💬 待完成异常处理

spring-security/ReadMe.md

@@ -1362,6 +1362,16 @@ public class AuthenticationEvents {
 
 ## 实现JWT的认证
 
+### 过滤器的介绍
+
+过滤器添加分为：`addFilterBefore`、`addFilterAt`、`addFilter`、`addFilterAfter`。
+
+这里不推荐使用`addFilter`，指定顺序不明确，如需指定顺序使用其余三个。如果不指定顺序会报下面的错。
+
+```properties
+The Filter class com.spring.step3.security.filter.JwtAuthenticationFilter does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.
+```
+
 ### 生成JWT令牌
 
 > [!TIP]
@@ -1524,3 +1534,4 @@ Bunny
 # 解析的用户权限
 [permission::read, role::read]
 ```
+

spring-security/step-3/src/main/java/com/spring/step3/controller/test/CheckController.java

@@ -4,6 +4,7 @@ import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,7 +33,7 @@ public class CheckController {
         if (principal instanceof UserDetails) {
             return (UserDetails) principal;
         } else {
-            return null;
+            return User.builder().username("未知").password("未知").build();
         }
     }
 

spring-security/step-3/src/main/java/com/spring/step3/security/config/SecurityWebConfiguration.java

@@ -22,47 +22,6 @@ public class SecurityWebConfiguration {
 
     private final JwtAuthenticationFilter jwtAuthenticationFilter;
 
-    // @Bean
-    // SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    //     http.authorizeHttpRequests(authorizeRequests ->
-    //                     // 访问路径为 /api 时需要进行认证
-    //                     authorizeRequests
-    //                             // 只认证 /api/** 下的所有接口
-    //                             .requestMatchers("/api/**").authenticated()
-    //                             // 其余请求都放行
-    //                             .anyRequest().permitAll()
-    //             )
-    //             .formLogin(loginPage -> loginPage
-    //                     // 自定义登录页路径
-    //                     .loginPage("/login-page")
-    //                     // 处理登录的URL（默认就是/login）
-    //                     .loginProcessingUrl("/login")
-    //                     // 登录成功跳转
-    //                     .defaultSuccessUrl("/")
-    //                     // 登录失败跳转
-    //                     .failureUrl("/login-page?error=true")
-    //                     .permitAll()
-    //             )
-    //             // 使用默认的登录
-    //             // .formLogin(Customizer.withDefaults())
-    //             // 禁用表单登录
-    //             // .formLogin(AbstractHttpConfigurer::disable)
-    //             .logout(logout -> logout
-    //                     .logoutSuccessUrl("/login-page?logout=true")
-    //                     .permitAll()
-    //             )
-    //             .csrf(AbstractHttpConfigurer::disable)
-    //             .exceptionHandling(exception -> {
-    //                 // 请求未授权接口
-    //                 exception.authenticationEntryPoint(new SecurityAuthenticationEntryPoint());
-    //                 // 没有权限访问
-    //                 exception.accessDeniedHandler(new SecurityAccessDeniedHandler());
-    //             })
-    //     ;
-    //
-    //     return http.build();
-    // }
-
     @Bean
     SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
@@ -98,7 +57,6 @@ public class SecurityWebConfiguration {
                     exception.accessDeniedHandler(new SecurityAccessDeniedHandler());
                 })
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
-                .addFilter(jwtAuthenticationFilter)
         ;
 
         return http.build();

spring-security/step-3/src/main/java/com/spring/step3/security/filter/JwtAuthenticationFilter.java

@@ -32,7 +32,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(@NotNull HttpServletRequest request,
                                     @NotNull HttpServletResponse response,
-                                    @NotNull FilterChain filterChain) throws ServletException, IOException {
+                                    @NotNull FilterChain filterChain) throws ServletException, IOException, AuthenticSecurityException {
         final String authHeader = request.getHeader("Authorization");
 
         // 如果当前请求不包含验证Token直接返回
@@ -47,6 +47,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
         // 检查当前Token是否过期
         if (jwtBearTokenService.isTokenValid(jwtToken)) {
+            // TODO 抛出异常 Security 未处理
             throw new AuthenticSecurityException(ResultCodeEnum.AUTHENTICATION_EXPIRED);
         }
 

spring-security/step-3/src/main/java/com/spring/step3/utils/JwtTokenUtil.java

@@ -205,8 +205,8 @@ public class JwtTokenUtil {
 
             return expiration != null && expiration.before(new Date());
         } catch (Exception exception) {
-            log.error(exception.getMessage(), exception);
+            // TODO 抛出异常 Security 未处理
-            return true;
+            throw new AuthenticSecurityException(ResultCodeEnum.TOKEN_PARSING_FAILED);
         }
     }
 }