add: some auth config

security-core/build.gradle

@@ -0,0 +1,15 @@
+plugins {
+    id 'java'
+}
+
+
+dependencies {
+    implementation 'org.jetbrains:annotations:20.1.0'
+    implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.11.5'
+}
+
+test {
+    useJUnitPlatform()
+}

security-core/src/main/java/org/fycd/bigdata/config/WebSecurityConfig.java

@@ -0,0 +1,74 @@
+package org.fycd.bigdata.config;
+
+import lombok.RequiredArgsConstructor;
+import org.fycd.bigdata.config.jwt.AuthEntryPointJwt;
+import org.fycd.bigdata.config.jwt.AuthTokenFilter;
+import org.fycd.bigdata.service.UserDetailsServiceImpl;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.util.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@RequiredArgsConstructor
+public class WebSecurityConfig {
+
+  private final UserDetailsServiceImpl userDetailsService;
+  private final AuthEntryPointJwt authEntryPointJwt;
+
+  @Bean
+  public AuthTokenFilter authenticationJwtTokenFilter() {
+    return new AuthTokenFilter();
+  }
+
+  @Bean
+  public DaoAuthenticationProvider authenticationProvider() {
+    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
+
+    authProvider.setUserDetailsService(userDetailsService);
+    authProvider.setPasswordEncoder(passwordEncoder());
+
+    return authProvider;
+  }
+
+  @Bean
+  public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
+    return authConfig.getAuthenticationManager();
+  }
+
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder();
+  }
+
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.cors().and().csrf().disable()
+            .exceptionHandling().authenticationEntryPoint(authEntryPointJwt).and()
+            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+            //讓登入登出可以不用驗證
+            .authorizeRequests().antMatchers("/api/auth/**").permitAll()
+            .antMatchers("/api/test/**").permitAll()
+            .anyRequest().authenticated();
+
+    http.authenticationProvider(authenticationProvider());
+
+    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
+
+    return http.build();
+  }
+
+
+}

security-core/src/main/java/org/fycd/bigdata/config/jwt/AuthEntryPointJwt.java

@@ -0,0 +1,36 @@
+package org.fycd.bigdata.config.jwt;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.MediaType;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+@Slf4j
+public class AuthEntryPointJwt implements AuthenticationEntryPoint {
+
+  @Override
+  public void commence(HttpServletRequest request, HttpServletResponse response, org.springframework.security.core.AuthenticationException authException) throws IOException, ServletException {
+    log.error("Unauthorized error: {}", authException.getMessage());
+
+    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+
+    final Map<String, Object> body = new HashMap<>();
+    body.put("statusCode", HttpServletResponse.SC_UNAUTHORIZED);
+    body.put("error", "未授權的請求");
+    body.put("message", authException.getMessage());
+    body.put("path", request.getServletPath());
+
+    final ObjectMapper mapper = new ObjectMapper();
+    mapper.writeValue(response.getOutputStream(), body);
+  }
+}

security-core/src/main/java/org/fycd/bigdata/config/jwt/AuthTokenFilter.java

@@ -0,0 +1,62 @@
+package org.fycd.bigdata.config.jwt;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.fycd.bigdata.service.UserDetailsImpl;
+import org.fycd.bigdata.service.UserDetailsServiceImpl;
+import org.fycd.bigdata.utils.JwtUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Slf4j
+public class AuthTokenFilter extends OncePerRequestFilter {
+
+  @Autowired
+  private JwtUtils jwtUtils;
+  @Autowired
+  private UserDetailsServiceImpl userDetailsService;
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+    {
+      try {
+        String jwt = parseJwt(request);
+        if (jwt != null && jwtUtils.validateJwtToken(jwt)) {
+          String username = jwtUtils.getUserNameFromJwtToken(jwt);
+
+          UserDetails userDetails = userDetailsService.loadUserByUsername(username);
+          UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null,
+                  userDetails.getAuthorities());
+          authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+
+          SecurityContextHolder.getContext().setAuthentication(authentication);
+        }
+      } catch (Exception e) {
+        log.error("Cannot set user authentication: {}", e.getMessage());
+      }
+
+      filterChain.doFilter(request, response);
+    }
+  }
+
+  private String parseJwt(HttpServletRequest request) {
+    String headerAuth = request.getHeader("Authorization");
+
+    if (StringUtils.hasText(headerAuth) && headerAuth.startsWith("Bearer ")) {
+      return headerAuth.substring(7, headerAuth.length());
+    }
+
+    return null;
+  }
+}

