Do not keep password in jwt payload,

password just for first verify

Author: VancySavoki

moss-extension/src/main/java/org/xujin/moss/controller/BaseController.java

@@ -1,5 +1,9 @@
 package org.xujin.moss.controller;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.context.annotation.RequestScope;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.servlet.support.RequestContextUtils;
 import org.xujin.moss.security.jwt.JwtUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -12,33 +16,18 @@
  * BaseController用于统一获取信息
  */
 public class BaseController {
+    @Autowired
+    HttpServletRequest httpServletRequest;
 
-    private static final Log logger = LogFactory.getLog(BaseController.class);
-
-    protected static final ThreadLocal<HttpServletRequest> requests = new ThreadLocal();
-    protected static final ThreadLocal<HttpServletResponse> responses = new ThreadLocal();
-
-    public BaseController() {
-    }
-
-    @ModelAttribute
-    public void init(HttpServletRequest request, HttpServletResponse response) {
-        requests.set(request);
-        responses.set(response);
-    }
-
-    public HttpServletRequest getRequest() {
-        return (HttpServletRequest)requests.get();
-    }
 
    public String getUserNameByToken() {
-       HttpServletRequest req=(HttpServletRequest)requests.get();
+       HttpServletRequest req=(HttpServletRequest)httpServletRequest;
        String token = req.getHeader("Token");
-       return  JwtUtil.getUsername(token);
+       return JwtUtil.getUsername(token);
    }
 
    public String getRegisterSource() {
-        HttpServletRequest req=(HttpServletRequest)requests.get();
+        HttpServletRequest req=(HttpServletRequest)httpServletRequest;
         String registerSource = req.getHeader("registerSource");
         return registerSource;
     }

moss-extension/src/main/java/org/xujin/moss/controller/LoginController.java

@@ -1,12 +1,15 @@
 package org.xujin.moss.controller;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.xujin.moss.common.ResultData;
+import org.xujin.moss.model.UserModel;
 import org.xujin.moss.security.jwt.JwtToken;
 import org.xujin.moss.security.jwt.JwtUtil;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.subject.Subject;
 import org.springframework.web.bind.annotation.*;
+import org.xujin.moss.service.UserService;
 
 import java.util.Date;
 import java.util.HashMap;
@@ -15,11 +18,16 @@
 @RestController
 @RequestMapping("/admin")
 public class LoginController {
-
+    @Autowired
+    UserService userService;
     @PostMapping("/login")
     public ResultData login(String username, String password) {
         try {
-            String token= JwtUtil.createToken(username,password);
+            UserModel user = userService.getUserByUserNameAndPassWord(username, password);
+            if(user == null) {
+                throw new AuthenticationException();
+            }
+            String token= JwtUtil.createToken(username);
             Date tokenExpired = new Date(new Date().getTime() + JwtUtil.EXPIRE_TIME);
             JwtToken jwtToken = new JwtToken(token);
             Subject subject = SecurityUtils.getSubject();

moss-extension/src/main/java/org/xujin/moss/security/jwt/JwtToken.java

@@ -1,5 +1,7 @@
 package org.xujin.moss.security.jwt;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import org.apache.shiro.authc.AuthenticationToken;
 
 /**
@@ -8,9 +10,10 @@
  */
 public class JwtToken implements AuthenticationToken {
     private String token;
-
+    private DecodedJWT jwt;
     public JwtToken(String token) {
         this.token = token;
+        this.jwt = JWT.decode(token);
     }
 
     @Override
@@ -22,4 +25,8 @@ public Object getPrincipal() {
     public Object getCredentials() {
         return token;
     }
+
+    public String getClaim(String claim) {
+        return this.jwt.getClaim(claim).asString();
+    }
 }

moss-extension/src/main/java/org/xujin/moss/security/jwt/JwtUtil.java

@@ -25,14 +25,13 @@ public class JwtUtil {
      * @param username 用户名
      * @return 加密的token
      */
-    public static String createToken(String username,String password) {
+    public static String createToken(String username) {
         try {
             Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
             Algorithm algorithm = Algorithm.HMAC256(SECRET);
             // 附带username信息
             return JWT.create()
                     .withClaim("username", username)
-                    .withClaim("password",password)
                     //到期时间
                     .withExpiresAt(date)
                     //创建一个新的JWT，并使用给定的算法进行标记
@@ -49,13 +48,12 @@ public static String createToken(String username,String password) {
      * @param username 用户名
      * @return 是否正确
      */
-    public static boolean verify(String token, String username,String password) {
+    public static boolean verify(String token, String username) {
         try {
             Algorithm algorithm = Algorithm.HMAC256(SECRET);
             //在token中附带了username信息
             JWTVerifier verifier = JWT.require(algorithm)
                     .withClaim("username", username)
-                    .withClaim("password",password)
                     .build();
             //验证 token
             verifier.verify(token);
@@ -79,15 +77,4 @@ public static String getUsername(String token) {
         }
     }
 
-
-    public static String getPassWord(String token) {
-        try {
-            DecodedJWT jwt = JWT.decode(token);
-            return jwt.getClaim("password").asString();
-        } catch (JWTDecodeException e) {
-            return null;
-        }
-    }
-
-
 }

moss-extension/src/main/java/org/xujin/moss/security/shiro/DBRealm.java

@@ -49,11 +49,11 @@ protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken auth
         String token = (String) authenticationToken.getCredentials();
         // 解密获得username，用于和数据库进行对比
         String username = JwtUtil.getUsername(token);
-        String password = JwtUtil.getPassWord(token);
-        if (null==username  || !JwtUtil.verify(token, username,password)) {
+
+        if (null==username  || !JwtUtil.verify(token, username)) {
             throw new AuthenticationException("token认证失败！");
         }
-        UserModel userModel= userService.getUserByUserNameAndPassWord(username,password);
+        UserModel userModel= userService.getUserByUserName(username);
         if(null==userModel){
             return null;
         }

moss-extension/src/main/java/org/xujin/moss/security/shiro/LdapRealm.java

@@ -57,13 +57,13 @@ protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken auth
         String token = (String) authenticationToken.getCredentials();
         // 解密获得username，用于和数据库进行对比
         String username = JwtUtil.getUsername(token);
-        String password = JwtUtil.getPassWord(token);
-        if (null==username  || !JwtUtil.verify(token, username,password)) {
+
+        if (null==username  || !JwtUtil.verify(token, username)) {
             throw new AuthenticationException("token认证失败！");
         }
         LdapContext ctx = null;
         try {
-            ctx = ldapContextFactory.getLdapContext(username, password);
+            ctx = ldapContextFactory.getLdapContext(username, null);
         } catch (Throwable e) {
             LOGGER.error(e.getMessage(), e);
             return null;