| | |
|---|
| | | package com.genersoft.iot.vmp.conf.security; |
|---|
| | | |
|---|
| | | import com.genersoft.iot.vmp.conf.UserSetting; |
|---|
| | | import com.genersoft.iot.vmp.conf.security.dto.JwtUser; |
|---|
| | | import com.genersoft.iot.vmp.storager.dao.dto.Role; |
|---|
| | | import com.genersoft.iot.vmp.storager.dao.dto.User; |
|---|
| | | import org.apache.commons.lang3.StringUtils; |
|---|
| | | import org.springframework.beans.factory.annotation.Autowired; |
|---|
| | | import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; |
|---|
| | | import org.springframework.security.core.context.SecurityContextHolder; |
|---|
| | | import org.springframework.stereotype.Component; |
|---|
| | |
|---|
| | | public class JwtAuthenticationFilter extends OncePerRequestFilter { |
|---|
| | | |
|---|
| | | |
|---|
| | | @Autowired |
|---|
| | | private UserSetting userSetting; |
|---|
| | | |
|---|
| | | |
|---|
| | | @Override |
|---|
| | | protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { |
|---|
| | | |
|---|
| | | // 忽略登录请求的token验证 |
|---|
| | | String requestURI = request.getRequestURI(); |
|---|
| | | if (requestURI.equalsIgnoreCase("/api/user/login")) { |
|---|
| | | chain.doFilter(request, response); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | if (!userSetting.isInterfaceAuthentication()) { |
|---|
| | | UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null, new ArrayList<>() ); |
|---|
| | | SecurityContextHolder.getContext().setAuthentication(token); |
|---|
| | | chain.doFilter(request, response); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | String jwt = request.getHeader(JwtUtils.getHeader()); |
|---|
| | | // 这里如果没有jwt,继续往后走,因为后面还有鉴权管理器等去判断是否拥有身份凭证,所以是可以放行的 |
|---|
| | | // 没有jwt相当于匿名访问,若有一些接口是需要权限的,则不能访问这些接口 |
|---|
| | | if (StringUtils.isBlank(jwt)) { |
|---|
| | | chain.doFilter(request, response); |
|---|
| | | return; |
|---|
| | | jwt = request.getParameter(JwtUtils.getHeader()); |
|---|
| | | if (StringUtils.isBlank(jwt)) { |
|---|
| | | chain.doFilter(request, response); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | |
|---|
| | | JwtUser jwtUser = JwtUtils.verifyToken(jwt); |
|---|
| | | String username = jwtUser.getUserName(); |
|---|
| | |
|---|
| | | default: |
|---|
| | | } |
|---|
| | | |
|---|
| | | // String password = SecurityUtils.encryptPassword(jwtUser.getPassword()); |
|---|
| | | // user.setPassword(password); |
|---|
| | | |
|---|
| | | // 构建UsernamePasswordAuthenticationToken,这里密码为null,是因为提供了正确的JWT,实现自动登录 |
|---|
| | | UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, jwtUser.getPassword(), new ArrayList<>() ); |
|---|
| | | User user = new User(); |
|---|
| | | user.setUsername(jwtUser.getUserName()); |
|---|
| | | user.setPassword(jwtUser.getPassword()); |
|---|
| | | Role role = new Role(); |
|---|
| | | role.setId(jwtUser.getRoleId()); |
|---|
| | | user.setRole(role); |
|---|
| | | UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, jwtUser.getPassword(), new ArrayList<>() ); |
|---|
| | | SecurityContextHolder.getContext().setAuthentication(token); |
|---|
| | | chain.doFilter(request, response); |
|---|
| | | } |
|---|
