ -32,7 +32,7 @@ import org.springframework.stereotype.Component;
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired
private CustomUserDetailsService userDetailsService;
private CustomUserDetailsServiceImpl userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {


@ -30,14 +30,13 @@ import org.springframework.stereotype.Service;
* @author wfnuser
*/
@Service
public class CustomUserDetailsService implements UserDetailsService {
public class CustomUserDetailsServiceImpl implements UserDetailsService {
@Autowired
private transient PersistService persistService;
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
// 持久层写一个获取用户信息的sql
User user = persistService.findUserByUsername(userName);
if (user == null) {
throw new UsernameNotFoundException(userName);


@ -36,16 +36,20 @@ import java.util.List;
* @author wfnuser
*/
@Component
public class JWTTokenUtils {
public class JwtTokenUtils {
private final Logger log = LoggerFactory.getLogger(JWTTokenUtils.class);
private final Logger log = LoggerFactory.getLogger(JwtTokenUtils.class);
private static final String AUTHORITIES_KEY = "auth";
// 签名密钥
/**
* secret key
*/
private String secretKey;
// 失效日期
/**
* Token validity time(ms)
*/
private long tokenValidityInMilliseconds;
@PostConstruct
@ -54,15 +58,26 @@ public class JWTTokenUtils {
this.tokenValidityInMilliseconds = 1000 * 60 * 30L;
}
// 创建Token
/**
* Create token
*
* @param authentication auth info
* @return token
*/
public String createToken(Authentication authentication) {
// 获取当前时间戳
/**
* Current time
*/
long now = (new Date()).getTime();
// 存放过期时间
/**
* Validity date
*/
Date validity;
validity = new Date(now + this.tokenValidityInMilliseconds);
// 创建Token令牌
/**
* create token
*/
return Jwts.builder()
.setSubject(authentication.getName())
.claim(AUTHORITIES_KEY, "")
@ -71,9 +86,16 @@ public class JWTTokenUtils {
.compact();
}
// 获取用户权限
/**
* Get auth Info
*
* @param token token
* @return auth info
*/
public Authentication getAuthentication(String token) {
// 解析Token的payload
/**
* parse the payload of token
*/
Claims claims = Jwts.parser()
.setSigningKey(secretKey)
.parseClaimsJws(token)
@ -86,30 +108,29 @@ public class JWTTokenUtils {
return new UsernamePasswordAuthenticationToken(principal, "", authorities);
}
//验证Token是否正确
/**
* validate token
*
* @param token token
* @return whether valid
*/
public boolean validateToken(String token) {
try {
//通过密钥验证Token
Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token);
return true;
} catch (SignatureException e) {
//签名异常
log.info("Invalid JWT signature.");
log.trace("Invalid JWT signature trace: {}", e);
} catch (MalformedJwtException e) {
//JWT格式错误
log.info("Invalid JWT token.");
log.trace("Invalid JWT token trace: {}", e);
} catch (ExpiredJwtException e) {
//JWT过期
log.info("Expired JWT token.");
log.trace("Expired JWT token trace: {}", e);
} catch (UnsupportedJwtException e) {
//不支持该JWT
log.info("Unsupported JWT token.");
log.trace("Unsupported JWT token trace: {}", e);
} catch (IllegalArgumentException e) {
//参数错误异常
log.info("JWT token compact of handler are invalid.");
log.trace("JWT token compact of handler are invalid trace: {}", e);
}