security-core/src/main/java/org/fycd/bigdata/controller/AuthController.java

@@ -0,0 +1,14 @@
+package org.fycd.bigdata.controller;
+
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/auth")
+public class AuthController {
+  @PostMapping("/login")
+  public String login() {
+    return "login";
+  }
+}

security-core/src/main/java/org/fycd/bigdata/enums/UserRole.java

@@ -0,0 +1,7 @@
+package org.fycd.bigdata.enums;
+
+public enum UserRole {
+  ROLE_USER, //一般使用者
+  ROLE_MASTER, //點傳師
+  ROLE_ADMIN //管理員
+}

security-core/src/main/java/org/fycd/bigdata/pojo/RefreshTokenSub.java

@@ -0,0 +1,12 @@
+package org.fycd.bigdata.pojo;
+
+import lombok.Data;
+import java.time.LocalDateTime;
+
+@Data
+public class RefreshTokenSub {
+  private long id;
+  private UserSub user;
+  private String token;
+  private LocalDateTime expiryDate;
+}

security-core/src/main/java/org/fycd/bigdata/pojo/RoleSub.java

@@ -0,0 +1,13 @@
+package org.fycd.bigdata.pojo;
+
+import lombok.Data;
+import org.fycd.bigdata.enums.UserRole;
+
+import java.util.HashSet;
+import java.util.Set;
+
+@Data
+public class RoleSub {
+    private Long id;
+    private UserRole name;
+}

security-core/src/main/java/org/fycd/bigdata/pojo/UserSub.java

@@ -0,0 +1,14 @@
+package org.fycd.bigdata.pojo;
+
+import lombok.Data;
+
+import java.util.HashSet;
+import java.util.Set;
+
+@Data
+public class UserSub {
+    private Long id;
+    private String username;
+    private String password;
+    private Set<RoleSub> roles = new HashSet<>();
+}

security-core/src/main/java/org/fycd/bigdata/repository/dao/RefreshTokenDaoSub.java

@@ -0,0 +1,11 @@
+package org.fycd.bigdata.repository.dao;
+
+import org.fycd.bigdata.pojo.RefreshTokenSub;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public class RefreshTokenDaoSub {
+  public RefreshTokenSub findByToken(String token) {
+    return new RefreshTokenSub();
+  }
+}

security-core/src/main/java/org/fycd/bigdata/repository/dao/UserDaoSub.java

@@ -0,0 +1,13 @@
+package org.fycd.bigdata.repository.dao;
+
+import org.fycd.bigdata.pojo.UserSub;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+@Repository
+public class UserDaoSub {
+  public Optional<UserSub> findByUsername (String username) {
+    return Optional.of(new UserSub());
+  }
+}

