From 02901efa33afb509e5f7755a781ac212347dccba Mon Sep 17 00:00:00 2001 From: bunny <1319900154@qq.com> Date: Thu, 17 Jul 2025 00:20:48 +0800 Subject: [PATCH] =?UTF-8?q?:speech=5Fballoon:=20=E5=BE=85=E5=AE=8C?= =?UTF-8?q?=E6=88=90=E5=BC=82=E5=B8=B8=E5=A4=84=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 spring-security/ReadMe.md | 11 +++++ .../controller/test/CheckController.java | 3 +- .../config/SecurityWebConfiguration.java | 42 ------------------- .../filter/JwtAuthenticationFilter.java | 3 +- .../com/spring/step3/utils/JwtTokenUtil.java | 4 +- 5 files changed, 17 insertions(+), 46 deletions(-)
diff --git a/spring-security/ReadMe.md b/spring-security/ReadMe.md
index 5a16aad..f316720 100644
--- a/spring-security/ReadMe.md
+++ b/spring-security/ReadMe.md
@@ -1362,6 +1362,16 @@ public class AuthenticationEvents { ## 实现JWT的认证 +### 过滤器的介绍 + +过滤器添加分为:`addFilterBefore`、`addFilterAt`、`addFilter`、`addFilterAfter`。 + +这里不推荐使用`addFilter`,指定顺序不明确,如需指定顺序使用其余三个。如果不指定顺序会报下面的错。 + +```properties +The Filter class com.spring.step3.security.filter.JwtAuthenticationFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead. +``` + ### 生成JWT令牌 > [!TIP]
@@ -1524,3 +1534,4 @@ Bunny # 解析的用户权限 [permission::read, role::read] ``` +
diff --git a/spring-security/step-3/src/main/java/com/spring/step3/controller/test/CheckController.java b/spring-security/step-3/src/main/java/com/spring/step3/controller/test/CheckController.java
index 9bf26ec..26a5c7c 100644
--- a/spring-security/step-3/src/main/java/com/spring/step3/controller/test/CheckController.java
+++ b/spring-security/step-3/src/main/java/com/spring/step3/controller/test/CheckController.java
@@ -4,6 +4,7 @@ import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,7 +33,7 @@ public class CheckController { if (principal instanceof UserDetails) { return (UserDetails) principal; } else { - return null; + return User.builder().username("未知").password("未知").build(); } }
diff --git a/spring-security/step-3/src/main/java/com/spring/step3/security/config/SecurityWebConfiguration.java b/spring-security/step-3/src/main/java/com/spring/step3/security/config/SecurityWebConfiguration.java
index 5e53e3b..9643c25 100644
--- a/spring-security/step-3/src/main/java/com/spring/step3/security/config/SecurityWebConfiguration.java
+++ b/spring-security/step-3/src/main/java/com/spring/step3/security/config/SecurityWebConfiguration.java
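Review bot: The new else branch, `return User.builder().username("未知").password("未知").build();`, hands callers a synthetic principal that is indistinguishable from an authenticated account, so any code that reads the returned username or compares the returned object can no longer tell "no UserDetails principal in the context" from a real user. The old `null` at least forced callers to check; making absence explicit is safer, e.g. changing the return type to `Optional<UserDetails>` and writing `return Optional.empty();` here, or raising an authentication failure instead of fabricating credentials. If a sentinel must stay, give the method a Javadoc line stating that the placeholder is never an authenticated user and must not be trusted for authorization decisions. The method's signature and the lines that read the Authentication are above the hunk, so its callers cannot be checked from here.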
@@ -22,47 +22,6 @@ public class SecurityWebConfiguration { private final JwtAuthenticationFilter jwtAuthenticationFilter; - // @Bean - // SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - // http.authorizeHttpRequests(authorizeRequests -> - // // 访问路径为 /api 时需要进行认证 - // authorizeRequests - // // 只认证 /api/** 下的所有接口 - // .requestMatchers("/api/**").authenticated() - // // 其余请求都放行 - // .anyRequest().permitAll() - // ) - // .formLogin(loginPage -> loginPage - // // 自定义登录页路径 - // .loginPage("/login-page") - // // 处理登录的URL(默认就是/login) - // .loginProcessingUrl("/login") - // // 登录成功跳转 - // .defaultSuccessUrl("/") - // // 登录失败跳转 - // .failureUrl("/login-page?error=true") - // .permitAll() - // ) - // // 使用默认的登录 - // // .formLogin(Customizer.withDefaults()) - // // 禁用表单登录 - // // .formLogin(AbstractHttpConfigurer::disable) - // .logout(logout -> logout - // .logoutSuccessUrl("/login-page?logout=true") - // .permitAll() - // ) - // .csrf(AbstractHttpConfigurer::disable) - // .exceptionHandling(exception -> { - // // 请求未授权接口 - // exception.authenticationEntryPoint(new SecurityAuthenticationEntryPoint()); - // // 没有权限访问 - // exception.accessDeniedHandler(new SecurityAccessDeniedHandler()); - // }) - // ; - // - // return http.build(); - // } - @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http
@@ -98,7 +57,6 @@ public class SecurityWebConfiguration { exception.accessDeniedHandler(new SecurityAccessDeniedHandler()); }) .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class) - .addFilter(jwtAuthenticationFilter) ; return http.build();
diff --git a/spring-security/step-3/src/main/java/com/spring/step3/security/filter/JwtAuthenticationFilter.java b/spring-security/step-3/src/main/java/com/spring/step3/security/filter/JwtAuthenticationFilter.java
index 401c2a2..1f3194b 100644
--- a/spring-security/step-3/src/main/java/com/spring/step3/security/filter/JwtAuthenticationFilter.java
+++ b/spring-security/step-3/src/main/java/com/spring/step3/security/filter/JwtAuthenticationFilter.java
@@ -32,7 +32,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, - @NotNull FilterChain filterChain) throws ServletException, IOException { + @NotNull FilterChain filterChain) throws ServletException, IOException, AuthenticSecurityException { final String authHeader = request.getHeader("Authorization"); // 如果当前请求不包含验证Token直接返回
@@ -47,6 +47,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter { // 检查当前Token是否过期 if (jwtBearTokenService.isTokenValid(jwtToken)) { + // TODO 抛出异常 Security 未处理 throw new AuthenticSecurityException(ResultCodeEnum.AUTHENTICATION_EXPIRED); }
diff --git a/spring-security/step-3/src/main/java/com/spring/step3/utils/JwtTokenUtil.java b/spring-security/step-3/src/main/java/com/spring/step3/utils/JwtTokenUtil.java
index 6fb2f2d..e2b7810 100644
--- a/spring-security/step-3/src/main/java/com/spring/step3/utils/JwtTokenUtil.java
+++ b/spring-security/step-3/src/main/java/com/spring/step3/utils/JwtTokenUtil.java
@@ -205,8 +205,8 @@ public class JwtTokenUtil { return expiration != null && expiration.before(new Date()); } catch (Exception exception) { - log.error(exception.getMessage(), exception); - return true; + // TODO 抛出异常 Security 未处理 + throw new AuthenticSecurityException(ResultCodeEnum.TOKEN_PARSING_FAILED); } } } \ No newline at end of file
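Review bot: Adding `AuthenticSecurityException` to the `throws` clause of `doFilterInternal` can only compile if that type is unchecked, because an override may not declare checked exceptions beyond those of `OncePerRequestFilter.doFilterInternal` (`ServletException, IOException`); for an unchecked type the clause is documentation only and does not cause the exception to be handled anywhere. If the intent is to advertise the failure mode, a Javadoc tag on the method, `@throws AuthenticSecurityException when the bearer token is expired or cannot be parsed`, says it without implying a contract change. The method body continues past this hunk.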
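Review bot: The `throw new AuthenticSecurityException(ResultCodeEnum.AUTHENTICATION_EXPIRED)` under the new TODO is raised from a filter that the SecurityWebConfiguration hunk registers with `addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)`, which sits upstream of ExceptionTranslationFilter, so the exception never reaches the configured `SecurityAuthenticationEntryPoint` and the client gets the container's generic error response instead of the intended body. A filter at this position should resolve the failure itself: write the error response and `return;` without calling `filterChain.doFilter`, or call the entry point's `commence(request, response, new InsufficientAuthenticationException("token expired"))` (the filter would need a reference to it). Note also that the comment announces an expiry check while the condition is `if (jwtBearTokenService.isTokenValid(jwtToken))`, which reads inverted unless that method actually reports expiry (the JwtTokenUtil hunk below returns true when `expiration.before(new Date())`); confirm against the service definition, which is not in this diff. The enclosing method starts and ends outside the hunk.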
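Review bot: Replacing `log.error(exception.getMessage(), exception); return true;` with `throw new AuthenticSecurityException(ResultCodeEnum.TOKEN_PARSING_FAILED)` drops the only record of why parsing failed, and the constructor shown takes just the enum, so the original cause is not chained either; a malformed or tampered token now leaves no diagnostic trace for operations to notice. Keep a log line ahead of the throw, `log.warn("token parsing failed", exception);`, or chain the cause if the exception type has a (code, cause) constructor. `catch (Exception exception)` is also broader than needed here; catching the parser's exception type plus `IllegalArgumentException` would cover the token cases without masking programming errors. The try block and the method signature are above the hunk.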