diff --git a/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java b/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java
index cb871585..901e8d01 100644
--- a/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java
+++ b/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java
@@ -548,7 +548,7 @@ public class StpLogic {
 		if(loginId == null) {
 			throw NotLoginException.newInstance(loginType, NotLoginException.INVALID_TOKEN, tokenValue);
 		}
-		// 如果是已经过期,则抛出已经过期
+		// 如果是已经过期,则抛出:已经过期
 		if(loginId.equals(NotLoginException.TOKEN_TIMEOUT)) {
 			throw NotLoginException.newInstance(loginType, NotLoginException.TOKEN_TIMEOUT, tokenValue);
 		}
@@ -612,7 +612,7 @@ public class StpLogic {
 		}
 		// loginId为null或者在异常项里面,均视为未登录, 返回null
 		Object loginId = getLoginIdNotHandle(tokenValue);
-		if(loginId == null || NotLoginException.ABNORMAL_LIST.contains(loginId)) {
+		if(isValidLoginId(loginId) == false) {
 			return null;
 		}
 		// 如果已经[临时过期]
@@ -653,10 +653,17 @@ public class StpLogic {
 	 * @return 账号id
 	 */
 	public Object getLoginIdByToken(String tokenValue) {
+		// token为空时,直接返回null
 		if(tokenValue == null) {
 			return null;
 		}
-		return getLoginIdNotHandle(tokenValue);
+		// loginId为无效值时,直接返回null
+		String loginId = getLoginIdNotHandle(tokenValue);
+		if(isValidLoginId(loginId) == false) {
+			return null;
+		}
+		// 
+		return loginId;
 	}
 
 	/**
diff --git a/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaSessionForJacksonCustomized.java b/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaSessionForJacksonCustomized.java
new file mode 100644
index 00000000..e83471d6
--- /dev/null
+++ b/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaSessionForJacksonCustomized.java
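Review bot: `getLoginIdByToken` now filters the sentinel values through `isValidLoginId`, but unlike the sibling at the 612 hunk — which goes on to a `// 如果已经[临时过期]` check right after the same filter — it returns `loginId` with no temporary-expiry handling, so a token in that state still yields an account id from this method; if that asymmetry is intended, the Javadoc should state it, e.g. `* Note: unlike the login-id lookup used by the authenticated path, this does not apply the temporary-expiry check.` The replaced condition at 612 tested `loginId == null` explicitly, so confirm that `isValidLoginId` (defined outside the hunk) also treats `null` as invalid, otherwise a missing token now falls through to `return loginId`. As a matter of style, `if(isValidLoginId(loginId) == false)` reads better as `if(!isValidLoginId(loginId))`, and the bare `// ` line before `return loginId;` should either carry a comment or be dropped.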
@@ -0,0 +1,33 @@
+package cn.dev33.satoken.dao;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+import cn.dev33.satoken.session.SaSession;
+
+/**
+ * Jackson定制版SaSession,忽略 timeout 属性的序列化
+ * 
+ * @author kong
+ *
+ */
+@JsonIgnoreProperties("timeout")
+public class SaSessionForJacksonCustomized extends SaSession {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = -7600983549653130681L;
+
+	public SaSessionForJacksonCustomized() {
+		super();
+	}
+
+	/**
+	 * 构建一个Session对象
+	 * @param id Session的id
+	 */
+	public SaSessionForJacksonCustomized(String id) {
+		super(id);
+	}
+
+}
diff --git a/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaTokenDaoRedisJackson.java b/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaTokenDaoRedisJackson.java
index 16c510c2..c3442149 100644
--- a/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaTokenDaoRedisJackson.java
+++ b/sa-token-plugin/sa-token-dao-redis-jackson/src/main/java/cn/dev33/satoken/dao/SaTokenDaoRedisJackson.java
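Review bot: The class Javadoc says the annotation suppresses *serialization* of `timeout`, but `@JsonIgnoreProperties("timeout")` with its default settings ignores the property on both write and read, so the comment understates what the class does, and the empty Javadoc block above `serialVersionUID` documents nothing. Suggest rewording the class comment along the lines of `Jackson-customised SaSession: {@code timeout} is excluded from both serialization and deserialization (presumably because it is derived from the store's TTL rather than persisted — confirm)`, and either giving the `serialVersionUID` block a one-line purpose or removing it. Because sessions are now persisted as this subclass instead of `SaSession`, entries written before the upgrade will carry the old type if the Redis serializer embeds class names (inferred from the `GenericJackson2JsonRedisSerializer` import in the DAO, not shown here); a note on that in the Javadoc or changelog would save operators a surprise.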
@@ -1,23 +1,5 @@
 package cn.dev33.satoken.dao;
 
-import cn.dev33.satoken.util.SaFoxUtil;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateDeserializer;
-import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer;
-import com.fasterxml.jackson.datatype.jsr310.deser.LocalTimeDeserializer;
-import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateSerializer;
-import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer;
-import com.fasterxml.jackson.datatype.jsr310.ser.LocalTimeSerializer;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.data.redis.connection.RedisConnectionFactory;
-import org.springframework.data.redis.core.RedisTemplate;
-import org.springframework.data.redis.core.StringRedisTemplate;
-import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
-import org.springframework.data.redis.serializer.StringRedisSerializer;
-import org.springframework.stereotype.Component;
-
 import java.lang.reflect.Field;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
@@ -28,6 +10,27 @@ import java.util.List;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
+import org.springframework.data.redis.serializer.StringRedisSerializer;
+import org.springframework.stereotype.Component;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateDeserializer;
+import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer;
+import com.fasterxml.jackson.datatype.jsr310.deser.LocalTimeDeserializer;
+import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateSerializer;
+import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer;
+import com.fasterxml.jackson.datatype.jsr310.ser.LocalTimeSerializer;
+
+import cn.dev33.satoken.strategy.SaStrategy;
+import cn.dev33.satoken.util.SaFoxUtil;
+
 /**
  * Sa-Token持久层接口 [Redis版] (使用 jackson 序列化方式)
  *
@@ -90,6 +93,8 @@ public class SaTokenDaoRedisJackson implements SaTokenDao {
 			timeModule.addSerializer(new LocalTimeSerializer(TIME_FORMATTER));
 			timeModule.addDeserializer(LocalTime.class, new LocalTimeDeserializer(TIME_FORMATTER));
 			this.objectMapper.registerModule(timeModule);
+			// 重写Session生成策略
+			SaStrategy.me.createSession = (sessionId) -> new SaSessionForJacksonCustomized(sessionId);
 		} catch (Exception e) {
 			System.err.println(e.getMessage());
 		}
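Review bot: The new `SaStrategy.me.createSession = ...` line mutates a process-global strategy from inside this DAO's initializer, so it silently overrides any `createSession` the application had already customised and, presumably, also affects code paths that never touch this Redis DAO — last writer wins with no warning. It is also placed inside the `try` whose `catch (Exception e)` prints only `e.getMessage()`, so the override's visibility is tied to the ObjectMapper setup and any failure there loses its stack trace. Consider moving the assignment out of the `try` block and documenting the side effect on the class, e.g. `// Global side effect: replaces SaStrategy.me.createSession so sessions are persisted as SaSessionForJacksonCustomized (timeout not serialised)`, and log the full exception rather than its message. The enclosing method starts before the hunk.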
diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2Config.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2Config.java
index 6e5e99ea..6f505bc8 100644
--- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2Config.java
+++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2Config.java
@@ -30,19 +30,19 @@ public class SaOAuth2Config implements Serializable {
 	/** 是否在每次 Refresh-Token 刷新 Access-Token 时,产生一个新的 Refresh-Token */
 	public Boolean isNewRefresh = false;
 
-	/** Code授权码 保存的时间(单位秒) 默认五分钟 */
+	/** Code授权码 保存的时间(单位:秒) 默认五分钟 */
 	public long codeTimeout = 60 * 5;
 
-	/** Access-Token 保存的时间(单位秒) 默认两个小时 */
+	/** Access-Token 保存的时间(单位:秒) 默认两个小时 */
 	public long accessTokenTimeout = 60 * 60 * 2;
 
-	/** Refresh-Token 保存的时间(单位秒) 默认30 天 */
+	/** Refresh-Token 保存的时间(单位:秒) 默认30 天 */
 	public long refreshTokenTimeout = 60 * 60 * 24 * 30;
 
-	/** Client-Token 保存的时间(单位秒) 默认两个小时 */
+	/** Client-Token 保存的时间(单位:秒) 默认两个小时 */
 	public long clientTokenTimeout = 60 * 60 * 2;
 
-	/** Past-Client-Token 保存的时间(单位秒) 默认為 null */
+	/** Past-Client-Token 保存的时间(单位:秒) 默认為 null */
 	public Long pastClientTokenTimeout = null;
 
 
diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/logic/SaOAuth2Handle.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/logic/SaOAuth2Handle.java
index 6823a046..7aefc0fd 100644
--- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/logic/SaOAuth2Handle.java
+++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/logic/SaOAuth2Handle.java
@@ -256,9 +256,10 @@ public class SaOAuth2Handle {
 		String username = req.getParamNotNull(Param.username);
 		String password = req.getParamNotNull(Param.password);
 		String clientId = req.getParamNotNull(Param.client_id);
+		String scope = req.getParam(Param.scope, "");
 
-		// 2、校验client_id
-		SaOAuth2Util.checkClientModel(clientId);
+		// 2、校验 ClientScope
+		SaOAuth2Util.checkContract(clientId, scope);
 
 		// 3、防止因前端误传token造成逻辑干扰
 		SaHolder.getStorage().set(StpUtil.stpLogic.splicingKeyJustCreatedSave(), "no-token");
@@ -273,10 +274,7 @@ public class SaOAuth2Handle {
 		RequestAuthModel ra = new RequestAuthModel();
 		ra.clientId = clientId;
 		ra.loginId = StpUtil.getLoginId();
-		ra.scope = req.getParam(Param.scope, "");
-
-		// 6、校验 ClientScope
-		SaOAuth2Util.checkContract(clientId, ra.scope);
+		ra.scope = scope;
 
 		// 7、生成 Access-Token
 		AccessTokenModel at = SaOAuth2Util.generateAccessToken(ra, true);
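Review bot: Nothing in this password-grant hunk authenticates the client: `checkClientModel(clientId)` is replaced by `checkContract(clientId, scope)`, and only `username`, `password`, `client_id` and `scope` are read — no client secret. If `checkContract` validates only that the requested scope lies within the client's contract, and the rest of the handler (outside the hunk) does not verify the secret either, then anyone who knows a public `client_id` can exchange a user's credentials for an access token through this endpoint, whereas RFC 6749 §4.3.2 requires client authentication for confidential clients. Please confirm that `checkContract` still rejects an unknown `client_id` the way `checkClientModel` did, and add a client-secret check at this point (before the credential check) if it is not performed elsewhere; a comment such as `// client authentication is performed in <place>` would also settle it for future readers. Moving the scope/client check ahead of the password check is itself an improvement, since an invalid client now fails before the user's credentials are touched. The enclosing method starts before and ends after this hunk.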