feat(security): 实现JWT认证并增强API安全控制

添加JWT依赖并实现token生成与验证功能在控制器方法上添加权限注解保护API端点更新安全配置以集成JWT过滤器移除无用的编码测试工具类修改JWT相关配置为更安全的设置
2025-11-03 16:14:53 +08:00
parent f6d1d719a9
commit 25eeab4940
16 changed files with 17549 additions and 2561 deletions
--- a/logs/web_project.log
+++ b/logs/web_project.log
--- a/logs/web_project.log.2025-10-26.0.gz
+++ b/logs/web_project.log.2025-10-26.0.gz
--- a/logs/web_project.log.2025-10-30.0.gz
+++ b/logs/web_project.log.2025-10-30.0.gz
--- a/logs/web_project.log.2025-10-31.0.gz
+++ b/logs/web_project.log.2025-10-31.0.gz
--- a/pom.xml
+++ b/pom.xml
@@ -81,6 +81,13 @@
            <version>0.18.2</version>
        </dependency>
        <!-- JWT依赖 -->
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.1</version>
        </dependency>
        <!-- JCache API -->
        <dependency>
            <groupId>javax.cache</groupId>
--- a/src/main/java/com/qf/myafterprojecy/config/JwtAuthenticationFilter.java
+++ b/src/main/java/com/qf/myafterprojecy/config/JwtAuthenticationFilter.java
@@ -0,0 +1,96 @@
 package com.qf.myafterprojecy.config;
 import com.qf.myafterprojecy.utils.JwtUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 /**
 * JWT认证过滤器，用于验证token并授权用户
 */
@Component
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
    @Autowired
    private JwtUtils jwtUtils;
    @Autowired
    private UserDetailsService userDetailsService;
    @Value("${jwt.header:Authorization}")
    private String tokenHeader;
    @Value("${jwt.token-prefix:Bearer}")
    private String tokenPrefix;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        try {
            // 获取token
            String token = getTokenFromRequest(request);
            System.out.println(token);
            if (token != null && validateToken(token)) {
                // 从token中获取用户名
                String username = jwtUtils.getUsernameFromToken(token);
                // 加载用户信息
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                // 创建认证对象
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // 设置认证信息到上下文
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        } catch (Exception e) {
            logger.error("无法设置用户认证: {}", e);
            SecurityContextHolder.clearContext();
        }
        filterChain.doFilter(request, response);
    }
    /**
     * 从请求头中获取token
     */
    private String getTokenFromRequest(HttpServletRequest request) {
        String bearerToken = request.getHeader(tokenHeader);
        if (bearerToken != null && bearerToken.startsWith(tokenPrefix + " ")) {
            return bearerToken.substring(tokenPrefix.length() + 1);
        }
        return null;
    }
    /**
     * 验证token
     */
    private boolean validateToken(String token) {
        try {
            String username = jwtUtils.getUsernameFromToken(token);
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            return jwtUtils.validateToken(token, userDetails);
        } catch (Exception e) {
            logger.error("无效的token: {}", e);
            return false;
        }
    }
 }
--- a/src/main/java/com/qf/myafterprojecy/config/SecurityConfig.java
+++ b/src/main/java/com/qf/myafterprojecy/config/SecurityConfig.java
@@ -32,6 +32,9 @@ public class SecurityConfig {
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    private JwtAuthenticationFilter jwtAuthenticationFilter;
    /**
     * 配置AuthenticationManager Bean
     * 使用AuthenticationConfiguration来获取认证管理器，这是更现代的方式
@@ -75,6 +78,9 @@ public class SecurityConfig {
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // 添加JWT认证过滤器
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        // 确保Spring Security不会添加额外的CharacterEncodingFilter
        // 因为我们在CharacterEncodingConfig中已经配置了自定义的过滤器
        http.addFilterBefore((request, response, chain) -> {
@@ -82,7 +88,7 @@ public class SecurityConfig {
