From 6bcbe72b43d6fa041d06878d1dae09a6d8903895 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期五, 11 八月 2023 16:19:02 +0800
Subject: [PATCH] [ADD] 為了解決滲透測試JWT token 登出未失效問題, 在登出後會需要建立黑名單並在filter中確定token是否非黑名單
---
pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java | 16 ++++++++++++++++
1 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
index 1986286..6cff94b 100644
--- a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
+++ b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
@@ -7,8 +7,12 @@
import java.security.Key;
import java.util.*;
import java.util.stream.Collectors;
+
+import javax.servlet.http.HttpServletResponse;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
@@ -16,6 +20,10 @@
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;
+
+import com.pollex.pam.business.domain.TokenBlackList;
+import com.pollex.pam.business.repository.TokenBlackListRepository;
+
import tech.jhipster.config.JHipsterProperties;
@Component
@@ -33,6 +41,9 @@
private final long tokenValidityInMilliseconds;
private final long tokenValidityInMillisecondsForRememberMe;
+
+ @Autowired
+ TokenBlackListRepository tokenBlackListRepository;
public TokenProvider(JHipsterProperties jHipsterProperties) {
byte[] keyBytes;
@@ -102,4 +113,9 @@
}
return false;
}
+
+ public boolean isBlackListToken(String jwt) {
+ Optional<TokenBlackList> tokenBlack = tokenBlackListRepository.findById(jwt);
+ return tokenBlack.isPresent();
+ }
}
--
Gitblit v1.8.0