feat(security): 实现JWT认证并增强API安全控制

添加JWT依赖并实现token生成与验证功能在控制器方法上添加权限注解保护API端点更新安全配置以集成JWT过滤器移除无用的编码测试工具类修改JWT相关配置为更安全的设置
2025-11-03 16:14:53 +08:00
parent f6d1d719a9
commit 25eeab4940
16 changed files with 17549 additions and 2561 deletions
--- a/src/main/java/com/qf/myafterprojecy/utils/JwtUtils.java
+++ b/src/main/java/com/qf/myafterprojecy/utils/JwtUtils.java
@@ -0,0 +1,103 @@
+package com.qf.myafterprojecy.utils;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Component;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.function.Function;
+
+/**
+ * JWT工具类，用于生成和验证token
+ */
+@Component
+public class JwtUtils {
+
+    @Value("${jwt.secret:default_secret_key_for_development}")
+    private String secret;
+
+    @Value("${jwt.expiration:86400000}")
+    private long expiration;
+
+    @Value("${jwt.token-prefix:Bearer}")
+    private String tokenPrefix;
+
+    /**
+     * 从token中获取用户名
+     */
+    public String getUsernameFromToken(String token) {
+        return getClaimFromToken(token, Claims::getSubject);
+    }
+
+    /**
+     * 从token中获取过期时间
+     */
+    public Date getExpirationDateFromToken(String token) {
+        return getClaimFromToken(token, Claims::getExpiration);
+    }
+
+    /**
+     * 从token中获取指定的claim
+     */
+    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
+        final Claims claims = getAllClaimsFromToken(token);
+        return claimsResolver.apply(claims);
+    }
+
+    /**
+     * 获取token中的所有claims
+     */
+    private Claims getAllClaimsFromToken(String token) {
+        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
+    }
+
+    /**
+     * 检查token是否过期
+     */
+    private Boolean isTokenExpired(String token) {
+        final Date expiration = getExpirationDateFromToken(token);
+        return expiration.before(new Date());
+    }
+
+    /**
+     * 生成token
+     */
+    public String generateToken(UserDetails userDetails) {
+        Map<String, Object> claims = new HashMap<>();
+        claims.put("authorities", userDetails.getAuthorities());
+        return doGenerateToken(claims, userDetails.getUsername());
+    }
+
+    /**
+     * 生成token的核心方法
+     */
+    private String doGenerateToken(Map<String, Object> claims, String subject) {
+        return Jwts.builder()
+                .setClaims(claims)
+                .setSubject(subject)
+                .setIssuedAt(new Date(System.currentTimeMillis()))
+                .setExpiration(new Date(System.currentTimeMillis() + expiration))
+                .signWith(SignatureAlgorithm.HS512, secret)
+                .compact();
+    }
+
+    /**
+     * 验证token
+     */
+    public Boolean validateToken(String token, UserDetails userDetails) {
+        final String username = getUsernameFromToken(token);
+        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
+    }
+
+    /**
+     * 获取token前缀
+     */
+    public String getTokenPrefix() {
+        return tokenPrefix;
+    }
+}