apache · KeRan213539 · Oct 13, 2021 · Oct 9, 2021 · Oct 10, 2021 · Oct 10, 2021
diff --git a/dubbo-admin-server/pom.xml b/dubbo-admin-server/pom.xml
@@ -33,6 +33,8 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <java.version>1.8</java.version>
         <mockito-version>2.23.4</mockito-version>
+        <jwt-version>3.4.1</jwt-version>
+        <jjwt-version>0.6.0</jjwt-version>
     </properties>
 
     <dependencies>
@@ -189,6 +191,19 @@
             <artifactId>zookeeper</artifactId>
         </dependency>
 
+        <!--JWT-->
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>${jwt-version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>${jjwt-version}</version>
+        </dependency>
+
     </dependencies>
 
     <build>

diff --git a/...min-server/src/main/java/org/apache/dubbo/admin/authentication/impl/DefaultPreHandle.java b/...min-server/src/main/java/org/apache/dubbo/admin/authentication/impl/DefaultPreHandle.java
@@ -19,10 +19,9 @@
 
 import org.apache.dubbo.admin.annotation.Authority;
 import org.apache.dubbo.admin.authentication.InterceptorAuthentication;
-import org.apache.dubbo.admin.controller.UserController;
 import org.apache.dubbo.admin.interceptor.AuthInterceptor;
+import org.apache.dubbo.admin.utils.JwtTokenUtil;
 
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.util.StringUtils;
 import org.springframework.web.method.HandlerMethod;
 
@@ -32,12 +31,6 @@
 
 
 public class DefaultPreHandle implements InterceptorAuthentication {
-    //make session timeout configurable
-    //default to be an hour:1000 * 60 * 60
-    @Value("${admin.check.sessionTimeoutMilli:3600000}")
-    private long sessionTimeoutMilli;
-
-    private AuthInterceptor authInterceptor = new AuthInterceptor();
 
     @Override
     public boolean authentication(HttpServletRequest request, HttpServletResponse response, Object handler) {
@@ -48,25 +41,22 @@ public boolean authentication(HttpServletRequest request, HttpServletResponse re
             authority = method.getDeclaringClass().getDeclaredAnnotation(Authority.class);
         }
 
-        String authorization = request.getHeader("Authorization");
+        String token = request.getHeader("Authorization");
+
         if (null != authority && authority.needLogin()) {
             //check if 'authorization' is empty to prevent NullPointException
-            //since UserController.tokenMap is an instance of ConcurrentHashMap.
-            if (StringUtils.isEmpty(authorization)) {
+            if (StringUtils.isEmpty(token)) {
                 //While authentication is required and 'Authorization' string is missing in the request headers,
                 //reject this request(http403).
-                authInterceptor.rejectedResponse(response);
+                AuthInterceptor.authRejectedResponse(response);
                 return false;
             }
-
-            UserController.User user = UserController.tokenMap.get(authorization);
-            if (null != user && System.currentTimeMillis() - user.getLastUpdateTime() <= sessionTimeoutMilli) {
-                user.setLastUpdateTime(System.currentTimeMillis());
+            if (JwtTokenUtil.canTokenBeExpiration(token)) {
+                JwtTokenUtil.refreshToken(token);
                 return true;
             }
-
-            //while user not found, or session timeout, reject this request(http403).
-            authInterceptor.rejectedResponse(response);
+            //while user not found, or token timeout, reject this request(http401).
+            AuthInterceptor.loginFailResponse(response);
             return false;
         } else {
             return true;

diff --git a/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/controller/UserController.java b/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/controller/UserController.java
@@ -18,39 +18,28 @@
 
 import org.apache.dubbo.admin.annotation.Authority;
 import org.apache.dubbo.admin.authentication.LoginAuthentication;
-
-import org.apache.commons.lang3.StringUtils;
+import org.apache.dubbo.admin.utils.JwtTokenUtil;
 import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.commons.lang3.StringUtils;
+
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.Iterator;
-import java.util.Map;
-import java.util.Objects;
 import java.util.Set;
-import java.util.UUID;
-import java.util.concurrent.ConcurrentHashMap;
 
 @RestController
 @RequestMapping("/api/{env}/user")
 public class UserController {
-    public static Map<String /*token*/, User /*user info*/> tokenMap = new ConcurrentHashMap<>();
 
     @Value("${admin.root.user.name:}")
     private String rootUserName;
     @Value("${admin.root.user.password:}")
     private String rootUserPassword;
-    //make session timeout configurable
-    //default to be an hour:1000 * 60 * 60
-    @Value("${admin.check.sessionTimeoutMilli:3600000}")
-    private long sessionTimeoutMilli;
 
     @RequestMapping(value = "/login", method = RequestMethod.GET)
     public String login(HttpServletRequest httpServletRequest, @RequestParam String userName, @RequestParam String password) {
@@ -60,35 +49,27 @@ public String login(HttpServletRequest httpServletRequest, @RequestParam String
         boolean flag = true;
         if (iterator == null) {
             if (StringUtils.isBlank(rootUserName) || (rootUserName.equals(userName) && rootUserPassword.equals(password))) {
-                return creatToken(rootUserName);
+                return JwtTokenUtil.generateToken(userName);
             }
         }
         while (iterator.hasNext()) {
             LoginAuthentication loginAuthentication = iterator.next();
             boolean b = loginAuthentication.authentication(httpServletRequest, userName, password);
             flag = b & flag;
-            if (flag == false) {
+            if (!flag) {
                 break;
             }
         }
         if (flag) {
-            return creatToken(userName);
+            return JwtTokenUtil.generateToken(userName);
         }
         return null;
     }
 
