From 6bcbe72b43d6fa041d06878d1dae09a6d8903895 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期五, 11 八月 2023 16:19:02 +0800
Subject: [PATCH] [ADD] 為了解決滲透測試JWT token 登出未失效問題, 在登出後會需要建立黑名單並在filter中確定token是否非黑名單

---
 pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java |   22 +++++++++++++++++++++-
 1 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
index d17fca0..6cff94b 100644
--- a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
+++ b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
@@ -7,8 +7,12 @@
 import java.security.Key;
 import java.util.*;
 import java.util.stream.Collectors;
+
+import javax.servlet.http.HttpServletResponse;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -16,6 +20,10 @@
 import org.springframework.security.core.userdetails.User;
 import org.springframework.stereotype.Component;
 import org.springframework.util.ObjectUtils;
+
+import com.pollex.pam.business.domain.TokenBlackList;
+import com.pollex.pam.business.repository.TokenBlackListRepository;
+
 import tech.jhipster.config.JHipsterProperties;
 
 @Component
@@ -24,6 +32,7 @@
     private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
 
     private static final String AUTHORITIES_KEY = "auth";
+    private static final String AUTHORITIES_DETAILS = "details";
 
     private final Key key;
 
@@ -32,6 +41,9 @@
     private final long tokenValidityInMilliseconds;
 
     private final long tokenValidityInMillisecondsForRememberMe;
+
+    @Autowired
+    TokenBlackListRepository tokenBlackListRepository;
 
     public TokenProvider(JHipsterProperties jHipsterProperties) {
         byte[] keyBytes;
@@ -69,6 +81,7 @@
             .builder()
             .setSubject(authentication.getName())
             .claim(AUTHORITIES_KEY, authorities)
+            .claim(AUTHORITIES_DETAILS, authentication.getDetails())
             .signWith(key, SignatureAlgorithm.HS512)
             .setExpiration(validity)
             .compact();
@@ -84,8 +97,10 @@
             .collect(Collectors.toList());
 
         User principal = new User(claims.getSubject(), "", authorities);
+        UsernamePasswordAuthenticationToken authInfo = new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        authInfo.setDetails(claims.get(AUTHORITIES_DETAILS));
 
-        return new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        return authInfo;
     }
 
     public boolean validateToken(String authToken) {
@@ -98,4 +113,9 @@
         }
         return false;
     }
+
+	public boolean isBlackListToken(String jwt) {
+		Optional<TokenBlackList> tokenBlack = tokenBlackListRepository.findById(jwt);
+    	return tokenBlack.isPresent();
+	}
 }

--
Gitblit v1.8.0