            response.setCharacterEncoding("UTF-8");
            response.setContentType("text/html;charset=UTF-8");
            chain.doFilter(request, response);
-        }, UsernamePasswordAuthenticationFilter.class);
+        }, JwtAuthenticationFilter.class);
        return http.build();
    }
--- a/src/main/java/com/qf/myafterprojecy/controller/AuthController.java
+++ b/src/main/java/com/qf/myafterprojecy/controller/AuthController.java
@@ -1,6 +1,7 @@
 package com.qf.myafterprojecy.controller;
 import com.qf.myafterprojecy.config.ResponseMessage;
 import com.qf.myafterprojecy.utils.JwtUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -31,6 +32,9 @@ public class AuthController {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private JwtUtils jwtUtils;
    /**
     * 用户登录请求体
     */
@@ -77,11 +81,14 @@ public class AuthController {
            // 获取认证后的用户信息
            UserDetails userDetails = (UserDetails) authentication.getPrincipal();
            // 生成JWT token
            String token = jwtUtils.generateToken(userDetails);
            // 构建返回数据
            Map<String, Object> data = new HashMap<>();
            data.put("username", userDetails.getUsername());
            data.put("authorities", userDetails.getAuthorities());
-            // data.put("message", "登录成功");
+            data.put("token", token);
            data.put("tokenPrefix", jwtUtils.getTokenPrefix());
            return ResponseMessage.success(data, "登录成功");
--- a/src/main/java/com/qf/myafterprojecy/controller/CategoryAttributeController.java
+++ b/src/main/java/com/qf/myafterprojecy/controller/CategoryAttributeController.java
@@ -8,6 +8,7 @@ import com.qf.myafterprojecy.service.imp.ICategoryAttributeService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -53,6 +54,7 @@ public class CategoryAttributeController {
     * @return 创建结果
     */
    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Category_attribute> createAttribute(@Valid @RequestBody CategoryAttributeDto dto) {
        log.info("接收创建分类属性的请求: 分类ID={}, 属性名称={}", 
                dto.getCategoryid(), dto.getAttributename());
@@ -66,6 +68,7 @@ public class CategoryAttributeController {
     * @return 更新结果
     */
    @PutMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Category_attribute> updateAttribute(
            @PathVariable Integer id, 
            @Valid @RequestBody CategoryAttributeDto dto) {
@@ -80,6 +83,7 @@ public class CategoryAttributeController {
     * @return 删除结果
     */
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Boolean> deleteAttribute(@PathVariable Integer id) {
        log.info("接收删除分类属性的请求: ID={}", id);
        return categoryAttributeService.deleteCategoryAttribute(id);
--- a/src/main/java/com/qf/myafterprojecy/controller/CategoryController.java
+++ b/src/main/java/com/qf/myafterprojecy/controller/CategoryController.java
@@ -8,6 +8,7 @@ import com.qf.myafterprojecy.service.imp.ICategoryService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -55,6 +56,7 @@ public class CategoryController {
     * @return 返回创建结果
     */
    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Category> createCategory(@Valid @RequestBody CategoryDto categoryDto) {
        log.info("接收创建分类的请求: {}", categoryDto.getTypename());
        return categoryService.saveCategory(categoryDto);
@@ -67,6 +69,7 @@ public class CategoryController {
     * @return 返回更新结果
     */
    @PutMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Category> updateCategory(
            @PathVariable Integer id, 
            @Valid @RequestBody CategoryDto categoryDto) {
@@ -80,6 +83,7 @@ public class CategoryController {
     * @return 返回删除结果
     */
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Boolean> deleteCategory(@PathVariable Integer id) {
        log.info("接收删除分类的请求: {}", id);
