From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
index d17fca0..3fdd62f 100644
--- a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
+++ b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
@@ -7,8 +7,12 @@
 import java.security.Key;
 import java.util.*;
 import java.util.stream.Collectors;
+
+import javax.servlet.http.HttpServletResponse;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -16,6 +20,11 @@
 import org.springframework.security.core.userdetails.User;
 import org.springframework.stereotype.Component;
 import org.springframework.util.ObjectUtils;
+
+import com.pollex.pam.business.config.AppProperties;
+import com.pollex.pam.business.domain.TokenBlackList;
+import com.pollex.pam.business.repository.TokenBlackListRepository;
+
 import tech.jhipster.config.JHipsterProperties;
 
 @Component
@@ -24,6 +33,7 @@
     private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
 
     private static final String AUTHORITIES_KEY = "auth";
+    private static final String AUTHORITIES_DETAILS = "details";
 
     private final Key key;
 
@@ -32,6 +42,12 @@
     private final long tokenValidityInMilliseconds;
 
     private final long tokenValidityInMillisecondsForRememberMe;
+
+    @Autowired
+    TokenBlackListRepository tokenBlackListRepository;
+    
+    @Autowired
+	AppProperties applicationProperties;
 
     public TokenProvider(JHipsterProperties jHipsterProperties) {
         byte[] keyBytes;
@@ -69,6 +85,7 @@
             .builder()
             .setSubject(authentication.getName())
             .claim(AUTHORITIES_KEY, authorities)
+            .claim(AUTHORITIES_DETAILS, authentication.getDetails())
             .signWith(key, SignatureAlgorithm.HS512)
             .setExpiration(validity)
             .compact();
@@ -82,10 +99,12 @@
             .filter(auth -> !auth.trim().isEmpty())
             .map(SimpleGrantedAuthority::new)
             .collect(Collectors.toList());
+        System.out.println("applicationProperties.getDefaultPaxxword()+++++++++++===="+applicationProperties.getDefaultPaxxword());
+        User principal = new User(claims.getSubject(), applicationProperties.getDefaultPaxxword(), authorities);
+        UsernamePasswordAuthenticationToken authInfo = new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        authInfo.setDetails(claims.get(AUTHORITIES_DETAILS));
 
-        User principal = new User(claims.getSubject(), "", authorities);
-
-        return new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        return authInfo;
     }
 
     public boolean validateToken(String authToken) {
@@ -98,4 +117,9 @@
         }
         return false;
     }
+
+	public boolean isBlackListToken(String jwt) {
+		Optional<TokenBlackList> tokenBlack = tokenBlackListRepository.findById(jwt);
+    	return tokenBlack.isPresent();
+	}
 }

--
Gitblit v1.8.0