guzijian / wvp-GB28181-pro · Commits

Commit e8b2ca46862565b7b6d2f05c3f45f7873afe044e

Authored by xubinbin
1 parent dc37f667

将生成jwt令牌和验证jwt令牌时使用的公钥私钥由固定值修改为每次启动服务时动态生产;剔除jwt token中包含的password和roleId,防止密码泄露。

Inline Side-by-side
Showing 2 changed files with 54 additions and 33 deletions
src/main/java/com/genersoft/iot/vmp/conf/security/JwtUtils.java
  View file @e8b2ca4
1 1 package com.genersoft.iot.vmp.conf.security;
2 2  
3 3 import com.genersoft.iot.vmp.conf.security.dto.JwtUser;
4   -import org.jose4j.json.JsonUtil;
  4 +import com.genersoft.iot.vmp.service.IUserService;
  5 +import com.genersoft.iot.vmp.storager.dao.dto.User;
5 6 import org.jose4j.jwk.RsaJsonWebKey;
  7 +import org.jose4j.jwk.RsaJwkGenerator;
6 8 import org.jose4j.jws.AlgorithmIdentifiers;
7 9 import org.jose4j.jws.JsonWebSignature;
8 10 import org.jose4j.jwt.JwtClaims;
... ... @@ -14,45 +16,69 @@ import org.jose4j.jwt.consumer.JwtConsumerBuilder;
14 16 import org.jose4j.lang.JoseException;
15 17 import org.slf4j.Logger;
16 18 import org.slf4j.LoggerFactory;
  19 +import org.springframework.beans.factory.InitializingBean;
  20 +import org.springframework.stereotype.Component;
17 21  
18   -import java.security.PrivateKey;
  22 +import javax.annotation.Resource;
19 23 import java.time.LocalDateTime;
20 24 import java.time.ZoneOffset;
21 25  
22   -public class JwtUtils {
  26 +@Component
  27 +public class JwtUtils implements InitializingBean {
23 28  
24 29 private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);
25 30  
26 31 private static final String HEADER = "access-token";
27   - private static final String AUDIENCE = "Audience";
28 32  
29   - private static final long EXPIRED_THRESHOLD = 10 * 60;
  33 + private static final String AUDIENCE = "Audience";
30 34  
31 35 private static final String keyId = "3e79646c4dbc408383a9eed09f2b85ae";
32   - private static final String privateKeyStr = "{\"kty\":\"RSA\",\"kid\":\"3e79646c4dbc408383a9eed09f2b85ae\",\"alg\":\"RS256\",\"n\":\"gndmVdiOTSJ5et2HIeTM5f1m61x5ojLUi5HDfvr-jRrESQ5kbKuySGHVwR4QhwinpY1wQqBnwc80tx7cb_6SSqsTOoGln6T_l3k2Pb54ClVnGWiW_u1kmX78V2TZOsVmZmwtdZCMi-2zWIyAdIEXE-gncIehoAgEoq2VAhaCURbJWro_EwzzQwNmCTkDodLAx4npXRd_qSu0Ayp0txym9OFovBXBULRvk4DPiy3i_bPUmCDxzC46pTtFOe9p82uybTehZfULZtXXqRm85FL9n5zkrsTllPNAyEGhgb0RK9sE5nK1m_wNNysDyfLC4EFf1VXTrKm14XNVjc2vqLb7Mw\",\"e\":\"AQAB\",\"d\":\"ed7U_k3rJ4yTk70JtRSIfjKGiEb67BO1TabcymnljKO7RU8nage84zZYuSu_XpQsHk6P1f0Gzxkicghm_Er-FrfVn2pp70Xu52z3yRd6BJUgWLDFk97ngScIyw5OiULKU9SrZk2frDpftNCSUcIgb50F8m0QAnBa_CdPsQKbuuhLv8V8tBAV7F_lAwvSBgu56wRo3hPz5dWH8YeXM7XBfQ9viFMNEKd21sP_j5C7ueUnXT66nBxe3ZJEU3iuMYM6D6dB_KW2GfZC6WmTgvGhhxJD0h7aYmfjkD99MDleB7SkpbvoODOqiQ5Epb7Nyh6kv5u4KUv2CJYtATLZkUeMkQ\",\"p\":\"uBUjWPWtlGksmOqsqCNWksfqJvMcnP_8TDYN7e4-WnHL4N-9HjRuPDnp6kHvCIEi9SEfxm7gNxlRcWegvNQr3IZCz7TnCTexXc5NOklB9OavWFla6u-s3Thn6Tz45-EUjpJr0VJMxhO-KxGmuTwUXBBp4vN6K2qV6rQNFmgkWzk\",\"q\":\"tW_i7cCec56bHkhITL_79dXHz_PLC_f7xlynmlZJGU_d6mqOKmLBNBbTMLnYW8uAFiFzWxDeDHh1o5uF0mSQR-Z1Fg35OftnpbWpy0Cbc2la5WgXQjOwtG1eLYIY2BD3-wQ1VYDBCvowr4FDi-sngxwLqvwmrJ0xjhi99O-Gzcs\",\"dp\":\"q1d5jE85Hz_6M-eTh_lEluEf0NtPEc-vvhw-QO4V-cecNpbrCBdTWBmr4dE3NdpFeJc5ZVFEv-SACyei1MBEh0ItI_pFZi4BmMfy2ELh8ptaMMkTOESYyVy8U7veDq9RnBcr5i1Nqr0rsBkA77-9T6gzdvycBZdzLYAkAmwzEvk\",\"dq\":\"q29A2K08Crs-jmp2Bi8Q_8QzvIX6wSBbwZ4ir24AO-5_HNP56IrPS0yV2GCB0pqCOGb6_Hz_koDvhtuYoqdqvMVAtMoXR3YJBUaVXPt65p4RyNmFwIPe31zHs_BNUTsXVRMw4c16mci03-Af1sEm4HdLfxAp6sfM3xr5wcnhcek\",\"qi\":\"rHPgVTyHUHuYzcxfouyBfb1XAY8nshwn0ddo81o1BccD4Z7zo5It6SefDHjxCAbcmbiCcXBSooLcY-NF5FMv3fg19UE21VyLQltHcVjRRp2tRs4OHcM8yaXIU2x6N6Z6BP2tOksHb9MOBY1wAQzFOAKg_G4Sxev6-_6ud6RISuc\"}";
33   - private static final String publicKeyStr = "{\"kty\":\"RSA\",\"kid\":\"3e79646c4dbc408383a9eed09f2b85ae\",\"alg\":\"RS256\",\"n\":\"gndmVdiOTSJ5et2HIeTM5f1m61x5ojLUi5HDfvr-jRrESQ5kbKuySGHVwR4QhwinpY1wQqBnwc80tx7cb_6SSqsTOoGln6T_l3k2Pb54ClVnGWiW_u1kmX78V2TZOsVmZmwtdZCMi-2zWIyAdIEXE-gncIehoAgEoq2VAhaCURbJWro_EwzzQwNmCTkDodLAx4npXRd_qSu0Ayp0txym9OFovBXBULRvk4DPiy3i_bPUmCDxzC46pTtFOe9p82uybTehZfULZtXXqRm85FL9n5zkrsTllPNAyEGhgb0RK9sE5nK1m_wNNysDyfLC4EFf1VXTrKm14XNVjc2vqLb7Mw\",\"e\":\"AQAB\"}";
34 36  
35 37 /**
36 38 * token过期时间(分钟)
37 39 */
38 40 public static final long expirationTime = 30 * 24 * 60;
39 41  
40   - public static String createToken(String username, String password, Integer roleId) {
  42 + private static RsaJsonWebKey rsaJsonWebKey;
  43 +
  44 + private static IUserService userService;
  45 +
  46 + @Resource
  47 + public void setUserService(IUserService userService) {
  48 + JwtUtils.userService = userService;
  49 + }
  50 +
  51 + @Override
  52 + public void afterPropertiesSet() {
41 53 try {
42   - /**
  54 + rsaJsonWebKey = generateRsaJsonWebKey();
  55 + } catch (JoseException e) {
  56 + logger.error("生成RsaJsonWebKey报错。", e);
  57 + }
  58 + }
  59 +
  60 + /**
  61 + * 创建密钥对
  62 + * @throws JoseException JoseException
  63 + */
  64 + private RsaJsonWebKey generateRsaJsonWebKey() throws JoseException {
  65 + // 生成一个RSA密钥对,该密钥对将用于JWT的签名和验证,包装在JWK中
  66 + RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
  67 + // 给JWK一个密钥ID
  68 + rsaJsonWebKey.setKeyId(keyId);
  69 + return rsaJsonWebKey;
  70 + }
  71 +
  72 + public static String createToken(String username) {
  73 + try {
  74 + /*
43 75 * “iss” (issuer) 发行人
44   - *
45 76 * “sub” (subject) 主题
46   - *
47 77 * “aud” (audience) 接收方 用户
48   - *
49 78 * “exp” (expiration time) 到期时间
50   - *
51 79 * “nbf” (not before) 在此之前不可用
52   - *
53 80 * “iat” (issued at) jwt的签发时间
54 81 */
55   - //Payload
56 82 JwtClaims claims = new JwtClaims();
57 83 claims.setGeneratedJwtId();
58 84 claims.setIssuedAtToNow();
... ... @@ -62,9 +88,7 @@ public class JwtUtils {
62 88 claims.setSubject("login");
63 89 claims.setAudience(AUDIENCE);
64 90 //添加自定义参数,必须是字符串类型
65   - claims.setClaim("username", username);
66   - claims.setClaim("password", password);
67   - claims.setClaim("roleId", roleId);
  91 + claims.setClaim("userName", username);
68 92  
69 93 //jws
70 94 JsonWebSignature jws = new JsonWebSignature();
... ... @@ -73,12 +97,10 @@ public class JwtUtils {