        return categoryService.deleteCategory(id);
--- a/src/main/java/com/qf/myafterprojecy/controller/MessageController.java
+++ b/src/main/java/com/qf/myafterprojecy/controller/MessageController.java
@@ -8,6 +8,7 @@ import com.qf.myafterprojecy.service.imp.IMessageService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
@@ -87,6 +88,7 @@ public class MessageController {
     * 创建新消息
     */
    @PostMapping
    @PreAuthorize("isAuthenticated()")
    public ResponseMessage<Message> createMessage(@RequestBody MessageDto message) {
        logger.info("接收创建消息的请求: {}", message != null ? message.getNickname() : "null");
        return messageService.saveMessage(message);
@@ -101,6 +103,7 @@ public class MessageController {
     * 根据ID删除消息
     */
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN') or #id == authentication.principal.id")
    public ResponseMessage<Message> deleteMessage(@PathVariable Integer id) {
        logger.info("接收删除消息的请求: {}", id);
        return messageService.deleteMessage(id);
--- a/src/main/java/com/qf/myafterprojecy/controller/UserController.java
+++ b/src/main/java/com/qf/myafterprojecy/controller/UserController.java
@@ -8,6 +8,8 @@ import com.qf.myafterprojecy.service.imp.IUserService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
@@ -15,6 +17,7 @@ import java.util.List;
@RestController
@RequestMapping("/api/users")
@Validated
 public class UserController {
    private static final Logger logger = LoggerFactory.getLogger(UserController.class);
@@ -38,6 +41,7 @@ public class UserController {
     * @return 用户列表
     */
    @GetMapping
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<List<Users>> getAllUsers() {
        logger.info("获取所有用户列表");
        return userService.getAllUsers();
@@ -45,10 +49,10 @@ public class UserController {
    /**
     * 根据用户名获取用户信息
     * @param username 用户名
     * @return 用户信息
     */
    @GetMapping("/username/{username}")
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    public ResponseMessage<Users> getUserByUsername(@PathVariable String username) {
        logger.info("根据用户名获取用户信息，用户名: {}", username);
        return userService.getUserByUsername(username);
@@ -72,6 +76,7 @@ public class UserController {
     * @return 更新结果
     */
    @PutMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN') or #id == authentication.principal.id")
    public ResponseMessage<Users> updateUser(@PathVariable Long id, @Valid @RequestBody UserDto userDto) {
        logger.info("更新用户信息，用户ID: {}", id);
        return userService.updateUser(id, userDto);
@@ -83,6 +88,7 @@ public class UserController {
     * @return 删除结果
     */
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<Boolean> deleteUser(@PathVariable Long id) {
        logger.info("删除用户，用户ID: {}", id);
        return userService.deleteUser(id);
@@ -94,6 +100,7 @@ public class UserController {
     * @return 用户列表
     */
    @GetMapping("/role/{role}")
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseMessage<List<Users>> getUsersByRole(@PathVariable int role) {
        logger.info("根据角色查询用户列表，角色: {}", role);
        return userService.getUsersByRole(role);
--- a/src/main/java/com/qf/myafterprojecy/pojo/dto/ArticleDto.java
+++ b/src/main/java/com/qf/myafterprojecy/pojo/dto/ArticleDto.java
@@ -9,8 +9,7 @@ public class ArticleDto {
    @NotBlank(message = "标题不能为空")
    private String title;
-    @NotBlank(message = "内容不能为空")
+    private String content;// 如果为空说明是长篇文章 不为空则是短篇说说
    private String content;
    @NotNull(message = "属性ID不能为空")
    private Integer attributeid;
@@ -23,8 +22,7 @@ public class ArticleDto {
    private Integer status;
-    @NotBlank(message = "Markdown内容不能为空")
+    private String markdownscontent; // 文章内容的Markdown格式
    private String markdownscontent;
    // Getters and Setters
    public Integer getArticleid() {
