[ADD] 為了解決滲透測試JWT token 登出未失效問題, 在登出後會需要建立黑名單並在filter中確定token是否非黑名單

jack

2023-08-11 6bcbe72b43d6fa041d06878d1dae09a6d8903895

 pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java

@@ -7,8 +7,12 @@
import java.security.Key;
import java.util.*;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
@@ -16,6 +20,10 @@
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;

import com.pollex.pam.business.domain.TokenBlackList;
import com.pollex.pam.business.repository.TokenBlackListRepository;

import tech.jhipster.config.JHipsterProperties;

@Component
@@ -33,6 +41,9 @@
    private final long tokenValidityInMilliseconds;

    private final long tokenValidityInMillisecondsForRememberMe;

    @Autowired
    TokenBlackListRepository tokenBlackListRepository;

    public TokenProvider(JHipsterProperties jHipsterProperties) {
        byte[] keyBytes;
@@ -102,4 +113,9 @@
        }
        return false;
    }

   public boolean isBlackListToken(String jwt) {
      Optional<TokenBlackList> tokenBlack = tokenBlackListRepository.findById(jwt);
       return tokenBlack.isPresent();
   }
}