security-core/src/main/java/org/fycd/bigdata/service/UserDetailsImpl.java

@@ -0,0 +1,98 @@
+package org.fycd.bigdata.service;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import org.fycd.bigdata.pojo.UserSub;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+public class UserDetailsImpl implements UserDetails {
+  private Long id;
+
+  private String username;
+
+  private String email;
+
+  @JsonIgnore
+  private String password;
+
+  private Collection<? extends GrantedAuthority> authorities;
+
+  public UserDetailsImpl(Long id, String username, String password, Collection<? extends GrantedAuthority> authorities) {
+    this.id = id;
+    this.username = username;
+    this.password = password;
+    this.authorities = authorities;
+  }
+
+  public static UserDetailsImpl build(UserSub user) {
+    List<GrantedAuthority> authorities = user.getRoles().stream()
+            .map(role -> new SimpleGrantedAuthority(role.getName().name()))
+            .collect(Collectors.toList());
+
+    return new UserDetailsImpl(
+            user.getId(),
+            user.getUsername(),
+            user.getPassword(),
+            authorities);
+  }
+
+  @Override
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+    return authorities;
+  }
+
+  public Long getId() {
+    return id;
+  }
+
+  public String getEmail() {
+    return email;
+  }
+
+  @Override
+  public String getPassword() {
+    return password;
+  }
+
+  @Override
+  public String getUsername() {
+    return username;
+  }
+
+  @Override
+  public boolean isAccountNonExpired() {
+    return true;
+  }
+
+  @Override
+  public boolean isAccountNonLocked() {
+    return true;
+  }
+
+  @Override
+  public boolean isCredentialsNonExpired() {
+    return true;
+  }
+
+  @Override
+  public boolean isEnabled() {
+    return true;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o)
+      return true;
+    if (o == null || getClass() != o.getClass())
+      return false;
+    UserDetailsImpl user = (UserDetailsImpl) o;
+    return Objects.equals(id, user.id);
+  }
+}

security-core/src/main/java/org/fycd/bigdata/service/UserDetailsServiceImpl.java

@@ -0,0 +1,26 @@
+package org.fycd.bigdata.service;
+
+import lombok.RequiredArgsConstructor;
+import org.fycd.bigdata.pojo.UserSub;
+import org.fycd.bigdata.repository.dao.UserDaoSub;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+@RequiredArgsConstructor
+public class UserDetailsServiceImpl implements UserDetailsService {
+  private final UserDaoSub userDao;
+
+  @Override
+  @Transactional
+  public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+    UserSub user = userDao.findByUsername(username)
+            .orElseThrow(() -> new UsernameNotFoundException("找不到該使用者: " + username));
+
+    return UserDetailsImpl.build(user);
+  }
+}

security-core/src/main/java/org/fycd/bigdata/utils/JwtUtils.java

@@ -0,0 +1,63 @@
+package org.fycd.bigdata.utils;
+
+import io.jsonwebtoken.*;
+import io.jsonwebtoken.security.Keys;
+import io.jsonwebtoken.security.SignatureException;
+import lombok.extern.slf4j.Slf4j;
+import org.fycd.bigdata.service.UserDetailsImpl;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import javax.xml.bind.DatatypeConverter;
+import java.util.Date;
+
+@Component
+@Slf4j
+public class JwtUtils {
+  @Value("${app.security.jwtSecret}")
+  private static String jwtSecret;
+
+  @Value("${app.security.jwtExpirationMs}")
+  private static int jwtExpirationMs;
+
+  private static final byte[] secretKey = DatatypeConverter.parseBase64Binary(jwtSecret);
+
+  public String generateJwtToken(UserDetailsImpl userPrincipal) {
+    return generateTokenFromUsername(userPrincipal.getUsername());
+  }
+
+  public String generateTokenFromUsername(String username) {
+    return Jwts.builder().setSubject(username).setIssuedAt(new Date())
+            .setExpiration(new Date((new Date()).getTime() + jwtExpirationMs)).signWith(SignatureAlgorithm.HS512, jwtSecret)
+            .compact();
+  }
+
+  public boolean validateJwtToken(String authToken) {
+    try {
+      Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);
+      return true;
+    } catch (SignatureException e) {
+      log.error("Invalid JWT signature: {}", e.getMessage());
+    } catch (MalformedJwtException e) {
+      log.error("Invalid JWT token: {}", e.getMessage());
+    } catch (ExpiredJwtException e) {
+      log.error("JWT token is expired: {}", e.getMessage());
+    } catch (UnsupportedJwtException e) {
+      log.error("JWT token is unsupported: {}", e.getMessage());
+    } catch (IllegalArgumentException e) {
+      log.error("JWT claims string is empty: {}", e.getMessage());
+    }
+
+    return false;
+  }
+
+  public String getUserNameFromJwtToken(String token) {
+    return Jwts
+            .parserBuilder()
+            .setSigningKey(Keys.hmacShaKeyFor(secretKey))
+            .build()
+            .parseClaimsJws(token)
+            .getBody()
+            .getSubject();
+  }
+}