root/light
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

JWT 密钥强度问题修复
All checks were successful
构建并部署 Spring Boot 应用 / build-and-deploy (push) Successful in 10m58s
Details

Browse Source
This commit is contained in:
Doubleyin
2025-10-15 00:35:19 +08:00
parent 31e61cf571
commit faab6d300c
2 changed files with 48 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/main/java/com/light/delivery/config/RequestLogInterceptor.java
View File

@@ -14,15 +14,19 @@ public class RequestLogInterceptor implements HandlerInterceptor {
@Override @Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) { public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
// 关键:将请求转换为 ContentCachingRequestWrapper 类型 // 安全地处理请求包装器
ContentCachingRequestWrapper wrappedRequest = (ContentCachingRequestWrapper) request; String body = "[无法读取请求体]";
if (request instanceof ContentCachingRequestWrapper) {
ContentCachingRequestWrapper wrappedRequest = (ContentCachingRequestWrapper) request;
body = getRequestBody(wrappedRequest);
}
logger.debug("\n=== 收到请求 ===\nMethod: {}\nURI: {}\nParams: {}\nHeaders: {}\nBody: {}", logger.debug("\n=== 收到请求 ===\nMethod: {}\nURI: {}\nParams: {}\nHeaders: {}\nBody: {}",
request.getMethod(), request.getMethod(),
request.getRequestURI(), request.getRequestURI(),
request.getQueryString(), request.getQueryString(),
getHeadersAsString(request), getHeadersAsString(request),
getRequestBody(wrappedRequest)); // 传入包装后的请求 body);
return true; return true;
} }

45
src/main/java/com/light/delivery/util/JwtUtil.java
View File

@@ -34,6 +34,23 @@ public class JwtUtil {
@Value("${jwt.expiration}") @Value("${jwt.expiration}")
private Long expiration; private Long expiration;
/**
* 用于签名JWT的安全密钥
*/
private SecretKey secretKey;
/**
* 在初始化时根据配置的密钥创建安全的SecretKey
*/
public void init() {
if (secret != null && !secret.isEmpty()) {
// 如果配置了密钥则使用它创建SecretKey
secretKey = Keys.hmacShaKeyFor(secret.getBytes());
} else {
// 否则生成一个随机的安全密钥
secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS512);
}
}
/** /**
* 生成一个安全的随机密钥并打印其Base64编码字符串用于配置到配置文件中 * 生成一个安全的随机密钥并打印其Base64编码字符串用于配置到配置文件中
@@ -69,12 +86,17 @@ public class JwtUtil {
* @return Token 字符串 * @return Token 字符串
*/ */
private String createToken(Map<String, Object> claims, String subject) { private String createToken(Map<String, Object> claims, String subject) {
// 确保secretKey已初始化
if (secretKey == null) {
init();
}
return Jwts.builder() return Jwts.builder()
.setClaims(claims) .setClaims(claims)
.setSubject(subject) .setSubject(subject)
.setIssuedAt(new Date(System.currentTimeMillis())) .setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + expiration * 1000)) .setExpiration(new Date(System.currentTimeMillis() + expiration * 1000))
.signWith(SignatureAlgorithm.HS512, secret) .signWith(secretKey)
.compact(); .compact();
} }
@@ -89,8 +111,14 @@ public class JwtUtil {
throw new IllegalArgumentException("Token cannot be null"); throw new IllegalArgumentException("Token cannot be null");
} }
Claims claims = Jwts.parser() // 确保secretKey已初始化
.setSigningKey(secret) // secret 为你的 JWT 密钥 if (secretKey == null) {
init();
}
Claims claims = Jwts.parserBuilder()
.setSigningKey(secretKey)
.build()
.parseClaimsJws(token.replace("Bearer ", "")) .parseClaimsJws(token.replace("Bearer ", ""))
.getBody(); .getBody();
return claims.getSubject(); // subject 通常存储用户名 return claims.getSubject(); // subject 通常存储用户名
@@ -157,7 +185,16 @@ public class JwtUtil {
* @return 声明信息 * @return 声明信息
*/ */
private Claims extractAllClaims(String token) { private Claims extractAllClaims(String token) {
return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody(); // 确保secretKey已初始化
if (secretKey == null) {
init();
}
return Jwts.parserBuilder()
.setSigningKey(secretKey)
.build()
.parseClaimsJws(token)
.getBody();
} }
/** /**