     @Authority(needLogin = true)
     @RequestMapping(value = "/logout", method = RequestMethod.DELETE)
     public boolean logout() {
-        HttpServletRequest request =
-                ((ServletRequestAttributes) Objects.requireNonNull(RequestContextHolder.getRequestAttributes())).getRequest();
-        String token = request.getHeader("Authorization");
-        return null != tokenMap.remove(token);
-    }
-
-    @Scheduled(cron= "0 5 * * * ?")
-    public void clearExpiredToken() {
-        tokenMap.entrySet().removeIf(entry -> entry.getValue() == null || System.currentTimeMillis() - entry.getValue().getLastUpdateTime() > sessionTimeoutMilli);
+        return true;
     }
 
     public static class User {
@@ -112,13 +93,4 @@ public void setLastUpdateTime(long lastUpdateTime) {
         }
     }
 
-    public String creatToken(String userName) {
-        UUID uuid = UUID.randomUUID();
-        String token = uuid.toString();
-        User user = new User();
-        user.setUserName(userName);
-        user.setLastUpdateTime(System.currentTimeMillis());
-        tokenMap.put(token, user);
-        return token;
-    }
 }
diff --git a/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/interceptor/AuthInterceptor.java b/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/interceptor/AuthInterceptor.java
@@ -35,11 +35,7 @@
 public class AuthInterceptor extends HandlerInterceptorAdapter {
     @Value("${admin.check.authority:true}")
     private boolean checkAuthority;
-
-    //make session timeout configurable
-    //default to be an hour:1000 * 60 * 60
-    @Value("${admin.check.sessionTimeoutMilli:3600000}")
-    private long sessionTimeoutMilli;
+
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         if (!(handler instanceof HandlerMethod) || !checkAuthority) {
@@ -53,14 +49,18 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
             InterceptorAuthentication interceptorAuthentication = iterator.next();
             boolean b = interceptorAuthentication.authentication(request, response, handler);
             flag = b & flag;
-            if (flag == false) {
+            if (!flag) {
                 break;
             }
         }
         return flag;
     }
 
-    public static void rejectedResponse(@NotNull HttpServletResponse response) {
+    public static void loginFailResponse(@NotNull HttpServletResponse response) {
         response.setStatus(HttpStatus.UNAUTHORIZED.value());
     }
+
+    public static void authRejectedResponse(@NotNull HttpServletResponse response) {
+        response.setStatus(HttpStatus.FORBIDDEN.value());
+    }
 }
diff --git a/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/utils/JwtTokenUtil.java b/dubbo-admin-server/src/main/java/org/apache/dubbo/admin/utils/JwtTokenUtil.java
@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.dubbo.admin.utils;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Jwt token tool class.
+ */
+public class JwtTokenUtil {
+    /**
+     * Jwt signingKey
+     */
+    private static final String secret = "a1g2y47dg3dj59fjhhsd7cnewy73j";
+
+    /**
+     * token timeout configurable
+     * default to be an hour: 1000 * 60 * 60
+     */
+    private static final long expiration = 60 * 60 * 1000;
+
+    /**
+     * initialise jwt token and claims
+     *
+     * @return jwt token
+     * @param rootUserName
+     */
+    public static String generateToken(String rootUserName) {
+        Map<String, Object> claims = new HashMap<>(1);
+        claims.put("sub", rootUserName);
+        return generateToken(claims);
+    }
+
+    /**
+     * generate token
+     *
+     * @return jwt token
+     * @param claims
+     */
+    private static String generateToken(Map<String, Object> claims) {
+        return Jwts.builder()
+                .setClaims(claims)
+                .setExpiration(generateExpirationDate())
+                .setIssuedAt(generateCurrentDate())
+                .signWith(SignatureAlgorithm.HS512, secret)
+                .compact();
+    }
+
+    /**
+     * Get the current time
+     */
+    private static Date generateCurrentDate() {
+        return new Date(System.currentTimeMillis());
+    }
+
+    /**
+     * Get the token expiration time
+     */
+    private static Date generateExpirationDate() {
+        return new Date(System.currentTimeMillis() + expiration);
+    }
+
+    /**
+     * Check whether the token is invalid
+     *
+     * @return boolean type
+     * @param token
+     */
+    public static Boolean canTokenBeExpiration(String token) {
+        Claims claims;
+        try {
+            claims = Jwts.parser()
+                    .setSigningKey(secret)
+                    .parseClaimsJws(token)
+                    .getBody();
+            final Date exp = claims.getExpiration();
+            if (exp.before(generateCurrentDate())) {
+                return false;
+            }
+            return true;
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
+    /**
+     * refresh token
+     *
+     * @return token
+     * @param token
+     */
+    public static String refreshToken(String token) {
+        String refreshedToken;
+        try {
+            final Claims claims = Jwts.parser()
+                    .setSigningKey(secret)
+                    .parseClaimsJws(token)
+                    .getBody();
+            refreshedToken = generateToken(claims);
+        } catch (Exception e) {
+            refreshedToken = null;
+        }
+        return refreshedToken;
+    }
+
+}