Merge pull request #6 from darioseidl/master

Prevent ArrayIndexOutOfBoundsException in JwtTokenFilter.getTokenString
aisensiy 2018-04-16 12:13:21 +08:00 committed by GitHub
commit eef3d052fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 3 deletions


@ -48,10 +48,15 @@ public class JwtTokenFilter extends OncePerRequestFilter {
}
private Optional<String> getTokenString(String header) {
if (header == null || header.split("").length < 2) {
if (header == null) {
return Optional.empty();
} else {
return Optional.ofNullable(header.split(" ")[1]);
String[] split = header.split(" ");
if (split.length < 2) {
return Optional.empty();
} else {
return Optional.ofNullable(split[1]);
}
}
}
}
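Review bot: In the new `else` branch of getTokenString, `split[1]` is returned for any header with at least two space-separated parts, so a header with a doubled space yields an empty string as the token, and the scheme word in `split[0]` is never compared with the one this API expects. Neither case throws any more, but both pass a value that is not a token to whatever parses it after this method (that code is outside the hunk). I would tighten the guard to `String[] split = header.trim().split("\\s+");` followed by `if (split.length != 2) {`, and compare `split[0]` with the expected scheme if the rest of the filter does not already do so. `Optional.ofNullable` can become `Optional.of`, since `split` never produces null elements.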


@ -1,5 +1,6 @@
package io.spring.api.security;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@ -18,6 +19,10 @@ import static java.util.Arrays.asList;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${spring.h2.console.enabled:false}")
private boolean h2ConsoleEnabled;
@Bean
public JwtTokenFilter jwtTokenFilter() {
return new JwtTokenFilter();
@ -25,6 +30,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
if (h2ConsoleEnabled)
http.authorizeRequests()
.antMatchers("/h2-console", "/h2-console/**").permitAll()
.and()
.headers().frameOptions().sameOrigin();
http.csrf().disable()
.cors()
.and()
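Review bot: The `if (h2ConsoleEnabled)` block in configure() makes `/h2-console/**` reachable without authentication, and the only thing keeping that out of a deployed instance is one property value. The console is a SQL client for the application's database (behind H2's own login form), so I would document the field, e.g. `// Development only: exposes the H2 SQL console without authentication`, and consider tying the branch to a dev profile or logging a warning at startup when the flag is on. The `frameOptions().sameOrigin()` call is made on the shared `HttpSecurity`, so the relaxed header presumably applies to every response and not only to the console paths. The unbraced `if` governs a multi-line chained statement; wrapping it in `{ }` would keep a later edit from silently falling outside the condition. configure() continues past the end of the hunk.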


@ -4,4 +4,6 @@ jwt.secret=nRvyYC4soFxBdZ-F-5Nnzz5USXstR1YylsTd-mA0aKtI9HUlriGrtkf-TiuDapkLiUCog
jwt.sessionTime=86400
mybatis.config-location=classpath:mybatis-config.xml
mybatis.mapper-locations=mapper/*.xml
logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
logging.level.io.spring.infrastructure.mybatis.readservice.ArticleReadService=DEBUG
# Uncomment the following line to enable and allow access to the h2-console
#spring.h2.console.enabled=true
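Review bot: The added comment tells the reader how to turn the console on but not what that implies: with the flag set, the security configuration changed in this commit permits `/h2-console/**` without authentication. I would word it as `# Local development only: enables the H2 console and permits unauthenticated access to /h2-console`. The hunk header also shows that this same file carries a literal `jwt.secret` value. That predates this change, but a file developers are now invited to edit is a poor home for a signing key, and reading it from the environment would keep it out of version control.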