73 97 jws.setKeyIdHeaderValue(keyId);
74 98 jws.setPayload(claims.toJson());
75 99  
76   - PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyStr)).getPrivateKey();
77   - jws.setKey(privateKey);
  100 + jws.setKey(rsaJsonWebKey.getPrivateKey());
78 101  
79 102 //get token
80   - String idToken = jws.getCompactSerialization();
81   - return idToken;
  103 + return jws.getCompactSerialization();
82 104 } catch (JoseException e) {
83 105 logger.error("[Token生成失败]: {}", e.getMessage());
84 106 }
... ... @@ -90,7 +112,6 @@ public class JwtUtils {
90 112 return HEADER;
91 113 }
92 114  
93   -
94 115 public static JwtUser verifyToken(String token) {
95 116  
96 117 JwtUser jwtUser = new JwtUser();
... ... @@ -103,7 +124,7 @@ public class JwtUtils {
103 124 .setRequireSubject()
104 125 //.setExpectedIssuer("")
105 126 .setExpectedAudience(AUDIENCE)
106   - .setVerificationKey(new RsaJsonWebKey(JsonUtil.parseJson(publicKeyStr)).getPublicKey())
  127 + .setVerificationKey(rsaJsonWebKey.getPublicKey())
107 128 .build();
108 129  
109 130 JwtClaims claims = consumer.processToClaims(token);
... ... @@ -113,26 +134,26 @@ public class JwtUtils {
113 134 long timeRemaining = LocalDateTime.now().toEpochSecond(ZoneOffset.ofHours(8)) - expirationTime.getValue();
114 135 if (timeRemaining < 5 * 60) {
115 136 jwtUser.setStatus(JwtUser.TokenStatus.EXPIRING_SOON);
116   - }else {
  137 + } else {
117 138 jwtUser.setStatus(JwtUser.TokenStatus.NORMAL);
118 139 }
119 140  
120   - String username = (String) claims.getClaimValue("username");
121   - String password = (String) claims.getClaimValue("password");
122   - Long roleId = (Long) claims.getClaimValue("roleId");
  141 + String username = (String) claims.getClaimValue("userName");
  142 + User user = userService.getUserByUsername(username);
  143 +
123 144 jwtUser.setUserName(username);
124   - jwtUser.setPassword(password);
125   - jwtUser.setRoleId(roleId.intValue());
  145 + jwtUser.setPassword(user.getPassword());
  146 + jwtUser.setRoleId(user.getRole().getId());
126 147  
127 148 return jwtUser;
128 149 } catch (InvalidJwtException e) {
129 150 if (e.hasErrorCode(ErrorCodes.EXPIRED)) {
130 151 jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
131   - }else {
  152 + } else {
132 153 jwtUser.setStatus(JwtUser.TokenStatus.EXCEPTION);
133 154 }
134 155 return jwtUser;
135   - }catch (Exception e) {
  156 + } catch (Exception e) {
136 157 logger.error("[Token解析失败]: {}", e.getMessage());
137 158 jwtUser.setStatus(JwtUser.TokenStatus.EXPIRED);
138 159 return jwtUser;
... ...
src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
  View file @e8b2ca4
... ... @@ -57,7 +57,7 @@ public class UserController {
57 57 if (user == null) {
58 58 throw new ControllerException(ErrorCode.ERROR100.getCode(), "用户名或密码错误");
59 59 }else {
60   - String jwt = JwtUtils.createToken(username, password, user.getRole().getId());
  60 + String jwt = JwtUtils.createToken(username);
61 61 response.setHeader(JwtUtils.getHeader(), jwt);
62 62 user.setAccessToken(jwt);
63 63 }
... ...