JWT 密钥强度问题修复

2025-10-15 00:35:19 +08:00
parent 31e61cf571
commit faab6d300c
2 changed files with 48 additions and 7 deletions
--- a/src/main/java/com/light/delivery/config/RequestLogInterceptor.java
+++ b/src/main/java/com/light/delivery/config/RequestLogInterceptor.java
@@ -14,15 +14,19 @@ public class RequestLogInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
-        // 关键：将请求转换为 ContentCachingRequestWrapper 类型
-        ContentCachingRequestWrapper wrappedRequest = (ContentCachingRequestWrapper) request;
+        // 安全地处理请求包装器
+        String body = "[无法读取请求体]";
+        if (request instanceof ContentCachingRequestWrapper) {
+            ContentCachingRequestWrapper wrappedRequest = (ContentCachingRequestWrapper) request;
+            body = getRequestBody(wrappedRequest);
+        }

        logger.debug("\n=== 收到请求 ===\nMethod: {}\nURI: {}\nParams: {}\nHeaders: {}\nBody: {}",
                request.getMethod(),
                request.getRequestURI(),
                request.getQueryString(),
                getHeadersAsString(request),
-                getRequestBody(wrappedRequest)); // 传入包装后的请求
+                body);
        return true;
    }

--- a/src/main/java/com/light/delivery/util/JwtUtil.java
+++ b/src/main/java/com/light/delivery/util/JwtUtil.java
@@ -34,6 +34,23 @@ public class JwtUtil {
    @Value("${jwt.expiration}")
    private Long expiration;

+    /**
+     * 用于签名JWT的安全密钥
+     */
+    private SecretKey secretKey;
+
+    /**
+     * 在初始化时根据配置的密钥创建安全的SecretKey
+     */
+    public void init() {
+        if (secret != null && !secret.isEmpty()) {
+            // 如果配置了密钥，则使用它创建SecretKey
+            secretKey = Keys.hmacShaKeyFor(secret.getBytes());
+        } else {
+            // 否则生成一个随机的安全密钥
+            secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS512);
+        }
+    }

    /**
     * 生成一个安全的随机密钥，并打印其Base64编码字符串（用于配置到配置文件中）
@@ -69,12 +86,17 @@ public class JwtUtil {
     * @return Token 字符串
     */
    private String createToken(Map<String, Object> claims, String subject) {
+        // 确保secretKey已初始化
+        if (secretKey == null) {
+            init();
+        }
+        
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
-                .signWith(SignatureAlgorithm.HS512, secret)
+                .signWith(secretKey)
                .compact();
    }

@@ -89,8 +111,14 @@ public class JwtUtil {
            throw new IllegalArgumentException("Token cannot be null");
        }
        
-        Claims claims = Jwts.parser()
-                .setSigningKey(secret) // secret 为你的 JWT 密钥
+        // 确保secretKey已初始化
+        if (secretKey == null) {
+            init();
+        }
+        
+        Claims claims = Jwts.parserBuilder()
+                .setSigningKey(secretKey)
+                .build()
                .parseClaimsJws(token.replace("Bearer ", ""))
                .getBody();
        return claims.getSubject(); // subject 通常存储用户名
@@ -157,7 +185,16 @@ public class JwtUtil {
     * @return 声明信息
     */
    private Claims extractAllClaims(String token) {
-        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
+        // 确保secretKey已初始化
+        if (secretKey == null) {
+            init();
+        }
+        
+        return Jwts.parserBuilder()
+                .setSigningKey(secretKey)
+                .build()
+                .parseClaimsJws(token)
+                .getBody();
    }

    /**