--- a/src/main/java/com/qf/myafterprojecy/util/EncodingTestUtil.java
+++ b/src/main/java/com/qf/myafterprojecy/util/EncodingTestUtil.java
@@ -1,38 +0,0 @@
 // package com.qf.myafterprojecy.util;
 // import org.slf4j.Logger;
 // import org.slf4j.LoggerFactory;
 // import org.springframework.stereotype.Component;
 // import javax.annotation.PostConstruct;
 // /**
 //  * 编码测试工具类
 //  * 用于验证系统编码配置是否正确，解决中文乱码问题
 //  */
 // @Component
 // public class EncodingTestUtil {
 //     private static final Logger logger = LoggerFactory.getLogger(EncodingTestUtil.class);
 //     /**
 //      * 在Bean初始化时执行编码测试
 //      * 验证日志系统是否能正确输出中文
 //      */
 //     @PostConstruct
 //     public void testEncoding() {
 //         // 输出系统编码信息
 //         logger.info("===== 系统编码测试开始 =====");
 //         logger.info("默认字符编码: {}", java.nio.charset.Charset.defaultCharset());
 //         logger.info("file.encoding: {}", System.getProperty("file.encoding"));
 //         logger.info("sun.stdout.encoding: {}", System.getProperty("sun.stdout.encoding"));
 //         logger.info("sun.stderr.encoding: {}", System.getProperty("sun.stderr.encoding"));
 //         // 测试中文字符输出
 //         logger.info("中文测试 - 这是一条测试日志，用于验证中文是否正常显示");
 //         logger.warn("中文警告测试 - 这是一条警告日志，用于验证中文是否正常显示");
 //         logger.error("中文错误测试 - 这是一条错误日志，用于验证中文是否正常显示");
 //         logger.info("===== 系统编码测试结束 =====");
 //     }
 // }
--- a/src/main/java/com/qf/myafterprojecy/utils/JwtUtils.java
+++ b/src/main/java/com/qf/myafterprojecy/utils/JwtUtils.java
@@ -0,0 +1,103 @@
 package com.qf.myafterprojecy.utils;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Function;
 /**
 * JWT工具类，用于生成和验证token
 */
@Component
 public class JwtUtils {
    @Value("${jwt.secret:default_secret_key_for_development}")
    private String secret;
    @Value("${jwt.expiration:86400000}")
    private long expiration;
    @Value("${jwt.token-prefix:Bearer}")
    private String tokenPrefix;
    /**
     * 从token中获取用户名
     */
    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }
    /**
     * 从token中获取过期时间
     */
    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }
    /**
     * 从token中获取指定的claim
     */
    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = getAllClaimsFromToken(token);
        return claimsResolver.apply(claims);
    }
    /**
     * 获取token中的所有claims
     */
    private Claims getAllClaimsFromToken(String token) {
        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
    }
    /**
     * 检查token是否过期
     */
    private Boolean isTokenExpired(String token) {
        final Date expiration = getExpirationDateFromToken(token);
        return expiration.before(new Date());
    }
    /**
     * 生成token
     */
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("authorities", userDetails.getAuthorities());
        return doGenerateToken(claims, userDetails.getUsername());
    }
    /**
     * 生成token的核心方法
     */
    private String doGenerateToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + expiration))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }
    /**
     * 验证token
     */
    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = getUsernameFromToken(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }
    /**
     * 获取token前缀
     */
    public String getTokenPrefix() {
        return tokenPrefix;
    }
 }
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -72,10 +72,10 @@ management.endpoint.health.show-details=when_authorized
 management.metrics.export.prometheus.enabled=true
 # JWT配置 - 生产环境应使用更安全的密钥和环境变量
-jwt.secret=mySecretKey
+jwt.secret=myAfterProjectSecretKey2024SecureJwtTokenGeneration
 jwt.expiration=86400000
 jwt.header=Authorization
-jwt.token-prefix=Bearer 
+jwt.token-prefix=Bearer
 # CORS配置 - 生产环境应限制允许的源
 cors.allowed-origins=http://localhost:3000